npm - gsd-pi - Versions diffs - 2.76.0-dev.97807402 → 2.76.0-dev.97f5583d9 - Mend

gsd-pi 2.76.0-dev.97807402 → 2.76.0-dev.97f5583d9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/src/resources/extensions/gsd/tests/pre-exec-gate-loop.test.ts ADDED Viewed

@@ -0,0 +1,272 @@
+/**
+ * pre-exec-gate-loop.test.ts — Regression tests for #4551.
+ *
+ * Verifies that when a pre-execution gate fails on a plan-slice unit:
+ *   1. `s.lastPreExecFailure` is populated on the AutoSession with the blocking
+ *      findings and a verdict excerpt.
+ *   2. The `planning → plan-slice` dispatch rule reads that field and injects a
+ *      "Fix these specific issues" section into the prompt.
+ *   3. The field is cleared (consumed) after the prompt is built so that stale
+ *      context does not bleed into an unrelated future plan-slice run.
+ *   4. When the failure belongs to a *different* unit ID, the dispatch rule
+ *      does NOT inject the stale context into the prompt.
+ */
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { AutoSession } from "../auto/session.ts";
+import { resolveDispatch } from "../auto-dispatch.ts";
+import type { DispatchContext } from "../auto-dispatch.ts";
+import { buildPlanSlicePrompt } from "../auto-prompts.ts";
+import {
+  openDatabase,
+  closeDatabase,
+  insertMilestone,
+  insertSlice,
+  insertTask,
+} from "../gsd-db.ts";
+import { deriveStateFromDb } from "../state.ts";
+import { _clearGsdRootCache } from "../paths.ts";
+import { invalidateAllCaches } from "../cache.ts";
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function makeTempBase(): string {
+  const base = mkdtempSync(join(tmpdir(), "gsd-4551-"));
+  mkdirSync(join(base, ".gsd", "milestones", "M001", "slices", "S01"), { recursive: true });
+  mkdirSync(join(base, ".gsd", "milestones", "M001", "slices", "S01", "tasks"), { recursive: true });
+  return base;
+}
+function seedPlanningState(base: string): void {
+  openDatabase(join(base, ".gsd", "gsd.db"));
+  insertMilestone({ id: "M001", title: "Test Milestone", status: "active" });
+  insertSlice({
+    id: "S01",
+    milestoneId: "M001",
+    title: "Core Slice",
+    status: "pending",
+    risk: "medium",
+    depends: [],
+    demo: "demo",
+    sequence: 1,
+    isSketch: false,
+  });
+  // Write minimal ROADMAP so state derivation doesn't error
+  writeFileSync(
+    join(base, ".gsd", "milestones", "M001", "M001-ROADMAP.md"),
+    "# Roadmap\n",
+  );
+}
+function cleanup(base: string, originalCwd: string): void {
+  try { closeDatabase(); } catch { /* noop */ }
+  try { process.chdir(originalCwd); } catch { /* noop */ }
+  try { rmSync(base, { recursive: true, force: true }); } catch { /* noop */ }
+}
+// ─── Tests ────────────────────────────────────────────────────────────────────
+test("#4551: AutoSession.lastPreExecFailure defaults to null", () => {
+  const s = new AutoSession();
+  assert.equal(s.lastPreExecFailure, null, "lastPreExecFailure must start null");
+});
+test("#4551: AutoSession.reset() clears lastPreExecFailure", () => {
+  const s = new AutoSession();
+  s.lastPreExecFailure = {
+    unitId: "M001/S01",
+    blockingFindings: ["[file] src/foo.ts: file not found"],
+    verdictExcerpt: "status=fail; 1 blocking issue detected",
+  };
+  s.reset();
+  assert.equal(s.lastPreExecFailure, null, "reset() must clear lastPreExecFailure");
+});
+test("#4551: buildPlanSlicePrompt injects fix section when priorPreExecFailure provided", async (t) => {
+  const originalCwd = process.cwd();
+  const base = makeTempBase();
+  t.after(() => cleanup(base, originalCwd));
+  seedPlanningState(base);
+  process.chdir(base);
+  _clearGsdRootCache();
+  invalidateAllCaches();
+  const prompt = await buildPlanSlicePrompt(
+    "M001", "Test Milestone", "S01", "Core Slice", base,
+    undefined,
+    {
+      priorPreExecFailure: {
+        blockingFindings: [
+          "[file] src/utils/helper.ts: file not found",
+          "[package] nonexistent-pkg: package not found on npm",
+        ],
+        verdictExcerpt: "status=fail; 2 blocking issues detected",
+      },
+    },
+  );
+  assert.ok(
+    prompt.includes("Fix these specific issues from the prior pre-exec check"),
+    "prompt must contain the fix section heading",
+  );
+  assert.ok(
+    prompt.includes("src/utils/helper.ts: file not found"),
+    "prompt must include the specific file finding",
+  );
+  assert.ok(
+    prompt.includes("nonexistent-pkg: package not found on npm"),
+    "prompt must include the specific package finding",
+  );
+  assert.ok(
+    prompt.includes("status=fail; 2 blocking issues detected"),
+    "prompt must include the verdict excerpt",
+  );
+});
+test("#4551: buildPlanSlicePrompt with no priorPreExecFailure does NOT include fix section", async (t) => {
+  const originalCwd = process.cwd();
+  const base = makeTempBase();
+  t.after(() => cleanup(base, originalCwd));
+  seedPlanningState(base);
+  process.chdir(base);
+  _clearGsdRootCache();
+  invalidateAllCaches();
+  const prompt = await buildPlanSlicePrompt(
+    "M001", "Test Milestone", "S01", "Core Slice", base,
+    undefined,
+    { /* no priorPreExecFailure */ },
+  );
+  assert.ok(
+    !prompt.includes("Fix these specific issues from the prior pre-exec check"),
+    "prompt must NOT include the fix section when no failure context is given",
+  );
+});
+test("#4551: dispatch rule injects failure context and clears session field", async (t) => {
+  const originalCwd = process.cwd();
+  const base = makeTempBase();
+  t.after(() => cleanup(base, originalCwd));
+  seedPlanningState(base);
+  // Write a RESEARCH file so the dispatch rule skips research-slice and reaches
+  // plan-slice (which is the phase we're testing).
+  writeFileSync(
+    join(base, ".gsd", "milestones", "M001", "slices", "S01", "S01-RESEARCH.md"),
+    "# Research\n",
+  );
+  process.chdir(base);
+  _clearGsdRootCache();
+  invalidateAllCaches();
+  const state = await deriveStateFromDb(base);
+  assert.equal(state.phase, "planning", "state must be in planning phase");
+  const session = new AutoSession();
+  session.basePath = base;
+  session.active = true;
+  session.lastPreExecFailure = {
+    unitId: "M001/S01",
+    blockingFindings: ["[file] src/missing.ts: file not found"],
+    verdictExcerpt: "status=fail; 1 blocking issue detected",
+  };
+  const ctx: DispatchContext = {
+    basePath: base,
+    mid: "M001",
+    midTitle: "Test Milestone",
+    state,
+    prefs: { phases: { reassess_after_slice: false, skip_research: true } } as any,
+    session,
+  };
+  const result = await resolveDispatch(ctx);
+  assert.equal(result.action, "dispatch", "must dispatch a unit");
+  if (result.action !== "dispatch") throw new Error("unreachable");
+  assert.equal(result.unitType, "plan-slice", "must be a plan-slice unit");
+  // The fix section must appear in the prompt
+  assert.ok(
+    result.prompt.includes("Fix these specific issues from the prior pre-exec check"),
+    "dispatched prompt must include the fix section",
+  );
+  assert.ok(
+    result.prompt.includes("src/missing.ts: file not found"),
+    "dispatched prompt must include the specific blocking finding",
+  );
+  // Field must be cleared after consumption
+  assert.equal(
+    session.lastPreExecFailure,
+    null,
+    "lastPreExecFailure must be cleared after being consumed by the dispatch rule",
+  );
+});
+test("#4551: dispatch rule does NOT inject stale failure for a different slice", async (t) => {
+  const originalCwd = process.cwd();
+  const base = makeTempBase();
+  t.after(() => cleanup(base, originalCwd));
+  seedPlanningState(base);
+  // Write a RESEARCH file so dispatch reaches plan-slice, making the assertion
+  // about the prompt meaningful (we can check it's a plan-slice prompt without
+  // the fix section rather than a research-slice prompt without it).
+  writeFileSync(
+    join(base, ".gsd", "milestones", "M001", "slices", "S01", "S01-RESEARCH.md"),
+    "# Research\n",
+  );
+  process.chdir(base);
+  _clearGsdRootCache();
+  invalidateAllCaches();
+  const state = await deriveStateFromDb(base);
+  const session = new AutoSession();
+  session.basePath = base;
+  session.active = true;
+  // Failure belongs to a different slice (S02), not the active one (S01)
+  session.lastPreExecFailure = {
+    unitId: "M001/S02",
+    blockingFindings: ["[file] src/other.ts: file not found"],
+    verdictExcerpt: "status=fail; 1 blocking issue detected",
+  };
+  const ctx: DispatchContext = {
+    basePath: base,
+    mid: "M001",
+    midTitle: "Test Milestone",
+    state,
+    prefs: { phases: { reassess_after_slice: false, skip_research: true } } as any,
+    session,
+  };
+  const result = await resolveDispatch(ctx);
+  assert.equal(result.action, "dispatch");
+  if (result.action !== "dispatch") throw new Error("unreachable");
+  // The stale fix section must NOT appear
+  assert.ok(
+    !result.prompt.includes("Fix these specific issues from the prior pre-exec check"),
+    "prompt must NOT include fix section for a mismatched unit ID",
+  );
+  assert.ok(
+    !result.prompt.includes("src/other.ts"),
+    "prompt must NOT include findings from a different slice",
+  );
+  // Field must remain untouched (not consumed)
+  assert.notEqual(
+    session.lastPreExecFailure,
+    null,
+    "lastPreExecFailure must NOT be cleared when unit IDs don't match",
+  );
+});

package/src/resources/extensions/gsd/tests/safety-harness-false-positives.test.ts ADDED Viewed

@@ -0,0 +1,205 @@
+/**
+ * Regression tests for three false-positive sources in the safety harness.
+ * Issue #4385
+ *
+ * Bug 1: Hardcoded BASH_READ_ONLY_RE — new legitimate commands blocked
+ * Bug 2: Non-persisted evidence — session restart causes false positive on resume
+ * Bug 3: git diff HEAD~1 scope check — fails on initial commits / shallow clones
+ */
+import test from "node:test";
+import assert from "node:assert/strict";
+import { execFileSync } from "node:child_process";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { shouldBlockQueueExecution } from "../bootstrap/write-gate.ts";
+import {
+  resetEvidence,
+  recordToolCall,
+  getEvidence,
+  saveEvidenceToDisk,
+  loadEvidenceFromDisk,
+} from "../safety/evidence-collector.ts";
+import { validateFileChanges } from "../safety/file-change-validator.ts";
+// ─── Bug 1: Hardcoded Bash allowlist ────────────────────────────────────────
+test("safety-harness-bug1: npm commands are not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "npm run test", true);
+  assert.strictEqual(r.block, false, "npm run test must be read-only-safe");
+});
+test("safety-harness-bug1: npx commands are not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "npx tsc --noEmit", true);
+  assert.strictEqual(r.block, false, "npx tsc --noEmit must pass");
+});
+test("safety-harness-bug1: tsx commands are not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "tsx src/index.ts", true);
+  assert.strictEqual(
+    r.block,
+    false,
+    "tsx (TypeScript runner — read-only investigative) must pass",
+  );
+});
+test("safety-harness-bug1: node --print commands are not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "node --print 'process.version'", true);
+  assert.strictEqual(r.block, false, "node --print must pass");
+});
+test("safety-harness-bug1: python read-only invocations are not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "python -c 'import sys; print(sys.version)'", true);
+  assert.strictEqual(r.block, false, "python -c read-only must pass");
+});
+test("safety-harness-bug1: jq read-only command is not blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "jq '.version' package.json", true);
+  assert.strictEqual(r.block, false, "jq (read-only JSON query) must pass");
+});
+test("safety-harness-bug1: destructive commands are still blocked during queue mode", () => {
+  const r = shouldBlockQueueExecution("bash", "rm -rf dist/", true);
+  assert.strictEqual(r.block, true, "rm -rf must still be blocked");
+});
+// ─── Bug 2: Non-persisted evidence ──────────────────────────────────────────
+test("safety-harness-bug2: evidence survives save/load round-trip (simulates session restart)", (t) => {
+  const base = mkdtempSync(join(tmpdir(), "gsd-evidence-persist-"));
+  t.after(() => rmSync(base, { recursive: true, force: true }));
+  resetEvidence();
+  // Simulate bash tool calls during unit execution
+  recordToolCall("tc-001", "Bash", { command: "npm run test:unit" });
+  recordToolCall("tc-002", "Bash", { command: "npx tsc --noEmit" });
+  recordToolCall("tc-003", "Write", { file_path: "src/foo.ts" });
+  const before = getEvidence();
+  assert.equal(before.length, 3, "three entries before save");
+  // Persist to disk
+  saveEvidenceToDisk(base, "M001", "S001", "T001");
+  // Simulate session restart: module-level array reset
+  resetEvidence();
+  assert.equal(getEvidence().length, 0, "in-memory cleared after reset");
+  // Resume: load from disk
+  loadEvidenceFromDisk(base, "M001", "S001", "T001");
+  const after = getEvidence();
+  assert.equal(after.length, 3, "evidence restored from disk after simulated restart");
+  const bashEntries = after.filter((e) => e.kind === "bash");
+  assert.equal(bashEntries.length, 2, "both bash entries restored");
+  const writeEntries = after.filter((e) => e.kind === "write");
+  assert.equal(writeEntries.length, 1, "write entry restored");
+});
+test("safety-harness-bug2: loadEvidenceFromDisk returns empty array when no file exists (fresh unit)", (t) => {
+  const base = mkdtempSync(join(tmpdir(), "gsd-evidence-nopersist-"));
+  t.after(() => rmSync(base, { recursive: true, force: true }));
+  resetEvidence();
+  loadEvidenceFromDisk(base, "M001", "S001", "T001");
+  assert.equal(getEvidence().length, 0, "no evidence on fresh unit is correct — not a false positive");
+});
+// ─── Bug 3: git diff HEAD~1 scope check ─────────────────────────────────────
+test("safety-harness-bug3: validateFileChanges works on initial commit (no HEAD~1)", (t) => {
+  const base = mkdtempSync(join(tmpdir(), "gsd-initial-commit-"));
+  t.after(() => rmSync(base, { recursive: true, force: true }));
+  execFileSync("git", ["init"], { cwd: base });
+  execFileSync("git", ["config", "user.email", "test@example.com"], { cwd: base });
+  execFileSync("git", ["config", "user.name", "Test User"], { cwd: base });
+  writeFileSync(join(base, "index.ts"), "export const x = 1;\n");
+  execFileSync("git", ["add", "."], { cwd: base });
+  execFileSync("git", ["commit", "-m", "initial"], { cwd: base });
+  // On initial commit, HEAD~1 does not exist — must not throw or produce wrong results
+  const audit = validateFileChanges(base, ["index.ts"], []);
+  assert.ok(audit !== null, "audit must be produced for initial commit");
+  assert.deepEqual(audit!.unexpectedFiles, [], "no unexpected files on initial commit");
+  assert.deepEqual(audit!.missingFiles, [], "no missing files on initial commit");
+});
+test("safety-harness-bug3: validateFileChanges works on shallow clone (shallow repo without full history)", (t) => {
+  // Simulate shallow clone: create a repo, then clone it with depth=1
+  const origin = mkdtempSync(join(tmpdir(), "gsd-origin-"));
+  const shallow = mkdtempSync(join(tmpdir(), "gsd-shallow-"));
+  t.after(() => {
+    rmSync(origin, { recursive: true, force: true });
+    rmSync(shallow, { recursive: true, force: true });
+  });
+  // Set up origin with multiple commits
+  execFileSync("git", ["init"], { cwd: origin });
+  execFileSync("git", ["config", "user.email", "test@example.com"], { cwd: origin });
+  execFileSync("git", ["config", "user.name", "Test User"], { cwd: origin });
+  writeFileSync(join(origin, "a.ts"), "export const a = 1;\n");
+  execFileSync("git", ["add", "."], { cwd: origin });
+  execFileSync("git", ["commit", "-m", "first"], { cwd: origin });
+  writeFileSync(join(origin, "b.ts"), "export const b = 2;\n");
+  execFileSync("git", ["add", "."], { cwd: origin });
+  execFileSync("git", ["commit", "-m", "second"], { cwd: origin });
+  // Shallow clone with depth=1 — HEAD~1 will not exist
+  execFileSync("git", ["clone", "--depth=1", `file://${origin}`, shallow], {
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  // Verify the shallow clone has no parent (HEAD~1 unavailable)
+  let hasParent = true;
+  try {
+    execFileSync("git", ["rev-parse", "HEAD~1"], {
+      cwd: shallow,
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+  } catch {
+    hasParent = false;
+  }
+  assert.equal(hasParent, false, "shallow clone should not have HEAD~1");
+  // validateFileChanges must not throw or give wrong results
+  const audit = validateFileChanges(shallow, ["b.ts"], []);
+  assert.ok(audit !== null, "audit must be produced even in shallow clone");
+});
+test("safety-harness-bug3: validateFileChanges works on merge commit", (t) => {
+  const base = mkdtempSync(join(tmpdir(), "gsd-merge-commit-"));
+  t.after(() => rmSync(base, { recursive: true, force: true }));
+  execFileSync("git", ["init", "-b", "main"], { cwd: base });
+  execFileSync("git", ["config", "user.email", "test@example.com"], { cwd: base });
+  execFileSync("git", ["config", "user.name", "Test User"], { cwd: base });
+  // Main branch: initial commit
+  writeFileSync(join(base, "main.ts"), "export const m = 1;\n");
+  execFileSync("git", ["add", "."], { cwd: base });
+  execFileSync("git", ["commit", "-m", "initial"], { cwd: base });
+  // Feature branch
+  execFileSync("git", ["checkout", "-b", "feature"], { cwd: base });
+  writeFileSync(join(base, "feature.ts"), "export const f = 2;\n");
+  execFileSync("git", ["add", "."], { cwd: base });
+  execFileSync("git", ["commit", "-m", "feature work"], { cwd: base });
+  // Merge back to main
+  execFileSync("git", ["checkout", "main"], { cwd: base });
+  execFileSync("git", ["merge", "--no-ff", "feature", "-m", "Merge feature"], { cwd: base });
+  // HEAD is now a merge commit with two parents — git diff HEAD~1 gives wrong scope
+  const audit = validateFileChanges(base, ["feature.ts"], []);
+  // Must produce a valid result without throwing
+  assert.ok(audit !== null, "audit must be produced for merge commit repo");
+});

package/src/resources/extensions/gsd/tests/uok-plan-v2-wiring.test.ts CHANGED Viewed

@@ -109,6 +109,29 @@ test("plan-v2 gate fails closed for execution phase when finalized context is mi
   assert.match(compiled.reason ?? "", /CONTEXT\.md/i);
 });
+test("plan-v2 gate accepts finalized context from project-root fallback", () => {
+  const projectRoot = createBasePath();
+  const worktreeBase = createBasePath();
+  seedGraphRows();
+  writeMilestoneFile(projectRoot, "CONTEXT", "Finalized context in project root.");
+  writeMilestoneFile(worktreeBase, "CONTEXT-DRAFT", "Draft context in worktree.");
+  const prevProjectRoot = process.env.GSD_PROJECT_ROOT;
+  process.env.GSD_PROJECT_ROOT = projectRoot;
+  try {
+    const compiled = ensurePlanV2Graph(worktreeBase, buildState("executing"));
+    assert.equal(compiled.ok, true);
+    assert.equal(compiled.finalizedContextIncluded, true);
+  } finally {
+    if (prevProjectRoot === undefined) {
+      delete process.env.GSD_PROJECT_ROOT;
+    } else {
+      process.env.GSD_PROJECT_ROOT = prevProjectRoot;
+    }
+  }
+});
 test("plan-v2 compiler writes pipeline metadata for clarify/research/draft stages", () => {
   const basePath = createBasePath();
   seedGraphRows();

package/src/resources/extensions/gsd/uok/plan-v2.ts CHANGED Viewed

@@ -38,6 +38,29 @@ function hasFileContent(path: string | null): boolean {
   }
 }
+function getArtifactLookupBases(basePath: string): string[] {
+  const bases = [basePath];
+  const projectRoot = process.env.GSD_PROJECT_ROOT;
+  if (projectRoot && projectRoot.trim().length > 0 && projectRoot !== basePath) {
+    bases.push(projectRoot);
+  }
+  return bases;
+}
+function hasMilestoneFileContent(
+  basePath: string,
+  milestoneId: string,
+  suffix: string,
+): boolean {
+  const bases = getArtifactLookupBases(basePath);
+  for (const candidateBase of bases) {
+    if (hasFileContent(resolveMilestoneFile(candidateBase, milestoneId, suffix))) {
+      return true;
+    }
+  }
+  return false;
+}
 function countSliceResearchArtifacts(basePath: string, milestoneId: string, slices: SliceRow[]): number {
   let count = 0;
   for (const slice of slices) {
@@ -60,9 +83,9 @@ export function compileUnitGraphFromState(basePath: string, state: GSDState): Pl
   const slices = getMilestoneSlices(mid).sort((a, b) => Number(a.sequence ?? 0) - Number(b.sequence ?? 0));
   const nodes: UokGraphNode[] = [];
   const clarifyRoundLimit = PLAN_V2_CLARIFY_ROUND_LIMIT;
-  const draftContextIncluded = hasFileContent(resolveMilestoneFile(basePath, mid, "CONTEXT-DRAFT"));
-  const finalizedContextIncluded = hasFileContent(resolveMilestoneFile(basePath, mid, "CONTEXT"));
-  const researchSynthesized = hasFileContent(resolveMilestoneFile(basePath, mid, "RESEARCH"))
+  const draftContextIncluded = hasMilestoneFileContent(basePath, mid, "CONTEXT-DRAFT");
+  const finalizedContextIncluded = hasMilestoneFileContent(basePath, mid, "CONTEXT");
+  const researchSynthesized = hasMilestoneFileContent(basePath, mid, "RESEARCH")
     || countSliceResearchArtifacts(basePath, mid, slices) > 0;
   if (isExecutionEntryPhase(state.phase) && !finalizedContextIncluded) {

package/src/resources/extensions/gsd/workflow-logger.ts CHANGED Viewed

@@ -58,7 +58,8 @@ export type LogComponent =
   | "memory-embeddings" // Memory layer embedding generation
   | "memory-ingest"     // Memory layer ingestion pipeline
   | "memory-backfill"   // ADR-013: decisions->memories backfill
-  | "context-mode";    // Context-mode exec sandbox and compaction snapshot
+  | "context-mode"     // Context-mode exec sandbox and compaction snapshot
+  | "preflight";       // Clean-root preflight gate at milestone completion
 export interface LogEntry {
   ts: string;

/package/dist/web/standalone/.next/static/{pI48IF3dgfs0CBrYi2bh_ → lLdDRDspgYzfz0bJAmUSz}/_buildManifest.js RENAMED Viewed

File without changes

/package/dist/web/standalone/.next/static/{pI48IF3dgfs0CBrYi2bh_ → lLdDRDspgYzfz0bJAmUSz}/_ssgManifest.js RENAMED Viewed

File without changes