gsd-pi 2.78.1-dev.d8826a445 → 2.78.1-dev.eccf86e27

package/dist/resources/extensions/gsd/gsd-db.js

@@ -136,10 +136,137 @@ function openRawDb(path) {
     const Database = providerModule;
     return new Database(path);
 }
-export const SCHEMA_VERSION = 23;
+export const SCHEMA_VERSION = 25;
 function indexExists(db, name) {
     return !!db.prepare("SELECT 1 as present FROM sqlite_master WHERE type = 'index' AND name = ?").get(name);
 }
+/**
+ * Create the v24 coordination tables (workers, milestone_leases,
+ * unit_dispatches, cancellation_requests, command_queue) and their indexes.
+ *
+ * Idempotent — uses IF NOT EXISTS throughout. Called from both the
+ * fresh-install path and the v24 migration block in migrateSchema().
+ *
+ * Single-host invariant: these tables coordinate concurrent auto-mode
+ * workers via shared SQLite WAL on local disk only. NFS / network
+ * filesystems break the coordination semantics — multi-host execution
+ * needs a real coordinator (etcd, Postgres) and is out of scope.
+ */
+function createCoordinationTablesV24(db) {
+    const ddl = [
+        `CREATE TABLE IF NOT EXISTS workers (
+      worker_id TEXT PRIMARY KEY,
+      host TEXT NOT NULL,
+      pid INTEGER NOT NULL,
+      started_at TEXT NOT NULL,
+      version TEXT NOT NULL,
+      last_heartbeat_at TEXT NOT NULL,
+      status TEXT NOT NULL,
+      project_root_realpath TEXT NOT NULL
+    )`,
+        `CREATE TABLE IF NOT EXISTS milestone_leases (
+      milestone_id TEXT PRIMARY KEY,
+      worker_id TEXT NOT NULL,
+      fencing_token INTEGER NOT NULL,
+      acquired_at TEXT NOT NULL,
+      expires_at TEXT NOT NULL,
+      status TEXT NOT NULL,
+      FOREIGN KEY (worker_id) REFERENCES workers(worker_id),
+      FOREIGN KEY (milestone_id) REFERENCES milestones(id)
+    )`,
+        `CREATE TABLE IF NOT EXISTS unit_dispatches (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      trace_id TEXT NOT NULL,
+      turn_id TEXT,
+      worker_id TEXT NOT NULL,
+      milestone_lease_token INTEGER NOT NULL,
+      milestone_id TEXT NOT NULL,
+      slice_id TEXT,
+      task_id TEXT,
+      unit_type TEXT NOT NULL,
+      unit_id TEXT NOT NULL,
+      status TEXT NOT NULL,
+      attempt_n INTEGER NOT NULL DEFAULT 1,
+      started_at TEXT NOT NULL,
+      ended_at TEXT,
+      exit_reason TEXT,
+      error_summary TEXT,
+      verification_evidence_id INTEGER,
+      next_run_at TEXT,
+      retry_after_ms INTEGER,
+      max_attempts INTEGER NOT NULL DEFAULT 3,
+      last_error_code TEXT,
+      last_error_at TEXT,
+      FOREIGN KEY (worker_id) REFERENCES workers(worker_id),
+      FOREIGN KEY (verification_evidence_id) REFERENCES verification_evidence(id)
+    )`,
+        `CREATE TABLE IF NOT EXISTS cancellation_requests (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      requested_at TEXT NOT NULL,
+      requested_by TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      scope_id TEXT NOT NULL,
+      dispatch_id INTEGER,
+      reason TEXT NOT NULL,
+      status TEXT NOT NULL,
+      acked_at TEXT,
+      acked_worker_id TEXT,
+      FOREIGN KEY (dispatch_id) REFERENCES unit_dispatches(id),
+      FOREIGN KEY (acked_worker_id) REFERENCES workers(worker_id)
+    )`,
+        `CREATE TABLE IF NOT EXISTS command_queue (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      target_worker TEXT,
+      command TEXT NOT NULL,
+      args_json TEXT NOT NULL DEFAULT '{}',
+      enqueued_at TEXT NOT NULL,
+      claimed_at TEXT,
+      claimed_by TEXT,
+      completed_at TEXT,
+      result_json TEXT
+    )`,
+    ];
+    for (const stmt of ddl)
+        db.exec(stmt);
+    // Indexes — created here so both fresh-install and v24-migration paths
+    // produce identical structure.
+    db.exec("CREATE INDEX IF NOT EXISTS idx_unit_dispatches_active ON unit_dispatches(milestone_id, status)");
+    db.exec("CREATE INDEX IF NOT EXISTS idx_unit_dispatches_trace ON unit_dispatches(trace_id, turn_id)");
+    // Partial unique index — prevents two workers from claiming the same
+    // unit concurrently. Codex review MEDIUM B2: enforces double-claim guard
+    // at the DB level.
+    db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_unit_dispatches_active_per_unit "
+        + "ON unit_dispatches(unit_id) WHERE status IN ('claimed','running')");
+    // command_queue index — SQLite indexes NULLs in B-trees, so this single
+    // index serves both targeted (target_worker = ?) and broadcast
+    // (target_worker IS NULL) queries. Codex review LOW B4 documented.
+    db.exec("CREATE INDEX IF NOT EXISTS idx_command_queue_pending ON command_queue(target_worker, claimed_at)");
+}
+/**
+ * Create the v25 runtime_kv table. Idempotent — uses IF NOT EXISTS.
+ *
+ * STRICT INVARIANT: runtime_kv is NON-CORRECTNESS-CRITICAL. UI cursors,
+ * dashboard caches, last-seen-version markers, resume cursors, and other
+ * "soft" state are OK. Anything that drives auto-mode control flow gets
+ * typed columns in unit_dispatches / workers / milestone_leases — never
+ * a bag of JSON in runtime_kv.
+ *
+ * Scope partitioning: ('global', '', key) for project-wide values;
+ * ('worker', worker_id, key) for per-worker state (resume cursors);
+ * ('milestone', milestone_id, key) for per-milestone soft state.
+ */
+function createRuntimeKvTableV25(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS runtime_kv (
+      scope TEXT NOT NULL,
+      scope_id TEXT NOT NULL DEFAULT '',
+      key TEXT NOT NULL,
+      value_json TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      PRIMARY KEY (scope, scope_id, key)
+    )
+  `);
+}
 function dedupeVerificationEvidenceRows(db) {
     db.exec(`
     DELETE FROM verification_evidence
@@ -513,6 +640,8 @@ function initSchema(db, fileBacked) {
         db.exec(`CREATE VIEW IF NOT EXISTS active_memories AS SELECT * FROM memories WHERE superseded_by IS NULL`);
         const existing = db.prepare("SELECT count(*) as cnt FROM schema_version").get();
         if (existing && existing["cnt"] === 0) {
+            createCoordinationTablesV24(db);
+            createRuntimeKvTableV25(db);
             // Fresh install — all tables are created above with the full current schema,
             // so it is safe to create all migration-specific indexes here.  For existing
             // databases these indexes are created inside the individual migration guards
@@ -1142,6 +1271,26 @@ function migrateSchema(db) {
                 ":applied_at": new Date().toISOString(),
             });
         }
+        if (currentVersion < 24) {
+            // v24: auto-mode coordination tables. See createCoordinationTablesV24
+            // for full schema + invariants. No-op for fresh installs (the same
+            // helper runs in the fresh-install path); for upgraded DBs this is
+            // the only place these tables get created.
+            createCoordinationTablesV24(db);
+            db.prepare("INSERT INTO schema_version (version, applied_at) VALUES (:version, :applied_at)").run({
+                ":version": 24,
+                ":applied_at": new Date().toISOString(),
+            });
+        }
+        if (currentVersion < 25) {
+            // v25: runtime_kv non-correctness-critical key-value storage. See
+            // createRuntimeKvTableV25 for the full schema + invariants.
+            createRuntimeKvTableV25(db);
+            db.prepare("INSERT INTO schema_version (version, applied_at) VALUES (:version, :applied_at)").run({
+                ":version": 25,
+                ":applied_at": new Date().toISOString(),
+            });
+        }
         db.exec("COMMIT");
     }
     catch (err) {
@@ -2876,6 +3025,7 @@ export function deleteMilestone(milestoneId) {
         currentDb.prepare(`DELETE FROM replan_history WHERE milestone_id = :mid`).run({ ":mid": milestoneId });
         currentDb.prepare(`DELETE FROM assessments WHERE milestone_id = :mid`).run({ ":mid": milestoneId });
         currentDb.prepare(`DELETE FROM artifacts WHERE milestone_id = :mid`).run({ ":mid": milestoneId });
+        currentDb.prepare(`DELETE FROM milestone_leases WHERE milestone_id = :mid`).run({ ":mid": milestoneId });
         currentDb.prepare(`DELETE FROM milestones WHERE id = :mid`).run({ ":mid": milestoneId });
     });
 }
@@ -3190,15 +3340,21 @@ export function deleteArtifactByPath(path) {
     currentDb.prepare("DELETE FROM artifacts WHERE path = :path").run({ ":path": path });
 }
 /**
- * Drop all rows from tasks/slices/milestones in dependency order inside a
- * transaction. Used by `gsd recover` to rebuild engine state from markdown.
+ * Drop hierarchy rows in dependency order inside a transaction. Used by
+ * `gsd recover` to rebuild engine state from markdown.
  */
 export function clearEngineHierarchy() {
     if (!currentDb)
         throw new GSDError(GSD_STALE_STATE, "gsd-db: No database open");
     transaction(() => {
+        currentDb.exec("DELETE FROM verification_evidence");
+        currentDb.exec("DELETE FROM quality_gates");
+        currentDb.exec("DELETE FROM slice_dependencies");
+        currentDb.exec("DELETE FROM assessments");
+        currentDb.exec("DELETE FROM replan_history");
         currentDb.exec("DELETE FROM tasks");
         currentDb.exec("DELETE FROM slices");
+        currentDb.exec("DELETE FROM milestone_leases");
         currentDb.exec("DELETE FROM milestones");
     });
 }
@@ -3281,6 +3437,7 @@ export function restoreManifest(manifest) {
         db.exec("DELETE FROM verification_evidence");
         db.exec("DELETE FROM tasks");
         db.exec("DELETE FROM slices");
+        db.exec("DELETE FROM milestone_leases");
         db.exec("DELETE FROM milestones");
         db.exec("DELETE FROM decisions WHERE 1=1");
         // Restore milestones
@@ -3343,6 +3500,7 @@ export function bulkInsertLegacyHierarchy(payload) {
     transaction(() => {
         db.prepare(`DELETE FROM tasks WHERE milestone_id IN (${placeholders})`).run(...clearMilestoneIds);
         db.prepare(`DELETE FROM slices WHERE milestone_id IN (${placeholders})`).run(...clearMilestoneIds);
+        db.prepare(`DELETE FROM milestone_leases WHERE milestone_id IN (${placeholders})`).run(...clearMilestoneIds);
         db.prepare(`DELETE FROM milestones WHERE id IN (${placeholders})`).run(...clearMilestoneIds);
         const insertMilestone = db.prepare("INSERT INTO milestones (id, title, status, created_at) VALUES (?, ?, ?, ?)");
         for (const m of milestones) {

package/dist/resources/extensions/gsd/guided-flow.js

@@ -48,6 +48,8 @@ import { createWorkspace, scopeMilestone } from "./workspace.js";
 export { MILESTONE_ID_RE, generateMilestoneSuffix, nextMilestoneId, extractMilestoneSeq, parseMilestoneId, milestoneIdSort, maxMilestoneNum, findMilestoneIds, reserveMilestoneId, claimReservedId, getReservedMilestoneIds, clearReservedMilestoneIds, } from "./milestone-ids.js";
 export { showQueue, handleQueueReorder, showQueueAdd, buildExistingMilestonesContext, } from "./guided-flow-queue.js";
 import { logWarning } from "./workflow-logger.js";
+import { deleteRuntimeKv } from "./db/runtime-kv.js";
+import { PAUSED_SESSION_KV_KEY } from "./interrupted-session.js";
 // ─── Scope-based validator wrappers ──────────────────────────────────────────
 // These thin wrappers accept a MilestoneScope so callers that already hold a
 // pinned scope never have to re-derive (basePath, milestoneId) separately.
@@ -1621,11 +1623,13 @@ export async function showSmartEntry(ctx, pi, basePath, options) {
     if (interrupted.classification === "stale") {
         clearLock(basePath);
         if (interrupted.pausedSession) {
+            // Phase C pt 2: paused-session.json migrated to runtime_kv
+            // (global scope, key PAUSED_SESSION_KV_KEY).
             try {
-                unlinkSync(join(gsdRoot(basePath), "runtime", "paused-session.json"));
+                deleteRuntimeKv("global", "", PAUSED_SESSION_KV_KEY);
             }
             catch (e) {
-                logWarning("guided", `stale pause file cleanup failed: ${e.message}`, { file: "guided-flow.ts" });
+                logWarning("guided", `stale paused-session DB cleanup failed: ${e.message}`, { file: "guided-flow.ts" });
             }
         }
     }

package/dist/resources/extensions/gsd/interrupted-session.js

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync, unlinkSync } from "node:fs";
+import { existsSync } from "node:fs";
 import { join } from "node:path";
 import { verifyExpectedArtifact } from "./auto-recovery.js";
 import { formatCrashInfo, isLockProcessAlive, readCrashLock, } from "./crash-recovery.js";
@@ -6,6 +6,7 @@ import { gsdRoot } from "./paths.js";
 import { MILESTONE_ID_RE } from "./milestone-ids.js";
 import { synthesizeCrashRecovery, } from "./session-forensics.js";
 import { deriveState } from "./state.js";
+import { getRuntimeKv, deleteRuntimeKv } from "./db/runtime-kv.js";
 const LEGACY_DEEP_SETUP_UNITS = new Set([
     "workflow-preferences:WORKFLOW-PREFS",
     "discuss-project:PROJECT",
@@ -32,24 +33,26 @@ function isStalePseudoMilestonePause(meta) {
         && typeof meta.unitId === "string"
         && LEGACY_DEEP_SETUP_UNITS.has(`${meta.unitType}:${meta.unitId}`);
 }
+/**
+ * runtime_kv key (global scope) that stores the most recent paused-session
+ * metadata. Phase C pt 2: replaces runtime/paused-session.json. The key is
+ * project-wide (not worker-scoped) because the paused state represents the
+ * last time auto-mode paused on this project — there is at most one paused
+ * session per project at a time.
+ */
+export const PAUSED_SESSION_KV_KEY = "paused_session";
 export function readPausedSessionMetadata(basePath) {
-    const pausedPath = join(gsdRoot(basePath), "runtime", "paused-session.json");
-    if (!existsSync(pausedPath))
+    // basePath is unused now (the DB is workspace-scoped via the connection
+    // openDatabase opened on it) but kept in the signature for callers.
+    void basePath;
+    const meta = getRuntimeKv("global", "", PAUSED_SESSION_KV_KEY);
+    if (!meta)
         return null;
-    try {
-        const meta = JSON.parse(readFileSync(pausedPath, "utf-8"));
-        if (isStalePseudoMilestonePause(meta)) {
-            try {
-                unlinkSync(pausedPath);
-            }
-            catch { /* non-fatal */ }
-            return null;
-        }
-        return meta;
-    }
-    catch {
+    if (isStalePseudoMilestonePause(meta)) {
+        deleteRuntimeKv("global", "", PAUSED_SESSION_KV_KEY);
         return null;
     }
+    return meta;
 }
 export function isBootstrapCrashLock(lock) {
     return !!(lock &&

package/dist/resources/extensions/gsd/state.js

@@ -208,10 +208,17 @@ export async function getActiveMilestoneId(basePath) {
  * Legacy filesystem parsing is available only through an explicit opt-in for
  * tests/recovery flows; runtime must not silently infer state from markdown.
  */
-export async function deriveState(basePath) {
-    // Return cached result if within the TTL window for the same basePath
+export async function deriveState(basePath, opts) {
+    // Use the canonical project root (when provided) as the cache key so that
+    // two calls with different basePath strings (e.g. worktree path vs project
+    // root) but the same canonical .gsd/ share a single cache entry. The same
+    // key is used for both the lookup AND the write below — keying lookup on
+    // canonical-root while writing on basePath would silently return stale
+    // results across path-form alternation.
+    const cacheKey = opts?.projectRootForReads ?? basePath;
+    // Return cached result if within the TTL window for the same cacheKey
     if (_stateCache &&
-        _stateCache.basePath === basePath &&
+        _stateCache.basePath === cacheKey &&
         Date.now() - _stateCache.timestamp < CACHE_TTL_MS) {
         return _stateCache.result;
     }
@@ -230,7 +237,7 @@ export async function deriveState(basePath) {
         if (wasDbOpenAttempted()) {
             logWarning("state", "DB unavailable — using explicit legacy filesystem state derivation");
         }
-        result = await _deriveStateImpl(basePath);
+        result = await _deriveStateImpl(basePath, opts);
         _telemetry.markdownDeriveCount++;
     }
     else {
@@ -252,7 +259,7 @@ export async function deriveState(basePath) {
     }
     stopTimer({ phase: result.phase, milestone: result.activeMilestone?.id });
     debugCount("deriveStateCalls");
-    _stateCache = { basePath, result, timestamp: Date.now() };
+    _stateCache = { basePath: cacheKey, result, timestamp: Date.now() };
     return result;
 }
 /**
@@ -689,7 +696,15 @@ export async function deriveStateFromDb(basePath) {
 // LEGACY: Filesystem-based state derivation for unmigrated projects.
 // DB-backed projects use deriveStateFromDb() above. Target: extract to
 // state-legacy.ts when all projects are DB-backed.
-export async function _deriveStateImpl(basePath) {
+export async function _deriveStateImpl(basePath, opts) {
+    // When the caller supplies a canonical project root for reads (e.g.
+    // s.canonicalProjectRoot from auto-mode), route all artifact reads through
+    // it. This prevents the worktree-local empty `.gsd/` from being consulted
+    // when the canonical state lives at the project root (or via a `.gsd`
+    // symlink into the external state dir).
+    if (opts?.projectRootForReads) {
+        basePath = opts.projectRootForReads;
+    }
     const diskIds = findMilestoneIds(basePath);
     const customOrder = loadQueueOrder(basePath);
     const milestoneIds = sortByQueueOrder(diskIds, customOrder);

package/dist/resources/extensions/gsd/worktree-resolver.js

@@ -22,6 +22,7 @@ import { emitWorktreeCreated, emitWorktreeMerged } from "./worktree-telemetry.js
 import { getCollapseCadence, getMilestoneResquash, resquashMilestoneOnMain } from "./slice-cadence.js";
 import { loadEffectiveGSDPreferences } from "./preferences.js";
 import { resolveWorktreeProjectRoot, normalizeWorktreePathForCompare } from "./worktree-root.js";
+import { claimMilestoneLease, releaseMilestoneLease } from "./db/milestone-leases.js";
 // ─── Path Comparison Helper ────────────────────────────────────────────────
 /**
  * Compare two paths for physical identity, tolerating trailing slashes,
@@ -111,6 +112,69 @@ export class WorktreeResolver {
             });
             return;
         }
+        // Phase B: claim a milestone lease before any worktree mutation. Two
+        // workers cannot enter the same milestone concurrently. Best-effort:
+        // skip if no worker registered (single-worker fallback) or DB
+        // unavailable; reuse existing lease if we already hold it on this
+        // milestone (re-entry within the same session).
+        if (this.s.workerId) {
+            if (this.s.currentMilestoneId === milestoneId && this.s.milestoneLeaseToken !== null) {
+                // Already held — no-op, the heartbeat in loop.ts refreshes TTL.
+            }
+            else {
+                // If we held a different milestone, release it first so other
+                // workers don't have to wait for TTL.
+                if (this.s.currentMilestoneId && this.s.currentMilestoneId !== milestoneId && this.s.milestoneLeaseToken !== null) {
+                    try {
+                        releaseMilestoneLease(this.s.workerId, this.s.currentMilestoneId, this.s.milestoneLeaseToken);
+                    }
+                    catch (err) {
+                        debugLog("WorktreeResolver", {
+                            action: "enterMilestone",
+                            milestoneId,
+                            releasePriorLeaseError: err instanceof Error ? err.message : String(err),
+                        });
+                    }
+                    this.s.milestoneLeaseToken = null;
+                }
+                try {
+                    const claim = claimMilestoneLease(this.s.workerId, milestoneId);
+                    if (claim.ok) {
+                        this.s.milestoneLeaseToken = claim.token;
+                        debugLog("WorktreeResolver", {
+                            action: "enterMilestone",
+                            milestoneId,
+                            leaseAcquired: true,
+                            fencingToken: claim.token,
+                            expiresAt: claim.expiresAt,
+                        });
+                    }
+                    else {
+                        // Lease held by another worker — fail loud so the user can
+                        // see the conflict instead of silently double-running.
+                        const msg = `Milestone ${milestoneId} is held by worker ${claim.byWorker} until ${claim.expiresAt}.`;
+                        debugLog("WorktreeResolver", {
+                            action: "enterMilestone",
+                            milestoneId,
+                            leaseHeldByOther: claim.byWorker,
+                            expiresAt: claim.expiresAt,
+                        });
+                        ctx.notify(`${msg} Another auto-mode worker is active. Stop it before entering ${milestoneId}.`, "error");
+                        return;
+                    }
+                }
+                catch (err) {
+                    // DB unavailable or other error — log and fall through to the
+                    // pre-Phase-B single-worker behavior so a fresh project before
+                    // DB init still works.
+                    debugLog("WorktreeResolver", {
+                        action: "enterMilestone",
+                        milestoneId,
+                        leaseError: err instanceof Error ? err.message : String(err),
+                    });
+                }
+            }
+        }
         // Resolve the project root for worktree operations via shared helper.
         // Handles the case where originalBasePath is falsy and basePath is itself
         // a worktree path — prevents double-nested worktree paths (#3729).