slash-do 1.2.0 → 1.4.0

package/commands/do/help.md

@@ -12,9 +12,9 @@ List all available `/do:*` commands with their descriptions.
 
 | Command | Description |
 |---|---|
+| `/do:better` | Unified DevSecOps audit, remediation, per-category PRs, CI verification, and Copilot review loop |
 | `/do:fpr` | Commit, push to fork, and open a PR against the upstream repo |
 | `/do:goals` | Scan codebase to infer project goals, clarify with user, and generate GOALS.md |
-| `/do:better` | Unified DevSecOps audit, remediation, per-category PRs, CI verification, and Copilot review loop |
 | `/do:help` | List all available slashdo commands |
 | `/do:omd` | Audit and optimize markdown files (CLAUDE.md, README.md, etc.) against best practices |
 | `/do:pr` | Commit, push, and open a PR against the repo's default branch |

package/commands/do/review.md

@@ -75,10 +75,22 @@ Check every file against this checklist:
 - Trace each error path end-to-end: does the error reach the user with a helpful message and correct HTTP status? Or does it get swallowed, logged silently, or surface as a generic 500?
 - For multi-step operations (sync to N repos, batch updates): are per-item failures tracked separately from overall success? Does the status reflect partial failure accurately?
 
+**Concurrency under user interaction**
+- If a component performs optimistic updates with async operations, simulate what happens when the user triggers a second action while the first is in-flight — trace whether rollback/success handlers can clobber concurrent state changes or close over stale snapshots
+
+**State ownership across component boundaries**
+- If a child component maintains local state derived from a parent's data (e.g., optimistic UI copies), trace the ownership boundary: does the child propagate changes back to the parent? What happens on unmount/remount — does the parent's stale cache resurface?
+
 **Data flow audit**
 - For sensitive data (secrets, tokens): trace the value from input → storage → retrieval → response. Verify it is never leaked in ANY response path (GET, PUT, POST, error responses, socket events)
 - For user input → URL/command interpolation: verify encoding/escaping at every boundary
 
+**Access scope changes**
+- If the PR widens access to an endpoint or resource (admin→public, internal→external), trace all shared dependencies the endpoint uses (rate limiters, queues, connection pools, external service quotas) and assess whether they were sized for the previous access level — in-memory/process-local limiters don't enforce limits across horizontally scaled instances
+
+**Guard-before-cache ordering**
+- If a handler performs a pre-flight guard check (rate limit, quota, feature flag) before a cache lookup or short-circuit path, verify the guard doesn't block operations that would be served from cache without touching the guarded resource — restructure so cache hits bypass the guard
+
 ## Fix Issues Found
 
 For each issue found:

package/hooks/slashdo-statusline.js

@@ -8,9 +8,13 @@ const os = require('os');
 
 // Read JSON from stdin
 let input = '';
+// Timeout guard: if stdin doesn't close within 3s (e.g. pipe issues on
+// Windows/Git Bash), exit silently instead of hanging.
+const stdinTimeout = setTimeout(() => process.exit(0), 3000);
 process.stdin.setEncoding('utf8');
 process.stdin.on('data', chunk => input += chunk);
 process.stdin.on('end', () => {
+  clearTimeout(stdinTimeout);
   try {
     const data = JSON.parse(input);
     const model = data.model?.display_name || 'Claude';
@@ -18,14 +22,14 @@ process.stdin.on('end', () => {
     const session = data.session_id || '';
     const remaining = data.context_window?.remaining_percentage;
 
-    // Context window display (shows USED percentage scaled to 80% limit)
-    // Claude Code enforces an 80% context limit, so we scale to show 100% at that point
+    // Context window display (shows USED percentage scaled to usable context)
+    // Claude Code reserves ~16.5% for autocompact buffer, so usable context
+    // is 83.5% of the total window. We normalize to show 100% at that point.
+    const AUTO_COMPACT_BUFFER_PCT = 16.5;
     let ctx = '';
     if (remaining != null) {
-      const rem = Math.round(remaining);
-      const rawUsed = Math.max(0, Math.min(100, 100 - rem));
-      // Scale: 80% real usage = 100% displayed
-      const used = Math.min(100, Math.round((rawUsed / 80) * 100));
+      const usableRemaining = Math.max(0, ((remaining - AUTO_COMPACT_BUFFER_PCT) / (100 - AUTO_COMPACT_BUFFER_PCT)) * 100);
+      const used = Math.max(0, Math.min(100, Math.round(100 - usableRemaining)));
 
       // Write context metrics to bridge file for context-monitor hooks
       if (session) {
@@ -48,12 +52,12 @@ process.stdin.on('end', () => {
       const filled = Math.floor(used / 10);
       const bar = '█'.repeat(filled) + '░'.repeat(10 - filled);
 
-      // Color based on scaled usage
-      if (used < 63) {
+      // Color based on usable context thresholds
+      if (used < 50) {
         ctx = ` \x1b[32m${bar} ${used}%\x1b[0m`;
-      } else if (used < 81) {
+      } else if (used < 65) {
         ctx = ` \x1b[33m${bar} ${used}%\x1b[0m`;
-      } else if (used < 95) {
+      } else if (used < 80) {
         ctx = ` \x1b[38;5;208m${bar} ${used}%\x1b[0m`;
       } else {
         ctx = ` \x1b[5;31m💀 ${bar} ${used}%\x1b[0m`;
@@ -63,7 +67,9 @@ process.stdin.on('end', () => {
     // Current task from todos
     let task = '';
     const homeDir = os.homedir();
-    const todosDir = path.join(homeDir, '.claude', 'todos');
+    // Respect CLAUDE_CONFIG_DIR for custom config directory setups
+    const claudeDir = process.env.CLAUDE_CONFIG_DIR || path.join(homeDir, '.claude');
+    const todosDir = path.join(claudeDir, 'todos');
     if (session && fs.existsSync(todosDir)) {
       try {
         const entries = fs.readdirSync(todosDir);
@@ -91,7 +97,8 @@ process.stdin.on('end', () => {
 
     // Update notifications (GSD + slashdo)
     let updates = '';
-    const gsdCacheFile = path.join(homeDir, '.claude', 'cache', 'gsd-update-check.json');
+    const cacheDir = path.join(claudeDir, 'cache');
+    const gsdCacheFile = path.join(cacheDir, 'gsd-update-check.json');
     if (fs.existsSync(gsdCacheFile)) {
       try {
         const cache = JSON.parse(fs.readFileSync(gsdCacheFile, 'utf8'));
@@ -100,7 +107,7 @@ process.stdin.on('end', () => {
         }
       } catch (e) {}
     }
-    const slashdoCacheFile = path.join(homeDir, '.claude', 'cache', 'slashdo-update-check.json');
+    const slashdoCacheFile = path.join(cacheDir, 'slashdo-update-check.json');
     if (fs.existsSync(slashdoCacheFile)) {
       try {
         const cache = JSON.parse(fs.readFileSync(slashdoCacheFile, 'utf8'));

package/install.sh

@@ -31,6 +31,7 @@ COMMANDS=(
   pr push release replan review rpr update
 )
 
+
 OLD_COMMANDS=(cam good makegoals makegood optimize-md)
 
 LIBS=(
@@ -152,12 +153,19 @@ install_claude() {
         modified = true;
       }
 
-      // Statusline (only if none exists and hook file was downloaded)
+      // Statusline: upgrade gsd-statusline → slashdo-statusline (superset)
       const statuslineHookPath = path.join(hooksDir, "slashdo-statusline.js");
-      if (!settings.statusLine && fs.existsSync(statuslineHookPath)) {
+      if (fs.existsSync(statuslineHookPath)) {
         const slCmd = "node \"" + statuslineHookPath + "\"";
-        settings.statusLine = { type: "command", command: slCmd };
-        modified = true;
+        const currentCmd = (settings.statusLine && typeof settings.statusLine.command === "string") ? settings.statusLine.command : "";
+        if (!settings.statusLine) {
+          settings.statusLine = { type: "command", command: slCmd };
+          modified = true;
+        } else if (currentCmd.indexOf("gsd-statusline") !== -1) {
+          settings.statusLine = { type: "command", command: slCmd };
+          modified = true;
+        }
+        // slashdo-statusline already active or custom statusline → no change
       }
 
       if (modified) {
@@ -231,6 +239,7 @@ install_gemini() {
         NR==1 && /^---$/ { in_fm=1; print "+++"; next }
         in_fm && /^---$/ { in_fm=0; print "+++"; next }
         in_fm && /^description:/ { sub(/^description: */, ""); gsub(/"/, ""); printf "description = \"%s\"\n", $0; next }
+        in_fm && /^argument-hint:/ { sub(/^argument-hint: */, ""); gsub(/"/, ""); printf "argument-hint = \"%s\"\n", $0; next }
         in_fm && /^allowed-tools:/ { next }
         in_fm { print; next }
         { gsub(/~\/.claude\/lib\//, "~/.gemini/lib/"); print }

package/lib/code-review-checklist.md

@@ -12,10 +12,26 @@
    - State/variables that are declared but never updated or only partially wired up (e.g. a state setter that's never called)
    - Side effects during React render (setState, navigation, mutations outside useEffect)
    - Off-by-one errors, null/undefined access without guards
-   - `JSON.parse` on user-editable files (config, settings, cache) without error handling — corrupted files will crash the process
+   - `JSON.parse` on user-editable or external files (config, settings, cache, package metadata) without error handling — corrupted files will crash the process. When the parsed data is optional enrichment (e.g., version info, display metadata), isolate the failure so it doesn't abort the main operation
    - Accessing properties/methods on parsed JSON objects without verifying expected structure (e.g., `obj.arr.push()` when `arr` might not be an array)
    - Iterating arrays from external/user-editable sources without guarding each element — a `null` or wrong-type entry throws `TypeError` when treated as an object
    - Version/string comparisons using `!==` when semantic ordering matters — use proper semver comparison for version checks
+   - `Number('')` produces `0`, not empty — cleared numeric inputs must map to `undefined`/`null`, not `0`, which silently fails validation or sets wrong values
+   - Truthy checks on numeric values where `0` is valid (e.g., `days || 365` treats `0` as falsy) — use `!= null` or explicit undefined checks instead
+   - Functions that index into arrays (`arr[Math.floor(Math.random() * arr.length)]`) without guarding empty arrays — produces `undefined`/`NaN` when `arr.length === 0`
+   - Module-level default/config objects passed by reference to consumers — shared mutation across calls. Use `structuredClone()` or spread when handing out defaults
+   - `useCallback`/`useMemo` referencing a `const` declared later in the same function body — triggers temporal dead zone `ReferenceError`. Ensure dependency declarations appear before their dependents
+   - Object spread/merge followed by unconditional field assignment that clobbers spread values — e.g., `{...input.details, notes: notes || null}` silently overwrites `input.details.notes` even when `notes` is undefined. Only set fields when the overriding value is explicitly provided
+
+   **Async & UI state consistency**
+   - Optimistic UI state changes (view switches, navigation, success callbacks) before an async operation completes — if the operation fails or is cancelled (drag cancel, upload abort, form dismiss), the UI is stuck in the wrong state with no rollback. Handle both failure and cancellation paths to reset intermediate state
+   - `Promise.all` without try/catch — if any request rejects, the UI ends up partially loaded with an unhandled rejection. Wrap in try/catch with fallback/error state so the view remains usable
+   - Success callbacks (`onSaved()`, `onComplete()`) called unconditionally after an async call — check the return value or catch errors before calling the callback
+   - Debounced/cancelable async operations that don't reset loading state on all code paths (input cleared, stale response arrives, request fails) — loading spinners get stuck and stale results display. Use AbortController or request IDs to discard outdated responses and clear loading in every exit path (including early returns)
+   - Multiple UI state variables representing coupled data (coordinates + display name, selected item + dependent list) updated independently — actions that change one must update all related fields to prevent display/data mismatch
+   - Error notification at multiple layers (shared API client that auto-displays errors + component-level error handling) — verify exactly one layer is responsible for user-facing error messages to avoid duplicate toasts/alerts. Suppress lower-layer notifications when the caller handles its own error display
+   - Optimistic state updates using full-collection snapshots for rollback — if a second user action starts while the first is in-flight, rollback restores the snapshot and clobbers the second action's changes. Use per-item rollback and functional state updaters (`setState(prev => ...)`) after async gaps to avoid stale closures
+   - Child components maintaining local copies of parent-provided data for optimistic updates without propagating changes back — on unmount/remount the parent's stale cache is re-rendered. Sync optimistic changes to the parent via callback alongside local state, or trigger a data refetch on remount
 
    **Resource management**
    - Event listeners, socket handlers, subscriptions, and timers are cleaned up on unmount/teardown
@@ -28,23 +44,36 @@
    **API & URL safety**
    - User-supplied values interpolated into URL paths must use `encodeURIComponent()` — even if the UI restricts input, the API should be safe independently
    - Route params (`:name`, `:id`) passed to services without validation — add format checks (regex, length limits) at the route level
+   - Data from external APIs or upstream services interpolated into shell commands, file paths, or subprocess arguments without validation — enforce expected format (e.g., regex allowlist) before passing to execution boundaries
+   - Path containment checks using string prefix comparison (`resolvedPath.startsWith(baseDir)`) without a path separator boundary — `baseDir + "evil/..."` passes the check. Use `path.relative()` (reject if starts with `..`) or append `path.sep` to the base
+   - Error/fallback responses that hardcode security headers (CORS, CSP) instead of using the centralized policy — error paths bypass security tightening applied to happy paths. Always reuse shared header middleware/constants
 
    **Data exposure**
    - API responses returning full objects that contain sensitive fields (secrets, tokens, passwords) — destructure and omit before sending. Check ALL response paths (GET, PUT, POST) not just one
    - Comments/docs claiming data is never exposed while the code path does expose it
 
+   **Client/server trust boundary**
+   - Server trusting client-provided computed/derived values (scores, totals, correctness flags) when the server has the data to recompute them — strip client-provided scoring/summary fields and recompute server-side
+   - Validation schemas requiring clients to submit fields the server should own (e.g., `expected` answers, `correct` flags) — make these optional/omitted in submissions and derive them server-side
+   - API responses leaking answer keys or expected values that the client will later submit back — either strip before responding or use server-side nonce/seed verification
+
    **Input handling**
    - Trimming values where whitespace is significant (API keys, tokens, passwords, base64) — only trim identifiers/names, not secret values
    - Swallowed errors (empty `.catch(() => {})`) that hide failures from users — at minimum surface a notification on failure
+   - Endpoints that accept unbounded arrays/collections without an upper limit — large payloads can exceed request timeouts, exhaust memory, or create DoS vectors. Enforce a max size and return 400 when exceeded, or move large operations to background jobs
 
    **Validation & consistency**
    - New endpoints/schemas match validation standards of similar existing endpoints (check for field limits, required fields, types)
    - New API routes have the same error handling patterns as existing routes
    - If validation exists on one endpoint for a param, the same param on other endpoints needs the same validation
    - Schema fields that accept values the rest of the system can't handle (e.g., a field accepts any string but downstream code requires a specific format)
+   - Zod/schema stripping fields the service actually reads — when Zod uses `.strict()` or strips unknown keys, any field the service reads from the validated object must be declared in the schema, otherwise it's silently `undefined`
+   - Config values accepted by the API and persisted but silently ignored by the implementation — trace each config field through schema → service → generator/consumer to verify it's actually used (e.g., a `startRange` saved to config but the generator hardcodes a range)
+   - Handlers/functions that read properties from framework-provided objects (request, event, context) using a field name the framework doesn't populate — results in silent `undefined`. Verify the property name matches the caller's contract, not just the handler's assumption
    - Numeric query params (`limit`, `offset`, `page`) parsed from strings without lower-bound clamping — `parseInt` can produce 0, negative, or `NaN` values that cause SQL errors or unexpected behavior. Always clamp to safe bounds (e.g., `Math.max(1, ...)`)
    - Summary counters/accumulators that miss edge cases — if an item is removed, is the count updated? Are all branches counted?
    - Silent operations in verbose sequences — when a series of operations each prints a status line, ensure all branches print consistent output
+   - UI elements hidden from navigation (filtered tabs, conditional menu items) but still accessible via direct URL — enforce access restrictions at the route/handler level, not just visibility
    - Labels, comments, or status messages that describe behavior the code doesn't implement — e.g., a map named "renamed" that only deletes, or an action labeled "migrated" that never creates the target
    - Registering references (config entries, settings pointers) to files or resources without verifying the resource actually exists — a failed download or missing file leaves dangling references that break later operations
    - Error/catch handlers that exit cleanly (`exit 0`, `return`) without any user-visible output — makes failures look like successes; always print a skip/warning message explaining why the operation was skipped
@@ -57,11 +86,12 @@
 
    **Search & navigation**
    - Search results that link to generic list pages instead of deep-linking to the specific record — include the record type and ID in the URL
-   - Search or query code that hardcodes one backend's implementation when the system supports multiple backends — use the active backend's capabilities so results aren't stale after a backend switch
+   - Search or query code that hardcodes one backend's implementation when the system supports multiple backends — use the active backend's capabilities so results aren't stale after a backend switch. Also check that option/parameter names are mapped between backends (e.g., `ftsWeight` vs `bm25Weight`) so configuration isn't silently ignored
 
    **Sync & replication**
    - Upsert/`ON CONFLICT UPDATE` clauses that only update a subset of the fields exported by the corresponding "get changes" query — omitted fields cause replicas to diverge. Deliberately omit only fields that should stay local (e.g., access stats), and document the decision
    - Pagination using `COUNT(*)` to compute `hasMore` — this forces a full table scan on large tables. Use the `limit + 1` pattern: fetch one extra row to detect more pages, return only `limit` rows
+   - Pagination endpoints that return a `next` token but don't accept one as input (or vice versa) — clients can't retrieve pages beyond the first. Also check that hard-capped query limits (e.g., `Limit: 100`) don't silently truncate results when offset exceeds the cap
 
    **SQL & database**
    - Parameterized query placeholder indices (`$1`, `$2`, ...) must match the actual parameter array positions — especially when multiple queries share a param builder or when the index is computed dynamically
@@ -71,33 +101,43 @@
    - Full-text search with strict query parsers (`to_tsquery`) directly on user input — punctuation, quotes, and operators cause SQL errors. Use `websearch_to_tsquery` or `plainto_tsquery` for user-facing search
    - Query results assigned to variables but never read — remove dead queries to avoid unnecessary database load
    - N+1 query patterns inside transactions (SELECT + INSERT/UPDATE per row) — use batched upserts (`INSERT ... ON CONFLICT ... DO UPDATE`) to reduce round-trips and lock time
+   - `CREATE TABLE IF NOT EXISTS` used as the sole schema migration strategy — it won't add new columns, indexes, or triggers to existing tables on upgrade. Use `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` or a migration framework for schema evolution
+   - O(n²) algorithms (self-joins, all-pairs comparisons, nested loops over full tables) triggered per-request on data that grows over time — these become prohibitive at scale. Add caps, use indexed lookups, or move to background jobs
 
    **Lazy initialization & module loading**
    - Cached state getters that return `null`/`undefined` before the module is initialized — code that checks the cached value before triggering initialization will get incorrect results. Provide an async initializer or ensure-style function
    - Re-exporting constants from heavy modules defeats lazy loading — define shared constants in a lightweight module or inline them
+   - Module-level side effects (file reads, JSON.parse, SDK client init) that run on import without error handling — a corrupted file or missing credential crashes the entire process before any request is served. Wrap module-level init in try/catch and degrade gracefully
 
    **Data format portability**
    - Values that cross serialization boundaries (JSON API → database, peer sync) may change format — e.g., arrays in JSON vs specialized string literals in the database. Convert consistently before writing to the target
+   - Database BIGINT/BIGSERIAL values parsed into JavaScript `Number` via `parseInt` or `Number()` — precision is lost past `Number.MAX_SAFE_INTEGER`, silently corrupting IDs, sequence cursors, or pagination tokens. Use string representation or `BigInt` for large integer columns
 
    **Shell script safety**
-   - Subprocess calls in shell scripts under `set -e` — if the subprocess fails, the script aborts. Check exit status and handle gracefully
+   - Subprocess calls in shell scripts under `set -e` — if the subprocess fails, the script aborts. Also check non-critical writes (e.g., `echo` to stdout) which fail on broken pipes and trigger exit — use `|| true` for non-critical output
+   - Detached/background child processes spawned with piped stdio — if the parent exits (restart, crash), pipes close and writes cause SIGPIPE. Redirect stdio to log files or use `'ignore'` for children that must outlive the parent
    - When the same data structure is manipulated in both application code and shell-inline scripts, apply identical guards in both places
 
    **Cross-platform compatibility**
-   - Shell-specific commands (e.g., `sleep`) in Node.js setup/build scripts — use language-native alternatives for portability
+   - Platform-specific execution assumptions — hardcoded shell interpreters (`bash`, `sh`), `path.join()` producing backslashes that break ESM `import()` or URL-based APIs on Windows, platform-gated scripts without fallback or clear error. Use `pathToFileURL()` for dynamic imports, check `process.platform` for shell dispatch
 
    **Test coverage**
    - New validation schemas, service functions, or business logic added without corresponding tests — especially when the project already has a test suite covering similar existing code
    - New error paths (404, 400) that are untestable because the service throws generic errors instead of typed/status-coded ones
+   - Tests that re-implement the logic under test instead of importing real exports — these pass even when the real code regresses. Import and call the actual functions
+   - Missing tests for trust-boundary enforcement — if the server strips/recomputes client-provided fields, add a test that submits tampered values and verifies the server ignores them
+   - Tests that depend on real wall-clock time (`setTimeout`, `Date.now`, network delays) for rate limiters, debounce, or scheduling — slow under normal conditions and flaky under CI load. Use fake timers or time mocking
 
    **Accessibility**
-   - Interactive elements (buttons, toggles, custom controls) missing accessible names, roles, or ARIA states
+   - Interactive elements (buttons, toggles, custom controls) missing accessible names, roles, or ARIA states — including programmatically disabled interactions that don't reflect the disabled state visually or via `aria-disabled` (e.g., drag handles that appear interactive but are inert during async operations)
    - Custom toggle/switch UI built from `<button>` or `<div>` instead of native inputs with appropriate labeling
 
    **Configuration & hardcoding**
    - Hardcoded values (usernames, org names, limits) when a config field or env var already exists for that purpose
    - Dead config fields that nothing reads — either wire them up or remove them
-   - Duplicated config/constants across modules — extract to a single shared module to prevent drift (watch for circular imports when choosing the shared location)
+   - Function parameters that are accepted but never used — creates a false API contract; remove unused params or implement the intended behavior
+   - Duplicated config/constants/utility helpers across modules — extract to a single shared module to prevent drift (watch for circular imports when choosing the shared location)
+   - CI pipelines that install dependencies without lockfile pinning (`npm install` instead of `npm ci`) or that ad-hoc install packages without version constraints — creates non-deterministic builds that can break unpredictably
 
    **Style & conventions**
    - Naming and patterns consistent with the rest of the codebase

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "slash-do",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Curated slash commands for AI coding assistants — Claude Code, OpenCode, Gemini CLI, and Codex",
   "author": "Adam Eivy <adam@eivy.com>",
   "license": "MIT",

package/src/installer.js

@@ -146,18 +146,25 @@ function registerHooksInSettings(env, hookFiles, dryRun) {
     }
   }
 
-  // Configure statusline only if none exists
+  // Configure statusline: upgrade gsd-statusline → slashdo-statusline (superset)
   const statuslineHook = hookFiles.find(h => h.name === 'slashdo-statusline.js');
-  if (statuslineHook && !settings.statusLine) {
+  if (statuslineHook) {
     const statuslineCommand = `node "${path.join(env.hooksDir, statuslineHook.name)}"`;
-    settings.statusLine = {
-      type: 'command',
-      command: statuslineCommand,
-    };
-    modified = true;
-    actions.push({ name: 'settings/statusLine', status: dryRun ? 'would configure' : 'configured' });
-  } else if (statuslineHook && settings.statusLine) {
-    actions.push({ name: 'settings/statusLine', status: 'existing statusline preserved' });
+    const currentCmd = typeof settings.statusLine?.command === 'string' ? settings.statusLine.command : '';
+
+    if (!settings.statusLine) {
+      settings.statusLine = { type: 'command', command: statuslineCommand };
+      modified = true;
+      actions.push({ name: 'settings/statusLine', status: dryRun ? 'would configure' : 'configured' });
+    } else if (currentCmd.includes('gsd-statusline')) {
+      settings.statusLine = { type: 'command', command: statuslineCommand };
+      modified = true;
+      actions.push({ name: 'settings/statusLine', status: dryRun ? 'would upgrade (gsd→slashdo)' : 'upgraded (gsd→slashdo)' });
+    } else if (currentCmd.includes('slashdo-statusline')) {
+      actions.push({ name: 'settings/statusLine', status: 'already configured' });
+    } else {
+      actions.push({ name: 'settings/statusLine', status: 'existing statusline preserved' });
+    }
   }
 
   if (!dryRun && modified) {
@@ -214,9 +221,16 @@ function deregisterHooksFromSettings(env, dryRun) {
 
   // Remove statusline if it references slashdo-statusline
   if (settings.statusLine?.command?.includes('slashdo-statusline')) {
-    delete settings.statusLine;
+    // Restore gsd-statusline if its hook file still exists
+    const gsdHookPath = path.join(env.hooksDir, 'gsd-statusline.js');
+    if (fs.existsSync(gsdHookPath)) {
+      settings.statusLine = { type: 'command', command: `node "${gsdHookPath}"` };
+      actions.push({ name: 'settings/statusLine', status: dryRun ? 'would downgrade (slashdo→gsd)' : 'downgraded (slashdo→gsd)' });
+    } else {
+      delete settings.statusLine;
+      actions.push({ name: 'settings/statusLine', status: dryRun ? 'would remove' : 'removed' });
+    }
     modified = true;
-    actions.push({ name: 'settings/statusLine', status: dryRun ? 'would remove' : 'removed' });
   }
 
   if (!dryRun && modified) {

package/uninstall.sh

@@ -27,6 +27,7 @@ COMMANDS=(
   pr push release replan review rpr update
 )
 
+
 OLD_COMMANDS=(cam good makegoals makegood optimize-md)
 
 LIBS=(
@@ -135,7 +136,13 @@ uninstall_claude() {
 
       if (settings.statusLine && settings.statusLine.command &&
           settings.statusLine.command.indexOf("slashdo-statusline") !== -1) {
-        delete settings.statusLine;
+        var hooksDir = path.join(home, ".claude", "hooks");
+        var gsdHookPath = path.join(hooksDir, "gsd-statusline.js");
+        if (fs.existsSync(gsdHookPath)) {
+          settings.statusLine = { type: "command", command: "node \"" + gsdHookPath + "\"" };
+        } else {
+          delete settings.statusLine;
+        }
         modified = true;
       }