gsdd-cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (65) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +528 -0
  3. package/agents/DISTILLATION.md +306 -0
  4. package/agents/README.md +53 -0
  5. package/agents/debugger.md +82 -0
  6. package/agents/executor.md +394 -0
  7. package/agents/integration-checker.md +318 -0
  8. package/agents/mapper.md +103 -0
  9. package/agents/planner.md +296 -0
  10. package/agents/researcher.md +84 -0
  11. package/agents/roadmapper.md +296 -0
  12. package/agents/synthesizer.md +236 -0
  13. package/agents/verifier.md +337 -0
  14. package/bin/adapters/agents.mjs +33 -0
  15. package/bin/adapters/claude.mjs +145 -0
  16. package/bin/adapters/codex.mjs +58 -0
  17. package/bin/adapters/index.mjs +20 -0
  18. package/bin/adapters/opencode.mjs +237 -0
  19. package/bin/gsdd.mjs +102 -0
  20. package/bin/lib/cli-utils.mjs +28 -0
  21. package/bin/lib/health.mjs +248 -0
  22. package/bin/lib/init.mjs +379 -0
  23. package/bin/lib/manifest.mjs +134 -0
  24. package/bin/lib/models.mjs +379 -0
  25. package/bin/lib/phase.mjs +237 -0
  26. package/bin/lib/rendering.mjs +95 -0
  27. package/bin/lib/templates.mjs +207 -0
  28. package/distilled/DESIGN.md +1286 -0
  29. package/distilled/README.md +169 -0
  30. package/distilled/SKILL.md +85 -0
  31. package/distilled/templates/agents.block.md +90 -0
  32. package/distilled/templates/agents.md +13 -0
  33. package/distilled/templates/auth-matrix.md +78 -0
  34. package/distilled/templates/codebase/architecture.md +110 -0
  35. package/distilled/templates/codebase/concerns.md +95 -0
  36. package/distilled/templates/codebase/conventions.md +193 -0
  37. package/distilled/templates/codebase/stack.md +96 -0
  38. package/distilled/templates/delegates/mapper-arch.md +26 -0
  39. package/distilled/templates/delegates/mapper-concerns.md +27 -0
  40. package/distilled/templates/delegates/mapper-quality.md +28 -0
  41. package/distilled/templates/delegates/mapper-tech.md +25 -0
  42. package/distilled/templates/delegates/plan-checker.md +55 -0
  43. package/distilled/templates/delegates/researcher-architecture.md +30 -0
  44. package/distilled/templates/delegates/researcher-features.md +30 -0
  45. package/distilled/templates/delegates/researcher-pitfalls.md +30 -0
  46. package/distilled/templates/delegates/researcher-stack.md +30 -0
  47. package/distilled/templates/delegates/researcher-synthesizer.md +31 -0
  48. package/distilled/templates/research/architecture.md +57 -0
  49. package/distilled/templates/research/features.md +23 -0
  50. package/distilled/templates/research/pitfalls.md +46 -0
  51. package/distilled/templates/research/stack.md +45 -0
  52. package/distilled/templates/research/summary.md +67 -0
  53. package/distilled/templates/roadmap.md +62 -0
  54. package/distilled/templates/spec.md +110 -0
  55. package/distilled/workflows/audit-milestone.md +220 -0
  56. package/distilled/workflows/execute.md +270 -0
  57. package/distilled/workflows/map-codebase.md +246 -0
  58. package/distilled/workflows/new-project.md +418 -0
  59. package/distilled/workflows/pause.md +121 -0
  60. package/distilled/workflows/plan.md +383 -0
  61. package/distilled/workflows/progress.md +199 -0
  62. package/distilled/workflows/quick.md +187 -0
  63. package/distilled/workflows/resume.md +152 -0
  64. package/distilled/workflows/verify.md +307 -0
  65. package/package.json +45 -0
@@ -0,0 +1,1286 @@
1
+ # GSDD Design Decisions
2
+
3
+ > Rationale for every structural choice GSDD makes relative to GSD.
4
+ > Each decision cites GSD source files, GSDD implementation, and external research.
5
+ > Updated as decisions are revised or new ones land.
6
+
7
+ ---
8
+
9
+ ## Table of Contents
10
+
11
+ 1. [4-File Codebase Standard](#1-4-file-codebase-standard)
12
+ 2. [Agent Consolidation: 11 to 9](#2-agent-consolidation-11-to-9)
13
+ 3. [Two-Layer Architecture: Roles and Delegates](#3-two-layer-architecture-roles-and-delegates)
14
+ 4. [Zero-Hop Security Propagation](#4-zero-hop-security-propagation)
15
+ 5. [Conditional Synthesizer](#5-conditional-synthesizer)
16
+ 6. [Mapper Staleness: Standalone Workflow](#6-mapper-staleness-standalone-workflow)
17
+ 7. [Milestone Hierarchy and Phase Continuation](#7-milestone-hierarchy-and-phase-continuation)
18
+ 8. [Advisory Git Protocol](#8-advisory-git-protocol)
19
+ 9. [Adapter Generation Over Conversion](#9-adapter-generation-over-conversion)
20
+ 10. [Context Isolation: Summaries Up, Documents to Disk](#10-context-isolation-summaries-up-documents-to-disk)
21
+ 11. [Quick-Work Lane](#11-quick-work-lane)
22
+ 12. [Session Persistence Without State File](#12-session-persistence-without-state-file)
23
+ 13. [Mechanical Invariant Enforcement](#13-mechanical-invariant-enforcement)
24
+ 14. [Headless Mode](#14-headless-mode)
25
+ 15. [Model Profile Propagation](#15-model-profile-propagation)
26
+ 16. [Template Versioning via Generation Manifest](#16-template-versioning-via-generation-manifest)
27
+ 17. [CLI Composition Root Boundary](#17-cli-composition-root-boundary)
28
+ 18. [Codex CLI Native Adapter](#18-codex-cli-native-adapter)
29
+ 19. [Scenario-Based Eval Coverage](#19-scenario-based-eval-coverage)
30
+ 20. [Workspace Health Diagnostics](#20-workspace-health-diagnostics)
31
+ 21. [OWASP Authorization Matrix](#21-owasp-authorization-matrix)
32
+ 22. [Delegate Layer Architecture](#22-delegate-layer-architecture)
33
+ 23. [Mapper Output Quantification](#23-mapper-output-quantification)
34
+ 24. [Consumer Governance Completeness](#24-consumer-governance-completeness)
35
+ 25. [Consumer First-Run Experience](#25-consumer-first-run-experience)
36
+ 26. [Session Continuity Contract Hardening](#26-session-continuity-contract-hardening)
37
+ 27. [Consumer-Ready Surface Completion](#27-consumer-ready-surface-completion)
38
+ 28. [Workflow Completion Routing](#28-workflow-completion-routing)
39
+
40
+ ---
41
+
42
+ ## 1. 4-File Codebase Standard
43
+
44
+ **GSD:** 7 static files during codebase mapping -- STACK.md, ARCHITECTURE.md, CONVENTIONS.md, CONCERNS.md, STRUCTURE.md, INTEGRATIONS.md, TESTING.md.
45
+
46
+ **GSDD:** 4 files -- STACK.md, ARCHITECTURE.md, CONVENTIONS.md, CONCERNS.md.
47
+
48
+ **What was dropped and where the rules went:**
49
+
50
+ | Dropped file | Absorbed into | Rationale |
51
+ | --------------- | ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
52
+ | STRUCTURE.md | CONVENTIONS.md ("Where to put new code") | Physical directory maps break the moment a folder is added. Stale structure causes agent hallucination. Modern agents use dynamic tools (tree-sitter, codebase indexing) to view current structure. |
53
+ | INTEGRATIONS.md | STACK.md + CONVENTIONS.md | Database schemas and endpoint maps change daily. Agents should read definitive `schema.prisma` or `init.sql` dynamically, not trust a stale markdown summary. |
54
+ | TESTING.md | CONVENTIONS.md ("How to mock the database", testing patterns) | Testing conventions are stable rules; test inventories are not. Rules belong in CONVENTIONS.md. |
55
+
56
+ **Core principle:** Drop the _state_ (which rots), keep the _rules_ (which don't). Maximum architectural discipline without feeding stale topologies into limited context windows.
57
+
58
+ **Evidence:**
59
+
60
+ - GSD source: `agents/_archive/gsd-codebase-mapper.md` lines 72-79 (original 7-file model)
61
+ - GSDD implementation: `agents/mapper.md` input/output contracts (4 files only)
62
+ - External: LeanSpec "Context Economy" principle; Aider tree-sitter dynamic repomaps (2026 SOTA)
63
+ - `.planning/SPEC.md` "Lean Context Decision" section
64
+
65
+ ---
66
+
67
+ ## 2. Agent Consolidation: 11 to 9
68
+
69
+ **GSD:** 11 specialized agent files, each scoped to a single concern.
70
+
71
+ **GSDD:** 9 canonical roles. 3 mergers and 1 extraction.
72
+
73
+ **Merger table:**
74
+
75
+ | Canonical role | Absorbs from GSD | Merger criteria |
76
+ | ------------------------ | ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
77
+ | `integration-checker.md` | `gsd-integration-checker.md` | Cross-phase integration checking is structurally different from single-phase verification: different inputs (all phase SUMMARYs/VERIFICATIONs vs single phase), different scope (milestone-wide wiring vs phase goal), different algorithm (connectivity checks vs goal-backward). Extracted as standalone role rather than absorbed into verifier. |
78
+ | `researcher.md` | `gsd-project-researcher.md` + `gsd-phase-researcher.md` | Same algorithm, different scope. Scope is an input parameter, not a role distinction. Clean merger. |
79
+ | `planner.md` | `gsd-planner.md` + `gsd-plan-checker.md` | Reduces coordination overhead. **Tradeoff:** GSD's plan-checker was a fresh-context adversarial pass with a 3-cycle revision loop (planner -> checker -> revise x 3 max). GSDD keeps an explicit `plan-checker` contract, generates native planner/checker entry surfaces where runtimes can support the loop directly, and describes reduced-assurance fallback in the portable workflow when no independent checker runs. |
80
+ | `verifier.md` | `gsd-verifier.md` | Phase-level goal-backward verification remains the verifier's scope. Cross-phase integration audit remains a separate milestone surface rather than being silently absorbed. GSDD keeps the compact verification-report base fields and also preserves richer structured verifier findings where they materially improve re-verification and gap closure. |
81
+
82
+ **Known tradeoffs in mergers:**
83
+
84
+ The researcher merger is clean - scope is genuinely a parameter. The planner and verifier mergers each carry a real cost:
85
+
86
+ - **Planner:** External verification by a fresh-context agent catches blind spots the author cannot catch in self-review. GSDD restores that concept with a canonical `plan-checker` delegate, native planner/checker entry surfaces for Claude/OpenCode, and a portable workflow that describes reduced-assurance fallback when no independent checker runs. Verify quality checks now live inside `task_completeness`, so the planner/checker contract enforces runnable, fast, and ordered verification.
87
+ - **Adapter boundary:** `bin/gsdd.mjs` now stays the thin generator entrypoint and adapter dispatcher, while vendor-specific rendering lives under `bin/adapters/`. This is an architecture cleanup, not proof of runtime parity by itself.
88
+ - **Verifier:** The integration-checker's cross-phase wiring scope (orphaned exports, unconsumed API routes, broken E2E flows) is structurally different from single-phase goal-backward verification. GSDD keeps `verifier.md` phase-scoped and implements milestone integration audit as a separate surface: `distilled/workflows/audit-milestone.md` with `integration-checker.md`.
89
+ - **Verifier output contract:** Upstream GSD exposes two relevant shapes: the slim `verification-report.md` template with base fields (`phase`, `verified`, `status`, `score`) and the richer `gsd-verifier.md` output example with structured `re_verification`, `gaps`, and `human_verification`. GSDD keeps the richer phase-verifier structure intentionally, but labels it as normalized verifier behavior rather than pretending every field came from the slimmer template alone.
90
+
91
+ **Integration-checker second-pass recovery (2026-03-12):**
92
+
93
+ The first extraction of `integration-checker.md` preserved the milestone scope and core algorithm, but over-stripped execution leverage. The recovery pass keeps the portable role framework-neutral while restoring the upstream scaffolding that materially improves compliance:
94
+
95
+ - **Kept from GSD:** mandatory initial-read discipline, explicit section boundaries, auth-protection verification, end-to-end flow tracing, typed structured return, and checklist-driven completion.
96
+ - **Intentionally stripped:** framework-specific Bash recipes, hardcoded path assumptions, file-extension-specific grep flags, and other tool/runtime details that do not survive vendor-agnostic distillation well.
97
+ - **Gained in GSDD:** a cleaner split between role contract and milestone workflow, a stronger explicit phase-vs-milestone boundary, and a portable typed report shape aligned to the milestone auditor's current schema.
98
+
99
+ **Systemic role-contract hardening follow-up (2026-03-12):**
100
+
101
+ The same over-distillation pattern had also flattened `roadmapper.md`, `synthesizer.md`, `verifier.md`, and `planner.md`. The first recovery pass restored visible structure, but the follow-up audit found that structure alone was not enough. The current hardening pass restores the stricter mechanics that materially improve compliance while continuing to strip vendor/tool specifics.
102
+
103
+ - **Roadmapper kept from GSD:** mandatory initial-read discipline, bounded section structure, explicit coverage validation, parse-critical artifact contract, structured return modes, and checklist-driven completion.
104
+ - **Roadmapper intentionally stripped:** template-path references, commit steps, and vendor-specific file conventions.
105
+ - **Roadmapper gained in GSDD:** an explicit `.planning/ROADMAP.md` ownership contract, explicit `[ ]` / `[-]` / `[x]` status grammar, a concrete `ROADMAP CREATED` artifact example, and a hard boundary that this role does not settle the separate ROADMAP/STATE lifecycle seam.
106
+
107
+ - **Synthesizer kept from GSD:** mandatory initial-read discipline, deterministic research-input contract, execution-flow structure, output-format block, structured returns, blocked return shape, provenance via `Sources`, and completion checklist.
108
+ - **Synthesizer intentionally stripped:** commit behavior, template paths, and literal shell snippets.
109
+ - **Synthesizer gained in GSDD:** cleaner alignment with conditional invocation by `researchDepth` rather than implying it always runs, plus an explicit scope boundary that keeps research, roadmap authoring, and git ownership separate.
110
+
111
+ - **Verifier kept from GSD:** mandatory initial-read discipline, explicit must-have derivation steps, named L1/L2/L3 checks, truth-level status taxonomy, explicit key-link categories, typed report example, machine-usable structured gaps, structured return, and completion checklist.
112
+ - **Verifier intentionally stripped:** GSD tool invocations, literal grep/bash procedures, and commit steps.
113
+ - **Verifier gained in GSDD:** a portable verification-basis discovery protocol, grouped-gap guidance, a dedicated `<structured_returns>` contract for orchestrator handoff, and a stricter frontmatter-only machine-readable findings contract that now lines up directly with the current normalized `VERIFICATION.md` schema and the separate milestone-audit boundary.
114
+
115
+ - **Planner kept from GSD:** mandatory initial-read discipline, bounded section structure, context-fidelity rules, TDD detection heuristic, automated-verify discipline, test-scaffold-first rule when verification is missing, explicit output block, structured planning return, and completion checklist.
116
+ - **Planner intentionally stripped:** `user_setup`, vendor runtime/tool instructions, commit steps, and GSD-specific validation commands.
117
+ - **Planner gained in GSDD:** recovered strictness without regressing the current GSDD schema (`files-modified`, `checkpoint:user`, `checkpoint:review`, `2-5` tasks max, reduced-assurance checker fallback), plus portable gap-closure semantics and a concrete dependency-graph / wave example. Full `type: tdd` lifecycle support remains later research, not part of this recovery.
118
+
119
+ **Executor leverage audit (2026-03-13):**
120
+
121
+ The executor was the last un-audited core lifecycle role. At 89 lines it was the most under-structured role contract in the system — no XML section boundaries, no mandatory initial read, no scope boundary, no typed output example, no auth-gate protocol, no completion checklist. The audit applied the same S12 hardening pattern.
122
+
123
+ - **Executor kept from GSD:** mandatory initial-read discipline, explicit deviation-rule examples (null pointers, missing auth, missing dependency, new DB tables), auth-gate protocol (401/403 recognition, checkpoint return with exact auth steps), substantive summary quality gate, TDD RED/GREEN/REFACTOR steps with infrastructure detection, self-check discipline, and completion checklist.
124
+ - **Executor intentionally stripped:** wave-based parallelization, agent tracking journal, segment execution patterns A/B/C, auto-mode checkpoint routing (`auto_advance` config), per-task commit format `{type}({phase}-{plan}):`, `gsd-tools.cjs` CLI commands, template path references (`~/.claude/`), `user_setup` generation, `executor_model` selection, and codebase-map sync with dropped files (`STRUCTURE.md`, `INTEGRATIONS.md`).
125
+ - **Executor gained in GSDD:** XML-bounded section structure, explicit scope boundary (plan-scoped, does not own planning/verification/milestone audit), typed SUMMARY.md output example with YAML frontmatter, portable auth-gate protocol (checkpoint:user with exact steps, not vendor-specific checkpoint return format), and execution-loop alignment with the current GSDD plan schema (`checkpoint:user`, `checkpoint:review`, change-impact discipline).
126
+
127
+ The accompanying workflow alignment pass on `distilled/workflows/execute.md` added four targeted changes: mandatory read enforcement upgrade, auth-gate routing in the checkpoint protocol, concrete deviation-rule examples matching the role contract, and a substantive summary quality gate.
128
+
129
+ This hardening pass also clarified a reusable architectural rule: strict portable workflows are not enough if the canonical role contracts underneath them are flattened into prose. Role strictness and workflow strictness both matter.
130
+
131
+ **Research-claim narrowing from `agentic-prd-sota.md`:**
132
+
133
+ - **Keep:** density over brevity, no arbitrary line caps, bounded role contracts, deterministic inputs, and typed/machine-usable handoffs when another agent consumes the result.
134
+ - **Narrow:** the nested-data benchmark is relevant to output schema choices, not to whether XML-style prompt sections should exist. Prompt delimiters and machine-readable output formats are different problems.
135
+ - **Reject as universal claim:** "YAML is better than markdown" is too broad. The defensible rule is narrower: use constrained machine-readable structure when downstream agents must parse and aggregate findings.
136
+ - **Keep scoped:** OWASP auth guidance remains decisive for the milestone integration/audit surface, not for these four role contracts.
137
+
138
+ **Direct distillations (1:1 source lineage):**
139
+
140
+ | Canonical role | GSD source | Audit status |
141
+ | ---------------- | ------------------------------------------------------------------ | ------------------------------- |
142
+ | `mapper.md` | `gsd-codebase-mapper.md` | source-audited |
143
+ | `synthesizer.md` | `gsd-research-synthesizer.md` | source-audited (S12) |
144
+ | `executor.md` | `gsd-executor.md` | source-audited (executor audit) |
145
+ | `roadmapper.md` | `gsd-roadmapper.md` | source-audited (S12) |
146
+ | `debugger.md` | `gsd-debugger.md` (standalone utility, not part of core lifecycle) | — |
147
+
148
+ **Evidence:**
149
+
150
+ - GSD originals preserved in `agents/_archive/` (11 files, git history intact via `git mv`)
151
+ - GSDD canonicals in `agents/` (9 files + README.md)
152
+ - `agents/README.md` lifecycle table maps each canonical role to its GSD sources
153
+
154
+ ---
155
+
156
+ ## 3. Two-Layer Architecture: Roles and Delegates
157
+
158
+ **GSD:** Workflows embed role instructions inline. No separation between what an agent _is_ and what it _does_ in a given workflow. A single GSD workflow file (e.g., `new-project.md` at 851 lines) contains both orchestration logic and agent behavioral contracts.
159
+
160
+ **GSDD:** Two explicit layers.
161
+
162
+ | Layer | Location | Purpose | Example |
163
+ | --------- | ------------------------------------ | ------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
164
+ | Roles | `agents/*.md` | Durable contracts: identity, algorithm, quality guarantees, anti-patterns | `agents/mapper.md` -- defines the mapper's forbidden-files rule, output format, verification protocol |
165
+ | Delegates | `distilled/templates/delegates/*.md` | Thin task-specific wrappers: scoped instructions referencing a role | `mapper-tech.md` -- tells the mapper to focus on tech stack, write to STACK.md |
166
+
167
+ **Why two layers:**
168
+
169
+ - Roles can be audited and improved independently of workflow wiring.
170
+ - Delegates can be rewired (point to different output paths, change scope) without touching role semantics.
171
+ - New workflows compose existing roles via new delegates without duplicating behavioral definitions.
172
+ - Security rules, quality gates, and algorithms are defined once in the role -- not scattered across delegates.
173
+
174
+ **Delegate thinness principle:** Delegates carry ONLY task-specific content (output path, focus area, return format, quality checklist). They do NOT contain algorithms, verification protocols, security rules, or anti-patterns -- those live in the role contract.
175
+
176
+ **Current delegates (10):**
177
+
178
+ | Delegate | Role | Output | Workflow |
179
+ | ---------------------------- | ----------- | ------------------------------------ | ---------------------- |
180
+ | `mapper-tech.md` | mapper | `.planning/codebase/STACK.md` | map-codebase |
181
+ | `mapper-arch.md` | mapper | `.planning/codebase/ARCHITECTURE.md` | map-codebase |
182
+ | `mapper-quality.md` | mapper | `.planning/codebase/CONVENTIONS.md` | map-codebase |
183
+ | `mapper-concerns.md` | mapper | `.planning/codebase/CONCERNS.md` | map-codebase |
184
+ | `researcher-stack.md` | researcher | `.planning/research/STACK.md` | new-project |
185
+ | `researcher-features.md` | researcher | `.planning/research/FEATURES.md` | new-project |
186
+ | `researcher-architecture.md` | researcher | `.planning/research/ARCHITECTURE.md` | new-project |
187
+ | `researcher-pitfalls.md` | researcher | `.planning/research/PITFALLS.md` | new-project |
188
+ | `researcher-synthesizer.md` | synthesizer | `.planning/research/SUMMARY.md` | new-project |
189
+ | `plan-checker.md` | planner | JSON checker report | plan (native adapters) |
190
+
191
+ **Distribution model:** `gsdd init` copies role contracts from `agents/` to `.planning/templates/roles/` in consumer projects. Delegates in `.planning/templates/delegates/` reference the local role copy (`Read .planning/templates/roles/<role>.md`). Consumer projects are self-contained at runtime -- no dependency on the framework repo.
192
+
193
+ **Evidence:**
194
+
195
+ - `agents/README.md` (Two-Layer Architecture and Runtime Distribution sections)
196
+ - `bin/gsdd.mjs` lines 84-102 (role copy step with existsSync guard)
197
+ - `tests/gsdd.init.test.cjs` (validates role file existence and delegate-role references)
198
+ - All 10 delegate files (each starts with a role contract reference on line 1)
199
+
200
+ ---
201
+
202
+ ## 4. Zero-Hop Security Propagation
203
+
204
+ **GSD:** Security rules for mapper agents lived in `gsd-codebase-mapper.md` (the agent file). Workflows like `map-codebase.md` contained a `<forbidden_files>` block. Agents needed to read both the workflow and their own role definition to get the full security picture -- a one-hop dependency.
205
+
206
+ **GSDD evolution (two phases):**
207
+
208
+ | Phase | PR | What changed |
209
+ | ------------ | ---- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
210
+ | A (one-hop) | PR 2 | Mapper delegates cross-referenced `<forbidden_files>` from the map-codebase skill. Security rules reachable but required reading a second file. |
211
+ | B (zero-hop) | PR 4 | Full 12-category forbidden-files list absorbed into `agents/mapper.md`. Delegates reference the role contract directly. No second file needed. |
212
+
213
+ **The zero-hop rule:** Any rule that a delegate MUST follow belongs in the role contract it references, not in a cross-referenced workflow file that consumer projects may or may not have. When a delegate reads its role contract, it gets the complete behavioral and security contract in one read.
214
+
215
+ **Forbidden-files categories in `agents/mapper.md`:**
216
+
217
+ 1. `.env`, `.env.*`, `*.env`
218
+ 2. `credentials.*`, `secrets.*`, `*secret*`, `*credential*`
219
+ 3. `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`
220
+ 4. `id_rsa*`, `id_ed25519*`, `id_dsa*`
221
+ 5. `.npmrc`, `.pypirc`, `.netrc`
222
+ 6. `config/secrets/*`, `.secrets/*`, `secrets/`
223
+ 7. `*.keystore`, `*.truststore`
224
+ 8. `serviceAccountKey.json`, `*-credentials.json`
225
+ 9. `docker-compose*.yml` -- read for architecture; flag inline secrets under Hard stop
226
+ 10. Gitignored files that appear to contain secrets
227
+ 11. `node_modules/`, `vendor/`, `.git/`
228
+ 12. Binary files, database files, media files
229
+
230
+ **Hard stop:** Before writing CONCERNS.md, grep for `API_KEY`, `SECRET`, `PASSWORD`, `PRIVATE_KEY`, `-----BEGIN`, `Authorization:`. If hardcoded secrets found: STOP immediately, report to orchestrator. Mapper output gets committed to git -- leaked secrets are a security incident.
231
+
232
+ **Evidence:**
233
+
234
+ - `agents/mapper.md` lines 66-90 (Forbidden Files section + Hard stop)
235
+ - `agents/_archive/gsd-codebase-mapper.md` lines 66-97 (original narrower rules)
236
+ - PR 2 intermediate state (one-hop via SKILL.md cross-reference)
237
+ - PR 4 final state (zero-hop, role contains all rules)
238
+ - `package.json` `files` array includes `agents/` (npm distribution fix)
239
+
240
+ ---
241
+
242
+ ## 5. Conditional Synthesizer
243
+
244
+ **GSD:** Always spawns `gsd-research-synthesizer` after 4 researchers complete. Synthesizer reads all 4 research files, writes SUMMARY.md. No option to skip.
245
+
246
+ **GSDD:** Conditional on `researchDepth` config:
247
+
248
+ | researchDepth | Synthesizer behavior |
249
+ | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
250
+ | `fast` | Orchestrator writes SUMMARY.md inline from the 4 x 3-5 sentence summaries it holds in context. No delegate spawned. |
251
+ | `balanced` | ResearchSynthesizer delegate spawned. Reads 4 full research files. Cross-references build order constraints, pitfall-to-phase mappings, feature-architecture conflicts that short summaries omit. |
252
+ | `deep` | Same as balanced but researchers produce longer output (more material for synthesizer to cross-reference). |
253
+
254
+ **Why conditional:** The synthesizer's value is in cross-referencing specific data across research dimensions. When `researchDepth=fast`, researchers produce 3-5 sentence summaries only -- there's nothing substantive to cross-reference. Spawning a synthesizer to reformat 4 short paragraphs wastes a context window and an agent hop.
255
+
256
+ **Evidence:**
257
+
258
+ - GSD source: `get-shit-done/workflows/new-project.md` lines 708-729 (always-spawn synthesizer)
259
+ - GSDD: `distilled/templates/delegates/researcher-synthesizer.md` (active delegate, references `synthesizer.md`)
260
+ - `agents/synthesizer.md` canonical contract (cross-reference algorithm)
261
+ - Config contract: `.planning/config.json` `researchDepth` field
262
+
263
+ ---
264
+
265
+ ## 6. Mapper Staleness: Standalone Workflow
266
+
267
+ **GSD:** `map-codebase.md` was ALWAYS a standalone workflow, separate from `new-project.md`. It had built-in staleness detection with three user options: Refresh (delete + remap), Update (selective document refresh), Skip (use existing maps).
268
+
269
+ **GSDD:** Preserved exactly. Two integration points:
270
+
271
+ 1. **On first brownfield init:** `new-project.md` detects source files, offers codebase mapping. If accepted, invokes `map-codebase` via the portable skill surface (`.agents/skills/gsdd-map-codebase/SKILL.md`).
272
+
273
+ 2. **On subsequent runs:** If `.planning/codebase/` already exists, mappers are skipped during init. User runs `/gsdd:map-codebase` directly to trigger the Refresh/Update/Skip flow.
274
+
275
+ **Why standalone:** Codebase maps become stale after major refactors. Users need to refresh maps independently of project initialization. Embedding mapping inside init would force a full re-init to refresh maps.
276
+
277
+ **Agent count implications:**
278
+
279
+ | Scenario | Mappers spawned |
280
+ | ---------------------- | ------------------------------------------------- |
281
+ | Brownfield, first run | 4 (one per focus area) |
282
+ | Brownfield, maps exist | 0 (skipped, user directed to standalone workflow) |
283
+ | Greenfield | 0 (no codebase to map) |
284
+
285
+ **Evidence:**
286
+
287
+ - GSD source: `get-shit-done/workflows/map-codebase.md` lines 35-62 (staleness check with 3 options)
288
+ - GSD source: `get-shit-done/workflows/new-project.md` lines 61-80 (brownfield offer delegates to map-codebase)
289
+ - GSDD: `distilled/workflows/map-codebase.md` (standalone, re-runnable)
290
+ - GSDD: `distilled/workflows/new-project.md` (auto-invoke for brownfield via skill reference)
291
+
292
+ ---
293
+
294
+ ## 7. Milestone Hierarchy and Phase Continuation
295
+
296
+ **GSD:** Three project-state files -- PROJECT.md (project definition), REQUIREMENTS.md (scoped features), STATE.md (current phase/status). Milestones archived in MILESTONES.md. Phase numbering continues across milestones (v1.0 phases 1-5, v1.1 starts at phase 6).
297
+
298
+ **GSDD:** Merged to two files -- `.planning/SPEC.md` (combines PROJECT.md + REQUIREMENTS.md), `.planning/ROADMAP.md` (combines roadmap + inline status, replacing STATE.md). Same milestone semantics.
299
+
300
+ | GSD file | GSDD equivalent | What changed |
301
+ | --------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------- |
302
+ | PROJECT.md | `.planning/SPEC.md` (project definition section) | Merged -- no separate project definition file |
303
+ | REQUIREMENTS.md | `.planning/SPEC.md` (requirements section) | Merged -- requirements live alongside project context |
304
+ | STATE.md | `.planning/ROADMAP.md` (inline status per phase) | Dropped as separate file -- checkbox status in `.planning/ROADMAP.md` is sufficient |
305
+ | ROADMAP.md | `.planning/ROADMAP.md` | Simplified format -- checkboxes, no REQ-ID traceability tables |
306
+ | MILESTONES.md | `.planning/milestones/` directory | Archive of completed milestone roadmaps |
307
+
308
+ **Preserved semantics:**
309
+
310
+ - `.planning/SPEC.md` = project lifetime (grows with validated requirements)
311
+ - `.planning/ROADMAP.md` = current milestone only (archived when milestone completes)
312
+ - Phase numbering continues across milestones
313
+ - Researchers receive `milestone_context: [subsequent]` on new milestones -- they focus on new features, not existing system
314
+
315
+ **Evidence:**
316
+
317
+ - GSD source: `get-shit-done/workflows/new-milestone.md` lines 101-173 (milestone-aware researchers), line 269 (phase numbering continuation)
318
+ - GSDD: `distilled/README.md` lifecycle diagram
319
+ - `.planning/SPEC.md` "Long-Term Lifecycle" section
320
+
321
+ ---
322
+
323
+ ## 8. Advisory Git Protocol
324
+
325
+ **GSD:** Embedded git naming conventions in workflows and executor agents. Phase/plan/task IDs appeared in commit messages. Executor's core algorithm ended each task with a commit step. TDD flow required commits at RED/GREEN steps.
326
+
327
+ **GSDD:** Git guidance is advisory. Repository and team conventions take precedence over framework defaults.
328
+
329
+ **What was removed:**
330
+
331
+ - Phase/plan/task ID formatting in commit messages
332
+ - Mandatory one-commit-per-task rule in executor algorithm
333
+ - Mandatory commits at TDD RED/GREEN steps in executor contract
334
+ - Phase-scoped branch naming in generated governance
335
+
336
+ **What was kept:**
337
+
338
+ - `gitProtocol` config key in `.planning/config.json` (stable, not renamed)
339
+ - Advisory guidance fields: `branch`, `commit`, `pr` (user fills in or accepts defaults)
340
+ - Defaults state: "Follow the existing repo or team convention"
341
+
342
+ **Why advisory:** GSDD targets diverse teams and repos. Imposing one-commit-per-task or phase-scoped branch names on a repo that uses squash-and-merge or trunk-based development creates friction without value. The framework provides structure for planning -- it should not dictate git workflow.
343
+
344
+ **Evidence:**
345
+
346
+ - GSD source: `agents/_archive/gsd-executor.md` (mandatory commit in algorithm, TDD flow)
347
+ - GSDD: `agents/executor.md` lines 57-64 (Git Guidance -- repo-native, advisory)
348
+ - PR 5 (merged as PR #7): removed rigid git naming from workflows, adapters, generated governance
349
+
350
+ ---
351
+
352
+ ## 9. Adapter Generation Over Conversion
353
+
354
+ **GSD:** Writes workflows for Claude Code first. `install.js` converts Claude-specific frontmatter (AskUserQuestion, Task(), SlashCommand(), `~/.claude/` paths) to OpenCode and Gemini formats. Conversion is lossy -- some Claude features have no equivalent.
355
+
356
+ **GSDD:** Core workflows are plain markdown. No vendor-specific APIs. Adapter files are generated from agent-agnostic source, not converted from a Claude-first original.
357
+
358
+ **GSD's vendor lock-in surface:**
359
+
360
+ | API | Call sites in GSD | GSDD replacement |
361
+ | ------------------- | -------------------------------- | ---------------------------------------------- |
362
+ | `AskUserQuestion` | 38+ (15 workflows + 14 commands) | Plain text: "Ask the user: ..." |
363
+ | `Task()` subagent | 35+ across 15 workflows | `<delegate>` blocks with markdown instructions |
364
+ | `SlashCommand()` | 4 call sites | Skill references or inline workflow steps |
365
+ | `~/.claude/` paths | 39+ files | Install-time paths via CLI |
366
+ | `gsd-tools.cjs` CLI | 28 workflow files | `bin/gsdd.mjs` (simplified) |
367
+
368
+ **Adapter output per tool:**
369
+
370
+ | Tool | Generated surface | Trigger |
371
+ | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
372
+ | Any (portable) | `.agents/skills/gsdd-*/SKILL.md` | Always generated on `gsdd init` |
373
+ | Claude Code | `.claude/skills/gsdd-*/SKILL.md` + `.claude/commands/gsdd-plan.md` (compatibility alias for `plan`) + `.claude/agents/gsdd-plan-checker.md` | `--tools claude` |
374
+ | Codex CLI | `.agents/skills/gsdd-*/SKILL.md` | Always generated on `gsdd init`; no Codex-specific adapter file required |
375
+ | OpenCode | `.opencode/commands/gsdd-*.md` + `.opencode/agents/gsdd-plan-checker.md` | `--tools opencode` |
376
+ | Cursor/Copilot | `.agents/skills/gsdd-*/SKILL.md` | Slash-invoked skills once the runtime is configured with that skills location |
377
+ | Gemini CLI | `.gemini/commands/*.toml` or root `AGENTS.md` fallback | Custom commands if mirrored; `--tools agents` remains the fallback path |
378
+
379
+ Codex is skills-first because the Codex CLI already supports repository skills directly. GSDD should not generate a `.codex/AGENTS.md` file just to simulate a native path that the runtime does not need. Runtime validation status belongs in the internal status docs, not in this design record.
380
+
381
+ **Why generation over conversion:** Converting from a vendor-specific source is lossy and brittle -- every new agent needs a new converter. Generating tool-specific files from vendor-agnostic markdown is lossless and scales linearly. Pattern validated by OpenSpec (24 AI tools, 48 contributors).
382
+
383
+ **Evidence:**
384
+
385
+ - GSD source: `bin/install.js` (converter with per-runtime conversion logic)
386
+ - GSD source: `get-shit-done/workflows/new-project.md` (851 lines, 10+ AskUserQuestion calls, 7 Task() calls)
387
+ - GSDD: `bin/gsdd.mjs` (thin CLI entrypoint and adapter dispatcher after the boundary cleanup)
388
+ - GSDD: `bin/adapters/*` (vendor-specific adapter generation and native prompt rendering after the boundary cleanup)
389
+ - GSDD: `distilled/templates/delegates/plan-checker.md` as the single payload source for native-capable checker-agent generation
390
+ - `.planning/SPEC.md` "Agent Integration Strategy" section
391
+ - AGENTS.md Linux Foundation standard: [agents.md](https://agents.md)
392
+ - OpenAI Codex CLI: natively reads repository Agent Skills from `.agents/skills/` (open `agents.md` standard); no `.codex/AGENTS.md` required
393
+
394
+ ---
395
+
396
+ ## 10. Context Isolation: Summaries Up, Documents to Disk
397
+
398
+ **GSD:** Subagents (researchers, mappers) write documents to `.planning/` directories. Orchestrator spawns agents via `Task()`, receives their return value. The pattern implicitly keeps large documents out of the orchestrator's context.
399
+
400
+ **GSDD:** Makes this explicit as a design rule.
401
+
402
+ **The rule:** Delegates write full documents to disk. They return 3-5 sentence summaries to the orchestrator. The orchestrator never receives document contents in its conversation context.
403
+
404
+ **Why this matters:**
405
+
406
+ - LLM context windows are finite. An orchestrator that receives 4 full research files (each 200+ lines) before writing `.planning/SPEC.md` will be context-starved for the spec-writing step.
407
+ - Disk is unlimited. Downstream agents (synthesizer, planner) read files directly when they need the full content.
408
+ - Summaries give the orchestrator enough signal to make routing decisions (skip synthesis? flag a blocker?) without consuming the context budget.
409
+
410
+ **Implementation:**
411
+
412
+ - Each delegate's instructions end with: "Return a 3-5 sentence summary of key findings. Do NOT return the full document contents."
413
+ - Output templates in `.planning/templates/research/` and `.planning/templates/codebase/` define the on-disk format.
414
+ - The synthesizer reads all 4 research files from disk -- it is the only agent that sees full research content.
415
+
416
+ **Evidence:**
417
+
418
+ - GSD source: `get-shit-done/workflows/new-project.md` lines 544-706 (4 researchers write to files, return summaries)
419
+ - GSDD: all 9 delegate files (return format instructions)
420
+ - GSDD: `agents/synthesizer.md` (reads full research files from disk)
421
+ - External: Anthropic Agent Teams (Feb 2026) -- "Shared State, Not Shared Context" using filesystem over context window
422
+ - External: AI21 Modular Intelligence (Feb 2026) -- orchestrator-based designs prevent context drift
423
+
424
+ ---
425
+
426
+ ## 11. Quick-Work Lane
427
+
428
+ **GSD:** `get-shit-done/workflows/quick.md` (454 lines). Two modes: default (plan + execute) and `--full` (adds plan-checking and verification). Tracks tasks in STATE.md. Uses `gsd-tools.cjs` CLI, `Task()` subagent API, `AskUserQuestion` API, and mandatory atomic commits per task.
429
+
430
+ **GSDD:** Single mode, ~120 lines. Conditional verifier via `config.json`, LOG.md tracking, advisory git, direct role references.
431
+
432
+ **What was kept:**
433
+
434
+ - `.planning/quick/NNN-slug/` directory structure with sequential numbering
435
+ - 1-3 task maximum for quick plans
436
+ - Separate tracking from phase work (quick tasks don't touch ROADMAP.md)
437
+ - Reuse of planner, executor, and verifier roles (no new roles or delegates)
438
+
439
+ **What was stripped:**
440
+
441
+ - `--full` flag duality (use the full phase cycle when you need plan-checking depth)
442
+ - `STATE.md` tracking (eliminated in D7; replaced with append-only LOG.md)
443
+ - `gsd-tools.cjs` CLI calls for init, commit, and slug generation
444
+ - `Task()` vendor API and `AskUserQuestion` API (replaced with portable `<delegate>` blocks)
445
+ - Mandatory atomic commits (replaced with advisory git per D8)
446
+ - Plan-checker loop for quick tasks (the full phase workflow handles this when needed)
447
+
448
+ **What was added:**
449
+
450
+ - Advisory git protocol (D8) — follows repo conventions, no framework-imposed commit format
451
+ - Context isolation (D10) — delegates write to disk, return summaries
452
+ - Conditional verifier toggle via `config.json` `workflow.verifier` setting
453
+ - `.planning/quick/LOG.md` — append-only table tracking all quick tasks with status
454
+
455
+ **No new delegates.** Quick workflow uses `<delegate>` blocks referencing existing role contracts directly (same pattern as `audit-milestone.md`). Delegate count stays at 10.
456
+
457
+ **Evidence:**
458
+
459
+ - GSD source: `get-shit-done/workflows/quick.md` (454 lines, two modes, STATE.md tracking)
460
+ - GSDD: `distilled/workflows/quick.md` (~120 lines, single mode, LOG.md tracking)
461
+ - D7 (milestone hierarchy): STATE.md replaced by ROADMAP.md inline status
462
+ - D8 (advisory git): repo conventions over framework defaults
463
+ - D10 (context isolation): summaries up, documents to disk
464
+
465
+ ---
466
+
467
+ ## 12. Session Persistence Without State File
468
+
469
+ **GSD:** 4 control-plane workflows — `pause-work.md` (123L), `resume-project.md` (307L), `progress.md` (382L), `health.md` (157L) = 969 lines. All depend on `STATE.md` for current position, `gsd-tools.cjs` for timestamps and init, and Claude-specific APIs (`Task()`, `AskUserQuestion`). Resume includes ASCII box UI, progress bars, interrupted-agent detection, and STATE.md reconstruction.
470
+
471
+ **GSDD:** 3 workflows — `pause.md` (~107L) + `resume.md` (~139L) + `progress.md` (~200L) = ~446 lines. All three now use named XML sections inside `<process>` (aligned with core workflow conventions) and explicit scope boundaries in `<role>`.
472
+
473
+ **What was kept from GSD:**
474
+
475
+ - Disk-based state detection (phase directories, checkpoint files, plan/summary presence)
476
+ - Conversational pause gathering (ask the user to fill gaps artifacts can't answer)
477
+ - `.continue-here.md` checkpoint file with structured sections
478
+ - Contextual resume routing (5 priority-ordered branches)
479
+ - Quick-resume shortcut ("continue"/"go" = skip options, execute primary action)
480
+
481
+ **What was stripped at D12 design time:**
482
+
483
+ - `progress.md` (382L) — initially assessed as subsumed by resume; re-added as separate workflow after audit (see amendment below)
484
+ - `health.md` (157L) — GSDD's simpler `.planning/` structure does not warrant a dedicated error taxonomy and repair workflow
485
+ - `STATE.md` loading and reconstruction — GSDD has no STATE.md (D7)
486
+ - `gsd-tools.cjs` CLI calls for timestamps, init resume, and commit
487
+ - Interrupted-agent detection (vendor-specific `Task()` API, `agent-history.json`)
488
+ - ASCII box UI and progress bars
489
+ - `CONTEXT.md` awareness (no discuss-phase workflow in GSDD)
490
+ - Todo tracking integration
491
+ - Session continuity STATE.md updates
492
+ - Mandatory WIP commit format
493
+
494
+ **What was added:**
495
+
496
+ - Project-scoped checkpoint (single known location `.planning/.continue-here.md` vs GSD's phase-scoped glob)
497
+ - Quick-task awareness (LOG.md incomplete entries detected by both pause and resume)
498
+ - Workflow-type frontmatter in checkpoint (`workflow`, `phase`, `timestamp`) for resume routing
499
+ - Checkpoint cleanup after successful resume routing
500
+ - Explicit routing to GSDD workflow names (`gsdd-execute`, `gsdd-plan`, etc.)
501
+
502
+ **Design principle:** Derive state from primary artifacts (ROADMAP.md checkboxes, phase directories, checkpoint file), not from secondary summary files that can drift. This extends D7's elimination of STATE.md.
503
+
504
+ **No new roles or delegates.** Pause, resume, and progress are orchestrator-level workflows (read files, present status, route). Same pattern as `audit-milestone.md`. Delegate count stays at 10.
505
+
506
+ **Progress amendment (2026-03-14):**
507
+
508
+ The initial D12 assessment — that resume subsumes progress — turned out to be incomplete. An external audit (2026-03-13) explicitly listed `progress` as a required control-plane element in its top-3 highest-ROI recommendations. After delivering pause+resume, the gap became clear: the two workflows serve different contracts.
509
+
510
+ | Workflow | Contract | Side effects |
511
+ | ------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------ |
512
+ | `resume.md` | Restore session context, load checkpoint, execute the primary next action | Checkpoint cleanup, state restoration, conversational resume |
513
+ | `progress.md` | Read-only status query: where am I, what's next? | None — no files written, no state changed |
514
+
515
+ A user who wants a quick status snapshot before deciding what to do next should not have to trigger a full session restore. Progress answers "where am I?" without side effects. Resume answers "restore me and get me moving."
516
+
517
+ GSDD's `progress.md` (~200 lines) is a deep distillation of GSD's 382-line version:
518
+
519
+ - **Kept from GSD:** project-existence check, ROADMAP.md phase-status parsing (`[ ]`/`[-]`/`[x]`), phase completion count, checkpoint-file detection, incomplete-work scanning (PLAN without SUMMARY, SUMMARY without VERIFICATION), quick-task log check, priority-ordered routing with 6 named branches (A-F) and output blocks, recent work from 2-3 most recent SUMMARY.md files, between-milestones detection (SPEC exists, ROADMAP absent), edge case handling for compound states, typed filled-in example
520
+ - **Stripped:** `gsd-tools.cjs` CLI calls, `STATE.md` loading, progress-bar rendering, Key Decisions section, Blockers section, Pending Todos, Active Debug Sessions, Profile display, UAT gap routing
521
+
522
+ Design principle unchanged: derive state from primary artifacts (ROADMAP.md, SPEC.md, phase directories, checkpoint file). No new roles, no new delegates.
523
+
524
+ **Evidence:**
525
+
526
+ - GSD source: `get-shit-done/workflows/pause-work.md` (123 lines, phase-scoped checkpoint)
527
+ - GSD source: `get-shit-done/workflows/resume-project.md` (307 lines, STATE.md-dependent)
528
+ - GSD source: `get-shit-done/workflows/progress.md` (382 lines, gsd-tools.cjs-dependent, STATE.md-dependent, progress bars, rich session dashboard)
529
+ - GSDD: `distilled/workflows/pause.md` (project-scoped checkpoint, advisory git)
530
+ - GSDD: `distilled/workflows/resume.md` (artifact-derived state, priority-ordered routing)
531
+ - GSDD: `distilled/workflows/progress.md` (~200 lines, read-only, no side effects, artifact-derived state)
532
+ - External audit: `.internal-research/gsd-distilled-audit-13th-march-2026.md` — Highest-ROI recommendation #3: "Add just enough: status/resume/progress/health"
533
+ - D7 (milestone hierarchy): STATE.md replaced by ROADMAP.md inline status
534
+ - D8 (advisory git): WIP commit is suggested, not mandated
535
+
536
+ ---
537
+
538
+ ## 13. Mechanical Invariant Enforcement
539
+
540
+ **GSD:** No structural invariant tests. Framework correctness relies on manual review and ad-hoc checking.
541
+
542
+ **GSDD:** 6 invariant suites (G1-G7, G2 reserved) with ~106 assertions enforce structural properties across all 29 framework markdown files. Every assertion message includes a `FIX:` instruction so CI agents can self-remediate.
543
+
544
+ **Suite inventory:**
545
+
546
+ | Suite | Name | Assertions | What it guards |
547
+ |-------|------|------------|----------------|
548
+ | G1 | Cross-Document Schema Consistency | ~20 | Same field documented in all surfaces that reference it |
549
+ | G3 | File Size Guards | ~29 | Prevent bloat regression (roles ≤500L, workflows ≤400L, delegates ≤100L) |
550
+ | G4 | XML Section Well-Formedness | ~29 | Every `<tag>` has matching `</tag>` across all framework files |
551
+ | G5 | Artifact Lifecycle Chain | ~11 | Each role references its input and output artifacts |
552
+ | G6 | DESIGN.md Decision Registry | ~5 | ≥13 numbered decisions, each with Evidence subsection |
553
+ | G7 | Delegate Thinness | ~9 | Non-empty lines ≤50 (plan-checker exempt) |
554
+
555
+ **Why remediation messages matter:** OpenAI's Harness Engineering (Feb 2026) confirmed what GSDD's audit surfaced independently: for agent-driven development, **error messages ARE the enforcement mechanism**. When an agent reads `"pause.md: <tag> opened 2x but closed 1x. FIX: Add missing </tag>."`, it can act on the fix instruction directly. Test failures without actionable messages require the agent to reason about intent from stack traces — slower and less reliable.
556
+
557
+ **The G4 suite caught 3 real bugs on first run:** 3 session workflows (pause.md, progress.md, resume.md) had orphan `</output>` closing tags with no corresponding opener. These were invisible to manual review across PRs #20-23 but immediately flagged by the well-formedness check.
558
+
559
+ **Evidence:**
560
+
561
+ - `tests/gsdd.invariants.test.cjs` lines 1015+ (6 suites, ~106 assertions)
562
+ - OpenAI Harness Engineering blog (Feb 2026): "error messages as enforcement mechanism"
563
+ - External audit (2026-03-13): recommendation #4 "Mechanize the framework's invariants"
564
+ - GSD source: no equivalent test infrastructure
565
+ - PRs #20-23: orphan `</output>` tags survived 4 manual review cycles before G4 caught them
566
+
567
+ ---
568
+
569
+ ## 14. Headless Mode
570
+
571
+ **GSD:** `--auto` flag in `new-project.md` — skips interactive questioning, requires idea document,
572
+ auto-approves requirements and roadmap, auto-advances to plan phase. Implemented across 5 workflow files
573
+ with `AskUserQuestion` API gates.
574
+
575
+ **GSDD:** `gsdd init --auto --tools <platform>` — non-interactive CLI bootstrap. Workflow-level auto mode
576
+ via `autoAdvance: true` in `.planning/config.json` + `<auto_mode>` section in `new-project.md`.
577
+
578
+ **Key design choices:**
579
+
580
+ 1. **Brief-file over argument-passing.** GSD passes the idea document as a workflow argument or pasted text.
581
+ GSDD uses a well-known file path (`.planning/PROJECT_BRIEF.md`) because:
582
+ - File reads work on every agent platform (portable)
583
+ - Brief can be inspected and edited before the workflow runs
584
+ - Matches GSDD's "documents to disk" principle (D10)
585
+ - CI pipelines can prepare the brief as a build artifact
586
+
587
+ 2. **Config-driven, not flag-driven at the workflow level.** The CLI sets `autoAdvance: true` in config.
588
+ The workflow reads config, not CLI arguments. This means any agent on any platform can detect
589
+ auto mode by reading config.json — no vendor-specific argument parsing required.
590
+
591
+ 3. **No auto-advance to plan phase.** GSD auto-chains: new-project → discuss → plan → execute.
592
+ GSDD stops after SPEC.md + ROADMAP.md are created. Reason: GSDD doesn't have a discuss-phase
593
+ workflow, and chaining the full lifecycle requires auto-mode support in plan.md/execute.md/verify.md
594
+ (future work). Stopping after init gives CI systems a review checkpoint.
595
+
596
+ 4. **Unified with existing non-TTY fallback.** `bin/gsdd.mjs` already had a non-interactive path
597
+ for piped stdin. `--auto` and the TTY fallback now share `buildDefaultConfig()`, reducing
598
+ code duplication and ensuring identical default config shape.
599
+
600
+ **Evidence:**
601
+
602
+ - GSD source: `get-shit-done/workflows/new-project.md` lines 9-40 — direct predecessor and
603
+ only comparable headless workflow found in reviewed spec-framework sources
604
+ - OpenFang comparison: capability-gate emphasis supports keeping security review explicit even in
605
+ automated flows, which is why auto mode inserts a deferred gate-review placeholder instead of
606
+ silently omitting the section
607
+ - Claude Code: `-p` flag for headless execution with `--allowedTools` for access control
608
+ (docs.anthropic.com)
609
+ - Codex CLI: `--quiet` and `--auto-edit` flags for non-interactive modes
610
+ (developers.openai.com/codex/cli/reference)
611
+ - Cline CLI 2.0: explicit headless CI/CD mode (devops.com, 2025)
612
+
613
+ ---
614
+
615
+ ## 15. Model Profile Propagation
616
+
617
+ **GSD:** `modelProfile` stored in `.planning/config.json` with profile-to-model mapping. GSD generates
618
+ `opencode.json` with agent-to-model mappings for the OpenCode runtime; does not inject `model:` into
619
+ individual sub-agent frontmatter files.
620
+
621
+ **GSDD:** Static injection at generation time, with explicit runtime ownership. `modelProfile`
622
+ remains the portable semantic default. `agentModelProfiles` adds per-agent semantic overrides.
623
+ Claude generation translates those semantic tiers into stable aliases for the native checker agent.
624
+ OpenCode generation no longer infers exact `provider/model-id` strings from detected runtime config;
625
+ it only injects an OpenCode `model:` when the user explicitly sets
626
+ `runtimeModelOverrides.opencode.<agent>`.
627
+
628
+ **Decision: static injection at generation time, not dynamic runtime config reading.**
629
+
630
+ Dynamic reading (having agent files instruct the LLM to read config.json and select a model)
631
+ is incompatible with how Claude Code and OpenCode frontmatter works: it is parsed at agent
632
+ spawn time, not by the agent itself. Static injection remains the right mechanic, but the old
633
+ OpenCode approach overreached by guessing runtime-specific ids from detected provider config.
634
+ Current GSDD keeps the portable semantic layer and makes exact runtime ids explicit user-owned
635
+ configuration instead of framework inference.
636
+
637
+ **Scope: agent files only.** The current supported agent id is `plan-checker`. The `model:` field is injected into:
638
+ - `.claude/agents/gsdd-plan-checker.md` using Claude Code aliases (`opus`, `sonnet`, `haiku`)
639
+ - `.opencode/agents/gsdd-plan-checker.md` using an exact runtime-native string only when the user
640
+ explicitly configured `runtimeModelOverrides.opencode.plan-checker`
641
+
642
+ Current repo truth:
643
+ - portable semantic settings:
644
+ - `modelProfile`
645
+ - optional `agentModelProfiles.<agent>` (currently consumed by `plan-checker`)
646
+ - exact runtime-native settings:
647
+ - optional `runtimeModelOverrides.<runtime>.<agent>` (currently consumed by checker agents)
648
+ - Claude checker generation uses the resolved semantic tier unless an exact Claude runtime override exists
649
+ - OpenCode checker generation omits `model:` by default and inherits the active OpenCode runtime model
650
+ - OpenCode checker generation injects `model:` only when `runtimeModelOverrides.opencode.plan-checker`
651
+ is explicitly set
652
+ - `gsdd models show` returns typed effective-state data and keeps human guidance in `hints` rather than
653
+ mixing prose into machine-readable model fields
654
+
655
+ NOT injected into:
656
+ - `.claude/commands/*.md` / `.opencode/commands/*.md` run in main orchestrator context; model is
657
+ orchestrator-determined
658
+ - `.agents/skills/*/SKILL.md` because the Agent Skills open standard has no `model:` field
659
+
660
+ **Resolution order:**
661
+
662
+ 1. `runtimeModelOverrides.<runtime>.<agent>`
663
+ 2. `agentModelProfiles.<agent>`
664
+ 3. global `modelProfile`
665
+ 4. runtime default / omitted `model:`
666
+
667
+ **CLI surface:**
668
+ - `gsdd models show`
669
+ - `gsdd models profile <quality|balanced|budget>`
670
+ - `gsdd models agent-profile --agent plan-checker --profile <quality|balanced|budget>`
671
+ - `gsdd models clear-agent-profile --agent plan-checker`
672
+ - `gsdd models set --runtime <claude|opencode|codex> --agent plan-checker --model <id>`
673
+ - `gsdd models clear --runtime <claude|opencode|codex> --agent plan-checker`
674
+
675
+ **Trade-off: static files become stale after a profile change.** If the user changes `modelProfile`
676
+ or runtime override config directly, generated checker files are not updated until `gsdd update`
677
+ is run. This is consistent with D9 (adapter generation over conversion): adapter files are generated
678
+ on demand.
679
+
680
+ **Scope: checker-only is the final design boundary.** GSDD delegates are inline orchestrator
681
+ instructions (`<delegate>` blocks), not standalone agent files. Only the plan-checker produces
682
+ standalone agent files (`.claude/agents/`, `.opencode/agents/`, `.codex/agents/`) where static `model:`
683
+ injection is both possible and meaningful. GSD's per-agent model profiles relied on `Task(model=...)`;
684
+ GSDD replaced `Task()` with agent-agnostic delegate blocks, making per-delegate model injection
685
+ architecturally not viable without reverting to vendor-specific APIs. This closes Gap I4 by design.
686
+
687
+ **Evidence:**
688
+ - GSD reference: `modelProfile` in `.planning/config.json` plus per-agent model resolution, including
689
+ per-agent overrides, in `get-shit-done/references/model-profiles.md` and
690
+ `get-shit-done/references/model-profile-resolution.md`
691
+ - OpenSpec: portable spec/workflow core is tool-agnostic and leaves runtime-specific execution concerns
692
+ to integrations rather than encoding them into the portable spec surface (openspec.dev)
693
+ - MetaGPT: role-specialized orchestration is a legitimate place to express role-level model intent, but
694
+ that does not imply exact vendor model ids belong in a portable workflow contract
695
+ (github.com/FoundationAgents/MetaGPT)
696
+ - Claude Code: `model:` field with aliases `sonnet`, `opus`, `haiku` documented for sub-agents
697
+ (docs.anthropic.com/en/docs/claude-code/sub-agents)
698
+ - OpenCode: `model:` in agent frontmatter uses `provider/model-id`, and when omitted the agent
699
+ inherits the current model (opencode.ai/docs/agents)
700
+ - OpenCode config docs: OpenCode already owns project/global model configuration through runtime-native
701
+ config, including `model` and `small_model`, so GSDD does not need to guess exact ids to regain DX
702
+ (opencode.ai/docs/config)
703
+ - OpenCode troubleshooting: `ProviderModelNotFoundError` usually means a bad `provider/model-id`
704
+ reference, which argues for explicit user-owned runtime ids instead of inferred framework guesses
705
+ (opencode.ai/docs/troubleshooting)
706
+ - OpenAI API models: `gpt-5.4` exists and is positioned as a top-tier model for coding and agentic
707
+ work, but vendor API availability alone does not prove an OpenCode-safe `provider/model-id`, which
708
+ is why GSDD no longer infers OpenCode ids from vendor releases
709
+ (developers.openai.com/api/docs/models/gpt-5.4)
710
+ - Agent Skills open standard: no `model:` field in spec (agentskills.io/specification) - no change
711
+
712
+ ---
713
+
714
+ ## 16. Template Versioning via Generation Manifest
715
+
716
+ **GSD:** `install.js` uses SHA-256 manifest (`installedFileHashes`) plus `gsd-local-patches/` backup directory
717
+ (lines 1227-1327). On update, GSD backs up user-modified files before overwriting, enabling rollback.
718
+
719
+ **GSDD:** Generation manifest in `.planning/generation-manifest.json`, opt-in `--templates` flag on
720
+ `gsdd update`, warn-but-overwrite semantics (no backup directory), `--dry` preview mode.
721
+
722
+ **Key differences from GSD:**
723
+ - **No backup directory.** Git handles recovery — users can `git checkout` to restore any overwritten
724
+ template. Adding a `gsd-local-patches/` equivalent would introduce stale-state complexity that Git
725
+ already solves.
726
+ - **Opt-in flag.** `gsdd update` without `--templates` preserves current behavior (adapter/skill refresh
727
+ only). Template refresh is explicitly requested, so users are not surprised by file overwrites.
728
+ - **Project-scoped manifest.** `generation-manifest.json` lives in `.planning/` alongside other project
729
+ artifacts, making it portable and inspectable. The manifest records SHA-256 hashes of all installed
730
+ templates and role contracts at init/update time.
731
+ - **Modification detection.** When `--templates` runs, GSDD compares installed file hashes against the
732
+ manifest to detect user modifications. Modified files trigger a `WARN` before overwrite. Files matching
733
+ the manifest (unchanged) are silently refreshed. Files matching source (already current) are skipped.
734
+
735
+ **Manifest shape:**
736
+ ```json
737
+ {
738
+ "frameworkVersion": "v1.2",
739
+ "generatedAt": "ISO-8601",
740
+ "templates": {
741
+ "delegates": { "file.md": "sha256..." },
742
+ "research": { ... },
743
+ "codebase": { ... },
744
+ "root": { "agents.block.md": "sha256..." }
745
+ },
746
+ "roles": { "mapper.md": "sha256..." }
747
+ }
748
+ ```
749
+
750
+ **`FRAMEWORK_VERSION` vs `initVersion`:** `initVersion` (currently `v1.1`) tracks config schema version.
751
+ `FRAMEWORK_VERSION` (currently `v1.2`) tracks template/generation versions in the manifest. They are
752
+ independent concerns — config shape can change without template changes and vice versa.
753
+
754
+ **Evidence:**
755
+ - GSD `install.js`: SHA-256 manifest + backup directory pattern
756
+ (`get-shit-done/install.js` lines 1227-1327)
757
+ - OpenSpec: managed blocks with bounded upsert for vendor-specific surfaces
758
+ (openspec.dev)
759
+ - Angular/Turborepo/Next.js: ordered migrations with dry-run preview
760
+ (angular.dev/cli/update, turbo.build/repo/docs/guides/migrate)
761
+ - Langfuse: generation/prompt versioning with hash-based change detection
762
+ (langfuse.com/docs/prompts/get-started)
763
+
764
+ ---
765
+
766
+ ## 17. CLI Composition Root Boundary
767
+
768
+ **GSD:** `install.js` and adjacent install/generation logic mix orchestration, runtime-specific conversion,
769
+ template syncing, prompts, and filesystem writes in one large entry surface.
770
+
771
+ **GSDD before D17 Session 2:** `bin/gsdd.mjs` had already pushed vendor rendering into `bin/adapters/`, but it
772
+ still mixed CLI composition with bootstrap command bodies, template refresh logic, prompt flows, and update
773
+ dispatch in a single file.
774
+
775
+ **GSDD after D17 Session 2:** `bin/gsdd.mjs` is a thin composition root. It owns:
776
+ - top-level constants (`WORKFLOWS`, `FRAMEWORK_VERSION`, path roots)
777
+ - adapter registry construction
778
+ - command registry wiring
779
+ - `runCli`
780
+ - stable exported command handles for tests
781
+
782
+ Implementation lives under `bin/lib/`:
783
+ - `cli-utils.mjs` owns flag parsing and JSON output helpers
784
+ - `models.mjs` owns config/model schema and `cmdModels`
785
+ - `phase.mjs` owns phase discovery, verify, and scaffold commands
786
+ - `templates.mjs` owns template/role install and refresh flows
787
+ - `init.mjs` owns `createCmdInit(ctx)`, `createCmdUpdate(ctx)`, help text, and bootstrap/update helper logic
788
+
789
+ **Boundary rules:**
790
+ - keep `bin/gsdd.mjs` as composition root, not a second implementation module
791
+ - keep config-schema ownership in `models.mjs`; do not duplicate or relocate `buildDefaultConfig` into `init.mjs`
792
+ just to satisfy an old task list
793
+ - let `init` use the same template-sync module that `update --templates` uses, instead of maintaining separate
794
+ copy logic
795
+ - enforce the boundary with code-structure guard tests, not by re-auditing the file manually each session
796
+
797
+ **Why this split:**
798
+ - it reduces the regression surface when bootstrap or template-refresh logic changes
799
+ - it keeps command logic close to the helpers it depends on
800
+ - it preserves a stable import surface for tests while making the main CLI file small enough to inspect quickly
801
+ - it aligns with the existing D9/D15/D16 direction: adapters own runtime-specific behavior; `bin/lib/` owns
802
+ framework logic; `bin/gsdd.mjs` wires them together
803
+
804
+ **Evidence:**
805
+ - GSD source: `get-shit-done/install.js` (monolithic install/conversion surface)
806
+ - GSDD implementation: `bin/gsdd.mjs`, `bin/lib/init.mjs`, `bin/lib/templates.mjs`, `bin/lib/models.mjs`
807
+ - GSDD tests: `tests/gsdd.init.test.cjs`, `tests/gsdd.models.test.cjs`, `tests/gsdd.manifest.test.cjs`,
808
+ `tests/gsdd.guards.test.cjs`
809
+
810
+ ---
811
+
812
+ ## 18. Codex CLI Native Adapter
813
+
814
+ **GSD:** No dedicated Codex CLI adapter. GSD was Claude-first.
815
+
816
+ **GSDD (before this decision):** Codex CLI was a skills-first runtime at ~40% parity. It consumed the portable `.agents/skills/gsdd-*/SKILL.md` surface but had no native plan-checker, no orchestration loop, no model control, and no dedicated adapter module. `--tools codex` was deprecated and silently stripped. Every Codex plan ran in silent `reduced_assurance` mode.
817
+
818
+ **GSDD (after this decision):** Codex CLI is promoted to `native_capable` — same tier as Claude Code and OpenCode. A dedicated `bin/adapters/codex.mjs` generates `.codex/agents/gsdd-plan-checker.toml` (read-only TOML agent with the plan-checker delegate). Codex's entry surface is the portable skill at `.agents/skills/gsdd-plan/SKILL.md` — Codex auto-discovers it via its `.agents/skills/` skill scanning ([developers.openai.com/codex/skills](https://developers.openai.com/codex/skills)). The portable skill now contains vendor-neutral checker invocation instructions (JSON schema, max-3 cycle loop, escalation), so when Codex follows it, it spawns the native `gsdd-plan-checker` agent for fresh-context review. `--tools codex` is reinstated as an active adapter flag.
819
+
820
+ **Why:** Codex CLI v0.115.0 (2026-03-16) stabilized its multi-agent system with `.codex/agents/*.toml` definitions, `spawn_agent` fresh-context invocation, per-agent `model` and `model_reasoning_effort` fields, and `sandbox_mode` access control. This provides structural parity with Claude's `.claude/agents/` and OpenCode's `.opencode/agents/`.
821
+
822
+ **Why now:** Phase A research confirmed all three prerequisites for native-capable promotion:
823
+ 1. A native agent surface exists (`.codex/agents/*.toml` with TOML format)
824
+ 2. Fresh-context subagent invocation is confirmed (`spawn_agent` tool, new `ThreadId` per subagent)
825
+ 3. Per-agent model control exists (`model` field in agent TOML)
826
+
827
+ **Key design choices:**
828
+
829
+ 1. **TOML agent format** — Codex uses `.codex/agents/<name>.toml` (not markdown). The plan-checker delegate content goes inside `developer_instructions = """..."""`. A TOML escape guard replaces `"""` with `"" "` in delegate content to prevent string termination. Model IDs are validated at the CLI setter (`MODEL_ID_PATTERN`) and escaped in the TOML renderer as defense-in-depth.
830
+ 2. **Portable skill as entry surface** — Unlike Claude (which has a vendor-specific `.claude/skills/gsdd-plan/SKILL.md`) and OpenCode (which has `.opencode/commands/gsdd-plan.md`), Codex reads skills from `.agents/skills/` — the shared portable path. The portable skill is enhanced with vendor-neutral checker invocation instructions (JSON schema, max-3 cycle loop, escalation, orchestration summary), making it self-sufficient as the Codex entry surface. When Codex auto-selects the `gsdd-plan` skill, the instructions tell it to invoke the `gsdd-plan-checker` agent if available. No separate planner TOML is needed — the portable skill handles orchestration directly.
831
+ 3. **Inherit-by-default model** — Following OpenCode's pattern, no `model` field is set by default (inherits from parent session). An explicit `model = "<id>"` is only written when the user sets `runtimeModelOverrides.codex.plan-checker`.
832
+ 4. **Always-high reasoning effort** — `model_reasoning_effort = "high"` is always set for the plan-checker (analysis agent should think carefully).
833
+ 5. **Read-only sandbox** — `sandbox_mode = "read-only"` prevents the checker from editing plans, functionally equivalent to OpenCode's `write: false, edit: false, bash: false`.
834
+
835
+ **Known gaps:**
836
+ - No `hidden: true` equivalent — unlike OpenCode, the checker agent is visible to users (ergonomic gap, not functional; no Codex equivalent exists)
837
+ - No deterministic spawn API — spawning is model-interpreted via natural language, not a programmatic `Task()` call
838
+ - GitHub issues #14719 (re-spawn failure) and #14841 (spawn loops with weaker models) are documented risks; GSDD's simple spawn-wait-pattern minimizes exposure, and the max-3 loop has escalation
839
+ - JSON schema duplication — the checker JSON schema is embedded in Claude, OpenCode orchestration prompts and the portable skill; tests guard drift across all surfaces
840
+ - No Codex CLI in CI — future regressions still require disposable-fixture validation even though local live validation now exists
841
+ - Entry surface is shared — Codex uses the portable `.agents/skills/gsdd-plan/SKILL.md` as its entry surface (no vendor-specific skill path exists in Codex). The portable skill's checker invocation is vendor-neutral, but routing depends on Codex's implicit skill selection matching the task description
842
+
843
+ **Live validation (2026-03-17):**
844
+ - Local runtime: `codex-cli 0.113.0` with `features.multi_agent = true`
845
+ - Happy path fixture: `%TEMP%\\gsdd-codex-pr29-happy-20260317-214241` wrote `.planning/phases/01-foundation/01-PLAN.md` through the portable `gsdd-plan` entry surface while the native checker double returned `CHECKER_HAPPY`
846
+ - Forced revision fixture: `%TEMP%\\gsdd-codex-pr29-revision-20260317-214942` required the checker-driven sentinel `SENTINEL-REVISION-OK` in the plan `Notes` section; the plan was revised and the second checker pass passed
847
+ - Max-3 escalation fixture: `%TEMP%\\gsdd-codex-pr29-max3-noresearch-20260317-220608` set `workflow.research = false` to isolate the checker seam; Codex spawned 3 fresh-context checker agents, each returned `CHECKER_STILL_BLOCKED`, and the final result was `escalated`
848
+
849
+ **Evidence:**
850
+ - OpenAI Codex CLI docs: [developers.openai.com/codex/subagents](https://developers.openai.com/codex/subagents)
851
+ - Codex CLI config reference: [developers.openai.com/codex/config-reference](https://developers.openai.com/codex/config-reference)
852
+ - Codex CLI v0.115.0 release notes: [github.com/openai/codex/releases/tag/rust-v0.115.0](https://github.com/openai/codex/releases/tag/rust-v0.115.0)
853
+ - Agent Skills standard: [developers.openai.com/codex/skills](https://developers.openai.com/codex/skills)
854
+ - GitHub issues: [#14719](https://github.com/openai/codex/issues/14719), [#14841](https://github.com/openai/codex/issues/14841)
855
+ - GSDD adapter patterns: `bin/adapters/claude.mjs`, `bin/adapters/opencode.mjs`
856
+ - GSDD implementation: `bin/adapters/codex.mjs`, `bin/adapters/index.mjs`, `bin/lib/init.mjs`, `bin/lib/models.mjs`
857
+ - GSDD tests: `tests/gsdd.init.test.cjs`, `tests/gsdd.models.test.cjs`, `tests/gsdd.plan.adapters.test.cjs`
858
+
859
+ ---
860
+
861
+ ## 19. Scenario-Based Eval Coverage
862
+
863
+ **GSD:** No structural eval tests. Correctness relied on manual review and live agent runs.
864
+
865
+ **GSDD:** Deterministic scenario tests (`tests/gsdd.scenarios.test.cjs`) verify artifact-chain contracts across 3 golden paths and 2 native-capable runtime chains. No LLM calls required.
866
+
867
+ **What scenarios test (S1–S5):**
868
+
869
+ | Suite | Coverage |
870
+ |-------|----------|
871
+ | S1 — Greenfield Golden Path | init → new-project → plan → execute → verify → audit-milestone artifact chain |
872
+ | S2 — Brownfield Path | map-codebase delegates, codebase map references, mapper role installation |
873
+ | S3 — Quick-Task Path | Isolation from ROADMAP/research, role references, researcher exclusion |
874
+ | S4 — Native Runtime Chain | Claude skill/command/checker + Codex TOML checker completeness, 7 dimensions |
875
+ | S5 — Config-to-Content Propagation | Default config values reflected in generated artifacts |
876
+
877
+ **What scenarios do NOT test:** Runtime LLM behavior, aggregate success rates, LLM-judge quality. Those belong in a future eval layer above this one.
878
+
879
+ **Design rationale:** The testing pyramid for AI agents (Block, Jan 2026) puts deterministic no-LLM tests at the base. OpenAI's eval guidance recommends skill-level testing with deterministic graders. Anthropic's guidance says "grade outcomes, not paths" — these tests verify what was produced, not how. This layer complements the G1–G13 invariant suites (D13) which test structural properties of source files; scenario tests verify that the *generated* artifact chain between workflows is complete.
880
+
881
+ **Evidence:**
882
+
883
+ - OpenAI: "Testing Agent Skills Systematically with Evals" (developers.openai.com/blog/eval-skills)
884
+ - Anthropic: "Demystifying Evals for AI Agents" (anthropic.com/engineering/demystifying-evals-for-ai-agents)
885
+ - Block: "Testing Pyramid for AI Agents" (engineering.block.xyz/blog/testing-pyramid-for-ai-agents)
886
+ - GSDD implementation: `tests/gsdd.scenarios.test.cjs` (S1–S5, ~37 assertions)
887
+ - Invariant complement: D13, `tests/gsdd.invariants.test.cjs`, `tests/gsdd.guards.test.cjs`
888
+
889
+ ---
890
+
891
+ ## 20. Workspace Health Diagnostics
892
+
893
+ **GSD:** `health.md` (157 lines) — calls `gsd-tools.cjs validate health [--repair]`, parses JSON with error codes E001-E005/W001-W007, supports `--repair` flag for createConfig/resetConfig/regenerateState repair actions.
894
+
895
+ **GSDD:** `gsdd health` CLI command (~150 lines in `bin/lib/health.mjs`). Factory function `createCmdHealth(ctx)` returning an async command. No `--repair` flag — fixes are documented as actionable instructions, not automated mutations. GSDD already has `gsdd init` and `gsdd update --templates` as the repair paths; a separate repair mode would duplicate those commands.
896
+
897
+ **Check categories:**
898
+
899
+ | ID | Severity | What it checks |
900
+ |----|----------|----------------|
901
+ | E1 | ERROR | `.planning/config.json` missing or unparseable |
902
+ | E2 | ERROR | config.json missing required fields (`researchDepth`, `modelProfile`, `initVersion`) |
903
+ | E3 | ERROR | `.planning/templates/` missing |
904
+ | E4 | ERROR | `.planning/templates/roles/` missing or empty |
905
+ | E5 | ERROR | `.planning/templates/delegates/` missing or empty |
906
+ | W1 | WARN | `generation-manifest.json` missing |
907
+ | W2 | WARN | Template files modified locally (hash mismatch vs manifest) |
908
+ | W3 | WARN | Template/role files missing from disk but listed in manifest |
909
+ | W4 | WARN | ROADMAP.md references phases not found in `.planning/phases/` |
910
+ | W5 | WARN | Phase artifact set has PLAN but no matching SUMMARY (stale in-progress) |
911
+ | W6 | WARN | No adapter surfaces detected |
912
+ | I1 | INFO | Generation manifest `frameworkVersion` differs from current `FRAMEWORK_VERSION` |
913
+ | I2 | INFO | Phase completion count from ROADMAP |
914
+ | I3 | INFO | Which adapters are installed |
915
+
916
+ **Verdict logic:**
917
+ - Any ERROR → `broken` (exit code 1)
918
+ - Any WARN, no ERROR → `degraded` (exit code 0)
919
+ - No ERROR, no WARN → `healthy` (exit code 0)
920
+
921
+ **Output modes:**
922
+ - Default: human-readable with severity markers and verdict line
923
+ - `--json`: machine-readable `{ status, errors[], warnings[], info[] }`
924
+
925
+ **Key design choices:**
926
+
927
+ 1. **No `--repair` flag.** GSD's health workflow supported `--repair` with three actions (createConfig, resetConfig, regenerateState). GSDD does not need this because `gsdd init` and `gsdd update --templates` already serve as repair paths. Documenting the fix command in each diagnostic is sufficient — agents can read and execute the instruction directly.
928
+
929
+ 2. **`brew doctor` pattern.** Diagnose, report, suggest — never auto-fix. This matches the D13 principle: error messages ARE the enforcement mechanism. When an agent reads `"E3: .planning/templates/ missing. Fix: Run gsdd update --templates"`, it can act on the instruction.
930
+
931
+ 3. **Pre-init guard.** If `.planning/config.json` doesn't exist, output a one-line message and exit 1. No partial checks — the workspace is simply not initialized.
932
+
933
+ 4. **Reuses existing modules.** `readManifest()` and `detectModifications()` from `manifest.mjs` handle W1-W3. `isProjectInitialized()` pattern from `models.mjs` handles the pre-init guard. No new utility functions.
934
+
935
+ **What was removed vs GSD:**
936
+ - `--repair` flag and associated repair actions
937
+ - Error codes E001-E005/W001-W007 (replaced with simpler E1-E5/W1-W6/I1-I3)
938
+ - STATE.md checks (GSDD has no STATE.md per D7)
939
+ - PROJECT.md checks (GSDD uses SPEC.md, not checked by health — it's workflow-authored)
940
+ - Phase directory naming format checks (GSDD uses flat numbered files, not NN-name directories)
941
+
942
+ **Evidence:**
943
+
944
+ - GSD source: `get-shit-done/workflows/health.md` (157 lines, predecessor)
945
+ - `brew doctor` pattern: diagnose, report, suggest — never auto-fix
946
+ - OpenAI Harness Engineering (Feb 2026): error messages as enforcement mechanism (same principle as D13)
947
+ - External audit (2026-03-13): recommendation #3 "Add just enough: status/resume/progress/health"
948
+ - External audit (2026-03-17): "You probably do need a minimal health surface, but not GSD's full style"
949
+ - PR #32: pre-init guard bug proved workspace integrity issues are real, not theoretical
950
+ - GSDD implementation: `bin/lib/health.mjs`, `bin/gsdd.mjs`, `tests/gsdd.health.test.cjs`, `tests/gsdd.guards.test.cjs` (G14)
951
+
952
+ ---
953
+
954
+ ## 21. OWASP Authorization Matrix
955
+
956
+ **GSD:** No formal authorization matrix. Auth verification during milestone audits relies on the integration checker's narrative inference — it identifies sensitive surfaces and checks for auth protection, but has no systematic cell-by-cell verification against declared permissions.
957
+
958
+ **GSDD:** Adds an optional OWASP-style authorization matrix as a project artifact (`.planning/AUTH_MATRIX.md`). When present, the integration checker performs cell-by-cell verification in addition to its existing narrative auth check.
959
+
960
+ **The matrix uses the OWASP pivot format:**
961
+
962
+ | Resource | Action | Role A | Role B | Role C |
963
+ |----------|--------|--------|--------|--------|
964
+ | /resource| verb | ALLOW | DENY | OWN |
965
+
966
+ Permission values: ALLOW (role can access), DENY (explicit rejection required), OWN (ownership-scoped access), N/A (not applicable).
967
+
968
+ **Design choices:**
969
+
970
+ 1. **Project artifact, not framework source.** The matrix lives in `.planning/AUTH_MATRIX.md` — a project-specific file created during `new-project` when the project has multiple roles. The template at `distilled/templates/auth-matrix.md` teaches the format but is not consumed at runtime. This follows the same pattern as `SPEC.md` and `ROADMAP.md`: the template instructs, the project artifact governs.
971
+
972
+ 2. **Backwards compatible.** The integration checker's new Step 4a is fully gated by an existence check: `If .planning/AUTH_MATRIX.md does not exist, skip this sub-step.` The narrative auth check (Step 4) always runs regardless. Projects without a matrix see zero behavioral change.
973
+
974
+ 3. **OWASP pivot format.** The resource x role x permission table is the standard format from the OWASP Authorization Testing Automation Cheat Sheet. Using a recognized standard means the matrix is portable — it can be consumed by other tools, reviewed by security auditors, or extended with automated test generation outside GSDD.
975
+
976
+ 4. **No automated test generation.** The matrix is consumed for verification, not for generating test code. Test generation would require framework-specific knowledge (HTTP client, test runner, auth setup) that varies per project. The integration checker reports VERIFIED / MISMATCH / UNTESTED per cell — turning mismatches into tests is the developer's job.
977
+
978
+ 5. **No auto-creation.** The `new-project` workflow mentions the matrix as optional item 8 in `<spec_creation>`. It is not automatically generated because auth requirements vary widely and a wrong matrix is worse than no matrix.
979
+
980
+ 6. **Template portability.** The template is auto-distributed by `installProjectTemplates()` (same `cpSync` path as all templates) and auto-tracked by `buildManifest()`. No code changes to `templates.mjs` or `manifest.mjs` were needed.
981
+
982
+ **What GSDD does NOT do:**
983
+
984
+ - Does not generate test code from the matrix
985
+ - Does not auto-create the matrix during project init
986
+ - Does not require the matrix for milestone audits to pass
987
+ - Does not replace the narrative auth check (Step 4 always runs)
988
+
989
+ **Evidence:**
990
+
991
+ - OWASP Authorization Testing Automation Cheat Sheet: pivot-format matrix standard
992
+ - OWASP Top 10 for Agentic Applications 2026: A1 Agent Overreach, A4 Insufficient Authorization
993
+ - External audit (2026-03-13): "Upgrade milestone auth from intent to matrix"
994
+ - External audit (2026-03-17): confirmed auth verification gap independently
995
+ - GSD source: `agents/integration-checker.md` (narrative auth check, no matrix support)
996
+ - GSDD implementation: `distilled/templates/auth-matrix.md`, `agents/integration-checker.md` (Step 4a), `distilled/workflows/audit-milestone.md`, `distilled/workflows/new-project.md`, `tests/gsdd.guards.test.cjs` (G15)
997
+
998
+ ---
999
+
1000
+ ## 22. Delegate Layer Architecture
1001
+
1002
+ **GSD:** Orchestrator subagent prompts were embedded inline in workflow files or referenced indirectly through agent role contracts. No explicit thin-wrapper layer. Scope and context were implicit in the orchestrator's prompt shaping.
1003
+
1004
+ **GSDD:** Extracted 10 delegates as explicit thin-wrapper files in `distilled/templates/delegates/`. A delegate is a sub-agent instruction wrapper scoped to a specific orchestrator task, carrying a bounded input/output contract. Ten delegates cover 3 canonical roles: mapper × 4 focus-scoped variants, researcher × 4 dimension-scoped variants, synthesizer × 1 (via `researcher-synthesizer.md`), plus one fresh-context adversarial reviewer (`plan-checker.md`, new in D9, no GSD equivalent). Executor, verifier, integration-checker, planner, and roadmapper are invoked directly from orchestrator workflows without thin-wrapper delegates.
1005
+
1006
+ **Why "delegates":** In multi-agent orchestration literature (Anthropic multi-agent guidance, OpenAI harness engineering, OpenDev terminal-agents paper arXiv 2603.05344), a delegate is a sub-agent invoked by an orchestrator with:
1007
+ 1. A single, bounded responsibility (not a general-purpose role)
1008
+ 2. A typed input/output contract
1009
+ 3. Explicit scope boundaries (what the sub-agent owns vs. doesn't own)
1010
+ 4. A specific invocation pattern (fresh context, checkpoint, isolation)
1011
+
1012
+ GSDD's delegates are exactly this: thin instruction wrappers that route to a canonical role contract, carry a specific scope parameter, enforce context isolation, and return typed structured output. The name is intentional and accurate to multi-agent literature.
1013
+
1014
+ **Why extract delegates:**
1015
+
1016
+ Orchestrator workflows need to invoke sub-agents with consistent, predictable behavior. The orchestrator's prompt is large and carries session context; the sub-agent should be small, focused, and isolated. GSD embedded sub-agent instructions inline, making workflows hard to read and sub-agent contracts hard to reuse. GSDD extracts delegates into portable files at `distilled/templates/delegates/`, installed to `.planning/templates/delegates/` per project, and referenced by `<delegate>` blocks in orchestrator workflows:
1017
+
1018
+ ```
1019
+ <delegate>
1020
+ Instruction: Read .planning/templates/delegates/researcher-stack.md
1021
+ Scope: domain tech stack research
1022
+ Input: Project domain, tech constraints, research mode
1023
+ Output: STACK.md with structured findings and confidence levels
1024
+ </delegate>
1025
+ ```
1026
+
1027
+ Benefits:
1028
+ 1. **Reusable:** The same delegate can be invoked from multiple orchestrator workflows (new-project, plan, milestone audit)
1029
+ 2. **Testable:** Delegate contracts are explicit and can be verified independently
1030
+ 3. **Portable:** Delegates are plain markdown; any agent can read them
1031
+ 4. **Versioned:** The generation manifest tracks delegate content; `gsdd update --templates` refreshes them
1032
+
1033
+ **Tradeoffs and close condition:**
1034
+
1035
+ The delegate layer is a semantic extraction, not a functional one. It does not change what happens at runtime; it only changes how we describe what happens. The tradeoff is:
1036
+ - **Benefit:** Orchestrators are smaller, clearer, and sub-agent contracts are reusable
1037
+ - **Cost:** One more layer of indirection; agents must read both the workflow and the delegate to understand the full contract
1038
+
1039
+ This is acceptable because:
1040
+ 1. Agents are fast at reading multiple files
1041
+ 2. The clarity gain outweighs the reading cost
1042
+ 3. Delegate independence enables better testing and quality gates
1043
+
1044
+ **10 delegates:**
1045
+
1046
+ | Delegate | Purpose | Wrapped Role |
1047
+ |----------|---------|--------------|
1048
+ | `mapper-tech.md` | Map codebase tech stack | mapper (focus: tech) |
1049
+ | `mapper-arch.md` | Map codebase architecture | mapper (focus: arch) |
1050
+ | `mapper-quality.md` | Map code quality conventions | mapper (focus: quality) |
1051
+ | `mapper-concerns.md` | Identify code concerns and debt | mapper (focus: concerns) |
1052
+ | `researcher-stack.md` | Research domain tech stack | researcher (dimension: stack) |
1053
+ | `researcher-features.md` | Research domain feature landscape | researcher (dimension: features) |
1054
+ | `researcher-architecture.md` | Research domain architecture patterns | researcher (dimension: architecture) |
1055
+ | `researcher-pitfalls.md` | Research domain pitfalls and risks | researcher (dimension: pitfalls) |
1056
+ | `researcher-synthesizer.md` | Synthesize research into roadmap implications | synthesizer |
1057
+ | `plan-checker.md` | Fresh-context adversarial plan review | planner (adversarial, new in D9) |
1058
+
1059
+ **Evidence:**
1060
+
1061
+ - Anthropic multi-agent guidance: orchestration patterns with isolated sub-agents
1062
+ - OpenAI Harness Engineering (2026): delegate pattern for consistent, reusable sub-agent behavior
1063
+ - OpenDev "Terminal Agents" (arXiv 2603.05344): multi-agent coordination with explicit role contracts
1064
+ - GSDD implementation: `distilled/templates/delegates/`, `distilled/workflows/*.md` (with `<delegate>` blocks), `bin/lib/rendering.mjs` (delegate text injection)
1065
+ - Tests: `tests/gsdd.scenarios.test.cjs` (S1–S5 verify delegate invocation chains)
1066
+
1067
+ ---
1068
+
1069
+ ## 23. Mapper Output Quantification
1070
+
1071
+ **GSD baseline:** Mapper agents produce qualitative descriptions ("uses constructor injection") without adoption rates, trend signals, or exemplar file identification. No systematic mechanism for ranking concerns by downstream impact.
1072
+
1073
+ **GSDD decision:** Five quantification primitives added across codebase map templates and delegates:
1074
+
1075
+ | Primitive | Where | Format |
1076
+ |-----------|-------|--------|
1077
+ | Convention adoption rates | CONVENTIONS.md + mapper-quality delegate | `~N% (stable\|rising\|declining)` via grep-counting |
1078
+ | Golden files (conventions) | CONVENTIONS.md + mapper-quality delegate | 2–3 files with highest convention density in production code |
1079
+ | Golden files per layer (arch) | ARCHITECTURE.md + mapper-arch delegate | Most-imported file per layer (inbound import frequency) |
1080
+ | Must-know packages | STACK.md + mapper-tech delegate | 3–5 packages with risk index low/medium/high + common mistake |
1081
+ | Downstream impact ranking | CONCERNS.md + mapper-concerns delegate | Top 3 concerns ranked by ARCHITECTURE.md change-routing rows blocked |
1082
+
1083
+ **Why algorithmic, not subjective:** Each primitive has a deterministic algorithm so different agents produce comparable output:
1084
+ - Adoption rate: grep-count ÷ total instances, expressed as ~N%
1085
+ - Golden file (conventions): highest density of documented conventions per production file
1086
+ - Golden file (arch): highest inbound import count per layer
1087
+ - Must-know packages: misuse causes hardest-to-debug problems (data corruption or silent failure = risk: high)
1088
+ - Impact ranking: number of ARCHITECTURE.md change-routing rows blocked per concern
1089
+
1090
+ **Why `~N%` format:** The tilde prefix signals estimation, not measurement. This prevents false precision while still providing a useful signal. "~84% (declining)" conveys the same planning information as an exact count while being honest about the estimation method.
1091
+
1092
+ **Why separate sections, not inline annotations:** Inline annotations ("constructor injection — 84%") would require reformatting existing rules. Dedicated sections (Convention Adoption Rates, Golden Files) keep quantification additive — the existing prescriptive rules remain unchanged and the new sections are skippable by agents that don't need them.
1093
+
1094
+ **Problem this solves:** Internal research (ideas.md, Feb 2026) directly compared GSDD's mapper against codebase-context MCP on the same codebase and found: GSDD returned "uses constructor injection" while CC returned "84% (declining)". The qualitative output gives downstream planners and executors weaker signal for prioritization decisions on brownfield projects.
1095
+
1096
+ **Evidence:**
1097
+
1098
+ 1. `ideas.md` (internal, Feb 2026): direct per-tool comparison — "Quantification matters — '84% declining' > 'uses constructor injection'"
1099
+ 2. ArXiv 2602.20478 (Codified Context): structured quantifiable facts enable agents to load context JIT without reading full files
1100
+ 3. GetDX measurement framework (2026): adoption % is the primary signal for convention strength in engineering teams
1101
+ 4. Anthropic 2026 Agentic Coding Trends: context quality is the primary competitive advantage; bottleneck is "does agent have context it needs?"
1102
+ 5. Codebase-Context MCP (PatrickSys): already returns quantified patterns — GSDD without this produces weaker artifacts on the same codebase
1103
+
1104
+ **Trade-offs:**
1105
+
1106
+ - Benefit: downstream planners and executors get quantified signals for prioritization; "~84% declining" tells the planner to budget for migration, "~100% stable" tells it not to
1107
+ - Cost: mapper must grep-count each major convention, adding analysis time; the tilde prefix is honest about estimation but agents may treat it as less authoritative than exact counts
1108
+ - Scope: quantification is additive — existing qualitative rules remain; agents can skip the new sections if not needed
1109
+
1110
+ **GSDD implementation:** `distilled/templates/codebase/conventions.md`, `distilled/templates/codebase/architecture.md`, `distilled/templates/codebase/stack.md`, `distilled/templates/codebase/concerns.md`, `distilled/templates/delegates/mapper-quality.md`, `distilled/templates/delegates/mapper-arch.md`, `distilled/templates/delegates/mapper-tech.md`, `distilled/templates/delegates/mapper-concerns.md`, `agents/mapper.md`
1111
+
1112
+ ---
1113
+
1114
+ ## 24. Consumer Governance Completeness
1115
+
1116
+ **Problem:** Consumer governance surfaces (`agents.block.md`) listed only 4 of 10 delivered workflows. When a consumer ran `gsdd init --tools agents`, the generated AGENTS.md told the agent about new-project, plan, execute, and verify -- but audit-milestone, quick, pause, resume, progress, and map-codebase were invisible. AI agents working in consumer projects could not discover 60% of the available workflows.
1117
+
1118
+ **GSDD decision:** Consumer governance surfaces must enumerate all delivered capabilities. Governance maps that omit delivered workflows are functionally broken -- agents cannot use what they cannot discover.
1119
+
1120
+ **What changed:**
1121
+
1122
+ - `agents.block.md` now lists all 10 workflow skills, organized by function (primary lifecycle + supporting workflows)
1123
+ - Lifecycle description updated to mention audit-milestone and supporting surfaces
1124
+ - G18 guard suite mechanically prevents recurrence: asserts every WORKFLOWS entry appears in `agents.block.md`
1125
+ - CHANGELOG and README synced to actual counts (assertions, design decisions, PRs, test suites)
1126
+
1127
+ **Why this is high-leverage:** The framework machinery is mechanically sound (800+ assertions, 10 workflows, 9 roles, 3 native adapters, 23 design decisions). But an incomplete AGENTS.md map is functionally broken governance -- agents succeed or fail based on the harness, not the LLM.
1128
+
1129
+ **Evidence:**
1130
+
1131
+ - Anthropic, "Effective harnesses for long-running agents" (2026): harnesses must provide comprehensive, discoverable context; incomplete maps cause agent failure
1132
+ - Agent Skills specification (agentskills.io): progressive disclosure requires a complete top-level map
1133
+ - HumanLayer, "Skill Issue" (2026): AGENTS.md should be a short map (~100 lines) that points to all available capabilities
1134
+ - OpenAI, "Harness Engineering" (2026): the harness determines whether agents succeed or fail
1135
+ - External audits (2026-03-13, 2026-03-17): both independently flagged documentation accuracy as the top remaining blocker for consumer adoption
1136
+ - GSDD implementation: `distilled/templates/agents.block.md`, `CHANGELOG.md`, `README.md`, `tests/gsdd.guards.test.cjs` (G18)
1137
+
1138
+ ---
1139
+
1140
+ ## 25. Consumer First-Run Experience
1141
+
1142
+ **Problem:** GSDD's internal architecture is complete (24 design decisions, 800+ tests, 10 workflows, 9 roles), but consumer-facing surfaces don't honestly guide first-time users. Two independent audits identified this as the single largest barrier to adoption.
1143
+
1144
+ **Decision:** Make all consumer-facing surfaces (README, agents.block.md, post-init CLI output) honestly distinguish between native-capable and governance-only platforms, and provide platform-specific invocation guidance at every consumer touchpoint.
1145
+
1146
+ **Key changes:**
1147
+ - Platform adapter table uses honest capability tiers (native vs governance) instead of aspirational labels (skill_aware, custom_command_aware)
1148
+ - Post-init CLI output shows platform-specific next-step commands
1149
+ - AGENTS.md governance block includes per-platform invocation guide
1150
+ - Quickstart section provides a guided first-use flow
1151
+
1152
+ **Evidence:**
1153
+ 1. **Anthropic harness engineering** (2025-2026): "honest constraints over vague prompting" — harnesses should clearly communicate what they can and cannot enforce
1154
+ 2. **OpenAI Codex skills documentation**: Shows clear per-platform invocation patterns with explicit examples, not generic "use the skill" instructions
1155
+ 3. **GitHub spec-driven development toolkit**: Provides explicit getting-started flows that match the user's specific tool, not one-size-fits-all docs
1156
+ 4. **Martin Fowler on context engineering**: Emphasizes that "the right information at the right time" applies to human consumers as much as to AI agents
1157
+ 5. **Both GSDD external audits** (March 13 + 17, 2026): Independently concluded the same gap — "architecture is solid, presentation lags implementation"
1158
+
1159
+ **GSDD implementation:** `README.md` (quickstart, honest platform tiers), `distilled/templates/agents.block.md` (per-platform invocation guide), `bin/lib/init.mjs` (platform-aware post-init routing), `tests/gsdd.guards.test.cjs` (G19)
1160
+
1161
+ ---
1162
+
1163
+ ## 26. Session Continuity Contract Hardening
1164
+
1165
+ **GSD:** No explicit session management contract. State lived in a separate STATE.md file. No pause/resume/progress workflows. Session continuity depended on the user remembering where they left off.
1166
+
1167
+ **GSDD:** Three specialized session workflows with artifact-based state derivation:
1168
+ - **pause.md:** Writes `.continue-here.md` checkpoint with frontmatter (`workflow`, `phase`, `timestamp`) and 6 XML sections (`current_state`, `completed_work`, `remaining_work`, `decisions`, `blockers`, `next_action`). Detects 3 work types (phase/quick/generic), gathers missing context conversationally, and advises on git commit.
1169
+ - **resume.md:** Reads artifacts (ROADMAP.md, SPEC.md, .continue-here.md, phase directories, quick LOG.md), routes to the correct next action with 5-branch priority logic (checkpoint-based routing, incomplete execution, needs planning, needs verification, all phases complete), and cleans up the checkpoint before dispatching.
1170
+ - **progress.md:** Read-only reporter with 4-way existence detection, 6 named routing branches (A through F), edge case handling for compound states, and recent-work scanning from SUMMARY.md files. Creates, modifies, or deletes no files.
1171
+
1172
+ D12 established the session persistence design. D26 mechanically enforces the routing contracts that D12 introduced with a G20 guard suite.
1173
+
1174
+ **Evidence:**
1175
+
1176
+ 1. Anthropic "Effective harnesses for long-running agents" (2026): artifact-based session handoff (`claude-progress.txt`) is the winning pattern; context compaction alone is "not sufficient" -- explicit progress files bridge sessions
1177
+ 2. GitHub "How to build reliable AI workflows with agentic primitives" (2026): session splitting as a first-class agentic primitive; distinct sessions for different phases improve accuracy
1178
+ 3. OpenAI harness engineering (2026): incremental progress tracking (JSON feature lists, progress files) is the key mechanism for multi-session work; "finding a way for agents to quickly understand the state of work when starting with a fresh context window"
1179
+ 4. OpenDev terminal agents (arXiv 2603.05344): scaffolding-harness separation; runtime state must be derivable from artifacts, not from context window memory
1180
+ 5. GSDD internal: I5 invariant suite covers basic structure (16 assertions) but not routing completeness; S1-S5 scenarios don't exercise session workflows in isolation; 18+ routing branches untested before D26
1181
+
1182
+ **Tradeoff:** More assertions to maintain (~35 new), but prevents routing drift that would break the consumer's primary multi-session interaction pattern. GSDD's 3-workflow session design already aligns with Anthropic's recommendation -- D26 mechanically locks it down.
1183
+
1184
+ **GSDD implementation:** `distilled/workflows/pause.md`, `distilled/workflows/resume.md`, `distilled/workflows/progress.md`, `tests/gsdd.guards.test.cjs` (G20)
1185
+
1186
+ ---
1187
+
1188
+ ## 27. Consumer-Ready Surface Completion
1189
+
1190
+ **Problem:** Three independent external audits (March 13, 17, 18 2026) converged: GSDD's architecture is complete but consumer-facing documentation has gaps blocking self-service adoption. Specifically: auto-mode not in README, no troubleshooting section, no git tracking guidance, model strategy unexplained, health not positioned as diagnostic entry point, team onboarding absent, and docs/USER-GUIDE.md not linked from README.
1191
+
1192
+ **Decision:** Close consumer journey gaps with compact README sections cross-referencing the existing User Guide. Do not bloat the README.
1193
+
1194
+ **Changes:** 6 new README subsections (Headless Mode, Team Use, User Guide link, Model Strategy, What to Track, Troubleshooting). G21 guard suite enforces section presence.
1195
+
1196
+ **Evidence:**
1197
+ 1. External audit (2026-03-13): "architecture is solid, presentation lags implementation"
1198
+ 2. External audit (2026-03-17): "close scope around the kernel" — consumer surface identified as #1 bottleneck
1199
+ 3. External audit (2026-03-18): "docs should close the consumer journey"
1200
+ 4. OpenAI harness engineering (2026): documentation is part of the harness environment
1201
+ 5. Anthropic context engineering (2026): progressive disclosure for onboarding
1202
+ 6. Agent Skills standard (agentskills.io, 30+ tools): skills need clear discovery documentation
1203
+
1204
+ **GSDD implementation:** `README.md`, `docs/USER-GUIDE.md` (already exists, now cross-referenced), `tests/gsdd.guards.test.cjs` (G21)
1205
+
1206
+ ---
1207
+
1208
+ ## 28. Workflow Completion Routing
1209
+
1210
+ **Problem:** Consumer testing (2026-03-21) revealed that AI agents completing a GSDD workflow go silent — the user must manually figure out which `/gsdd:*` command to run next. The lifecycle contract (`new-project → plan → execute → verify → [next phase]`) was correct in design but invisible in practice at each step boundary. GSD original solved this with explicit "Next Up" sections at the end of every workflow; GSDD lost this pattern during distillation.
1211
+
1212
+ **Decision:** Add `<completion>` sections after `<success_criteria>` in all 9 terminal workflows. Add positional discipline gates (STOP instructions at exact deviation points) and mandatory persistence enforcement for critical artifacts.
1213
+
1214
+ **Changes:**
1215
+
1216
+ | Fix | Scope | Files |
1217
+ |-----|-------|-------|
1218
+ | `<completion>` sections | 9 workflows (all except `progress.md` which already has routing) | `new-project.md`, `plan.md`, `execute.md`, `verify.md`, `audit-milestone.md`, `quick.md`, `pause.md`, `resume.md`, `map-codebase.md` |
1219
+ | Positional STOP gates | 2 transition points in `new-project.md` (questioning→research, research→spec) | `new-project.md` |
1220
+ | SUMMARY.md persistence gate | MANDATORY write enforcement in `<state_updates>` | `execute.md` |
1221
+ | VERIFICATION.md persistence | Dedicated `<persistence>` section with STOP-on-failure | `verify.md` |
1222
+ | G22 guard suite | ~30 assertions preventing regression | `tests/gsdd.guards.test.cjs` |
1223
+
1224
+ **Completion section pattern (consistent across all 9 workflows):**
1225
+ ```markdown
1226
+ <completion>
1227
+ Report to the user what was accomplished, then present the next step:
1228
+
1229
+ ---
1230
+ **Completed:** [what finished]
1231
+
1232
+ **Next step:** `/gsdd:[command]` — [description]
1233
+
1234
+ Also available:
1235
+ - `/gsdd:[alt]` — [description]
1236
+
1237
+ Consider clearing context before starting the next workflow for best results.
1238
+ ---
1239
+ </completion>
1240
+ ```
1241
+
1242
+ **Routing map (acyclic, complete):**
1243
+ - `new-project` → `/gsdd:plan`
1244
+ - `plan` → `/gsdd:execute`
1245
+ - `execute` → `/gsdd:verify` (if verifier enabled) or `/gsdd:progress`
1246
+ - `verify` → `/gsdd:progress` (passed), `/gsdd:plan` (gaps), `/gsdd:verify` (human_needed)
1247
+ - `audit-milestone` → `/gsdd:complete-milestone` (passed), `/gsdd:plan` (gaps/debt)
1248
+ - `quick` → `/gsdd:progress`
1249
+ - `pause` → `/gsdd:resume` (next session)
1250
+ - `resume` → dispatches to selected workflow
1251
+ - `map-codebase` → `/gsdd:new-project`
1252
+
1253
+ **GSD comparison:**
1254
+
1255
+ | Aspect | GSD | GSDD |
1256
+ |--------|-----|------|
1257
+ | End-of-workflow routing | `## ▶ Next Up` with emoji, separators, backticked commands | `<completion>` section with bold routing, consistent format |
1258
+ | Context clearing | Explicit: `<sub>/clear first → fresh context window</sub>` | Vendor-agnostic: "Consider clearing context before starting the next workflow" |
1259
+ | Persistence enforcement | No explicit gates | MANDATORY gates on SUMMARY.md and VERIFICATION.md |
1260
+ | Positional discipline | Rules at top of file only | STOP gates at exact deviation transition points |
1261
+
1262
+ GSDD's `<completion>` pattern is vendor-agnostic (GSD's `/clear` is Claude-specific) and adds persistence enforcement that GSD lacked.
1263
+
1264
+ **Evidence:**
1265
+
1266
+ 1. Consumer audit (2026-03-21): "Agent never proactively suggested the next GSDD command... the user becomes the workflow engine"
1267
+ 2. GSD source: `get-shit-done/workflows/progress.md` — every routing branch ends with formatted "Next Up" block showing exact command and alternatives
1268
+ 3. Anthropic "Building effective agents" (2025): workflows should make handoff points explicit with clear next actions
1269
+ 4. Consumer audit issue #6: "verification not persisted to disk" — VERIFICATION.md existed only in chat context, lost on context compression
1270
+ 5. Positional discipline research (Anthropic long-context, 2024): instructions at decision points are followed more reliably than instructions at document start
1271
+
1272
+ **Tradeoff:** ~30 new guard assertions to maintain, but prevents the highest-impact consumer UX failure (routing dead ends at every workflow boundary). Persistence gates add 2-3 lines per workflow but prevent artifact loss that breaks downstream audit.
1273
+
1274
+ **GSDD implementation:** `distilled/workflows/*.md` (9 files), `tests/gsdd.guards.test.cjs` (G22)
1275
+
1276
+ ---
1277
+
1278
+ ## Maintenance
1279
+
1280
+ This document is updated when:
1281
+
1282
+ - A design decision is revised or reversed (update the relevant section, note the change)
1283
+ - A new structural decision lands that affects how GSDD diverges from GSD (add a new section)
1284
+ - Evidence is found that contradicts a stated rationale (update or remove the claim)
1285
+
1286
+ Do not add speculative decisions. Every section must cite implementation artifacts (files, PRs, tests) and at least one GSD source file for comparison.