gsd-pi 2.63.0 → 2.64.0

package/dist/resources/extensions/gsd/guided-flow.js

@@ -33,6 +33,7 @@ import { debugLog } from "./debug-logger.js";
 import { findMilestoneIds, nextMilestoneId, reserveMilestoneId, getReservedMilestoneIds, clearReservedMilestoneIds } from "./milestone-ids.js";
 import { parkMilestone, discardMilestone } from "./milestone-actions.js";
 import { selectAndApplyModel } from "./auto-model-selection.js";
+import { DISCUSS_TOOLS_ALLOWLIST } from "./constants.js";
 // ─── Re-exports (preserve public API for existing importers) ────────────────
 export { MILESTONE_ID_RE, generateMilestoneSuffix, nextMilestoneId, extractMilestoneSeq, parseMilestoneId, milestoneIdSort, maxMilestoneNum, findMilestoneIds, reserveMilestoneId, claimReservedId, getReservedMilestoneIds, clearReservedMilestoneIds, } from "./milestone-ids.js";
 export { showQueue, handleQueueReorder, showQueueAdd, buildExistingMilestonesContext, } from "./guided-flow-queue.js";
@@ -242,6 +243,24 @@ async function dispatchWorkflow(pi, note, customType = "gsd-run", ctx, unitType)
             });
         }
     }
+    // Scope tools for discuss flows (#2949).
+    // Providers with grammar-based constrained decoding (xAI/Grok) return
+    // "Grammar is too complex" when the combined tool schema is too large.
+    // Discuss flows only need a small subset of GSD tools — strip the heavy
+    // planning/execution/completion tools to keep the grammar within limits.
+    if (unitType?.startsWith("discuss-")) {
+        const currentTools = pi.getActiveTools();
+        // Keep all non-GSD tools (builtins, other extensions) and only the
+        // GSD tools on the discuss allowlist.
+        const scopedTools = currentTools.filter((t) => !t.startsWith("gsd_") || DISCUSS_TOOLS_ALLOWLIST.includes(t));
+        pi.setActiveTools(scopedTools);
+        debugLog("discuss-tool-scoping", {
+            unitType,
+            before: currentTools.length,
+            after: scopedTools.length,
+            removed: currentTools.length - scopedTools.length,
+        });
+    }
     const workflowPath = process.env.GSD_WORKFLOW_PATH ?? join(process.env.HOME ?? "~", ".gsd", "agent", "GSD-WORKFLOW.md");
     const workflow = readFileSync(workflowPath, "utf-8");
     pi.sendMessage({

package/dist/resources/extensions/gsd/metrics.js

@@ -412,7 +412,33 @@ export function loadLedgerFromDisk(base) {
     return loadJsonFileOrNull(metricsPath(base), isMetricsLedger);
 }
 function loadLedger(base) {
-    return loadJsonFile(metricsPath(base), isMetricsLedger, defaultLedger);
+    const raw = loadJsonFile(metricsPath(base), isMetricsLedger, defaultLedger);
+    const before = raw.units.length;
+    raw.units = deduplicateUnits(raw.units);
+    if (raw.units.length < before) {
+        // Persist the cleaned ledger so duplicates don't re-accumulate
+        saveLedger(base, raw);
+    }
+    return raw;
+}
+/**
+ * Collapse duplicate entries with the same (type, id, startedAt) triple.
+ * Keeps the entry with the highest finishedAt (the most complete snapshot).
+ *
+ * This is a defensive measure against idle-watchdog race conditions that can
+ * produce duplicate entries on disk despite the in-memory idempotency guard
+ * in snapshotUnitMetrics(). See #1943.
+ */
+function deduplicateUnits(units) {
+    const map = new Map();
+    for (const u of units) {
+        const key = `${u.type}\0${u.id}\0${u.startedAt}`;
+        const existing = map.get(key);
+        if (!existing || u.finishedAt > existing.finishedAt) {
+            map.set(key, u);
+        }
+    }
+    return Array.from(map.values());
 }
 function saveLedger(base, data) {
     saveJsonFile(metricsPath(base), data);

package/dist/resources/extensions/gsd/native-git-bridge.js

@@ -569,10 +569,12 @@ export function nativeAddAllWithExclusions(basePath, exclusions) {
             return;
         }
         // When .gsd is a symlink, git rejects `:!.gsd/...` pathspecs with
-        // "beyond a symbolic link". Fall back to plain `git add -A` which
-        // respects .gitignore (where .gsd/ is listed by default).
+        // "beyond a symbolic link". Fall back to `git add -u` which only
+        // stages changes to already-tracked files — O(tracked) not O(filesystem).
+        // Using `git add -A` here would traverse the entire working tree,
+        // hanging indefinitely on repos with large untracked data dirs. (#1977)
         if (stderr.includes("beyond a symbolic link")) {
-            nativeAddAll(basePath);
+            gitFileExec(basePath, ["add", "-u"]);
             return;
         }
         throw new GSDError(GSD_GIT_ERROR, `git add -A with exclusions failed in ${basePath}: ${getErrorMessage(err)}`);

package/dist/resources/extensions/gsd/preferences-types.js

@@ -74,6 +74,8 @@ export const KNOWN_PREFERENCE_KEYS = new Set([
     "context_management",
     "experimental",
     "codebase",
+    "slice_parallel",
+    "safety_harness",
 ]);
 /** Canonical list of all dispatch unit types. */
 export const KNOWN_UNIT_TYPES = [

package/dist/resources/extensions/gsd/preferences.js

@@ -148,9 +148,11 @@ export function parsePreferencesMarkdown(content) {
     if (/^##\s+\w/m.test(content)) {
         return parseHeadingListFormat(content);
     }
-    if (!_warnedUnrecognizedFormat) {
+    // Warn when a non-empty file exists but lacks frontmatter delimiters (#2036).
+    if (content.trim().length > 0 && !_warnedUnrecognizedFormat) {
         _warnedUnrecognizedFormat = true;
-        console.warn("[parsePreferencesMarkdown] preferences.md exists but uses an unrecognized format — skipping.");
+        console.warn("[GSD] Warning: preferences file has unrecognized format — content does not use YAML frontmatter delimiters (---). " +
+            "Wrap your preferences in --- fences. See https://github.com/gsd-build/gsd-2/issues/2036");
     }
     return null;
 }
@@ -301,6 +303,9 @@ function mergePreferences(base, override) {
                 ].filter(Boolean),
             }
             : undefined,
+        slice_parallel: (base.slice_parallel || override.slice_parallel)
+            ? { ...(base.slice_parallel ?? {}), ...(override.slice_parallel ?? {}) }
+            : undefined,
     };
 }
 function mergeStringLists(base, override) {

package/dist/resources/extensions/gsd/prompt-loader.js

@@ -47,6 +47,13 @@ function resolveExtensionDir() {
 const __extensionDir = resolveExtensionDir();
 const promptsDir = join(__extensionDir, "prompts");
 const templatesDir = join(__extensionDir, "templates");
+/**
+ * Return the resolved templates directory path for use in prompts.
+ * Avoids hardcoding `~/.gsd/agent/extensions/gsd/templates/` in templates. (#3575)
+ */
+export function getTemplatesDir() {
+    return templatesDir;
+}
 // Cache all templates eagerly at module load — a running session uses the
 // template versions that were on disk at startup, immune to later overwrites.
 const templateCache = new Map();

package/dist/resources/extensions/gsd/prompts/complete-milestone.md

@@ -24,6 +24,8 @@ Then:
 7. Fill the **Decision Re-evaluation** table in the milestone summary. For each key decision from `.gsd/DECISIONS.md` made during this milestone, evaluate whether it is still valid given what was actually built. Flag decisions that should be revisited next milestone.
 8. Validate **requirement status transitions**. For each requirement that changed status during this milestone, confirm the transition is supported by evidence. Requirements can move between Active, Validated, Deferred, Blocked, or Out of Scope — but only with proof.
 
+**DB access safety:** Do NOT query `.gsd/gsd.db` directly via `sqlite3` or `node -e require('better-sqlite3')` — the engine owns the WAL connection. Use `gsd_milestone_status` to read milestone and slice state. All data you need is already inlined in the context above or accessible via the `gsd_*` tools — never via direct SQL.
+
 ### Verification Gate — STOP if verification failed
 
 **If ANY verification failure was recorded in steps 3, 4, or 5, you MUST follow the failure path below. Do NOT proceed to step 9.**

package/dist/resources/extensions/gsd/prompts/complete-slice.md

@@ -35,6 +35,8 @@ Then:
 
 **Autonomous execution:** Do not call `ask_user_questions` or `secure_env_collect`. You are running in auto-mode — there is no human available to answer questions. Make reasonable assumptions and document them in the slice summary. If a decision genuinely requires human input, note it in the summary and proceed with the best available option.
 
+**File system safety:** Task summaries are preloaded in the inlined context above. If you need to re-read any of them, use `find .gsd/milestones/{{milestoneId}}/slices/{{sliceId}}/tasks -name "*-SUMMARY.md"` to list file paths first — never pass `{{slicePath}}` or any other directory path directly to the `read` tool. The `read` tool only accepts file paths, not directories.
+
 **You MUST call `gsd_complete_slice` with the slice summary and UAT content before finishing. The tool persists to both DB and disk and renders `{{sliceSummaryPath}}` and `{{sliceUatPath}}` automatically.**
 
 When done, say: "Slice {{sliceId}} complete."

package/dist/resources/extensions/gsd/prompts/doctor-heal.md

@@ -9,6 +9,7 @@ Rules:
 4. For missing summaries or UAT files, generate the real artifact from existing slice/task context when possible — do not leave placeholders if you can reconstruct the real content.
 5. After each repair cluster, verify the relevant invariant directly from disk.
 6. When done, rerun `/gsd doctor {{doctorCommandSuffix}}` mentally by ensuring the remaining issue set for this scope is reduced or cleared.
+7. Do NOT query `.gsd/gsd.db` directly via `sqlite3` or `node -e require('better-sqlite3')` — use `gsd_milestone_status` to inspect DB state. Direct access bypasses the WAL connection owned by the engine and can corrupt in-flight writes.
 
 ## Doctor Summary
 

package/dist/resources/extensions/gsd/prompts/forensics.md

@@ -116,6 +116,8 @@ A unit dispatched more than once (`type/id` appears multiple times) indicates a
 
 5. **Read the actual GSD source code** at `{{gsdSourceDir}}` to confirm or deny each hypothesis. Do not guess what code does — read it.
 
+   **DB inspection:** If you need to check DB state as part of investigation, use `gsd_milestone_status` — never run `sqlite3 .gsd/gsd.db` or `node -e require('better-sqlite3')` directly. The engine holds a WAL write lock; direct access will either fail or return stale data.
+
 6. **Trace the code path** from the entry point (usually `auto-loop.ts` dispatch or `auto-dispatch.ts`) through to the failure point. Follow function calls across files.
 
 7. **Identify the specific file and line** where the bug lives. Determine what kind of defect it is:

package/dist/resources/extensions/gsd/prompts/reassess-roadmap.md

@@ -63,4 +63,6 @@ If `.gsd/REQUIREMENTS.md` exists and requirement ownership or status changed, up
 
 {{commitInstruction}}
 
+**DB access safety:** Do NOT query `.gsd/gsd.db` directly via `sqlite3` or `node -e require('better-sqlite3')`. Use `gsd_milestone_status` to read current milestone and slice state. All roadmap mutations go through `gsd_reassess_roadmap` — the tool writes to the DB and re-renders ROADMAP.md atomically.
+
 When done, say: "Roadmap reassessed."

package/dist/resources/extensions/gsd/prompts/system.md

@@ -24,13 +24,9 @@ Leave the project in a state where the next agent can immediately understand wha
 
 ## Skills
 
-GSD ships with bundled skills. Load the relevant skill file with the `read` tool before starting work when the task matches.
+GSD ships with bundled skills. Load the relevant skill file with the `read` tool before starting work when the task matches. Use bare skill names — GSD resolves them to the correct path automatically.
 
-| Trigger | Skill to load |
-|---|---|
-| Frontend UI - web components, pages, landing pages, dashboards, React/HTML/CSS, styling | `~/.gsd/agent/skills/frontend-design/SKILL.md` |
-| macOS or iOS apps - SwiftUI, Xcode, App Store | `~/.gsd/agent/skills/swiftui/SKILL.md` |
-| Debugging - complex bugs, failing tests, root-cause investigation after standard approaches fail | `~/.gsd/agent/skills/debug-like-expert/SKILL.md` |
+{{bundledSkillsTable}}
 
 ## Hard Rules
 
@@ -119,7 +115,7 @@ In all modes, slices commit sequentially on the active branch; there are no per-
 ### Artifact Templates
 
 Templates showing the expected format for each artifact type are in:
-`~/.gsd/agent/extensions/gsd/templates/`
+`{{templatesDir}}`
 
 **Always read the relevant template before writing an artifact** to match the expected structure exactly. The parsers that read these files depend on specific formatting:
 
@@ -175,6 +171,7 @@ Templates showing the expected format for each artifact type are in:
 - Never guess at library APIs from training data — use `get_library_docs`.
 - Never ask the user to run a command, set a variable, or check something you can check yourself.
 - Never await stale async jobs after editing source — `cancel_job` them first, then re-run.
+- Never query `.gsd/gsd.db` directly via `sqlite3`, `better-sqlite3`, or `node -e require('better-sqlite3')` — the database uses a single-writer WAL connection managed by the engine. Direct access causes reader/writer conflicts and bypasses validation logic. Use `gsd_milestone_status`, `gsd_journal_query`, or other `gsd_*` tools exclusively for all DB reads and writes.
 
 ### Ask vs infer
 

package/dist/resources/extensions/gsd/prompts/validate-milestone.md

@@ -38,6 +38,8 @@ All relevant context has been preloaded below — the roadmap, all slice summari
 
 **Persist validation results through `gsd_validate_milestone`.** Call it with: `milestoneId`, `verdict`, `remediationRound`, `successCriteriaChecklist`, `sliceDeliveryAudit`, `crossSliceIntegration`, `requirementCoverage`, `verificationClasses` (when non-empty), `verdictRationale`, and `remediationPlan` (if verdict is `needs-remediation`). The tool writes the validation to the DB and renders VALIDATION.md to disk.
 
+**DB access safety:** Do NOT query `.gsd/gsd.db` directly via `sqlite3` or `node -e require('better-sqlite3')` — the engine owns the WAL connection. Use `gsd_milestone_status` to read milestone and slice state. All data you need is already inlined in the context above or accessible via the `gsd_*` tools. Direct DB access corrupts the WAL and bypasses tool-level validation.
+
 If verdict is `needs-remediation`:
 - After calling `gsd_validate_milestone`, use `gsd_reassess_roadmap` to add remediation slices. Pass `milestoneId`, a synthetic `completedSliceId` (e.g. "VALIDATION"), `verdict: "roadmap-adjusted"`, `assessment` text, and `sliceChanges` with the new slices in the `added` array. The tool persists the changes to the DB and re-renders ROADMAP.md.
 - These remediation slices will be planned and executed before validation re-runs.

package/dist/resources/extensions/gsd/roadmap-mutations.js

@@ -31,7 +31,7 @@ export function markSliceDoneInRoadmap(basePath, mid, sid) {
     if (updated === content) {
         updated = content.replace(new RegExp(`^(#{1,4}\\s+(?:\\*{0,2})(?:Slice\\s+)?${sid}\\*{0,2}[:\\s.\\u2014\\u2013-]+\\s*)(.+)`, "m"), (match, prefix, title) => {
             // Already marked done — no-op
-            if (/^\u2713/.test(title) || /\(Complete\)\s*$/i.test(title))
+            if (/^[\u2713\u2705]/.test(title) || /[\u2705]\s*$/.test(title) || /\(Complete\)\s*$/i.test(title))
                 return match;
             return `${prefix}\u2713 ${title}`;
         });

package/dist/resources/extensions/gsd/roadmap-slices.js

@@ -74,7 +74,7 @@ function parseTableSlices(section) {
         // Determine completion status from any cell containing [x], "Done", or "Complete"
         const fullRow = line.toLowerCase();
         const done = /\[x\]/i.test(line) ||
-            /[✅☑✓]/.test(line) ||
+            /[✅☑✓✔]/.test(line) ||
             /\bdone\b/.test(fullRow) ||
             /\bcomplete(?:d)?\b/.test(fullRow);
         // Extract risk from any cell containing risk keywords
@@ -214,10 +214,10 @@ function parseProseSliceHeaders(content) {
     // numeric prefixes (e.g., "1.", "(1)"), bracketed IDs (e.g., "[S01]"),
     // optional checkmark completion marker, and optional leading indentation.
     // Separator after the ID is flexible: colon, dash, em/en dash, dot, or just whitespace.
-    const headerPattern = /^\s*#{1,4}\s+\*{0,2}(?:\u2713\s+)?(?:\d+[.)]\s+)?(?:\(\d+\)\s+)?(?:Slice\s+)?\[?(S\d+)\]?\*{0,2}[:\s.\u2014\u2013-]*\s*(.+)/gm;
+    const headerPattern = /^\s*#{1,4}\s+\*{0,2}(?:[\u2713\u2705]\s+)?(?:\d+[.)]\s+)?(?:\(\d+\)\s+)?(?:Slice\s+)?\[?(S\d+)\]?\*{0,2}[:\s.\u2014\u2013-]*\s*(.+)/gm;
     let match;
     // Check for checkmark before the slice ID (e.g., "## checkmark S01: Title")
-    const prefixCheckPattern = /^\s*#{1,4}\s+\*{0,2}\u2713\s+/;
+    const prefixCheckPattern = /^\s*#{1,4}\s+\*{0,2}[\u2713\u2705]\s+/;
     while ((match = headerPattern.exec(content)) !== null) {
         const id = match[1];
         let title = match[2].trim().replace(/\*{1,2}$/g, "").trim(); // strip trailing bold markers
@@ -229,9 +229,13 @@ function parseProseSliceHeaders(content) {
         // 3. (Complete) suffix: "## S01: Title (Complete)"
         const line = match[0];
         let done = prefixCheckPattern.test(line);
-        if (!done && title.startsWith("\u2713")) {
+        if (!done && /^[\u2713\u2705]/.test(title)) {
             done = true;
-            title = title.replace(/^\u2713\s*/, "");
+            title = title.replace(/^[\u2713\u2705]\s*/, "");
+        }
+        if (!done && /[\u2705]\s*$/.test(title)) {
+            done = true;
+            title = title.replace(/\s*[\u2705]\s*$/, "");
         }
         if (!done && /\(Complete\)\s*$/i.test(title)) {
             done = true;

package/dist/resources/extensions/gsd/safety/content-validator.js

@@ -0,0 +1,73 @@
+/**
+ * Lightweight content validator for auto-mode safety harness.
+ * Validates that high-value unit outputs contain minimum expected content.
+ *
+ * Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { logWarning } from "../workflow-logger.js";
+// ─── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Validate content quality for a completed unit.
+ * Returns an array of violations. Empty array = content looks acceptable.
+ *
+ * @param unitType - The type of unit that completed (e.g. "plan-slice")
+ * @param artifactPath - Absolute path to the primary artifact file
+ */
+export function validateContent(unitType, artifactPath) {
+    if (!artifactPath || !existsSync(artifactPath))
+        return [];
+    const validator = VALIDATORS[unitType];
+    if (!validator)
+        return [];
+    try {
+        const content = readFileSync(artifactPath, "utf-8");
+        return validator(content);
+    }
+    catch (e) {
+        logWarning("safety", `content validation read failed: ${e.message}`);
+        return [];
+    }
+}
+const VALIDATORS = {
+    "plan-slice": validatePlanSlice,
+    "plan-milestone": validatePlanMilestone,
+};
+function validatePlanSlice(content) {
+    const violations = [];
+    // Must have at least 2 task entries (checkbox pattern)
+    const taskCount = (content.match(/- \[[ x]\] \*\*T\d+/g) || []).length;
+    if (taskCount < 2) {
+        violations.push({
+            severity: "warning",
+            reason: `Slice plan has only ${taskCount} task(s) — expected at least 2`,
+        });
+    }
+    // Should have a Files Likely Touched section
+    if (!content.includes("## Files Likely Touched") && !content.includes("## Files")) {
+        violations.push({
+            severity: "warning",
+            reason: "Slice plan missing 'Files Likely Touched' section",
+        });
+    }
+    // Should have a verification section
+    if (!content.includes("Verify") && !content.includes("verify")) {
+        violations.push({
+            severity: "warning",
+            reason: "Slice plan has no verification instructions",
+        });
+    }
+    return violations;
+}
+function validatePlanMilestone(content) {
+    const violations = [];
+    // Must have at least 1 slice entry
+    const sliceCount = (content.match(/##\s+S\d+/g) || []).length;
+    if (sliceCount < 1) {
+        violations.push({
+            severity: "warning",
+            reason: `Milestone roadmap has ${sliceCount} slice(s) — expected at least 1`,
+        });
+    }
+    return violations;
+}

package/dist/resources/extensions/gsd/safety/destructive-guard.js

@@ -0,0 +1,34 @@
+/**
+ * Destructive command classifier for auto-mode safety harness.
+ * Classifies bash commands and warns on potentially destructive operations.
+ * Does NOT block — only classifies for logging/notification.
+ *
+ * Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>
+ */
+const DESTRUCTIVE_PATTERNS = [
+    { pattern: /\brm\s+(-[^\s]*[rfRF][^\s]*\s+|.*\s+-[^\s]*[rfRF])/, label: "recursive delete" },
+    { pattern: /\bgit\s+push\s+.*--force/, label: "force push" },
+    { pattern: /\bgit\s+push\s+-f\b/, label: "force push" },
+    { pattern: /\bgit\s+reset\s+--hard/, label: "hard reset" },
+    { pattern: /\bgit\s+clean\s+-[^\s]*[fdxFDX]/, label: "git clean" },
+    { pattern: /\bgit\s+checkout\s+--\s+\./, label: "discard all changes" },
+    { pattern: /\bdrop\s+(database|table|index)\b/i, label: "SQL drop" },
+    { pattern: /\btruncate\s+table\b/i, label: "SQL truncate" },
+    { pattern: /\bchmod\s+777\b/, label: "world-writable permissions" },
+    { pattern: /\bcurl\s.*\|\s*(bash|sh|zsh)\b/, label: "pipe to shell" },
+];
+/**
+ * Classify a bash command for destructive operations.
+ * Returns the list of matched destructive pattern labels.
+ */
+export function classifyCommand(command) {
+    const labels = [];
+    for (const { pattern, label } of DESTRUCTIVE_PATTERNS) {
+        if (pattern.test(command)) {
+            // Deduplicate labels (e.g., two force-push patterns)
+            if (!labels.includes(label))
+                labels.push(label);
+        }
+    }
+    return { destructive: labels.length > 0, labels };
+}

package/dist/resources/extensions/gsd/safety/evidence-collector.js

@@ -0,0 +1,109 @@
+/**
+ * Real-time tool call evidence collector for auto-mode safety harness.
+ * Tracks every bash command, file write, and file edit during a unit execution.
+ * Evidence is compared against LLM completion claims in evidence-cross-ref.ts.
+ *
+ * Follows the same module-level Map pattern as auto-tool-tracking.ts.
+ * Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>
+ */
+// ─── Module State ───────────────────────────────────────────────────────────
+let unitEvidence = [];
+// ─── Public API ─────────────────────────────────────────────────────────────
+/** Reset all evidence for a new unit. Call at unit start. */
+export function resetEvidence() {
+    unitEvidence = [];
+}
+/** Get a read-only view of all evidence collected for the current unit. */
+export function getEvidence() {
+    return unitEvidence;
+}
+/** Get only bash evidence entries. */
+export function getBashEvidence() {
+    return unitEvidence.filter((e) => e.kind === "bash");
+}
+/** Get all file paths touched (write + edit). */
+export function getFilePaths() {
+    return unitEvidence
+        .filter((e) => e.kind === "write" || e.kind === "edit")
+        .map(e => e.path);
+}
+// ─── Recording (called from register-hooks.ts) ─────────────────────────────
+/**
+ * Record a tool call at dispatch time (before execution).
+ * Exit codes and output are filled in by recordToolResult after execution.
+ */
+export function recordToolCall(toolName, input) {
+    if (toolName === "bash" || toolName === "Bash") {
+        unitEvidence.push({
+            kind: "bash",
+            toolCallId: "",
+            command: String(input.command ?? ""),
+            exitCode: -1,
+            outputSnippet: "",
+            timestamp: Date.now(),
+        });
+    }
+    else if (toolName === "write" || toolName === "Write") {
+        unitEvidence.push({
+            kind: "write",
+            toolCallId: "",
+            path: String(input.file_path ?? input.path ?? ""),
+            timestamp: Date.now(),
+        });
+    }
+    else if (toolName === "edit" || toolName === "Edit") {
+        unitEvidence.push({
+            kind: "edit",
+            toolCallId: "",
+            path: String(input.file_path ?? input.path ?? ""),
+            timestamp: Date.now(),
+        });
+    }
+}
+/**
+ * Record a tool execution result. Matches the most recent unresolved entry
+ * of the same kind and fills in the toolCallId, exit code, and output.
+ */
+export function recordToolResult(toolCallId, toolName, result, isError) {
+    const normalizedName = toolName.toLowerCase();
+    if (normalizedName === "bash") {
+        const entry = findLastUnresolved("bash");
+        if (entry) {
+            entry.toolCallId = toolCallId;
+            const text = extractResultText(result);
+            entry.outputSnippet = text.slice(0, 500);
+            const exitMatch = text.match(/Command exited with code (\d+)/);
+            entry.exitCode = exitMatch ? Number(exitMatch[1]) : (isError ? 1 : 0);
+        }
+    }
+    else if (normalizedName === "write" || normalizedName === "edit") {
+        const entry = findLastUnresolved(normalizedName);
+        if (entry) {
+            entry.toolCallId = toolCallId;
+        }
+    }
+}
+// ─── Internals ──────────────────────────────────────────────────────────────
+function findLastUnresolved(kind) {
+    for (let i = unitEvidence.length - 1; i >= 0; i--) {
+        if (unitEvidence[i].kind === kind && unitEvidence[i].toolCallId === "") {
+            return unitEvidence[i];
+        }
+    }
+    return undefined;
+}
+function extractResultText(result) {
+    if (typeof result === "string")
+        return result;
+    if (result && typeof result === "object") {
+        const r = result;
+        if (Array.isArray(r.content)) {
+            const textBlock = r.content.find((c) => typeof c === "object" && c !== null && c.type === "text");
+            if (textBlock && typeof textBlock.text === "string")
+                return textBlock.text;
+        }
+        if (typeof r.text === "string")
+            return r.text;
+    }
+    return String(result ?? "");
+}

package/dist/resources/extensions/gsd/safety/evidence-cross-ref.js

@@ -0,0 +1,83 @@
+/**
+ * Evidence cross-reference for auto-mode safety harness.
+ * Compares the LLM's claimed verification evidence (command + exitCode)
+ * against actual bash tool calls recorded by the evidence collector.
+ *
+ * Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>
+ */
+// ─── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Cross-reference claimed verification evidence against actual bash tool calls.
+ *
+ * Returns an array of mismatches. Empty array = all claims verified.
+ * Skips entries that were coerced from strings (already flagged by db-tools.ts).
+ */
+export function crossReferenceEvidence(claimedEvidence, actualEvidence) {
+    const bashCalls = actualEvidence.filter((e) => e.kind === "bash");
+    const mismatches = [];
+    for (const claimed of claimedEvidence) {
+        // Skip coerced entries — they're already flagged with exitCode: -1
+        // and verdict: "unknown (coerced from string)" by db-tools.ts
+        if (claimed.verdict?.includes("coerced from string"))
+            continue;
+        if (claimed.exitCode === -1)
+            continue;
+        // Skip entries with empty or generic commands
+        if (!claimed.command || claimed.command.length < 3)
+            continue;
+        // Find matching bash call by command substring match
+        const match = findBestMatch(claimed.command, bashCalls);
+        if (!match) {
+            mismatches.push({
+                severity: "warning",
+                claimed,
+                actual: null,
+                reason: `No bash tool call found matching "${claimed.command.slice(0, 80)}"`,
+            });
+            continue;
+        }
+        // Exit code mismatch: LLM claims success but actual command failed
+        if (claimed.exitCode === 0 && match.exitCode !== 0) {
+            mismatches.push({
+                severity: "error",
+                claimed,
+                actual: match,
+                reason: `Claimed exitCode=0 but actual exitCode=${match.exitCode}`,
+            });
+        }
+    }
+    return mismatches;
+}
+// ─── Internals ──────────────────────────────────────────────────────────────
+/**
+ * Find the best matching bash evidence entry for a claimed command.
+ * Uses substring matching — the claimed command may be a shortened version
+ * of the actual command, or vice versa.
+ */
+function findBestMatch(claimedCommand, bashCalls) {
+    const normalized = claimedCommand.trim();
+    // Exact match first
+    const exact = bashCalls.find(b => b.command.trim() === normalized);
+    if (exact)
+        return exact;
+    // Substring match: claimed is contained in actual or actual in claimed
+    const substring = bashCalls.find(b => b.command.includes(normalized) || normalized.includes(b.command));
+    if (substring)
+        return substring;
+    // Token match: split on whitespace and check significant overlap
+    const claimedTokens = normalized.split(/\s+/).filter(t => t.length > 2);
+    if (claimedTokens.length === 0)
+        return null;
+    let bestMatch = null;
+    let bestScore = 0;
+    for (const call of bashCalls) {
+        const callTokens = new Set(call.command.split(/\s+/));
+        const matchCount = claimedTokens.filter(t => callTokens.has(t)).length;
+        const score = matchCount / claimedTokens.length;
+        if (score > bestScore && score >= 0.5) {
+            bestScore = score;
+            bestMatch = call;
+        }
+    }
+    return bestMatch;
+}

package/dist/resources/extensions/gsd/safety/file-change-validator.js

@@ -0,0 +1,71 @@
+/**
+ * Post-unit file change validator for auto-mode safety harness.
+ * Compares actual git diff against the task plan's expected output files.
+ *
+ * Uses tasks.expected_output (DB column, populated from per-task ## Expected Output)
+ * and tasks.files (from slice PLAN.md - Files: subline) as the expected set.
+ * Compares against git diff HEAD~1 --name-only after auto-commit.
+ *
+ * Copyright (c) 2026 Jeremy McSpadden <jeremy@fluxlabs.net>
+ */
+import { execFileSync } from "node:child_process";
+import { logWarning } from "../workflow-logger.js";
+// ─── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Validate file changes after auto-commit for an execute-task unit.
+ * Returns null if task data is unavailable or DB is not loaded.
+ *
+ * @param basePath - Working directory (worktree or project root)
+ * @param expectedOutput - JSON array from tasks.expected_output DB column
+ * @param plannedFiles - JSON array from tasks.files DB column
+ */
+export function validateFileChanges(basePath, expectedOutput, plannedFiles) {
+    const allExpected = new Set([...expectedOutput, ...plannedFiles]);
+    // If no expected files were planned, skip validation
+    if (allExpected.size === 0)
+        return null;
+    // Get actual changed files from last commit
+    const actualFiles = getChangedFilesFromLastCommit(basePath);
+    if (!actualFiles)
+        return null;
+    // Filter out .gsd/ internal files — only validate project source files
+    const projectFiles = actualFiles.filter(f => !f.startsWith(".gsd/") && !f.startsWith(".gsd\\"));
+    // Normalize expected paths (strip leading ./ or /)
+    const normalizedExpected = new Set([...allExpected].map(f => f.replace(/^\.\//, "").replace(/^\//, "")));
+    // Compute symmetric difference
+    const unexpectedFiles = projectFiles.filter(f => !normalizedExpected.has(f));
+    const missingFiles = [...normalizedExpected].filter(f => !projectFiles.includes(f));
+    const violations = [];
+    for (const f of unexpectedFiles) {
+        violations.push({
+            severity: "warning",
+            file: f,
+            reason: "Modified but not in task plan's expected output",
+        });
+    }
+    for (const f of missingFiles) {
+        violations.push({
+            severity: "info",
+            file: f,
+            reason: "Listed in task plan but not modified",
+        });
+    }
+    return {
+        expectedFiles: [...normalizedExpected],
+        actualFiles: projectFiles,
+        unexpectedFiles,
+        missingFiles,
+        violations,
+    };
+}
+// ─── Internals ──────────────────────────────────────────────────────────────
+function getChangedFilesFromLastCommit(basePath) {
+    try {
+        const result = execFileSync("git", ["diff", "--name-only", "HEAD~1", "HEAD"], { cwd: basePath, stdio: ["ignore", "pipe", "pipe"], encoding: "utf-8" }).trim();
+        return result ? result.split("\n").filter(Boolean) : [];
+    }
+    catch (e) {
+        logWarning("safety", `git diff failed in file-change-validator: ${e.message}`);
+        return null;
+    }
+}