gsd-pi 3.0.0-dev.2e8b124f7 → 3.0.0-dev.6c9a50fd0

package/dist/resources/.managed-resources-content-hash

@@ -1 +1 @@
-411ea8182d6c507e
+718ae1fc3f4ba06c

package/dist/resources/extensions/gsd/auto/loop.js

@@ -11,7 +11,7 @@
 import { randomUUID } from "node:crypto";
 import { MAX_LOOP_ITERATIONS, } from "./types.js";
 import { _clearCurrentResolve } from "./resolve.js";
-import { runPreDispatch, runDispatch, runGuards, runFinalize, } from "./phases.js";
+import { runPreDispatch, runDispatch, runGuards, runFinalize, STUCK_WINDOW_SIZE, } from "./phases.js";
 import { debugLog } from "../debug-logger.js";
 import { isInfrastructureError, isTransientCooldownError, getCooldownRetryAfterMs, COOLDOWN_FALLBACK_WAIT_MS, MAX_COOLDOWN_RETRIES } from "./infra-errors.js";
 import { ModelPolicyDispatchBlockedError } from "../auto-model-selection.js";
@@ -57,7 +57,6 @@ import { handleCustomEngineReconcileOutcome } from "./workflow-custom-engine-rec
 // helpers degrade to the empty-state fallback that #3704 already
 // tolerates — same behavior as a fresh session.
 const STUCK_RECOVERY_ATTEMPTS_KEY = "stuck_recovery_attempts";
-const RECENT_UNIT_KEYS_LIMIT = 20;
 function stableStuckStateScopeId(s) {
     return normalizeRealPath(s.scope?.workspace.projectRoot ?? (s.originalBasePath || s.basePath));
 }
@@ -66,7 +65,7 @@ function loadStuckState(s) {
     if (!scopeId)
         return { recentUnits: [], stuckRecoveryAttempts: 0 };
     try {
-        const recentUnits = getRecentUnitKeysForProjectRoot(scopeId, RECENT_UNIT_KEYS_LIMIT);
+        const recentUnits = getRecentUnitKeysForProjectRoot(scopeId, STUCK_WINDOW_SIZE);
         const stuckRecoveryAttempts = getRuntimeKv("global", scopeId, STUCK_RECOVERY_ATTEMPTS_KEY) ?? 0;
         return { recentUnits, stuckRecoveryAttempts };
     }

package/dist/resources/extensions/gsd/auto/orchestrator.js

@@ -30,7 +30,7 @@ export class AutoOrchestrator {
         this.bumpTransition();
         await this.deps.runtime.journalTransition({ name: "start" });
         await this.deps.notifications.notifyLifecycle({ name: "start" });
-        return this.advance();
+        return { kind: "started" };
     }
     async advance() {
         try {
@@ -279,7 +279,7 @@ export class AutoOrchestrator {
         this.bumpTransition();
         await this.deps.runtime.journalTransition({ name: "resume" });
         await this.deps.notifications.notifyLifecycle({ name: "resume" });
-        return this.advance();
+        return { kind: "resumed" };
     }
     async stop(reason) {
         if (this.status.phase === "stopped") {

package/dist/resources/extensions/gsd/auto/phases.js

@@ -46,6 +46,7 @@ import { isSuspiciousGhostCompletion } from "../auto-unit-closeout.js";
 import { decideVerificationRetry, verificationRetryKey } from "./verification-retry-policy.js";
 import { buildPhaseHandoffOutcome, setAutoOutcomeWidget } from "../auto-dashboard.js";
 import { getConsecutiveDispatchBlocker } from "../dispatch-guard.js";
+export const STUCK_WINDOW_SIZE = 6;
 // ─── Path Comparison Helper ───────────────────────────────────────────────
 /** Compare two paths for physical identity, tolerating trailing slashes and symlinks. */
 function isSamePathLocal(a, b) {
@@ -97,7 +98,12 @@ export function shouldDegradeEmptyWorktreeToProjectRoot(worktreeClassification,
         projectRootClassification.kind !== "invalid-repo");
 }
 function unitWritesSource(unitType) {
-    const manifest = resolveManifest(unitType);
+    // Backward compatibility: sidecar queues from older builds may persist
+    // prefixed unit types (e.g. "sidecar/quick-task").
+    const normalizedUnitType = unitType.startsWith("sidecar/")
+        ? unitType.slice("sidecar/".length)
+        : unitType;
+    const manifest = resolveManifest(normalizedUnitType);
     if (!manifest)
         return null;
     return manifest.tools.mode === "all" || manifest.tools.mode === "docs";
@@ -151,7 +157,8 @@ async function validateSourceWriteWorktreeSafety(ic, unitType, unitId, milestone
     if (!writesSource)
         return null;
     const projectRoot = s.canonicalProjectRoot ?? resolveWorktreeProjectRoot(s.basePath, s.originalBasePath);
-    if (deps.getIsolationMode(projectRoot) !== "worktree")
+    const isolationMode = deps.getIsolationMode(projectRoot);
+    if (isolationMode !== "worktree")
         return null;
     const safety = createWorktreeSafetyModule();
     const result = safety.validateUnitRoot({
@@ -161,6 +168,7 @@ async function validateSourceWriteWorktreeSafety(ic, unitType, unitId, milestone
         projectRoot,
         unitRoot: s.basePath,
         milestoneId,
+        isolationMode,
         expectedBranch: milestoneId ? deps.autoWorktreeBranch(milestoneId) : null,
         emptyWorktreeWithProjectContent: resolveEmptyWorktreeWithProjectContent(s.basePath, projectRoot),
         lease: s.workerId
@@ -899,7 +907,6 @@ export async function runPreDispatch(ic, loopState) {
 export async function runDispatch(ic, preData, loopState) {
     const { ctx, pi, s, deps, prefs } = ic;
     const { state, mid, midTitle } = preData;
-    const STUCK_WINDOW_SIZE = 6;
     const provider = ctx.model?.provider;
     const authMode = provider && typeof ctx.modelRegistry?.getProviderAuthMode === "function"
         ? ctx.modelRegistry.getProviderAuthMode(provider)
@@ -1007,8 +1014,9 @@ export async function runDispatch(ic, preData, loopState) {
     // Rules 1/3/4 can catch retry loops with repeated failure content (#5719).
     // Rules 2/2b suppress legitimate retry backoff through the dispatch ledger.
     loopState.recentUnits.push({ key: derivedKey });
-    if (loopState.recentUnits.length > STUCK_WINDOW_SIZE)
+    while (loopState.recentUnits.length > STUCK_WINDOW_SIZE) {
         loopState.recentUnits.shift();
+    }
     const stuckSignal = detectStuck(loopState.recentUnits);
     if (stuckSignal) {
         debugLog("autoLoop", {

package/dist/resources/extensions/gsd/auto-dispatch.js

@@ -4,7 +4,7 @@ import { loadFile, extractUatType, loadActiveOverrides } from "./files.js";
 import { isDbAvailable, getMilestoneSlices, getPendingGates, markAllGatesOmitted, getMilestone, insertAssessment, transaction } from "./gsd-db.js";
 import { isClosedStatus } from "./status-guards.js";
 import { extractVerdict, isAcceptableUatVerdict } from "./verdict-parser.js";
-import { gsdRoot, resolveMilestoneFile, resolveMilestonePath, resolveSliceFile, resolveTaskFile, relSliceFile, buildMilestoneFileName, } from "./paths.js";
+import { gsdRoot, resolveMilestoneFile, resolveMilestonePath, resolveSliceFile, resolveTaskFile, relTaskFile, relSliceFile, buildMilestoneFileName, buildTaskFileName, gsdProjectionRoot, } from "./paths.js";
 import { parseRoadmap } from "./parsers-legacy.js";
 import { validateArtifact } from "./schemas/validate.js";
 import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
@@ -27,6 +27,8 @@ import { annotateBackgroundable } from "./delegation-policy.js";
 import { invalidateAllCaches } from "./cache.js";
 import { insertMilestoneValidationGates } from "./milestone-validation-gates.js";
 import { nativeHasChanges } from "./native-git-bridge.js";
+import { debugLog, isDebugEnabled } from "./debug-logger.js";
+import { resolveCanonicalMilestoneRoot } from "./worktree-manager.js";
 let reassessmentChecker = checkNeedsReassessment;
 let researchProjectPromptBuilder = buildResearchProjectPrompt;
 function shouldBypassMilestoneDepthGateInAuto(prefs) {
@@ -96,6 +98,15 @@ export function shouldRunDeepProjectSetup(state, prefs, basePath, options = {})
     }
     return hasPendingDeepStage(prefs, basePath);
 }
+function resolveArtifactBasePath(basePath, mid, session) {
+    if (session?.basePath &&
+        session.currentMilestoneId === mid &&
+        session.basePath !== session.originalBasePath &&
+        existsSync(session.basePath)) {
+        return session.basePath;
+    }
+    return resolveCanonicalMilestoneRoot(basePath, mid);
+}
 function missingSliceStop(mid, phase) {
     return {
         action: "stop",
@@ -951,7 +962,7 @@ export const DISPATCH_RULES = [
     },
     {
         name: "executing → execute-task (recover missing task plan → plan-slice)",
-        match: async ({ state, mid, midTitle, basePath, sessionContextWindow, modelRegistry, sessionProvider }) => {
+        match: async ({ state, mid, midTitle, basePath, session, sessionContextWindow, modelRegistry, sessionProvider }) => {
             if (state.phase !== "executing" || !state.activeTask)
                 return null;
             if (!state.activeSlice)
@@ -959,13 +970,32 @@ export const DISPATCH_RULES = [
             const sid = state.activeSlice.id;
             const sTitle = state.activeSlice.title;
             const tid = state.activeTask.id;
+            const artifactBasePath = resolveArtifactBasePath(basePath, mid, session);
             // Guard: if the slice plan exists but the individual task plan files are
             // missing, the planner created S##-PLAN.md with task entries but never
             // wrote the tasks/ directory files. Dispatch plan-slice to regenerate
             // them rather than hard-stopping — fixes the infinite-loop described in
             // issue #909.
-            const taskPlanPath = resolveTaskFile(basePath, mid, sid, tid, "PLAN");
-            if (!taskPlanPath || !existsSync(taskPlanPath)) {
+            const taskPlanPath = resolveTaskFile(artifactBasePath, mid, sid, tid, "PLAN");
+            const projectionTaskPlanPath = join(gsdProjectionRoot(artifactBasePath), "milestones", mid, "slices", sid, "tasks", buildTaskFileName(tid, "PLAN"));
+            if ((!taskPlanPath || !existsSync(taskPlanPath)) && !existsSync(projectionTaskPlanPath)) {
+                if (isDebugEnabled()) {
+                    const expectedTaskPlanPath = join(artifactBasePath, relTaskFile(artifactBasePath, mid, sid, tid, "PLAN"));
+                    const originalProjectRoot = session?.originalBasePath || basePath;
+                    const activeMilestoneWorktreePath = session?.basePath || basePath;
+                    const artifactExists = taskPlanPath ? existsSync(taskPlanPath) : false;
+                    debugLog("dispatch-missing-task-plan-recovery", {
+                        selectedDispatchRule: "executing → execute-task (recover missing task plan → plan-slice)",
+                        basePathUsedForArtifactChecks: artifactBasePath,
+                        milestoneRoot: artifactBasePath,
+                        originalProjectRoot,
+                        activeMilestoneWorktreePath,
+                        expectedTaskPlanPath,
+                        projectionTaskPlanPath,
+                        artifactExists,
+                        projectionArtifactExists: existsSync(projectionTaskPlanPath),
+                    });
+                }
                 return {
                     action: "dispatch",
                     unitType: "plan-slice",

package/dist/resources/extensions/gsd/auto-recovery.js

@@ -188,6 +188,7 @@ export function hasImplementationArtifacts(basePath, milestoneId) {
                     return "unknown";
                 if (milestoneEvidence.matched)
                     return classifyImplementationFiles(milestoneEvidence.files);
+                return "unknown";
             }
             if (currentBranch && currentBranch !== "HEAD")
                 return "absent";

package/dist/resources/extensions/gsd/auto.js

@@ -52,7 +52,7 @@ import { createAutoWorktree, teardownAutoWorktree, isInAutoWorktree, getAutoWork
 import { pruneQueueOrder } from "./queue-order.js";
 import { startCommandPolling as _startCommandPolling, isRemoteConfigured } from "../remote-questions/manager.js";
 import { debugLog, isDebugEnabled, writeDebugSummary } from "./debug-logger.js";
-import { reconcileMergeState, } from "./auto-recovery.js";
+import { reconcileMergeState, verifyExpectedArtifact, } from "./auto-recovery.js";
 import { classifyMilestoneSummaryContent } from "./milestone-summary-classifier.js";
 import { resolveDispatch, DISPATCH_RULES } from "./auto-dispatch.js";
 import { getErrorMessage } from "./error-utils.js";
@@ -110,7 +110,7 @@ export { STUB_RECOVERY_THRESHOLD, NEW_SESSION_TIMEOUT_MS, } from "./auto/session
 import { autoSession as s } from "./auto-runtime-state.js";
 import { gsdHome } from "./gsd-home.js";
 import { createWorkspace, scopeMilestone } from "./workspace.js";
-import { registerAutoWorker, markWorkerStopping } from "./db/auto-workers.js";
+import { registerAutoWorker, markWorkerStopping, markWorkerStoppingByPid, } from "./db/auto-workers.js";
 import { releaseMilestoneLease } from "./db/milestone-leases.js";
 import { normalizeRealPath } from "./paths.js";
 // ── ENCAPSULATION INVARIANT ─────────────────────────────────────────────────
@@ -259,6 +259,27 @@ function synthesizePausedSessionRecovery(basePath, unitType, unitId, sessionFile
 export function _synthesizePausedSessionRecoveryForTest(basePath, unitType, unitId, sessionFile) {
     return synthesizePausedSessionRecovery(basePath, unitType, unitId, sessionFile);
 }
+function handlePausedSessionResumeRecovery(basePath, state, notify) {
+    if (!state.pausedSessionFile)
+        return { skippedReplay: false };
+    const pausedRecoveryUnitType = state.currentUnit?.type ?? state.pausedUnitType ?? "unknown";
+    const pausedRecoveryUnitId = state.currentUnit?.id ?? state.pausedUnitId ?? "unknown";
+    const completedPausedUnit = verifyExpectedArtifact(pausedRecoveryUnitType, pausedRecoveryUnitId, basePath);
+    if (completedPausedUnit) {
+        state.pausedSessionFile = null;
+        return { skippedReplay: true };
+    }
+    const recovery = synthesizePausedSessionRecovery(basePath, pausedRecoveryUnitType, pausedRecoveryUnitId, state.pausedSessionFile);
+    if (recovery && recovery.trace.toolCallCount > 0) {
+        state.pendingCrashRecovery = recovery.prompt;
+        notify(`Recovered ${recovery.trace.toolCallCount} tool calls from paused session. Resuming with context.`);
+    }
+    state.pausedSessionFile = null;
+    return { skippedReplay: false };
+}
+export function _handlePausedSessionResumeRecoveryForTest(basePath, state) {
+    return handlePausedSessionResumeRecovery(basePath, state, () => { });
+}
 // `_resolvePausedResumeBasePathForTest` was retired in ADR-016 phase 2 / B3
 // (#5621). Production callers go through
 // `WorktreeLifecycle.resumeFromPausedSession`; the pure helper for tests is
@@ -566,6 +587,7 @@ export function checkRemoteAutoSession(projectRoot) {
         return { running: false };
     if (!isLockProcessAlive(lock)) {
         // Stale lock from a dead process — not a live remote session
+        markWorkerStoppingByPid(normalizeRealPath(projectRoot), lock.pid);
         return { running: false };
     }
     return {
@@ -1430,7 +1452,7 @@ export function createWiredDispatchAdapter(ctx, pi, dispatchBasePath, session) {
                 midTitle: active.title,
                 state,
                 prefs,
-                session: input.session,
+                session: input.session ?? session,
                 structuredQuestionsAvailable,
                 sessionContextWindow,
                 sessionProvider,
@@ -1546,6 +1568,7 @@ export function createWiredAutoOrchestrationModule(ctx, pi, dispatchBasePath, ru
                     projectRoot: runtimeBasePath,
                     unitRoot: dispatchBasePath,
                     milestoneId,
+                    isolationMode: getIsolationMode(runtimeBasePath),
                     expectedBranch,
                 });
                 if (!result.ok) {
@@ -2104,14 +2127,7 @@ export async function startAuto(ctx, pi, base, verboseMode, options) {
             });
         }
         invalidateAllCaches();
-        if (s.pausedSessionFile) {
-            const recovery = synthesizePausedSessionRecovery(s.basePath, s.currentUnit?.type ?? s.pausedUnitType ?? "unknown", s.currentUnit?.id ?? s.pausedUnitId ?? "unknown", s.pausedSessionFile);
-            if (recovery && recovery.trace.toolCallCount > 0) {
-                s.pendingCrashRecovery = recovery.prompt;
-                ctx.ui.notify(`Recovered ${recovery.trace.toolCallCount} tool calls from paused session. Resuming with context.`, "info");
-            }
-            s.pausedSessionFile = null;
-        }
+        handlePausedSessionResumeRecovery(s.basePath, s, (message) => ctx.ui.notify(message, "info"));
         captureProjectRootEnv(s.originalBasePath || s.basePath);
         registerAutoWorkerForSession(s);
         updateSessionLock(lockBase(), "resuming", s.currentMilestoneId ?? "unknown");

package/dist/resources/extensions/gsd/bootstrap/agent-end-recovery.js

@@ -20,7 +20,20 @@ function isObjectRecord(value) {
     return !!value && typeof value === "object";
 }
 export function _hasEmptyAgentEndContent(content) {
-    return content == null || (Array.isArray(content) && content.length === 0);
+    if (content == null)
+        return true;
+    if (!Array.isArray(content))
+        return false;
+    if (content.length === 0)
+        return true;
+    return content.every((block) => {
+        if (!block || typeof block !== "object")
+            return true;
+        const typedBlock = block;
+        if (typedBlock.type !== "text")
+            return false;
+        return typeof typedBlock.text !== "string" || typedBlock.text.trim() === "";
+    });
 }
 /**
  * Cap on auto-resume attempts for sustained transient-provider errors.
@@ -248,9 +261,27 @@ export async function handleAgentEnd(pi, event, ctx) {
         return;
     }
     if (isBareClaudeCodeStreamAbortPlaceholder(lastMsg)) {
-        // The Claude Code adapter can emit this placeholder after a prior turn has
-        // already completed and the next unit is active. It has no user/provider
-        // diagnostic value and must not cancel the newly-dispatched unit.
+        if (isSessionSwitchAbortGraceActive()) {
+            // Old turn leaking through after a session switch — drop it.
+            return;
+        }
+        // Mid-unit stream abort with no diagnostic. Treat as non-fatal so the loop
+        // can continue, but surface it to the user and resolve the in-flight unit.
+        ctx.ui.notify("Claude Code stream aborted mid-unit (no diagnostic). Continuing.", "warning");
+        try {
+            resetRetryState(retryState);
+            resolveAgentEnd(event);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            ctx.ui.notify(`Auto-mode error after stream-abort placeholder: ${message}. Stopping auto-mode.`, "error");
+            try {
+                await pauseAuto(ctx, pi);
+            }
+            catch (e) {
+                logWarning("bootstrap", `pauseAuto failed after stream-abort placeholder: ${e.message}`);
+            }
+        }
         return;
     }
     if (isObjectRecord(lastMsg) && "stopReason" in lastMsg && lastMsg.stopReason === "aborted") {

package/dist/resources/extensions/gsd/crash-recovery.js

@@ -23,7 +23,7 @@
 import { emitJournalEvent, queryJournal, } from "./journal.js";
 import { readFileSync, unlinkSync, existsSync } from "node:fs";
 import { join } from "node:path";
-import { findStaleWorkerForProject, getAllAutoWorkers, markWorkerCrashed, markWorkerStopping, } from "./db/auto-workers.js";
+import { findStaleWorkerForProject, getAllAutoWorkers, markWorkerCrashed, markWorkerStopping, markWorkerStoppingByPid, } from "./db/auto-workers.js";
 import { forceReleaseLeasesForWorker } from "./db/milestone-leases.js";
 import { markLatestActiveForWorkerCanceled } from "./db/unit-dispatches.js";
 import { getRuntimeKv, setRuntimeKv, deleteRuntimeKv } from "./db/runtime-kv.js";
@@ -197,6 +197,9 @@ export function clearLock(basePath) {
             deleteRuntimeKv("worker", staleWorker.worker_id, SESSION_FILE_KV_KEY);
             return;
         }
+        const lock = readLegacyLock(basePath);
+        if (lock?.pid)
+            markWorkerStoppingByPid(projectRoot, lock.pid);
         const worker = findActiveWorkerForCurrentProcess(projectRoot);
         if (worker)
             deleteRuntimeKv("worker", worker.worker_id, SESSION_FILE_KV_KEY);

package/dist/resources/extensions/gsd/db/auto-workers.js

@@ -122,6 +122,27 @@ export function markWorkerStopping(workerId) {
         db.prepare(`UPDATE workers SET status = 'stopping' WHERE worker_id = :worker_id`).run({ ":worker_id": workerId });
     });
 }
+/**
+ * Mark the active worker row for a specific PID/project root as stopping.
+ * Used when we detect a dead PID from lock metadata before heartbeat expiry.
+ */
+export function markWorkerStoppingByPid(projectRootRealpath, pid) {
+    if (!isDbAvailable())
+        return;
+    if (!Number.isInteger(pid) || pid <= 0)
+        return;
+    const db = _getAdapter();
+    transaction(() => {
+        db.prepare(`UPDATE workers
+       SET status = 'stopping'
+       WHERE pid = :pid
+         AND project_root_realpath = :project_root
+         AND status = 'active'`).run({
+            ":pid": pid,
+            ":project_root": projectRootRealpath,
+        });
+    });
+}
 /**
  * Return all workers whose status is 'active' AND whose heartbeat is within
  * the TTL window. Workers older than the TTL are NOT auto-marked crashed

package/dist/resources/extensions/gsd/preferences.js

@@ -274,6 +274,10 @@ export function applyModeDefaults(mode, prefs) {
 }
 function mergePreferences(base, override) {
     return {
+        // Preserve validated preference keys that do not need custom merge logic.
+        // The explicit fields below still own defaults, arrays, and deep merges.
+        ...base,
+        ...override,
         version: override.version ?? base.version,
         mode: override.mode ?? base.mode,
         always_use_skills: mergeStringLists(base.always_use_skills, override.always_use_skills),

package/dist/resources/extensions/gsd/repo-identity.js

@@ -405,19 +405,32 @@ function hasProjectState(externalPath) {
  * Returns the resolved external path (may differ from the computed identity).
  */
 function resolveExternalPathWithRecovery(projectPath) {
-    const computedPath = externalGsdRoot(projectPath);
+    const base = process.env.GSD_STATE_DIR || gsdHome();
     const computedId = repoIdentity(projectPath);
+    const computedPath = join(base, "projects", computedId);
+    const computedHasState = hasProjectState(computedPath);
+    const markerId = readGsdIdMarker(projectPath);
+    const markerPath = markerId ? join(base, "projects", markerId) : null;
+    const markerHasState = markerPath ? hasProjectState(markerPath) : false;
+    // Split-brain guard: when marker and computed identities disagree and both
+    // directories contain state, prefer the marker-backed directory. This keeps
+    // all writers anchored to a single canonical project identity even if a
+    // transient identity computation produced a stale computed hash.
+    if (markerId
+        && markerPath
+        && markerId !== computedId
+        && markerHasState
+        && computedHasState) {
+        return { path: markerPath, identity: markerId };
+    }
     // Check if computed path already has state — fast path, no recovery needed.
-    if (hasProjectState(computedPath)) {
-        return computedPath;
+    if (computedHasState) {
+        return { path: computedPath, identity: computedId };
     }
     // Check for .gsd-id marker from a previous location.
-    const markerId = readGsdIdMarker(projectPath);
-    if (markerId && markerId !== computedId) {
+    if (markerId && markerPath && markerId !== computedId) {
         // The marker points to a different identity — the repo was likely moved.
-        const base = process.env.GSD_STATE_DIR || gsdHome();
-        const markerPath = join(base, "projects", markerId);
-        if (hasProjectState(markerPath)) {
+        if (markerHasState) {
             // Recover: use the old state directory and update the marker to the new identity.
             // Move the state from the old hash dir to the new one so future lookups work
             // without the marker.
@@ -446,11 +459,11 @@ function resolveExternalPathWithRecovery(projectPath) {
             }
             catch {
                 // If migration fails, just point at the old directory.
-                return markerPath;
+                return { path: markerPath, identity: markerId };
             }
         }
     }
-    return computedPath;
+    return { path: computedPath, identity: computedId };
 }
 // ─── Symlink Management ─────────────────────────────────────────────────────
 /**
@@ -467,17 +480,18 @@ function resolveExternalPathWithRecovery(projectPath) {
  * Returns the resolved external path.
  */
 export function ensureGsdSymlink(projectPath) {
-    const result = ensureGsdSymlinkCore(projectPath);
+    const { path: result, identity } = ensureGsdSymlinkCore(projectPath);
     // Write .gsd-id marker so future relocations can recover this state (#2750).
     // Only write for the project root (not subdirectories or worktrees that
     // delegate to a parent .gsd).
     if (!isInsideWorktree(projectPath)) {
-        writeGsdIdMarker(projectPath, repoIdentity(projectPath));
+        writeGsdIdMarker(projectPath, identity);
     }
     return result;
 }
 function ensureGsdSymlinkCore(projectPath) {
-    const externalPath = resolveExternalPathWithRecovery(projectPath);
+    const resolved = resolveExternalPathWithRecovery(projectPath);
+    const externalPath = resolved.path;
     const localGsd = join(projectPath, ".gsd");
     const inWorktree = isInsideWorktree(projectPath);
     // Guard: Never create a symlink at ~/.gsd — that's the user-level GSD home,
@@ -498,7 +512,7 @@ function ensureGsdSymlinkCore(projectPath) {
     const localGsdNormalized = normalizeForGuard(localGsd);
     const gsdHomeNorm = normalizeForGuard(gsdHome());
     if (localGsdNormalized === gsdHomeNorm) {
-        return localGsd;
+        return { path: localGsd, identity: resolved.identity };
     }
     // Guard: If projectPath is a plain subdirectory (not a worktree) of a git
     // repo that already has a .gsd at the git root, do not create a duplicate
@@ -516,7 +530,10 @@ function ensureGsdSymlinkCore(projectPath) {
                     try {
                         const rootStat = lstatSync(rootGsd);
                         if (rootStat.isSymbolicLink() || rootStat.isDirectory()) {
-                            return rootStat.isSymbolicLink() ? realpathSync(rootGsd) : rootGsd;
+                            return {
+                                path: rootStat.isSymbolicLink() ? realpathSync(rootGsd) : rootGsd,
+                                identity: resolved.identity,
+                            };
                         }
                     }
                     catch {
@@ -544,7 +561,7 @@ function ensureGsdSymlinkCore(projectPath) {
         }
         catch { /* already gone */ }
         symlinkSync(externalPath, localGsd, "junction");
-        return externalPath;
+        return resolved;
     };
     // Check for dangling symlinks (e.g. after relocation recovery removed the old
     // state dir). existsSync follows symlinks, so it returns false for dangling ones.
@@ -567,7 +584,7 @@ function ensureGsdSymlinkCore(projectPath) {
         }
         catch { /* nothing to remove */ }
         symlinkSync(externalPath, localGsd, "junction");
-        return externalPath;
+        return resolved;
     }
     try {
         const stat = lstatSync(localGsd);
@@ -575,7 +592,7 @@ function ensureGsdSymlinkCore(projectPath) {
             // Already a symlink — verify it points to the right place
             const target = realpathSync(localGsd);
             if (target === externalPath) {
-                return externalPath; // correct symlink, no-op
+                return resolved; // correct symlink, no-op
             }
             // In a worktree, mismatched symlinks are always stale. Heal them so
             // the worktree points at the same external state dir as the main repo.
@@ -610,24 +627,24 @@ function ensureGsdSymlinkCore(projectPath) {
                 }
                 catch {
                     // Migration failed — preserve old symlink
-                    return target;
+                    return { path: target, identity: resolved.identity };
                 }
             }
             // Outside worktrees, preserve custom overrides or legacy symlinks.
-            return target;
+            return { path: target, identity: resolved.identity };
         }
         if (stat.isDirectory()) {
             // Real directory in the main repo — migration will handle this later.
             // In worktrees, keep the directory in place and let syncGsdStateToWorktree
             // refresh its contents. Replacing a git-tracked .gsd directory with a
             // symlink makes git think tracked planning files were deleted.
-            return localGsd;
+            return { path: localGsd, identity: resolved.identity };
         }
     }
     catch {
         // lstat failed — path exists but we can't stat it
     }
-    return localGsd;
+    return { path: localGsd, identity: resolved.identity };
 }
 // ─── Worktree Detection ─────────────────────────────────────────────────────
 /**

package/dist/resources/extensions/gsd/session-lock.js

@@ -18,8 +18,9 @@
 import { createRequire } from "node:module";
 import { existsSync, readFileSync, readdirSync, mkdirSync, unlinkSync, rmSync, statSync } from "node:fs";
 import { join, dirname } from "node:path";
-import { gsdRoot } from "./paths.js";
+import { gsdRoot, normalizeRealPath } from "./paths.js";
 import { atomicWriteSync } from "./atomic-write.js";
+import { markWorkerStoppingByPid } from "./db/auto-workers.js";
 const _require = createRequire(import.meta.url);
 // ─── Module State ───────────────────────────────────────────────────────────
 /** Release function from proper-lockfile — calling it releases the OS lock. */
@@ -225,6 +226,12 @@ export function acquireSessionLock(basePath) {
     mkdirSync(dirname(lp), { recursive: true });
     // Clean up numbered lock file variants from cloud sync conflicts (#1315)
     cleanupStrayLockFiles(basePath);
+    // If lock metadata points to a dead PID, mark that worker row stopping so
+    // crash diagnostics do not keep surfacing it as active.
+    const existingPreflight = readExistingLockData(lp);
+    if (existingPreflight?.pid && !isPidAlive(existingPreflight.pid)) {
+        markWorkerStoppingByPid(normalizeRealPath(basePath), existingPreflight.pid);
+    }
     // Write our lock data first (the content is informational; the OS lock is the real guard)
     const lockData = {
         pid: process.pid,
@@ -250,7 +257,10 @@ export function acquireSessionLock(basePath) {
     const lockDir = lockTarget + ".lock";
     if (existsSync(lockDir)) {
         const existingData = readExistingLockData(lp);
-        const isOrphan = !existingData || (existingData.pid && !isPidAlive(existingData.pid));
+        const deadPid = existingData?.pid && !isPidAlive(existingData.pid) ? existingData.pid : null;
+        if (deadPid)
+            markWorkerStoppingByPid(normalizeRealPath(basePath), deadPid);
+        const isOrphan = !existingData || !!deadPid;
         if (isOrphan) {
             try {
                 rmSync(lockDir, { recursive: true, force: true });
@@ -288,6 +298,9 @@ export function acquireSessionLock(basePath) {
         // Check: if auto.lock is gone and no process is alive, the lock dir is stale.
         const existingData = readExistingLockData(lp);
         const existingPid = existingData?.pid;
+        if (existingPid && !isPidAlive(existingPid)) {
+            markWorkerStoppingByPid(normalizeRealPath(basePath), existingPid);
+        }
         // If no lock file or no alive process, try to clean up and re-acquire (#1245)
         if (!existingData || (existingPid && !isPidAlive(existingPid))) {
             try {

package/dist/resources/extensions/gsd/tools/complete-milestone.js

@@ -8,7 +8,7 @@
  */
 import { join } from "node:path";
 import { mkdirSync, existsSync } from "node:fs";
-import { transaction, getMilestone, getMilestoneSlices, getSliceTasks, updateMilestoneStatus, } from "../gsd-db.js";
+import { transaction, getMilestone, getMilestoneSlices, getSliceTasks, getLatestAssessmentByScope, updateMilestoneStatus, } from "../gsd-db.js";
 import { resolveMilestonePath, clearPathCache } from "../paths.js";
 import { isClosedStatus } from "../status-guards.js";
 import { saveFile, clearParseCache } from "../files.js";
@@ -99,6 +99,14 @@ export async function handleCompleteMilestone(params, basePath) {
             alreadyComplete = true;
             return;
         }
+        // Defense-in-depth: only a passing milestone validation permits closeout.
+        const validation = getLatestAssessmentByScope(params.milestoneId, "milestone-validation");
+        if (validation?.status !== "pass") {
+            guardError =
+                `Refusing to complete ${params.milestoneId}: latest milestone-validation verdict is ` +
+                    `"${validation?.status ?? "absent"}". Only verdict=pass permits closeout.`;
+            return;
+        }
         // Verify all slices are complete
         const slices = getMilestoneSlices(params.milestoneId);
         if (slices.length === 0) {