gsd-opencode 1.30.0 → 1.33.0

package/get-shit-done/bin/lib/profile-output.cjs

@@ -177,8 +177,12 @@ const CLAUDE_MD_FALLBACKS = {
   stack: 'Technology stack not yet documented. Will populate after codebase mapping or first phase.',
   conventions: 'Conventions not yet established. Will populate as patterns emerge during development.',
   architecture: 'Architecture not yet mapped. Follow existing patterns found in the codebase.',
+  skills: 'No project skills found. Add skills to any of: `.OpenCode/skills/`, `.agents/skills/`, `.cursor/skills/`, or `.github/skills/` with a `SKILL.md` index file.',
 };
 
+// Directories where project skills may live (checked in order)
+const SKILL_SEARCH_DIRS = ['.OpenCode/skills', '.agents/skills', '.cursor/skills', '.github/skills'];
+
 const CLAUDE_MD_WORKFLOW_ENFORCEMENT = [
   'Before using edit, write, or other file-changing tools, start work through a GSD command so planning artifacts and execution context stay in sync.',
   '',
@@ -375,6 +379,96 @@ function generateWorkflowSection() {
   };
 }
 
+/**
+ * Discover project skills from standard directories and extract frontmatter
+ * (name + description) for each. Returns a table summary for AGENTS.md so
+ * agents know which skills are available at session startup (Layer 1 discovery).
+ */
+function generateSkillsSection(cwd) {
+  const discovered = [];
+
+  for (const dir of SKILL_SEARCH_DIRS) {
+    const absDir = path.join(cwd, dir);
+    if (!fs.existsSync(absDir)) continue;
+
+    let entries;
+    try {
+      entries = fs.readdirSync(absDir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      // Skip GSD's own installed skills — only surface project-specific skills
+      if (entry.name.startsWith('gsd-')) continue;
+
+      const skillMdPath = path.join(absDir, entry.name, 'SKILL.md');
+      if (!fs.existsSync(skillMdPath)) continue;
+
+      const content = safeReadFile(skillMdPath);
+      if (!content) continue;
+
+      const frontmatter = extractSkillFrontmatter(content);
+      const name = frontmatter.name || entry.name;
+      const description = frontmatter.description || '';
+
+      // Avoid duplicates when same skill dir is symlinked from multiple locations
+      if (discovered.some(s => s.name === name)) continue;
+
+      discovered.push({ name, description, path: `${dir}/${entry.name}` });
+    }
+  }
+
+  if (discovered.length === 0) {
+    return { content: CLAUDE_MD_FALLBACKS.skills, source: 'skills/', hasFallback: true };
+  }
+
+  const lines = ['| skill | Description | Path |', '|-------|-------------|------|'];
+  for (const skill of discovered) {
+    // Sanitize table cell content (escape pipes)
+    const desc = skill.description.replace(/\|/g, '\\|').replace(/\n/g, ' ').trim();
+    const safeName = skill.name.replace(/\|/g, '\\|');
+    lines.push(`| ${safeName} | ${desc} | \`${skill.path}/SKILL.md\` |`);
+  }
+
+  return { content: lines.join('\n'), source: 'skills/', hasFallback: false };
+}
+
+/**
+ * Extract name and description from YAML-like frontmatter in a SKILL.md file.
+ * Handles multi-line description values (continuation lines indented with spaces).
+ */
+function extractSkillFrontmatter(content) {
+  const result = { name: '', description: '' };
+  const fmMatch = content.match(/^---\s*\n([\s\S]*?)\n---/);
+  if (!fmMatch) return result;
+
+  const fmBlock = fmMatch[1];
+  const lines = fmBlock.split('\n');
+
+  let currentKey = '';
+  for (const line of lines) {
+    // Top-level key: value
+    const kvMatch = line.match(/^(\w[\w-]*):\s*(.*)/);
+    if (kvMatch) {
+      currentKey = kvMatch[1];
+      const value = kvMatch[2].trim();
+      if (currentKey === 'name') result.name = value;
+      if (currentKey === 'description') result.description = value;
+      continue;
+    }
+    // Continuation line (indented) for multi-line values
+    if (currentKey === 'description' && /^\s+/.test(line)) {
+      result.description += ' ' + line.trim();
+    } else {
+      currentKey = '';
+    }
+  }
+
+  return result;
+}
+
 // ─── Commands ─────────────────────────────────────────────────────────────────
 
 function cmdWriteProfile(cwd, options, raw) {
@@ -815,12 +909,13 @@ function cmdGenerateClaudeProfile(cwd, options, raw) {
 }
 
 function cmdGenerateClaudeMd(cwd, options, raw) {
-  const MANAGED_SECTIONS = ['project', 'stack', 'conventions', 'architecture', 'workflow'];
+  const MANAGED_SECTIONS = ['project', 'stack', 'conventions', 'architecture', 'skills', 'workflow'];
   const generators = {
     project: generateProjectSection,
     stack: generateStackSection,
     conventions: generateConventionsSection,
     architecture: generateArchitectureSection,
+    skills: generateSkillsSection,
     workflow: generateWorkflowSection,
   };
   const sectionHeadings = {
@@ -828,6 +923,7 @@ function cmdGenerateClaudeMd(cwd, options, raw) {
     stack: '## Technology Stack',
     conventions: '## Conventions',
     architecture: '## Architecture',
+    skills: '## Project Skills',
     workflow: '## GSD Workflow Enforcement',
   };
 

package/get-shit-done/bin/lib/roadmap.cjs

@@ -4,7 +4,73 @@
 
 const fs = require('fs');
 const path = require('path');
-const { escapeRegex, normalizePhaseName, planningPaths, output, error, findPhaseInternal, stripShippedMilestones, extractCurrentMilestone, replaceInCurrentMilestone } = require('./core.cjs');
+const { escapeRegex, normalizePhaseName, planningPaths, withPlanningLock, output, error, findPhaseInternal, stripShippedMilestones, extractCurrentMilestone, replaceInCurrentMilestone, phaseTokenMatches } = require('./core.cjs');
+
+/**
+ * Search for a phase header (and its section) within the given content string.
+ * Returns a result object if found (either a full match or a malformed_roadmap
+ * checklist-only match), or null if the phase is not present at all.
+ */
+function searchPhaseInContent(content, escapedPhase, phaseNum) {
+  // Match "## Phase X:", "### Phase X:", or "#### Phase X:" with optional name
+  const phasePattern = new RegExp(
+    `#{2,4}\\s*Phase\\s+${escapedPhase}:\\s*([^\\n]+)`,
+    'i'
+  );
+  const headerMatch = content.match(phasePattern);
+
+  if (!headerMatch) {
+    // Fallback: check if phase exists in summary list but missing detail section
+    const checklistPattern = new RegExp(
+      `-\\s*\\[[ x]\\]\\s*\\*\\*Phase\\s+${escapedPhase}:\\s*([^*]+)\\*\\*`,
+      'i'
+    );
+    const checklistMatch = content.match(checklistPattern);
+
+    if (checklistMatch) {
+      return {
+        found: false,
+        phase_number: phaseNum,
+        phase_name: checklistMatch[1].trim(),
+        error: 'malformed_roadmap',
+        message: `Phase ${phaseNum} exists in summary list but missing "### Phase ${phaseNum}:" detail section. ROADMAP.md needs both formats.`
+      };
+    }
+
+    return null;
+  }
+
+  const phaseName = headerMatch[1].trim();
+  const headerIndex = headerMatch.index;
+
+  // Find the end of this section (next ## or ### phase header, or end of file)
+  const restOfContent = content.slice(headerIndex);
+  const nextHeaderMatch = restOfContent.match(/\n#{2,4}\s+Phase\s+\d/i);
+  const sectionEnd = nextHeaderMatch
+    ? headerIndex + nextHeaderMatch.index
+    : content.length;
+
+  const section = content.slice(headerIndex, sectionEnd).trim();
+
+  // Extract goal if present (supports both **Goal:** and **Goal**: formats)
+  const goalMatch = section.match(/\*\*Goal(?::\*\*|\*\*:)\s*([^\n]+)/i);
+  const goal = goalMatch ? goalMatch[1].trim() : null;
+
+  // Extract success criteria as structured array
+  const criteriaMatch = section.match(/\*\*Success Criteria\*\*[^\n]*:\s*\n((?:\s*\d+\.\s*[^\n]+\n?)+)/i);
+  const success_criteria = criteriaMatch
+    ? criteriaMatch[1].trim().split('\n').map(line => line.replace(/^\s*\d+\.\s*/, '').trim()).filter(Boolean)
+    : [];
+
+  return {
+    found: true,
+    phase_number: phaseNum,
+    phase_name: phaseName,
+    goal,
+    success_criteria,
+    section,
+  };
+}
 
 function cmdRoadmapGetPhase(cwd, phaseNum, raw) {
   const roadmapPath = planningPaths(cwd).roadmap;
@@ -15,76 +81,32 @@ function cmdRoadmapGetPhase(cwd, phaseNum, raw) {
   }
 
   try {
-    const content = extractCurrentMilestone(fs.readFileSync(roadmapPath, 'utf-8'), cwd);
+    const rawContent = fs.readFileSync(roadmapPath, 'utf-8');
+    const milestoneContent = extractCurrentMilestone(rawContent, cwd);
 
     // Escape special regex chars in phase number, handle decimal
     const escapedPhase = escapeRegex(phaseNum);
 
-    // Match "## Phase X:", "### Phase X:", or "#### Phase X:" with optional name
-    const phasePattern = new RegExp(
-      `#{2,4}\\s*Phase\\s+${escapedPhase}:\\s*([^\\n]+)`,
-      'i'
-    );
-    const headerMatch = content.match(phasePattern);
-
-    if (!headerMatch) {
-      // Fallback: check if phase exists in summary list but missing detail section
-      const checklistPattern = new RegExp(
-        `-\\s*\\[[ x]\\]\\s*\\*\\*Phase\\s+${escapedPhase}:\\s*([^*]+)\\*\\*`,
-        'i'
-      );
-      const checklistMatch = content.match(checklistPattern);
-
-      if (checklistMatch) {
-        // Phase exists in summary but missing detail section - malformed ROADMAP
-        output({
-          found: false,
-          phase_number: phaseNum,
-          phase_name: checklistMatch[1].trim(),
-          error: 'malformed_roadmap',
-          message: `Phase ${phaseNum} exists in summary list but missing "### Phase ${phaseNum}:" detail section. ROADMAP.md needs both formats.`
-        }, raw, '');
-        return;
-      }
+    // Search the current milestone slice first, then fall back to full roadmap.
+    // A malformed_roadmap result (checklist-only) from the milestone should not
+    // block finding a full header match in the wider roadmap content.
+    const fullContent = stripShippedMilestones(rawContent);
+    const milestoneResult = searchPhaseInContent(milestoneContent, escapedPhase, phaseNum);
+    const result = (milestoneResult && !milestoneResult.error)
+      ? milestoneResult
+      : searchPhaseInContent(fullContent, escapedPhase, phaseNum) || milestoneResult;
 
+    if (!result) {
       output({ found: false, phase_number: phaseNum }, raw, '');
       return;
     }
 
-    const phaseName = headerMatch[1].trim();
-    const headerIndex = headerMatch.index;
-
-    // Find the end of this section (next ## or ### phase header, or end of file)
-    const restOfContent = content.slice(headerIndex);
-    const nextHeaderMatch = restOfContent.match(/\n#{2,4}\s+Phase\s+\d/i);
-    const sectionEnd = nextHeaderMatch
-      ? headerIndex + nextHeaderMatch.index
-      : content.length;
-
-    const section = content.slice(headerIndex, sectionEnd).trim();
-
-    // Extract goal if present (supports both **Goal:** and **Goal**: formats)
-    const goalMatch = section.match(/\*\*Goal(?::\*\*|\*\*:)\s*([^\n]+)/i);
-    const goal = goalMatch ? goalMatch[1].trim() : null;
-
-    // Extract success criteria as structured array
-    const criteriaMatch = section.match(/\*\*Success Criteria\*\*[^\n]*:\s*\n((?:\s*\d+\.\s*[^\n]+\n?)+)/i);
-    const success_criteria = criteriaMatch
-      ? criteriaMatch[1].trim().split('\n').map(line => line.replace(/^\s*\d+\.\s*/, '').trim()).filter(Boolean)
-      : [];
+    if (result.error) {
+      output(result, raw, '');
+      return;
+    }
 
-    output(
-      {
-        found: true,
-        phase_number: phaseNum,
-        phase_name: phaseName,
-        goal,
-        success_criteria,
-        section,
-      },
-      raw,
-      section
-    );
+    output(result, raw, result.section);
   } catch (e) {
     error('Failed to read ROADMAP.md: ' + e.message);
   }
@@ -135,7 +157,7 @@ function cmdRoadmapAnalyze(cwd, raw) {
     try {
       const entries = fs.readdirSync(phasesDir, { withFileTypes: true });
       const dirs = entries.filter(e => e.isDirectory()).map(e => e.name);
-      const dirMatch = dirs.find(d => d.startsWith(normalized + '-') || d === normalized);
+      const dirMatch = dirs.find(d => phaseTokenMatches(d, normalized));
 
       if (dirMatch) {
         const phaseFiles = fs.readdirSync(path.join(phasesDir, dirMatch));
@@ -254,64 +276,66 @@ function cmdRoadmapUpdatePlanProgress(cwd, phaseNum, raw) {
     return;
   }
 
-  let roadmapContent = fs.readFileSync(roadmapPath, 'utf-8');
-  const phaseEscaped = escapeRegex(phaseNum);
+  // Wrap entire read-modify-write in lock to prevent concurrent corruption
+  withPlanningLock(cwd, () => {
+    let roadmapContent = fs.readFileSync(roadmapPath, 'utf-8');
+    const phaseEscaped = escapeRegex(phaseNum);
 
-  // Progress table row: update Plans/Status/Date columns (handles 4 or 5 column tables)
-  const tableRowPattern = new RegExp(
-    `^(\\|\\s*${phaseEscaped}\\.?\\s[^|]*(?:\\|[^\\n]*))$`,
-    'im'
-  );
-  const dateField = isComplete ? ` ${today} ` : '  ';
-  roadmapContent = roadmapContent.replace(tableRowPattern, (fullRow) => {
-    const cells = fullRow.split('|').slice(1, -1); // drop leading/trailing empty from split
-    if (cells.length === 5) {
-      // 5-col: Phase | Milestone | Plans | Status | Completed
-      cells[2] = ` ${summaryCount}/${planCount} `;
-      cells[3] = ` ${status.padEnd(11)}`;
-      cells[4] = dateField;
-    } else if (cells.length === 4) {
-      // 4-col: Phase | Plans | Status | Completed
-      cells[1] = ` ${summaryCount}/${planCount} `;
-      cells[2] = ` ${status.padEnd(11)}`;
-      cells[3] = dateField;
-    }
-    return '|' + cells.join('|') + '|';
-  });
-
-  // Update plan count in phase detail section
-  const planCountPattern = new RegExp(
-    `(#{2,4}\\s*Phase\\s+${phaseEscaped}[\\s\\S]*?\\*\\*Plans:\\*\\*\\s*)[^\\n]+`,
-    'i'
-  );
-  const planCountText = isComplete
-    ? `${summaryCount}/${planCount} plans complete`
-    : `${summaryCount}/${planCount} plans executed`;
-  roadmapContent = replaceInCurrentMilestone(roadmapContent, planCountPattern, `$1${planCountText}`);
-
-  // If complete: check checkbox
-  if (isComplete) {
-    const checkboxPattern = new RegExp(
-      `(-\\s*\\[)[ ](\\]\\s*.*Phase\\s+${phaseEscaped}[:\\s][^\\n]*)`,
-      'i'
+    // Progress table row: update Plans/Status/Date columns (handles 4 or 5 column tables)
+    const tableRowPattern = new RegExp(
+      `^(\\|\\s*${phaseEscaped}\\.?\\s[^|]*(?:\\|[^\\n]*))$`,
+      'im'
     );
-    roadmapContent = replaceInCurrentMilestone(roadmapContent, checkboxPattern, `$1x$2 (completed ${today})`);
-  }
+    const dateField = isComplete ? ` ${today} ` : '  ';
+    roadmapContent = roadmapContent.replace(tableRowPattern, (fullRow) => {
+      const cells = fullRow.split('|').slice(1, -1); // drop leading/trailing empty from split
+      if (cells.length === 5) {
+        // 5-col: Phase | Milestone | Plans | Status | Completed
+        cells[2] = ` ${summaryCount}/${planCount} `;
+        cells[3] = ` ${status.padEnd(11)}`;
+        cells[4] = dateField;
+      } else if (cells.length === 4) {
+        // 4-col: Phase | Plans | Status | Completed
+        cells[1] = ` ${summaryCount}/${planCount} `;
+        cells[2] = ` ${status.padEnd(11)}`;
+        cells[3] = dateField;
+      }
+      return '|' + cells.join('|') + '|';
+    });
 
-  // Mark completed plan checkboxes (e.g. "- [ ] 50-01-PLAN.md" or "- [ ] 50-01:")
-  for (const summaryFile of phaseInfo.summaries) {
-    const planId = summaryFile.replace('-SUMMARY.md', '').replace('SUMMARY.md', '');
-    if (!planId) continue;
-    const planEscaped = escapeRegex(planId);
-    const planCheckboxPattern = new RegExp(
-      `(-\\s*\\[) (\\]\\s*${planEscaped})`,
+    // Update plan count in phase detail section
+    const planCountPattern = new RegExp(
+      `(#{2,4}\\s*Phase\\s+${phaseEscaped}[\\s\\S]*?\\*\\*Plans:\\*\\*\\s*)[^\\n]+`,
       'i'
     );
-    roadmapContent = roadmapContent.replace(planCheckboxPattern, '$1x$2');
-  }
+    const planCountText = isComplete
+      ? `${summaryCount}/${planCount} plans complete`
+      : `${summaryCount}/${planCount} plans executed`;
+    roadmapContent = replaceInCurrentMilestone(roadmapContent, planCountPattern, `$1${planCountText}`);
+
+    // If complete: check checkbox
+    if (isComplete) {
+      const checkboxPattern = new RegExp(
+        `(-\\s*\\[)[ ](\\]\\s*.*Phase\\s+${phaseEscaped}[:\\s][^\\n]*)`,
+        'i'
+      );
+      roadmapContent = replaceInCurrentMilestone(roadmapContent, checkboxPattern, `$1x$2 (completed ${today})`);
+    }
 
-  fs.writeFileSync(roadmapPath, roadmapContent, 'utf-8');
+    // Mark completed plan checkboxes (e.g. "- [ ] 50-01-PLAN.md", "- [ ] 50-01:", or "- [ ] **50-01**")
+    for (const summaryFile of phaseInfo.summaries) {
+      const planId = summaryFile.replace('-SUMMARY.md', '').replace('SUMMARY.md', '');
+      if (!planId) continue;
+      const planEscaped = escapeRegex(planId);
+      const planCheckboxPattern = new RegExp(
+        `(-\\s*\\[) (\\]\\s*(?:\\*\\*)?${planEscaped}(?:\\*\\*)?)`,
+        'i'
+      );
+      roadmapContent = roadmapContent.replace(planCheckboxPattern, '$1x$2');
+    }
 
+    fs.writeFileSync(roadmapPath, roadmapContent, 'utf-8');
+  });
   output({
     updated: true,
     phase: phaseNum,

package/get-shit-done/bin/lib/schema-detect.cjs

@@ -0,0 +1,238 @@
+/**
+ * Schema Drift Detection — Detects schema-relevant file changes and verifies
+ * that the appropriate database push command was executed during a phase.
+ *
+ * Prevents false-positive verification when schema files change but no push
+ * occurs — TypeScript types come from config, not the live database, so
+ * build/types pass on a broken state.
+ */
+
+'use strict';
+
+// ─── ORM Patterns ────────────────────────────────────────────────────────────
+//
+// Each entry maps a glob-like pattern to an ORM name. Patterns use forward
+// slashes internally — Windows backslash paths are normalized before matching.
+
+const SCHEMA_PATTERNS = [
+  // Payload CMS
+  { pattern: /^src\/collections\/.*\.ts$/, orm: 'payload' },
+  { pattern: /^src\/globals\/.*\.ts$/, orm: 'payload' },
+
+  // Prisma
+  { pattern: /^prisma\/schema\.prisma$/, orm: 'prisma' },
+  { pattern: /^prisma\/schema\/.*\.prisma$/, orm: 'prisma' },
+
+  // Drizzle
+  { pattern: /^drizzle\/schema\.ts$/, orm: 'drizzle' },
+  { pattern: /^src\/db\/schema\.ts$/, orm: 'drizzle' },
+  { pattern: /^drizzle\/.*\.ts$/, orm: 'drizzle' },
+
+  // Supabase
+  { pattern: /^supabase\/migrations\/.*\.sql$/, orm: 'supabase' },
+
+  // TypeORM
+  { pattern: /^src\/entities\/.*\.ts$/, orm: 'typeorm' },
+  { pattern: /^src\/migrations\/.*\.ts$/, orm: 'typeorm' },
+];
+
+// ─── Push Commands & Evidence Patterns ───────────────────────────────────────
+//
+// For each ORM, the push command that agents should run, plus regex patterns
+// that indicate the push was actually executed (matched against execution logs,
+// SUMMARY.md content, and git commit messages).
+
+const ORM_INFO = {
+  payload: {
+    pushCommand: 'npx payload migrate',
+    envHint: 'CI=true PAYLOAD_MIGRATING=true npx payload migrate',
+    interactiveWarning: 'Payload migrate may require interactive prompts — use CI=true PAYLOAD_MIGRATING=true to suppress',
+    evidencePatterns: [
+      /payload\s+migrate/i,
+      /PAYLOAD_MIGRATING/,
+    ],
+  },
+  prisma: {
+    pushCommand: 'npx prisma db push',
+    envHint: 'npx prisma db push --accept-data-loss (if destructive changes are intended)',
+    interactiveWarning: 'Prisma db push may prompt for confirmation on destructive changes — use --accept-data-loss to bypass',
+    evidencePatterns: [
+      /prisma\s+db\s+push/i,
+      /prisma\s+migrate\s+deploy/i,
+      /prisma\s+migrate\s+dev/i,
+    ],
+  },
+  drizzle: {
+    pushCommand: 'npx drizzle-kit push',
+    envHint: 'npx drizzle-kit push',
+    interactiveWarning: null,
+    evidencePatterns: [
+      /drizzle-kit\s+push/i,
+      /drizzle-kit\s+migrate/i,
+    ],
+  },
+  supabase: {
+    pushCommand: 'supabase db push',
+    envHint: 'supabase db push',
+    interactiveWarning: 'Supabase db push may require authentication — ensure SUPABASE_ACCESS_TOKEN is set',
+    evidencePatterns: [
+      /supabase\s+db\s+push/i,
+      /supabase\s+migration\s+up/i,
+    ],
+  },
+  typeorm: {
+    pushCommand: 'npx typeorm migration:run',
+    envHint: 'npx typeorm migration:run -d src/data-source.ts',
+    interactiveWarning: null,
+    evidencePatterns: [
+      /typeorm\s+migration:run/i,
+      /typeorm\s+schema:sync/i,
+    ],
+  },
+};
+
+// ─── Public API ──────────────────────────────────────────────────────────────
+
+/**
+ * Detect schema-relevant files in a list of file paths.
+ *
+ * @param {string[]} files - List of file paths (relative to project root)
+ * @returns {{ detected: boolean, matches: string[], orms: string[] }}
+ */
+function detectSchemaFiles(files) {
+  const matches = [];
+  const orms = new Set();
+
+  for (const rawFile of files) {
+    // Normalize Windows backslash paths
+    const file = rawFile.replace(/\\/g, '/');
+
+    for (const { pattern, orm } of SCHEMA_PATTERNS) {
+      if (pattern.test(file)) {
+        matches.push(rawFile);
+        orms.add(orm);
+        break; // One match per file is enough
+      }
+    }
+  }
+
+  return {
+    detected: matches.length > 0,
+    matches,
+    orms: Array.from(orms),
+  };
+}
+
+/**
+ * Get ORM-specific push command info.
+ *
+ * @param {string} ormName - ORM identifier (payload, prisma, drizzle, supabase, typeorm)
+ * @returns {{ pushCommand: string, envHint: string, interactiveWarning: string|null, evidencePatterns: RegExp[] } | null}
+ */
+function detectSchemaOrm(ormName) {
+  return ORM_INFO[ormName] || null;
+}
+
+/**
+ * Check for schema drift: schema files changed but no push evidence found.
+ *
+ * @param {string[]} changedFiles - Files changed during the phase
+ * @param {string} executionLog - Combined text from SUMMARY.md, commit messages, and execution logs
+ * @param {{ skipCheck?: boolean }} [options] - Options
+ * @returns {{ driftDetected: boolean, blocking: boolean, schemaFiles: string[], orms: string[], unpushedOrms: string[], message: string, skipped?: boolean }}
+ */
+function checkSchemaDrift(changedFiles, executionLog, options = {}) {
+  const { skipCheck = false } = options;
+
+  const detection = detectSchemaFiles(changedFiles);
+
+  if (!detection.detected) {
+    return {
+      driftDetected: false,
+      blocking: false,
+      schemaFiles: [],
+      orms: [],
+      unpushedOrms: [],
+      message: '',
+    };
+  }
+
+  // Check which ORMs have push evidence in the execution log
+  const pushedOrms = new Set();
+  const unpushedOrms = [];
+
+  for (const orm of detection.orms) {
+    const info = ORM_INFO[orm];
+    if (!info) continue;
+
+    const hasPushEvidence = info.evidencePatterns.some(p => p.test(executionLog));
+    if (hasPushEvidence) {
+      pushedOrms.add(orm);
+    } else {
+      unpushedOrms.push(orm);
+    }
+  }
+
+  const driftDetected = unpushedOrms.length > 0;
+
+  if (!driftDetected) {
+    return {
+      driftDetected: false,
+      blocking: false,
+      schemaFiles: detection.matches,
+      orms: detection.orms,
+      unpushedOrms: [],
+      message: '',
+    };
+  }
+
+  // Build actionable message
+  const pushCommands = unpushedOrms
+    .map(orm => {
+      const info = ORM_INFO[orm];
+      return info ? `  ${orm}: ${info.envHint || info.pushCommand}` : null;
+    })
+    .filter(Boolean)
+    .join('\n');
+
+  const message = [
+    'Schema drift detected: schema-relevant files changed but no database push was executed.',
+    '',
+    `Schema files changed: ${detection.matches.join(', ')}`,
+    `ORMs requiring push: ${unpushedOrms.join(', ')}`,
+    '',
+    'Required push commands:',
+    pushCommands,
+    '',
+    'Run the appropriate push command, or set GSD_SKIP_SCHEMA_CHECK=true to bypass this gate.',
+  ].join('\n');
+
+  if (skipCheck) {
+    return {
+      driftDetected: true,
+      blocking: false,
+      skipped: true,
+      schemaFiles: detection.matches,
+      orms: detection.orms,
+      unpushedOrms,
+      message: 'Schema drift detected but check was skipped (GSD_SKIP_SCHEMA_CHECK=true).',
+    };
+  }
+
+  return {
+    driftDetected: true,
+    blocking: true,
+    schemaFiles: detection.matches,
+    orms: detection.orms,
+    unpushedOrms,
+    message,
+  };
+}
+
+module.exports = {
+  SCHEMA_PATTERNS,
+  ORM_INFO,
+  detectSchemaFiles,
+  detectSchemaOrm,
+  checkSchemaDrift,
+};

package/get-shit-done/bin/lib/security.cjs

@@ -181,9 +181,11 @@ function scanForInjection(text, opts = {}) {
       findings.push('Contains suspicious zero-width or invisible Unicode characters');
     }
 
-    // Check for extremely long strings that could be prompt stuffing
-    if (text.length > 50000) {
-      findings.push(`Suspicious text length: ${text.length} chars (potential prompt stuffing)`);
+    // Check for extremely long strings that could be prompt stuffing.
+    // Normalize CRLF → LF before measuring so Windows checkouts don't inflate the count.
+    const normalizedLength = text.replace(/\r\n/g, '\n').replace(/\r/g, '\n').length;
+    if (normalizedLength > 50000) {
+      findings.push(`Suspicious text length: ${normalizedLength} chars (potential prompt stuffing)`);
     }
   }