@litmers/cursorflow-orchestrator 0.1.15 → 0.1.20

package/src/core/runner.ts

@@ -15,7 +15,8 @@ import { saveState, appendLog, createConversationEntry } from '../utils/state';
 import { events } from '../utils/events';
 import { loadConfig } from '../utils/config';
 import { registerWebhooks } from '../utils/webhook';
-import { stripAnsi } from '../utils/enhanced-logger';
+import { runReviewLoop } from './reviewer';
+import { safeJoin } from '../utils/path';
 import { 
   RunnerConfig, 
   Task, 
@@ -191,6 +192,8 @@ export async function cursorAgentSend({ workspaceDir, chatId, prompt, model, sig
   const format = outputFormat || 'stream-json';
   const args = [
     '--print',
+    '--force',
+    '--approve-mcps',
     '--output-format', format,
     '--workspace', workspaceDir,
     ...(model ? ['--model', model] : []),
@@ -232,17 +235,18 @@ export async function cursorAgentSend({ workspaceDir, chatId, prompt, model, sig
       env: childEnv,
     });
 
-    // Save PID to state if possible
+    logger.info(`Executing cursor-agent... (timeout: ${Math.round(timeoutMs / 1000)}s)`);
+
+    // Save PID to state if possible (avoid TOCTOU by reading directly)
     if (child.pid && signalDir) {
       try {
-        const statePath = path.join(signalDir, 'state.json');
-        if (fs.existsSync(statePath)) {
-          const state = JSON.parse(fs.readFileSync(statePath, 'utf8'));
-          state.pid = child.pid;
-          fs.writeFileSync(statePath, JSON.stringify(state, null, 2));
-        }
-      } catch (e) {
-        // Best effort
+        const statePath = safeJoin(signalDir, 'state.json');
+        // Read directly without existence check to avoid race condition
+        const state = JSON.parse(fs.readFileSync(statePath, 'utf8'));
+        state.pid = child.pid;
+        fs.writeFileSync(statePath, JSON.stringify(state, null, 2));
+      } catch {
+        // Best effort - file may not exist yet
       }
     }
 
@@ -471,7 +475,7 @@ export function applyDependencyFilePermissions(worktreeDir: string, policy: Depe
   }
   
   for (const file of targets) {
-    const filePath = path.join(worktreeDir, file);
+    const filePath = safeJoin(worktreeDir, file);
     if (!fs.existsSync(filePath)) continue;
     
     try {
@@ -484,6 +488,82 @@ export function applyDependencyFilePermissions(worktreeDir: string, policy: Depe
   }
 }
 
+/**
+ * Wait for task-level dependencies to be completed by other lanes
+ */
+export async function waitForTaskDependencies(deps: string[], runDir: string): Promise<void> {
+  if (!deps || deps.length === 0) return;
+
+  const lanesRoot = path.dirname(runDir);
+  const pendingDeps = new Set(deps);
+
+  logger.info(`Waiting for task dependencies: ${deps.join(', ')}`);
+
+  while (pendingDeps.size > 0) {
+    for (const dep of pendingDeps) {
+      const [laneName, taskName] = dep.split(':');
+      if (!laneName || !taskName) {
+        logger.warn(`Invalid dependency format: ${dep}. Expected "lane:task"`);
+        pendingDeps.delete(dep);
+        continue;
+      }
+
+      const depStatePath = safeJoin(lanesRoot, laneName, 'state.json');
+      if (fs.existsSync(depStatePath)) {
+        try {
+          const state = JSON.parse(fs.readFileSync(depStatePath, 'utf8')) as LaneState;
+          if (state.completedTasks && state.completedTasks.includes(taskName)) {
+            logger.info(`✓ Dependency met: ${dep}`);
+            pendingDeps.delete(dep);
+          } else if (state.status === 'failed') {
+            throw new Error(`Dependency failed: ${dep} (Lane ${laneName} failed)`);
+          }
+        } catch (e: any) {
+          if (e.message.includes('Dependency failed')) throw e;
+          // Ignore parse errors, file might be being written
+        }
+      }
+    }
+
+    if (pendingDeps.size > 0) {
+      await new Promise(resolve => setTimeout(resolve, 5000)); // Poll every 5 seconds
+    }
+  }
+}
+
+/**
+ * Merge branches from dependency lanes
+ */
+export async function mergeDependencyBranches(deps: string[], runDir: string, worktreeDir: string): Promise<void> {
+  if (!deps || deps.length === 0) return;
+
+  const lanesRoot = path.dirname(runDir);
+  const lanesToMerge = new Set(deps.map(d => d.split(':')[0]!));
+
+  for (const laneName of lanesToMerge) {
+    const depStatePath = safeJoin(lanesRoot, laneName, 'state.json');
+    if (!fs.existsSync(depStatePath)) continue;
+
+    try {
+      const state = JSON.parse(fs.readFileSync(depStatePath, 'utf8')) as LaneState;
+      if (state.pipelineBranch) {
+        logger.info(`Merging branch from ${laneName}: ${state.pipelineBranch}`);
+        
+        // Ensure we have the latest
+        git.runGit(['fetch', 'origin', state.pipelineBranch], { cwd: worktreeDir, silent: true });
+        
+        git.merge(state.pipelineBranch, {
+          cwd: worktreeDir,
+          noFf: true,
+          message: `chore: merge task dependency from ${laneName}`
+        });
+      }
+    } catch (e) {
+      logger.error(`Failed to merge branch from ${laneName}: ${e}`);
+    }
+  }
+}
+
 /**
  * Run a single task
  */
@@ -509,7 +589,8 @@ export async function runTask({
   noGit?: boolean;
 }): Promise<TaskExecutionResult> {
   const model = task.model || config.model || 'sonnet-4.5';
-  const convoPath = path.join(runDir, 'conversation.jsonl');
+  const timeout = task.timeout || config.timeout;
+  const convoPath = safeJoin(runDir, 'conversation.jsonl');
   
   logger.section(`[${index + 1}/${config.tasks.length}] ${task.name}`);
   logger.info(`Model: ${model}`);
@@ -555,7 +636,7 @@ export async function runTask({
     prompt: prompt1,
     model,
     signalDir: runDir,
-    timeout: config.timeout,
+    timeout,
     enableIntervention: config.enableIntervention,
     outputFormat: config.agentOutputFormat,
   });
@@ -603,6 +684,37 @@ export async function runTask({
   if (!noGit) {
     git.push(taskBranch, { cwd: worktreeDir, setUpstream: true });
   }
+
+  // Automatic Review
+  const reviewEnabled = config.reviewAllTasks || task.acceptanceCriteria?.length || config.enableReview;
+  
+  if (reviewEnabled) {
+    logger.section(`🔍 Reviewing Task: ${task.name}`);
+    const reviewResult = await runReviewLoop({
+      taskResult: {
+        taskName: task.name,
+        taskBranch: taskBranch,
+        acceptanceCriteria: task.acceptanceCriteria,
+      },
+      worktreeDir,
+      runDir,
+      config,
+      workChatId: chatId,
+      model, // Use the same model as requested
+      cursorAgentSend,
+      cursorAgentCreateChat,
+    });
+
+    if (!reviewResult.approved) {
+      logger.error(`❌ Task review failed after ${reviewResult.iterations} iterations`);
+      return {
+        taskName: task.name,
+        taskBranch,
+        status: 'ERROR',
+        error: reviewResult.error || 'Task failed to pass review criteria',
+      };
+    }
+  }
   
   events.emit('task.completed', {
     taskName: task.name,
@@ -670,18 +782,25 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
   const repoRoot = noGit ? process.cwd() : git.getRepoRoot();
   
   // Load existing state if resuming
-  const statePath = path.join(runDir, 'state.json');
+  const statePath = safeJoin(runDir, 'state.json');
   let state: LaneState | null = null;
   
-  if (startIndex > 0 && fs.existsSync(statePath)) {
-    state = JSON.parse(fs.readFileSync(statePath, 'utf8'));
+  if (fs.existsSync(statePath)) {
+    try {
+      state = JSON.parse(fs.readFileSync(statePath, 'utf8'));
+    } catch (e) {
+      logger.warn(`Failed to load existing state from ${statePath}: ${e}`);
+    }
   }
   
-  const pipelineBranch = state?.pipelineBranch || config.pipelineBranch || `${config.branchPrefix || 'cursorflow/'}${Date.now().toString(36)}`;
+  const randomSuffix = Math.random().toString(36).substring(2, 7);
+  const pipelineBranch = state?.pipelineBranch || config.pipelineBranch || `${config.branchPrefix || 'cursorflow/'}${Date.now().toString(36)}-${randomSuffix}`;
+  
   // In noGit mode, use a simple local directory instead of worktree
-  const worktreeDir = state?.worktreeDir || (noGit 
-    ? path.join(repoRoot, config.worktreeRoot || '_cursorflow/workdir', pipelineBranch.replace(/\//g, '-'))
-    : path.join(repoRoot, config.worktreeRoot || '_cursorflow/worktrees', pipelineBranch));
+  // Flatten the path by replacing slashes with hyphens to avoid race conditions in parent directory creation
+  const worktreeDir = state?.worktreeDir || config.worktreeDir || (noGit 
+    ? safeJoin(repoRoot, config.worktreeRoot || '_cursorflow/workdir', pipelineBranch.replace(/\//g, '-'))
+    : safeJoin(repoRoot, config.worktreeRoot || '_cursorflow/worktrees', pipelineBranch.replace(/\//g, '-')));
   
   if (startIndex === 0) {
     logger.section('🚀 Starting Pipeline');
@@ -693,17 +812,54 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
   logger.info(`Worktree: ${worktreeDir}`);
   logger.info(`Tasks: ${config.tasks.length}`);
   
-  // Create worktree only if starting fresh
-  if (startIndex === 0 || !fs.existsSync(worktreeDir)) {
+  // Create worktree only if starting fresh and worktree doesn't exist
+  if (!fs.existsSync(worktreeDir)) {
     if (noGit) {
       // In noGit mode, just create the directory
       logger.info(`Creating work directory: ${worktreeDir}`);
       fs.mkdirSync(worktreeDir, { recursive: true });
     } else {
-      git.createWorktree(worktreeDir, pipelineBranch, { 
-        baseBranch: config.baseBranch || 'main',
-        cwd: repoRoot,
-      });
+      // Use a simple retry mechanism for Git worktree creation to handle potential race conditions
+      let retries = 3;
+      let lastError: Error | null = null;
+      
+      while (retries > 0) {
+        try {
+          // Ensure parent directory exists before calling git worktree
+          const worktreeParent = path.dirname(worktreeDir);
+          if (!fs.existsSync(worktreeParent)) {
+            fs.mkdirSync(worktreeParent, { recursive: true });
+          }
+
+          git.createWorktree(worktreeDir, pipelineBranch, { 
+            baseBranch: config.baseBranch || 'main',
+            cwd: repoRoot,
+          });
+          break; // Success
+        } catch (e: any) {
+          lastError = e;
+          retries--;
+          if (retries > 0) {
+            const delay = Math.floor(Math.random() * 1000) + 500;
+            logger.warn(`Worktree creation failed, retrying in ${delay}ms... (${retries} retries left)`);
+            await new Promise(resolve => setTimeout(resolve, delay));
+          }
+        }
+      }
+      
+      if (retries === 0 && lastError) {
+        throw new Error(`Failed to create Git worktree after retries: ${lastError.message}`);
+      }
+    }
+  } else if (!noGit) {
+    // If it exists but we are in Git mode, ensure it's actually a worktree and on the right branch
+    logger.info(`Reusing existing worktree: ${worktreeDir}`);
+    try {
+      git.runGit(['checkout', pipelineBranch], { cwd: worktreeDir });
+    } catch (e) {
+      // If checkout fails, maybe the worktree is in a weird state. 
+      // For now, just log it. In a more robust impl, we might want to repair it.
+      logger.warn(`Failed to checkout branch ${pipelineBranch} in existing worktree: ${e}`);
     }
   }
   
@@ -726,12 +882,17 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
       dependencyRequest: null,
       tasksFile, // Store tasks file for resume
       dependsOn: config.dependsOn || [],
+      completedTasks: [],
     };
   } else {
     state.status = 'running';
     state.error = null;
     state.dependencyRequest = null;
+    state.pipelineBranch = pipelineBranch;
+    state.worktreeDir = worktreeDir;
+    state.label = state.label || pipelineBranch;
     state.dependsOn = config.dependsOn || [];
+    state.completedTasks = state.completedTasks || [];
   }
   
   saveState(statePath, state);
@@ -744,8 +905,8 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
     const lanesRoot = path.dirname(runDir);
     
     for (const depName of config.dependsOn) {
-      const depRunDir = path.join(lanesRoot, depName);
-      const depStatePath = path.join(depRunDir, 'state.json');
+      const depRunDir = path.join(lanesRoot, depName); // nosemgrep
+      const depStatePath = path.join(depRunDir, 'state.json'); // nosemgrep
       
       if (!fs.existsSync(depStatePath)) {
         logger.warn(`Dependency state not found for ${depName} at ${depStatePath}`);
@@ -791,8 +952,8 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
     const lanesRoot = path.dirname(runDir);
     
     for (const depName of config.dependsOn) {
-      const depRunDir = path.join(lanesRoot, depName);
-      const depStatePath = path.join(depRunDir, 'state.json');
+      const depRunDir = safeJoin(lanesRoot, depName);
+      const depStatePath = safeJoin(depRunDir, 'state.json');
       
       if (!fs.existsSync(depStatePath)) {
         continue;
@@ -811,8 +972,8 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
             for (const entry of entries) {
               if (entry.name === '.git' || entry.name === '_cursorflow' || entry.name === 'node_modules') continue;
               
-              const srcPath = path.join(src, entry.name);
-              const destPath = path.join(dest, entry.name);
+              const srcPath = safeJoin(src, entry.name);
+              const destPath = safeJoin(dest, entry.name);
               
               if (entry.isDirectory()) {
                 copyFiles(srcPath, destPath);
@@ -836,6 +997,32 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
   for (let i = startIndex; i < config.tasks.length; i++) {
     const task = config.tasks[i]!;
     const taskBranch = `${pipelineBranch}--${String(i + 1).padStart(2, '0')}-${task.name}`;
+
+    // Handle task-level dependencies
+    if (task.dependsOn && task.dependsOn.length > 0) {
+      state.status = 'waiting';
+      state.waitingFor = task.dependsOn;
+      saveState(statePath, state);
+
+      try {
+        await waitForTaskDependencies(task.dependsOn, runDir);
+        
+        if (!noGit) {
+          await mergeDependencyBranches(task.dependsOn, runDir, worktreeDir);
+        }
+        
+        state.status = 'running';
+        state.waitingFor = [];
+        saveState(statePath, state);
+      } catch (e: any) {
+        state.status = 'failed';
+        state.waitingFor = [];
+        state.error = e.message;
+        saveState(statePath, state);
+        logger.error(`Task dependency wait/merge failed: ${e.message}`);
+        process.exit(1);
+      }
+    }
     
     const result = await runTask({
       task,
@@ -853,6 +1040,10 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
     
     // Update state
     state.currentTaskIndex = i + 1;
+    state.completedTasks = state.completedTasks || [];
+    if (!state.completedTasks.includes(task.name)) {
+      state.completedTasks.push(task.name);
+    }
     saveState(statePath, state);
     
     // Handle blocked or error
@@ -914,7 +1105,7 @@ export async function runTasks(tasksFile: string, config: RunnerConfig, runDir:
         
         if (entry.isDirectory()) {
           stats.dirs++;
-          const sub = getFileSummary(path.join(dir, entry.name));
+          const sub = getFileSummary(safeJoin(dir, entry.name));
           stats.files += sub.files;
           stats.dirs += sub.dirs;
         } else {
@@ -956,11 +1147,13 @@ if (require.main === module) {
   const runDirIdx = args.indexOf('--run-dir');
   const startIdxIdx = args.indexOf('--start-index');
   const pipelineBranchIdx = args.indexOf('--pipeline-branch');
+  const worktreeDirIdx = args.indexOf('--worktree-dir');
   const noGit = args.includes('--no-git');
   
   const runDir = runDirIdx >= 0 ? args[runDirIdx + 1]! : '.';
   const startIndex = startIdxIdx >= 0 ? parseInt(args[startIdxIdx + 1] || '0') : 0;
   const forcedPipelineBranch = pipelineBranchIdx >= 0 ? args[pipelineBranchIdx + 1] : null;
+  const forcedWorktreeDir = worktreeDirIdx >= 0 ? args[worktreeDirIdx + 1] : null;
 
   // Extract runId from runDir (format: .../runs/run-123/lanes/lane-name)
   const parts = runDir.split(path.sep);
@@ -992,6 +1185,9 @@ if (require.main === module) {
     if (forcedPipelineBranch) {
       config.pipelineBranch = forcedPipelineBranch;
     }
+    if (forcedWorktreeDir) {
+      config.worktreeDir = forcedWorktreeDir;
+    }
   } catch (error: any) {
     console.error(`Failed to load tasks file: ${error.message}`);
     process.exit(1);

package/src/utils/config.ts

@@ -7,6 +7,7 @@
 import * as path from 'path';
 import * as fs from 'fs';
 import { CursorFlowConfig } from './types';
+import { safeJoin } from './path';
 export { CursorFlowConfig };
 
 /**
@@ -16,8 +17,8 @@ export function findProjectRoot(cwd = process.cwd()): string {
   let current = cwd;
   
   while (current !== path.parse(current).root) {
-    const packagePath = path.join(current, 'package.json');
-    const configPath = path.join(current, 'cursorflow.config.js');
+    const packagePath = safeJoin(current, 'package.json');
+    const configPath = safeJoin(current, 'cursorflow.config.js');
     
     if (fs.existsSync(packagePath) || fs.existsSync(configPath)) {
       return current;
@@ -36,7 +37,7 @@ export function loadConfig(projectRoot: string | null = null): CursorFlowConfig
     projectRoot = findProjectRoot();
   }
   
-  const configPath = path.join(projectRoot, 'cursorflow.config.js');
+  const configPath = safeJoin(projectRoot, 'cursorflow.config.js');
   
   // Default configuration
   const defaults: CursorFlowConfig = {
@@ -59,6 +60,7 @@ export function loadConfig(projectRoot: string | null = null): CursorFlowConfig
     // Review
     enableReview: false,
     reviewModel: 'sonnet-4.5-thinking',
+    reviewAllTasks: false,
     maxReviewIterations: 3,
     
     // Lane defaults
@@ -113,14 +115,14 @@ export function loadConfig(projectRoot: string | null = null): CursorFlowConfig
  * Get absolute path for tasks directory
  */
 export function getTasksDir(config: CursorFlowConfig): string {
-  return path.join(config.projectRoot, config.tasksDir);
+  return safeJoin(config.projectRoot, config.tasksDir);
 }
 
 /**
  * Get absolute path for logs directory
  */
 export function getLogsDir(config: CursorFlowConfig): string {
-  return path.join(config.projectRoot, config.logsDir);
+  return safeJoin(config.projectRoot, config.logsDir);
 }
 
 /**
@@ -156,11 +158,7 @@ export function validateConfig(config: CursorFlowConfig): boolean {
  * Create default config file
  */
 export function createDefaultConfig(projectRoot: string, force = false): string {
-  const configPath = path.join(projectRoot, 'cursorflow.config.js');
-  
-  if (fs.existsSync(configPath) && !force) {
-    throw new Error(`Config file already exists: ${configPath}`);
-  }
+  const configPath = safeJoin(projectRoot, 'cursorflow.config.js');
   
   const template = `module.exports = {
   // Directory configuration
@@ -182,6 +180,7 @@ export function createDefaultConfig(projectRoot: string, force = false): string
   // Review configuration
   enableReview: false,
   reviewModel: 'sonnet-4.5-thinking',
+  reviewAllTasks: false,
   maxReviewIterations: 3,
   
   // Lane configuration
@@ -222,6 +221,15 @@ export function createDefaultConfig(projectRoot: string, force = false): string
 };
 `;
   
-  fs.writeFileSync(configPath, template, 'utf8');
+  // Use atomic write with wx flag to avoid TOCTOU race condition (unless force is set)
+  try {
+    const writeFlag = force ? 'w' : 'wx';
+    fs.writeFileSync(configPath, template, { encoding: 'utf8', flag: writeFlag });
+  } catch (err: any) {
+    if (err.code === 'EEXIST') {
+      throw new Error(`Config file already exists: ${configPath}`);
+    }
+    throw err;
+  }
   return configPath;
 }

package/src/utils/doctor.ts

@@ -18,6 +18,7 @@ import * as path from 'path';
 import * as git from './git';
 import { checkCursorAgentInstalled, checkCursorAuth } from './cursor-agent';
 import { areCommandsInstalled } from '../cli/setup-commands';
+import { safeJoin } from './path';
 
 export type DoctorSeverity = 'error' | 'warn';
 
@@ -149,7 +150,7 @@ function readLaneJsonFiles(tasksDir: string): { path: string; json: any; fileNam
     .readdirSync(tasksDir)
     .filter(f => f.endsWith('.json'))
     .sort()
-    .map(f => path.join(tasksDir, f));
+    .map(f => safeJoin(tasksDir, f));
 
   return files.map(p => {
     const raw = fs.readFileSync(p, 'utf8');
@@ -428,7 +429,7 @@ function checkDiskSpace(dir: string): { ok: boolean; freeBytes?: number; error?:
   const { spawnSync } = require('child_process');
   try {
     // Validate and normalize the directory path to prevent command injection
-    const safePath = path.resolve(dir);
+    const safePath = path.resolve(dir); // nosemgrep
     
     // Use spawnSync instead of execSync to avoid shell interpolation vulnerabilities
     // df -B1 returns bytes. We look for the line corresponding to our directory.
@@ -486,16 +487,46 @@ function validateBranchNames(
   const remoteBranches = getAllRemoteBranches(repoRoot);
   const allExistingBranches = new Set([...localBranches, ...remoteBranches]);
   
-  // Collect branch prefixes from lanes
+  // Collect branch prefixes and pipeline branches from lanes
   const branchPrefixes: { laneName: string; prefix: string }[] = [];
+  const pipelineBranches: { laneName: string; branch: string }[] = [];
   
   for (const lane of lanes) {
     const branchPrefix = lane.json?.branchPrefix;
     if (branchPrefix) {
       branchPrefixes.push({ laneName: lane.fileName, prefix: branchPrefix });
     }
+    
+    const pipelineBranch = lane.json?.pipelineBranch;
+    if (pipelineBranch) {
+      pipelineBranches.push({ laneName: lane.fileName, branch: pipelineBranch });
+    }
   }
   
+  // Check for pipeline branch collisions
+  const pipeMap = new Map<string, string[]>();
+  for (const { laneName, branch } of pipelineBranches) {
+    const existing = pipeMap.get(branch) || [];
+    existing.push(laneName);
+    pipeMap.set(branch, existing);
+  }
+  
+  for (const [branch, laneNames] of pipeMap) {
+    if (laneNames.length > 1) {
+      addIssue(issues, {
+        id: 'branch.pipeline_collision',
+        severity: 'error',
+        title: 'Pipeline branch collision',
+        message: `Multiple lanes use the same pipelineBranch "${branch}": ${laneNames.join(', ')}`,
+        details: 'Each lane should have a unique pipelineBranch to avoid worktree conflicts during parallel execution.',
+        fixes: [
+          'Update the pipelineBranch in each lane JSON file to be unique',
+          'Or remove pipelineBranch to let CursorFlow generate unique ones',
+        ],
+      });
+    }
+  }
+
   // Check for branch prefix collisions between lanes
   const prefixMap = new Map<string, string[]>();
   for (const { laneName, prefix } of branchPrefixes) {
@@ -582,7 +613,7 @@ function validateBranchNames(
 const DOCTOR_STATUS_FILE = '.cursorflow/doctor-status.json';
 
 export function saveDoctorStatus(repoRoot: string, report: DoctorReport): void {
-  const statusPath = path.join(repoRoot, DOCTOR_STATUS_FILE);
+  const statusPath = safeJoin(repoRoot, DOCTOR_STATUS_FILE);
   const statusDir = path.dirname(statusPath);
   
   if (!fs.existsSync(statusDir)) {
@@ -600,7 +631,7 @@ export function saveDoctorStatus(repoRoot: string, report: DoctorReport): void {
 }
 
 export function getDoctorStatus(repoRoot: string): { lastRun: number; ok: boolean; issueCount: number } | null {
-  const statusPath = path.join(repoRoot, DOCTOR_STATUS_FILE);
+  const statusPath = safeJoin(repoRoot, DOCTOR_STATUS_FILE);
   if (!fs.existsSync(statusPath)) return null;
 
   try {
@@ -800,7 +831,7 @@ export function runDoctor(options: DoctorOptions = {}): DoctorReport {
     });
   } else {
     // Advanced check: .gitignore check for worktrees
-    const gitignorePath = path.join(gitCwd, '.gitignore');
+    const gitignorePath = safeJoin(gitCwd, '.gitignore');
     const worktreeDirName = '_cursorflow'; // Default directory name
     if (fs.existsSync(gitignorePath)) {
       const content = fs.readFileSync(gitignorePath, 'utf8');
@@ -823,7 +854,7 @@ export function runDoctor(options: DoctorOptions = {}): DoctorReport {
   if (options.tasksDir) {
     const tasksDirAbs = path.isAbsolute(options.tasksDir)
       ? options.tasksDir
-      : path.resolve(cwd, options.tasksDir);
+      : safeJoin(cwd, options.tasksDir);
     context.tasksDir = tasksDirAbs;
 
     if (!fs.existsSync(tasksDirAbs)) {