gsd-opencode 1.22.1 → 1.33.0

package/get-shit-done/workflows/secure-phase.md

@@ -0,0 +1,154 @@
+<objective>
+Verify threat mitigations for a completed phase. Confirm PLAN.md threat register dispositions are resolved. Update SECURITY.md.
+</objective>
+
+<required_reading>
+@$HOME/.config/opencode/get-shit-done/references/ui-brand.md
+</required_reading>
+
+<available_agent_types>
+Valid GSD subagent types (use exact names — do not fall back to 'general'):
+- gsd-security-auditor — Verifies threat mitigation coverage
+</available_agent_types>
+
+<process>
+
+## 0. Initialize
+
+```bash
+INIT=$(node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" init phase-op "${PHASE_ARG}")
+if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
+AGENT_SKILLS_AUDITOR=$(node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" agent-skills gsd-security-auditor 2>/dev/null)
+```
+
+Parse: `phase_dir`, `phase_number`, `phase_name`, `phase_slug`, `padded_phase`.
+
+```bash
+AUDITOR_MODEL=$(node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" resolve-model gsd-security-auditor --raw)
+SECURITY_CFG=$(node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" config-get workflow.security_enforcement --raw 2>/dev/null || echo "true")
+```
+
+If `SECURITY_CFG` is `false`: exit with "Security enforcement disabled. Enable via /gsd-settings."
+
+Display banner: `GSD > SECURE PHASE {N}: {name}`
+
+## 1. Detect Input State
+
+```bash
+SECURITY_FILE=$(ls "${PHASE_DIR}"/*-SECURITY.md 2>/dev/null | head -1)
+PLAN_FILES=$(ls "${PHASE_DIR}"/*-PLAN.md 2>/dev/null)
+SUMMARY_FILES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
+```
+
+- **State A** (`SECURITY_FILE` non-empty): Audit existing
+- **State B** (`SECURITY_FILE` empty, `PLAN_FILES` and `SUMMARY_FILES` non-empty): Run from artifacts
+- **State C** (`SUMMARY_FILES` empty): Exit — "Phase {N} not executed. Run /gsd-execute-phase {N} first."
+
+## 2. Discovery
+
+### 2a. read Phase Artifacts
+
+read PLAN.md — extract `<threat_model>` block: trust boundaries, STRIDE register (`threat_id`, `category`, `component`, `disposition`, `mitigation_plan`).
+
+### 2b. read Summary Threat Flags
+
+read SUMMARY.md — extract `## Threat Flags` entries.
+
+### 2c. Build Threat Register
+
+Per threat: `{ threat_id, category, component, disposition, mitigation_pattern, files_to_check }`
+
+## 3. Threat Classification
+
+Classify each threat:
+
+| Status | Criteria |
+|--------|----------|
+| CLOSED | mitigation found OR accepted risk documented in SECURITY.md OR transfer documented |
+| OPEN | none of the above |
+
+Build: `{ threat_id, category, component, disposition, status, evidence }`
+
+If `threats_open: 0` → skip to Step 6 directly.
+
+## 4. Present Threat Plan
+
+Call question with threat table and options:
+1. "Verify all open threats" → Step 5
+2. "Accept all open — document in accepted risks log" → add to SECURITY.md accepted risks, set all CLOSED, Step 6
+3. "Cancel" → exit
+
+## 5. Spawn gsd-security-auditor
+
+```
+@gsd-security-auditor "read $HOME/.config/opencode/agents/gsd-security-auditor.md for instructions.\n\n"
+```
+
+Handle return:
+- `## SECURED` → record closures → Step 6
+- `## OPEN_THREATS` → record closed + open, present user with accept/block choice → Step 6
+- `## ESCALATE` → present to user → Step 6
+
+## 6. write/Update SECURITY.md
+
+**State B (create):**
+1. read template from `$HOME/.config/opencode/get-shit-done/templates/SECURITY.md`
+2. Fill: frontmatter, threat register, accepted risks, audit trail
+3. write to `${PHASE_DIR}/${PADDED_PHASE}-SECURITY.md`
+
+**State A (update):**
+1. Update threat register statuses, append to audit trail:
+
+```markdown
+## Security Audit {date}
+| Metric | Count |
+|--------|-------|
+| Threats found | {N} |
+| Closed | {M} |
+| Open | {K} |
+```
+
+**ENFORCING GATE:** If `threats_open > 0` after all options exhausted (user did not accept, not all verified closed):
+
+```
+GSD > PHASE {N} SECURITY BLOCKED
+{K} threats open — phase advancement blocked until threats_open: 0
+▶ Fix mitigations then re-run: /gsd-secure-phase {N}
+▶ Or document accepted risks in SECURITY.md and re-run.
+```
+
+Do NOT emit next-phase routing. Stop here.
+
+## 7. Commit
+
+```bash
+node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" commit "docs(phase-${PHASE}): add/update security threat verification"
+```
+
+## 8. Results + Routing
+
+**Secured (threats_open: 0):**
+```
+GSD > PHASE {N} THREAT-SECURE
+threats_open: 0 — all threats have dispositions.
+▶ /gsd-validate-phase {N}    validate test coverage
+▶ /gsd-verify-work {N}       run UAT
+```
+
+Display `/new` reminder.
+
+</process>
+
+<success_criteria>
+- [ ] Security enforcement checked — exit if false
+- [ ] Input state detected (A/B/C) — state C exits cleanly
+- [ ] PLAN.md threat model parsed, register built
+- [ ] SUMMARY.md threat flags incorporated
+- [ ] threats_open: 0 → skip directly to Step 6
+- [ ] User gate with threat table presented
+- [ ] Auditor spawned with complete context
+- [ ] All three return formats (SECURED/OPEN_THREATS/ESCALATE) handled
+- [ ] SECURITY.md created or updated
+- [ ] threats_open > 0 BLOCKS advancement (no next-phase routing emitted)
+- [ ] Results with routing presented on success
+</success_criteria>

package/get-shit-done/workflows/session-report.md

@@ -0,0 +1,146 @@
+<objective>
+Generate a post-session summary document capturing work performed, outcomes achieved, and estimated resource usage. Writes SESSION_REPORT.md to .planning/reports/ for human review and stakeholder sharing.
+</objective>
+
+<required_reading>
+read all files referenced by the invoking prompt's execution_context before starting.
+</required_reading>
+
+<process>
+
+<step name="gather_session_data">
+Collect session data from available sources:
+
+1. **STATE.md** — current phase, milestone, progress, blockers, decisions
+2. **Git log** — commits made during this session (last 24h or since last report)
+3. **Plan/Summary files** — plans executed, summaries written
+4. **ROADMAP.md** — milestone context and phase goals
+
+```bash
+# Get recent commits (last 24 hours)
+git log --oneline --since="24 hours ago" --no-merges 2>/dev/null || echo "No recent commits"
+
+# Count files changed
+git diff --stat HEAD~10 HEAD 2>/dev/null | tail -1 || echo "No diff available"
+```
+
+read `.planning/STATE.md` to get:
+- Current milestone and phase
+- Progress percentage
+- Active blockers
+- Recent decisions
+
+read `.planning/ROADMAP.md` to get milestone name and goals.
+
+Check for existing reports:
+```bash
+ls -la .planning/reports/SESSION_REPORT*.md 2>/dev/null || echo "No previous reports"
+```
+</step>
+
+<step name="estimate_usage">
+Estimate token usage from observable signals:
+
+- Count of tool calls is not directly available, so estimate from git activity and file operations
+- Note: This is an **estimate** — exact token counts require API-level instrumentation not available to hooks
+
+Estimation heuristics:
+- Each commit ≈ 1 plan cycle (research + plan + execute + verify)
+- Each plan file ≈ 2,000-5,000 tokens of agent context
+- Each summary file ≈ 1,000-2,000 tokens generated
+- Subagent spawns multiply by ~1.5x per agent type used
+</step>
+
+<step name="generate_report">
+Create the report directory and file:
+
+```bash
+mkdir -p .planning/reports
+```
+
+write `.planning/reports/SESSION_REPORT.md` (or `.planning/reports/YYYYMMDD-session-report.md` if previous reports exist):
+
+```markdown
+# GSD Session Report
+
+**Generated:** [timestamp]
+**Project:** [from PROJECT.md title or directory name]
+**Milestone:** [N] — [milestone name from ROADMAP.md]
+
+---
+
+## Session Summary
+
+**Duration:** [estimated from first to last commit timestamp, or "Single session"]
+**Phase Progress:** [from STATE.md]
+**Plans Executed:** [count of summaries written this session]
+**Commits Made:** [count from git log]
+
+## Work Performed
+
+### Phases Touched
+[List phases worked on with brief description of what was done]
+
+### Key Outcomes
+[Bullet list of concrete deliverables: files created, features implemented, bugs fixed]
+
+### Decisions Made
+[From STATE.md decisions table, if any were added this session]
+
+## Files Changed
+
+[Summary of files modified, created, deleted — from git diff stat]
+
+## Blockers & Open Items
+
+[Active blockers from STATE.md]
+[Any TODO items created during session]
+
+## Estimated Resource Usage
+
+| Metric | Estimate |
+|--------|----------|
+| Commits | [N] |
+| Files changed | [N] |
+| Plans executed | [N] |
+| Subagents spawned | [estimated] |
+
+> **Note:** Token and cost estimates require API-level instrumentation.
+> These metrics reflect observable session activity only.
+
+---
+
+*Generated by `/gsd-session-report`*
+```
+</step>
+
+<step name="display_result">
+Show the user:
+
+```
+## Session Report Generated
+
+📄 `.planning/reports/[filename].md`
+
+### Highlights
+- **Commits:** [N]
+- **Files changed:** [N]  
+- **Phase progress:** [X]%
+- **Plans executed:** [N]
+```
+
+If this is the first report, mention:
+```
+💡 Run `/gsd-session-report` at the end of each session to build a history of project activity.
+```
+</step>
+
+</process>
+
+<success_criteria>
+- [ ] Session data gathered from STATE.md, git log, and plan files
+- [ ] Report written to .planning/reports/
+- [ ] Report includes work summary, outcomes, and file changes
+- [ ] Filename includes date to prevent overwrites
+- [ ] Result summary displayed to user
+</success_criteria>

package/get-shit-done/workflows/set-profile.md

@@ -1,6 +1,6 @@
-<purpose>
+<objective>
 Switch the model profile used by GSD agents. Controls which OpenCode model each agent uses, balancing quality vs token spend.
-</purpose>
+</objective>
 
 <required_reading>
 read all files referenced by the invoking prompt's execution_context before starting.

package/get-shit-done/workflows/settings.md

@@ -1,6 +1,6 @@
-<purpose>
+<objective>
 Interactive configuration of GSD workflow agents (research, plan_check, verifier) and model profile selection via multi-question prompt. Updates .planning/config.json with user preferences. Optionally saves settings as global defaults (~/.gsd/defaults.json) for future projects.
-</purpose>
+</objective>
 
 <required_reading>
 read all files referenced by the invoking prompt's execution_context before starting.
@@ -30,8 +30,11 @@ Parse current values (default to `true` if not present):
 - `workflow.plan_check` — spawn plan checker during plan-phase
 - `workflow.verifier` — spawn verifier during execute-phase
 - `workflow.nyquist_validation` — validation architecture research during plan-phase (default: true if absent)
+- `workflow.ui_phase` — generate UI-SPEC.md design contracts for frontend phases (default: true if absent)
+- `workflow.ui_safety_gate` — prompt to run /gsd-ui-phase before planning frontend phases (default: true if absent)
 - `model_profile` — which model each agent uses (default: `simple`)
 - `git.branching_strategy` — branching approach (default: `"none"`)
+- `workflow.use_worktrees` — whether parallel executor agents run in worktree isolation (default: `true`)
 </step>
 
 <step name="present_settings">
@@ -45,8 +48,9 @@ question([
     multiSelect: false,
     options: [
       { label: "Simple", description: "One model for all agents (not flexible)" },
-      { label: "Smart (Recommended)", description: "Two models: one for reseach and planing, other for execution and verification" },
-      { label: "Genius (most flexible)", description: "Three models: different for every stage" }
+      { label: "Smart (Recommended)", description: "Opus for planning, Sonnet for research/execution/verification" },
+      { label: "Genius (most flexible)", description: "Three models: different for every stage" },
+      { label: "Inherit", description: "Use current session model for all agents (best for OpenRouter, local models, or runtime model switching)" }
     ]
   },
   {
@@ -94,6 +98,26 @@ question([
       { label: "No", description: "Skip validation research. Good for rapid prototyping or no-test phases." }
     ]
   },
+  // Note: Nyquist validation depends on research output. If research is disabled,
+  // plan-phase automatically skips Nyquist steps (no RESEARCH.md to extract from).
+  {
+    question: "Enable UI Phase? (generates UI-SPEC.md design contracts for frontend phases)",
+    header: "UI Phase",
+    multiSelect: false,
+    options: [
+      { label: "Yes (Recommended)", description: "Generate UI design contracts before planning frontend phases. Locks spacing, typography, color, and copywriting." },
+      { label: "No", description: "Skip UI-SPEC generation. Good for backend-only projects or API phases." }
+    ]
+  },
+  {
+    question: "Enable UI Safety Gate? (prompts to run /gsd-ui-phase before planning frontend phases)",
+    header: "UI Gate",
+    multiSelect: false,
+    options: [
+      { label: "Yes (Recommended)", description: "plan-phase asks to run /gsd-ui-phase first when frontend indicators detected." },
+      { label: "No", description: "No prompt — plan-phase proceeds without UI-SPEC check." }
+    ]
+  },
   {
     question: "Git branching strategy?",
     header: "Branching",
@@ -103,6 +127,42 @@ question([
       { label: "Per Phase", description: "Create branch for each phase (gsd/phase-{N}-{name})" },
       { label: "Per Milestone", description: "Create branch for entire milestone (gsd/{version}-{name})" }
     ]
+  },
+  {
+    question: "Enable context window warnings? (injects advisory messages when context is getting full)",
+    header: "Ctx Warnings",
+    multiSelect: false,
+    options: [
+      { label: "Yes (Recommended)", description: "Warn when context usage exceeds 65%. Helps avoid losing work." },
+      { label: "No", description: "Disable warnings. Allows OpenCode to reach auto-compact naturally. Good for long unattended runs." }
+    ]
+  },
+  {
+    question: "Research best practices before asking questions? (web search during new-project and discuss-phase)",
+    header: "Research Qs",
+    multiSelect: false,
+    options: [
+      { label: "No (Recommended)", description: "Ask questions directly. Faster, uses fewer tokens." },
+      { label: "Yes", description: "Search web for best practices before each question group. More informed questions but uses more tokens." }
+    ]
+  },
+  {
+    question: "Skip discuss-phase in autonomous mode? (use ROADMAP phase goals as spec)",
+    header: "Skip Discuss",
+    multiSelect: false,
+    options: [
+      { label: "No (Recommended)", description: "Run smart discuss before each phase — surfaces gray areas and captures decisions." },
+      { label: "Yes", description: "Skip discuss in /gsd-autonomous — chain directly to plan. Best for backend/pipeline work where phase descriptions are the spec." }
+    ]
+  },
+  {
+    question: "Use git worktrees for parallel agent isolation?",
+    header: "Worktrees",
+    multiSelect: false,
+    options: [
+      { label: "Yes (Recommended)", description: "Each parallel executor runs in its own worktree branch — no conflicts between agents." },
+      { label: "No", description: "Disable worktree isolation. Use on platforms where EnterWorktree is broken (e.g. Windows with feature branches). Agents run sequentially on the main working tree." }
+    ]
   }
 ])
 ```
@@ -114,16 +174,28 @@ Merge new settings into existing config.json:
 ```json
 {
   ...existing_config,
-  "model_profile": "simple" | "smart" | "genius",
+  "model_profile": "simple" | "smart" | "genius" | "inherit",
   "workflow": {
     "research": true/false,
     "plan_check": true/false,
     "verifier": true/false,
     "auto_advance": true/false,
-    "nyquist_validation": true/false
+    "nyquist_validation": true/false,
+    "ui_phase": true/false,
+    "ui_safety_gate": true/false,
+    "text_mode": true/false,
+    "research_before_questions": true/false,
+    "discuss_mode": "discuss" | "assumptions",
+    "skip_discuss": true/false,
+    "use_worktrees": true/false
   },
   "git": {
-    "branching_strategy": "none" | "phase" | "milestone"
+    "branching_strategy": "none" | "phase" | "milestone",
+    "quick_branch_template": <string|null>
+  },
+  "hooks": {
+    "context_warnings": true/false,
+    "workflow_guard": true/false
   }
 }
 ```
@@ -163,12 +235,16 @@ write `~/.gsd/defaults.json` with:
   "commit_docs": <current>,
   "parallelization": <current>,
   "branching_strategy": <current>,
+  "quick_branch_template": <current>,
   "workflow": {
     "research": <current>,
     "plan_check": <current>,
     "verifier": <current>,
     "auto_advance": <current>,
-    "nyquist_validation": <current>
+    "nyquist_validation": <current>,
+    "ui_phase": <current>,
+    "ui_safety_gate": <current>,
+    "skip_discuss": <current>
   }
 }
 ```
@@ -184,19 +260,23 @@ Display:
 
 | Setting              | Value |
 |----------------------|-------|
-| Model Profile        | {simple/smart/genius} |
+| Model Profile        | {simple/smart/genius/inherit} |
 | Plan Researcher      | {On/Off} |
 | Plan Checker         | {On/Off} |
 | Execution Verifier   | {On/Off} |
 | Auto-Advance         | {On/Off} |
 | Nyquist Validation   | {On/Off} |
+| UI Phase             | {On/Off} |
+| UI Safety Gate       | {On/Off} |
 | Git Branching        | {None/Per Phase/Per Milestone} |
+| Skip Discuss         | {On/Off} |
+| Context Warnings     | {On/Off} |
 | Saved as Defaults    | {Yes/No} |
 
 These settings apply to future /gsd-plan-phase and /gsd-execute-phase runs.
 
 Quick commands:
-- /gsd-set-profile <profile> — switch model profile/choose models
+- /gsd-set-profile <profile> — switch model profile
 - /gsd-plan-phase --research — force research
 - /gsd-plan-phase --skip-research — skip research
 - /gsd-plan-phase --skip-verify — skip plan check
@@ -207,7 +287,7 @@ Quick commands:
 
 <success_criteria>
 - [ ] Current config read
-- [ ] User presented with 7 settings (profile + 5 workflow toggles + git branching)
+- [ ] User presented with 10 settings (profile + 8 workflow toggles + git branching)
 - [ ] Config updated with model_profile, workflow, and git sections
 - [ ] User offered to save as global defaults (~/.gsd/defaults.json)
 - [ ] Changes confirmed to user