@tekyzinc/gsd-t 2.22.0 → 2.24.6

package/CHANGELOG.md

@@ -2,6 +2,105 @@
 
 All notable changes to GSD-T are documented here. Updated with each release.
 
+## [2.24.6] - 2026-02-18
+
+### Added
+- **Auto-update on session start**: SessionStart hook now automatically installs new GSD-T versions when detected — runs `npm install -g` + `gsd-t update-all`. Falls back to manual instructions if auto-update fails
+- **Changelog link in all version messages**: All three output modes (`[GSD-T AUTO-UPDATE]`, `[GSD-T UPDATE]`, `[GSD-T]`) now include the changelog URL
+- **Update check installer**: `bin/gsd-t.js` now deploys the update check script and configures the SessionStart hook automatically during install, with auto-fix for incorrect matchers
+
+### Fixed
+- **SessionStart hook matcher**: Changed from `"startup"` to `""` (empty) to match all session types including compact/resumed sessions
+
+## [2.24.5] - 2026-02-18
+
+### Fixed
+- **Dead code removed**: `PKG_EXAMPLES` constant in `bin/gsd-t.js` and dead imports (`writeTemplateFile`, `showStatusVersion`) in `test/cli-quality.test.js` (TD-057, TD-058)
+- **summarize() case fallthrough**: Combined identical `Read`/`Edit`/`Write` cases using switch fallthrough, saving 4 lines (TD-056)
+- **checkForUpdates() condition**: Simplified redundant `!cached && isStale` to `if (!cached) ... else if (stale)` (TD-061)
+- **Notification title scrubbing**: Applied `scrubSecrets()` to `h.title` in heartbeat notification handler (TD-063)
+- **SEC-N16 note corrected**: Updated informational note during scan #5 (TD-062)
+- **Wave integrity check contract**: Updated `wave-phase-sequence.md` to match actual implementation — checks Status, Milestone name, Domains table (not version) (TD-064)
+- **Duplicate format contract**: Deleted `file-format-contract.md` — `backlog-file-formats.md` is authoritative (TD-065)
+
+### Added
+- 9 new tests: 3 `readSettingsJson()` tests in `cli-quality.test.js`, 6 `shortPath()` tests in `security.test.js` (TD-059, TD-060)
+- Total tests: 125 (was 116)
+
+## [2.24.4] - 2026-02-18
+
+### Fixed
+- **progress.md status**: Now uses contract-recognized values (READY between milestones, not ACTIVE)
+- **CLAUDE.md version**: Removed hardcoded version — references `package.json` directly to prevent recurring drift (TD-048)
+- **CHANGELOG.md**: Added missing entries for v2.23.1 through v2.24.3 covering milestones 3-7 (TD-045)
+- **Orphaned domains**: Deleted stale `cli-quality/` and `cmd-cleanup/` directories from previous milestones (TD-046)
+- **Git line endings**: Applied `git add --renormalize .` to enforce LF across all tracked files (TD-049)
+- **Notification scrubbing**: Applied `scrubSecrets()` to heartbeat notification messages (TD-052)
+
+### Changed
+- **Contracts synced**: `progress-file-format.md` enriched with milestone table + optional fields. `wave-phase-sequence.md` updated with integrity check (M7) and security considerations (M5). `command-interface-contract.md` renamed to `backlog-command-interface.md`. `integration-points.md` rewritten to reflect current state (TD-047, TD-053, TD-054, TD-055)
+- **readSettingsJson()**: Extracted helper to deduplicate 3 `JSON.parse(readFileSync)` call sites in CLI (TD-050)
+- **prepublishOnly**: Added `npm test` gate before `npm publish` (TD-051)
+- **TD-029 (TOCTOU)**: Formally accepted as risk with 5-point rationale — single-threaded Node.js, user-owned dirs, Windows symlink requires admin
+
+## [2.24.3] - 2026-02-19
+
+### Changed
+- **Command file cleanup**: 85 fractional step numbers renumbered to integers across 17 command files. Autonomy Behavior sections added to `gsd-t-discuss` and `gsd-t-impact`. QA agent hardened with file-path boundary constraints, multi-framework test detection, and Document Ripple section. Wave integrity check validates progress.md fields before starting. Structured 3-condition discuss-skip heuristic. Consistent "QA failure blocks" language across all 10 QA-spawning commands
+
+### Fixed
+- 8 tech debt items resolved: TD-030, TD-031, TD-036, TD-037, TD-038, TD-039, TD-040, TD-041
+
+## [2.24.2] - 2026-02-19
+
+### Changed
+- **CLI quality improvement**: All 86 functions across `bin/gsd-t.js` (80) and `scripts/gsd-t-heartbeat.js` (6) are now <= 30 lines. 3 code duplication patterns resolved (`readProjectDeps`, `writeTemplateFile`, `readPyContent` extracted). `buildEvent()` refactored to handler map pattern. `checkForUpdates` inline JS extracted to `scripts/gsd-t-fetch-version.js`. `doUpdateAll` has per-project error isolation
+
+### Added
+- `.gitattributes` and `.editorconfig` for consistent file formatting
+- 22 new tests in `test/cli-quality.test.js` (buildEvent, readProjectDeps, readPyContent, insertGuardSection, readUpdateCache, addHeartbeatHook)
+
+### Fixed
+- Heartbeat cleanup now only runs on SessionStart (not every event)
+- 7 tech debt items resolved: TD-017, TD-021, TD-024, TD-025, TD-032, TD-033, TD-034
+
+## [2.24.1] - 2026-02-18
+
+### Added
+- **Security hardening**: `scrubSecrets()` and `scrubUrl()` in heartbeat script scrub sensitive data (passwords, tokens, API keys, bearer tokens) before logging. 30 new security tests in `test/security.test.js`
+- `hasSymlinkInPath()` validates parent directories for symlink attacks
+- HTTP response accumulation bounded to 1MB in both fetch paths
+- Security Considerations section in `gsd-t-wave.md` documenting `bypassPermissions` implications
+
+### Fixed
+- `npm-update-check.js` validates cache path within `~/.claude/` and checks for symlinks before writing
+- 6 tech debt items resolved: TD-019, TD-020, TD-026, TD-027, TD-028, TD-035
+
+## [2.24.0] - 2026-02-18
+
+### Added
+- **Testing foundation**: 64 automated tests in 2 test files (`test/helpers.test.js`: 27 tests, `test/filesystem.test.js`: 37 tests) using Node.js built-in test runner (`node --test`). Zero external test dependencies
+- `module.exports` added to `bin/gsd-t.js` for 20 testable functions with `require.main` guard
+- CLI subcommand tests (--version, help, status, doctor)
+- Helper function tests (validateProjectName, applyTokens, normalizeEol, validateVersion, isNewerVersion)
+- Filesystem tests (isSymlink, ensureDir, validateProjectPath, copyFile, hasPlaywright, hasSwagger, hasApi)
+- Command listing tests (getCommandFiles, getGsdtCommands, getUtilityCommands with count validation)
+
+### Fixed
+- Tech debt item TD-003 (no test coverage) resolved
+
+## [2.23.1] - 2026-02-18
+
+### Fixed
+- **Count fix**: All command count references updated to 43/39/4 across CLAUDE.md, README.md, package.json, and docs (TD-022)
+- QA agent contract now includes test-sync phase with "During Test-Sync" section and updated output table (TD-042)
+- Orphaned domain files from previous milestones archived to `.gsd-t/milestones/` (TD-043)
+
+## [2.23.0] - 2026-02-17
+
+### Changed
+- **Wave orchestrator rewrite**: `gsd-t-wave` now spawns an independent agent for each phase instead of executing all phases inline. Each phase agent gets a fresh context window (~200K tokens), eliminating cross-phase context accumulation and preventing mid-wave compaction. The orchestrator stays lightweight (~30KB), reading only progress.md between phases. Phase sequence is unchanged — only the execution model changed. Estimated 75-85% reduction in peak context usage during waves
+
 ## [2.22.0] - 2026-02-17
 
 ### Added

package/README.md

@@ -18,7 +18,7 @@ A methodology for reliable, parallelizable development using Claude Code with op
 npx @tekyzinc/gsd-t install
 ```
 
-This installs 39 GSD-T commands + 3 utility commands to `~/.claude/commands/` and the global CLAUDE.md to `~/.claude/CLAUDE.md`. Works on Windows, Mac, and Linux.
+This installs 39 GSD-T commands + 4 utility commands (43 total) to `~/.claude/commands/` and the global CLAUDE.md to `~/.claude/CLAUDE.md`. Works on Windows, Mac, and Linux.
 
 ### Start Using It
 
@@ -246,6 +246,17 @@ your-project/
 
 ---
 
+## Security
+
+- **Wave mode** spawns phase agents with `bypassPermissions` — agents execute without per-action user approval. Use Level 1 or Level 2 autonomy for sensitive projects to review each phase.
+- **Heartbeat logs** scrub sensitive patterns (passwords, tokens, API keys) from bash commands and mask URL query parameters before writing to `.gsd-t/heartbeat-*.jsonl`.
+- **File write paths** are validated (within `~/.claude/`) and checked for symlinks before writing.
+- **HTTP responses** are bounded at 1MB to prevent memory exhaustion from oversized registry responses.
+- **Directory creation** validates parent path components for symlinks to prevent path traversal.
+- Run `gsd-t doctor` to verify installation integrity. Keep GSD-T updated with `gsd-t update`.
+
+---
+
 ## Enabling Agent Teams
 
 ```json
@@ -283,8 +294,8 @@ get-stuff-done-teams/
 ├── LICENSE
 ├── bin/
 │   └── gsd-t.js                       # CLI installer
-├── commands/                          # 42 slash commands
-│   ├── gsd-t-*.md                     # 38 GSD-T workflow commands
+├── commands/                          # 43 slash commands
+│   ├── gsd-t-*.md                     # 39 GSD-T workflow commands
 │   ├── gsd.md                         # GSD-T smart router
 │   ├── branch.md                      # Git branch helper
 │   ├── checkin.md                     # Auto-version + commit/push helper