@opengsd/gsd-pi 1.0.2-dev.235ebf3 → 1.0.2-dev.29398d2

package/dist/resources/extensions/gsd/bootstrap/register-hooks.js

@@ -418,6 +418,17 @@ function initSessionNotifications(ctx) {
     installNotifyInterceptor(ctx);
     initNotificationWidget(ctx);
 }
+async function prepareWorkflowMcpForHookContext(ctx, basePath) {
+    // Skip MCP auto-prep when running inside an auto-worktree. The worktree
+    // already has .mcp.json from createAutoWorktree, and re-running the writer
+    // post-chdir rewrites the file mid-run (non-idempotent due to cwd-relative
+    // CLI path resolution), dirtying the tree and breaking the milestone merge.
+    const { isInAutoWorktree } = await import("../auto-worktree.js");
+    if (isInAutoWorktree(basePath))
+        return;
+    const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
+    prepareWorkflowMcpForProject(ctx, basePath);
+}
 export function registerHooks(pi, ecosystemHandlers) {
     // ADR-005 Phase 3b: surface pi-ai ProviderSwitchReport via audit, notification, and counter.
     // Idempotent — only the first registerHooks call installs.
@@ -438,12 +449,7 @@ export function registerHooks(pi, ecosystemHandlers) {
         await syncServiceTierStatus(ctx);
         await applyDisabledModelProviderPolicy(ctx);
         await applyCompactionThresholdOverride(ctx);
-        // Skip MCP auto-prep when running inside an auto-worktree (see session_switch below).
-        const { isInAutoWorktree } = await import("../auto-worktree.js");
-        if (!isInAutoWorktree(basePath)) {
-            const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
-            prepareWorkflowMcpForProject(ctx, basePath);
-        }
+        await prepareWorkflowMcpForHookContext(ctx, basePath);
         // Apply show_token_cost preference (#1515)
         try {
             const { loadEffectiveGSDPreferences } = await import("../preferences.js");
@@ -468,15 +474,7 @@ export function registerHooks(pi, ecosystemHandlers) {
         await syncServiceTierStatus(ctx);
         await applyDisabledModelProviderPolicy(ctx);
         await applyCompactionThresholdOverride(ctx);
-        // Skip MCP auto-prep when running inside an auto-worktree. The worktree
-        // already has .mcp.json from createAutoWorktree, and re-running the writer
-        // post-chdir rewrites the file mid-run (non-idempotent due to cwd-relative
-        // CLI path resolution), dirtying the tree and breaking the milestone merge.
-        const { isInAutoWorktree } = await import("../auto-worktree.js");
-        if (!isInAutoWorktree(basePath)) {
-            const { prepareWorkflowMcpForProject } = await import("../workflow-mcp-auto-prep.js");
-            prepareWorkflowMcpForProject(ctx, basePath);
-        }
+        await prepareWorkflowMcpForHookContext(ctx, basePath);
         await loadToolApiKeysForSession();
         if (!isAutoActive()) {
             ctx.ui.setWidget("gsd-progress", undefined);
@@ -511,6 +509,10 @@ export function registerHooks(pi, ecosystemHandlers) {
             }
         }
         clearDeferredApprovalGate(beforeAgentBasePath);
+        // session_start can fire before the active provider has settled. By
+        // before_agent_start, Claude Code CLI sessions should get the same
+        // project MCP config that /gsd mcp init would write.
+        await prepareWorkflowMcpForHookContext(ctx, beforeAgentBasePath);
         // GSD's own context injection (existing behavior — unchanged).
         const { buildBeforeAgentStartResult } = await import("./system-context.js");
         const gsdResult = await buildBeforeAgentStartResult(event, ctx);

package/dist/resources/extensions/gsd/closeout-recovery.js

@@ -167,7 +167,13 @@ export function getCloseoutManualResolveBlocker(basePath) {
     if (conflictProbe.status === "dirty" && conflictProbe.unmerged.length > 0) {
         return `Unmerged paths remain in ${basePath}: ${conflictProbe.unmerged.slice(0, 5).join(", ")}`;
     }
-    const status = runGit(basePath, ["status", "--porcelain"]);
+    let status;
+    try {
+        status = runGit(basePath, ["status", "--porcelain"]);
+    }
+    catch {
+        return `Could not inspect git status in ${basePath}.`;
+    }
     if (status) {
         return `Working tree still has uncommitted changes in ${basePath}. Commit, stash, or run /gsd closeout retry first.`;
     }

package/dist/resources/extensions/gsd/commands/handlers/auto.js

@@ -197,7 +197,15 @@ export async function handleAutoCommand(trimmed, ctx, pi) {
     if (trimmed === "") {
         if (!(await guardRemoteSession(ctx, pi)))
             return true;
-        if (await hasUnresolvedCloseoutBlocker(ctx, projectRoot()))
+        const basePath = projectRoot();
+        const { hasGsdBootstrapArtifacts } = await import("../../detection.js");
+        const { gsdRoot } = await import("../../paths.js");
+        if (!hasGsdBootstrapArtifacts(gsdRoot(basePath))) {
+            const { showSmartEntry } = await import("../../guided-flow.js");
+            await showSmartEntry(ctx, pi, basePath, { step: true });
+            return true;
+        }
+        if (await hasUnresolvedCloseoutBlocker(ctx, basePath))
             return true;
         const { showGsdHome } = await import("../../gsd-command-home.js");
         await showGsdHome(ctx, pi, projectRoot());

package/dist/resources/extensions/gsd/commands-handlers.js

@@ -17,6 +17,7 @@ import { isAutoActive, checkRemoteAutoSession } from "./auto.js";
 import { getAutoWorktreePath } from "./auto-worktree.js";
 import { currentDirectoryRoot, projectRoot } from "./commands/context.js";
 import { loadPrompt } from "./prompt-loader.js";
+import { isPnpmInstall } from "../../shared/package-manager-detection.js";
 import { buildDoctorHealIssuePayload, buildDoctorHealSummary, buildWorkflowDispatchContent, } from "./workflow-protocol.js";
 import { restoreGsdWorkflowTools, scopeGsdWorkflowToolsForDispatch, } from "./bootstrap/register-hooks.js";
 const UPDATE_REGISTRY_URL = "https://registry.npmjs.org/@opengsd%2fgsd-pi/latest";
@@ -42,6 +43,8 @@ function isBunInstall(argv1 = process.argv[1]) {
 function resolveInstallCommand(pkg) {
     if (isBunInstall())
         return `bun add -g ${pkg}`;
+    if (isPnpmInstall())
+        return `pnpm add -g ${pkg}`;
     return `npm install -g ${pkg}`;
 }
 async function fetchLatestVersionForCommand() {

package/dist/resources/extensions/gsd/doctor-providers.js

@@ -15,16 +15,15 @@ import { delimiter, join } from "node:path";
 import { AuthStorage } from "@gsd/pi-coding-agent";
 import { getEnvApiKey } from "@gsd/pi-ai";
 import { loadEffectiveGSDPreferences } from "./preferences.js";
-import { getAuthPath, PROVIDER_REGISTRY } from "./key-manager.js";
+import { getAuthPath, PROVIDER_REGISTRY, supportsBrowserOAuth } from "./key-manager.js";
 import { homedir } from "node:os";
 // ── Provider routing constants ────────────────────────────────────────────────
 /**
  * Providers that use external CLI authentication (not API keys).
- * These are always considered "found" — the host CLI handles auth.
+ * When explicitly selected, the provider's own CLI/session owns auth.
  */
 const CLI_AUTH_PROVIDERS = new Set([
     "claude-code",
-    "openai-codex",
     "google-gemini-cli",
     "google-antigravity",
 ]);
@@ -126,23 +125,26 @@ function collectConfiguredModelProviders() {
  * Used for lightweight binary-presence checks (PATH scan, no subprocess).
  */
 const CLI_BINARY_MAP = {
-    "claude-code": "claude",
-    "openai-codex": "codex",
-    "google-gemini-cli": "gemini",
-    "google-antigravity": "antigravity",
+    "claude-code": ["claude", "claude-code"],
+    "google-gemini-cli": ["gemini"],
+    "google-antigravity": ["agy"],
 };
+const CLI_AUTH_PATH_CHECK_PROVIDERS = new Set([
+    "google-gemini-cli",
+    "google-antigravity",
+]);
 /**
  * Check if a CLI provider's binary exists anywhere in PATH.
  * Fast filesystem scan — no subprocess, no network, sub-1ms.
  */
 function isCliBinaryInPath(providerId) {
-    const binary = CLI_BINARY_MAP[providerId];
-    if (!binary)
+    const binaries = CLI_BINARY_MAP[providerId];
+    if (!binaries)
         return false;
     const pathDirs = (process.env.PATH ?? "").split(delimiter).filter(Boolean);
     // On Windows, command shims are commonly installed as .cmd/.exe/.bat/.com.
     // Scan PATHEXT candidates in addition to the bare binary name.
-    const executableNames = [binary];
+    const executableNames = [...binaries];
     if (process.platform === "win32") {
         const rawPathExt = process.env.PATHEXT
             ?.split(";")
@@ -150,10 +152,12 @@ function isCliBinaryInPath(providerId) {
             .filter(Boolean) ?? [];
         const normalizedPathExt = rawPathExt.map(ext => ext.startsWith(".") ? ext.toLowerCase() : `.${ext.toLowerCase()}`);
         const defaultExt = [".exe", ".cmd", ".bat", ".com"];
-        for (const ext of [...normalizedPathExt, ...defaultExt]) {
-            const candidate = `${binary}${ext}`;
-            if (!executableNames.includes(candidate))
-                executableNames.push(candidate);
+        for (const binary of binaries) {
+            for (const ext of [...normalizedPathExt, ...defaultExt]) {
+                const candidate = `${binary}${ext}`;
+                if (!executableNames.includes(candidate))
+                    executableNames.push(candidate);
+            }
         }
     }
     return pathDirs.some(dir => executableNames.some(name => existsSync(join(dir, name))));
@@ -185,11 +189,6 @@ function hasModelsJsonApiKey(providerId) {
 }
 function resolveKey(providerId) {
     const info = PROVIDER_REGISTRY.find(p => p.id === providerId);
-    // claude-code never stores credentials in auth.json — GSD delegates entirely to
-    // the local CLI binary. Presence of the binary in PATH is the only signal.
-    if (providerId === "claude-code") {
-        return { found: isCliBinaryInPath("claude-code"), source: "env", backedOff: false };
-    }
     if (providerId === "anthropic-vertex" && process.env.ANTHROPIC_VERTEX_PROJECT_ID) {
         return { found: true, source: "env", backedOff: false };
     }
@@ -201,7 +200,16 @@ function resolveKey(providerId) {
             const creds = auth.getCredentialsForProvider(providerId);
             if (creds.length > 0) {
                 // Filter out empty placeholder keys (from skipped onboarding)
-                const hasRealKey = creds.some(c => c.type === "oauth" || (c.type === "api_key" && c.key));
+                const hasRealKey = creds.some(c => {
+                    if (c.type === "oauth")
+                        return true;
+                    if (c.type !== "api_key")
+                        return false;
+                    const key = c.key?.trim();
+                    if (!key)
+                        return false;
+                    return !(CLI_AUTH_PROVIDERS.has(providerId) && key === "cli");
+                });
                 if (hasRealKey) {
                     return {
                         found: true,
@@ -229,6 +237,11 @@ function resolveKey(providerId) {
     if (hasModelsJsonApiKey(providerId)) {
         return { found: true, source: "models.json", backedOff: false };
     }
+    // Cross-provider routes can use a local CLI when it is installed. Explicit
+    // external CLI provider selections are handled in checkLlmProviders() below.
+    if (CLI_AUTH_PROVIDERS.has(providerId) && isCliBinaryInPath(providerId)) {
+        return { found: true, source: "env", backedOff: false };
+    }
     return { found: false, source: "none", backedOff: false };
 }
 // ── Individual check groups ────────────────────────────────────────────────────
@@ -236,15 +249,32 @@ function checkLlmProviders() {
     const required = collectConfiguredModelProviders();
     const results = [];
     for (const providerId of required) {
-        // CLI-authenticated providers don't need API keys — skip key check
+        // CLI-authenticated providers don't need API keys. The provider's own
+        // request path validates CLI sessions when it is used.
         if (CLI_AUTH_PROVIDERS.has(providerId)) {
             const info = PROVIDER_REGISTRY.find(p => p.id === providerId);
+            const label = info?.label ?? providerId;
+            if (CLI_AUTH_PATH_CHECK_PROVIDERS.has(providerId) && !isCliBinaryInPath(providerId)) {
+                const binaries = CLI_BINARY_MAP[providerId]?.map(binary => `\`${binary}\``).join(" or ");
+                results.push({
+                    name: providerId,
+                    label,
+                    category: "llm",
+                    status: "error",
+                    message: `${label} — CLI not found`,
+                    detail: binaries
+                        ? `Install ${label} and ensure ${binaries} is on PATH`
+                        : `Install ${label} and ensure its CLI is on PATH`,
+                    required: true,
+                });
+                continue;
+            }
             results.push({
                 name: providerId,
-                label: info?.label ?? providerId,
+                label,
                 category: "llm",
                 status: "ok",
-                message: `${info?.label ?? providerId} — CLI auth (no key needed)`,
+                message: `${label} — CLI auth (no key needed)`,
                 required: true,
             });
             continue;
@@ -282,7 +312,7 @@ function checkLlmProviders() {
                 message: `${label} — not configured`,
                 detail: providerId === "anthropic-vertex"
                     ? "Set ANTHROPIC_VERTEX_PROJECT_ID and authenticate with Google ADC"
-                    : info?.hasOAuth
+                    : info && supportsBrowserOAuth(info)
                         ? `Run /gsd keys to authenticate`
                         : `Set ${envVar} or run /gsd keys`,
                 required: true,

package/dist/resources/extensions/gsd/git-conflict-state.js

@@ -2,7 +2,7 @@
 // File Purpose: Detect and reconcile unresolved Git conflict state before automation runs.
 import { spawnSync } from "node:child_process";
 import { existsSync } from "node:fs";
-import { join } from "node:path";
+import { dirname, join, resolve } from "node:path";
 import { autoResolveSafeConflictPaths } from "./git-conflict-resolve.js";
 import { GIT_NO_PROMPT_ENV } from "./git-constants.js";
 import { abortAndReset } from "./git-self-heal.js";
@@ -10,6 +10,23 @@ import { logWarning } from "./workflow-logger.js";
 function splitZeroDelimited(output) {
     return output.split("\0").filter(Boolean);
 }
+function hasGitMarker(basePath) {
+    try {
+        let dir = resolve(basePath);
+        for (let i = 0; i < 30; i++) {
+            if (existsSync(join(dir, ".git")))
+                return true;
+            const parent = dirname(dir);
+            if (parent === dir)
+                break;
+            dir = parent;
+        }
+    }
+    catch {
+        // Fall through to the git probes, which will report unknown on failure.
+    }
+    return false;
+}
 export function listUnmergedGitPaths(basePath) {
     try {
         const output = spawnSync("git", ["diff", "--name-only", "--diff-filter=U", "-z"], {
@@ -57,6 +74,14 @@ export function listMergeStateBlockers(basePath) {
     return MERGE_STATE_MARKERS.filter((marker) => existsSync(join(gitDir, marker)));
 }
 export function probeGitConflictState(basePath) {
+    if (!hasGitMarker(basePath)) {
+        return {
+            status: "clean",
+            unmerged: [],
+            checkFailures: [],
+            mergeStateBlockers: [],
+        };
+    }
     const unmerged = listUnmergedGitPaths(basePath);
     if (unmerged === null) {
         return {

package/dist/resources/extensions/gsd/key-manager.js

@@ -12,18 +12,18 @@ import { getErrorMessage } from "./error-utils.js";
 import { gsdHome } from "./gsd-home.js";
 export const PROVIDER_REGISTRY = [
     // LLM Providers
-    { id: "anthropic", label: "Anthropic (Claude)", category: "llm", envVar: "ANTHROPIC_API_KEY", prefixes: ["sk-ant-"], hasOAuth: true, dashboardUrl: "console.anthropic.com" },
+    { id: "anthropic", label: "Anthropic (Claude)", category: "llm", envVar: "ANTHROPIC_API_KEY", prefixes: ["sk-ant-"], authMode: "apiKey", dashboardUrl: "console.anthropic.com" },
     // Claude Code CLI: routes through the local `claude` binary — no API key,
     // authentication is handled by the CLI's own OAuth flow.
     // Referenced by doctor-providers.ts, auto-model-selection.ts, and others;
     // must be in the canonical registry so all consumers see the same catalog.
     // See: https://github.com/open-gsd/gsd-pi/issues/4541
-    { id: "claude-code", label: "Claude Code CLI", category: "llm", hasOAuth: true },
+    { id: "claude-code", label: "Claude Code CLI", category: "llm", authMode: "externalCli" },
     { id: "openai", label: "OpenAI", category: "llm", envVar: "OPENAI_API_KEY", prefixes: ["sk-"], dashboardUrl: "platform.openai.com/api-keys" },
-    { id: "github-copilot", label: "GitHub Copilot", category: "llm", envVar: "GITHUB_TOKEN", hasOAuth: true },
-    { id: "openai-codex", label: "ChatGPT Plus/Pro (Codex)", category: "llm", hasOAuth: true },
-    { id: "google-gemini-cli", label: "Google Gemini CLI", category: "llm", hasOAuth: true },
-    { id: "google-antigravity", label: "Antigravity", category: "llm", hasOAuth: true },
+    { id: "github-copilot", label: "GitHub Copilot", category: "llm", envVar: "GITHUB_TOKEN", authMode: "browserOAuth" },
+    { id: "openai-codex", label: "ChatGPT Plus/Pro (Codex)", category: "llm", authMode: "browserOAuth" },
+    { id: "google-gemini-cli", label: "Google Gemini CLI", category: "llm", authMode: "externalCli" },
+    { id: "google-antigravity", label: "Antigravity", category: "llm", authMode: "externalCli" },
     { id: "google", label: "Google (Gemini)", category: "llm", envVar: "GEMINI_API_KEY", dashboardUrl: "aistudio.google.com/apikey" },
     { id: "groq", label: "Groq", category: "llm", envVar: "GROQ_API_KEY", dashboardUrl: "console.groq.com" },
     { id: "xai", label: "xAI (Grok)", category: "llm", envVar: "XAI_API_KEY", dashboardUrl: "console.x.ai" },
@@ -49,6 +49,20 @@ export const PROVIDER_REGISTRY = [
     { id: "telegram_bot", label: "Telegram Bot", category: "remote", envVar: "TELEGRAM_BOT_TOKEN" },
 ];
 // ─── Utilities ──────────────────────────────────────────────────────────────────
+export function getProviderAuthMode(provider) {
+    return provider.authMode ?? "apiKey";
+}
+export function supportsBrowserOAuth(provider) {
+    return getProviderAuthMode(provider) === "browserOAuth";
+}
+export function supportsStoredApiKey(provider) {
+    const mode = getProviderAuthMode(provider);
+    if (mode === "externalCli" || mode === "cloudIdentity" || mode === "none")
+        return false;
+    if (mode === "browserOAuth")
+        return Boolean(provider.envVar || provider.prefixes?.length);
+    return true;
+}
 /**
  * Mask an API key for display: show first 4 + last 4 chars.
  * Keys shorter than 12 chars show only first 2 + last 2.
@@ -79,11 +93,14 @@ export function formatDuration(ms) {
 /**
  * Describe a credential's type and status.
  */
-export function describeCredential(cred) {
+export function describeCredential(cred, provider) {
     if (cred.type === "api_key") {
         const apiCred = cred;
         if (!apiCred.key)
             return "empty key";
+        if (apiCred.key === "cli" && provider && getProviderAuthMode(provider) === "externalCli") {
+            return "external CLI";
+        }
         return `API key (${maskKey(apiCred.key)})`;
     }
     if (cred.type === "oauth") {
@@ -129,7 +146,7 @@ export function getAllKeyStatuses(auth) {
             const firstCred = creds[0];
             const desc = creds.length > 1
                 ? `${creds.length} keys (round-robin)`
-                : describeCredential(firstCred);
+                : describeCredential(firstCred, provider);
             return {
                 provider,
                 configured: true,
@@ -236,9 +253,20 @@ export async function handleAddKey(providerArg, ctx, auth) {
             return false;
         provider = PROVIDER_REGISTRY[idx];
     }
-    // If OAuth is available, offer choice
-    if (provider.hasOAuth) {
-        const methods = ["API key", "Browser login (OAuth)"];
+    const authMode = getProviderAuthMode(provider);
+    if (authMode === "externalCli") {
+        ctx.ui.notify(`${provider.label} is authenticated by its own local CLI. ` +
+            `Sign in with that CLI first, then run /login to activate it in GSD.`, "info");
+        return false;
+    }
+    if (authMode === "cloudIdentity") {
+        ctx.ui.notify(`${provider.label} uses cloud identity credentials. Configure the provider's cloud CLI or environment, then restart GSD.`, "info");
+        return false;
+    }
+    if (supportsBrowserOAuth(provider)) {
+        const methods = supportsStoredApiKey(provider)
+            ? ["API token/key", "Browser login (OAuth)"]
+            : ["Browser login (OAuth)"];
         const method = await ctx.ui.select(`${provider.label} — how do you want to authenticate?`, methods);
         if (!method || typeof method !== "string")
             return false;
@@ -248,6 +276,10 @@ export async function handleAddKey(providerArg, ctx, auth) {
             return false;
         }
     }
+    if (!supportsStoredApiKey(provider)) {
+        ctx.ui.notify(`${provider.label} does not accept a GSD-stored API key. Use /login.`, "info");
+        return false;
+    }
     // API key input
     const input = await ctx.ui.input(`API key for ${provider.label}:`, provider.envVar ? `or set ${provider.envVar} env var` : "paste your key here");
     if (input === null || input === undefined)
@@ -309,7 +341,7 @@ export async function handleRemoveKey(providerArg, ctx, auth) {
     }
     // Multi-key handling
     if (creds.length > 1) {
-        const options = creds.map((c, i) => `[${i + 1}] ${describeCredential(c)}`);
+        const options = creds.map((c, i) => `[${i + 1}] ${describeCredential(c, provider)}`);
         options.push("Remove all");
         const choice = await ctx.ui.select(`${provider.label} has ${creds.length} keys. Remove which?`, options);
         if (!choice || typeof choice !== "string")
@@ -330,7 +362,7 @@ export async function handleRemoveKey(providerArg, ctx, auth) {
         }
     }
     else {
-        const confirmed = await ctx.ui.confirm("Remove key?", `Remove ${describeCredential(creds[0])} for ${provider.label}?`);
+        const confirmed = await ctx.ui.confirm("Remove key?", `Remove ${describeCredential(creds[0], provider)} for ${provider.label}?`);
         if (!confirmed)
             return false;
         auth.remove(provider.id);

package/dist/resources/extensions/gsd/tools/complete-task.js

@@ -116,6 +116,15 @@ export async function handleCompleteTask(params, basePath) {
     if (!params.milestoneId || typeof params.milestoneId !== "string" || params.milestoneId.trim() === "") {
         return { error: "milestoneId is required and must be a non-empty string" };
     }
+    if (!params.oneLiner || typeof params.oneLiner !== "string" || params.oneLiner.trim() === "") {
+        return { error: "oneLiner is required and must be a non-empty string" };
+    }
+    if (!params.narrative || typeof params.narrative !== "string" || params.narrative.trim() === "") {
+        return { error: "narrative is required and must be a non-empty string" };
+    }
+    if (!params.verification || typeof params.verification !== "string" || params.verification.trim() === "") {
+        return { error: "verification is required and must be a non-empty string" };
+    }
     const artifactBasePath = resolveCanonicalMilestoneRoot(basePath, params.milestoneId);
     // ── Ownership check (opt-in: only enforced when claim file exists) ──────
     const ownershipErr = checkOwnership(artifactBasePath, taskUnitKey(params.milestoneId, params.sliceId, params.taskId), params.actorName);

package/dist/resources/extensions/gsd/tools/workflow-tool-executors.js

@@ -238,6 +238,24 @@ export async function executeSummarySave(params, basePath = process.cwd()) {
         };
     }
 }
+function normalizeVerificationEvidence(evidence) {
+    return (evidence ?? []).map((entry) => typeof entry === "string"
+        ? { command: entry, exitCode: -1, verdict: "unknown (coerced from string)", durationMs: 0 }
+        : entry);
+}
+function deriveVerificationSummary(evidence) {
+    if (evidence.length === 0)
+        return null;
+    const rendered = evidence.slice(0, 3).map((entry) => {
+        const command = entry.command.trim() || "(unspecified command)";
+        const verdict = entry.verdict.trim() || "recorded";
+        return `\`${command}\` exited ${entry.exitCode} (${verdict})`;
+    });
+    const suffix = evidence.length > rendered.length
+        ? `; ${evidence.length - rendered.length} more check(s) recorded`
+        : "";
+    return `Verification evidence recorded: ${rendered.join("; ")}${suffix}.`;
+}
 export async function executeTaskComplete(params, basePath = process.cwd()) {
     const dbAvailable = await ensureDbOpen(basePath);
     if (!dbAvailable) {
@@ -249,7 +267,28 @@ export async function executeTaskComplete(params, basePath = process.cwd()) {
     }
     try {
         const coerced = { ...params };
-        coerced.verificationEvidence = (params.verificationEvidence ?? []).map((v) => typeof v === "string" ? { command: v, exitCode: -1, verdict: "unknown (coerced from string)", durationMs: 0 } : v);
+        const verificationEvidence = normalizeVerificationEvidence(params.verificationEvidence);
+        coerced.verificationEvidence = verificationEvidence;
+        const verification = typeof params.verification === "string" ? params.verification.trim() : "";
+        if (verification.length === 0) {
+            const derived = deriveVerificationSummary(verificationEvidence);
+            if (derived) {
+                coerced.verification = derived;
+            }
+            else if (params.blockerDiscovered === true) {
+                coerced.verification = "Not run: blocker discovered before verification.";
+            }
+            else {
+                return {
+                    content: [{
+                            type: "text",
+                            text: "Error completing task: verification is required unless verificationEvidence is provided or blockerDiscovered is true.",
+                        }],
+                    details: { operation: "complete_task", error: "verification_required" },
+                    isError: true,
+                };
+            }
+        }
         const result = await handleCompleteTask(coerced, basePath);
         if ("error" in result) {
             return {

package/dist/resources/extensions/gsd/worktree-lifecycle.js

@@ -203,7 +203,7 @@ function validateMilestoneId(milestoneId) {
  *   - emits worktree-created telemetry on successful entry
  *   - notifies the caller via `ctx.notify` for every user-visible outcome
  */
-export function _enterMilestoneCore(s, deps, milestoneId, ctx) {
+export function _enterMilestoneCore(s, deps, milestoneId, ctx, opts = {}) {
     if (!isValidMilestoneId(milestoneId)) {
         debugLog("WorktreeLifecycle", {
             action: "enterMilestone",
@@ -305,7 +305,7 @@ export function _enterMilestoneCore(s, deps, milestoneId, ctx) {
     // Handles the case where originalBasePath is falsy and basePath is itself
     // a worktree path — prevents double-nested worktree paths (#3729).
     const basePath = resolveWorktreeProjectRoot(s.basePath, s.originalBasePath);
-    const mode = getIsolationMode(basePath);
+    const mode = opts.modeOverride ?? getIsolationMode(basePath);
     if (s.isolationDegraded) {
         if (mode === "worktree") {
             try {
@@ -841,7 +841,8 @@ export function mergeMilestoneStandalone(deps, mctx) {
             pushed: false,
         };
     }
-    const mode = getIsolationMode(originalBasePath || worktreeBasePath);
+    const mode = mctx.isolationModeOverride ??
+        getIsolationMode(originalBasePath || worktreeBasePath);
     debugLog("WorktreeLifecycle", {
         action: "mergeAndExit",
         milestoneId,
@@ -1137,6 +1138,7 @@ export class WorktreeLifecycle {
                 originalBasePath: this.s.originalBasePath,
                 worktreeBasePath: this.s.basePath,
                 milestoneId,
+                isolationModeOverride: this.s.strandedRecoveryIsolationMode ?? undefined,
                 isolationDegraded: this.s.isolationDegraded,
                 notify: ctx.notify,
             });
@@ -1223,6 +1225,7 @@ export class WorktreeLifecycle {
             // Rebuild GitService after merge (branch HEAD changed)
             rebuildGitService(this.s, this.deps);
         }
+        this.s.strandedRecoveryIsolationMode = null;
         return result;
     }
     // ── Removed: _mergeWorktreeMode / _mergeBranchMode bodies ────────────
@@ -1345,6 +1348,24 @@ export class WorktreeLifecycle {
     resumeFromPausedSession(base, persistedWorktreePath) {
         this.s.basePath = resolvePausedResumeBasePath(base, persistedWorktreePath);
     }
+    /**
+     * Adopt in-progress stranded work during bootstrap.
+     *
+     * Unlike completed-orphan recovery, this does not merge, delete, or commit.
+     * It only moves the live session onto the branch/worktree proven by the
+     * audit evidence, while preserving that mode for the eventual merge.
+     */
+    adoptStrandedMilestone(milestoneId, base, ctx, opts) {
+        this.adoptSessionRoot(base);
+        this.s.strandedRecoveryIsolationMode = opts.mode;
+        const result = _enterMilestoneCore(this.s, this.deps, milestoneId, ctx, {
+            modeOverride: opts.mode,
+        });
+        if (!result.ok) {
+            this.s.strandedRecoveryIsolationMode = null;
+        }
+        return result;
+    }
     /**
      * Adopt an orphan worktree for a bootstrap-time merge (ADR-016 phase 2 / B4,
      * issue #5622).