npm - gsd-pi - Versions diffs - 2.51.0 → 2.52.0-dev.655ad8a - Mend

gsd-pi 2.51.0 → 2.52.0-dev.655ad8a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (419) hide show

package/src/resources/extensions/gsd/tools/plan-task.ts CHANGED Viewed

@@ -1,4 +1,6 @@
 import { clearParseCache } from "../files.js";
+import { isClosedStatus } from "../status-guards.js";
+import { isNonEmptyString, validateStringArray } from "../validation.js";
 import { transaction, getSlice, getTask, insertTask, upsertTaskPlanning } from "../gsd-db.js";
 import { invalidateStateCache } from "../state.js";
 import { renderTaskPlanFromDb } from "../markdown-renderer.js";
@@ -32,20 +34,6 @@ export interface PlanTaskResult {
   taskPlanPath: string;
 }
-function isNonEmptyString(value: unknown): value is string {
-  return typeof value === "string" && value.trim().length > 0;
-}
-function validateStringArray(value: unknown, field: string): string[] {
-  if (!Array.isArray(value)) {
-    throw new Error(`${field} must be an array`);
-  }
-  if (value.some((item) => !isNonEmptyString(item))) {
-    throw new Error(`${field} must contain only non-empty strings`);
-  }
-  return value;
-}
 function validateParams(params: PlanTaskParams): PlanTaskParams {
   if (!isNonEmptyString(params?.milestoneId)) throw new Error("milestoneId is required");
   if (!isNonEmptyString(params?.sliceId)) throw new Error("sliceId is required");
@@ -77,21 +65,29 @@ export async function handlePlanTask(
     return { error: `validation failed: ${(err as Error).message}` };
   }
-  const parentSlice = getSlice(params.milestoneId, params.sliceId);
-  if (!parentSlice) {
-    return { error: `missing parent slice: ${params.milestoneId}/${params.sliceId}` };
-  }
-  if (parentSlice.status === "complete" || parentSlice.status === "done") {
-    return { error: `cannot plan task in a closed slice: ${params.sliceId} (status: ${parentSlice.status})` };
-  }
-  const existingTask = getTask(params.milestoneId, params.sliceId, params.taskId);
-  if (existingTask && (existingTask.status === "complete" || existingTask.status === "done")) {
-    return { error: `cannot re-plan task ${params.taskId}: it is already complete — use gsd_task_reopen first` };
-  }
+  // ── Guards + DB writes inside a single transaction (prevents TOCTOU) ───
+  // Guards must be inside the transaction so the state they check cannot
+  // change between the read and the write (#2723).
+  let guardError: string | null = null;
   try {
     transaction(() => {
+      const parentSlice = getSlice(params.milestoneId, params.sliceId);
+      if (!parentSlice) {
+        guardError = `missing parent slice: ${params.milestoneId}/${params.sliceId}`;
+        return;
+      }
+      if (isClosedStatus(parentSlice.status)) {
+        guardError = `cannot plan task in a closed slice: ${params.sliceId} (status: ${parentSlice.status})`;
+        return;
+      }
+      const existingTask = getTask(params.milestoneId, params.sliceId, params.taskId);
+      if (existingTask && isClosedStatus(existingTask.status)) {
+        guardError = `cannot re-plan task ${params.taskId}: it is already complete — use gsd_task_reopen first`;
+        return;
+      }
       if (!existingTask) {
         insertTask({
           id: params.taskId,
@@ -117,6 +113,10 @@ export async function handlePlanTask(
     return { error: `db write failed: ${(err as Error).message}` };
   }
+  if (guardError) {
+    return { error: guardError };
+  }
   try {
     const renderResult = await renderTaskPlanFromDb(basePath, params.milestoneId, params.sliceId, params.taskId);
     invalidateStateCache();

package/src/resources/extensions/gsd/tools/reassess-roadmap.ts CHANGED Viewed

@@ -1,4 +1,7 @@
+import { join } from "node:path";
 import { clearParseCache } from "../files.js";
+import { isClosedStatus } from "../status-guards.js";
+import { isNonEmptyString } from "../validation.js";
 import {
   transaction,
   getMilestone,
@@ -14,7 +17,6 @@ import { renderRoadmapFromDb, renderAssessmentFromDb } from "../markdown-rendere
 import { renderAllProjections } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
-import { join } from "node:path";
 export interface SliceChangeInput {
   sliceId: string;
@@ -47,9 +49,6 @@ export interface ReassessRoadmapResult {
   roadmapPath: string;
 }
-function isNonEmptyString(value: unknown): value is string {
-  return typeof value === "string" && value.trim().length > 0;
-}
 function validateParams(params: ReassessRoadmapParams): ReassessRoadmapParams {
   if (!isNonEmptyString(params?.milestoneId)) throw new Error("milestoneId is required");
@@ -104,47 +103,6 @@ export async function handleReassessRoadmap(
     return { error: `validation failed: ${(err as Error).message}` };
   }
-  // ── Verify milestone exists and is active ────────────────────────
-  const milestone = getMilestone(params.milestoneId);
-  if (!milestone) {
-    return { error: `milestone not found: ${params.milestoneId}` };
-  }
-  if (milestone.status === "complete" || milestone.status === "done") {
-    return { error: `cannot reassess a closed milestone: ${params.milestoneId} (status: ${milestone.status})` };
-  }
-  // ── Verify completedSliceId is actually complete ──────────────────
-  const completedSlice = getSlice(params.milestoneId, params.completedSliceId);
-  if (!completedSlice) {
-    return { error: `completedSliceId not found: ${params.milestoneId}/${params.completedSliceId}` };
-  }
-  if (completedSlice.status !== "complete" && completedSlice.status !== "done") {
-    return { error: `completedSliceId ${params.completedSliceId} is not complete (status: ${completedSlice.status}) — reassess can only be called after a slice finishes` };
-  }
-  // ── Structural enforcement ────────────────────────────────────────
-  const existingSlices = getMilestoneSlices(params.milestoneId);
-  const completedSliceIds = new Set<string>();
-  for (const slice of existingSlices) {
-    if (slice.status === "complete" || slice.status === "done") {
-      completedSliceIds.add(slice.id);
-    }
-  }
-  // Reject modifications to completed slices
-  for (const modifiedSlice of params.sliceChanges.modified) {
-    if (completedSliceIds.has(modifiedSlice.sliceId)) {
-      return { error: `cannot modify completed slice ${modifiedSlice.sliceId}` };
-    }
-  }
-  // Reject removal of completed slices
-  for (const removedId of params.sliceChanges.removed) {
-    if (completedSliceIds.has(removedId)) {
-      return { error: `cannot remove completed slice ${removedId}` };
-    }
-  }
   // ── Compute assessment artifact path ──────────────────────────────
   // Assessment lives in the completed slice's directory
   const assessmentRelPath = join(
@@ -153,9 +111,58 @@ export async function handleReassessRoadmap(
     `${params.completedSliceId}-ASSESSMENT.md`,
   );
-  // ── Transaction: DB mutations ─────────────────────────────────────
+  // ── Guards + DB writes inside a single transaction (prevents TOCTOU) ───
+  // Guards must be inside the transaction so the state they check cannot
+  // change between the read and the write (#2723).
+  let guardError: string | null = null;
   try {
     transaction(() => {
+      // Verify milestone exists and is active
+      const milestone = getMilestone(params.milestoneId);
+      if (!milestone) {
+        guardError = `milestone not found: ${params.milestoneId}`;
+        return;
+      }
+      if (isClosedStatus(milestone.status)) {
+        guardError = `cannot reassess a closed milestone: ${params.milestoneId} (status: ${milestone.status})`;
+        return;
+      }
+      // Verify completedSliceId is actually complete
+      const completedSlice = getSlice(params.milestoneId, params.completedSliceId);
+      if (!completedSlice) {
+        guardError = `completedSliceId not found: ${params.milestoneId}/${params.completedSliceId}`;
+        return;
+      }
+      if (!isClosedStatus(completedSlice.status)) {
+        guardError = `completedSliceId ${params.completedSliceId} is not complete (status: ${completedSlice.status}) — reassess can only be called after a slice finishes`;
+        return;
+      }
+      // Structural enforcement — reject modifications/removal of completed slices
+      const existingSlices = getMilestoneSlices(params.milestoneId);
+      const completedSliceIds = new Set<string>();
+      for (const slice of existingSlices) {
+        if (isClosedStatus(slice.status)) {
+          completedSliceIds.add(slice.id);
+        }
+      }
+      for (const modifiedSlice of params.sliceChanges.modified) {
+        if (completedSliceIds.has(modifiedSlice.sliceId)) {
+          guardError = `cannot modify completed slice ${modifiedSlice.sliceId}`;
+          return;
+        }
+      }
+      for (const removedId of params.sliceChanges.removed) {
+        if (completedSliceIds.has(removedId)) {
+          guardError = `cannot remove completed slice ${removedId}`;
+          return;
+        }
+      }
       // Record assessment
       insertAssessment({
         path: assessmentRelPath,
@@ -198,6 +205,10 @@ export async function handleReassessRoadmap(
     return { error: `db write failed: ${(err as Error).message}` };
   }
+  if (guardError) {
+    return { error: guardError };
+  }
   // ── Render artifacts ──────────────────────────────────────────────
   try {
     const roadmapResult = await renderRoadmapFromDb(basePath, params.milestoneId);

package/src/resources/extensions/gsd/tools/reopen-slice.ts CHANGED Viewed

@@ -20,6 +20,7 @@ import {
   transaction,
 } from "../gsd-db.js";
 import { invalidateStateCache } from "../state.js";
+import { isClosedStatus } from "../status-guards.js";
 import { renderAllProjections } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
@@ -62,8 +63,8 @@ export async function handleReopenSlice(
       guardError = `milestone not found: ${params.milestoneId}`;
       return;
     }
-    if (milestone.status === "complete" || milestone.status === "done") {
-      guardError = `cannot reopen slice inside a closed milestone: ${params.milestoneId} (status: ${milestone.status})`;
+    if (isClosedStatus(milestone.status)) {
+      guardError = `cannot reopen slice in a closed milestone: ${params.milestoneId} (status: ${milestone.status})`;
       return;
     }
@@ -72,7 +73,7 @@ export async function handleReopenSlice(
       guardError = `slice not found: ${params.milestoneId}/${params.sliceId}`;
       return;
     }
-    if (slice.status !== "complete" && slice.status !== "done") {
+    if (!isClosedStatus(slice.status)) {
       guardError = `slice ${params.sliceId} is not complete (status: ${slice.status}) — nothing to reopen`;
       return;
     }

package/src/resources/extensions/gsd/tools/reopen-task.ts CHANGED Viewed

@@ -18,6 +18,7 @@ import {
   transaction,
 } from "../gsd-db.js";
 import { invalidateStateCache } from "../state.js";
+import { isClosedStatus } from "../status-guards.js";
 import { renderAllProjections } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
@@ -63,7 +64,7 @@ export async function handleReopenTask(
       guardError = `milestone not found: ${params.milestoneId}`;
       return;
     }
-    if (milestone.status === "complete" || milestone.status === "done") {
+    if (isClosedStatus(milestone.status)) {
       guardError = `cannot reopen task in a closed milestone: ${params.milestoneId} (status: ${milestone.status})`;
       return;
     }
@@ -73,8 +74,8 @@ export async function handleReopenTask(
       guardError = `slice not found: ${params.milestoneId}/${params.sliceId}`;
       return;
     }
-    if (slice.status === "complete" || slice.status === "done") {
-      guardError = `cannot reopen task inside a closed slice: ${params.sliceId} (status: ${slice.status}) — use gsd_slice_reopen first`;
+    if (isClosedStatus(slice.status)) {
+      guardError = `cannot reopen task in a closed slice: ${params.sliceId} (status: ${slice.status}) — use gsd_slice_reopen first`;
       return;
     }
@@ -83,7 +84,7 @@ export async function handleReopenTask(
       guardError = `task not found: ${params.milestoneId}/${params.sliceId}/${params.taskId}`;
       return;
     }
-    if (task.status !== "complete" && task.status !== "done") {
+    if (!isClosedStatus(task.status)) {
       guardError = `task ${params.taskId} is not complete (status: ${task.status}) — nothing to reopen`;
       return;
     }

package/src/resources/extensions/gsd/tools/replan-slice.ts CHANGED Viewed

@@ -10,6 +10,8 @@ import {
   deleteTask,
 } from "../gsd-db.js";
 import { invalidateStateCache } from "../state.js";
+import { isClosedStatus } from "../status-guards.js";
+import { isNonEmptyString } from "../validation.js";
 import { renderPlanFromDb, renderReplanFromDb } from "../markdown-renderer.js";
 import { renderAllProjections } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
@@ -48,10 +50,6 @@ export interface ReplanSliceResult {
   planPath: string;
 }
-function isNonEmptyString(value: unknown): value is string {
-  return typeof value === "string" && value.trim().length > 0;
-}
 function validateParams(params: ReplanSliceParams): ReplanSliceParams {
   if (!isNonEmptyString(params?.milestoneId)) throw new Error("milestoneId is required");
   if (!isNonEmptyString(params?.sliceId)) throw new Error("sliceId is required");
@@ -90,52 +88,61 @@ export async function handleReplanSlice(
     return { error: `validation failed: ${(err as Error).message}` };
   }
-  // ── Verify parent slice exists and is not closed ─────────────────
-  const parentSlice = getSlice(params.milestoneId, params.sliceId);
-  if (!parentSlice) {
-    return { error: `missing parent slice: ${params.milestoneId}/${params.sliceId}` };
-  }
-  if (parentSlice.status === "complete" || parentSlice.status === "done") {
-    return { error: `cannot replan a closed slice: ${params.sliceId} (status: ${parentSlice.status})` };
-  }
+  // ── Guards + DB writes inside a single transaction (prevents TOCTOU) ───
+  // Guards must be inside the transaction so the state they check cannot
+  // change between the read and the write (#2723).
+  let guardError: string | null = null;
+  let existingTaskIds: Set<string> = new Set();
-  // ── Verify blocker task exists and is complete ────────────────────
-  const blockerTask = getTask(params.milestoneId, params.sliceId, params.blockerTaskId);
-  if (!blockerTask) {
-    return { error: `blockerTaskId not found: ${params.milestoneId}/${params.sliceId}/${params.blockerTaskId}` };
-  }
-  if (blockerTask.status !== "complete" && blockerTask.status !== "done") {
-    return { error: `blockerTaskId ${params.blockerTaskId} is not complete (status: ${blockerTask.status}) — the blocker task must be finished before a replan is triggered` };
-  }
+  try {
+    transaction(() => {
+      // Verify parent slice exists and is not closed
+      const parentSlice = getSlice(params.milestoneId, params.sliceId);
+      if (!parentSlice) {
+        guardError = `missing parent slice: ${params.milestoneId}/${params.sliceId}`;
+        return;
+      }
+      if (isClosedStatus(parentSlice.status)) {
+        guardError = `cannot replan a closed slice: ${params.sliceId} (status: ${parentSlice.status})`;
+        return;
+      }
-  // ── Structural enforcement ────────────────────────────────────────
-  const existingTasks = getSliceTasks(params.milestoneId, params.sliceId);
-  const completedTaskIds = new Set<string>();
-  for (const task of existingTasks) {
-    if (task.status === "complete" || task.status === "done") {
-      completedTaskIds.add(task.id);
-    }
-  }
+      // Verify blocker task exists and is complete
+      const blockerTask = getTask(params.milestoneId, params.sliceId, params.blockerTaskId);
+      if (!blockerTask) {
+        guardError = `blockerTaskId not found: ${params.milestoneId}/${params.sliceId}/${params.blockerTaskId}`;
+        return;
+      }
+      if (!isClosedStatus(blockerTask.status)) {
+        guardError = `blockerTaskId ${params.blockerTaskId} is not complete (status: ${blockerTask.status}) — the blocker task must be finished before a replan is triggered`;
+        return;
+      }
-  // Reject updates to completed tasks
-  for (const updatedTask of params.updatedTasks) {
-    if (completedTaskIds.has(updatedTask.taskId)) {
-      return { error: `cannot modify completed task ${updatedTask.taskId}` };
-    }
-  }
+      // Structural enforcement — reject modifications/removal of completed tasks
+      const existingTasks = getSliceTasks(params.milestoneId, params.sliceId);
+      const completedTaskIds = new Set<string>();
+      for (const task of existingTasks) {
+        if (isClosedStatus(task.status)) {
+          completedTaskIds.add(task.id);
+        }
+      }
-  // Reject removal of completed tasks
-  for (const removedId of params.removedTaskIds) {
-    if (completedTaskIds.has(removedId)) {
-      return { error: `cannot remove completed task ${removedId}` };
-    }
-  }
+      for (const updatedTask of params.updatedTasks) {
+        if (completedTaskIds.has(updatedTask.taskId)) {
+          guardError = `cannot modify completed task ${updatedTask.taskId}`;
+          return;
+        }
+      }
-  // ── Transaction: DB mutations ─────────────────────────────────────
-  const existingTaskIds = new Set(existingTasks.map((t) => t.id));
+      for (const removedId of params.removedTaskIds) {
+        if (completedTaskIds.has(removedId)) {
+          guardError = `cannot remove completed task ${removedId}`;
+          return;
+        }
+      }
+      existingTaskIds = new Set(existingTasks.map((t) => t.id));
-  try {
-    transaction(() => {
       // Record replan history
       insertReplanHistory({
         milestoneId: params.milestoneId,
@@ -189,6 +196,10 @@ export async function handleReplanSlice(
     return { error: `db write failed: ${(err as Error).message}` };
   }
+  if (guardError) {
+    return { error: guardError };
+  }
   // ── Render artifacts ──────────────────────────────────────────────
   try {
     const renderResult = await renderPlanFromDb(basePath, params.milestoneId, params.sliceId);

package/src/resources/extensions/gsd/tools/validate-milestone.ts CHANGED Viewed

@@ -9,7 +9,8 @@ import { join } from "node:path";
 import {
   transaction,
-  _getAdapter,
+  insertAssessment,
+  deleteAssessmentByScope,
 } from "../gsd-db.js";
 import { resolveMilestonePath, clearPathCache } from "../paths.js";
 import { saveFile, clearParseCache } from "../files.js";
@@ -76,7 +77,7 @@ export async function handleValidateMilestone(
     return { error: `verdict must be one of: ${VALIDATION_VERDICTS.join(", ")}` };
   }
-  // ── Filesystem render ──────────────────────────────────────────────────
+  // ── Resolve paths and render markdown ────────────────────────────────
   const validationMd = renderValidationMarkdown(params);
   let validationPath: string;
@@ -89,32 +90,37 @@ export async function handleValidateMilestone(
     validationPath = join(manualDir, `${params.milestoneId}-VALIDATION.md`);
   }
+  // ── DB write first — matches complete-task/complete-slice pattern ───
+  // Write DB before disk so a crash between the two leaves a recoverable
+  // state: the DB row exists but the file is missing, which projection
+  // rendering can regenerate. The inverse (file exists, no DB row) is
+  // harder to detect and recover from (#2725).
+  const validatedAt = new Date().toISOString();
+  transaction(() => {
+    insertAssessment({
+      path: validationPath,
+      milestoneId: params.milestoneId,
+      sliceId: null,
+      taskId: null,
+      status: params.verdict,
+      scope: 'milestone-validation',
+      fullContent: validationMd,
+    });
+  });
+  // ── Filesystem render (outside transaction) ────────────────────────────
+  // If disk render fails, roll back the DB row so state stays consistent.
   try {
     await saveFile(validationPath, validationMd);
   } catch (renderErr) {
     process.stderr.write(
-      `gsd-db: validate_milestone — disk render failed: ${(renderErr as Error).message}\n`,
+      `gsd-db: validate_milestone — disk render failed, rolling back DB row: ${(renderErr as Error).message}\n`,
     );
+    deleteAssessmentByScope(params.milestoneId, 'milestone-validation');
     return { error: `disk render failed: ${(renderErr as Error).message}` };
   }
-  // ── DB write — store in assessments table ──────────────────────────────
-  const validatedAt = new Date().toISOString();
-  transaction(() => {
-    const adapter = _getAdapter()!;
-    adapter.prepare(
-      `INSERT OR REPLACE INTO assessments (path, milestone_id, slice_id, task_id, status, scope, full_content, created_at)
-       VALUES (:path, :mid, NULL, NULL, :verdict, 'milestone-validation', :content, :created_at)`,
-    ).run({
-      ":path": validationPath,
-      ":mid": params.milestoneId,
-      ":verdict": params.verdict,
-      ":content": validationMd,
-      ":created_at": validatedAt,
-    });
-  });
   invalidateStateCache();
   clearPathCache();
   clearParseCache();

package/src/resources/extensions/gsd/validation.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Shared input-validation primitives for GSD tool handlers.
+ */
+/** Type guard: value is a string with at least one non-whitespace character. */
+export function isNonEmptyString(value: unknown): value is string {
+  return typeof value === "string" && value.trim().length > 0;
+}
+/**
+ * Validate that `value` is an array of non-empty strings.
+ * Throws with a message referencing `field` on failure.
+ * Returns the validated array (narrowed to string[]).
+ */
+export function validateStringArray(value: unknown, field: string): string[] {
+  if (!Array.isArray(value)) {
+    throw new Error(`${field} must be an array`);
+  }
+  if (value.some((item) => !isNonEmptyString(item))) {
+    throw new Error(`${field} must contain only non-empty strings`);
+  }
+  return value;
+}

package/src/resources/extensions/gsd/workflow-logger.ts CHANGED Viewed

@@ -199,7 +199,6 @@ export function readAuditLog(basePath?: string): LogEntry[] {
  */
 export function _resetLogs(): void {
   _buffer = [];
-  _auditBasePath = null;
 }
 // ─── Internal ───────────────────────────────────────────────────────────

package/src/resources/extensions/remote-questions/config.ts CHANGED Viewed

@@ -59,7 +59,7 @@ function hydrateRemoteTokensFromAuth(): void {
     for (const [providerId, envVar] of needed) {
       try {
         const creds = auth.getCredentialsForProvider(providerId);
-        const apiKeyCred = creds.find((c: { type: string }) => c.type === "api_key") as
+        const apiKeyCred = creds.find((c: { type: string; key?: string }) => c.type === "api_key" && !!c.key) as
           | { type: "api_key"; key: string }
           | undefined;
         if (apiKeyCred?.key) {

package/src/resources/extensions/remote-questions/remote-command.ts CHANGED Viewed

@@ -312,7 +312,7 @@ function saveProviderToken(provider: string, token: string): void {
 function removeProviderToken(provider: string): void {
   const auth = getAuthStorage();
-  auth.set(provider, { type: "api_key", key: "" });
+  auth.remove(provider);
 }
 export function saveRemoteQuestionsConfig(channel: "slack" | "discord" | "telegram", channelId: string): void {

package/src/resources/extensions/search-the-web/native-search.ts CHANGED Viewed

@@ -28,7 +28,7 @@ export const MAX_NATIVE_SEARCHES_PER_SESSION = 15;
 /** When true, skip native web search injection and keep Brave/custom tools active on Anthropic. */
 export function preferBraveSearch(): boolean {
-  // preferences.md takes priority over env var
+  // PREFERENCES.md takes priority over env var
   const prefsPref = resolveSearchProviderFromPreferences();
   if (prefsPref === "brave" || prefsPref === "tavily" || prefsPref === "ollama") return true;
   if (prefsPref === "native") return false;

package/src/resources/extensions/search-the-web/provider.ts CHANGED Viewed

@@ -105,7 +105,7 @@ export function resolveSearchProvider(overridePreference?: string): SearchProvid
   if (overridePreference && VALID_PREFERENCES.has(overridePreference)) {
     pref = overridePreference as SearchProviderPreference
   } else {
-    // preferences.md takes priority over auth.json
+    // PREFERENCES.md takes priority over auth.json
     const mdPref = resolveSearchProviderFromPreferences()
     if (mdPref && mdPref !== 'auto' && mdPref !== 'native') {
       pref = mdPref as SearchProviderPreference

package/src/resources/extensions/shared/rtk.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import { delimiter, join } from "node:path";
 const GSD_RTK_PATH_ENV = "GSD_RTK_PATH";
 const GSD_RTK_DISABLED_ENV = "GSD_RTK_DISABLED";
+const GSD_RTK_REWRITE_TIMEOUT_MS_ENV = "GSD_RTK_REWRITE_TIMEOUT_MS";
 const RTK_TELEMETRY_DISABLED_ENV = "RTK_TELEMETRY_DISABLED";
 const RTK_REWRITE_TIMEOUT_MS = 5_000;
@@ -14,6 +15,14 @@ function isTruthy(value: string | undefined): boolean {
   return normalized === "1" || normalized === "true" || normalized === "yes";
 }
+function getRewriteTimeoutMs(env: NodeJS.ProcessEnv = process.env): number {
+  const configured = Number.parseInt(env[GSD_RTK_REWRITE_TIMEOUT_MS_ENV] ?? "", 10);
+  if (Number.isFinite(configured) && configured > 0) {
+    return configured;
+  }
+  return RTK_REWRITE_TIMEOUT_MS;
+}
 export function isRtkEnabled(env: NodeJS.ProcessEnv = process.env): boolean {
   return !isTruthy(env[GSD_RTK_DISABLED_ENV]);
 }
@@ -96,18 +105,27 @@ export function resolveRtkBinaryPath(options: ResolveRtkBinaryPathOptions = {}):
   return resolveSystemRtkPath(options.pathValue ?? getPathValue(env), platform);
 }
-export function rewriteCommandWithRtk(command: string, env: NodeJS.ProcessEnv = process.env): string {
+interface RewriteCommandOptions {
+  binaryPath?: string;
+  env?: NodeJS.ProcessEnv;
+  spawnSyncImpl?: typeof spawnSync;
+}
+export function rewriteCommandWithRtk(command: string, options: RewriteCommandOptions = {}): string {
+  const env = options.env ?? process.env;
   if (!command.trim()) return command;
   if (!isRtkEnabled(env)) return command;
-  const binaryPath = resolveRtkBinaryPath({ env });
+  const binaryPath = options.binaryPath ?? resolveRtkBinaryPath({ env });
   if (!binaryPath) return command;
-  const result = spawnSync(binaryPath, ["rewrite", command], {
+  const run = options.spawnSyncImpl ?? spawnSync;
+  const result = run(binaryPath, ["rewrite", command], {
     encoding: "utf-8",
     env: buildRtkEnv(env),
     stdio: ["ignore", "pipe", "ignore"],
-    timeout: RTK_REWRITE_TIMEOUT_MS,
+    timeout: getRewriteTimeoutMs(env),
     // .cmd/.bat wrappers (used by fake-rtk in tests) require shell:true on Windows
     shell: /\.(cmd|bat)$/i.test(binaryPath),
   });