gsd-pi 2.28.0-dev.e19bf89 → 2.29.0-dev.23d50d0

package/dist/resources/extensions/gsd/types.ts

@@ -55,6 +55,7 @@ export interface VerificationCheck {
   stdout: string;
   stderr: string;
   durationMs: number;
+  blocking: boolean;     // true for preference/task-plan sources, false for package-json (advisory only)
 }
 
 /** A runtime error captured from bg-shell processes or browser console */
@@ -303,6 +304,8 @@ export interface PhaseSkipPreferences {
   skip_reassess?: boolean;
   skip_slice_research?: boolean;
   skip_milestone_validation?: boolean;
+  /** When true, reassess-roadmap fires after each slice completion. Opt-in. */
+  reassess_after_slice?: boolean;
   /** When true, auto-mode pauses before each slice for discussion (#789). */
   require_slice_discussion?: boolean;
 }

package/dist/resources/extensions/gsd/unit-runtime.ts

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { existsSync, readdirSync, readFileSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
 import {
   gsdRoot,
@@ -8,6 +8,7 @@ import {
   resolveTaskFile,
 } from "./paths.js";
 import { loadFile, parseTaskPlanMustHaves, countMustHavesMentionedInSummary } from "./files.js";
+import { loadJsonFileOrNull, saveJsonFile } from "./json-persistence.js";
 
 export type UnitRuntimePhase =
   | "dispatched"
@@ -46,13 +47,23 @@ export interface AutoUnitRuntimeRecord {
   lastRecoveryReason?: "idle" | "hard";
 }
 
+function isAutoUnitRuntimeRecord(data: unknown): data is AutoUnitRuntimeRecord {
+  return (
+    typeof data === "object" &&
+    data !== null &&
+    (data as AutoUnitRuntimeRecord).version === 1 &&
+    typeof (data as AutoUnitRuntimeRecord).unitType === "string" &&
+    typeof (data as AutoUnitRuntimeRecord).unitId === "string"
+  );
+}
+
 function runtimeDir(basePath: string): string {
   return join(gsdRoot(basePath), "runtime", "units");
 }
 
 function runtimePath(basePath: string, unitType: string, unitId: string): string {
-  const sanitizedUnitType = unitType.replace(/[\/]/g, "-");
-  const sanitizedUnitId = unitId.replace(/[\/]/g, "-");
+  const sanitizedUnitType = unitType.replace(/[^a-zA-Z0-9._-]+/g, "-");
+  const sanitizedUnitId = unitId.replace(/[^a-zA-Z0-9._-]+/g, "-");
   return join(runtimeDir(basePath), `${sanitizedUnitType}-${sanitizedUnitId}.json`);
 }
 
@@ -63,8 +74,6 @@ export function writeUnitRuntimeRecord(
   startedAt: number,
   updates: Partial<AutoUnitRuntimeRecord> = {},
 ): AutoUnitRuntimeRecord {
-  const dir = runtimeDir(basePath);
-  mkdirSync(dir, { recursive: true });
   const path = runtimePath(basePath, unitType, unitId);
   const prev = readUnitRuntimeRecord(basePath, unitType, unitId);
   const next: AutoUnitRuntimeRecord = {
@@ -84,18 +93,12 @@ export function writeUnitRuntimeRecord(
     recoveryAttempts: updates.recoveryAttempts ?? prev?.recoveryAttempts ?? 0,
     lastRecoveryReason: updates.lastRecoveryReason ?? prev?.lastRecoveryReason,
   };
-  writeFileSync(path, JSON.stringify(next, null, 2) + "\n", "utf-8");
+  saveJsonFile(path, next);
   return next;
 }
 
 export function readUnitRuntimeRecord(basePath: string, unitType: string, unitId: string): AutoUnitRuntimeRecord | null {
-  const path = runtimePath(basePath, unitType, unitId);
-  if (!existsSync(path)) return null;
-  try {
-    return JSON.parse(readFileSync(path, "utf-8")) as AutoUnitRuntimeRecord;
-  } catch {
-    return null;
-  }
+  return loadJsonFileOrNull(runtimePath(basePath, unitType, unitId), isAutoUnitRuntimeRecord);
 }
 
 export function clearUnitRuntimeRecord(basePath: string, unitType: string, unitId: string): void {

package/dist/resources/extensions/gsd/verification-evidence.ts

@@ -20,6 +20,7 @@ export interface EvidenceCheckJSON {
   exitCode: number;
   durationMs: number;
   verdict: "pass" | "fail";
+  blocking: boolean;
 }
 
 export interface RuntimeErrorJSON {
@@ -80,6 +81,7 @@ export function writeVerificationJSON(
       exitCode: check.exitCode,
       durationMs: check.durationMs,
       verdict: check.exitCode === 0 ? "pass" : "fail",
+      blocking: check.blocking,
     })),
     ...(retryAttempt !== undefined ? { retryAttempt } : {}),
     ...(maxRetries !== undefined ? { maxRetries } : {}),

package/dist/resources/extensions/gsd/verification-gate.ts

@@ -112,7 +112,9 @@ const MAX_FAILURE_CONTEXT_CHARS = 10_000;
  * Returns an empty string when all checks pass or the checks array is empty.
  */
 export function formatFailureContext(result: VerificationResult): string {
-  const failures = result.checks.filter((c) => c.exitCode !== 0);
+  // Only include blocking failures in retry context — non-blocking (advisory) failures
+  // should not be injected into retry prompts to avoid noise pollution.
+  const failures = result.checks.filter((c) => c.exitCode !== 0 && c.blocking);
   if (failures.length === 0) return "";
 
   const blocks: string[] = [];
@@ -256,6 +258,10 @@ export function runVerificationGate(options: RunVerificationGateOptions): Verifi
     };
   }
 
+  // Commands from preference and task-plan sources are blocking;
+  // package-json discovered commands are advisory (non-blocking).
+  const blocking = source === "preference" || source === "task-plan";
+
   const checks: VerificationCheck[] = [];
 
   for (const command of commands) {
@@ -291,11 +297,16 @@ export function runVerificationGate(options: RunVerificationGateOptions): Verifi
       stdout: truncate(result.stdout, MAX_OUTPUT_BYTES),
       stderr,
       durationMs,
+      blocking,
     });
   }
 
+  // Gate passes if all blocking checks pass (non-blocking failures are advisory)
+  const blockingChecks = checks.filter(c => c.blocking);
+  const passed = blockingChecks.length === 0 || blockingChecks.every(c => c.exitCode === 0);
+
   return {
-    passed: checks.every(c => c.exitCode === 0),
+    passed,
     checks,
     discoverySource: source,
     timestamp,

package/dist/resources/extensions/gsd/workflow-templates/bugfix.md

@@ -0,0 +1,87 @@
+# Bugfix Workflow
+
+<template_meta>
+name: bugfix
+version: 1
+requires_project: false
+artifact_dir: .gsd/workflows/bugfixes/
+</template_meta>
+
+<purpose>
+Fix a bug from identification through to PR submission. Designed for issues reported
+via GitHub, user reports, or developer discovery. Emphasizes root cause analysis
+before jumping to fixes.
+</purpose>
+
+<phases>
+1. triage    — Identify root cause, reproduce the bug
+2. fix       — Implement the fix with tests
+3. verify    — Run full test suite, check for regressions
+4. ship      — Create PR with detailed explanation
+</phases>
+
+<process>
+
+## Phase 1: Triage
+
+**Goal:** Understand the bug before touching any code.
+
+1. **Gather context:**
+   - If a GitHub issue was referenced, read the issue description, labels, and comments
+   - Identify the expected behavior vs actual behavior
+   - Note any error messages, stack traces, or reproduction steps provided
+
+2. **Reproduce:**
+   - Find the minimal reproduction path
+   - Identify the affected code paths (files, functions, lines)
+   - If the bug is intermittent, note the conditions that trigger it
+
+3. **Root cause analysis:**
+   - Trace the bug to its root cause (not just the symptom)
+   - Identify when the bug was introduced if possible (git blame/log)
+   - Assess blast radius: what else could be affected?
+
+4. **Produce:** Write a brief `TRIAGE.md` in the artifact directory with:
+   - Root cause explanation
+   - Reproduction steps
+   - Affected files/functions
+   - Proposed fix approach
+
+5. **Gate:** Present the triage findings and proposed fix to the user for confirmation.
+
+## Phase 2: Fix
+
+**Goal:** Implement a clean, tested fix.
+
+1. **Plan the fix:** Write a brief plan (1-3 tasks max)
+2. **Write the fix:** Implement the code change
+3. **Write tests:** Add or update tests that:
+   - Reproduce the original bug (test fails without fix)
+   - Verify the fix works
+   - Cover edge cases
+4. **Commit:** Atomic commit with message: `fix(<scope>): <description>`
+
+## Phase 3: Verify
+
+**Goal:** Ensure the fix doesn't break anything else.
+
+1. Run the project's full test suite
+2. Run the build (if applicable)
+3. Run the linter (if applicable)
+4. Check for regressions in related functionality
+5. If any failures, fix them before proceeding
+
+## Phase 4: Ship
+
+**Goal:** Create a well-documented PR.
+
+1. Ensure all changes are committed on the workflow branch
+2. Build the PR body:
+   - Link to the original issue (if applicable)
+   - Explain the root cause
+   - Describe the fix approach
+   - List the test coverage added
+3. Present the PR details to the user for review
+4. Create the PR via `gh pr create` (with user approval)
+
+</process>

package/dist/resources/extensions/gsd/workflow-templates/dep-upgrade.md

@@ -0,0 +1,74 @@
+# Dependency Upgrade Workflow
+
+<template_meta>
+name: dep-upgrade
+version: 1
+requires_project: false
+artifact_dir: .gsd/workflows/upgrades/
+</template_meta>
+
+<purpose>
+Upgrade project dependencies safely. Assess breaking changes before upgrading,
+fix issues incrementally, and verify everything works. Handles both single-package
+upgrades and bulk dependency refresh.
+</purpose>
+
+<phases>
+1. assess  — Analyze what's outdated and what will break
+2. upgrade — Apply upgrades incrementally
+3. fix     — Resolve breaking changes
+4. verify  — Full test suite and build validation
+</phases>
+
+<process>
+
+## Phase 1: Assess
+
+**Goal:** Know what you're getting into before changing versions.
+
+1. **List outdated dependencies:** Run `npm outdated` / equivalent
+2. **For each target upgrade:**
+   - Read the changelog / release notes
+   - Identify breaking changes
+   - Check for known migration guides
+   - Assess impact on the codebase (grep for affected APIs)
+3. **Prioritize:** Which upgrades to do now, which to defer
+4. **Produce:** Write `ASSESSMENT.md` with:
+   - Dependency list with current → target versions
+   - Breaking changes per dependency
+   - Upgrade order (dependencies before dependents)
+   - Risk assessment
+
+5. **Gate:** Review assessment with user. Confirm upgrade scope.
+
+## Phase 2: Upgrade
+
+**Goal:** Apply version bumps incrementally.
+
+1. Upgrade one dependency (or one group of related dependencies) at a time
+2. Run tests after each upgrade
+3. Commit each upgrade: `chore(deps): upgrade <package> to <version>`
+4. If tests fail, move to Phase 3 for that dependency before continuing
+
+## Phase 3: Fix
+
+**Goal:** Resolve any breaking changes from upgrades.
+
+1. Fix API changes, type errors, deprecations
+2. Update configuration if needed
+3. Commit fixes separately from the upgrade: `fix(deps): adapt to <package> v<version> changes`
+
+## Phase 4: Verify
+
+**Goal:** Ensure everything works together.
+
+1. Run the full test suite
+2. Run the build
+3. Run the linter
+4. Check for deprecation warnings in output
+5. **Produce:** Write `SUMMARY.md` with:
+   - Dependencies upgraded (from → to)
+   - Breaking changes encountered and how they were resolved
+   - Any deferred upgrades and why
+
+</process>

package/dist/resources/extensions/gsd/workflow-templates/full-project.md

@@ -0,0 +1,41 @@
+# Full Project Workflow
+
+<template_meta>
+name: full-project
+version: 1
+requires_project: true
+artifact_dir: .gsd/
+</template_meta>
+
+<purpose>
+The complete GSD workflow with full ceremony: roadmap, milestones, slices, tasks,
+research, planning, execution, and verification. Use for greenfield projects or
+major features that need the full planning apparatus.
+
+This template wraps the existing GSD workflow for registry completeness.
+When selected, it routes to the standard /gsd init → /gsd auto pipeline.
+</purpose>
+
+<phases>
+1. init    — Initialize project, detect stack, create .gsd/
+2. discuss — Define requirements, decisions, and architecture
+3. plan    — Create roadmap with milestones and slices
+4. execute — Execute slices: research → plan → implement → verify per slice
+5. verify  — Milestone-level verification and completion
+</phases>
+
+<process>
+
+## Routing to Standard GSD
+
+This template is a convenience entry point. When selected via `/gsd start full-project`,
+it should route to the standard GSD workflow:
+
+1. If `.gsd/` doesn't exist: Run `/gsd init` to bootstrap the project
+2. If `.gsd/` exists but no milestones: Start the discuss phase via `/gsd discuss`
+3. If milestones exist: Resume via `/gsd auto` or `/gsd next`
+
+The full GSD workflow protocol is defined in `GSD-WORKFLOW.md` and handles all
+phases, state tracking, and agent orchestration.
+
+</process>

package/dist/resources/extensions/gsd/workflow-templates/hotfix.md

@@ -0,0 +1,45 @@
+# Hotfix Workflow
+
+<template_meta>
+name: hotfix
+version: 1
+requires_project: false
+artifact_dir: null
+</template_meta>
+
+<purpose>
+Minimal ceremony for urgent fixes. Fix it, test it, ship it. No planning artifacts,
+no research phase, no lengthy documentation. For when production is broken and
+speed matters.
+</purpose>
+
+<phases>
+1. fix  — Identify and fix the issue
+2. ship — Test, commit, and create PR
+</phases>
+
+<process>
+
+## Phase 1: Fix
+
+**Goal:** Find and fix the issue as fast as possible.
+
+1. Identify the broken behavior
+2. Locate the root cause
+3. Implement the minimal fix
+4. Add a regression test if possible (don't block on this if the fix is urgent)
+5. Commit: `fix(<scope>): <description>`
+
+## Phase 2: Ship
+
+**Goal:** Get the fix deployed.
+
+1. Run tests — fix any failures
+2. Run the build
+3. Push and create PR with:
+   - What broke
+   - What the fix does
+   - How to verify
+4. Present PR to user for approval
+
+</process>

package/dist/resources/extensions/gsd/workflow-templates/refactor.md

@@ -0,0 +1,83 @@
+# Refactor / Migration Workflow
+
+<template_meta>
+name: refactor
+version: 1
+requires_project: false
+artifact_dir: .gsd/workflows/refactors/
+</template_meta>
+
+<purpose>
+Systematic code transformation with inventory-driven planning. Designed for
+renames, restructures, pattern migrations, and API modernization. Executes in
+waves to minimize risk and enable incremental verification.
+</purpose>
+
+<phases>
+1. inventory — Catalog everything that needs to change
+2. plan      — Group changes into safe waves
+3. migrate   — Execute waves with verification between each
+4. verify    — Full regression testing and cleanup
+</phases>
+
+<process>
+
+## Phase 1: Inventory
+
+**Goal:** Know the full scope before changing anything.
+
+1. **Scan the codebase:** Find all instances of what needs to change
+   - Files, functions, types, imports, tests, docs, config
+   - Use grep/glob to be exhaustive — don't rely on memory
+2. **Categorize:** Group by type (source, test, config, docs)
+3. **Identify dependencies:** What order must changes happen in?
+4. **Produce:** Write `INVENTORY.md` with:
+   - Complete list of files/locations that need changes
+   - Dependency relationships
+   - Estimated scope (number of files, lines affected)
+
+5. **Gate:** Review inventory with user. Confirm nothing is missing.
+
+## Phase 2: Plan
+
+**Goal:** Break the migration into safe, independently-verifiable waves.
+
+1. **Define waves:** Group related changes so each wave:
+   - Leaves the codebase in a working state
+   - Can be committed and tested independently
+   - Handles dependencies (change the definition before the consumers)
+2. **Typical wave structure:**
+   - Wave 1: Types/interfaces
+   - Wave 2: Core implementation
+   - Wave 3: Consumers/callers
+   - Wave 4: Tests
+   - Wave 5: Documentation and config
+3. **Produce:** Write `PLAN.md` with waves and per-wave file lists
+
+4. **Gate:** Confirm plan with user.
+
+## Phase 3: Migrate
+
+**Goal:** Execute waves one at a time with verification between each.
+
+1. For each wave:
+   - Make the changes
+   - Run tests (at minimum, the build must pass)
+   - Commit: `refactor(<scope>): wave N — <description>`
+2. If a wave introduces failures, fix them before moving to the next wave
+3. If unexpected scope is discovered, update the inventory and plan
+
+## Phase 4: Verify
+
+**Goal:** Ensure the full refactor is complete and clean.
+
+1. Run the complete test suite
+2. Run the build
+3. Run the linter — fix any new warnings
+4. Search for any remnants of the old pattern (grep for old names/patterns)
+5. **Produce:** Write `SUMMARY.md` with:
+   - What was changed and why
+   - Files modified (count and list)
+   - Any remaining follow-up items
+
+</process>

package/dist/resources/extensions/gsd/workflow-templates/registry.json

@@ -0,0 +1,85 @@
+{
+  "version": 1,
+  "templates": {
+    "full-project": {
+      "name": "Full Project",
+      "description": "Complete GSD workflow with roadmap, milestones, slices, and full ceremony",
+      "file": "full-project.md",
+      "phases": ["init", "discuss", "plan", "execute", "verify"],
+      "triggers": ["new project", "greenfield", "from scratch", "build an app", "create a new"],
+      "artifact_dir": ".gsd/",
+      "estimated_complexity": "high",
+      "requires_project": true
+    },
+    "bugfix": {
+      "name": "Bug Fix",
+      "description": "Triage, reproduce, fix, test, and ship a bug fix",
+      "file": "bugfix.md",
+      "phases": ["triage", "fix", "verify", "ship"],
+      "triggers": ["bug", "issue", "fix", "broken", "regression", "error", "crash", "failing", "github.com/*/issues/*"],
+      "artifact_dir": ".gsd/workflows/bugfixes/",
+      "estimated_complexity": "low",
+      "requires_project": false
+    },
+    "small-feature": {
+      "name": "Small Feature",
+      "description": "Lightweight feature development with optional discussion and research",
+      "file": "small-feature.md",
+      "phases": ["scope", "plan", "implement", "verify"],
+      "triggers": ["add", "feature", "implement", "build", "create", "new command", "new endpoint"],
+      "artifact_dir": ".gsd/workflows/features/",
+      "estimated_complexity": "medium",
+      "requires_project": false
+    },
+    "refactor": {
+      "name": "Refactor / Migration",
+      "description": "Systematic code transformation with inventory and wave-based execution",
+      "file": "refactor.md",
+      "phases": ["inventory", "plan", "migrate", "verify"],
+      "triggers": ["refactor", "migrate", "rename", "restructure", "move", "reorganize", "clean up"],
+      "artifact_dir": ".gsd/workflows/refactors/",
+      "estimated_complexity": "medium",
+      "requires_project": false
+    },
+    "spike": {
+      "name": "Research Spike",
+      "description": "Investigate a question, prototype, and document findings",
+      "file": "spike.md",
+      "phases": ["scope", "research", "synthesize"],
+      "triggers": ["research", "investigate", "explore", "spike", "compare", "evaluate", "should we", "what if", "how does"],
+      "artifact_dir": ".gsd/workflows/spikes/",
+      "estimated_complexity": "low",
+      "requires_project": false
+    },
+    "hotfix": {
+      "name": "Hotfix",
+      "description": "Minimal ceremony: fix the thing, test it, ship it",
+      "file": "hotfix.md",
+      "phases": ["fix", "ship"],
+      "triggers": ["hotfix", "urgent", "critical", "asap", "production down", "p0"],
+      "artifact_dir": null,
+      "estimated_complexity": "minimal",
+      "requires_project": false
+    },
+    "security-audit": {
+      "name": "Security Audit",
+      "description": "Scan for vulnerabilities, triage findings, remediate, and verify",
+      "file": "security-audit.md",
+      "phases": ["scan", "triage", "remediate", "re-scan"],
+      "triggers": ["security", "audit", "vulnerability", "owasp", "cve", "penetration", "hardening"],
+      "artifact_dir": ".gsd/workflows/audits/",
+      "estimated_complexity": "medium",
+      "requires_project": false
+    },
+    "dep-upgrade": {
+      "name": "Dependency Upgrade",
+      "description": "Assess impact, upgrade dependencies, fix breaking changes",
+      "file": "dep-upgrade.md",
+      "phases": ["assess", "upgrade", "fix", "verify"],
+      "triggers": ["upgrade", "update", "dependency", "deps", "bump", "outdated", "npm update", "renovate"],
+      "artifact_dir": ".gsd/workflows/upgrades/",
+      "estimated_complexity": "medium",
+      "requires_project": false
+    }
+  }
+}

package/dist/resources/extensions/gsd/workflow-templates/security-audit.md

@@ -0,0 +1,73 @@
+# Security Audit Workflow
+
+<template_meta>
+name: security-audit
+version: 1
+requires_project: false
+artifact_dir: .gsd/workflows/audits/
+</template_meta>
+
+<purpose>
+Systematic security review of the codebase. Scan for vulnerabilities, triage
+findings by severity, remediate issues, and verify fixes. Covers OWASP Top 10,
+dependency vulnerabilities, and project-specific security concerns.
+</purpose>
+
+<phases>
+1. scan       — Identify potential vulnerabilities
+2. triage     — Prioritize findings by severity and exploitability
+3. remediate  — Fix critical and high-severity issues
+4. re-scan    — Verify fixes and document remaining items
+</phases>
+
+<process>
+
+## Phase 1: Scan
+
+**Goal:** Identify potential security issues across the codebase.
+
+1. **Dependency audit:** Run `npm audit` / `pip audit` / equivalent
+2. **Code review for common vulnerabilities:**
+   - Injection (SQL, command, XSS)
+   - Authentication/authorization flaws
+   - Sensitive data exposure (hardcoded secrets, logs)
+   - Insecure configuration
+   - Missing input validation at boundaries
+3. **Check security headers and CORS** (if web application)
+4. **Review secrets management:** .env files, config, environment variables
+5. **Produce:** Write `SCAN-RESULTS.md` with all findings
+
+## Phase 2: Triage
+
+**Goal:** Prioritize what to fix now vs later.
+
+1. **Rate each finding:**
+   - Critical: exploitable, high impact, fix immediately
+   - High: likely exploitable, fix in this workflow
+   - Medium: lower risk, fix if time allows
+   - Low: informational, document for later
+2. **Assess exploitability:** Is this theoretical or practically exploitable?
+3. **Produce:** Update `SCAN-RESULTS.md` with severity ratings and triage decisions
+
+4. **Gate:** Review triage with user. Agree on what to remediate now.
+
+## Phase 3: Remediate
+
+**Goal:** Fix critical and high-severity issues.
+
+1. Fix each issue with proper testing
+2. Commit each fix individually: `fix(security): <description>`
+3. Don't introduce new functionality — security fixes only
+
+## Phase 4: Re-scan
+
+**Goal:** Verify fixes and document the final state.
+
+1. Re-run the scans from Phase 1
+2. Verify all targeted issues are resolved
+3. **Produce:** Write `AUDIT-REPORT.md` with:
+   - Summary of findings and fixes
+   - Remaining medium/low items for future attention
+   - Recommendations for ongoing security practices
+
+</process>