gsd-pi 2.65.0-dev.16e10d7 → 2.65.0-dev.6cc5110

package/dist/resources/extensions/gsd/auto/session.js

@@ -77,6 +77,9 @@ export class AutoSession {
     milestoneMergedInPhases = false;
     // ── Dispatch circuit breakers ──────────────────────────────────────
     rewriteAttemptCount = 0;
+    /** Tracks consecutive bootstrap attempts that found phase === "complete".
+     *  Moved from module-level to per-session so s.reset() clears it (#1348). */
+    consecutiveCompleteBootstraps = 0;
     // ── Metrics ──────────────────────────────────────────────────────────────
     autoStartTime = 0;
     lastPromptCharCount;
@@ -159,6 +162,7 @@ export class AutoSession {
         this.pendingQuickTasks = [];
         this.sidecarQueue = [];
         this.rewriteAttemptCount = 0;
+        this.consecutiveCompleteBootstraps = 0;
         this.lastToolInvocationError = null;
         this.isolationDegraded = false;
         this.milestoneMergedInPhases = false;

package/dist/resources/extensions/gsd/auto-dispatch.js

@@ -611,13 +611,17 @@ export const DISPATCH_RULES = [
             // Safety guard (#1703): verify the milestone produced implementation
             // artifacts (non-.gsd/ files). A milestone with only plan files and
             // zero implementation code should not be marked complete.
-            if (!hasImplementationArtifacts(basePath)) {
+            const artifactCheck = hasImplementationArtifacts(basePath);
+            if (artifactCheck === "absent") {
                 return {
                     action: "stop",
                     reason: `Cannot complete milestone ${mid}: no implementation files found outside .gsd/. The milestone has only plan files — actual code changes are required.`,
                     level: "error",
                 };
             }
+            if (artifactCheck === "unknown") {
+                logWarning("dispatch", `Implementation artifact check inconclusive for ${mid} — proceeding (git context unavailable)`);
+            }
             // Verification class compliance: if operational verification was planned,
             // ensure the validation output documents it before allowing completion.
             try {

package/dist/resources/extensions/gsd/auto-recovery.js

@@ -7,6 +7,7 @@
  * globals or AutoContext dependency.
  */
 import { parseUnitId } from "./unit-id.js";
+import { appendEvent } from "./workflow-events.js";
 import { clearParseCache } from "./files.js";
 import { parseRoadmap as parseLegacyRoadmap, parsePlan as parseLegacyPlan } from "./parsers-legacy.js";
 import { isDbAvailable, getTask, getSlice, getSliceTasks, updateTaskStatus, updateSliceStatus } from "./gsd-db.js";
@@ -27,13 +28,12 @@ export { resolveExpectedArtifactPath, diagnoseExpectedArtifact };
  * in the git history. Uses `git log --name-only` to inspect all commits on the
  * current branch that touch files outside `.gsd/`.
  *
- * Returns true if at least one non-`.gsd/` file was committed, false otherwise.
- * Non-fatal: returns true on git errors to avoid blocking the pipeline when
- * running outside a git repo (e.g., tests).
+ * Returns "present" if implementation files found, "absent" if only .gsd/ files,
+ * "unknown" if git is unavailable or check failed (callers decide how to handle).
  */
 export function hasImplementationArtifacts(basePath) {
     try {
-        // Verify we're in a git repo — fail open if not
+        // Verify we're in a git repo
         try {
             execFileSync("git", ["rev-parse", "--is-inside-work-tree"], {
                 cwd: basePath,
@@ -43,7 +43,7 @@ export function hasImplementationArtifacts(basePath) {
         }
         catch (e) {
             logWarning("recovery", `git rev-parse check failed: ${e.message}`);
-            return true;
+            return "unknown";
         }
         // Strategy: check `git diff --name-only` against the merge-base with the
         // main branch. This captures ALL files changed during the milestone's
@@ -51,20 +51,20 @@ export function hasImplementationArtifacts(basePath) {
         // back to checking the last N commits.
         const mainBranch = detectMainBranch(basePath);
         const changedFiles = getChangedFilesSinceBranch(basePath, mainBranch);
-        // No files changed at all — fail open (could be detached HEAD, single-
+        // No files changed at all — unknown (could be detached HEAD, single-
         // commit repo, or other edge case where git diff returns nothing).
         if (changedFiles.length === 0)
-            return true;
+            return "unknown";
         // Filter out .gsd/ files — only implementation files count.
         // If every changed file is under .gsd/, the milestone produced no
         // implementation code (#1703).
         const implFiles = changedFiles.filter(f => !f.startsWith(".gsd/") && !f.startsWith(".gsd\\"));
-        return implFiles.length > 0;
+        return implFiles.length > 0 ? "present" : "absent";
     }
     catch (e) {
-        // Non-fatal — if git operations fail, don't block the pipeline
+        // Non-fatal — if git operations fail, return unknown so callers can decide
         logWarning("recovery", `implementation artifact check failed: ${e.message}`);
-        return true;
+        return "unknown";
     }
 }
 /**
@@ -354,7 +354,7 @@ export function verifyExpectedArtifact(unitType, unitId, base) {
     // A milestone with only .gsd/ plan files and zero implementation code is
     // not genuinely complete — the LLM wrote plan files but skipped actual work.
     if (unitType === "complete-milestone") {
-        if (!hasImplementationArtifacts(base))
+        if (hasImplementationArtifacts(base) === "absent")
             return false;
     }
     return true;
@@ -386,21 +386,35 @@ export function writeBlockerPlaceholder(unitType, unitId, base, reason) {
     // re-derives the same unit indefinitely (#2531, #2653).
     if (isDbAvailable()) {
         const { milestone: mid, slice: sid, task: tid } = parseUnitId(unitId);
+        const ts = new Date().toISOString();
         if (unitType === "execute-task" && mid && sid && tid) {
             try {
-                updateTaskStatus(mid, sid, tid, "complete", new Date().toISOString());
+                updateTaskStatus(mid, sid, tid, "complete", ts);
             }
             catch (e) {
                 logWarning("recovery", `updateTaskStatus failed during context exhaustion: ${e instanceof Error ? e.message : String(e)}`);
             }
+            // Append event so worktree reconciliation can replay this recovery completion
+            try {
+                appendEvent(base, { cmd: "complete-task", params: { milestoneId: mid, sliceId: sid, taskId: tid }, ts, actor: "system", trigger_reason: "blocker-placeholder-recovery" });
+            }
+            catch (e) {
+                logWarning("recovery", `appendEvent failed for task recovery: ${e instanceof Error ? e.message : String(e)}`);
+            }
         }
         if (unitType === "complete-slice" && mid && sid) {
             try {
-                updateSliceStatus(mid, sid, "complete", new Date().toISOString());
+                updateSliceStatus(mid, sid, "complete", ts);
             }
             catch (e) {
                 logWarning("recovery", `updateSliceStatus failed during context exhaustion: ${e instanceof Error ? e.message : String(e)}`);
             }
+            try {
+                appendEvent(base, { cmd: "complete-slice", params: { milestoneId: mid, sliceId: sid }, ts, actor: "system", trigger_reason: "blocker-placeholder-recovery" });
+            }
+            catch (e) {
+                logWarning("recovery", `appendEvent failed for slice recovery: ${e instanceof Error ? e.message : String(e)}`);
+            }
         }
     }
     return diagnoseExpectedArtifact(unitType, unitId, base);
@@ -455,7 +469,7 @@ export function reconcileMergeState(basePath, ctx) {
     if (conflictedFiles.length === 0) {
         // All conflicts resolved — finalize the merge/squash commit
         try {
-            const commitSha = nativeCommit(basePath, ""); // --no-edit equivalent: use empty message placeholder
+            const commitSha = nativeCommit(basePath, "chore(gsd): reconcile merge state");
             if (commitSha) {
                 const mode = hasMergeHead ? "merge" : "squash commit";
                 ctx.ui.notify(`Finalized leftover ${mode} from prior session.`, "info");

package/dist/resources/extensions/gsd/auto-start.js

@@ -48,11 +48,8 @@ import { resolveDefaultSessionModel } from "./preferences-models.js";
  * Returns false if the bootstrap aborted (e.g., guided flow returned,
  * concurrent session detected). Returns true when ready to dispatch.
  */
-/** Guard: tracks consecutive bootstrap attempts that found phase === "complete".
- *  Prevents the recursive dialog loop described in #1348 where
- *  bootstrapAutoSession → showSmartEntry → checkAutoStartAfterDiscuss → startAuto
- *  cycles indefinitely when the discuss workflow doesn't produce a milestone. */
-let _consecutiveCompleteBootstraps = 0;
+// Guard constant for consecutive bootstrap attempts that found phase === "complete".
+// Counter moved to AutoSession.consecutiveCompleteBootstraps so s.reset() clears it.
 const MAX_CONSECUTIVE_COMPLETE_BOOTSTRAPS = 2;
 export async function openProjectDbIfPresent(basePath) {
     const gsdDbPath = resolveProjectRootDbPath(basePath);
@@ -263,9 +260,9 @@ export async function bootstrapAutoSession(s, ctx, pi, base, verboseMode, reques
                 // Guard against recursive dialog loop (#1348):
                 // If we've entered this branch multiple times in quick succession,
                 // the discuss workflow isn't producing a milestone. Break the cycle.
-                _consecutiveCompleteBootstraps++;
-                if (_consecutiveCompleteBootstraps > MAX_CONSECUTIVE_COMPLETE_BOOTSTRAPS) {
-                    _consecutiveCompleteBootstraps = 0;
+                s.consecutiveCompleteBootstraps++;
+                if (s.consecutiveCompleteBootstraps > MAX_CONSECUTIVE_COMPLETE_BOOTSTRAPS) {
+                    s.consecutiveCompleteBootstraps = 0;
                     ctx.ui.notify("All milestones are complete and the discussion didn't produce a new one. " +
                         "Run /gsd to start a new milestone manually.", "warning");
                     return releaseLockAndReturn();
@@ -277,7 +274,7 @@ export async function bootstrapAutoSession(s, ctx, pi, base, verboseMode, reques
                 if (postState.activeMilestone &&
                     postState.phase !== "complete" &&
                     postState.phase !== "pre-planning") {
-                    _consecutiveCompleteBootstraps = 0; // Successfully advanced past "complete"
+                    s.consecutiveCompleteBootstraps = 0; // Successfully advanced past "complete"
                     state = postState;
                 }
                 else if (postState.activeMilestone &&
@@ -338,7 +335,7 @@ export async function bootstrapAutoSession(s, ctx, pi, base, verboseMode, reques
             return releaseLockAndReturn();
         }
         // Successfully resolved an active milestone — reset the re-entry guard
-        _consecutiveCompleteBootstraps = 0;
+        s.consecutiveCompleteBootstraps = 0;
         // ── Initialize session state ──
         s.active = true;
         s.stepMode = requestedStepMode;

package/dist/resources/extensions/gsd/auto.js

@@ -845,12 +845,9 @@ export async function startAuto(ctx, pi, base, verboseMode, options) {
                     s.stepMode = meta.stepMode ?? requestedStepMode;
                     s.autoStartTime = meta.autoStartTime || Date.now();
                     s.paused = true;
-                    try {
-                        unlinkSync(pausedPath);
-                    }
-                    catch (err) { /* non-fatal */
-                        logWarning("session", `pause file cleanup failed: ${err instanceof Error ? err.message : String(err)}`, { file: "auto.ts" });
-                    }
+                    // Don't delete pause file yet — defer until lock is acquired.
+                    // If lock fails, the file must survive for retry.
+                    s.pausedSessionFile = pausedPath;
                     ctx.ui.notify(`Resuming paused custom workflow${meta.activeRunDir ? ` (${meta.activeRunDir})` : ""}.`, "info");
                 }
                 else if (meta.milestoneId) {
@@ -873,13 +870,9 @@ export async function startAuto(ctx, pi, base, verboseMode, options) {
                         s.stepMode = meta.stepMode ?? requestedStepMode;
                         s.autoStartTime = meta.autoStartTime || Date.now();
                         s.paused = true;
-                        // Clean up the persisted file — we're consuming it
-                        try {
-                            unlinkSync(pausedPath);
-                        }
-                        catch (err) { /* non-fatal */
-                            logWarning("session", `pause file cleanup failed: ${err instanceof Error ? err.message : String(err)}`, { file: "auto.ts" });
-                        }
+                        // Don't delete pause file yet — defer until lock is acquired.
+                        // If lock fails, the file must survive for retry.
+                        s.pausedSessionFile = pausedPath;
                         ctx.ui.notify(`Resuming paused session for ${meta.milestoneId}${meta.worktreePath ? ` (worktree)` : ""}.`, "info");
                     }
                 }
@@ -893,9 +886,22 @@ export async function startAuto(ctx, pi, base, verboseMode, options) {
     if (s.paused) {
         const resumeLock = acquireSessionLock(base);
         if (!resumeLock.acquired) {
+            // Reset paused state so isAutoPaused() doesn't stick true after lock failure.
+            // Pause file is preserved on disk for retry — not deleted.
+            s.paused = false;
             ctx.ui.notify(`Cannot resume: ${resumeLock.reason}`, "error");
             return;
         }
+        // Lock acquired — now safe to delete the pause file
+        if (s.pausedSessionFile) {
+            try {
+                unlinkSync(s.pausedSessionFile);
+            }
+            catch (err) {
+                logWarning("session", `pause file cleanup failed: ${err instanceof Error ? err.message : String(err)}`, { file: "auto.ts" });
+            }
+            s.pausedSessionFile = null;
+        }
         s.paused = false;
         s.active = true;
         s.verbose = verboseMode;

package/dist/resources/extensions/gsd/db-writer.js

@@ -300,8 +300,13 @@ export async function saveRequirementToDb(fields, basePath) {
         }
         catch (diskErr) {
             logError('manifest', 'disk write failed, rolling back DB row', { fn: 'saveRequirementToDb', error: String(diskErr.message) });
-            const rollbackAdapter = db._getAdapter();
-            rollbackAdapter?.prepare('DELETE FROM requirements WHERE id = :id').run({ ':id': id });
+            try {
+                const rollbackAdapter = db._getAdapter();
+                rollbackAdapter?.prepare('DELETE FROM requirements WHERE id = :id').run({ ':id': id });
+            }
+            catch (rollbackErr) {
+                logError('manifest', 'SPLIT BRAIN: disk write failed AND DB rollback failed — DB has orphaned row', { fn: 'saveRequirementToDb', id, error: String(rollbackErr.message) });
+            }
             throw diskErr;
         }
         invalidateStateCache();
@@ -399,7 +404,12 @@ export async function saveDecisionToDb(fields, basePath) {
         }
         catch (diskErr) {
             logError('manifest', 'disk write failed, rolling back DB row', { fn: 'saveDecisionToDb', error: String(diskErr.message) });
-            adapter?.prepare('DELETE FROM decisions WHERE id = :id').run({ ':id': id });
+            try {
+                adapter?.prepare('DELETE FROM decisions WHERE id = :id').run({ ':id': id });
+            }
+            catch (rollbackErr) {
+                logError('manifest', 'SPLIT BRAIN: disk write failed AND DB rollback failed — DB has orphaned row', { fn: 'saveDecisionToDb', id, error: String(rollbackErr.message) });
+            }
             throw diskErr;
         }
         // #2661: When a decision defers a slice, update the slice status in the DB

package/dist/resources/extensions/gsd/json-persistence.js

@@ -1,5 +1,6 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync } from "node:fs";
 import { dirname } from "node:path";
+import { randomBytes } from "node:crypto";
 /**
  * Load a JSON file with validation, returning a default on failure.
  * Handles missing files, corrupt JSON, and schema mismatches uniformly.
@@ -45,9 +46,11 @@ export function loadJsonFileOrNull(filePath, validate) {
 export function saveJsonFile(filePath, data) {
     try {
         mkdirSync(dirname(filePath), { recursive: true });
-        const tmp = filePath + ".tmp";
+        // Use randomized tmp suffix to prevent concurrent-write data loss
+        const tmp = `${filePath}.tmp.${randomBytes(4).toString("hex")}`;
         writeFileSync(tmp, JSON.stringify(data, null, 2) + "\n", "utf-8");
         renameSync(tmp, filePath);
+        // No cleanup needed — renameSync atomically removes tmp on success
     }
     catch {
         // Non-fatal — don't let persistence failures break operation
@@ -60,7 +63,7 @@ export function saveJsonFile(filePath, data) {
 export function writeJsonFileAtomic(filePath, data) {
     try {
         mkdirSync(dirname(filePath), { recursive: true });
-        const tmp = filePath + ".tmp";
+        const tmp = `${filePath}.tmp.${randomBytes(4).toString("hex")}`;
         writeFileSync(tmp, JSON.stringify(data, null, 2), "utf-8");
         renameSync(tmp, filePath);
     }

package/dist/resources/extensions/gsd/state.js

@@ -6,7 +6,7 @@ import { parseSummary, loadFile, parseRequirementCounts, parseContextDependsOn,
 import { resolveMilestoneFile, resolveSlicePath, resolveSliceFile, resolveTaskFile, resolveTasksDir, resolveGsdRootFile, gsdRoot, } from './paths.js';
 import { findMilestoneIds } from './milestone-ids.js';
 import { loadQueueOrder, sortByQueueOrder } from './queue-order.js';
-import { isDeferredStatus } from './status-guards.js';
+import { isClosedStatus, isDeferredStatus } from './status-guards.js';
 import { nativeBatchParseGsdFiles } from './native-parser-bridge.js';
 import { join, resolve } from 'path';
 import { existsSync, readdirSync, readFileSync } from 'node:fs';
@@ -119,7 +119,7 @@ export async function getActiveMilestoneId(basePath) {
             const byId = new Map(allMilestones.map(m => [m.id, m]));
             for (const id of sortedIds) {
                 const m = byId.get(id);
-                if (m.status === "complete" || m.status === "done" || m.status === "parked")
+                if (isClosedStatus(m.status) || m.status === "parked")
                     continue;
                 return m.id;
             }
@@ -362,13 +362,10 @@ export async function deriveStateFromDb(basePath) {
             completeMilestoneIds.add(m.id);
             continue;
         }
-        // Check roadmap: all slices done means milestone is complete
-        const slices = getMilestoneSlices(m.id);
-        if (slices.length > 0 && slices.every(s => isStatusDone(s.status))) {
-            // All slices done but no summary — still counts as complete for dep resolution
-            // if a summary file exists
-            // Note: without summary file, the milestone is in validating/completing state, not complete
-        }
+        // Milestones with all slices done but no SUMMARY file are in
+        // validating/completing state — intentionally NOT added to
+        // completeMilestoneIds.  The SUMMARY file (checked above) is the
+        // terminal artifact that proves completion per #864.
     }
     // Phase 2: Build registry and find active milestone
     const registry = [];
@@ -840,7 +837,12 @@ export async function deriveStateFromDb(basePath) {
     // ── REPLAN-TRIGGER detection ─────────────────────────────────────────
     if (!blockerTaskId) {
         const sliceRow = getSlice(activeMilestone.id, activeSlice.id);
-        if (sliceRow?.replan_triggered_at) {
+        // Check DB column first, fall back to disk trigger file when DB write
+        // was best-effort and failed (triage-resolution.ts dual-write gap).
+        const dbTriggered = !!sliceRow?.replan_triggered_at;
+        const diskTriggered = !dbTriggered &&
+            !!resolveSliceFile(basePath, activeMilestone.id, activeSlice.id, "REPLAN-TRIGGER");
+        if (dbTriggered || diskTriggered) {
             // Loop protection: if replan_history has entries, replan was already done
             const replanHistory = getReplanHistory(activeMilestone.id, activeSlice.id);
             if (replanHistory.length === 0) {

package/dist/resources/extensions/gsd/tools/complete-milestone.js

@@ -15,7 +15,7 @@ import { invalidateStateCache } from "../state.js";
 import { renderAllProjections, stripIdPrefix } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
-import { logWarning } from "../workflow-logger.js";
+import { logWarning, logError } from "../workflow-logger.js";
 function renderMilestoneSummaryMarkdown(params) {
     const now = new Date().toISOString();
     const displayTitle = stripIdPrefix(params.title, params.milestoneId);
@@ -156,9 +156,21 @@ export async function handleCompleteMilestone(params, basePath) {
     clearPathCache();
     clearParseCache();
     // ── Post-mutation hook: projections, manifest, event log ───────────────
+    // Separate try/catch per step so a projection failure doesn't prevent
+    // the event log entry (critical for worktree reconciliation).
     try {
         await renderAllProjections(basePath, params.milestoneId);
+    }
+    catch (projErr) {
+        logWarning("tool", `complete-milestone projection warning: ${projErr.message}`);
+    }
+    try {
         writeManifest(basePath);
+    }
+    catch (mfErr) {
+        logWarning("tool", `complete-milestone manifest warning: ${mfErr.message}`);
+    }
+    try {
         appendEvent(basePath, {
             cmd: "complete-milestone",
             params: { milestoneId: params.milestoneId },
@@ -168,8 +180,8 @@ export async function handleCompleteMilestone(params, basePath) {
             trigger_reason: params.triggerReason,
         });
     }
-    catch (hookErr) {
-        logWarning("tool", `complete-milestone post-mutation hook warning: ${hookErr.message}`);
+    catch (eventErr) {
+        logError("tool", `complete-milestone event log FAILED — completion invisible to reconciliation`, { error: eventErr.message });
     }
     return {
         milestoneId: params.milestoneId,

package/dist/resources/extensions/gsd/tools/complete-slice.js

@@ -18,7 +18,7 @@ import { renderRoadmapCheckboxes } from "../markdown-renderer.js";
 import { renderAllProjections } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
-import { logWarning } from "../workflow-logger.js";
+import { logWarning, logError } from "../workflow-logger.js";
 /**
  * Render slice summary markdown matching the template format.
  * YAML frontmatter uses snake_case keys for parseSummary() compatibility.
@@ -276,9 +276,21 @@ export async function handleCompleteSlice(params, basePath) {
     clearPathCache();
     clearParseCache();
     // ── Post-mutation hook: projections, manifest, event log ───────────────
+    // Separate try/catch per step so a projection failure doesn't prevent
+    // the event log entry (critical for worktree reconciliation).
     try {
         await renderAllProjections(basePath, params.milestoneId);
+    }
+    catch (projErr) {
+        logWarning("tool", `complete-slice projection warning for ${params.milestoneId}/${params.sliceId}: ${projErr.message}`);
+    }
+    try {
         writeManifest(basePath);
+    }
+    catch (mfErr) {
+        logWarning("tool", `complete-slice manifest warning: ${mfErr.message}`);
+    }
+    try {
         appendEvent(basePath, {
             cmd: "complete-slice",
             params: { milestoneId: params.milestoneId, sliceId: params.sliceId },
@@ -288,8 +300,8 @@ export async function handleCompleteSlice(params, basePath) {
             trigger_reason: params.triggerReason,
         });
     }
-    catch (hookErr) {
-        logWarning("tool", `complete-slice post-mutation hook failed for ${params.milestoneId}/${params.sliceId}`, { error: hookErr.message });
+    catch (eventErr) {
+        logError("tool", `complete-slice event log FAILED — completion invisible to reconciliation`, { error: eventErr.message });
     }
     return {
         sliceId: params.sliceId,

package/dist/resources/extensions/gsd/tools/complete-task.js

@@ -18,7 +18,7 @@ import { renderPlanCheckboxes } from "../markdown-renderer.js";
 import { renderAllProjections, renderSummaryContent } from "../workflow-projections.js";
 import { writeManifest } from "../workflow-manifest.js";
 import { appendEvent } from "../workflow-events.js";
-import { logWarning } from "../workflow-logger.js";
+import { logWarning, logError } from "../workflow-logger.js";
 /**
  * Normalize a list parameter that may arrive as a string (newline-delimited
  * bullet list from the LLM) into a string array (#3361).
@@ -194,9 +194,21 @@ export async function handleCompleteTask(params, basePath) {
     clearPathCache();
     clearParseCache();
     // ── Post-mutation hook: projections, manifest, event log ───────────────
+    // Separate try/catch per step so a projection failure doesn't prevent
+    // the event log entry (critical for worktree reconciliation).
     try {
         await renderAllProjections(basePath, params.milestoneId);
+    }
+    catch (projErr) {
+        logWarning("tool", `complete-task projection warning: ${projErr.message}`);
+    }
+    try {
         writeManifest(basePath);
+    }
+    catch (mfErr) {
+        logWarning("tool", `complete-task manifest warning: ${mfErr.message}`);
+    }
+    try {
         appendEvent(basePath, {
             cmd: "complete-task",
             params: { milestoneId: params.milestoneId, sliceId: params.sliceId, taskId: params.taskId },
@@ -206,8 +218,8 @@ export async function handleCompleteTask(params, basePath) {
             trigger_reason: params.triggerReason,
         });
     }
-    catch (hookErr) {
-        logWarning("tool", `complete-task post-mutation hook warning: ${hookErr.message}`);
+    catch (eventErr) {
+        logError("tool", `complete-task event log FAILED — completion invisible to reconciliation`, { error: eventErr.message });
     }
     return {
         taskId: params.taskId,

package/dist/resources/extensions/gsd/triage-resolution.js

@@ -9,7 +9,8 @@
  *
  * Also provides detectFileOverlap() for surfacing downstream impact on quick tasks.
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, unlinkSync } from "node:fs";
+import { atomicWriteSync } from "./atomic-write.js";
 import { join } from "node:path";
 import { createRequire } from "node:module";
 import { gsdRoot, milestonesDir } from "./paths.js";
@@ -46,11 +47,11 @@ export function executeInject(basePath, mid, sid, capture) {
         const filesSection = content.indexOf("## Files Likely Touched");
         if (filesSection !== -1) {
             const updated = content.slice(0, filesSection) + newTask + "\n\n" + content.slice(filesSection);
-            writeFileSync(planPath, updated, "utf-8");
+            atomicWriteSync(planPath, updated, "utf-8");
         }
         else {
             // No Files section — append at end
-            writeFileSync(planPath, content.trimEnd() + "\n\n" + newTask + "\n", "utf-8");
+            atomicWriteSync(planPath, content.trimEnd() + "\n\n" + newTask + "\n", "utf-8");
         }
         return newId;
     }
@@ -78,7 +79,7 @@ export function executeReplan(basePath, mid, sid, capture) {
             `This file was created by the triage pipeline. The next dispatch cycle`,
             `will detect it and enter the replanning-slice phase.`,
         ].join("\n");
-        writeFileSync(triggerPath, content, "utf-8");
+        atomicWriteSync(triggerPath, content, "utf-8");
         // Also write replan_triggered_at column for DB-backed detection
         try {
             const req = createRequire(import.meta.url);
@@ -146,7 +147,7 @@ export function executeBacktrack(basePath, currentMilestoneId, capture) {
             `2. Identify missing features/requirements from the target milestone`,
             `3. Resume auto-mode — the state machine will re-enter discussion for the target`,
         ].join("\n");
-        writeFileSync(triggerPath, content, "utf-8");
+        atomicWriteSync(triggerPath, content, "utf-8");
         // If we have a valid target, also reset that milestone's completion status
         // so deriveState() will re-enter it as the active milestone.
         if (targetMilestoneId) {
@@ -156,7 +157,7 @@ export function executeBacktrack(basePath, currentMilestoneId, capture) {
                     // Write a regression marker so the state machine knows this milestone
                     // needs re-discussion, not just re-execution
                     const regressionPath = join(targetDir, `${targetMilestoneId}-REGRESSION.md`);
-                    writeFileSync(regressionPath, [
+                    atomicWriteSync(regressionPath, [
                         `# Milestone Regression`,
                         ``,
                         `**From:** ${currentMilestoneId}`,
@@ -292,7 +293,7 @@ export function ensureDeferMilestoneDir(basePath, targetMilestone, captures) {
             captureList || `(no captures yet)`,
             ``,
         ].join("\n");
-        writeFileSync(join(msDir, `${targetMilestone}-CONTEXT-DRAFT.md`), draftContent, "utf-8");
+        atomicWriteSync(join(msDir, `${targetMilestone}-CONTEXT-DRAFT.md`), draftContent, "utf-8");
         return true;
     }
     catch {

package/dist/resources/extensions/gsd/undo.js

@@ -2,9 +2,10 @@
 // handleUndo: Rollback the most recent completed unit (revert git, remove state, uncheck plans).
 // handleUndoTask: Reset a single task's DB status to "pending" and re-render markdown.
 // handleResetSlice: Reset a slice and all its tasks, re-rendering plan + roadmap.
-import { existsSync, readFileSync, writeFileSync, unlinkSync, readdirSync } from "node:fs";
+import { existsSync, readFileSync, unlinkSync, readdirSync } from "node:fs";
 import { join, basename } from "node:path";
 import { nativeRevertCommit, nativeRevertAbort } from "./native-git-bridge.js";
+import { atomicWriteSync } from "./atomic-write.js";
 import { parseUnitId } from "./unit-id.js";
 import { deriveState } from "./state.js";
 import { invalidateAllCaches } from "./cache.js";
@@ -331,7 +332,7 @@ export function uncheckTaskInPlan(basePath, mid, sid, tid) {
     const regex = new RegExp(`^(\\s*-\\s*)\\[x\\](\\s*\\**${tid}\\**[:\\s])`, "mi");
     if (regex.test(content)) {
         content = content.replace(regex, "$1[ ]$2");
-        writeFileSync(planFile, content, "utf-8");
+        atomicWriteSync(planFile, content);
         return true;
     }
     return false;

package/dist/resources/extensions/gsd/workflow-logger.js

@@ -223,7 +223,7 @@ function _sanitizeForAudit(entry) {
     };
     if (entry.context) {
         // Allowlist: only persist known-safe structured keys
-        const SAFE_KEYS = new Set(["fn", "tool", "mid", "sid", "tid", "worktree"]);
+        const SAFE_KEYS = new Set(["fn", "tool", "mid", "sid", "tid", "worktree", "id", "error", "count"]);
         const filtered = {};
         for (const [k, v] of Object.entries(entry.context)) {
             if (SAFE_KEYS.has(k)) {