Address six convergent audit findings in the auto-mode agent loop:
1. Move rewriteAttemptCount to AutoSession — eliminates module-level state
that leaked across stop/start cycles in auto-dispatch.ts
2. Add unit correlation to agent_end queue — tag events with unitId so late
completions from unit A cannot falsely resolve unit B
3. Split post-unit into heavy/light paths — sidecars skip settle delay,
doctor, state rebuild, and worktree sync; reduce sleep 500ms→100ms
4. Data-driven budget thresholds — consolidate 75/80/90% copy-pasted
notification blocks into BUDGET_THRESHOLDS array lookup
5. Fix session teardown — stopAuto() restores model first then calls
s.reset() replacing 36 lines of manual field clearing
6. Add debugLog to 12 silent catch blocks in auto-post-unit.ts
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Centralise all ~/.gsd path construction through app-paths.ts (compiled
code) or a module-level `gsdHome` const (runtime extensions that cannot
import app-paths). When GSD_HOME is set, every path that previously
resolved under ~/.gsd now resolves under the override.
Existing overrides (GSD_STATE_DIR, GSD_CODING_AGENT_DIR) continue to
take precedence when set.
PR #1527 fixed metrics.ts but missed several other paths that still
reach shared/mod.js → ui.js → @gsd/pi-tui during report generation
via native dynamic import() (which bypasses jiti alias resolution).
Remaining chains fixed:
- preferences.ts, preferences-validation.ts, export.ts, forensics.ts,
migrate/parsers.ts: import from shared/format-utils.js directly
- state.ts, visualizer-data.ts, files.ts: import from milestone-ids.js
instead of guided-flow.js (which pulls in shared/mod.js)
- files.ts: import checkExistingEnvKeys from new env-utils.ts instead
of get-secrets-from-user.ts (which imports @gsd/pi-tui)
New file: env-utils.ts extracts the pure checkExistingEnvKeys function.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New detections:
- Circular dependency detection (DFS cycle check on slice depends:[])
- Orphaned slice directories (dirs not in roadmap)
- Duplicate task IDs in plan files
- Task summary files on disk not in plan (info)
- Stale REPLAN.md when all tasks are done (info)
- Metrics ledger corruption (version != 1 or units not array)
- Large planning files >100KB (warning)
- Future completed_at timestamps >24h ahead (warning)
New modes and output:
- --dry-run flag: reports [dry-run] would fix entries without writing
- --json flag: formatDoctorReportJson() for CI/tooling integration
- --build / --test flags: opt-in slow checkBuildHealth/checkTestHealth
- Per-check timing: timing.{git,runtime,environment,gsdState} on DoctorReport
- Doctor history: appends compact JSONL entry to .gsd/doctor-history.jsonl;
exports readDoctorHistory() for programmatic access
Tests: 27 new test scenarios in doctor-enhancements.test.ts covering all features
* fix: apply pi manifest opt-out to extension-discovery.ts (#1537 follow-up)
The cmux fix in #1537 patched resolveExtensionEntries() in
packages/pi-coding-agent/src/core/extensions/loader.ts to honor
"pi": {} as an opt-out from auto-discovery. However, there is a
second copy of resolveExtensionEntries() in src/extension-discovery.ts
that was not updated. This is the version actually used at startup
by loader.js via discoverExtensionEntryPaths().
As a result, cmux/index.js is still discovered and loaded as an
extension on startup, producing:
Extension does not export a valid factory function: .../cmux/index.js
Fix: Apply the same authoritative-manifest logic to the
extension-discovery.ts copy. When a package.json has a "pi" field,
treat it as authoritative and return early — either with declared
extension paths or an empty array for library opt-out.
Tests: 7 new tests covering resolveExtensionEntries and
discoverExtensionEntryPaths behavior for opt-out, declared
extensions, and fallback discovery.
* fix: apply pi manifest opt-out to package-manager.ts (third copy)
There are THREE copies of resolveExtensionEntries():
1. packages/pi-coding-agent/src/core/extensions/loader.ts (fixed in #1537)
2. src/extension-discovery.ts (fixed in previous commit)
3. packages/pi-coding-agent/src/core/package-manager.ts (THIS commit)
Copy #3 is used by collectAutoExtensionEntries() which is called from
addAutoDiscoveredResources() during DefaultPackageManager.resolve().
This is the actual code path that discovers ~/.gsd/agent/extensions/cmux
and passes it to loadExtensions(), producing the factory function error.
* fix: rewrite pi.extensions .ts paths to .js during resource copy
copy-resources.cjs compiles .ts → .js via tsc but copies package.json
files verbatim. Extensions with pi.extensions: ["./index.ts"] end up
in dist/ pointing to a .ts file that doesn't exist (only .js does).
This causes resolveExtensionEntries() to find no valid entry points,
silently skipping the extension. Affected: gsd, browser-tools, context7,
google-search, universal-config — all extensions with pi manifests.
Fix: When copying package.json files, rewrite .ts/.tsx extensions in
pi.extensions arrays to .js so they match the compiled output.
* fix: add missing commands to /gsd description and rate sub-completions
- Add 9 missing commands to the description string: widget, rate, park,
unpark, init, setup, logs, inspect, extensions
- Add sub-completions for /gsd rate (over/ok/under)
* feat: grid layout for parallel cmux splits and completion trailing-space fix
CmuxClient.createGridLayout(count) pre-creates a tiled grid of surfaces
before launching parallel agents, instead of the previous approach of
creating splits per-agent with alternating right/down directions.
Grid layout strategy:
1 agent: [gsd | A]
2 agents: [gsd | A] (A split down)
[ | B]
3 agents: [gsd | A] (2x2 grid)
[ C | B]
4 agents: [gsd | A] (additional splits from bottom-right)
[ C | B]
[ | D]
Changes:
- Add CmuxClient.createSplitFrom(sourceSurfaceId, direction) to split
from a specific surface rather than always the gsd surface
- Add CmuxClient.createGridLayout(count) that builds the grid and
returns surface IDs in order
- Update runSingleAgentInCmuxSplit to accept a pre-created surface ID
(string) or a direction for backward compatibility
- Parallel dispatch pre-creates grid, assigns each agent a surface
- Fix getArgumentCompletions trailing-space handling so sub-completions
work (e.g., /gsd cmux <tab> now shows status/on/off/etc.)
- 5 new tests for grid layout logic
* feat(ui): add GSD welcome screen on interactive startup
Renders a two-panel boxed welcome screen to stderr before the TUI
takes over, mirroring the style of the Claude Code welcome screen.
Left panel — personalized greeting, GSD ASCII logo, active model + cwd
Right panel — getting-started tips, recent session activity
The screen is printed to stderr immediately before InteractiveMode.run(),
so it appears on launch and reappears when the TUI exits (alternate-screen
buffer swap). It silently skips when not a TTY or terminal < 60 cols.
Files:
src/welcome-screen.ts — printWelcomeScreen() implementation
src/cli.ts — call site before interactiveMode.run()
src/tests/welcome-screen.test.ts — 11 unit tests (all passing)
* refactor(ui): minimal welcome screen — logo + metadata, no box
Replace two-panel boxed layout with a minimal design:
logo block with version/model/cwd alongside it, dim hint below.
No box borders, no tips panel. Clean and fast.
* feat(ui): show tool status line (Brave/Jina/Tavily) when keys are configured
When .gsd is a symlink (e.g., openclip/.gsd -> ~/.gsd/projects/<hash>),
worktrees resolve to ~/.gsd/projects/<hash>/worktrees/<name> instead of
the expected <repo>/.gsd/worktrees/<name>. All worktree detection
functions used the marker /.gsd/worktrees/ which did not match the
resolved path /.gsd/projects/<hash>/worktrees/.
This caused three cascading failures:
1. escapeStaleWorktree failed to detect stale worktree CWD
2. isUnderGsdWorktrees returned false, causing nested worktrees
3. Empty registry was conflated with "all milestones complete"
Changes:
- Add findWorktreeSegment helper matching both direct and symlink layouts
- Refactor detectWorktreeName and resolveProjectRoot to use the helper
- Fix escapeStaleWorktree in auto-worktree-sync.ts for symlink paths
- Fix isUnderGsdWorktrees in auto-start.ts for symlink paths
- Fix resolveCapturesPath in captures.ts for symlink paths
- Distinguish empty registry from all-complete in auto-loop.ts
- Add tests for symlink-resolved path detection
- Remove feat/** push trigger (PRs already cover feature branches)
- Add concurrency groups with cancel-in-progress to kill stale runs
- Add paths-ignore for docs/markdown/license/unrelated workflow changes
- Consolidate secret-scan, no-gsd-dir, skill-references into single lint job
- Restrict Windows runner (2x minute multiplier) to main push only
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(gsd): batch-specific artifact verification for reactive-execute
The reactive-execute artifact verifier previously checked only that
'at least one task summary exists' in the slice. This meant the unit
could report success even when none of the dispatched tasks actually
completed — a pre-existing T01 summary would satisfy the check.
Fix:
- Encode dispatched task IDs in the unitId: M001/S01/reactive+T02,T03
- Persist dispatched batch in ReactiveExecutionState before dispatch
- Verify each dispatched task's summary file exists individually
- Legacy unitId format (no +batch suffix) falls back to old behavior
The verifier now answers 'did the tasks we dispatched actually finish?'
instead of 'does any summary exist?'
Added ReactiveExecutionState.dispatched field to track the batch.
5 new tests covering: all-pass, partial-fail, pre-existing-irrelevant,
legacy fallback, and unitId round-trip encoding.
* fix(gsd): dependency-based carry-forward for reactive task execution
In reactive mode, each subagent task was getting order-based carry-forward
(all prior task summaries by number), not dependency-based. T05 depending
only on T02 would still receive T01, T03, T04 summaries — noise context
that wastes tokens and could confuse execution.
Fix:
- Add getDependencyTaskSummaryPaths() — returns only summaries for tasks
in the derived dependsOn set, falling back to order-based for root tasks
with no dependencies (preserves continuity)
- Add ExecuteTaskPromptOptions with carryForwardPaths override
- buildExecuteTaskPrompt accepts optional override, sequential callers
unchanged (no options = order-based, backward compatible)
- buildReactiveExecutePrompt now passes dependency-scoped paths per task
Sequential execute-task dispatch is completely unchanged — the new code
path only activates when carryForwardPaths is explicitly provided.
3 new tests: dependency-only filtering, root task fallback, missing
dependency summary handling.
* fix(gsd): enforce backtick file paths in task plan IO sections
The reactive task graph (ADR-004) derives dependencies from backtick-wrapped
file paths in ## Inputs and ## Expected Output sections. Without concrete
paths, the graph is ambiguous and falls back to sequential execution.
Changes:
- task-plan.md template: add comments explaining paths are machine-parsed
- plan-slice.md prompt: explicitly instruct planner to write backtick file
paths in IO sections, add self-audit check for path presence
- observability-validator.ts: new validation rules missing_output_file_paths
(warning) and missing_input_file_paths (info) catch plans without paths
- plan-quality-validator.test.ts: 4 new test cases for IO path validation
* fix(ci): increase max_tokens and add JSON parse error handling in ai-triage
max_tokens: 300 was too low, causing truncated JSON responses from Claude
that failed to parse. Bumped to 1024 and added try/catch with raw text
logging for easier debugging.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add reactive (graph-derived parallel) task execution within slices.
When enabled via preferences, the dispatch table derives a task dependency
graph from IO annotations in task plans and dispatches multiple ready,
non-conflicting tasks in parallel via subagent.
Architecture:
- Graph derivation happens at dispatch time (auto-dispatch.ts)
- A new reactive-execute prompt instructs the agent to use subagent
parallel mode to dispatch all currently-ready tasks
- The auto-loop treats reactive-execute as a single unit type
- After agent_end, the orchestrator checks which tasks completed and loops
New files:
- reactive-graph.ts: pure graph derivation, ready-set resolution,
conflict detection, deadlock detection, IO loader, state persistence
- prompts/reactive-execute.md: prompt template for parallel dispatch
- tests/reactive-graph.test.ts: 22 unit tests for graph functions
- tests/reactive-executor.test.ts: 11 integration tests for dispatch
rules, preferences validation, state persistence, re-entry
Modified files:
- types.ts: TaskIO, DerivedTaskNode, ReactiveExecutionConfig,
ReactiveExecutionState interfaces
- files.ts: parseTaskPlanIO() extracts IO from task plan sections
- preferences-types.ts: reactive_execution config + known keys
- preferences-validation.ts: validation with range checks
- auto-dispatch.ts: new reactive-execute dispatch rule
- auto-prompts.ts: buildReactiveExecutePrompt()
- auto-recovery.ts: artifact verification for reactive-execute
- auto-post-unit.ts: reactive state cleanup on slice completion
Backward compatible: disabled by default, falls through to sequential
execution when disabled, ambiguous, or only 1 task is ready.
* feat: add anthropic-vertex provider for Claude models on Google Vertex AI
Add a new anthropic-vertex provider that enables using Claude models
(Opus 4.6, Sonnet 4.6, Haiku 4.5) through Google Vertex AI using the
@anthropic-ai/vertex-sdk package. Follows the same pattern as the
existing google/google-vertex provider split.
Detection uses ANTHROPIC_VERTEX_PROJECT_ID (same env var as Claude Code)
with CLOUD_ML_REGION for region selection, falling back to us-central1.
Extracts shared Anthropic utilities into anthropic-shared.ts (message
conversion, tool conversion, param building, stream processing) to
avoid duplication between anthropic.ts and anthropic-vertex.ts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add full Claude model set for anthropic-vertex provider
Add 200K context window variants for Opus 4.6 and Sonnet 4.6, plus
older models (Sonnet 4.5, Sonnet 4, Opus 4.5, Opus 4.1, Opus 4, Haiku 4.5).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add @anthropic-ai/vertex-sdk to root dependencies
Required for the published package to resolve the vertex SDK at runtime.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: remove unnecessary comments to match codebase style
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove duplicate stream functions after rebase
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Nathan Roe <nathan.roe@carvana.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* docs: update README for v2.37 — changelog, extensions, stale refs
- Update "What's New" section from v2.33 to v2.37
- Update extensions table: add Async Jobs and GitHub, remove LSP (Pi SDK core)
- Fix extension count in architecture section (12 → 18)
- Remove stale v2.17 version tags from Token Optimization section
* docs: fix stale references across documentation
- commands.md: update version example from v2.28 to v2.37
- troubleshooting.md: fix Node.js requirement from ≥20.6.0 to ≥22.0.0
- skills.md: fix project-local skills path from .pi/ to .gsd/
- CONTRIBUTING.md: fix scope area paths to include packages/ prefix,
remove incorrect PR #1232 supply chain attack reference
- vscode-extension: fix Node.js requirement, remove hardcoded RPC
command count (changes over time)
* docs: add troubleshooting for command not found after install
Addresses #1542 — npm global bin directory not in PATH is a common
issue on macOS, especially with Homebrew Node, version managers, or
oh-my-zsh git aliases.
- Add "command not found: gsd" section to troubleshooting.md
- Add callout to getting-started.md install section
Replace the simple notifyRemoteAutoActive notification with an interactive
guardRemoteSession menu that shows session details and offers actionable
choices (view status, steer, stop, or force start). Guards all auto-mode
entry points: bare /gsd, /gsd next, and /gsd auto.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pull_request events from forks/branches cannot access repo secrets,
causing 401 auth failures on every PR triage. pull_request_target runs
in the base repo context. Safe because the workflow only reads event
payload data and sparse-checks base branch docs — no PR code executes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(#1526): auto-mode worktree commits land on main instead of milestone branch
GitServiceImpl.getMainBranch() was designed to detect manual /worktree worktrees
(worktree/<name> branches) but incorrectly applied the same logic to auto-mode
worktrees (milestone/<MID> branches). When no worktree/<name> branch existed,
it fell back to the current branch, which in certain contexts could be main,
causing slice commits to land on main instead of the milestone branch.
Fix: Detect if currently on a milestone/* branch first (auto-mode case) and
return it, before checking for worktree/* branches (manual worktree case).
- Modify getMainBranch() to detect milestone branches first
- Add test verifying getMainBranch() returns correct branch in auto-worktree
- All tests pass, build succeeds
Fixes#1526
* fix: cmux library directory incorrectly loaded as extension
The extension auto-discovery in resolveExtensionEntries() finds
index.js files in subdirectories and treats them as extensions.
The cmux directory has an index.js but it's a utility library
(imported by gsd and subagent extensions), not an extension itself.
Two changes:
1. When a package.json has a "pi" manifest, treat it as authoritative
and don't fall through to index.ts/index.js auto-detection. This
lets library directories opt out with "pi": {}.
2. Add package.json to cmux directory with empty pi manifest.
Report generation in auto-loop uses native dynamic import() which
bypasses jiti's alias resolution. The import chain
metrics.js → mod.js → ui.js → @gsd/pi-tui failed because Node
cannot resolve @gsd/pi-tui from ~/.gsd/agent/extensions/.
Split ANSI-aware layout helpers (padRight, joinColumns, centerLine,
fitColumns) into layout-utils.ts and keep format-utils.ts pure so
report modules can import formatting functions without pulling in
the @gsd/pi-tui dependency.
GitServiceImpl.getMainBranch() was designed to detect manual /worktree worktrees
(worktree/<name> branches) but incorrectly applied the same logic to auto-mode
worktrees (milestone/<MID> branches). When no worktree/<name> branch existed,
it fell back to the current branch, which in certain contexts could be main,
causing slice commits to land on main instead of the milestone branch.
Fix: Detect if currently on a milestone/* branch first (auto-mode case) and
return it, before checking for worktree/* branches (manual worktree case).
- Modify getMainBranch() to detect milestone branches first
- Add test verifying getMainBranch() returns correct branch in auto-worktree
- All tests pass, build succeeds
Fixes#1526
The Anthropic API's max_uses resets per request — when pause_turn triggers
a resubmit, the model gets a fresh budget each time. This allowed unlimited
total searches across a research unit, overwhelming the TUI render buffer.
Fix:
- Count web_search_tool_result blocks in conversation history on each
before_provider_request to track cumulative searches per session
- Cap total native searches at 15 per session (3 full turns of 5)
- Dynamically set max_uses to min(5, remaining) — preserves per-turn cap
while enforcing session ceiling
- When budget exhausted, omit web_search tool entirely instead of letting
the model hit max_uses_exceeded repeatedly
- Reset counter on session_start (new agent unit)
- Add web search budget guidance to research prompts (defense in depth)
Tests: 5 new tests covering budget tracking, exhaustion, and reset.
All 35 native-search tests pass.
* feat(dashboard): two-column layout with redesigned widget
- Two-column layout: progress bar left, task checklist right
- 4 widget modes: full → small → min → off (cycle with /gsd widget)
- Health indicator and ETA in header line for immediate visibility
- Simplified stats: 3 items (hit rate, cost, context %) instead of 7
- Short PWD (last 2 segments), git worktree name with ⎇ prefix
- Last commit time + message in footer (cached every 15s)
- Preview script with mock data for all modes
* docs: add dashboard widget screenshots for PR #1530
* docs: update dashboard screenshots with wider renders
* docs: wider full-width dashboard screenshots
* feat(dashboard): persist widget_mode in preferences
- Add widget_mode to GSDPreferences and KNOWN_PREFERENCE_KEYS
- Load saved widget_mode from preferences on first access
- Persist to global PREFERENCES.md on /gsd widget change
- Default remains "full" when no preference is set
When a user presses Escape during streaming, the abort flow clears all
queued messages indiscriminately. User messages typed during streaming
are silently discarded. This adds a QueueEntry wrapper in the Agent class
to track message origin ("user" vs "system"), so that clearQueue() can
preserve user-typed messages while discarding system-generated ones.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the bundled SwiftUI skill which had 13+ broken references to a
non-existent `../macos-apps/references/` directory. Add a CI script
that validates all relative .md file references in bundled skills,
preventing this class of bug from shipping again. Fix 5 additional
pre-existing broken references in other skills.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a unit fails and is retried, the model tier is now escalated
(light -> standard -> heavy) if dynamic routing is enabled and
escalate_on_failure is not explicitly disabled. This connects the
existing escalateTier() function, which was fully implemented and
tested but never called at runtime.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bare /gsd and /gsd next now check for a remote auto-mode session via
readSessionLockData before attempting to start step-mode. If another
process holds the lock, a steering menu is shown instead of competing
for the lock and killing the running session.
Also fixes the guided-flow "all slices discussed" message to detect
active auto-mode and direct users to /gsd status instead of bare /gsd.
Closes#1507
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Wire resolveProfileDefaults into loadEffectiveGSDPreferences so
token_profile: budget actually sets cheaper models and skips phases
- Add /gsd rate <over|ok|under> command to submit user feedback on
model tier assignments, completing the adaptive routing feedback loop
- Document that models config is required for dynamic routing activation
- Document ceiling behavior when dynamic routing is active
- Document reassess_after_slice as required for reassessment
Closes#1505 (partial — escalateTier wiring deferred to follow-up)
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The onCompromised callback in the retry acquisition path lacked the
elapsed-time suppression that the primary path had, causing unconditional
_lockCompromised=true on benign mtime drift. Additionally, validateSessionLock
now attempts PID-based recovery and re-acquisition before declaring the lock
lost, preventing sessions from stopping when no other process has taken over.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace loadAgentInstructions() with a deprecation warning that fires when
legacy agent-instructions.md files are detected. Pi core already supports
AGENTS.md (with CLAUDE.md fallback) per directory, making the custom GSD
mechanism redundant.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Directories under .gsd/milestones/ that don't match the M\d+ pattern
(e.g. slices/, temp-backup/) are now excluded instead of being returned
with their raw name. This prevents rogue directories from blocking
auto-mode milestone discovery.
Closes#1494
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
isValidationTerminal() now normalizes verdict: passed → pass before
comparison. LLM-generated validation files that write "passed" instead
of "pass" are accepted as terminal, preventing milestones from being
treated as incomplete.
Closes#1429
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds a GitHub Actions workflow that automatically triages new issues and
PRs using Claude Haiku 4.5. Classifies with type and priority labels,
and flags items that violate VISION.md or CONTRIBUTING.md guidelines
with a `needs-review` label and explanatory comment. No auto-closing —
maintainer makes all final decisions.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add missing `parseRoadmap` import in `auto-dispatch.ts`
- Add missing `unlinkSync` import in `auto.ts`
- Add missing `syncGsdStateToWorktree` import in `worktree-sync-milestones.test.ts`
All three were dropped during the PR #1419 merge.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Establishes contributor guidelines based on maintainer team discussion.
VISION.md defines project identity, principles, and explicit rejection
criteria. CONTRIBUTING.md covers assign-then-PR workflow, RFC process
for architectural changes, AI disclosure policy, and testing standards.
PR template restructured around TL;DR + What/Why/How format.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* rfc: GitOps branching & versioning strategy proposal
Proposes a Git-Flow Lite model with automated integration branches:
main ← production-ready, tagged releases only
next ← integration branch for next minor (PRs target here)
release/X.Y ← stabilization branch, only bugfixes allowed
hotfix/X.Y.Z ← emergency fixes cherry-picked to release
Includes:
- RFC document with lifecycle diagrams, migration path, open questions
- Workflow scaffolds (in docs/proposals/workflows/, NOT .github/):
- create-release.yml: manual dispatch to cut release branch from next
- sync-next.yml: auto-sync next branch after version tags
- backmerge.yml: auto back-merge release fixes to next
This is an experimental proposal requesting community feedback before
any implementation. The workflow files are inert scaffolds — they do
not run in CI.
* fix: prevent ensureGitignore from adding .gsd when tracked in git (#1364)
CRITICAL DATA-LOSS FIX: ensureGitignore() unconditionally added '.gsd' to
.gitignore even when .gsd/ was a real git-tracked directory, causing git to
report ~889 tracked files as deleted.
Root cause: BASELINE_PATTERNS included '.gsd' unconditionally, and the
gitignore modification ran BEFORE migration checks in auto-start.ts.
Changes:
- Add hasGitTrackedGsdFiles() helper using nativeLsFiles to detect tracked
.gsd/ content
- ensureGitignore() now skips the '.gsd' pattern when .gsd/ has tracked files
- untrackRuntimeFiles() now skips entirely when .gsd/ has tracked files
- migrateToExternalState() aborts when .gsd/ has tracked files
- Reorder auto-start.ts: migration runs BEFORE gitignore modification
- Add 8 regression tests covering all scenarios
Fixes#1364
* fix: break recursive dialog loop when all milestones complete (#1348)
Two interacting bugs:
1. Recursive dialog loop: When all milestones are complete, bootstrapAutoSession
calls showSmartEntry → sets pendingAutoStart → checkAutoStartAfterDiscuss
calls startAuto → bootstrapAutoSession → showSmartEntry → infinite loop.
The discuss workflow completes without producing a milestone directory, so
phase stays 'complete' and the cycle never breaks.
Fix: Add a re-entry counter (_consecutiveCompleteBootstraps) that tracks
how many times bootstrapAutoSession enters the 'complete' branch without
advancing. After 2 consecutive attempts, break the loop with a warning
message and return false.
2. Missing _releaseFunction = null in retry lock onCompromised handler:
The retry lock path in session-lock.ts set _lockCompromised but didn't
null out _releaseFunction, which could leave a stale reference that
masks the compromise detection in validateSessionLock().
Fixes#1348
* fix: self-heal stale roadmap checkbox for interrupted complete-slice (#1350)
When complete-slice is interrupted after writing SUMMARY.md and UAT.md but
before flipping the roadmap checkbox, auto-mode enters an infinite loop —
re-launching the same complete-slice unit because the dispatch loop uses
the roadmap checkbox as the sole 'slice done' signal.
Fix: Add a self-heal case in selfHealRuntimeRecords that detects when
SUMMARY + UAT exist but the roadmap checkbox is unchecked, and auto-fixes
the checkbox. This allows the verification to pass and the dispatch loop
to advance.
Fixes#1350
* fix: add EISDIR guard to complete/validate milestone prompts (#1343)
The LLM was passing tasks/ directory paths to the read tool during
milestone completion, causing EISDIR crashes. Added file system safety
instructions to both complete-milestone and validate-milestone prompts
telling the LLM to use ls/find for directory listing, not the read tool.
Fixes#1343
* feat: improve extension conflict messages with removal guidance (#1347)
When a user extension registers tools/commands that now ship as built-ins,
the conflict message now includes '(built-in tool supersedes — consider
removing <path>)' and the log level is downgraded from 'Extension load error'
to 'Extension conflict'.
Changes:
- resource-loader.ts: detect built-in vs user extension conflicts, add hint
- cli.ts: downgrade severity for superseded-tool conflicts
Fixes#1347
* test: fix always-skipped preferences test, add test:marketplace script
- preferences.test.ts: Replace always-skipped getIsolationMode test with
a filesystem-independent version that validates the default through
validatePreferences() instead of reading ~/.gsd/preferences.md.
Reduces skipped count from 3 → 2.
- package.json: Add test:marketplace script for running marketplace
contract tests (claude-import-tui, plugin-importer-live,
marketplace-discovery) with GSD_TEST_CLONE_MARKETPLACES=1.
These tests need external repos and self-skip in unit test runs.
Remaining 2 skips:
- Marketplace contract test suites (need external repos, run via test:marketplace)
- Windows-only tests in validate-directory.test.ts are platform-conditional
and correctly skip on macOS
* fix: use execFileSync in regression tests for Windows portability
The regression tests used execSync with shell-dependent constructs:
- '&&' command chaining (works in bash/cmd but fragile)
- Single-quoted commit messages (bash-only, cmd.exe splits on spaces)
Replaced with execFileSync via a git() helper that bypasses the shell
entirely. Each git operation is a separate call with proper argument
arrays, eliminating all shell interpretation issues.
Fixes windows-portability CI failure.
* fix: guard milestone completion against missing slice summaries (#1368)
Auto-mode could report a milestone as complete after executing only the
last slice, skipping earlier unexecuted slices. The milestone completion
signal fired based on roadmap checkbox state, which could be stale or
inconsistent after worktree transitions.
Changes:
- auto-dispatch.ts: Added slice SUMMARY file existence check to both
validating-milestone and completing-milestone dispatch rules. If any
slice lacks a SUMMARY file, dispatch stops with a diagnostic error
instead of proceeding to validation/completion.
- validate-milestone.test.ts: Updated tests to create slice summary
files (required by the new guard).
- file-watcher.test.ts: Fixed flaky 'auth.json change emits auth-changed
event' test by adding watcher initialization delay and increasing event
propagation timeout (race condition when run in full suite).
Fixes#1368
* fix: warn on common misspelled preference keys + verify field guidance (#1373, #1341)
#1373: Users setting 'taskIsolation.mode: none' instead of 'git.isolation: none'
got a generic 'unknown key' warning. Added KEY_MIGRATION_HINTS that map common
misspellings (taskIsolation, task_isolation, isolation, manage_gitignore, auto_push,
main_branch) to their correct git.* equivalents with actionable messages.
#1341: Planning agent writes aspirational prose in Verify fields ('Sections 3.1
and 3.2 exist with exact formulas. Zero TBD.') instead of executable commands.
Added explicit verify field rules to the plan template: must be mechanically
executable, with examples of good vs bad patterns for content tasks.
Fixes#1373, partially addresses #1341
* refactor: extract roadmap-mutations.ts + shared test-utils.ts
Consolidation:
- roadmap-mutations.ts: Extracted markSliceDoneInRoadmap() and markTaskDoneInPlan()
from duplicated implementations in doctor.ts, mechanical-completion.ts, and
auto-recovery.ts. All three callers used identical regex patterns.
mechanical-completion.ts and auto-recovery.ts now import the shared utility.
(doctor.ts deferred — touched by PR #1349)
- test-utils.ts: Shared cross-platform test utilities for GSD extension tests.
Provides git() helper (execFileSync, no shell), makeTempRepo() with
core.autocrlf=false, cleanup(), createFile(), safeReadFile(), and
writeMilestoneFixture(). 12 test files currently define their own versions
of these helpers — new tests should import from test-utils.ts instead.
Security audit: No injection vectors (sid/tid are alphanumeric from roadmap
parser), no path traversal, no secrets, no new dependencies.
* fix: port conflict false positive on non-Node projects + paused worktree resume (#1381, #1383)
projects without package.json. macOS AirPlay Receiver listens on port 5000,
causing a spurious warning on non-Node projects.
Fix: Skip port checks entirely when no package.json exists. When using
default ports, filter out 5000 on macOS.
in-memory only. Re-entering /gsd started a fresh bootstrap from the project
root instead of the active worktree.
Fix: pauseAuto() now writes paused-session.json to .gsd/runtime/ with
milestoneId, worktreePath, originalBasePath, and stepMode. startAuto()
checks for this file before bootstrap and restores the paused session
context, including worktree re-entry. stopAuto() cleans up the file.
Fixes#1381, #1383
* fix: catch spawn ENOENT in uncaught exception guard + snapshot session lock path (#1384, #1363)
uncaught exception and crashes auto-mode. The EPIPE guard now also catches
ENOENT from spawn syscalls — logs the error and continues instead of
terminating the process.
the lock path differently via gsdRoot() because basePath could be either the
project root or a worktree path. gsdRoot() produces different results for
each, so the lock was written to one path and validated against another.
Fix: Snapshot the resolved lock path (_snapshotLockPath) at acquisition time
and reuse it for all subsequent lock operations within the session.
Fixes#1384, #1363
* fix: suppress false-positive lock compromise + skip migration with active worktrees (#1362, #1337)
because the event loop stall delays the heartbeat mtime update. The handler
now checks elapsed time since acquisition — if within the 30-minute stale
window, it logs a warning and continues instead of setting _lockCompromised.
Real takeovers (past the stale window) still trigger the compromise flag.
even when .gsd/worktrees/ contained active git worktrees with locked
directory handles. This caused EBUSY errors and destructive data loss.
Migration now checks for active worktree directories and skips entirely
if any are found.
Fixes#1362, #1337
In worktree isolation mode, the secrets gate checked for .env at the
worktree path (process.cwd()), but the user's .env lives at the project
root. Keys that existed in the project root's .env were reported as
missing, causing repeated blocking key collection prompts.
Fix: getManifestStatus() now accepts an optional projectRoot parameter.
When provided (worktree mode), it checks both the worktree .env AND the
project root .env. All callers in auto.ts and auto-start.ts updated to
pass s.originalBasePath.
Fixes#1387
In worktree isolation, process.cwd() drifts when async_bash or background
jobs change directory, causing commits to land on the wrong branch.
Realign cwd to basePath before every dispatch and hook dispatch.
Also clean stale .git/SQUASH_MSG, MERGE_HEAD, MERGE_MSG after failed
squash-merges to prevent subsequent git operations from seeing phantom
merge state.
Adapted to post-M001 architecture: cwd fix in auto-loop.ts runUnit(),
hook cwd fix in auto.ts dispatchHookUnit(), merge cleanup in
worktree-resolver.ts _mergeWorktreeMode().
Co-authored-by: Lex Christopherson <lex@glittercowboy.com>
syncGsdStateToWorktree() assumed the milestones/ directory already
existed in the worktree. On a fresh worktree bootstrap this directory
is absent, causing milestone sync to silently skip all entries and
auto-mode to report "All milestones complete" immediately.
Create the directory before iterating if the main repo has milestones
but the worktree does not.
Co-authored-by: Berat Can <berat@hyperlab.games>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Post-unit hooks that use browser tools can hang indefinitely when the LLM
calls browser_wait_for with condition 'network_idle' against a dev server
with persistent connections (Vite HMR, WebSocket). The networkidle event
never fires because at least one connection stays open.
Fix: Inject a browser safety instruction into every hook prompt warning
against network_idle and recommending selector_visible, text_visible, or
delay as alternatives.
Fixes#1345
migrateToExternalState() moved .gsd/ to ~/.gsd/projects/<hash>/ and
created a symlink, but never verified the symlink resolved correctly.
On Windows, junction creation can silently fail or resolve to the wrong
target. If the symlink was broken, the backup (.gsd.migrating) was
deleted anyway, losing all project state.
Changes:
- migrate-external.ts: After creating symlink, verify it resolves to the
expected path and is readable. If verification fails, restore from backup.
- repo-identity-worktree.test.ts: Canonicalize temp dirs with realpathSync
to fix macOS /var → /private/var mismatch in path assertions.
- resource-loader.ts: Check for agents/ subdir before using dist/resources
as source — partial builds (tsc without copy-resources) create an
incomplete dist/resources that's missing agents/ and skills/.
Fixes#1377
When the user's home directory is a git repo, resolveProjectRoot() correctly
returns $HOME as the main tree root. assertSafeDirectory() then hard-blocks it
with the home-directory guard added in #1053, even though the session is running
from a valid GSD worktree (e.g. ~/.gsd/worktrees/M001) — not from $HOME itself.
Fix: in projectRoot(), detect when CWD diverges from the resolved root (i.e. we
are inside a git worktree) and validate the CWD instead. The worktree path is
never $HOME, so the guard no longer fires. When not in a worktree cwd === root,
preserving the existing behaviour unchanged.
Adds a regression test: validateDirectory() on a ~/.gsd/worktrees/M001 path
must return { safe: true, severity: "ok" }.
Co-authored-by: Jeremy McSpadden <jeremy@fluxlabs.net>
* fix(gsd extension): detect initialized projects in health widget
Use .gsd presence plus project-state detection for the health widget so bootstrapped projects no longer appear as unloaded before metrics exist.
* fix(gsd extension): make health widget execution-aware
Lead the health widget with current GSD execution state so it explains what the project is doing before surfacing provider and environment diagnostics. Keep issue, budget, and progress details as secondary context and cover the new output with focused widget tests.
* fix(gsd extension): address review feedback on health widget PR
- Replace em dash with ASCII hyphen in headline for terminal safety
- Reformat catch/finally to standard single-line style
- Replace computeProgressScore() status with direct phase labels so
the status reflects the actual execution phase, not a global health
aggregate
- Use lightweight milestone-dir scan instead of full detectProjectState()
to avoid unnecessary filesystem work on the 60s refresh
- Add cache warm-up comment on updateSliceProgressCache call
- Add safety comment on early void refresh() call
- Update test assertions for new phase labels and ASCII separator
