@opengsd/gsd-core 1.2.0-rc.1

package/get-shit-done/workflows/scan.md

@@ -0,0 +1,105 @@
+<purpose>
+Lightweight codebase assessment. Spawns a single gsd-codebase-mapper agent for one focus area,
+producing targeted documents in `.planning/codebase/`.
+</purpose>
+
+<required_reading>
+Read all files referenced by the invoking prompt's execution_context before starting.
+</required_reading>
+
+<available_agent_types>
+Valid GSD subagent types (use exact names — do not fall back to 'general-purpose'):
+- gsd-codebase-mapper — Maps project structure and dependencies
+</available_agent_types>
+
+<process>
+
+## Focus-to-Document Mapping
+
+| Focus | Documents Produced |
+|-------|-------------------|
+| `tech` | STACK.md, INTEGRATIONS.md |
+| `arch` | ARCHITECTURE.md, STRUCTURE.md |
+| `quality` | CONVENTIONS.md, TESTING.md |
+| `concerns` | CONCERNS.md |
+| `tech+arch` | STACK.md, INTEGRATIONS.md, ARCHITECTURE.md, STRUCTURE.md |
+
+## Step 1: Parse arguments and resolve focus
+
+Parse the user's input for `--focus <area>`. Default to `tech+arch` if not specified.
+
+Validate that the focus is one of: `tech`, `arch`, `quality`, `concerns`, `tech+arch`.
+
+If invalid:
+```
+Unknown focus area: "{input}". Valid options: tech, arch, quality, concerns, tech+arch
+```
+Exit.
+
+## Step 2: Check for existing documents
+
+```bash
+_GSD_SHIM_NAME="gsd-tools.cjs"; _GSD_RUNTIME_ROOT="${RUNTIME_DIR:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"; GSD_TOOLS="${_GSD_RUNTIME_ROOT}/get-shit-done/bin/${_GSD_SHIM_NAME}"; if [ -f "$GSD_TOOLS" ]; then gsd_run() { node "$GSD_TOOLS" "$@"; }; elif [ -f "${_GSD_RUNTIME_ROOT}/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}" ]; then GSD_TOOLS="${_GSD_RUNTIME_ROOT}/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}"; gsd_run() { node "$GSD_TOOLS" "$@"; }; elif command -v gsd-tools >/dev/null 2>&1; then GSD_TOOLS="$(command -v gsd-tools)"; gsd_run() { "$GSD_TOOLS" "$@"; }; elif [ -f "$HOME/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}" ]; then GSD_TOOLS="$HOME/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}"; gsd_run() { node "$GSD_TOOLS" "$@"; }; else echo "ERROR: gsd-tools.cjs not found at $GSD_TOOLS and gsd-tools is not on PATH. Run: npx -y @opengsd/gsd-core@latest --claude --local" >&2; exit 1; fi
+INIT=$(gsd_run query init.map-codebase 2>/dev/null || echo "{}")
+if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
+```
+
+Look up which documents would be produced for the selected focus (from the mapping table above).
+
+For each target document, check if it already exists in `.planning/codebase/`:
+```bash
+ls -la .planning/codebase/{DOCUMENT}.md 2>/dev/null
+```
+
+If any exist, show their modification dates and ask:
+```
+Existing documents found:
+  - STACK.md (modified 2026-04-03)
+  - INTEGRATIONS.md (modified 2026-04-01)
+
+Overwrite with fresh scan? [y/N]
+```
+
+If user says no, exit.
+
+## Step 3: Create output directory
+
+```bash
+mkdir -p .planning/codebase
+```
+
+## Step 4: Spawn mapper agent
+
+Spawn a single `gsd-codebase-mapper` agent with the selected focus area:
+
+```
+Agent(
+  prompt="Scan this codebase with focus: {focus}. Write results to .planning/codebase/. Produce only: {document_list}",
+  subagent_type="gsd-codebase-mapper",
+  model="{resolved_model}"
+)
+```
+
+> **ORCHESTRATOR RULE — CODEX RUNTIME**: After calling Agent() above, stop working on this task immediately. Do not read more files, edit code, or run tests related to this task while the subagent is active. Wait for the subagent to return its result. This prevents duplicate work, conflicting edits, and wasted context. Only resume when the subagent result is available.
+
+## Step 5: Report
+
+```
+## Scan Complete
+
+**Focus:** {focus}
+**Documents produced:**
+{list of documents written with line counts}
+
+Use `/gsd:map-codebase` for a comprehensive 4-area parallel scan.
+```
+
+</process>
+
+<success_criteria>
+- [ ] Focus area correctly parsed (default: tech+arch)
+- [ ] Existing documents detected with modification dates shown
+- [ ] User prompted before overwriting
+- [ ] Single mapper agent spawned with correct focus
+- [ ] Output documents written to .planning/codebase/
+</success_criteria>

package/get-shit-done/workflows/secure-phase.md

@@ -0,0 +1,180 @@
+<purpose>
+Verify threat mitigations for a completed phase. Confirm PLAN.md threat register dispositions are resolved. Update SECURITY.md.
+</purpose>
+
+<required_reading>
+@~/.claude/get-shit-done/references/ui-brand.md
+</required_reading>
+
+<available_agent_types>
+Valid GSD subagent types (use exact names — do not fall back to 'general-purpose'):
+- gsd-security-auditor — Verifies threat mitigation coverage
+</available_agent_types>
+
+<process>
+
+## 0. Initialize
+
+```bash
+_GSD_SHIM_NAME="gsd-tools.cjs"; _GSD_RUNTIME_ROOT="${RUNTIME_DIR:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"; GSD_TOOLS="${_GSD_RUNTIME_ROOT}/get-shit-done/bin/${_GSD_SHIM_NAME}"; if [ -f "$GSD_TOOLS" ]; then gsd_run() { node "$GSD_TOOLS" "$@"; }; elif [ -f "${_GSD_RUNTIME_ROOT}/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}" ]; then GSD_TOOLS="${_GSD_RUNTIME_ROOT}/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}"; gsd_run() { node "$GSD_TOOLS" "$@"; }; elif command -v gsd-tools >/dev/null 2>&1; then GSD_TOOLS="$(command -v gsd-tools)"; gsd_run() { "$GSD_TOOLS" "$@"; }; elif [ -f "$HOME/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}" ]; then GSD_TOOLS="$HOME/.claude/get-shit-done/bin/${_GSD_SHIM_NAME}"; gsd_run() { node "$GSD_TOOLS" "$@"; }; else echo "ERROR: gsd-tools.cjs not found at $GSD_TOOLS and gsd-tools is not on PATH. Run: npx -y @opengsd/gsd-core@latest --claude --local" >&2; exit 1; fi
+INIT=$(gsd_run query init.phase-op "${PHASE_ARG}")
+if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
+AGENT_SKILLS_AUDITOR=$(gsd_run query agent-skills gsd-security-auditor)
+```
+
+Parse: `phase_dir`, `phase_number`, `phase_name`, `phase_slug`, `padded_phase`.
+
+```bash
+AUDITOR_MODEL=$(gsd_run query resolve-model gsd-security-auditor --raw)
+SECURITY_CFG=$(gsd_run query config-get workflow.security_enforcement --raw 2>/dev/null || echo "true")
+```
+
+If `SECURITY_CFG` is `false`: exit with "Security enforcement disabled. Enable via /gsd:settings."
+
+Display banner: `GSD > SECURE PHASE {N}: {name}`
+
+## 1. Detect Input State
+
+```bash
+SECURITY_FILE=$(ls "${PHASE_DIR}"/*-SECURITY.md 2>/dev/null | head -1)
+PLAN_FILES=$(ls "${PHASE_DIR}"/*-PLAN.md 2>/dev/null)
+SUMMARY_FILES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
+```
+
+- **State A** (`SECURITY_FILE` non-empty): Audit existing
+- **State B** (`SECURITY_FILE` empty, `PLAN_FILES` and `SUMMARY_FILES` non-empty): Run from artifacts
+- **State C** (`SUMMARY_FILES` empty): Exit — "Phase {N} not executed. Run /gsd:execute-phase {N} first."
+
+## 2. Discovery
+
+### 2a. Read Phase Artifacts
+
+Read PLAN.md — extract `<threat_model>` block: trust boundaries, STRIDE register (`threat_id`, `category`, `component`, `disposition`, `mitigation_plan`).
+
+### 2b. Read Summary Threat Flags
+
+Read SUMMARY.md — extract `## Threat Flags` entries.
+
+### 2c. Build Threat Register
+
+Per threat: `{ threat_id, category, component, disposition, mitigation_pattern, files_to_check }`
+
+Also set `register_authored_at_plan_time: true` if **at least one** PLAN file contained a parseable `<threat_model>` block; `false` if no PLAN files had any `<threat_model>` block (legacy phase authored before formal threat modelling was standard).
+
+## 3. Threat Classification
+
+Classify each threat:
+
+| Status | Criteria |
+|--------|----------|
+| CLOSED | mitigation found OR accepted risk documented in SECURITY.md OR transfer documented |
+| OPEN | none of the above |
+
+Build: `{ threat_id, category, component, disposition, status, evidence }`
+
+**Short-circuit rule:**
+- If `threats_open: 0 AND register_authored_at_plan_time: true` → skip to Step 6 directly. All plan-time threats are verified CLOSED.
+- If `threats_open: 0 AND register_authored_at_plan_time: false` → **do NOT skip**. Empty-by-no-planning must not rubber-stamp a clean SECURITY.md. Proceed to Step 5 in **retroactive-STRIDE mode** — the auditor builds a register from implementation files first, then verifies mitigations.
+- If `threats_open > 0` → proceed to Step 4 (present threat plan to user).
+
+## 4. Present Threat Plan
+
+
+**Text mode (`workflow.text_mode: true` in config or `--text` flag):** Set `TEXT_MODE=true` if `--text` is present in `$ARGUMENTS` OR `text_mode` from init JSON is `true`. When TEXT_MODE is active, replace every `AskUserQuestion` call with a plain-text numbered list and ask the user to type their choice number. This is required for non-Claude runtimes (OpenAI Codex, Gemini CLI, etc.) where `AskUserQuestion` is not available.
+Call AskUserQuestion with threat table and options:
+1. "Verify all open threats" → Step 5
+2. "Accept all open — document in accepted risks log" → add to SECURITY.md accepted risks, set all CLOSED, Step 6
+3. "Cancel" → exit
+
+## 5. Spawn gsd-security-auditor
+
+**Auditor constraint — varies by register origin:**
+
+- `register_authored_at_plan_time: true` — **Verify mitigations exist** — do not scan for new threats. The register is complete; verify each threat's mitigation is present in the implementation.
+- `register_authored_at_plan_time: false` (retroactive-STRIDE mode) — **Retroactive-STRIDE: build a STRIDE register from implementation files first, then verify mitigations.** The phase was authored before formal threat modelling; the auditor must construct the register from scratch before verifying.
+
+```
+Agent(
+  prompt="Read ~/.claude/agents/gsd-security-auditor.md for instructions.\n\n" +
+    "<files_to_read>{PLAN, SUMMARY, impl files, SECURITY.md}</files_to_read>" +
+    "<threat_register>{threat register}</threat_register>" +
+    "<config>asvs_level: {SECURITY_ASVS}, block_on: {SECURITY_BLOCK_ON}</config>" +
+    "<constraints>Never modify implementation files. Verify mitigations exist — do not scan for new threats. Escalate implementation gaps.</constraints>" +
+    "${AGENT_SKILLS_AUDITOR}",
+  subagent_type="gsd-security-auditor",
+  model="{AUDITOR_MODEL}",
+  description="Verify threat mitigations for Phase {N}"
+)
+```
+
+> **ORCHESTRATOR RULE — CODEX RUNTIME**: After calling Agent() above, stop working on this task immediately. Do not read more files, edit code, or run tests related to this task while the subagent is active. Wait for the subagent to return its result. This prevents duplicate work, conflicting edits, and wasted context. Only resume when the subagent result is available.
+
+Handle return:
+- `## SECURED` → record closures → Step 6
+- `## OPEN_THREATS` → record closed + open, present user with accept/block choice → Step 6
+- `## ESCALATE` → present to user → Step 6
+
+## 6. Write/Update SECURITY.md
+
+**State B (create):**
+1. Read template from `~/.claude/get-shit-done/templates/SECURITY.md`
+2. Fill: frontmatter, threat register, accepted risks, audit trail
+3. Write to `${PHASE_DIR}/${PADDED_PHASE}-SECURITY.md`
+
+**State A (update):**
+1. Update threat register statuses, append to audit trail:
+
+```markdown
+## Security Audit {date}
+| Metric | Count |
+|--------|-------|
+| Threats found | {N} |
+| Closed | {M} |
+| Open | {K} |
+```
+
+**ENFORCING GATE:** If `threats_open > 0` after all options exhausted (user did not accept, not all verified closed):
+
+```
+GSD > PHASE {N} SECURITY BLOCKED
+{K} threats open — phase advancement blocked until threats_open: 0
+▶ Fix mitigations then re-run: /gsd:secure-phase {N}
+▶ Or document accepted risks in SECURITY.md and re-run.
+```
+
+Do NOT emit next-phase routing. Stop here.
+
+## 7. Commit
+
+```bash
+gsd_run query commit "docs(phase-${PHASE}): add/update security threat verification"
+```
+
+## 8. Results + Routing
+
+**Secured (threats_open: 0):**
+```
+GSD > PHASE {N} THREAT-SECURE
+threats_open: 0 — all threats have dispositions.
+▶ /gsd:validate-phase {N}    validate test coverage
+▶ /gsd:verify-work {N}       run UAT
+```
+
+Display `/clear` reminder.
+
+</process>
+
+<success_criteria>
+- [ ] Security enforcement checked — exit if false
+- [ ] Input state detected (A/B/C) — state C exits cleanly
+- [ ] PLAN.md threat model parsed, register built
+- [ ] SUMMARY.md threat flags incorporated
+- [ ] threats_open: 0 AND register_authored_at_plan_time: true → skip directly to Step 6
+- [ ] threats_open: 0 AND register_authored_at_plan_time: false → retroactive-STRIDE mode (Step 5), not skipped
+- [ ] User gate with threat table presented
+- [ ] Auditor spawned with complete context
+- [ ] All three return formats (SECURED/OPEN_THREATS/ESCALATE) handled
+- [ ] SECURITY.md created or updated
+- [ ] threats_open > 0 BLOCKS advancement (no next-phase routing emitted)
+- [ ] Results with routing presented on success
+</success_criteria>

package/get-shit-done/workflows/session-report.md

@@ -0,0 +1,146 @@
+<purpose>
+Generate a post-session summary document capturing work performed, outcomes achieved, and estimated resource usage. Writes SESSION_REPORT.md to .planning/reports/ for human review and stakeholder sharing.
+</purpose>
+
+<required_reading>
+Read all files referenced by the invoking prompt's execution_context before starting.
+</required_reading>
+
+<process>
+
+<step name="gather_session_data">
+Collect session data from available sources:
+
+1. **STATE.md** — current phase, milestone, progress, blockers, decisions
+2. **Git log** — commits made during this session (last 24h or since last report)
+3. **Plan/Summary files** — plans executed, summaries written
+4. **ROADMAP.md** — milestone context and phase goals
+
+```bash
+# Get recent commits (last 24 hours)
+git log --oneline --since="24 hours ago" --no-merges 2>/dev/null || echo "No recent commits"
+
+# Count files changed
+git diff --stat HEAD~10 HEAD 2>/dev/null | tail -1 || echo "No diff available"
+```
+
+Read `.planning/STATE.md` to get:
+- Current milestone and phase
+- Progress percentage
+- Active blockers
+- Recent decisions
+
+Read `.planning/ROADMAP.md` to get milestone name and goals.
+
+Check for existing reports:
+```bash
+ls -la .planning/reports/SESSION_REPORT*.md 2>/dev/null || echo "No previous reports"
+```
+</step>
+
+<step name="estimate_usage">
+Estimate token usage from observable signals:
+
+- Count of tool calls is not directly available, so estimate from git activity and file operations
+- Note: This is an **estimate** — exact token counts require API-level instrumentation not available to hooks
+
+Estimation heuristics:
+- Each commit ≈ 1 plan cycle (research + plan + execute + verify)
+- Each plan file ≈ 2,000-5,000 tokens of agent context
+- Each summary file ≈ 1,000-2,000 tokens generated
+- Subagent spawns multiply by ~1.5x per agent type used
+</step>
+
+<step name="generate_report">
+Create the report directory and file:
+
+```bash
+mkdir -p .planning/reports
+```
+
+Write `.planning/reports/SESSION_REPORT.md` (or `.planning/reports/YYYYMMDD-session-report.md` if previous reports exist):
+
+```markdown
+# GSD Session Report
+
+**Generated:** [timestamp]
+**Project:** [from PROJECT.md title or directory name]
+**Milestone:** [N] — [milestone name from ROADMAP.md]
+
+---
+
+## Session Summary
+
+**Duration:** [estimated from first to last commit timestamp, or "Single session"]
+**Phase Progress:** [from STATE.md]
+**Plans Executed:** [count of summaries written this session]
+**Commits Made:** [count from git log]
+
+## Work Performed
+
+### Phases Touched
+[List phases worked on with brief description of what was done]
+
+### Key Outcomes
+[Bullet list of concrete deliverables: files created, features implemented, bugs fixed]
+
+### Decisions Made
+[From STATE.md decisions table, if any were added this session]
+
+## Files Changed
+
+[Summary of files modified, created, deleted — from git diff stat]
+
+## Blockers & Open Items
+
+[Active blockers from STATE.md]
+[Any TODO items created during session]
+
+## Estimated Resource Usage
+
+| Metric | Estimate |
+|--------|----------|
+| Commits | [N] |
+| Files changed | [N] |
+| Plans executed | [N] |
+| Subagents spawned | [estimated] |
+
+> **Note:** Token and cost estimates require API-level instrumentation.
+> These metrics reflect observable session activity only.
+
+---
+
+*Generated by `/gsd-session-report`*
+```
+</step>
+
+<step name="display_result">
+Show the user:
+
+```
+## Session Report Generated
+
+📄 `.planning/reports/[filename].md`
+
+### Highlights
+- **Commits:** [N]
+- **Files changed:** [N]  
+- **Phase progress:** [X]%
+- **Plans executed:** [N]
+```
+
+If this is the first report, mention:
+```
+💡 Run `/gsd-session-report` at the end of each session to build a history of project activity.
+```
+</step>
+
+</process>
+
+<success_criteria>
+- [ ] Session data gathered from STATE.md, git log, and plan files
+- [ ] Report written to .planning/reports/
+- [ ] Report includes work summary, outcomes, and file changes
+- [ ] Filename includes date to prevent overwrites
+- [ ] Result summary displayed to user
+</success_criteria>