@opengsd/gsd-pi 1.0.2-dev.235ebf3 → 1.0.2-dev.29398d2

package/src/resources/extensions/gsd/bootstrap/register-hooks.ts

@@ -507,6 +507,21 @@ function initSessionNotifications(ctx: ExtensionContext): void {
   initNotificationWidget(ctx);
 }
 
+async function prepareWorkflowMcpForHookContext(
+  ctx: ExtensionContext,
+  basePath: string,
+): Promise<void> {
+  // Skip MCP auto-prep when running inside an auto-worktree. The worktree
+  // already has .mcp.json from createAutoWorktree, and re-running the writer
+  // post-chdir rewrites the file mid-run (non-idempotent due to cwd-relative
+  // CLI path resolution), dirtying the tree and breaking the milestone merge.
+  const { isInAutoWorktree } = await import("../auto-worktree.js");
+  if (isInAutoWorktree(basePath)) return;
+
+  const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
+  prepareWorkflowMcpForProject(ctx, basePath);
+}
+
 export function registerHooks(
   pi: ExtensionAPI,
   ecosystemHandlers: GSDEcosystemBeforeAgentStartHandler[],
@@ -532,12 +547,7 @@ export function registerHooks(
     await syncServiceTierStatus(ctx);
     await applyDisabledModelProviderPolicy(ctx);
     await applyCompactionThresholdOverride(ctx);
-    // Skip MCP auto-prep when running inside an auto-worktree (see session_switch below).
-    const { isInAutoWorktree } = await import("../auto-worktree.js");
-    if (!isInAutoWorktree(basePath)) {
-      const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
-      prepareWorkflowMcpForProject(ctx, basePath);
-    }
+    await prepareWorkflowMcpForHookContext(ctx, basePath);
 
     // Apply show_token_cost preference (#1515)
     try {
@@ -563,15 +573,7 @@ export function registerHooks(
     await syncServiceTierStatus(ctx);
     await applyDisabledModelProviderPolicy(ctx);
     await applyCompactionThresholdOverride(ctx);
-    // Skip MCP auto-prep when running inside an auto-worktree. The worktree
-    // already has .mcp.json from createAutoWorktree, and re-running the writer
-    // post-chdir rewrites the file mid-run (non-idempotent due to cwd-relative
-    // CLI path resolution), dirtying the tree and breaking the milestone merge.
-    const { isInAutoWorktree } = await import("../auto-worktree.js");
-    if (!isInAutoWorktree(basePath)) {
-      const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
-      prepareWorkflowMcpForProject(ctx, basePath);
-    }
+    await prepareWorkflowMcpForHookContext(ctx, basePath);
     await loadToolApiKeysForSession();
     if (!isAutoActive()) {
       ctx.ui.setWidget("gsd-progress", undefined);
@@ -608,6 +610,11 @@ export function registerHooks(
     }
     clearDeferredApprovalGate(beforeAgentBasePath);
 
+    // session_start can fire before the active provider has settled. By
+    // before_agent_start, Claude Code CLI sessions should get the same
+    // project MCP config that /gsd mcp init would write.
+    await prepareWorkflowMcpForHookContext(ctx, beforeAgentBasePath);
+
     // GSD's own context injection (existing behavior — unchanged).
     const { buildBeforeAgentStartResult } = await import("./system-context.js");
     const gsdResult = await buildBeforeAgentStartResult(event, ctx);

package/src/resources/extensions/gsd/closeout-recovery.ts

@@ -205,7 +205,12 @@ export function getCloseoutManualResolveBlocker(basePath: string): string | null
     return `Unmerged paths remain in ${basePath}: ${conflictProbe.unmerged.slice(0, 5).join(", ")}`;
   }
 
-  const status = runGit(basePath, ["status", "--porcelain"]);
+  let status: string;
+  try {
+    status = runGit(basePath, ["status", "--porcelain"]);
+  } catch {
+    return `Could not inspect git status in ${basePath}.`;
+  }
   if (status) {
     return `Working tree still has uncommitted changes in ${basePath}. Commit, stash, or run /gsd closeout retry first.`;
   }

package/src/resources/extensions/gsd/commands/handlers/auto.ts

@@ -208,7 +208,15 @@ export async function handleAutoCommand(trimmed: string, ctx: ExtensionCommandCo
 
   if (trimmed === "") {
     if (!(await guardRemoteSession(ctx, pi))) return true;
-    if (await hasUnresolvedCloseoutBlocker(ctx, projectRoot())) return true;
+    const basePath = projectRoot();
+    const { hasGsdBootstrapArtifacts } = await import("../../detection.js");
+    const { gsdRoot } = await import("../../paths.js");
+    if (!hasGsdBootstrapArtifacts(gsdRoot(basePath))) {
+      const { showSmartEntry } = await import("../../guided-flow.js");
+      await showSmartEntry(ctx, pi, basePath, { step: true });
+      return true;
+    }
+    if (await hasUnresolvedCloseoutBlocker(ctx, basePath)) return true;
     const { showGsdHome } = await import("../../gsd-command-home.js");
     await showGsdHome(ctx, pi, projectRoot());
     return true;

package/src/resources/extensions/gsd/commands-handlers.ts

@@ -26,6 +26,7 @@ import { isAutoActive, checkRemoteAutoSession } from "./auto.js";
 import { getAutoWorktreePath } from "./auto-worktree.js";
 import { currentDirectoryRoot, projectRoot } from "./commands/context.js";
 import { loadPrompt } from "./prompt-loader.js";
+import { isPnpmInstall } from "../../shared/package-manager-detection.js";
 import {
   buildDoctorHealIssuePayload,
   buildDoctorHealSummary,
@@ -57,6 +58,7 @@ function isBunInstall(argv1: string | undefined = process.argv[1]): boolean {
 
 function resolveInstallCommand(pkg: string): string {
   if (isBunInstall()) return `bun add -g ${pkg}`;
+  if (isPnpmInstall()) return `pnpm add -g ${pkg}`;
   return `npm install -g ${pkg}`;
 }
 

package/src/resources/extensions/gsd/doctor-providers.ts

@@ -16,7 +16,7 @@ import { delimiter, join } from "node:path";
 import { AuthStorage } from "@gsd/pi-coding-agent";
 import { getEnvApiKey } from "@gsd/pi-ai";
 import { loadEffectiveGSDPreferences } from "./preferences.js";
-import { getAuthPath, PROVIDER_REGISTRY, type ProviderCategory } from "./key-manager.js";
+import { getAuthPath, PROVIDER_REGISTRY, supportsBrowserOAuth, type ProviderCategory } from "./key-manager.js";
 import { homedir } from "node:os";
 
 // ── Types ──────────────────────────────────────────────────────────────────────
@@ -42,11 +42,10 @@ export interface ProviderCheckResult {
 
 /**
  * Providers that use external CLI authentication (not API keys).
- * These are always considered "found" — the host CLI handles auth.
+ * When explicitly selected, the provider's own CLI/session owns auth.
  */
 const CLI_AUTH_PROVIDERS = new Set([
   "claude-code",
-  "openai-codex",
   "google-gemini-cli",
   "google-antigravity",
 ]);
@@ -156,26 +155,30 @@ interface KeyLookup {
  * Map of CLI provider IDs to their binary names on disk.
  * Used for lightweight binary-presence checks (PATH scan, no subprocess).
  */
-const CLI_BINARY_MAP: Record<string, string> = {
-  "claude-code": "claude",
-  "openai-codex": "codex",
-  "google-gemini-cli": "gemini",
-  "google-antigravity": "antigravity",
+const CLI_BINARY_MAP: Record<string, string[]> = {
+  "claude-code": ["claude", "claude-code"],
+  "google-gemini-cli": ["gemini"],
+  "google-antigravity": ["agy"],
 };
 
+const CLI_AUTH_PATH_CHECK_PROVIDERS = new Set([
+  "google-gemini-cli",
+  "google-antigravity",
+]);
+
 /**
  * Check if a CLI provider's binary exists anywhere in PATH.
  * Fast filesystem scan — no subprocess, no network, sub-1ms.
  */
 function isCliBinaryInPath(providerId: string): boolean {
-  const binary = CLI_BINARY_MAP[providerId];
-  if (!binary) return false;
+  const binaries = CLI_BINARY_MAP[providerId];
+  if (!binaries) return false;
 
   const pathDirs = (process.env.PATH ?? "").split(delimiter).filter(Boolean);
 
   // On Windows, command shims are commonly installed as .cmd/.exe/.bat/.com.
   // Scan PATHEXT candidates in addition to the bare binary name.
-  const executableNames: string[] = [binary];
+  const executableNames: string[] = [...binaries];
   if (process.platform === "win32") {
     const rawPathExt = process.env.PATHEXT
       ?.split(";")
@@ -185,9 +188,11 @@ function isCliBinaryInPath(providerId: string): boolean {
       ext.startsWith(".") ? ext.toLowerCase() : `.${ext.toLowerCase()}`,
     );
     const defaultExt = [".exe", ".cmd", ".bat", ".com"];
-    for (const ext of [...normalizedPathExt, ...defaultExt]) {
-      const candidate = `${binary}${ext}`;
-      if (!executableNames.includes(candidate)) executableNames.push(candidate);
+    for (const binary of binaries) {
+      for (const ext of [...normalizedPathExt, ...defaultExt]) {
+        const candidate = `${binary}${ext}`;
+        if (!executableNames.includes(candidate)) executableNames.push(candidate);
+      }
     }
   }
 
@@ -224,12 +229,6 @@ function hasModelsJsonApiKey(providerId: string): boolean {
 function resolveKey(providerId: string): KeyLookup {
   const info = PROVIDER_REGISTRY.find(p => p.id === providerId);
 
-  // claude-code never stores credentials in auth.json — GSD delegates entirely to
-  // the local CLI binary. Presence of the binary in PATH is the only signal.
-  if (providerId === "claude-code") {
-    return { found: isCliBinaryInPath("claude-code"), source: "env", backedOff: false };
-  }
-
   if (providerId === "anthropic-vertex" && process.env.ANTHROPIC_VERTEX_PROJECT_ID) {
     return { found: true, source: "env", backedOff: false };
   }
@@ -242,9 +241,15 @@ function resolveKey(providerId: string): KeyLookup {
       const creds = auth.getCredentialsForProvider(providerId);
       if (creds.length > 0) {
         // Filter out empty placeholder keys (from skipped onboarding)
-        const hasRealKey = creds.some(c =>
-          c.type === "oauth" || (c.type === "api_key" && (c as { key?: string }).key)
-        );
+        const hasRealKey = creds.some(c => {
+          if (c.type === "oauth") return true;
+          if (c.type !== "api_key") return false;
+
+          const key = (c as { key?: string }).key?.trim();
+          if (!key) return false;
+
+          return !(CLI_AUTH_PROVIDERS.has(providerId) && key === "cli");
+        });
         if (hasRealKey) {
           return {
             found: true,
@@ -275,6 +280,12 @@ function resolveKey(providerId: string): KeyLookup {
     return { found: true, source: "models.json", backedOff: false };
   }
 
+  // Cross-provider routes can use a local CLI when it is installed. Explicit
+  // external CLI provider selections are handled in checkLlmProviders() below.
+  if (CLI_AUTH_PROVIDERS.has(providerId) && isCliBinaryInPath(providerId)) {
+    return { found: true, source: "env", backedOff: false };
+  }
+
   return { found: false, source: "none", backedOff: false };
 }
 
@@ -285,15 +296,32 @@ function checkLlmProviders(): ProviderCheckResult[] {
   const results: ProviderCheckResult[] = [];
 
   for (const providerId of required) {
-    // CLI-authenticated providers don't need API keys — skip key check
+    // CLI-authenticated providers don't need API keys. The provider's own
+    // request path validates CLI sessions when it is used.
     if (CLI_AUTH_PROVIDERS.has(providerId)) {
       const info = PROVIDER_REGISTRY.find(p => p.id === providerId);
+      const label = info?.label ?? providerId;
+      if (CLI_AUTH_PATH_CHECK_PROVIDERS.has(providerId) && !isCliBinaryInPath(providerId)) {
+        const binaries = CLI_BINARY_MAP[providerId]?.map(binary => `\`${binary}\``).join(" or ");
+        results.push({
+          name: providerId,
+          label,
+          category: "llm",
+          status: "error",
+          message: `${label} — CLI not found`,
+          detail: binaries
+            ? `Install ${label} and ensure ${binaries} is on PATH`
+            : `Install ${label} and ensure its CLI is on PATH`,
+          required: true,
+        });
+        continue;
+      }
       results.push({
         name: providerId,
-        label: info?.label ?? providerId,
+        label,
         category: "llm",
         status: "ok",
-        message: `${info?.label ?? providerId} — CLI auth (no key needed)`,
+        message: `${label} — CLI auth (no key needed)`,
         required: true,
       });
       continue;
@@ -333,7 +361,7 @@ function checkLlmProviders(): ProviderCheckResult[] {
         message: `${label} — not configured`,
         detail: providerId === "anthropic-vertex"
           ? "Set ANTHROPIC_VERTEX_PROJECT_ID and authenticate with Google ADC"
-          : info?.hasOAuth
+          : info && supportsBrowserOAuth(info)
           ? `Run /gsd keys to authenticate`
           : `Set ${envVar} or run /gsd keys`,
         required: true,

package/src/resources/extensions/gsd/git-conflict-state.ts

@@ -3,7 +3,7 @@
 
 import { spawnSync } from "node:child_process";
 import { existsSync } from "node:fs";
-import { join } from "node:path";
+import { dirname, join, resolve } from "node:path";
 
 import { autoResolveSafeConflictPaths } from "./git-conflict-resolve.js";
 import { GIT_NO_PROMPT_ENV } from "./git-constants.js";
@@ -14,6 +14,21 @@ function splitZeroDelimited(output: string): string[] {
   return output.split("\0").filter(Boolean);
 }
 
+function hasGitMarker(basePath: string): boolean {
+  try {
+    let dir = resolve(basePath);
+    for (let i = 0; i < 30; i++) {
+      if (existsSync(join(dir, ".git"))) return true;
+      const parent = dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+  } catch {
+    // Fall through to the git probes, which will report unknown on failure.
+  }
+  return false;
+}
+
 export function listUnmergedGitPaths(basePath: string): string[] | null {
   try {
     const output = spawnSync("git", ["diff", "--name-only", "--diff-filter=U", "-z"], {
@@ -75,6 +90,15 @@ export interface GitConflictProbeResult {
 }
 
 export function probeGitConflictState(basePath: string): GitConflictProbeResult {
+  if (!hasGitMarker(basePath)) {
+    return {
+      status: "clean",
+      unmerged: [],
+      checkFailures: [],
+      mergeStateBlockers: [],
+    };
+  }
+
   const unmerged = listUnmergedGitPaths(basePath);
   if (unmerged === null) {
     return {

package/src/resources/extensions/gsd/key-manager.ts

@@ -22,6 +22,7 @@ import { gsdHome } from "./gsd-home.js";
 // ─── Provider Registry ─────────────────────────────────────────────────────────
 
 export type ProviderCategory = "llm" | "tool" | "search" | "remote";
+export type ProviderAuthMode = "apiKey" | "browserOAuth" | "externalCli" | "cloudIdentity" | "none";
 
 export interface ProviderInfo {
   id: string;
@@ -29,24 +30,24 @@ export interface ProviderInfo {
   category: ProviderCategory;
   envVar?: string;
   prefixes?: string[];
-  hasOAuth?: boolean;
+  authMode?: ProviderAuthMode;
   dashboardUrl?: string;
 }
 
 export const PROVIDER_REGISTRY: ProviderInfo[] = [
   // LLM Providers
-  { id: "anthropic",        label: "Anthropic (Claude)",      category: "llm", envVar: "ANTHROPIC_API_KEY",      prefixes: ["sk-ant-"], hasOAuth: true, dashboardUrl: "console.anthropic.com" },
+  { id: "anthropic",        label: "Anthropic (Claude)",      category: "llm", envVar: "ANTHROPIC_API_KEY",      prefixes: ["sk-ant-"], authMode: "apiKey", dashboardUrl: "console.anthropic.com" },
   // Claude Code CLI: routes through the local `claude` binary — no API key,
   // authentication is handled by the CLI's own OAuth flow.
   // Referenced by doctor-providers.ts, auto-model-selection.ts, and others;
   // must be in the canonical registry so all consumers see the same catalog.
   // See: https://github.com/open-gsd/gsd-pi/issues/4541
-  { id: "claude-code",      label: "Claude Code CLI",         category: "llm",                                   hasOAuth: true },
+  { id: "claude-code",      label: "Claude Code CLI",         category: "llm",                                   authMode: "externalCli" },
   { id: "openai",           label: "OpenAI",                  category: "llm", envVar: "OPENAI_API_KEY",         prefixes: ["sk-"],     dashboardUrl: "platform.openai.com/api-keys" },
-  { id: "github-copilot",   label: "GitHub Copilot",          category: "llm", envVar: "GITHUB_TOKEN",           hasOAuth: true },
-  { id: "openai-codex",     label: "ChatGPT Plus/Pro (Codex)",category: "llm",                                   hasOAuth: true },
-  { id: "google-gemini-cli",label: "Google Gemini CLI",       category: "llm",                                   hasOAuth: true },
-  { id: "google-antigravity",label: "Antigravity",            category: "llm",                                   hasOAuth: true },
+  { id: "github-copilot",   label: "GitHub Copilot",          category: "llm", envVar: "GITHUB_TOKEN",           authMode: "browserOAuth" },
+  { id: "openai-codex",     label: "ChatGPT Plus/Pro (Codex)",category: "llm",                                   authMode: "browserOAuth" },
+  { id: "google-gemini-cli",label: "Google Gemini CLI",       category: "llm",                                   authMode: "externalCli" },
+  { id: "google-antigravity",label: "Antigravity",            category: "llm",                                   authMode: "externalCli" },
   { id: "google",           label: "Google (Gemini)",         category: "llm", envVar: "GEMINI_API_KEY",         dashboardUrl: "aistudio.google.com/apikey" },
   { id: "groq",             label: "Groq",                    category: "llm", envVar: "GROQ_API_KEY",           dashboardUrl: "console.groq.com" },
   { id: "xai",              label: "xAI (Grok)",              category: "llm", envVar: "XAI_API_KEY",            dashboardUrl: "console.x.ai" },
@@ -77,6 +78,21 @@ export const PROVIDER_REGISTRY: ProviderInfo[] = [
 
 // ─── Utilities ──────────────────────────────────────────────────────────────────
 
+export function getProviderAuthMode(provider: ProviderInfo): ProviderAuthMode {
+  return provider.authMode ?? "apiKey";
+}
+
+export function supportsBrowserOAuth(provider: ProviderInfo): boolean {
+  return getProviderAuthMode(provider) === "browserOAuth";
+}
+
+export function supportsStoredApiKey(provider: ProviderInfo): boolean {
+  const mode = getProviderAuthMode(provider);
+  if (mode === "externalCli" || mode === "cloudIdentity" || mode === "none") return false;
+  if (mode === "browserOAuth") return Boolean(provider.envVar || provider.prefixes?.length);
+  return true;
+}
+
 /**
  * Mask an API key for display: show first 4 + last 4 chars.
  * Keys shorter than 12 chars show only first 2 + last 2.
@@ -104,10 +120,13 @@ export function formatDuration(ms: number): string {
 /**
  * Describe a credential's type and status.
  */
-export function describeCredential(cred: AuthCredential): string {
+export function describeCredential(cred: AuthCredential, provider?: ProviderInfo): string {
   if (cred.type === "api_key") {
     const apiCred = cred as ApiKeyCredential;
     if (!apiCred.key) return "empty key";
+    if (apiCred.key === "cli" && provider && getProviderAuthMode(provider) === "externalCli") {
+      return "external CLI";
+    }
     return `API key (${maskKey(apiCred.key)})`;
   }
   if (cred.type === "oauth") {
@@ -171,7 +190,7 @@ export function getAllKeyStatuses(auth: AuthStorage): KeyStatus[] {
       const desc =
         creds.length > 1
           ? `${creds.length} keys (round-robin)`
-          : describeCredential(firstCred);
+          : describeCredential(firstCred, provider);
       return {
         provider,
         configured: true,
@@ -289,9 +308,28 @@ export async function handleAddKey(
     provider = PROVIDER_REGISTRY[idx];
   }
 
-  // If OAuth is available, offer choice
-  if (provider.hasOAuth) {
-    const methods = ["API key", "Browser login (OAuth)"];
+  const authMode = getProviderAuthMode(provider);
+  if (authMode === "externalCli") {
+    ctx.ui.notify(
+      `${provider.label} is authenticated by its own local CLI. ` +
+      `Sign in with that CLI first, then run /login to activate it in GSD.`,
+      "info",
+    );
+    return false;
+  }
+
+  if (authMode === "cloudIdentity") {
+    ctx.ui.notify(
+      `${provider.label} uses cloud identity credentials. Configure the provider's cloud CLI or environment, then restart GSD.`,
+      "info",
+    );
+    return false;
+  }
+
+  if (supportsBrowserOAuth(provider)) {
+    const methods = supportsStoredApiKey(provider)
+      ? ["API token/key", "Browser login (OAuth)"]
+      : ["Browser login (OAuth)"];
     const method = await ctx.ui.select(
       `${provider.label} — how do you want to authenticate?`,
       methods,
@@ -308,6 +346,11 @@ export async function handleAddKey(
     }
   }
 
+  if (!supportsStoredApiKey(provider)) {
+    ctx.ui.notify(`${provider.label} does not accept a GSD-stored API key. Use /login.`, "info");
+    return false;
+  }
+
   // API key input
   const input = await ctx.ui.input(
     `API key for ${provider.label}:`,
@@ -387,7 +430,7 @@ export async function handleRemoveKey(
 
   // Multi-key handling
   if (creds.length > 1) {
-    const options = creds.map((c, i) => `[${i + 1}] ${describeCredential(c)}`);
+    const options = creds.map((c, i) => `[${i + 1}] ${describeCredential(c, provider)}`);
     options.push("Remove all");
 
     const choice = await ctx.ui.select(
@@ -411,7 +454,7 @@ export async function handleRemoveKey(
   } else {
     const confirmed = await ctx.ui.confirm(
       "Remove key?",
-      `Remove ${describeCredential(creds[0])} for ${provider.label}?`,
+      `Remove ${describeCredential(creds[0], provider)} for ${provider.label}?`,
     );
     if (!confirmed) return false;
     auth.remove(provider.id);