gossipcat 0.4.27 → 0.4.28

package/dist-mcp/mcp-server.js

@@ -10597,7 +10597,7 @@ ${clamped}`);
           }
         }
         const EXCLUDED_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", ".gossip", "dist", "build", "out", "coverage"]);
-        const EXCLUDED_EXTS = /* @__PURE__ */ new Set([".json", ".md", ".yaml", ".yml", ".toml", ".lock", ".txt", ".xml", ".ini", ".cfg", ".env", ".gitignore", ".gitattributes", ".editorconfig", ".npmrc", ".nvmrc"]);
+        const EXCLUDED_EXTS = /* @__PURE__ */ new Set([".json", ".md", ".yaml", ".yml", ".toml", ".lock", ".txt", ".xml", ".ini", ".cfg", ".env", ".gitignore", ".gitattributes", ".editorconfig", ".npmrc", ".nvmrc", ".prettierrc", ".eslintrc", ".babelrc", ".dockerignore", ".flowconfig"]);
         let extensionSignal = false;
         try {
           const entries = (0, import_fs9.readdirSync)(this.projectRoot, { withFileTypes: true });
@@ -16562,7 +16562,7 @@ var init_parse_findings = __esm({
     TYPE_ATTR_PATTERN = /type="([a-zA-Z]+)"/;
     SEVERITY_ATTR_PATTERN = /severity="(critical|high|medium|low)"/;
     CATEGORY_ATTR_PATTERN = /category="([a-z_]+)"/;
-    ANCHOR_PATTERN = /[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
+    ANCHOR_PATTERN = /(?:[a-zA-Z]:\/)?[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
     CANONICAL_TYPES = /* @__PURE__ */ new Set(["finding", "suggestion", "insight"]);
     HTML_ENTITY_OPEN_PATTERN = /<agent_finding\b/gi;
     HTML_ENTITY_CLOSE_PATTERN = /<\/agent_finding>/gi;
@@ -16736,7 +16736,7 @@ var init_consensus_engine = __esm({
     };
     MIN_FINDINGS_PER_PEER = 2;
     VALID_ACTIONS = /* @__PURE__ */ new Set(["agree", "disagree", "unverified", "new"]);
-    ANCHOR_PATTERN2 = /[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
+    ANCHOR_PATTERN2 = /(?:[a-zA-Z]:\/)?[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
     MAX_VERIFIER_TURNS = 7;
     VERIFIER_TOOLS = [
       { name: "file_read", description: "Read file contents", parameters: { type: "object", properties: { path: { type: "string", description: "Absolute or project-relative file path" }, startLine: { type: "number", description: "First line to read (1-based)" }, endLine: { type: "number", description: "Last line to read (inclusive)" } }, required: ["path"] } },
@@ -17762,7 +17762,7 @@ Return only valid JSON.${skillsBlock}`;
        */
       async snippetsForFinding(findingText, maxSnippets = 3) {
         if (!this.config.projectRoot && this.currentWorktreeRoots.size === 0) return "";
-        const citationPattern = /((?:[\w./-]+\/)?([a-zA-Z][\w.-]+\.[a-z]{1,6})):(\d+)/g;
+        const citationPattern = /((?:[a-zA-Z]:\/)?(?:[\w./-]+\/)?([a-zA-Z][\w.-]+\.[a-z]{1,6})):(\d+)/g;
         const CONTEXT_LINES = 2;
         const MAX_FILE_SIZE2 = 10 * 1024 * 1024;
         const anchors = [];
@@ -17783,7 +17783,7 @@ Return only valid JSON.${skillsBlock}`;
               anchors.push(`\u26A0 Agent cited \`${safeRef}:${lineNum}\` but file not found`);
               continue;
             }
-            const resolvedFromProjectRoot = this.currentWorktreeRoots.size > 0 && this.config.projectRoot && filePath.startsWith((0, import_path28.resolve)(this.config.projectRoot) + "/");
+            const resolvedFromProjectRoot = this.isResolvedFromProjectRootOnly(filePath);
             const fileStat = await (0, import_promises3.stat)(filePath);
             if (fileStat.size > MAX_FILE_SIZE2) continue;
             const content = await this.cachedRead(filePath);
@@ -17817,7 +17817,7 @@ ${safeSnippet}
             const trimmed = value.trim();
             if (!trimmed || trimmed.length > 80) continue;
             if (tag === "file") {
-              const fileMatch = trimmed.match(/^((?:[\w./-]+\/)?([a-zA-Z][\w.-]+\.[a-z]{1,6})):(\d+)$/);
+              const fileMatch = trimmed.match(/^((?:[a-zA-Z]:\/)?(?:[\w./-]+\/)?([a-zA-Z][\w.-]+\.[a-z]{1,6})):(\d+)$/);
               if (fileMatch && !seen.has(trimmed)) {
                 seen.add(trimmed);
                 const fullRef = fileMatch[1];
@@ -17827,7 +17827,7 @@ ${safeSnippet}
                   const safeRef = fullRef.replace(/["<>]/g, "");
                   const filePath = await this.cachedResolveForAnchor(fullRef) ?? await this.cachedResolveForAnchor(bareFile);
                   if (filePath) {
-                    const resolvedFromProjectRoot = this.currentWorktreeRoots.size > 0 && this.config.projectRoot && filePath.startsWith((0, import_path28.resolve)(this.config.projectRoot) + "/");
+                    const resolvedFromProjectRoot = this.isResolvedFromProjectRootOnly(filePath);
                     const content = await this.cachedRead(filePath);
                     if (content) {
                       const fileLines = content.split("\n");
@@ -17907,7 +17907,7 @@ ${safeSnippet}
           return false;
         }
         const stripped = evidence.replace(/```[\s\S]*?```/g, "").replace(/`[^`\n]*`/g, "").replace(/<example>[\s\S]*?<\/example>/gi, "").replace(/"[^"\n]*"/g, "").replace(/'[^'\n]*'/g, "");
-        const citationPattern = /(?:[\w./-]+\/)?([a-zA-Z][\w.-]+\.[a-z]{1,6}):(\d+)/g;
+        const citationPattern = /(?:(?:[a-zA-Z]:\/)?(?:[\w./-]+\/)?)?([a-zA-Z][\w.-]+\.[a-z]{1,6}):(\d+)/g;
         const rawCitations = [];
         let match;
         while ((match = citationPattern.exec(stripped)) !== null) {
@@ -17953,6 +17953,28 @@ ${safeSnippet}
        * worktree can still be auto-anchored when consensus runs back in the main
        * MCP process).
        */
+      /**
+       * Returns true when filePath falls under projectRoot but NOT inside any
+       * active worktree root.  This is the condition that warrants the
+       * "⚠ resolved against project root, NOT worktree" attribute — the file
+       * was found via the projectRoot fallback, meaning it reflects master HEAD,
+       * not the branch under review.
+       *
+       * The previous inline check used only a startsWith(projectRoot) test, which
+       * produced a false-positive when the worktree itself is nested under
+       * projectRoot (the standard `.claude/worktrees/agent-X` layout): a worktree
+       * file like /x/.claude/worktrees/agent-Y/foo.ts passes startsWith(/x/)
+       * even though it was correctly resolved via the worktree priority root.
+       *
+       * Fix: additionally verify the path is NOT inside any currentWorktreeRoot
+       * via isInsideAnyRoot, which applies realpath-safe containment checks.
+       */
+      isResolvedFromProjectRootOnly(filePath) {
+        if (this.currentWorktreeRoots.size === 0) return false;
+        if (!this.config.projectRoot) return false;
+        if (!filePath.startsWith((0, import_path28.resolve)(this.config.projectRoot) + "/")) return false;
+        return !this.isInsideAnyRoot(filePath, [...this.currentWorktreeRoots]);
+      }
       /**
        * Guard: resolved path must stay inside one of the valid roots, with
        * symlink-safe containment.
@@ -19157,7 +19179,7 @@ function detectFormatCompliance(result) {
   const tags_dropped_unknown_type = Object.values(parseRes.droppedUnknownType).reduce((a, b) => a + b, 0) + parseRes.droppedMissingType;
   const tags_dropped_short_content = parseRes.droppedShortContent;
   const findingCount = (body.match(/<agent_finding[\s>]/g) ?? []).length;
-  const citationCount = (body.match(/\b[\w./-]+\.\w+:\d+\b/g) ?? []).length;
+  const citationCount = (body.match(/\b(?:[a-zA-Z]:\/)?[\w./-]+\.\w+:\d+\b/g) ?? []).length;
   const formatCompliant = tags_accepted > 0 && citationCount >= tags_accepted;
   const diagnostics = [...parseRes.diagnostics];
   if (truncated) {
@@ -23407,7 +23429,7 @@ var init_dedupe_key = __esm({
   "packages/orchestrator/src/dedupe-key.ts"() {
     "use strict";
     import_crypto15 = require("crypto");
-    ANCHOR_PATTERN3 = /[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
+    ANCHOR_PATTERN3 = /(?:[a-zA-Z]:\/)?[\w./-]+\.(ts|js|tsx|jsx|py|go|rs|java|rb|md|json|yaml|yml|toml|sh):\d+/;
     MIN_NORMALIZED_CONTENT_LENGTH = 32;
     DEDUPE_KEY_INTERNALS = {
       MIN_NORMALIZED_CONTENT_LENGTH,
@@ -49431,7 +49453,10 @@ async function resolveDispatchResolutionRoots(dispatchResolutionRoots) {
         );
       }
       if (discovered.length > 0) {
-        effectiveRoots = discovered;
+        const hashedPaths = discovered.map((d) => hashPath(d));
+        warnings.push(
+          `autoDiscoverWorktrees: ${discovered.length} sibling worktree(s) discovered but auto-promotion is disabled. Pass resolutionRoots to gossip_dispatch to pin cross-reviewers to a specific worktree. Discovered (hashed): ${hashedPaths.join(", ")}`
+        );
       } else if (rejected.length > 0) {
         warnings.push(
           `autoDiscoverWorktrees: ${rejected.length} candidate(s) failed validation; cross-review will use projectRoot only. See stderr for rejection reasons.`
@@ -50140,10 +50165,10 @@ ${t.skillWarnings.map((w) => `  - ${w}`).join("\n")}`;
       if (!mainLlm) {
         return { content: [{ type: "text", text: "Error: No LLM configured for consensus. Check gossip_setup." }] };
       }
-      const { PerformanceReader: PerformanceReader3, discoverGitWorktrees: discoverGitWorktrees2 } = await Promise.resolve().then(() => (init_src4(), src_exports3));
+      const { PerformanceReader: PerformanceReader3, discoverGitWorktrees: discoverGitWorktrees2, hashPath: hashPath2 } = await Promise.resolve().then(() => (init_src4(), src_exports3));
       const performanceReader = new PerformanceReader3(process.cwd());
       const explicitRoots = resolutionRoots ?? [];
-      let effectiveRoots = explicitRoots;
+      const effectiveRoots = explicitRoots;
       try {
         const { findConfigPath: findConfigPath2, loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
         const cfgPath = findConfigPath2(process.cwd());
@@ -50156,7 +50181,13 @@ ${t.skillWarnings.map((w) => `  - ${w}`).join("\n")}`;
 `
             );
           }
-          effectiveRoots = [...explicitRoots, ...discovered];
+          if (discovered.length > 0) {
+            const hashedPaths = discovered.map((d) => hashPath2(d));
+            process.stderr.write(
+              `[consensus] autoDiscoverWorktrees: ${discovered.length} sibling worktree(s) discovered but auto-promotion is disabled (issue #402). Pass resolutionRoots to gossip_collect to pin cross-reviewers. Discovered (hashed): ${hashedPaths.join(", ")}
+`
+            );
+          }
         }
       } catch (err) {
         process.stderr.write(`[consensus] auto-discovery failed: ${err.message}

package/docs/HANDBOOK.md

@@ -232,7 +232,7 @@ When blocked, the error message shows age + remaining cooldown + override instru
 
 Drop a `.gossip/tech-stack.md` at the project root to bypass auto-detection on `gossip_skills(action: "develop")`. Content (max 2000 chars after trim) is injected verbatim into the skill-develop prompt's `<tech_stack>` block, replacing the auto-detected description. Useful for non-Node host projects (Solidity, Rust, Move, audit workspaces) where the LLM hallucinates a Node.js stack from thin npm dep signal (issue #410, PR #411 floor + this override). Cache is session-stable — restart the MCP server to pick up edits. Empty file or read errors fall through to auto-detect (with stderr warning on errors). Files over 2 KB are clamped with a stderr warning.
 
-**Tech-stack auto-detection.** When no override is present and the npm dep count is below `TECH_STACK_MIN_DEPS=3` OR the project is non-Node, `detectTechStack` scans the project root for known manifests (Cargo.toml, pyproject.toml, requirements.txt, go.mod, foundry.toml, Move.toml, Gemfile, composer.json), the README first 30 lines / 2 KB, and a shallow file-extension census (root only, excluding `node_modules`/`.git`/`.gossip`/`dist`/`build`/`out`/`coverage`, capped at 10 extension types; config/docs extensions such as `.json`, `.md`, `.yaml`, `.toml`, `.lock` are excluded from the census since they are already captured by other signals). Any non-Node signal — manifest match, README content, or extension census — bypasses the `MIN_DEPS=3` floor so polyglot projects don't need the override file. Workspace-level manifests (e.g., `packages/contracts/foundry.toml`) are NOT scanned in this MVP; place the manifest at root or use `.gossip/tech-stack.md` for those cases.
+**Tech-stack auto-detection.** When no override is present and the npm dep count is below `TECH_STACK_MIN_DEPS=3` OR the project is non-Node, `detectTechStack` scans the project root for known manifests (Cargo.toml, pyproject.toml, requirements.txt, go.mod, foundry.toml, Move.toml, Gemfile, composer.json), the README first 30 lines / 2 KB, and a shallow file-extension census (root only, excluding `node_modules`/`.git`/`.gossip`/`dist`/`build`/`out`/`coverage`, capped at 10 extension types; Config/docs extensions (`.json`, `.md`, `.yaml`, `.toml`, `.lock`, common dotfiles like `.prettierrc`/`.eslintrc`/`.dockerignore`/etc.) are excluded from the census — they're either ubiquitous across project types (carrying no toolchain signal) or already covered elsewhere (npm deps via `package.json`, language via manifests). Trade-off: Kubernetes / Ansible projects whose primary source is `.yaml` will receive less detection signal from the census; use `.gossip/tech-stack.md` for those). Any non-Node signal — manifest match, README content, or extension census — bypasses the `MIN_DEPS=3` floor so polyglot projects don't need the override file. Workspace-level manifests (e.g., `packages/contracts/foundry.toml`) are NOT scanned in this MVP; place the manifest at root or use `.gossip/tech-stack.md` for those cases.
 
 ### Verifying UNVERIFIED findings
 
@@ -252,7 +252,7 @@ gossip_collect({
 
 Without `resolutionRoots`, citations to files that only exist in the worktree resolve against `projectRoot` → `⚠ file not found` → every cross-reviewer marks UNVERIFIED → the round produces zero verified findings. `resolutionRoots` runs each path through a validator (NUL reject, `..` reject, realpath, ownership check, git-common-dir match, `git worktree list` membership) before adding it to the citation-resolver trust zone.
 
-Secondary: `consensus.autoDiscoverWorktrees: true` in `.gossip/config.json` auto-discovers all git worktrees at round start (opt-in, default off) — convenience for users who routinely run consensus on feature branches. Same validator applies.
+Secondary: `consensus.autoDiscoverWorktrees: true` in `.gossip/config.json` is DISCOVERY-ONLY (opt-in, default off). When enabled, it logs a warning listing hashed paths of sibling git worktrees so operators know which branches exist — but it does NOT auto-route cross-reviewers to any of them. You must still pass explicit `resolutionRoots` to `gossip_dispatch` (or `gossip_collect`) to pin cross-reviewers to a specific worktree. Per consensus c6b8580d-595e48d2 + issue #402, prior auto-promotion behaviour was a foot-gun: it silently routed reviews to the wrong branch when multiple worktrees existed. Same validator applies to anything you do pass explicitly.
 
 See spec `docs/specs/2026-04-17-issue-126.md` for the full design.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gossipcat",
-  "version": "0.4.27",
+  "version": "0.4.28",
   "description": "Multi-agent orchestration for Claude Code — parallel review, consensus, adaptive dispatch",
   "mcpName": "io.github.ataberk-xyz/gossipcat",
   "repository": {