npm - gsd-pi - Versions diffs - 2.78.1-dev.84a383f51 → 2.78.1-dev.8a893322c - Mend

gsd-pi 2.78.1-dev.84a383f51 → 2.78.1-dev.8a893322c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

package/dist/resources/extensions/gsd/bootstrap/register-hooks.js CHANGED Viewed

@@ -16,6 +16,7 @@ import { logWarning as safetyLogWarning } from "../workflow-logger.js";
 import { installNotifyInterceptor } from "./notify-interceptor.js";
 import { initNotificationStore } from "../notification-store.js";
 import { initNotificationWidget } from "../notification-widget.js";
+import { extractSubagentAgentClasses } from "./subagent-input.js";
 // Skip the welcome screen on the very first session_start — cli.ts already
 // printed it before the TUI launched. Only re-print on /clear (subsequent sessions).
 let isFirstSession = true;
@@ -358,6 +359,7 @@ export function registerHooks(pi, ecosystemHandlers) {
             const manifest = resolveManifest(activeUnitType);
             if (manifest) {
                 let planningInput = "";
+                let agentClasses;
                 if (isToolCallEventType("write", event)) {
                     planningInput = event.input.path;
                 }
@@ -367,7 +369,11 @@ export function registerHooks(pi, ecosystemHandlers) {
                 else if (isToolCallEventType("bash", event)) {
                     planningInput = event.input.command;
                 }
-                const planningGuard = shouldBlockPlanningUnit(event.toolName, planningInput, dash.basePath || discussionBasePath, activeUnitType, manifest.tools);
+                else if (event.toolName === "subagent" || event.toolName === "task") {
+                    // Subagent inputs use { agent }, { tasks: [{ agent }] }, or { chain: [{ agent }] }.
+                    agentClasses = extractSubagentAgentClasses(event.input);
+                }
+                const planningGuard = shouldBlockPlanningUnit(event.toolName, planningInput, dash.basePath || discussionBasePath, activeUnitType, manifest.tools, agentClasses);
                 if (planningGuard.block)
                     return planningGuard;
             }
@@ -401,6 +407,18 @@ export function registerHooks(pi, ecosystemHandlers) {
             return;
         markToolStart(event.toolCallId, event.toolName);
         safetyRecordToolCall(event.toolCallId, event.toolName, event.input);
+        // Persist immediately at dispatch so a mid-unit re-dispatch — which calls
+        // resetEvidence() + loadEvidenceFromDisk() in runUnitPhase — cannot wipe
+        // the entry between tool_call and tool_execution_end. Without this, the
+        // race window equals the tool's runtime, producing the "no bash calls"
+        // false positive when the LLM clearly ran a verification command.
+        const callDash = getAutoRuntimeSnapshot();
+        if (callDash.basePath && callDash.currentUnit?.type === "execute-task") {
+            const { milestone: cMid, slice: cSid, task: cTid } = parseUnitId(callDash.currentUnit.id);
+            if (cMid && cSid && cTid) {
+                saveEvidenceToDisk(callDash.basePath, cMid, cSid, cTid);
+            }
+        }
         // Destructive command classification (warn only, never block)
         if (isToolCallEventType("bash", event)) {
             const classification = classifyCommand(event.input.command);

package/dist/resources/extensions/gsd/bootstrap/subagent-input.js ADDED Viewed

@@ -0,0 +1,22 @@
+export function extractSubagentAgentClasses(input) {
+    if (!input || typeof input !== "object")
+        return [];
+    const record = input;
+    const agentClasses = [];
+    const addAgentClass = (value) => {
+        if (typeof value === "string" && value.trim().length > 0)
+            agentClasses.push(value.trim());
+    };
+    const addFromItems = (value) => {
+        if (!Array.isArray(value))
+            return;
+        for (const item of value) {
+            if (item && typeof item === "object")
+                addAgentClass(item.agent);
+        }
+    };
+    addAgentClass(record.agent);
+    addFromItems(record.tasks);
+    addFromItems(record.chain);
+    return agentClasses;
+}

package/dist/resources/extensions/gsd/bootstrap/system-context.js CHANGED Viewed

@@ -47,6 +47,17 @@ export const BUNDLED_SKILL_TRIGGERS = [
     { trigger: "HTTP/REST/GraphQL API design — verbs, status codes, pagination, errors, idempotency, versioning", skill: "api-design" },
     { trigger: "Dependency upgrades — risk-batched, verified between batches, one major per commit", skill: "dependency-upgrade" },
     { trigger: "Agent-first observability — structured logs, persisted failure state, health surfaces, explicit failure modes", skill: "observability" },
+    { trigger: "React/Next.js performance — components, data fetching, bundle optimization, rendering patterns from Vercel Engineering", skill: "react-best-practices" },
+    { trigger: "Core Web Vitals — fix LCP, CLS, INP; layout shifts; page experience optimization", skill: "core-web-vitals" },
+    { trigger: "GitHub Actions CI/CD — write, run, and debug workflow files; live syntax and run monitoring", skill: "github-workflows" },
+    { trigger: "Comprehensive web quality audit — performance, accessibility, SEO, and best-practices (Lighthouse-style)", skill: "web-quality-audit" },
+    { trigger: "Browser automation — open sites, fill forms, click, screenshot, scrape, or test web apps programmatically", skill: "agent-browser" },
+    { trigger: "Review UI code for Web Interface Guidelines compliance — UX, design, and accessibility patterns", skill: "web-design-guidelines" },
+    { trigger: "UI/UX patterns reference — animations, CSS, typography, prefetching, icons (file:line findings)", skill: "userinterface-wiki" },
+    { trigger: "Author or refine a GSD skill — SKILL.md structure, frontmatter, and best practices", skill: "create-skill" },
+    { trigger: "Create or debug a GSD extension — tools, commands, event hooks, custom TUI, providers", skill: "create-gsd-extension" },
+    { trigger: "Author a YAML workflow definition — steps, triggers, and templates", skill: "create-workflow" },
+    { trigger: "Deep code optimization audit — perf anti-patterns, memory leaks, algorithmic complexity, bundle size, I/O, caching, dead code (parallel pattern-based hunt)", skill: "code-optimizer" },
 ];
 function buildBundledSkillsTable() {
     const cwd = process.cwd();

package/dist/resources/extensions/gsd/bootstrap/write-gate.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { copyFileSync, existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
 import { isAbsolute, join, relative, resolve, sep } from "node:path";
 import { minimatch } from "minimatch";
+import { logWarning } from "../workflow-logger.js";
 /**
  * Regex matching milestone CONTEXT.md file names in both legacy M001
  * and unique M001-abc123 formats. Exported so regex-hardening tests
@@ -458,6 +459,42 @@ export function shouldBlockQueueExecutionInSnapshot(snapshot, toolName, input, q
 // guards.
 const PLANNING_WRITE_TOOLS = new Set(["write", "edit", "multi_edit", "notebook_edit"]);
 const PLANNING_SUBAGENT_TOOLS = new Set(["subagent", "task"]);
+/**
+ * Canonical registry for agents that planning-dispatch may consider. Unit
+ * manifests still declare per-unit subsets via ToolsPolicy.allowedSubagents.
+ */
+const PLANNING_DISPATCH_AGENT_REGISTRY = {
+    scout: { readOnlySpecialist: true },
+    planner: { readOnlySpecialist: true },
+    reviewer: { readOnlySpecialist: true },
+    security: { readOnlySpecialist: true },
+    tester: { readOnlySpecialist: true },
+};
+export const ALLOWED_PLANNING_DISPATCH_AGENTS = new Set(Object.entries(PLANNING_DISPATCH_AGENT_REGISTRY)
+    .filter(([, metadata]) => metadata.readOnlySpecialist)
+    .map(([agentId]) => agentId));
+let warnedMissingPlanningDispatchAgentClasses = false;
+function isReadOnlySpecialist(agentId) {
+    const metadata = PLANNING_DISPATCH_AGENT_REGISTRY[agentId];
+    return metadata?.readOnlySpecialist === true;
+}
+function allowedPlanningDispatchAgentsList() {
+    return [...ALLOWED_PLANNING_DISPATCH_AGENTS].join(", ");
+}
+function warnMissingPlanningDispatchAgentClasses(unitType, mode, toolName) {
+    if (warnedMissingPlanningDispatchAgentClasses)
+        return;
+    warnedMissingPlanningDispatchAgentClasses = true;
+    // TODO(#5060): Remove this migration shim once all subagent/task callers are verified to forward agent identities.
+    const message = `[write-gate] planning-dispatch: shouldBlockPlanningUnit called for tool "${toolName}" ` +
+        `on unit "${unitType}" without agentClasses - stale caller; blocking dispatch.`;
+    console.warn(message);
+    logWarning("intercept", message, {
+        unitType,
+        mode,
+        toolName,
+    });
+}
 /**
  * Read-only / planning-safe tools that any non-"all" mode allows. Mirrors
  * QUEUE_SAFE_TOOLS / GATE_SAFE_TOOLS but is the inclusive default for
@@ -501,6 +538,10 @@ function blockReason(unitType, mode, what) {
  *   - "read-only"  → blocks all writes, bash, and subagent dispatch.
  *   - "planning"   → blocks writes to paths outside <basePath>/.gsd/,
  *                    bash that isn't read-only, and subagent dispatch.
+ *   - "planning-dispatch"
+ *                  → like "planning", but permits subagent dispatch only
+ *                    when every forwarded agent class is globally allowed
+ *                    and listed in the policy's allowedSubagents.
  *   - "docs"       → like "planning" but also allows writes to paths
  *                    matching `allowedPathGlobs` relative to basePath.
  *
@@ -510,8 +551,13 @@ function blockReason(unitType, mode, what) {
  * `policy` of null means "no manifest resolved" — pass-through. Callers
  * that have no active unit (interactive sessions) pass null and this
  * predicate is a no-op.
+ *
+ * `agentClasses` is supplied by the tool hook for subagent-shaped calls. If
+ * absent, planning-dispatch fails closed so stale callers cannot silently
+ * bypass the agent allowlists. An explicitly supplied-but-empty list is
+ * allowed through so the downstream tool call can reject the malformed input.
  */
-export function shouldBlockPlanningUnit(toolName, pathOrCommand, basePath, unitType, policy) {
+export function shouldBlockPlanningUnit(toolName, pathOrCommand, basePath, unitType, policy, agentClasses) {
     if (!policy)
         return { block: false };
     if (policy.mode === "all")
@@ -529,12 +575,48 @@ export function shouldBlockPlanningUnit(toolName, pathOrCommand, basePath, unitT
         // Unknown tool in read-only mode — block by default.
         return { block: true, reason: blockReason(unitType, policy.mode, `tool "${tool}" is not on the read-only allowlist`) };
     }
-    // planning / docs modes share the same surface for safe tools, bash, and subagent.
+    // planning / planning-dispatch / docs modes share the same surface for safe tools, bash, and subagent.
     if (PLANNING_SAFE_TOOLS.has(tool))
         return { block: false };
     if (tool.startsWith("gsd_"))
         return { block: false };
     if (PLANNING_SUBAGENT_TOOLS.has(tool)) {
+        if (policy.mode === "planning-dispatch") {
+            const requested = (agentClasses ?? []).map(a => a.trim()).filter(Boolean);
+            const allowedSubagents = Array.isArray(policy.allowedSubagents) ? policy.allowedSubagents : [];
+            const allowed = new Set(allowedSubagents);
+            // When agentClasses is undefined, the caller has not been updated to extract
+            // agent identities yet. Block and warn so stale callers surface in telemetry
+            // instead of silently bypassing the gate.
+            if (agentClasses === undefined) {
+                warnMissingPlanningDispatchAgentClasses(unitType, policy.mode, tool);
+                return {
+                    block: true,
+                    reason: blockReason(unitType, policy.mode, `subagent dispatch blocked: stale caller did not supply agent identities for "${tool}"; update extractSubagentAgentClasses to handle this input shape`),
+                };
+            }
+            // agentClasses was explicitly provided but resolved to an empty list (for
+            // example, a bare tool call with no agent field). Pass through; no agents
+            // to validate means the downstream tool call itself will fail.
+            if (requested.length === 0) {
+                return { block: false };
+            }
+            const globallyDisallowed = requested.find(a => !isReadOnlySpecialist(a));
+            if (globallyDisallowed) {
+                return {
+                    block: true,
+                    reason: blockReason(unitType, policy.mode, `subagent dispatch of "${globallyDisallowed}" not permitted; only read-only specialists (${allowedPlanningDispatchAgentsList()}) may be dispatched from planning-dispatch units`),
+                };
+            }
+            const disallowedByPolicy = requested.find(a => !allowed.has(a));
+            if (disallowedByPolicy) {
+                return {
+                    block: true,
+                    reason: blockReason(unitType, policy.mode, `subagent dispatch of "${disallowedByPolicy}" not permitted by ToolsPolicy.allowedSubagents; permitted agents for this unit: ${allowedSubagents.join(", ")}`),
+                };
+            }
+            return { block: false };
+        }
         return { block: true, reason: blockReason(unitType, policy.mode, `subagent dispatch is not permitted in planning units`) };
     }
     if (tool === "bash") {

package/dist/resources/extensions/gsd/commands/catalog.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { homedir } from "node:os";
 import { join, resolve } from "node:path";
 import { loadRegistry } from "../workflow-templates.js";
 const gsdHome = process.env.GSD_HOME || join(homedir(), ".gsd");
-export const GSD_COMMAND_DESCRIPTION = "GSD — Get Shit Done: /gsd help|start|templates|next|auto|stop|pause|status|widget|visualize|queue|quick|discuss|capture|triage|dispatch|history|undo|undo-task|reset-slice|rate|skip|export|cleanup|model|mode|prefs|config|keys|hooks|run-hook|skill-health|doctor|debug|logs|forensics|changelog|migrate|remote|steer|knowledge|new-milestone|parallel|cmux|park|unpark|init|setup|onboarding|inspect|extensions|update|fast|mcp|rethink|workflow|codebase|notifications|ship|do|session-report|backlog|pr-branch|add-tests|scan|language";
+export const GSD_COMMAND_DESCRIPTION = "GSD — Get Shit Done: /gsd help|start|templates|next|auto|stop|pause|status|widget|visualize|queue|quick|discuss|capture|triage|dispatch|history|undo|undo-task|reset-slice|rate|skip|export|cleanup|model|mode|prefs|config|keys|hooks|run-hook|skill-health|doctor|debug|logs|forensics|changelog|migrate|remote|steer|knowledge|new-milestone|parallel|cmux|park|unpark|init|setup|onboarding|inspect|extensions|update|fast|mcp|rethink|workflow|codebase|notifications|ship|do|session-report|backlog|pr-branch|add-tests|scan|language|worktree";
 export const TOP_LEVEL_SUBCOMMANDS = [
     { cmd: "help", desc: "Categorized command reference with descriptions" },
     { cmd: "next", desc: "Explicit step mode (same as /gsd)" },
@@ -71,6 +71,7 @@ export const TOP_LEVEL_SUBCOMMANDS = [
     { cmd: "add-tests", desc: "Generate tests for completed slices" },
     { cmd: "scan", desc: "Rapid codebase assessment — lightweight alternative to full map (--focus tech|arch|quality|concerns|tech+arch)" },
     { cmd: "language", desc: "Set or clear the global response language (e.g. /gsd language Chinese)" },
+    { cmd: "worktree", desc: "Manage worktrees from the TUI (list, merge, clean, remove)" },
 ];
 const NESTED_COMPLETIONS = {
     auto: [
@@ -286,6 +287,12 @@ const NESTED_COMPLETIONS = {
         { cmd: "off", desc: "Clear the language preference (revert to default)" },
         { cmd: "clear", desc: "Alias for off — clear the language preference" },
     ],
+    worktree: [
+        { cmd: "list", desc: "Show all worktrees with status" },
+        { cmd: "merge", desc: "Merge a worktree into main and clean up" },
+        { cmd: "clean", desc: "Remove all merged/empty worktrees" },
+        { cmd: "remove", desc: "Remove a worktree (--force to skip safety checks)" },
+    ],
 };
 function filterOptions(partial, options, prefix = "") {
     const normalizedPrefix = prefix ? `${prefix} ` : "";

package/dist/resources/extensions/gsd/commands/handlers/core.js CHANGED Viewed

@@ -124,6 +124,7 @@ export function showHelp(ctx, args = "") {
         "  /gsd forensics      Examine execution logs and post-mortem analysis",
         "  /gsd export         Export milestone/slice results  [--json|--markdown|--html] [--all]",
         "  /gsd cleanup        Remove merged branches or snapshots  [branches|snapshots]",
+        "  /gsd worktree       Manage worktrees from the TUI  [list|merge|clean|remove]",
         "  /gsd migrate        Migrate .planning/ (v1) to .gsd/ (v2) format",
         "  /gsd remote         Control remote auto-mode  [slack|discord|status|disconnect]",
         "  /gsd inspect        Show SQLite DB diagnostics (schema, row counts, recent entries)",

package/dist/resources/extensions/gsd/commands/handlers/ops.js CHANGED Viewed

@@ -259,5 +259,13 @@ Examples:
         await handleScan(trimmed.replace(/^scan\s*/, "").trim(), ctx, pi);
         return true;
     }
+    if (trimmed === "worktree" ||
+        trimmed.startsWith("worktree ") ||
+        trimmed === "wt" ||
+        trimmed.startsWith("wt ")) {
+        const { handleWorktree } = await import("../../commands-worktree.js");
+        await handleWorktree(trimmed.replace(/^(worktree|wt)\s*/, "").trim(), ctx);
+        return true;
+    }
     return false;
 }

package/dist/resources/extensions/gsd/commands-config.js CHANGED Viewed

@@ -6,6 +6,7 @@
 import { AuthStorage } from "@gsd/pi-coding-agent";
 import { existsSync, mkdirSync } from "node:fs";
 import { join, dirname } from "node:path";
+import { getHomeDir } from "./home-dir.js";
 /**
  * Tool API key configurations.
  * This is the source of truth for tool credentials - used by both the config wizard
@@ -29,7 +30,7 @@ function getStoredToolKey(auth, providerId) {
  */
 export function loadToolApiKeys() {
     try {
-        const authPath = join(process.env.HOME ?? "", ".gsd", "agent", "auth.json");
+        const authPath = join(getHomeDir(), ".gsd", "agent", "auth.json");
         if (!existsSync(authPath))
             return;
         const auth = AuthStorage.create(authPath);
@@ -45,7 +46,7 @@ export function loadToolApiKeys() {
     }
 }
 export function getConfigAuthStorage() {
-    const authPath = join(process.env.HOME ?? "", ".gsd", "agent", "auth.json");
+    const authPath = join(getHomeDir(), ".gsd", "agent", "auth.json");
     mkdirSync(dirname(authPath), { recursive: true });
     return AuthStorage.create(authPath);
 }

package/dist/resources/extensions/gsd/commands-extensions.js CHANGED Viewed

@@ -10,7 +10,50 @@ import { dirname, join, resolve } from "node:path";
 import { homedir, tmpdir } from "node:os";
 import { execFileSync } from "node:child_process";
 import { lockSync, unlockSync } from "proper-lockfile";
-import semver from "semver";
+/**
+ * Strict numeric comparison of two npm-style version strings.
+ *
+ * Returns true when `a` is strictly greater than `b`. Compares the dotted
+ * release components numerically (so `1.10.0` > `1.9.0`) and treats any
+ * prerelease suffix (`-beta.1`, `-rc.2`) as less than the equivalent
+ * release version (`1.0.0` > `1.0.0-beta.1`). Sufficient for npm package
+ * version comparison in the extension installer; we don't need the full
+ * semver range/intersect machinery here.
+ *
+ * Replaces the earlier `import semver from "semver"` — that import broke
+ * `tsc -p tsconfig.json` whenever `@types/semver` failed to install
+ * (Issue #4946) because the file is pulled in transitively despite being
+ * under the `src/resources` exclude.
+ */
+export function isVersionGreater(a, b) {
+    const split = (v) => {
+        const dash = v.indexOf("-");
+        const release = (dash === -1 ? v : v.slice(0, dash))
+            .split(".")
+            .map(part => Number.parseInt(part, 10) || 0);
+        const pre = dash === -1 ? null : v.slice(dash + 1);
+        return { release, pre };
+    };
+    const sa = split(a);
+    const sb = split(b);
+    const len = Math.max(sa.release.length, sb.release.length);
+    for (let i = 0; i < len; i++) {
+        const ai = sa.release[i] ?? 0;
+        const bi = sb.release[i] ?? 0;
+        if (ai !== bi)
+            return ai > bi;
+    }
+    // Release components equal — a release version beats any prerelease,
+    // and prerelease strings are compared lexicographically (good enough
+    // for `beta.1` vs `beta.2`, the only realistic case here).
+    if (sa.pre === null && sb.pre !== null)
+        return true;
+    if (sa.pre !== null && sb.pre === null)
+        return false;
+    if (sa.pre !== null && sb.pre !== null)
+        return sa.pre > sb.pre;
+    return false;
+}
 const gsdHome = process.env.GSD_HOME || join(homedir(), ".gsd");
 // ─── Registry I/O ───────────────────────────────────────────────────────────
 function getRegistryPath() {
@@ -413,7 +456,7 @@ async function updateSingleExtension(id, registry, ctx) {
         ctx.ui.notify(`Could not fetch latest version for "${id}".`, "warning");
         return;
     }
-    if (semver.gt(latest, current)) {
+    if (isVersionGreater(latest, current)) {
         ctx.ui.notify(`Updating "${id}": v${current} → v${latest}...`, "info");
         await handleInstall(packageName, ctx);
     }
@@ -464,7 +507,7 @@ async function updateAllExtensions(registry, ctx) {
             skipped++;
             continue;
         }
-        if (semver.gt(latest, current)) {
+        if (isVersionGreater(latest, current)) {
             ctx.ui.notify(`  ${entry.id}: v${current} → v${latest} (updating)`, "info");
             await handleInstall(packageName, ctx);
             updated++;

package/dist/resources/extensions/gsd/commands-handlers.js CHANGED Viewed

@@ -9,6 +9,7 @@ import { join, resolve as resolvePath, sep } from "node:path";
 import { homedir } from "node:os";
 import { deriveState } from "./state.js";
 import { gsdRoot } from "./paths.js";
+import { getHomeDir } from "./home-dir.js";
 import { appendCapture, hasPendingCaptures, loadPendingCaptures } from "./captures.js";
 import { appendOverride, appendKnowledge } from "./files.js";
 import { formatDoctorIssuesForPrompt, formatDoctorReport, formatDoctorReportJson, runGSDDoctor, selectDoctorScope, filterDoctorIssues, } from "./doctor.js";
@@ -60,7 +61,7 @@ async function fetchLatestVersionForCommand() {
     }
 }
 export function dispatchDoctorHeal(pi, scope, reportText, structuredIssues) {
-    const workflowPath = process.env.GSD_WORKFLOW_PATH ?? join(process.env.HOME ?? "~", ".gsd", "agent", "GSD-WORKFLOW.md");
+    const workflowPath = process.env.GSD_WORKFLOW_PATH ?? join(getHomeDir(), ".gsd", "agent", "GSD-WORKFLOW.md");
     const workflow = readFileSync(workflowPath, "utf-8");
     const prompt = loadPrompt("doctor-heal", {
         doctorSummary: reportText,
@@ -210,7 +211,7 @@ export async function handleTriage(ctx, pi, basePath) {
         currentPlan: currentPlan || "(no active slice plan)",
         roadmapContext: roadmapContext || "(no active roadmap)",
     });
-    const workflowPath = process.env.GSD_WORKFLOW_PATH ?? join(process.env.HOME ?? "~", ".gsd", "agent", "GSD-WORKFLOW.md");
+    const workflowPath = process.env.GSD_WORKFLOW_PATH ?? join(getHomeDir(), ".gsd", "agent", "GSD-WORKFLOW.md");
     const workflow = readFileSync(workflowPath, "utf-8");
     pi.sendMessage({
         customType: "gsd-triage",