@tekyzinc/gsd-t 2.23.0 → 2.24.7

package/CHANGELOG.md

@@ -2,6 +2,105 @@
 
 All notable changes to GSD-T are documented here. Updated with each release.
 
+## [2.24.7] - 2026-02-18
+
+### Changed
+- **Next Command Hint redesigned**: Replaced plain `Next →` text with GSD-style "Next Up" visual block — divider lines, `▶ Next Up` header, phase name with description, command in backticks, and alternatives section. Format designed to trigger Claude Code's prompt suggestion engine, making the next command appear as ghost text in the user's input field
+
+## [2.24.6] - 2026-02-18
+
+### Added
+- **Auto-update on session start**: SessionStart hook now automatically installs new GSD-T versions when detected — runs `npm install -g` + `gsd-t update-all`. Falls back to manual instructions if auto-update fails
+- **Changelog link in all version messages**: All three output modes (`[GSD-T AUTO-UPDATE]`, `[GSD-T UPDATE]`, `[GSD-T]`) now include the changelog URL
+- **Update check installer**: `bin/gsd-t.js` now deploys the update check script and configures the SessionStart hook automatically during install, with auto-fix for incorrect matchers
+
+### Fixed
+- **SessionStart hook matcher**: Changed from `"startup"` to `""` (empty) to match all session types including compact/resumed sessions
+
+## [2.24.5] - 2026-02-18
+
+### Fixed
+- **Dead code removed**: `PKG_EXAMPLES` constant in `bin/gsd-t.js` and dead imports (`writeTemplateFile`, `showStatusVersion`) in `test/cli-quality.test.js` (TD-057, TD-058)
+- **summarize() case fallthrough**: Combined identical `Read`/`Edit`/`Write` cases using switch fallthrough, saving 4 lines (TD-056)
+- **checkForUpdates() condition**: Simplified redundant `!cached && isStale` to `if (!cached) ... else if (stale)` (TD-061)
+- **Notification title scrubbing**: Applied `scrubSecrets()` to `h.title` in heartbeat notification handler (TD-063)
+- **SEC-N16 note corrected**: Updated informational note during scan #5 (TD-062)
+- **Wave integrity check contract**: Updated `wave-phase-sequence.md` to match actual implementation — checks Status, Milestone name, Domains table (not version) (TD-064)
+- **Duplicate format contract**: Deleted `file-format-contract.md` — `backlog-file-formats.md` is authoritative (TD-065)
+
+### Added
+- 9 new tests: 3 `readSettingsJson()` tests in `cli-quality.test.js`, 6 `shortPath()` tests in `security.test.js` (TD-059, TD-060)
+- Total tests: 125 (was 116)
+
+## [2.24.4] - 2026-02-18
+
+### Fixed
+- **progress.md status**: Now uses contract-recognized values (READY between milestones, not ACTIVE)
+- **CLAUDE.md version**: Removed hardcoded version — references `package.json` directly to prevent recurring drift (TD-048)
+- **CHANGELOG.md**: Added missing entries for v2.23.1 through v2.24.3 covering milestones 3-7 (TD-045)
+- **Orphaned domains**: Deleted stale `cli-quality/` and `cmd-cleanup/` directories from previous milestones (TD-046)
+- **Git line endings**: Applied `git add --renormalize .` to enforce LF across all tracked files (TD-049)
+- **Notification scrubbing**: Applied `scrubSecrets()` to heartbeat notification messages (TD-052)
+
+### Changed
+- **Contracts synced**: `progress-file-format.md` enriched with milestone table + optional fields. `wave-phase-sequence.md` updated with integrity check (M7) and security considerations (M5). `command-interface-contract.md` renamed to `backlog-command-interface.md`. `integration-points.md` rewritten to reflect current state (TD-047, TD-053, TD-054, TD-055)
+- **readSettingsJson()**: Extracted helper to deduplicate 3 `JSON.parse(readFileSync)` call sites in CLI (TD-050)
+- **prepublishOnly**: Added `npm test` gate before `npm publish` (TD-051)
+- **TD-029 (TOCTOU)**: Formally accepted as risk with 5-point rationale — single-threaded Node.js, user-owned dirs, Windows symlink requires admin
+
+## [2.24.3] - 2026-02-19
+
+### Changed
+- **Command file cleanup**: 85 fractional step numbers renumbered to integers across 17 command files. Autonomy Behavior sections added to `gsd-t-discuss` and `gsd-t-impact`. QA agent hardened with file-path boundary constraints, multi-framework test detection, and Document Ripple section. Wave integrity check validates progress.md fields before starting. Structured 3-condition discuss-skip heuristic. Consistent "QA failure blocks" language across all 10 QA-spawning commands
+
+### Fixed
+- 8 tech debt items resolved: TD-030, TD-031, TD-036, TD-037, TD-038, TD-039, TD-040, TD-041
+
+## [2.24.2] - 2026-02-19
+
+### Changed
+- **CLI quality improvement**: All 86 functions across `bin/gsd-t.js` (80) and `scripts/gsd-t-heartbeat.js` (6) are now <= 30 lines. 3 code duplication patterns resolved (`readProjectDeps`, `writeTemplateFile`, `readPyContent` extracted). `buildEvent()` refactored to handler map pattern. `checkForUpdates` inline JS extracted to `scripts/gsd-t-fetch-version.js`. `doUpdateAll` has per-project error isolation
+
+### Added
+- `.gitattributes` and `.editorconfig` for consistent file formatting
+- 22 new tests in `test/cli-quality.test.js` (buildEvent, readProjectDeps, readPyContent, insertGuardSection, readUpdateCache, addHeartbeatHook)
+
+### Fixed
+- Heartbeat cleanup now only runs on SessionStart (not every event)
+- 7 tech debt items resolved: TD-017, TD-021, TD-024, TD-025, TD-032, TD-033, TD-034
+
+## [2.24.1] - 2026-02-18
+
+### Added
+- **Security hardening**: `scrubSecrets()` and `scrubUrl()` in heartbeat script scrub sensitive data (passwords, tokens, API keys, bearer tokens) before logging. 30 new security tests in `test/security.test.js`
+- `hasSymlinkInPath()` validates parent directories for symlink attacks
+- HTTP response accumulation bounded to 1MB in both fetch paths
+- Security Considerations section in `gsd-t-wave.md` documenting `bypassPermissions` implications
+
+### Fixed
+- `npm-update-check.js` validates cache path within `~/.claude/` and checks for symlinks before writing
+- 6 tech debt items resolved: TD-019, TD-020, TD-026, TD-027, TD-028, TD-035
+
+## [2.24.0] - 2026-02-18
+
+### Added
+- **Testing foundation**: 64 automated tests in 2 test files (`test/helpers.test.js`: 27 tests, `test/filesystem.test.js`: 37 tests) using Node.js built-in test runner (`node --test`). Zero external test dependencies
+- `module.exports` added to `bin/gsd-t.js` for 20 testable functions with `require.main` guard
+- CLI subcommand tests (--version, help, status, doctor)
+- Helper function tests (validateProjectName, applyTokens, normalizeEol, validateVersion, isNewerVersion)
+- Filesystem tests (isSymlink, ensureDir, validateProjectPath, copyFile, hasPlaywright, hasSwagger, hasApi)
+- Command listing tests (getCommandFiles, getGsdtCommands, getUtilityCommands with count validation)
+
+### Fixed
+- Tech debt item TD-003 (no test coverage) resolved
+
+## [2.23.1] - 2026-02-18
+
+### Fixed
+- **Count fix**: All command count references updated to 43/39/4 across CLAUDE.md, README.md, package.json, and docs (TD-022)
+- QA agent contract now includes test-sync phase with "During Test-Sync" section and updated output table (TD-042)
+- Orphaned domain files from previous milestones archived to `.gsd-t/milestones/` (TD-043)
+
 ## [2.23.0] - 2026-02-17
 
 ### Changed

package/README.md

@@ -18,7 +18,7 @@ A methodology for reliable, parallelizable development using Claude Code with op
 npx @tekyzinc/gsd-t install
 ```
 
-This installs 39 GSD-T commands + 3 utility commands to `~/.claude/commands/` and the global CLAUDE.md to `~/.claude/CLAUDE.md`. Works on Windows, Mac, and Linux.
+This installs 39 GSD-T commands + 4 utility commands (43 total) to `~/.claude/commands/` and the global CLAUDE.md to `~/.claude/CLAUDE.md`. Works on Windows, Mac, and Linux.
 
 ### Start Using It
 
@@ -246,6 +246,17 @@ your-project/
 
 ---
 
+## Security
+
+- **Wave mode** spawns phase agents with `bypassPermissions` — agents execute without per-action user approval. Use Level 1 or Level 2 autonomy for sensitive projects to review each phase.
+- **Heartbeat logs** scrub sensitive patterns (passwords, tokens, API keys) from bash commands and mask URL query parameters before writing to `.gsd-t/heartbeat-*.jsonl`.
+- **File write paths** are validated (within `~/.claude/`) and checked for symlinks before writing.
+- **HTTP responses** are bounded at 1MB to prevent memory exhaustion from oversized registry responses.
+- **Directory creation** validates parent path components for symlinks to prevent path traversal.
+- Run `gsd-t doctor` to verify installation integrity. Keep GSD-T updated with `gsd-t update`.
+
+---
+
 ## Enabling Agent Teams
 
 ```json
@@ -283,8 +294,8 @@ get-stuff-done-teams/
 ├── LICENSE
 ├── bin/
 │   └── gsd-t.js                       # CLI installer
-├── commands/                          # 42 slash commands
-│   ├── gsd-t-*.md                     # 38 GSD-T workflow commands
+├── commands/                          # 43 slash commands
+│   ├── gsd-t-*.md                     # 39 GSD-T workflow commands
 │   ├── gsd.md                         # GSD-T smart router
 │   ├── branch.md                      # Git branch helper
 │   ├── checkin.md                     # Auto-version + commit/push helper