npm - gm-skill - Versions diffs - 2.0.1526 → 2.0.1527 - Mend

gm-skill 2.0.1526 → 2.0.1527

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/AGENTS.md +1 -3
package/gm-plugkit/package.json +1 -1
package/gm-plugkit/plugkit-wasm-wrapper.js +5 -77
package/gm.json +1 -1
package/lib/skill-bootstrap.js +7 -8
package/package.json +1 -1

package/AGENTS.md CHANGED Viewed

@@ -32,9 +32,7 @@ The plugkit stack runs as a wasm cdylib loaded by `plugkit-wasm-wrapper.js` unde
 **`plugkit-wasm-wrapper.js` is ESM; never use inline `require()` for a node builtin -- import it at module scope.** The wrapper runs under both node and bun, and the supervisor's `resolveRuntime()` prefers bun. Under bun's ESM, `require` is not a global, so an inline `const x = require('crypto'|'net'|'http'|'https'|'child_process')` throws `require is not defined` -- and because those calls sit in `catch(_){}` blocks, the failure is silent: it broke `_ownWrapperSha12` (status.wrapper_sha stayed null, leaving the supervisor wrapper-sha-drift recycle inert), `_wrapperShaAtBoot` and its self-drift-restart, the synthetic-session cwd-hash, and the file-index sha -- all only under the bun watcher, which is why it hid for so long (node-run watchers have `require` via CJS interop). Every node builtin is imported once at the top (`import crypto from 'crypto'`, etc.); inline `require` of a builtin is forbidden. Full incident in rs-learn (`recall: wrapper require not defined under bun`).
-**Every single-instance / lock guard is atomic, never check-then-act.** A guard that does `existsSync` -> read -> decide -> `writeFileSync` is TOCTOU: under a concurrent burst (the bootstrap spawns several supervisors in the same millisecond per skill-load) every caller passes the check before any writes, so all proceed and the duplicate it was meant to prevent happens anyway. The supervisor single-instance guard, the `.watcher.lock`, and any future pid/lock file all acquire via an atomic primitive -- `fs.openSync(path, 'wx')` (O_EXCL exclusive-create, succeeds for exactly one racer) or atomic-rename -- then on `EEXIST` read the holder and refuse-if-alive / take-over-if-stale. The trap: a check-then-write guard passes sequential testing (a later boot sees the prior holder) and silently fails only under concurrency, so when a guard is in place and the duplicate STILL occurs, suspect non-atomicity before suspecting absence. Full incident (three mis-diagnoses) in rs-learn (`recall: supervisor churn TOCTOU atomic guard`).
-**Count plugkit processes by executable Name, never by command-line substring.** A `Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like '*plugkit-wasm-wrapper*' }` (or `-match 'plugkit-supervisor'`) also matches the bash/powershell command running the query itself -- its eval string contains those literals -- so it fabricates phantom processes and inflates the count (it reported `8 watchers + 4 supervisors` when the truth was `4 watchers, 0 supervisors`). Always constrain to the real runtime: `Where-Object { ($_.Name -eq 'node.exe' -or $_.Name -eq 'bun.exe') -and $_.CommandLine -match 'plugkit-wasm-wrapper\.js' }`. The phantom count made a working atomic-guard fix look unconverged across two fires; a wrong measurement is as costly as a wrong diagnosis. Full incident in rs-learn (`recall: supervisor churn TOCTOU atomic guard`).
+**Every single-instance / lock guard is atomic (`fs.openSync(path,'wx')` O_EXCL or atomic-rename), never check-then-act; count plugkit processes by executable Name not command-line substring.** Both are Windows concurrency mechanics whose full incident lives in rs-learn (`recall: supervisor churn TOCTOU atomic guard`).
 ## Spool dispatch ABI

package/gm-plugkit/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "gm-plugkit",
-  "version": "2.0.1526",
+  "version": "2.0.1527",
   "description": "Bootstrap and daemon-spawn tool for gm plugkit binary. Downloads the correct platform binary, verifies SHA256, and starts the spool watcher daemon. Includes plugkit-wasm-wrapper for WASM-based spool watching.",
   "main": "index.js",
   "bin": {

package/gm-plugkit/plugkit-wasm-wrapper.js CHANGED Viewed

@@ -3472,78 +3472,7 @@ async function runSpoolWatcher(instance, spoolDir) {
       applyUpdateCheckResult(installed, cached.latest, cached.status || 200);
       return;
     }
-    const req = https.get({
-      host: 'api.github.com',
-      path: '/repos/AnEntrypoint/plugkit-bin/releases/latest',
-      headers: { 'user-agent': 'plugkit-watcher', 'accept': 'application/json' },
-      timeout: 5000,
-    }, (res) => {
-      if (res.statusCode !== 200) {
-        res.resume();
-        writeSharedUpdateCache(null, res.statusCode);
-        applyUpdateCheckResult(installed, null, res.statusCode);
-        checkUpdateViaNpm(installed);
-        return;
-      }
-      const chunks = [];
-      res.on('data', c => chunks.push(c));
-      res.on('end', () => {
-        try {
-          const rel = JSON.parse(Buffer.concat(chunks).toString('utf-8'));
-          const tag = rel && rel.tag_name;
-          if (!tag) return;
-          const latest = tag.replace(/^v/, '');
-          writeSharedUpdateCache(latest, 200);
-          if (latest === installed) {
-            try { fs.unlinkSync(UPDATE_AVAILABLE_PATH); } catch (_) {}
-            if (_lastKnownDrift) {
-              logEvent('plugkit', 'update.cleared', { installed, was: _lastKnownDrift });
-              _lastKnownDrift = null;
-            }
-            return;
-          }
-          const update_url = `https://github.com/AnEntrypoint/plugkit-bin/releases/tag/v${latest}`;
-          fs.writeFileSync(UPDATE_AVAILABLE_PATH, JSON.stringify({
-            installed,
-            latest,
-            checked_at_ms: Date.now(),
-            instruction: 'plugkit is out of date. Update with: bun x gm-plugkit@latest --kill-stale-watchers; bun x gm-plugkit@latest spool. A fresh boot downloads the new wasm and respawns; an in-place running watcher does not self-download.',
-            update_url,
-          }, null, 2));
-          console.log(`[update] available: installed=${installed} latest=${latest} -> wrote ${UPDATE_AVAILABLE_PATH}`);
-          if (_lastKnownDrift !== latest) {
-            logEvent('plugkit', 'update.available', { installed, latest, update_url });
-            _lastKnownDrift = latest;
-          }
-          // NOTE: do NOT bump the disk version file here to "arm" a drift-respawn. installedVersionAtTools()
-          // reads that file as the source of truth for the installed version; bumping it ahead of the actual
-          // wasm download makes ensureReady compute versionDrift=false (file==target) and isReady()=true, so it
-          // returns already-ready WITHOUT downloading the new binary -- while the running instance is still the
-          // old version. The drift-check then sees instance(old) != file(new) forever and self-respawns in an
-          // infinite loop, each respawn reloading the same old wasm. The version file must only advance AFTER
-          // a verified binary download (bootstrap's job). Auto-update stays notify-only until ensureReady gains
-          // a sha-verified force-download path; see PRD watcher-autoupdate-thrash-fix.
-        } catch (e) {
-          logUpdateCheckError({ error: String(e && e.message || e) });
-        }
-      });
-    });
-    let _checkErrored = false;
-    req.on('timeout', () => {
-      if (_checkErrored) { try { req.destroy(); } catch (_) {} return; }
-      _checkErrored = true;
-      try { req.destroy(); } catch (_) {}
-      writeSharedUpdateCache(null, -1);
-      logUpdateCheckError({ error: 'timeout' });
-      checkUpdateViaNpm(installed);
-    });
-    req.on('error', (e) => {
-      if (_checkErrored) return;
-      _checkErrored = true;
-      writeSharedUpdateCache(null, -2);
-      logUpdateCheckError({ error: String(e && e.message || e) });
-      checkUpdateViaNpm(installed);
-    });
+    checkUpdateViaNpm(installed);
   }
   setTimeout(checkForUpdate, 10_000);
   setInterval(checkForUpdate, UPDATE_CHECK_INTERVAL_MS);
@@ -3739,11 +3668,10 @@ async function selfHealFromGithubReleases() {
     });
     (async () => {
       try {
-        const rel = await fetchJson('https://api.github.com/repos/AnEntrypoint/plugkit-bin/releases/latest');
-        const tag = rel.tag_name;
-        if (!tag) throw new Error('no tag_name from GH Releases');
-        const version = tag.replace(/^v/, '');
-        const base = `https://github.com/AnEntrypoint/plugkit-bin/releases/download/${tag}`;
+        const meta = await fetchJson('https://registry.npmjs.org/plugkit-wasm/latest');
+        const version = meta && meta.version;
+        if (!version) throw new Error('no version from npm plugkit-wasm');
+        const base = `https://github.com/AnEntrypoint/plugkit-bin/releases/download/v${version}`;
         const [wasm, sha] = await Promise.all([
           fetchBuf(`${base}/plugkit.wasm`),
           fetchBuf(`${base}/plugkit.wasm.sha256`).then(b => b.toString('utf-8').trim().split(/\s+/)[0]).catch(() => ''),

package/gm.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "gm",
-  "version": "2.0.1526",
+  "version": "2.0.1527",
   "description": "Spool-dispatch orchestration engine with unified state machine, skills, and automated git enforcement",
   "author": "AnEntrypoint",
   "license": "MIT",

package/lib/skill-bootstrap.js CHANGED Viewed

@@ -132,15 +132,14 @@ async function getLatestRemoteVersion() {
   let version = null;
   let source = null;
   try {
-    const buf = await httpGet('https://api.github.com/repos/AnEntrypoint/plugkit-bin/releases/latest', 3000);
-    const rel = JSON.parse(buf.toString('utf-8'));
-    const tag = rel && rel.tag_name;
-    if (tag) {
-      version = tag.replace(/^v/, '');
-      source = 'github-releases';
+    const buf = await httpGet('https://registry.npmjs.org/plugkit-wasm/latest', 3000);
+    const pkg = JSON.parse(buf.toString('utf-8'));
+    if (pkg && pkg.version) {
+      version = pkg.version;
+      source = 'npm-plugkit-wasm';
     }
   } catch (e) {
-    emitBootstrapEvent('warn', 'GitHub Releases lookup failed', { error: e.message });
+    emitBootstrapEvent('warn', 'npm plugkit-wasm lookup failed', { error: e.message });
   }
   if (!version) {
     try {
@@ -154,7 +153,7 @@ async function getLatestRemoteVersion() {
         source = 'npm-gm-plugkit-fallback';
       }
     } catch (e) {
-      emitBootstrapEvent('warn', 'npm fallback lookup failed', { error: e.message });
+      emitBootstrapEvent('warn', 'npm gm-plugkit fallback lookup failed', { error: e.message });
     }
   }
   if (!version) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "gm-skill",
-  "version": "2.0.1526",
+  "version": "2.0.1527",
   "description": "Canonical universal harness — AI-native software engineering via skill-driven orchestration; bootstraps plugkit for task execution and session isolation. Install in any AI coding agent host.",
   "author": "AnEntrypoint",
   "license": "MIT",