gsd-lite 0.5.13 → 0.5.15

package/.claude-plugin/marketplace.json

@@ -13,7 +13,7 @@
       "name": "gsd",
       "source": "./",
       "description": "AI orchestration tool — GSD management shell + Superpowers quality core. 5 commands, 4 agents, 5 workflows, MCP server, context monitoring.",
-      "version": "0.5.13",
+      "version": "0.5.15",
       "keywords": [
         "orchestration",
         "mcp",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gsd",
-  "version": "0.5.13",
+  "version": "0.5.15",
   "description": "AI orchestration tool for Claude Code — GSD management shell + Superpowers quality core",
   "author": {
     "name": "sdsrss",

package/README.md

@@ -17,7 +17,7 @@ GSD-Lite is an AI orchestration tool for [Claude Code](https://docs.anthropic.co
 ### Quality Discipline (Built-in, Not Optional)
 - **TDD enforcement** — "No production code without a failing test first" baked into every executor dispatch
 - **Anti-rationalization guards** — Red-flag checklists inline in every agent prompt, blocking common excuses to skip process
-- **Multi-level code review** — L0 self-review / L1 phase-batch review / L2 immediate independent review
+- **Multi-level code review** — L0 self-review / L1 phase-batch review / L2 immediate independent review / phase review retry limit
 - **Contract change propagation** — When an API contract changes, downstream tasks automatically invalidate
 
 ### Intelligent Failure Recovery
@@ -27,7 +27,7 @@ GSD-Lite is an AI orchestration tool for [Claude Code](https://docs.anthropic.co
 - **Rework propagation** — Critical review issues cascade invalidation to dependent tasks
 
 ### Adaptive Review & Parallel Execution
-- **Confidence-based review adjustment** — Executor self-assesses confidence (high/medium/low); orchestrator auto-adjusts review level accordingly
+- **Confidence-based review adjustment** — Executor self-assesses confidence (high/medium/low); orchestrator auto-adjusts review level with evidence cross-validation
 - **Impact analysis before review** — Reviewer runs impact analysis on multi-file changes to catch missed downstream effects
 - **Parallel task scheduling** — Independent tasks within the same phase are identified for concurrent dispatch
 - **Auto PR suggestion** — Phase/project completion prompts PR creation with evidence summary
@@ -249,7 +249,7 @@ gsd-lite/
 ├── references/             # 8 reference docs
 ├── hooks/                  # Session lifecycle (StatusLine + PostToolUse + SessionStart + Stop + AutoUpdate)
 │   └── lib/               # Shared hook utilities (gsd-finder)
-├── tests/                  # 822 tests (unit + simulation + E2E)
+├── tests/                  # 826 tests (unit + simulation + E2E)
 ├── cli.js                  # Install/uninstall CLI entry
 ├── install.js              # Installation script
 └── uninstall.js            # Uninstall script
@@ -258,8 +258,8 @@ gsd-lite/
 ## Testing
 
 ```bash
-npm test                    # Run all 822 tests
-npm run test:coverage       # Tests + coverage report (94%+ lines, 81%+ branches)
+npm test                    # Run all 826 tests
+npm run test:coverage       # Tests + coverage report (94%+ lines, 83%+ branches)
 npm run lint                # Biome lint
 node --test tests/file.js   # Run a single test file
 ```

package/hooks/gsd-auto-update.cjs

@@ -337,7 +337,7 @@ function validateExtractedPackage(extractDir) {
 // ── Download & Install ─────────────────────────────────────
 async function downloadAndInstall(tarballUrl, verbose = false, token = null) {
   const tmpDir = path.join(os.tmpdir(), `gsd-update-${Date.now()}`);
-  const backupPath = path.join(pluginRoot, 'package.json.bak');
+  const backupPath = path.join(runtimeDir, 'package.json.bak');
   let backedUp = false;
   try {
     fs.mkdirSync(tmpDir, { recursive: true });
@@ -450,6 +450,35 @@ function writeNotification(notification) {
   }
 }
 
+// ── Cache Cleanup ─────────────────────────────────────────
+// Remove old plugin cache versions, keeping the N most recent.
+function pruneOldCacheVersions(cacheBase, keepCount = 3, verbose = false) {
+  try {
+    if (!fs.existsSync(cacheBase)) return;
+    const entries = fs.readdirSync(cacheBase, { withFileTypes: true })
+      .filter(e => e.isDirectory())
+      .map(e => e.name);
+    if (entries.length <= keepCount) return;
+
+    // Sort by semver: split into [major, minor, patch] and compare numerically
+    const sorted = entries.slice().sort((a, b) => {
+      const pa = a.split('.').map(Number);
+      const pb = b.split('.').map(Number);
+      for (let i = 0; i < 3; i++) {
+        if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
+      }
+      return 0;
+    });
+
+    const toRemove = sorted.slice(0, sorted.length - keepCount);
+    for (const ver of toRemove) {
+      const verPath = path.join(cacheBase, ver);
+      fs.rmSync(verPath, { recursive: true, force: true });
+      if (verbose) console.log(`  Pruned old cache: ${ver}`);
+    }
+  } catch { /* best effort */ }
+}
+
 // ── Plugin Cache Sync ─────────────────────────────────────
 // When installed as a plugin, the MCP server runs from plugins/cache/gsd/gsd/<version>/
 // The auto-update installs to ~/.claude/gsd/ (runtime dir) via install.js,
@@ -492,11 +521,17 @@ function syncPluginCache(extractedDir, verbose = false) {
 
     // Install dependencies in cache dir
     if (!fs.existsSync(path.join(newCachePath, 'node_modules', '@modelcontextprotocol'))) {
-      spawnSync('npm', ['install', '--omit=dev', '--ignore-scripts'], {
+      const npmResult = spawnSync('npm', ['install', '--omit=dev', '--ignore-scripts'], {
         cwd: newCachePath,
         stdio: 'pipe',
         timeout: 60000,
       });
+      if (npmResult.status !== 0) {
+        // npm install failed — don't update registry to point to broken cache
+        if (verbose) console.error('  npm install failed in cache dir, aborting cache sync');
+        fs.rmSync(newCachePath, { recursive: true, force: true });
+        return;
+      }
     }
 
     // Update installed_plugins.json to point to new cache path
@@ -507,6 +542,26 @@ function syncPluginCache(extractedDir, verbose = false) {
     fs.writeFileSync(tmpPlugins, JSON.stringify(plugins, null, 2) + '\n');
     fs.renameSync(tmpPlugins, pluginsFile);
 
+    // Update settings.json statusLine if it points to the old cache path
+    try {
+      const settingsPath = path.join(claudeDir, 'settings.json');
+      const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+      if (settings.statusLine?.command?.includes('/plugins/cache/gsd/gsd/')) {
+        const oldCmd = settings.statusLine.command;
+        const updated = oldCmd.replace(/\/plugins\/cache\/gsd\/gsd\/[^/]+\//g, `/plugins/cache/gsd/gsd/${newVersion}/`);
+        if (updated !== oldCmd) {
+          settings.statusLine.command = updated;
+          const tmpSettings = settingsPath + `.${process.pid}.tmp`;
+          fs.writeFileSync(tmpSettings, JSON.stringify(settings, null, 2) + '\n');
+          fs.renameSync(tmpSettings, settingsPath);
+          if (verbose) console.log('  StatusLine path updated to new version');
+        }
+      }
+    } catch {}
+
+    // Prune old cache versions — keep only the 3 most recent
+    pruneOldCacheVersions(cacheBase, 3, verbose);
+
     if (verbose) console.log(`  Plugin cache synced to v${newVersion}`);
   } catch (err) {
     // Best effort — don't fail the update if cache sync fails

package/hooks/gsd-statusline.cjs

@@ -6,24 +6,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const os = require('node:os');
-
-/**
- * Walk from startDir up to filesystem root looking for a .gsd directory.
- * Returns the absolute path to .gsd if found, or null.
- */
-function findGsdDir(startDir) {
-  let dir = startDir;
-  while (true) {
-    const candidate = path.join(dir, '.gsd');
-    try {
-      if (fs.statSync(candidate).isDirectory()) return candidate;
-    } catch {
-      const parent = path.dirname(dir);
-      if (parent === dir) return null; // reached filesystem root
-      dir = parent;
-    }
-  }
-}
+const { findGsdDir } = require('./lib/gsd-finder.cjs');
 
 let input = '';
 const stdinTimeout = setTimeout(() => process.exit(0), 3000);

package/install.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 // Plugin installer for GSD-Lite
 
-import { existsSync, mkdirSync, cpSync, readFileSync, writeFileSync, renameSync, rmSync } from 'node:fs';
+import { existsSync, mkdirSync, cpSync, readFileSync, writeFileSync, renameSync, rmSync, readdirSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { fileURLToPath, pathToFileURL } from 'node:url';
@@ -13,12 +13,13 @@ const RUNTIME_DIR = join(CLAUDE_DIR, 'gsd');
 const DRY_RUN = process.argv.includes('--dry-run');
 
 // Single source of truth for hook files (used by copy loop and registration)
-const HOOK_FILES = ['gsd-session-init.cjs', 'gsd-auto-update.cjs', 'gsd-context-monitor.cjs', 'gsd-statusline.cjs'];
+const HOOK_FILES = ['gsd-session-init.cjs', 'gsd-auto-update.cjs', 'gsd-context-monitor.cjs', 'gsd-statusline.cjs', 'gsd-session-stop.cjs'];
 
 // Hook registration config: hookType → { file identifier, matcher, timeout? }
 const HOOK_REGISTRY = [
   { hookType: 'SessionStart', identifier: 'gsd-session-init', matcher: 'startup', timeout: 5 },
   { hookType: 'PostToolUse', identifier: 'gsd-context-monitor', matcher: '*' },
+  { hookType: 'Stop', identifier: 'gsd-session-stop', matcher: '*', timeout: 3 },
 ];
 
 function log(msg) { console.log(msg); }
@@ -135,6 +136,11 @@ export function main() {
   for (const hookFile of HOOK_FILES) {
     copyFile(join(__dirname, 'hooks', hookFile), join(CLAUDE_DIR, 'hooks', hookFile), `hooks/${hookFile}`);
   }
+  // 5b. Hook library dependencies (e.g. gsd-finder.cjs used by statusline + session-init)
+  const hookLibDir = join(__dirname, 'hooks', 'lib');
+  if (existsSync(hookLibDir)) {
+    copyDir(hookLibDir, join(CLAUDE_DIR, 'hooks', 'lib'), 'hooks/lib → ~/.claude/hooks/lib/');
+  }
 
   // 6. Stable runtime for MCP server
   copyDir(join(__dirname, 'src'), join(RUNTIME_DIR, 'src'), 'runtime/src → ~/.claude/gsd/src/');
@@ -186,12 +192,36 @@ export function main() {
     }
 
     // Register statusLine (top-level setting) and hooks
-    if (!settings.hooks) settings.hooks = {};
-    const statuslinePath = join(CLAUDE_DIR, 'hooks', 'gsd-statusline.cjs');
-    const statusLineRegistered = registerStatusLine(settings, statuslinePath);
+    // When installed as a plugin, hooks are managed by hooks.json via the plugin system.
+    // Only register in settings.json for manual installs to avoid double execution.
+    let statusLineRegistered = false;
     let hooksRegistered = false;
-    for (const config of HOOK_REGISTRY) {
-      if (registerHookEntry(settings.hooks, config)) hooksRegistered = true;
+    if (!isPluginInstall) {
+      if (!settings.hooks) settings.hooks = {};
+      const statuslinePath = join(CLAUDE_DIR, 'hooks', 'gsd-statusline.cjs');
+      statusLineRegistered = registerStatusLine(settings, statuslinePath);
+      for (const config of HOOK_REGISTRY) {
+        if (registerHookEntry(settings.hooks, config)) hooksRegistered = true;
+      }
+    } else {
+      // Clean up stale manual hook entries left from previous install.js runs
+      if (settings.hooks) {
+        let cleaned = false;
+        for (const [hookType, identifier] of [
+          ['PostToolUse', 'gsd-context-monitor'],
+          ['SessionStart', 'gsd-session-init'],
+          ['Stop', 'gsd-session-stop'],
+        ]) {
+          if (Array.isArray(settings.hooks[hookType])) {
+            const before = settings.hooks[hookType].length;
+            settings.hooks[hookType] = settings.hooks[hookType].filter(e =>
+              !e.hooks?.some(h => h.command?.includes(identifier)));
+            if (settings.hooks[hookType].length < before) cleaned = true;
+            if (settings.hooks[hookType].length === 0) delete settings.hooks[hookType];
+          }
+        }
+        if (cleaned) log('  ✓ Removed stale manual hook entries (plugin hooks.json handles registration)');
+      }
     }
 
     const tmpSettings = settingsPath + `.${process.pid}-${Date.now()}.tmp`;
@@ -204,6 +234,32 @@ export function main() {
     log('  [dry-run] Would register MCP server in settings.json');
   }
 
+  // 9. Prune old plugin cache versions (keep latest 3)
+  if (!DRY_RUN && isPluginInstall) {
+    const cacheBase = join(CLAUDE_DIR, 'plugins', 'cache', 'gsd', 'gsd');
+    if (existsSync(cacheBase)) {
+      try {
+        const entries = readdirSync(cacheBase, { withFileTypes: true })
+          .filter(e => e.isDirectory()).map(e => e.name);
+        if (entries.length > 3) {
+          const sorted = entries.slice().sort((a, b) => {
+            const pa = a.split('.').map(Number);
+            const pb = b.split('.').map(Number);
+            for (let i = 0; i < 3; i++) {
+              if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
+            }
+            return 0;
+          });
+          const toRemove = sorted.slice(0, sorted.length - 3);
+          for (const ver of toRemove) {
+            rmSync(join(cacheBase, ver), { recursive: true, force: true });
+          }
+          log(`  ✓ Pruned ${toRemove.length} old cache version(s), kept latest 3`);
+        }
+      } catch { /* best effort */ }
+    }
+  }
+
   log('\n✓ GSD-Lite installed successfully!');
   log('  Use /gsd:start to begin a new project');
   log('  Use /gsd:resume to continue an existing project');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gsd-lite",
-  "version": "0.5.13",
+  "version": "0.5.15",
   "description": "AI orchestration tool for Claude Code — GSD management shell + Superpowers quality core",
   "type": "module",
   "bin": {

package/src/tools/orchestrator/debugger.js

@@ -16,6 +16,8 @@ export async function handleDebuggerResult({ result, basePath = process.cwd() }
     return { error: true, message: `Invalid debugger result: ${validation.errors.join('; ')}` };
   }
 
+  // Note: read() is outside the state lock — safe under single-session sequential execution.
+  // See executor.js for rationale.
   const state = await read({ basePath });
   if (state.error) return state;
   const { phase, task } = getPhaseAndTask(state, result.task_id);

package/src/tools/orchestrator/executor.js

@@ -20,6 +20,9 @@ export async function handleExecutorResult({ result, basePath = process.cwd() }
     return { error: true, message: `Invalid executor result: ${validation.errors.join('; ')}` };
   }
 
+  // Note: read() is outside the state lock. This is safe because the MCP server
+  // processes tool calls sequentially (single-session, promise-queue serialized).
+  // persist() below re-acquires the lock and applies changes atomically.
   const state = await read({ basePath });
   if (state.error) return state;
   const { phase, task } = getPhaseAndTask(state, result.task_id);
@@ -27,6 +30,16 @@ export async function handleExecutorResult({ result, basePath = process.cwd() }
     return { error: true, message: `Task ${result.task_id} not found` };
   }
 
+  // Auto-start parallel tasks: if a task is still pending (dispatched via parallel_available
+  // but not explicitly started by orchestrator-resume), transition it to running first.
+  if (task.lifecycle === 'pending') {
+    const startError = await persist(basePath, {
+      phases: [{ id: phase.id, todo: [{ id: task.id, lifecycle: 'running' }] }],
+    });
+    if (startError) return startError;
+    task.lifecycle = 'running';
+  }
+
   // Build new decision entries — actual append happens atomically inside update()'s lock
   const newDecisions = buildDecisionEntries(result.decisions, phase.id, task.id, (state.decisions || []).length);
 

package/src/tools/orchestrator/helpers.js

@@ -10,6 +10,7 @@ import { getGitHead, getGsdDir } from '../../utils.js';
 const MAX_DEBUG_RETRY = 3;
 const MAX_RESUME_DEPTH = 3;
 const CONTEXT_RESUME_THRESHOLD = 40;
+const MAX_PHASE_REVIEW_RETRY = 5;
 
 // ── Result Contracts ──
 // Provided in dispatch responses so agents produce valid results on the first call.
@@ -424,6 +425,7 @@ export {
   MAX_DEBUG_RETRY,
   MAX_RESUME_DEPTH,
   CONTEXT_RESUME_THRESHOLD,
+  MAX_PHASE_REVIEW_RETRY,
   RESULT_CONTRACTS,
   isTerminalWorkflowMode,
   parseTimestamp,

package/src/tools/orchestrator/researcher.js

@@ -1,6 +1,5 @@
 import { storeResearch } from '../state/index.js';
 import { validateResearcherResult } from '../../schema.js';
-import { resumeWorkflow } from './resume.js';
 
 export async function handleResearcherResult({ result, artifacts, decision_index, basePath = process.cwd() } = {}) {
   if (!result || typeof result !== 'object' || Array.isArray(result)) {
@@ -15,11 +14,10 @@ export async function handleResearcherResult({ result, artifacts, decision_index
   const persisted = await storeResearch({ result, artifacts, decision_index, basePath });
   if (persisted.error) return persisted;
 
-  const resumed = await resumeWorkflow({ basePath });
-  if (resumed.error) return resumed;
-
   return {
-    ...resumed,
+    success: true,
+    action: 'research_stored',
+    workflow_mode: persisted.workflow_mode,
     stored_files: persisted.stored_files,
     decision_ids: persisted.decision_ids,
     research_warnings: persisted.warnings,

package/src/tools/orchestrator/reviewer.js

@@ -1,6 +1,7 @@
 import { read } from '../state/index.js';
 import { validateReviewerResult } from '../../schema.js';
 import {
+  MAX_PHASE_REVIEW_RETRY,
   getCurrentPhase,
   getTaskById,
   persist,
@@ -15,6 +16,8 @@ export async function handleReviewerResult({ result, basePath = process.cwd() }
     return { error: true, message: `Invalid reviewer result: ${validation.errors.join('; ')}` };
   }
 
+  // Note: read() is outside the state lock — safe under single-session sequential execution.
+  // See executor.js for rationale.
   const state = await read({ basePath });
   if (state.error) return state;
 
@@ -70,6 +73,40 @@ export async function handleReviewerResult({ result, basePath = process.cwd() }
   const specFailed = result.spec_passed === false;
   const qualityFailed = result.quality_passed === false;
   const needsRework = hasCritical || specFailed || qualityFailed;
+
+  // Compute retry count once for both exhaustion check and state update
+  const currentRetryCount = phase.phase_review?.retry_count || 0;
+  const nextRetryCount = needsRework ? currentRetryCount + 1 : 0;
+
+  // Phase review retry limit: prevent infinite reviewing↔active cycles
+  if (needsRework && nextRetryCount > MAX_PHASE_REVIEW_RETRY) {
+    const persistError = await persist(basePath, {
+      workflow_mode: 'awaiting_user',
+      current_task: null,
+      current_review: {
+        scope: 'phase',
+        scope_id: phase.id,
+        stage: 'review_retry_exhausted',
+        retry_count: nextRetryCount,
+      },
+      phases: [{
+        id: phase.id,
+        lifecycle: phase.lifecycle === 'reviewing' ? 'active' : phase.lifecycle,
+        phase_review: { status: 'rework_required', retry_count: nextRetryCount },
+      }],
+    });
+    if (persistError) return persistError;
+
+    return {
+      success: true,
+      action: 'review_retry_exhausted',
+      workflow_mode: 'awaiting_user',
+      phase_id: phase.id,
+      retry_count: nextRetryCount,
+      message: `Phase ${phase.id} review failed ${nextRetryCount} times (limit: ${MAX_PHASE_REVIEW_RETRY}). User intervention required.`,
+    };
+  }
+
   const reviewStatus = needsRework ? 'rework_required' : 'accepted';
 
   // done is auto-recomputed by update() — no manual tracking needed
@@ -77,9 +114,7 @@ export async function handleReviewerResult({ result, basePath = process.cwd() }
     id: phase.id,
     phase_review: {
       status: reviewStatus,
-      ...(needsRework
-        ? { retry_count: (phase.phase_review?.retry_count || 0) + 1 }
-        : { retry_count: 0 }),
+      retry_count: nextRetryCount,
     },
     todo: taskPatches,
   };

package/src/tools/state/crud.js

@@ -12,7 +12,6 @@ import {
   createInitialState,
   migrateState,
 } from '../../schema.js';
-import { runAll } from '../verify.js';
 import {
   ERROR_CODES,
   MAX_EVIDENCE_ENTRIES,
@@ -29,6 +28,11 @@ export async function init({ project, phases, research, force = false, basePath
   if (!project || typeof project !== 'string') {
     return { error: true, code: ERROR_CODES.INVALID_INPUT, message: 'project must be a non-empty string' };
   }
+  // Sanitize: strip HTML comment delimiters (could break marker-based CLAUDE.md injection) and cap length
+  project = project.replace(/<!--|-->/g, '').trim().slice(0, 200);
+  if (!project) {
+    return { error: true, code: ERROR_CODES.INVALID_INPUT, message: 'project name is empty after sanitization' };
+  }
   if (!Array.isArray(phases)) {
     return { error: true, code: ERROR_CODES.INVALID_INPUT, message: 'phases must be an array' };
   }
@@ -420,7 +424,14 @@ export async function phaseComplete({
       };
     }
 
-    const verificationResult = verification || (run_verify ? await runAll(basePath) : null);
+    if (run_verify && !verification) {
+      return {
+        error: true,
+        code: ERROR_CODES.INVALID_INPUT,
+        message: 'run_verify requires verification results to be passed via the verification parameter; the state layer does not execute external tools',
+      };
+    }
+    const verificationResult = verification || null;
     const testsPassed = verificationResult
       ? verificationPassed(verificationResult)
       : phase.phase_handoff.tests_passed === true;

package/src/tools/state/logic.js

@@ -269,9 +269,17 @@ export function reclassifyReviewLevel(task, executorResult) {
   }
 
   // High confidence on non-sensitive L1 tasks → downgrade to L0 (self-review sufficient)
+  // Cross-validate: require objective evidence before trusting self-reported confidence.
+  // Without evidence or with failed tests, confidence claim is not credible.
   if (executorResult.confidence === 'high' && currentLevel === 'L1'
       && !executorResult.contract_changed) {
-    return 'L0';
+    const hasEvidence = Array.isArray(executorResult.evidence) && executorResult.evidence.length > 0;
+    const hasTestFailure = Array.isArray(executorResult.evidence)
+      && executorResult.evidence.some(e => e && e.type === 'test' && e.passed === false);
+    if (hasEvidence && !hasTestFailure) {
+      return 'L0';
+    }
+    // Insufficient evidence or test failure — stay at L1 despite high confidence claim
   }
 
   return currentLevel;

package/src/utils.js

@@ -65,6 +65,7 @@ const LOCK_MAX_RETRIES = 100; // 5 seconds total
  */
 export async function withFileLock(lockPath, fn) {
   let acquired = false;
+  let nonLockError = false;
   for (let i = 0; i < LOCK_MAX_RETRIES; i++) {
     try {
       await writeFile(lockPath, String(process.pid), { flag: 'wx' });
@@ -84,11 +85,21 @@ export async function withFileLock(lockPath, fn) {
         }
         await new Promise(r => setTimeout(r, LOCK_RETRY_MS));
       } else {
-        break; // Non-EEXIST error — proceed without lock
+        // Non-EEXIST error (e.g., read-only fs) — proceed without lock
+        nonLockError = true;
+        break;
       }
     }
   }
 
+  // Lock exhaustion (retries depleted while another process held the lock):
+  // throw to prevent concurrent unlocked writes that cause data corruption.
+  // Non-EEXIST errors (read-only fs, permission denied) still proceed without lock
+  // since locking is physically impossible in those environments.
+  if (!acquired && !nonLockError) {
+    throw new Error(`Lock acquisition timeout: could not acquire ${lockPath} after ${LOCK_MAX_RETRIES} retries (${LOCK_MAX_RETRIES * LOCK_RETRY_MS}ms)`);
+  }
+
   try {
     return await fn();
   } finally {

package/uninstall.js

@@ -38,13 +38,23 @@ export function main() {
   removeDir(join(CLAUDE_DIR, 'gsd-lite'), 'legacy gsd-lite runtime/');
 
   // Remove hook files (both legacy and current names)
-  for (const name of ['context-monitor.js', 'gsd-statusline.cjs', 'gsd-context-monitor.cjs', 'gsd-session-init.cjs', 'gsd-auto-update.cjs']) {
+  for (const name of ['context-monitor.js', 'gsd-statusline.cjs', 'gsd-context-monitor.cjs', 'gsd-session-init.cjs', 'gsd-auto-update.cjs', 'gsd-session-stop.cjs']) {
     const hookFile = join(CLAUDE_DIR, 'hooks', name);
     if (existsSync(hookFile)) {
       rmSync(hookFile);
       log(`  ✓ Removed hooks/${name}`);
     }
   }
+  // Remove hook library dependencies
+  const hookLibDir = join(CLAUDE_DIR, 'hooks', 'lib');
+  if (existsSync(hookLibDir)) {
+    // Only remove GSD-owned files, not other plugins' libs
+    const gsdLibFile = join(hookLibDir, 'gsd-finder.cjs');
+    if (existsSync(gsdLibFile)) {
+      rmSync(gsdLibFile);
+      log('  ✓ Removed hooks/lib/gsd-finder.cjs');
+    }
+  }
 
   // Clean up plugin system directories (from /plugin install)
   removeDir(join(CLAUDE_DIR, 'plugins', 'marketplaces', 'gsd'), 'plugins/marketplaces/gsd/');
@@ -123,6 +133,7 @@ export function main() {
         ['PostToolUse', 'gsd-context-monitor'],
         ['PostToolUse', 'context-monitor.js'],
         ['SessionStart', 'gsd-session-init'],
+        ['Stop', 'gsd-session-stop'],
       ]) {
         if (Array.isArray(settings.hooks[hookType])) {
           const len = settings.hooks[hookType].length;