gsd-pi 2.78.0 → 2.78.1

package/README.md

@@ -27,34 +27,70 @@ One command. Walk away. Come back to a built project with clean git history.
 
 ---
 
-## What's New in v2.77
+## What's New in v2.78
 
-### Context Mode & Execution
+### Worktree Lifecycle & Forensics
 
-- **Context Mode** — a dispatch behavior that builds task-ready context automatically: it pulls in the most relevant project artifacts, prior session state, milestone/slice signals, and execution metadata before the model runs. This reduces manual prompt assembly, improves continuity across turns, and helps tasks start with the right files and constraints from the first dispatch. Enabled by default for new projects (opt out with `enabled: false`).
-- **Sandboxed execution tools** — added `gsd_exec_search`, `gsd_resume`, and sandboxed tool-output execution paths for context-mode flows, so search/resume and follow-up execution can run with tighter boundaries and more predictable runtime behavior.
-- **Preflight hardening** — milestone completion now performs stricter clean-root preflight checks and can auto-stash when needed, reducing accidental dirty-tree transitions and helping completion flows fail fast with clearer remediation.
+- **Slice-cadence worktree collapse (#4765)** — new `git.collapse_cadence: "milestone" | "slice"` preference. With `slice`, each validated slice squash-merges to main immediately, shrinking the orphan window from milestone-size to slice-size. Pair with `git.milestone_resquash: true` to collapse per-slice commits into one milestone commit at completion.
+- **Worktree telemetry (#4764)** — new journal events (`worktree-created`, `worktree-merged`, `worktree-orphaned`, `auto-exit`, `canonical-root-redirect`, `slice-merged`, `milestone-resquash`) and a `summarizeWorktreeTelemetry` aggregator that reports orphan breakdowns, merge durations, conflict counts, exit reasons, and unmerged-exit metrics.
+- **`/gsd forensics` worktree section** — surfaces the telemetry above with two new anomalies: `worktree-orphan` and `worktree-unmerged-exit`.
+- **Worktree-aware canonical milestone root (#4761)** — `resolveCanonicalMilestoneRoot` routes validators and cross-session readers through the live worktree, so milestone validation no longer silently reads stale project-root state.
+- **Bootstrap orphan audit (#4762)** — in-progress milestones with commits ahead of main no longer get skipped; the audit emits a warning with commit count and worktree location so interrupted auto-runs are visible.
 
-### Memory Architecture (ADR-013)
+### Auto Pipeline & Component System
 
-- **Memories table is now authoritative** — all memory reads and writes now flow through the `memories` table as the single source of truth. By removing split legacy paths, memory state stays consistent across agents, tools, and UI surfaces, with fewer reconciliation edge cases and less sync drift.
-- **Structured memory fields** — `structured_fields` adds typed metadata (instead of only free-form text), so memories can carry machine-usable attributes for more accurate retrieval, stronger filtering, and more dependable downstream automation and tooling.
-- **Dual-write migration completed** — the staged migration that wrote to both old and new paths is now fully landed, including decisions backfill and parity wiring across agents, MCP tools, and extract-learnings flows. That gives a safer upgrade path while preserving historical data and reducing cutover risk.
+- **Unified component system** — skills, agents, pipelines, and marketplace are now one component model wired through runtime, dispatch, and telemetry, replacing per-surface plumbing.
+- **UnitContextManifest v2 (#4924, #4934)** — auto dispatch runs through a typed manifest with declarative tools-policy and typed computed artifacts. CI guards the schema so drift fails fast.
+- **Composer migration phase 3 (#4782)** — `complete-slice`, `research-milestone`, `run-uat`, and `reassess-roadmap` now build context through the manifest composer for a consistent shape across units.
+- **Milestone scope classifier + pipeline variants (#4781)** — auto picks a pipeline variant from milestone shape, so research-heavy and execution-heavy milestones no longer share a one-size dispatch path.
+- **Per-unit-type skill manifest resolver (#4779)** — skills wire into specific unit types instead of being globally on, with manifests expanded across the remaining types.
+- **Single-writer-v3 control plane** — closes outstanding gaps in the durable-state writer model so concurrent writers can't desync workflow state.
+- **Opt-in `reassess-roadmap` (#4778)** — gated behind the `skip_clean_reassess` preference per ADR-003 §4; auto no longer triggers reassessment unprompted.
 
-### Skills, Tooling, and UX
+### Extensions Framework
 
-- **Skill coverage expanded** — 9 gap-closing skills landed and 6 planning/design skills were surfaced, improving end-to-end workflow coverage and making specialized guidance easier to discover at the point of use.
-- **Hook stack upgrades** — Layer 0 shell hooks and additional Layer 2 events were added to widen extension integration points: hooks can act earlier in command execution, and lifecycle consumers now receive richer event signals for orchestration, policy checks, and observability.
-- **TUI polish** — skill invocations now render in a dedicated chat-frame style for clearer scanability, and active-row overflow handling was fixed to prevent terminal layout breakage during long outputs.
+- **Extension lifecycle commands** — `gsd extensions install / update / uninstall / list / info / validate` for npm, git, and local sources, with dependency warnings and user-metadata tracking.
+- **Topological extension load order** — Kahn's-algorithm sort with surfaced `ExtensionLoadWarning`s, so dependent extensions resolve deterministically and misconfigurations are visible instead of silent.
+- **cmux ↔ gsd decoupling** — static cross-imports replaced with a shared `cmux-events` contract and dynamic imports, isolating extension boundaries.
+- **Extracted `@gsd-extensions/google-search` workspace** — first reference extension carved out of core; legacy in-tree source replaced with a deprecation stub.
+
+### Models, Agent, and UX
+
+- **GPT-5.5 Codex support** — added across `gsd` and `pi-ai`, including `xhigh` thinking level for custom GPT-5.5 models.
+- **Auth mode in `/model`** — providers display alongside auth mode for clearer routing.
+- **Permission granularity picker** — Claude Code "Always Allow" prompts let you scope the grant instead of approving the broad case.
+- **Headless auto default → `bypassPermissions` (#4657)** — Claude Code CLI headless auto-mode runs without permission prompts by default.
+- **`skillFilter` for system prompts** — `pi-coding-agent` filters which skills are surfaced in `buildSystemPrompt`, with consumer exceptions guarded.
+- **Visual postinstall (#4641)** — install shows a spinner/banner UX so first-run state is legible.
+- **PR-risk verification** — risk prompt emits a copy-pasteable code block to make follow-up commands one step.
 
 ### Reliability & Safety
 
-- **Worktree and dispatch resilience** — crash-recovery dispatch is more robust, path derivation is safer, and worktree context fallback is improved, reducing stuck states and misrouted artifact operations after interruptions.
-- **DB/schema guardrails** — migration/index ordering and schema version stamping were tightened so upgrades apply deterministically and avoid index/version drift across mixed or legacy states.
-- **Security and validation fixes** — multiple hardening fixes landed across redaction paths, file/path checks, and pre-execution validation, closing false-positive/false-negative gaps while improving safety boundaries.
+- **Major git-safety pass** — clarified TOCTOU ancestry guard, atomic sync-lock acquire with PID-verified stale override, `.git/index.lock` force-removal gated by 5-min age, `GIT_DIR`/`GIT_WORK_TREE`/`GIT_INDEX_FILE` stripped from env overlays, rebase/cherry-pick/revert state detected and aborted in recovery, working tree stashed before `reset --hard` in self-heal/rollback, worktree create guarded against unborn branches, and user hooks + `commit.gpgsign` honored on auto-commits.
+- **Atomic `.gsd/` state writes** — file-locks now actually lock and throw on contention; appends are lock-wrapped to prevent interleaved writes.
+- **Compaction correctness (#4665)** — fixed chunker/truncation mismatch and silent chunk-drops that produced degenerate or empty summaries.
+- **Write-gate (#4950)** — fail-closed depth confirmation, EXDEV-safe snapshot rename, opt-out persistence default, off-by-one max-attempts fix, exception capture in `gate.execute`, and audit/DB rows for unknown gate ids.
+- **Auto state machine** — deterministic policy errors classified non-retriable (#4973), depth-verification bypass for non-interactive sessions, baseline restored between units (#4961), `restoreToolBaseline` gated by `isAutoMode` (#4966).
+- **Slice + crash recovery** — slice orchestrator state persists across crashes; ancestry-guarded force-reset, detached-HEAD refusal, and stash-by-ref recovery.
+- **Empty-turn recovery** — Claude Code CLI tool-block shape canonicalized so empty-turn recovery matches real provider output.
 
 See the full [Changelog](./CHANGELOG.md) for details on every release.
 
+<details>
+<summary>v2.77 highlights</summary>
+
+- **Context Mode** — dispatch builds task-ready context automatically (artifacts, prior session, milestone/slice signals, execution metadata); enabled by default for new projects
+- **Sandboxed execution tools** — `gsd_exec_search`, `gsd_resume`, and sandboxed tool-output paths for context-mode flows
+- **Memory architecture (ADR-013)** — `memories` table is now authoritative; `structured_fields` adds typed metadata; dual-write migration landed with decisions backfill
+- **Skill coverage** — 9 gap-closing skills landed plus 6 planning/design skills surfaced
+- **Hook stack** — Layer 0 shell hooks and additional Layer 2 lifecycle events
+- **TUI polish** — dedicated chat-frame style for skill invocations; active-row overflow fixes
+- **Worktree + dispatch resilience** — crash-recovery dispatch hardened, safer path derivation, improved worktree context fallback
+- **DB/schema guardrails** — migration/index ordering and schema version stamping tightened
+- **Preflight hardening** — milestone completion enforces stricter clean-root checks with auto-stash
+
+</details>
+
 <details>
 <summary>v2.75 highlights</summary>
 

package/dist/claude-cli-check.js

@@ -1,6 +1,9 @@
 // GSD2 — Claude CLI binary detection for onboarding
 // Lightweight check used at onboarding time (before extensions load).
 // The full readiness check with caching lives in the claude-code-cli extension.
+//
+// Set GSD_CLAUDE_DEBUG=1 to log probe output to stderr. Useful when
+// diagnosing platform-specific detection failures (Issue #4997).
 import { execFileSync } from 'node:child_process';
 /**
  * Platform-correct binary name for the Claude Code CLI.
@@ -20,60 +23,116 @@ export const CLAUDE_COMMAND = process.platform === 'win32' ? 'claude.cmd' : 'cla
  * expose a bare `claude` shim. Try all three so no valid install is missed.
  */
 const CLAUDE_COMMAND_CANDIDATES = process.platform === 'win32' ? [CLAUDE_COMMAND, 'claude.exe', 'claude'] : [CLAUDE_COMMAND];
+const VERSION_TIMEOUT_MS = 5_000;
+// Auth probe needs more headroom on Windows because the spawn goes through
+// cmd.exe → claude.cmd → node → Claude CLI.
+const AUTH_TIMEOUT_MS = 15_000;
+function debugLog(...parts) {
+    if (process.env.GSD_CLAUDE_DEBUG) {
+        process.stderr.write(`[claude-cli-check] ${parts.map(p => (typeof p === 'string' ? p : JSON.stringify(p))).join(' ')}\n`);
+    }
+}
 /**
- * Try to run `args` against each candidate binary.
- * Returns the output buffer on first success, throws the last error if all fail.
+ * Find the first candidate that responds to `--version`. Returns the
+ * candidate name on success, null if none worked.
+ *
+ * On Windows with `shell: true`, a missing candidate surfaces as a
+ * non-zero exit from cmd.exe rather than ENOENT — so we cannot rely on
+ * the error code to decide "try next". Treat any failure as "try next"
+ * for the version probe.
  */
-function execClaudeCheck(args) {
-    let lastError;
+function findWorkingCommand() {
     for (const command of CLAUDE_COMMAND_CANDIDATES) {
         try {
-            return execFileSync(command, args, {
-                timeout: 5_000,
+            execFileSync(command, ['--version'], {
+                timeout: VERSION_TIMEOUT_MS,
                 stdio: 'pipe',
                 shell: process.platform === 'win32',
             });
+            debugLog('version probe ok via', command);
+            return command;
         }
         catch (error) {
-            lastError = error;
-            const code = error?.code;
-            // EINVAL can surface on Windows Git Bash for .cmd spawn failures.
-            if (code === 'ENOENT' || code === 'EINVAL')
-                continue;
-            throw error;
+            debugLog('version probe failed for', command, 'code=', error?.code);
+            continue;
         }
     }
-    throw lastError ?? new Error(`Claude CLI not found (tried: ${CLAUDE_COMMAND_CANDIDATES.join(', ')})`);
+    return null;
 }
 /**
- * Check if the `claude` binary is installed (regardless of auth state).
+ * Decide auth state from `claude auth status` output.
+ *
+ * Newer Claude CLI builds emit JSON with a `loggedIn` boolean. Older builds
+ * emit free-form text. Prefer the structured signal; fall back to a text
+ * heuristic. The text heuristic only covers English phrasing.
  */
-export function isClaudeBinaryInstalled() {
-    try {
-        execClaudeCheck(['--version']);
-        return true;
+function parseAuthStatus(output) {
+    const trimmed = output.trim();
+    if (!trimmed)
+        return null;
+    if (trimmed.startsWith('{')) {
+        try {
+            const parsed = JSON.parse(trimmed);
+            if (typeof parsed.loggedIn === 'boolean') {
+                return parsed.loggedIn;
+            }
+        }
+        catch {
+            // Fall through to text heuristic.
+        }
     }
-    catch {
+    const lower = trimmed.toLowerCase();
+    if (/not logged in|no credentials|unauthenticated|not authenticated/.test(lower)) {
         return false;
     }
+    if (/logged in|authenticated|signed in|email|subscription/.test(lower)) {
+        return true;
+    }
+    return null;
 }
-/**
- * Check if the `claude` CLI is installed AND authenticated.
- */
-export function isClaudeCliReady() {
+function probeAuth(command) {
+    // Try --json first (newer CLIs).
     try {
-        execClaudeCheck(['--version']);
+        const out = execFileSync(command, ['auth', 'status', '--json'], {
+            timeout: AUTH_TIMEOUT_MS,
+            stdio: 'pipe',
+            shell: process.platform === 'win32',
+        }).toString();
+        debugLog('auth status --json output:', out.slice(0, 200));
+        const parsed = parseAuthStatus(out);
+        if (parsed !== null)
+            return parsed;
     }
-    catch {
-        return false;
+    catch (error) {
+        debugLog('auth status --json threw:', error.message?.slice(0, 200));
     }
+    // Fallback: plain `auth status` (older CLIs that don't accept --json).
     try {
-        const output = execClaudeCheck(['auth', 'status'])
-            .toString()
-            .toLowerCase();
-        return !(/not logged in|no credentials|unauthenticated|not authenticated/i.test(output));
+        const out = execFileSync(command, ['auth', 'status'], {
+            timeout: AUTH_TIMEOUT_MS,
+            stdio: 'pipe',
+            shell: process.platform === 'win32',
+        }).toString();
+        debugLog('auth status output:', out.slice(0, 200));
+        return parseAuthStatus(out);
     }
-    catch {
-        return false;
+    catch (error) {
+        debugLog('auth status threw:', error.message?.slice(0, 200));
+        return null;
     }
 }
+/**
+ * Check if the `claude` binary is installed (regardless of auth state).
+ */
+export function isClaudeBinaryInstalled() {
+    return findWorkingCommand() !== null;
+}
+/**
+ * Check if the `claude` CLI is installed AND authenticated.
+ */
+export function isClaudeCliReady() {
+    const command = findWorkingCommand();
+    if (!command)
+        return false;
+    return probeAuth(command) === true;
+}

package/dist/resources/extensions/claude-code-cli/readiness.js

@@ -5,8 +5,13 @@
  * Results are cached for 30 seconds to avoid shelling out on every
  * model-availability check.
  *
- * Auth verification follows the T3 Code pattern: run `claude auth status`
- * and check the exit code + output for an authenticated session.
+ * Auth verification runs `claude auth status --json` and inspects the
+ * `loggedIn` field, falling back to plain `claude auth status` and a text
+ * heuristic when the JSON shape is unavailable (older Claude CLI builds).
+ *
+ * Set GSD_CLAUDE_DEBUG=1 to print the probe's binary selection and auth
+ * outputs to stderr — useful when diagnosing platform-specific detection
+ * failures (Issue #4997).
  */
 import { execFileSync } from "node:child_process";
 /**
@@ -23,33 +28,117 @@ const CLAUDE_COMMAND = process.platform === "win32" ? "claude.cmd" : "claude";
  * installed" results in readiness checks.
  */
 const CLAUDE_COMMAND_CANDIDATES = process.platform === "win32" ? [CLAUDE_COMMAND, "claude.exe", "claude"] : [CLAUDE_COMMAND];
-function execClaude(args) {
-    let lastError;
+// Keep the version probe snappy — `claude --version` is a quick path.
+const VERSION_TIMEOUT_MS = 5_000;
+// Auth status can be much slower on Windows because the spawn goes through
+// cmd.exe → claude.cmd → node → Claude CLI. 15s leaves headroom on cold spawns
+// without making startup feel hung when the CLI is genuinely missing.
+const AUTH_TIMEOUT_MS = 15_000;
+function debugLog(...parts) {
+    if (process.env.GSD_CLAUDE_DEBUG) {
+        process.stderr.write(`[claude-readiness] ${parts.map((p) => (typeof p === "string" ? p : JSON.stringify(p))).join(" ")}\n`);
+    }
+}
+/**
+ * Find the first candidate that responds to `--version`. Returns the
+ * candidate name on success, null if none worked.
+ *
+ * On Windows with `shell: true`, a missing candidate surfaces as a
+ * non-zero exit from cmd.exe rather than ENOENT — so we cannot rely on
+ * the error code to decide "try next". Treat any failure as "try next"
+ * for the version probe; the only thing that matters for binary
+ * detection is whether *some* candidate produces a `claude --version`
+ * line.
+ */
+function findWorkingCommand() {
     for (const command of CLAUDE_COMMAND_CANDIDATES) {
         try {
-            return execFileSync(command, args, {
-                timeout: 5_000,
+            execFileSync(command, ["--version"], {
+                timeout: VERSION_TIMEOUT_MS,
                 stdio: "pipe",
                 shell: process.platform === "win32",
             });
+            debugLog("version probe ok via", command);
+            return command;
         }
         catch (error) {
-            lastError = error;
-            const code = error?.code;
-            // Windows Git Bash can surface `.cmd` spawn failures as EINVAL instead
-            // of ENOENT. Treat both as "try next candidate".
-            if (code === "ENOENT" || code === "EINVAL") {
-                continue;
+            debugLog("version probe failed for", command, "code=", error?.code);
+            continue;
+        }
+    }
+    return null;
+}
+/**
+ * Decide auth state from `claude auth status` output.
+ *
+ * Newer Claude CLI builds emit JSON by default with a `loggedIn` boolean.
+ * Older builds emit free-form text. We prefer the structured signal and fall
+ * back to a text heuristic. Note: the text heuristic only covers English
+ * phrasing — the JSON path is the durable signal.
+ */
+function parseAuthStatus(output) {
+    const trimmed = output.trim();
+    if (!trimmed)
+        return null;
+    if (trimmed.startsWith("{")) {
+        try {
+            const parsed = JSON.parse(trimmed);
+            if (typeof parsed.loggedIn === "boolean") {
+                return parsed.loggedIn;
             }
-            throw error;
         }
+        catch {
+            // Fall through to text heuristic.
+        }
+    }
+    const lower = trimmed.toLowerCase();
+    if (/not logged in|no credentials|unauthenticated|not authenticated/.test(lower)) {
+        return false;
+    }
+    if (/logged in|authenticated|signed in|email|subscription/.test(lower)) {
+        return true;
+    }
+    return null;
+}
+function probeAuth(command) {
+    // Try --json first (newer CLIs).
+    try {
+        const out = execFileSync(command, ["auth", "status", "--json"], {
+            timeout: AUTH_TIMEOUT_MS,
+            stdio: "pipe",
+            shell: process.platform === "win32",
+        }).toString();
+        debugLog("auth status --json output:", out.slice(0, 200));
+        const parsed = parseAuthStatus(out);
+        if (parsed !== null)
+            return parsed;
+    }
+    catch (error) {
+        debugLog("auth status --json threw:", error.message?.slice(0, 200));
+    }
+    // Fallback: plain `auth status` (older CLIs that don't accept --json).
+    try {
+        const out = execFileSync(command, ["auth", "status"], {
+            timeout: AUTH_TIMEOUT_MS,
+            stdio: "pipe",
+            shell: process.platform === "win32",
+        }).toString();
+        debugLog("auth status output:", out.slice(0, 200));
+        return parseAuthStatus(out);
+    }
+    catch (error) {
+        debugLog("auth status threw:", error.message?.slice(0, 200));
+        return null;
     }
-    throw lastError ?? new Error(`Claude CLI executable not found (tried: ${CLAUDE_COMMAND_CANDIDATES.join(", ")})`);
 }
 let cachedBinaryPresent = null;
 let cachedAuthed = null;
 let lastCheckMs = 0;
 const CHECK_INTERVAL_MS = 30_000;
+/**
+ * Refresh the cached binary/auth state when the cache window has expired.
+ * Preserves a known auth state across soft-fail auth probes.
+ */
 function refreshCache() {
     const now = Date.now();
     if (cachedBinaryPresent !== null && now - lastCheckMs < CHECK_INTERVAL_MS) {
@@ -57,28 +146,23 @@ function refreshCache() {
     }
     // Set timestamp first to prevent re-entrant checks during the same window
     lastCheckMs = now;
-    // Check binary presence
-    try {
-        execClaude(["--version"]);
-        cachedBinaryPresent = true;
-    }
-    catch {
+    const command = findWorkingCommand();
+    if (!command) {
         cachedBinaryPresent = false;
         cachedAuthed = false;
         return;
     }
-    // Check auth status — exit code 0 with non-error output means authenticated
-    try {
-        const output = execClaude(["auth", "status"])
-            .toString()
-            .toLowerCase();
-        // The CLI outputs "not logged in", "no credentials", or similar when unauthenticated
-        cachedAuthed = !(/not logged in|no credentials|unauthenticated|not authenticated/i.test(output));
-    }
-    catch {
-        // Non-zero exit code means not authenticated
-        cachedAuthed = false;
+    cachedBinaryPresent = true;
+    const authed = probeAuth(command);
+    if (authed === null) {
+        // Couldn't determine auth state from CLI output. Don't clobber a
+        // previously known-good cache; otherwise default to false so we don't
+        // silently route requests to an unauthenticated CLI.
+        if (cachedAuthed === null)
+            cachedAuthed = false;
+        return;
     }
+    cachedAuthed = authed;
 }
 /**
  * Whether the `claude` binary is installed (regardless of auth state).