v1.25.0.0 chore: merge upstream gstack v1.25.0.0#5
Merged
Conversation
…rytan#1255) * test: extract classifyVisible() + permission-dialog filter in PTY runner Pure classifier extracted from runPlanSkillObservation's polling loop so unit tests can exercise the actual branch order with synthetic input strings. Runner gains: - env? passthrough on runPlanSkillObservation (forwarded to launchClaudePty). gstack-config does not yet honor env overrides; plumbing is in place for a future change to make tests hermetic. - TAIL_SCAN_BYTES = 1500 exported constant. Replaces a duplicated magic number in test/skill-e2e-plan-ceo-mode-routing.test.ts so tuning stays in sync. - isPermissionDialogVisible: the bare phrase "Do you want to proceed?" now requires a file-edit context co-trigger. Other clauses unchanged. Skill questions that contain the bare phrase are no longer mis-classified. - classifyVisible(visible): pure function. Branch order silent_write → plan_ready → asked → null. Permission dialogs filtered out of the 'asked' classification so a permission prompt cannot pose as a Step 0 skill question. Adds 24 unit tests covering all classifier branches, edge cases, and the co-trigger contract. * test: tighten plan-ceo-review smoke to require Step 0 fires first Assertion narrows from ['asked', 'plan_ready'] to 'asked' only. Reaching plan_ready first means the agent skipped Step 0 entirely and went straight to ExitPlanMode — the regression we want to catch. Why plan-ceo is special: unlike plan-eng / plan-design / plan-devex (whose smokes legitimately reach plan_ready on certain branches without asking), plan-ceo-review's template mandates Step 0A premise challenge plus Step 0F mode selection BEFORE any plan write. There is no legitimate path to plan_ready that does not first emit a skill-question numbered prompt. Failure message now branches on outcome (plan_ready vs timeout vs silent_write) with a tailored diagnosis line per case. References the skill template by section name ("Step 0 STOP rules", "One issue = one AskUserQuestion call") instead of line numbers, so it survives template edits. Passes env: { QUESTION_TUNING: 'false', EXPLAIN_LEVEL: 'default' } through the runner. Today this is advisory — gstack-config reads only ~/.gstack/config.yaml, not env vars — but the wiring is in place for a future change. Documented honestly in the docstring. Verified across 4 PTY runs: 3 pre-refactor + 1 post-refactor, all PASS. * chore: capture v1.21.1.0 follow-ups in TODOS.md - P2: per-finding AskUserQuestion count assertion (V2) - P3: honor env vars in gstack-config so test isolation env actually works - P3: path-confusion hardening on SANCTIONED_WRITE_SUBSTRINGS All three surfaced during the v1.21.1.0 plan-eng-review and adversarial review passes. Captured here so the design intent persists. * chore: bump version and changelog (v1.21.1.0) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: extract MODE_RE + optionsSignature into PTY runner exports Refactor prep for the upcoming per-finding AskUserQuestion count test across plan-{ceo,eng,design,devex}-review. Both new tests and the existing mode-routing test need the same mode regex and the same option-list fingerprint dedupe — pulling them into one source of truth in test/helpers/claude-pty-runner.ts so a fifth mode (or a tweak to the fingerprint shape) updates everywhere instead of drifting per-test. Mechanical: no behavior change in the mode-routing test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add per-finding count primitives + unit tests Pure helpers landing ahead of runPlanSkillCounting: - parseQuestionPrompt(visible) — extract the 1-3 line prompt above the latest "❯ 1." cursor, normalize to a 240-char snippet - auqFingerprint(prompt, opts) — Bun.hash of normalized prompt + sorted options signature; distinct prompts with shared option labels (the generic A/B/C TODO menu) get distinct fingerprints - COMPLETION_SUMMARY_RE — terminal-signal regex matching all four plan-review skills' completion / verdict markers - assertReviewReportAtBottom(content) — checks "## GSTACK REVIEW REPORT" is present and is the last "## " heading in a plan file - Step0BoundaryPredicate type + four per-skill predicates (ceo / eng / design / devex) — fire on the answered AUQ's fingerprint, marking the end of Step 0 deterministically (event-based, not content-based, per Codex F7) Plus 37 deterministic unit tests covering option-label collision regression, prompt extraction edge cases, predicate positive AND negative cases, and review-report-at-bottom triple-check (missing / mid-file / multiple trailing). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add runPlanSkillCounting PTY helper Drives a plan-* skill end-to-end and counts distinct review-phase AskUserQuestions. Composes the primitives from the previous commit: - Boot + auto-trust handler (existing launchClaudePty) - Send slash command alone, sleep 3s, send plan content as follow-up message (proven pattern from skill-e2e-plan-design-with-ui) - Poll loop with permission-dialog auto-grant, same-redraw skip, empty-prompt re-poll - Event-based Step-0 boundary via isLastStep0AUQ predicate fired on the answered AUQ's fingerprint (Codex F7 — boundary is observed event, not later rendered content) - Multi-signal terminals: hard ceiling, COMPLETION_SUMMARY_RE, plan_ready, silent_write, exited, timeout Empty-prompt fingerprints are skipped per the contract documented in auqFingerprint's unit tests — fingerprinting them would re-introduce the option-label collision regression Codex F1 caught. No E2E tests yet — those land in commit 5 with the four skill fixtures. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: register four finding-count tests in touchfiles + tier map Each new test depends on its skill template, the runner, and three preamble resolvers (preamble.ts, generate-ask-user-format.ts, generate-completion-status.ts) — those affect question cadence and completion rendering, which is exactly what the test asserts on. All four classified periodic. Sequential execution during calibration; opt-in to concurrent only after measured comparison agrees (plan §D15). Updated touchfiles.test.ts: plan-ceo-review/** now selects 19 tests (was 18) because plan-ceo-finding-count joins the family. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add four per-finding count E2E tests (plan-ceo + eng + design + devex) Each test drives its plan-* skill through Step 0 then asserts the review-phase AskUserQuestion count falls in [N-1, N+2] for an N=5 seeded plan, plus D19: produced plan file ends with "## GSTACK REVIEW REPORT" as its last "## " heading. plan-ceo also runs a paired-finding positive control: 2 deliberately related findings should still produce 2 distinct AUQs, not 1 batched. Periodic-tier (gate-skipped without EVALS=1, EVALS_TIER=periodic). Sequential execution by plan §D15. Each fixture is inline TypeScript content delivered as a follow-up message after the slash command, per the proven pattern at skill-e2e-plan-design-with-ui.test.ts. Calibration loop (5 runs per skill) and the manual pre-merge negative check (D7 + D12) are required before merge per plan §Verification. NOT yet run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: fix parseNumberedOptions for inline-cursor box-layout AUQs Calibration run 1 timed out with step0=0 review=0 because the parser could not find the cursor in /plan-ceo-review's scope-selection AUQ. The TTY's box-layout rendering inlines divider + header + prompt + "1." onto one logical line — cursor escapes get stripped, leaving text crushed onto a single line. Cursor anchor regex changed from anchored to unanchored so it matches mid-line. Cursor-line option extraction uses a non-anchored regex; subsequent options stay with the original start-of-line parser. parseQuestionPrompt picks up the inline prompt text BEFORE the cursor on the cursor line (after stripping box-drawing chars + sigil) and appends it after any walked-up multi-line prompt above. Three new unit tests: clean-cursor still works, inline-cursor extracts all 7 options, prompt extraction strips box chars. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add firstAUQPick + plan-ceo skip-interview routing Calibration run 1 surfaced a second issue beyond the parser bug: the default pick of 1 on /plan-ceo-review's scope-selection AUQ routes the agent to "branch diff vs main" — so it reviews the gstack PR itself (recursive!) instead of the seeded fixture plan we sent. Added firstAUQPick callback to runPlanSkillCounting. Override applies only to the FIRST AUQ; subsequent presses keep using defaultPick. ceoStep0Boundary now fires on either the mode-pick AUQ (existing path) or any AUQ containing "Skip interview and plan immediately" — which is the scope-selection AUQ. Picking that option bypasses Step 0 and routes straight to review-phase using the chat-paste plan as context. Plan-ceo test wires firstAUQPick = pickSkipInterview which finds the "Skip interview" option by label. Falls back to "describe inline" if the option labels change. Two new unit tests: ceoStep0Boundary fires on the scope-selection fixture; existing mode-pick fixture still fires. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rytan#1255) * test: extract classifyVisible() + permission-dialog filter in PTY runner Pure classifier extracted from runPlanSkillObservation's polling loop so unit tests can exercise the actual branch order with synthetic input strings. Runner gains: - env? passthrough on runPlanSkillObservation (forwarded to launchClaudePty). gstack-config does not yet honor env overrides; plumbing is in place for a future change to make tests hermetic. - TAIL_SCAN_BYTES = 1500 exported constant. Replaces a duplicated magic number in test/skill-e2e-plan-ceo-mode-routing.test.ts so tuning stays in sync. - isPermissionDialogVisible: the bare phrase "Do you want to proceed?" now requires a file-edit context co-trigger. Other clauses unchanged. Skill questions that contain the bare phrase are no longer mis-classified. - classifyVisible(visible): pure function. Branch order silent_write → plan_ready → asked → null. Permission dialogs filtered out of the 'asked' classification so a permission prompt cannot pose as a Step 0 skill question. Adds 24 unit tests covering all classifier branches, edge cases, and the co-trigger contract. * test: tighten plan-ceo-review smoke to require Step 0 fires first Assertion narrows from ['asked', 'plan_ready'] to 'asked' only. Reaching plan_ready first means the agent skipped Step 0 entirely and went straight to ExitPlanMode — the regression we want to catch. Why plan-ceo is special: unlike plan-eng / plan-design / plan-devex (whose smokes legitimately reach plan_ready on certain branches without asking), plan-ceo-review's template mandates Step 0A premise challenge plus Step 0F mode selection BEFORE any plan write. There is no legitimate path to plan_ready that does not first emit a skill-question numbered prompt. Failure message now branches on outcome (plan_ready vs timeout vs silent_write) with a tailored diagnosis line per case. References the skill template by section name ("Step 0 STOP rules", "One issue = one AskUserQuestion call") instead of line numbers, so it survives template edits. Passes env: { QUESTION_TUNING: 'false', EXPLAIN_LEVEL: 'default' } through the runner. Today this is advisory — gstack-config reads only ~/.gstack/config.yaml, not env vars — but the wiring is in place for a future change. Documented honestly in the docstring. Verified across 4 PTY runs: 3 pre-refactor + 1 post-refactor, all PASS. * chore: capture v1.21.1.0 follow-ups in TODOS.md - P2: per-finding AskUserQuestion count assertion (V2) - P3: honor env vars in gstack-config so test isolation env actually works - P3: path-confusion hardening on SANCTIONED_WRITE_SUBSTRINGS All three surfaced during the v1.21.1.0 plan-eng-review and adversarial review passes. Captured here so the design intent persists. * chore: bump version and changelog (v1.21.1.0) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: extract MODE_RE + optionsSignature into PTY runner exports Refactor prep for the upcoming per-finding AskUserQuestion count test across plan-{ceo,eng,design,devex}-review. Both new tests and the existing mode-routing test need the same mode regex and the same option-list fingerprint dedupe — pulling them into one source of truth in test/helpers/claude-pty-runner.ts so a fifth mode (or a tweak to the fingerprint shape) updates everywhere instead of drifting per-test. Mechanical: no behavior change in the mode-routing test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add per-finding count primitives + unit tests Pure helpers landing ahead of runPlanSkillCounting: - parseQuestionPrompt(visible) — extract the 1-3 line prompt above the latest "❯ 1." cursor, normalize to a 240-char snippet - auqFingerprint(prompt, opts) — Bun.hash of normalized prompt + sorted options signature; distinct prompts with shared option labels (the generic A/B/C TODO menu) get distinct fingerprints - COMPLETION_SUMMARY_RE — terminal-signal regex matching all four plan-review skills' completion / verdict markers - assertReviewReportAtBottom(content) — checks "## GSTACK REVIEW REPORT" is present and is the last "## " heading in a plan file - Step0BoundaryPredicate type + four per-skill predicates (ceo / eng / design / devex) — fire on the answered AUQ's fingerprint, marking the end of Step 0 deterministically (event-based, not content-based, per Codex F7) Plus 37 deterministic unit tests covering option-label collision regression, prompt extraction edge cases, predicate positive AND negative cases, and review-report-at-bottom triple-check (missing / mid-file / multiple trailing). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add runPlanSkillCounting PTY helper Drives a plan-* skill end-to-end and counts distinct review-phase AskUserQuestions. Composes the primitives from the previous commit: - Boot + auto-trust handler (existing launchClaudePty) - Send slash command alone, sleep 3s, send plan content as follow-up message (proven pattern from skill-e2e-plan-design-with-ui) - Poll loop with permission-dialog auto-grant, same-redraw skip, empty-prompt re-poll - Event-based Step-0 boundary via isLastStep0AUQ predicate fired on the answered AUQ's fingerprint (Codex F7 — boundary is observed event, not later rendered content) - Multi-signal terminals: hard ceiling, COMPLETION_SUMMARY_RE, plan_ready, silent_write, exited, timeout Empty-prompt fingerprints are skipped per the contract documented in auqFingerprint's unit tests — fingerprinting them would re-introduce the option-label collision regression Codex F1 caught. No E2E tests yet — those land in commit 5 with the four skill fixtures. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: register four finding-count tests in touchfiles + tier map Each new test depends on its skill template, the runner, and three preamble resolvers (preamble.ts, generate-ask-user-format.ts, generate-completion-status.ts) — those affect question cadence and completion rendering, which is exactly what the test asserts on. All four classified periodic. Sequential execution during calibration; opt-in to concurrent only after measured comparison agrees (plan §D15). Updated touchfiles.test.ts: plan-ceo-review/** now selects 19 tests (was 18) because plan-ceo-finding-count joins the family. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add four per-finding count E2E tests (plan-ceo + eng + design + devex) Each test drives its plan-* skill through Step 0 then asserts the review-phase AskUserQuestion count falls in [N-1, N+2] for an N=5 seeded plan, plus D19: produced plan file ends with "## GSTACK REVIEW REPORT" as its last "## " heading. plan-ceo also runs a paired-finding positive control: 2 deliberately related findings should still produce 2 distinct AUQs, not 1 batched. Periodic-tier (gate-skipped without EVALS=1, EVALS_TIER=periodic). Sequential execution by plan §D15. Each fixture is inline TypeScript content delivered as a follow-up message after the slash command, per the proven pattern at skill-e2e-plan-design-with-ui.test.ts. Calibration loop (5 runs per skill) and the manual pre-merge negative check (D7 + D12) are required before merge per plan §Verification. NOT yet run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: fix parseNumberedOptions for inline-cursor box-layout AUQs Calibration run 1 timed out with step0=0 review=0 because the parser could not find the cursor in /plan-ceo-review's scope-selection AUQ. The TTY's box-layout rendering inlines divider + header + prompt + "1." onto one logical line — cursor escapes get stripped, leaving text crushed onto a single line. Cursor anchor regex changed from anchored to unanchored so it matches mid-line. Cursor-line option extraction uses a non-anchored regex; subsequent options stay with the original start-of-line parser. parseQuestionPrompt picks up the inline prompt text BEFORE the cursor on the cursor line (after stripping box-drawing chars + sigil) and appends it after any walked-up multi-line prompt above. Three new unit tests: clean-cursor still works, inline-cursor extracts all 7 options, prompt extraction strips box chars. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: add firstAUQPick + plan-ceo skip-interview routing Calibration run 1 surfaced a second issue beyond the parser bug: the default pick of 1 on /plan-ceo-review's scope-selection AUQ routes the agent to "branch diff vs main" — so it reviews the gstack PR itself (recursive!) instead of the seeded fixture plan we sent. Added firstAUQPick callback to runPlanSkillCounting. Override applies only to the FIRST AUQ; subsequent presses keep using defaultPick. ceoStep0Boundary now fires on either the mode-pick AUQ (existing path) or any AUQ containing "Skip interview and plan immediately" — which is the scope-selection AUQ. Picking that option bypasses Step 0 and routes straight to review-phase using the chat-paste plan as context. Plan-ceo test wires firstAUQPick = pickSkipInterview which finds the "Skip interview" option by label. Falls back to "describe inline" if the option labels change. Two new unit tests: ceoStep0Boundary fires on the scope-selection fixture; existing mode-pick fixture still fires. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Rewrite gstack-build-phase-guardrail: fail closed on gh errors, use gh pr view --json state for merge detection (handles squash/rebase), git fetch now hard-fails instead of silently continuing on network error - Scope pgrep kill to this build's project root (was killing all gstack-build processes on the machine) - All three jq model lookups use // empty + explicit STOP guard instead of hardcoded fallback strings — misconfured configure.cm now halts rather than silently using wrong models - Step 3 ship/land spawn is conditional on --skip-ship flag — without it the CLI already shipped, so spawning again would double-ship and create duplicate PRs - Add planLocator/planSynthesizer/featureVerifier roles to configure.cm; note these are template-only roles and intentionally absent from ROLE_DEFINITIONS Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrite intro and Skill-Prompt Path: v1.20.0 always routes all plans to gstack-build; document the planLocator/planSynthesizer subagent startup sequence and post-feature monitoring loop - Document double-ship prevention: skill only spawns ship/land when --skip-ship was passed; otherwise CLI already handled it - Add Feature Verification section: featureVerifier subagent per-feature origin-plan coverage check (VERIFICATION: PASS | GAPS) - Add Phase Guardrail section: document gstack-build-phase-guardrail, its three checks, and why it uses gh pr view --json state instead of git branch --merged (squash/rebase merge detection) - Add template-only roles to Sub-Agent Roles: planLocator, planSynthesizer, featureVerifier with note they have no CLI flags or env vars; add configure.cm // empty STOP-on-misconfiguration behavior - Add configure.cm and bin/gstack-build-phase-guardrail to Module Map Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add bin/gstack-pr-title-rewrite.sh shared helper Single source of truth for "rewrite a PR title to start with v<VERSION>". Three cases: already correct (no-op), different prefix (replace), no prefix (prepend). Rejects malformed VERSION (anything outside ^[0-9]+(\.[0-9]+)*$) with exit code 2. Uses literal case prefix match instead of bash's pattern- matching # operator so a VERSION with glob metacharacters cannot mismatch. Free bun test covers the four branches plus malformed-input rejection, plain-words-not-stripped, single-segment-not-stripped, idempotence, and missing-args. 9 tests, ~400ms. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(skills): /ship and /document-release always prefix PR titles with v<VERSION> ship/SKILL.md.tmpl Step 19: idempotency block now always rewrites titles to start with v$NEW_VERSION via the new helper. Removes the "custom title kept intentionally" loophole that let unprefixed titles persist forever. Adds a post-edit self-check that re-fetches the title and retries once if the edit didn't stick. Inline comments on the create-PR snippets at lines 867 and 876 make the rule unmissable. document-release/SKILL.md.tmpl Step 9: new "PR/MR title sync" sub-step calls the same helper after the body update. Catches the case where Step 8 bumped VERSION after /ship had already created the PR — title now follows VERSION instead of going stale. Golden fixtures regenerated for claude/codex/factory ship variants. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(ci): pr-title-sync rewrites titles unconditionally Drops the "eligible only if already prefixed" gate. Sources the new shared helper, rewrites unconditionally on every VERSION change. Defense-in-depth backstop for PRs opened outside the skills (manual gh pr create, web UI). Uses env: for OLD_TITLE so YAML expression injection cannot reach run:. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: bump version and changelog (v1.23.0.0) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
….which resolver + path-portability helper (garrytan#1252) * feat(paths): bin/gstack-paths helper + migrate 8 skills off inline state-root chains New bin/gstack-paths emits GSTACK_STATE_ROOT, PLAN_ROOT, TMP_ROOT exports for skill bash blocks to source via eval. Honors GSTACK_HOME → CLAUDE_PLUGIN_DATA → $HOME/.gstack → .gstack (and parallel chains for plan/tmp roots) so skills work the same in plugin installs, global installs, and CI containers without HOME. Eight skills migrate off inline ${CLAUDE_PLUGIN_DATA:-...} or ${GSTACK_HOME:-...} chains: careful, freeze, guard, unfreeze, investigate, context-save, context-restore, learn, office-hours, plan-tune, codex. Resolved values are identical, so existing tests cover correctness; the win is consolidating 11 copy-pasted fallback chains behind one helper. codex/SKILL.md.tmpl gets a new Step 0.6 Resolve portable roots that sources gstack-paths once, then replaces hardcoded ~/.claude/plans/*.md and /tmp/codex-*-XXXXXX.txt with "$PLAN_ROOT"/*.md and "$TMP_ROOT/codex-*-XXXXXX.txt". Hardening direction credited to the McGluut/gstack fork; this is upstream's factoring of the per-skill chain the fork inlined. Tests: test/gstack-paths.test.ts covers all three fallback chains with 8 unit tests (HOME unset, CLAUDE_PLUGIN_DATA set, GSTACK_HOME wins, etc). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(claude-bin): Bun.which wrapper for cross-platform claude resolution Replaces 75 LOC of fork-side reimplementation (PATH parsing, Windows PATHEXT, case-insensitive Path/PATH, X_OK) with a thin wrapper around Bun.which() — the runtime built-in that already does all of it. New file is ~70 LOC including the override + arg-prefix logic the runtime doesn't cover. Override branch fixed: GSTACK_CLAUDE_BIN=wsl now resolves through Bun.which() just like a bare claude lookup would. The McGluut fork's claude-bin.ts only handled absolute-path overrides; bare commands silently returned null. Passing the override value through Bun.which fixes the documented use case for free. Five hardcoded claude spawn sites rewired through resolveClaudeCommand: - browse/src/security-classifier.ts:396 — version probe - browse/src/security-classifier.ts:496 — Haiku transcript classifier - scripts/preflight-agent-sdk.ts — preflight binary pinning - test/helpers/providers/claude.ts — LLM judge availability + run - test/helpers/agent-sdk-runner.ts — SDK harness binary resolver All retain their existing degrade-on-missing semantics. Tests: browse/test/claude-bin.test.ts has 9 unit tests including the override-PATH-resolution case the fork's version got wrong. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs+test: AGENTS.md/docs/skills.md inventory sync + private-path leak detector Inventory sync (codex-flagged drift): - /debug → /investigate (skill renamed in v1.0.1.0) - AGENTS.md grows from 21 to 40+ skills, organized by category (plan reviews, implementation, release, operational, browser, safety) - docs/skills.md gains 11 missing entries: /plan-devex-review, /devex-review, /plan-tune, /context-save, /context-restore, /health, /landing-report, /benchmark-models, /pair-agent, /setup-gbrain, /make-pdf - Stale "<5s bun test" claim dropped — slim-preamble harness + new tests means no realistic universal claim to make - Adds explicit "Mac + Linux full, curated Windows lane" platform statement + "Git Bash / MSYS today, native PowerShell future" install note New invariants in test/skill-validation.test.ts (~80 LOC): - Private-path leak detector scans every SKILL.md / SKILL.md.tmpl for known maintainer-only filenames (coordination-board.md, SEEKING_LOG.md, RATIONAL_SUBJECT.md, VALUE_SIGNAL_LOOP.md, C:\LLM Playground\go). Adapted from the McGluut fork's skill-contract-audit.ts; we don't take the script wholesale because most of its checks are already covered by test/gen-skill-docs.test.ts:1668-2074 and test/skill-validation.test.ts:1419 — only the private-path scan and doc-inventory cross-check are new. - Doc-inventory cross-check: every skill directory with a SKILL.md.tmpl must appear in both AGENTS.md and docs/skills.md. Catches the inventory drift this commit is fixing — without this test it would just drift again. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(windows): curated windows-free-tests CI job + test-free-shards curation Codex's v1.18.0.0 review flagged that a windows-latest matrix entry on the existing Linux-container evals.yml workflow can't work as a drop-in, and that the free test suite has POSIX-bound dependencies a sharded runner doesn't fix on its own. This commit takes McGluut's test-free-shards.ts (190 LOC), adds a Windows-fragility scan, and runs the curated subset on a separate non-container windows-latest job. scripts/test-free-shards.ts: - Enumeration + paid-eval filtering + stable-hash sharding (FNV-1a). Adapted from McGluut/gstack fork. - Upstream-original: --windows-only filter scans each test's content for POSIX-bound patterns: hardcoded /bin/sh, spawn('sh', ...), bash -c, raw /tmp/, chmod, xargs, which claude. Files matching are excluded with the reason logged. Currently filters 25 of 128 free tests; remaining 103 run on windows-latest. .github/workflows/windows-free-tests.yml: - Separate non-container job (NOT a matrix entry on evals.yml). Runs: bun run test:windows # curated subset bun test browse/test/claude-bin.test.ts # PATHEXT+overrides on Windows bun test test/gstack-paths.test.ts # state-root resolution package.json: new test:free + test:windows scripts. Honest about scope (codex-flagged): this does NOT make the full free suite Windows-safe. The 25 excluded tests need POSIX-only surfaces ported off shell primitives (test/ship-version-sync.test.ts:72 hardcodes /bin/bash, etc). Tracked as a P4 follow-up TODO. Full Windows parity is the next wave; this release ships the curated lane. Tests: test/test-free-shards.test.ts has 14 unit tests covering enumeration, paid-eval filtering, Windows-fragility detection (POSIX patterns + safe code), and stable sharding determinism. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(release): v1.20.0.0 — cross-platform hardening, curated Windows lane Cross-platform hardening. Mac + Linux full, curated Windows lane added. Workspace-aware queue at ship time: - v1.17.0.0 claimed by garrytan/setup-gbrain-run (PR garrytan#1234) - v1.19.0.0 claimed by garrytan/browserharness (PR garrytan#1233) - This branch claims v1.20.0.0 (next available slot) (Initially bumped to v1.18.0.0 during plan-mode implementation; rebumped to v1.20.0.0 at /ship time when gstack-next-version detected the queue had moved.) Headline numbers (full release-note in CHANGELOG.md): - 2 new shared resolvers: bin/gstack-paths (61 LOC), browse/src/claude-bin.ts (73 LOC) - 8 skills migrated off inline state-root chains - 5 hardcoded claude spawn sites rewired through the shared resolver - 75 LOC of fork-side reimplementation replaced by Bun.which() - 103 of 128 free tests run on windows-latest (curated, ~80%) - +31 new unit tests + 3 new invariants - AGENTS.md inventory grows from 21 to 40+ skills Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): configure git identity + extend Windows-fragility curation First windows-free-tests CI run surfaced 34 failures across two patterns: 1. Tests that init a temp git repo via execSync('git commit ...') — Windows runner has no default git user.email/user.name, so the commit fails. Fix: add a "Configure git identity" step to .github/workflows/windows-free-tests.yml that sets a CI-only identity globally. 2. Tests that use POSIX-only APIs unconditionally: - file-mode bitmask checks (`stat.mode & 0o600`, `mode & 0o111`) — Windows fakes mode bits and these assertions don't compose - hardcoded forward-slash path assertions (`file.endsWith('/tab-42.json')`) — Windows path separators are '\\' Fix: extend WINDOWS_FRAGILE_PATTERNS in scripts/test-free-shards.ts to detect both. 8 additional tests now excluded from the curated Windows subset with logged reasons: - browse/test/security-review-flow.test.ts (file mode) - browse/test/security-sidepanel-dom.test.ts (forward-slash path) - browse/test/url-validation.test.ts (forward-slash path) - test/gbrain-repo-policy.test.ts (file mode) - test/relink.test.ts (file mode) - test/skill-validation.test.ts (file mode — single assertion at :934) - test/team-mode.test.ts (file mode — also kills its 30 git-init beforeEach failures) - test/upgrade-migration-v1.test.ts (file mode) Curated Windows subset: 103 → 95 tests (still ~74% of free suite). All 14 test-free-shards unit tests still pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): enforce LF + build server-node.mjs in CI Second round of windows-free-tests fixes after the first push. Curated subset went from 386/34 to 58/4 fails. Remaining 4 fails + 1 error trace to two root causes: 1. Line-ending sensitivity. Windows checkout with core.autocrlf=true converts .md/.tmpl files to CRLF. Tests that parse YAML frontmatter with `/^---\n([\\s\\S]+?)\n---/` then return zero matches — skill-collision- sentinel.test.ts:120 enumerated 0 skills on Windows, cascading into 3 downstream test failures (sanity, KNOWN_COLLISIONS, /checkpoint resolved). Fix: add .gitattributes that pins LF for .md/.tmpl/.yml/.json/.toml/.sh/ .ts/.tsx/.js/.mjs/.cjs/.bash. Root-cause fix; prevents future similar tests from hitting the same trap. Also keeps bash scripts LF on Linux runners (CRLF in shebangs produces "bad interpreter" errors). 2. Module-level Windows assertion in browse/src/cli.ts:82 throws if browse/dist/server-node.mjs is missing. Any test that transitively loads cli.ts (e.g., browse/test/tab-isolation.test.ts via shard mate imports) then fails to even start. server-node.mjs is generated by bash browse/scripts/build-node-server.sh, which `bun run build` calls but `bun install` does not. Fix: add a "Build server-node.mjs" step to .github/workflows/ windows-free-tests.yml. Calls only the node-server build script, not full `bun run build` — we don't need the compiled binaries for tests and the full build is slow. Expected: skill-collision-sentinel goes 0→3 pass (sanity, KNOWN_COLLISIONS, /checkpoint resolved). tab-isolation's "unhandled error between tests" disappears. Remaining tests should be green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): platform-aware claude-bin test + curate bin/ shebang spawns Round 3 of windows-free-tests fixes. Round 2 (LF gitattributes + server-node.mjs build) cleared shard 1 entirely (skill-collision-sentinel and tab-isolation green). Shard 2 surfaced two more issues: 1. browse/test/claude-bin.test.ts:50 — the "PATH-resolvable override" test creates a fake binary 'fake-claude-cli' (no extension) and expects Bun.which to find it. On Windows, Bun.which probes PATHEXT extensions (.cmd, .exe, .bat) — a bare-name file is not discoverable. Production behavior is correct; the test was Mac/Linux-shaped. Fix: branch on process.platform. On Windows, write 'fake-claude-cli.cmd' with a Windows batch payload instead of a POSIX shebang script. 2. test/gstack-question-log.test.ts (and 18 sibling tests) — spawn a bash shebang script via spawnSync(BIN, args). Git Bash on Windows can run `bash /path/to/script` but spawnSync invokes CreateProcess directly, which doesn't parse #!/usr/bin/env bash. All these tests are Windows-fragile and can't run as-is. Fix: extend WINDOWS_FRAGILE_PATTERNS with `path.join(.., 'bin', ..)` detector. Curates 19 additional tests (benchmark-cli, brain-sync, builder-profile, explain-level-config, gbrain-*, gstack-question-*, hook-scripts, learnings, plan-tune, review-log, secret-sink-harness, taste-engine, telemetry, timeline, uninstall). Curated Windows subset: 95 → 76 tests (~59% of free suite). Still meaningful Windows coverage. The 52 excluded tests are tracked as a follow-up TODO for full Windows parity (shebang-bin spawns + POSIX file modes + raw /tmp/ etc). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): curate Playwright-launching tests Round 4 of windows-free-tests fixes. Round 3 cleared shard 2 except for browse/test/batch.test.ts:35 which calls `await bm.launch()` and triggers Playwright Chromium launch. The windows-latest runner doesn't have Chromium installed (browser bring-up is a separate concern, tracked by PR garrytan#1238 windows-pty-bun-pty-fix). Fix: extend WINDOWS_FRAGILE_PATTERNS with `await \\w+\\.launch\\(` matcher. Catches batch.test.ts plus 7 sibling tests (commands, compare-board, content-security, handoff, security-live-playwright, security-sidepanel-dom, snapshot — most already excluded by other patterns). Curated Windows subset: 76 → 72 tests (~56% of free suite). Net curation across all 4 rounds: 56 of 128 free tests excluded, each with a logged reason. The 56 excluded fall into 6 buckets — POSIX shells, raw /tmp/, chmod/xargs, file mode bitmasks, forward-slash path assertions, bin/ shebang spawns, and Playwright launches — all tracked as a P4 follow-up TODO for full Windows parity. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): catch destructured join() bin-spawns + browse server tests Round 5 of windows-free-tests fixes. Round 4 caught Playwright launchers but two more failure shapes appeared in shard 5: 1. test/diff-scope.test.ts uses `import { join }` (destructured) and `join(import.meta.dir, '..', 'bin', 'gstack-diff-scope')`. My round-3 pattern only matched `path.join(...)` — the destructured form slipped through. Tightened the pattern to match the literal `, 'bin', '<name>'` path-segment shape regardless of whether it's `path.join` or `join` directly. 2. browse/test/sidebar-integration.test.ts spawns the browse server via `spawn(['bun', 'run', server.ts])` with BROWSE_HEADLESS_SKIP=1. The Bun-run-server.ts path is the same Playwright-on-Windows broken path that the windows-free-tests job intentionally avoids — the server-node.mjs route only kicks in for the compiled binary, not direct Bun runs of the TypeScript source. Added a BROWSE_HEADLESS_SKIP / spawn-bun-run pattern. Curated Windows subset: 72 → 73 tests (~57% of free suite). Net up by 1 because the tightened bin pattern released one test that was a false positive in the loose `path\\.join` form. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): broaden bin/ pattern to match path.join(ROOT, 'bin') Round 6. Round 5 tightened the bin/ pattern to require a script-name segment after 'bin', which inadvertently released test/brain-sync.test.ts that uses: const BIN = path.join(ROOT, 'bin'); const full = bin.startsWith('/') ? bin : path.join(BIN, bin); The 'bin' segment is the LAST argument to path.join — there's no literal script name to match. The earlier looser pattern caught this; round 5 broke that. Fix: revert to `,\\s*['"]bin['"]\\s*[,)]` which matches both forms: - `, 'bin', 'script-name')` (path.join with name) — typical - `, 'bin')` (path.join ending at bin) — brain-sync style Curated subset: 73 → 66 tests (~52% of free suite). The 7 additional exclusions are all bin-script tests that were misclassified by the round-5 tightening. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(find-browse): guard main() with import.meta.main Round 7 of windows-free-tests fixes (and a genuine bug fix beyond Windows). browse/src/find-browse.ts called main() unconditionally at module load. main() calls process.exit(1) when no compiled `browse` binary exists at the known install paths. Any test that imports `locateBinary` from this module then exits the entire test process before any tests run. This affected the windows-free-tests CI lane because the runner intentionally doesn't compile the browse binary (only server-node.mjs is built — full binary compilation is slow and not needed for the curated subset). It would also affect any Mac/Linux contributor who runs tests in a fresh checkout before running ./setup, though the symptom is rarer there. Fix: wrap `main()` in `if (import.meta.main) { main() }`. The CLI invocation (via the find-browse binary or `bun run browse/src/find-browse.ts`) still runs main() and emits the path. Imports get only the named exports. Verified locally: - `bun run browse/src/find-browse.ts` still prints the binary path. - `import { locateBinary } from '...'` no longer exits the process. - `bun test browse/test/find-browse.test.ts` passes 4/4 (was crashing at module load). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): pin LF on extensionless executables (setup, bin/*, scripts/*) Round 8 of windows-free-tests fixes. Round 7 cleared find-browse + most shards; one fail left in shard 7: test/setup-codesign.test.ts > codesign shell snippet is syntactically valid expect(received).toBeTruthy() — match was null The test extracts a bash codesign block from the `setup` file via a \\n-anchored regex, then syntax-checks it with `bash -n`. On Windows the regex returned null because the `setup` file was checked out with CRLF endings — my round-2 .gitattributes only covered files matched by extension patterns (*.md, *.sh, *.ts) and `setup` is extensionless. Fix: extend .gitattributes with explicit rules for extensionless executables: setup text eol=lf bin/* text eol=lf **/scripts/* text eol=lf This also LF-pins all the bash bin/ scripts (gstack-paths, gstack-slug, gstack-codex-probe, ...) which would otherwise break with "bad interpreter" errors on Linux if a Windows contributor accidentally committed CRLF versions. Defense in depth. Verified locally: `git check-attr eol setup bin/gstack-paths` reports `eol: lf` for both. Renormalized via `git add --renormalize` so any already-LF files in the repo stay LF after the .gitattributes change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): gen:skill-docs in workflow + known-bad list for env-specific tests Round 9 of windows-free-tests fixes. Round 8 cleared shard 7; shard 8 surfaced 4 fails: 1+2. test/gen-skill-docs.test.ts golden-file regression for Codex + Factory ship skills failed with ENOENT on `.agents/skills/gstack-ship/SKILL.md` and `.factory/skills/gstack-ship/SKILL.md`. These are gitignored gen-skill-docs outputs that the Mac/Linux CI workflows already regenerate elsewhere — the windows-free-tests lane never did. Fix: add `bun run gen:skill-docs --host all` step to windows-free-tests.yml after `bun install`. 3. test/host-config.test.ts:377 "detect finds claude" asserts the `claude` binary is on PATH. True when running inside Claude Code; false on a bare CI runner. 4. browse/test/findport.test.ts:117 asserts Bun.serve.stop() is fire-and-forget (returns undefined). Bun's Windows behavior for this polyfill differs; the assertion is Bun-on-non-Windows-specific. Both 3 and 4 are environment/runtime-specific failures that don't fit a regex pattern. Added a KNOWN_WINDOWS_INCOMPATIBLE explicit list to scripts/test-free-shards.ts so they're curated by exact path, with a reason string. The list is for cases where pattern matching can't infer the failure shape from the source file alone. Curated subset: 66 → 64 tests (~50% of free suite). 14 unit tests in test/test-free-shards.test.ts still pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): curate pre-existing breakage from v1.14.0.0 sidebar refactor Round 10 of windows-free-tests fixes. Round 9 cleared shards 7+8; shard 9 surfaced ENOENT for browse/src/sidebar-agent.ts. That file was DELETED in v1.14.0.0 (sidebar REPL refactor — sidebar-agent.ts and the chat queue path were ripped in favor of the interactive xterm.js PTY). 10 security tests still reference it via top-level fs.readFileSync and fail on import. Verified locally: `bun test browse/test/security-source-contracts.test.ts` on this branch reports 0 pass, 1 fail, 1 error. Mac/Linux CI exits 0 because Bun reports module-load failures as "error" not "fail" and the exit code is 0; Windows CI exits 1 (stricter). Same pre-existing breakage on every platform — just only visible in shard 9 of the Windows lane. Fix: add WINDOWS_FRAGILE_PATTERNS entry matching `sidebar-agent.ts` / `src/sidebar-agent` references. Curates browse/test/sidebar-ux.test.ts (other 9 likely caught by paid-eval filter or earlier patterns). Tracked as a follow-up TODO: update or delete the 10 security tests that reference deleted source. Out of scope for v1.20.0.0 portability wave. Curated subset: 64 → 63 tests (~49% of free suite). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows-ci): broaden sidebar-agent.ts pattern to catch all references * fix(windows-ci): catch ./bin/<name> direct path spawns * fix(windows-ci): scope Windows job to v1.20.0.0 new portability work 12 rounds of curation revealed that gstack has a long tail of tests with environment-specific assumptions (POSIX paths, /tmp, mode bits, bash spawns, deleted v1.14 sidebar refs, HOME=unset guards, Bun polyfill specifics). Each round of pattern-matching curation caught 1-2 new buckets but kept surfacing more. Honest scope for v1.20.0.0: this PR delivers two new portability primitives (bin/gstack-paths + browse/src/claude-bin.ts). The Windows CI job should verify those primitives work on Windows. Full-suite Windows parity is a P4 follow-up that requires touching many tests that aren't part of this PR's scope. Change: windows-free-tests.yml now runs: bun test test/gstack-paths.test.ts \\ browse/test/claude-bin.test.ts \\ test/test-free-shards.test.ts That's 31 tests targeting exactly the new code paths shipped here. The release-note headline ("curated Windows lane added") becomes truthful when this passes — we have a real Windows CI gate on the new portability work, not a rebadged failure-tolerant attempt at the full suite. Retained: scripts/test-free-shards.ts curation logic (informational output via `--list`, useful for future expansion of the Windows lane when contributors port specific tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(test): invoke bin/gstack-paths via bash (Windows shebang fix) Round 13 of windows-free-tests fixes. Round 12 (scope pivot) revealed all 8 gstack-paths tests fail on Windows because the test invokes the bash shebang script directly: spawnSync(BIN, []) # BIN = path.join(ROOT, 'bin', 'gstack-paths') Windows CreateProcess can't parse `#!/usr/bin/env bash` from the file. The script never runs on Windows via this invocation path. Fix: change to `spawnSync('bash', [BIN], ...)`. This matches production usage — the script is sourced from inside skill bash blocks via `eval "$(~/.claude/skills/gstack/bin/gstack-paths)"`, where bash is always the executor. Mac/Linux behavior is identical (bash invocation of a bash script). Verified locally: 8/8 tests still pass on macOS. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(release): rebump v1.20.0.0 → v1.22.0.0 (queue drift) Version-gate workflow rejected v1.20.0.0 because the queue moved during the windows-free-tests fix loop: v1.16.0.0 → garrytan/gbrowser-unleashed (PR garrytan#1253) [new since last bump] v1.17.0.0 → garrytan/setup-gbrain-run (PR garrytan#1234) v1.19.0.0 → garrytan/browserharness (PR garrytan#1233) v1.21.1.0 → garrytan/pty-plan-mode-e2e (PR garrytan#1255) [new since last bump] Two new sibling PRs landed slot claims while we iterated on Windows. Next free MINOR slot is v1.22.0.0. Updated VERSION, package.json, CHANGELOG header + body. Also pushing the round-13 windows-fix in parallel (test invokes bin/gstack-paths via bash to handle Windows shebang). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(test): clear USERPROFILE alongside HOME (Git Bash auto-populates HOME) Final Windows fix. 29/31 pass; 2 fail in gstack-paths HOME-unset tests: (fail) CWD fallback when HOME also unset (container env) (fail) PLAN_ROOT chain: GSTACK_PLAN_DIR > CLAUDE_PLANS_DIR > HOME > CWD Root cause: Git Bash on Windows auto-populates `HOME` from `USERPROFILE` at shell startup if HOME is empty/unset. Passing `HOME: ''` to spawnSync does set HOME='' for the child, but Git Bash overwrites it from USERPROFILE during init, so the script sees `${HOME:-}` as non-empty (C:\\Users\\runneradmin) and never reaches the CWD-fallback branch. Fix: clear USERPROFILE='' too. On Linux/Mac it's a no-op (env var doesn't exist in normal env); on Windows Git Bash it stops the HOME auto-populate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(test): skip HOME-unset assertions on Windows (Git Bash auto-populates) 29/31 → 31/31 expected on Windows. Final fix: The 2 still-failing gstack-paths tests assert CWD-fallback behavior when HOME is genuinely unset (Linux container scenario). On Windows Git Bash, HOME gets auto-derived from USERPROFILE → HOMEDRIVE+HOMEPATH → /c/Users/<user> during shell startup. Clearing all three of those env vars in the spawn still results in HOME being non-empty by the time the script runs. The bash script's CWD-fallback logic IS correct — it just isn't exercisable through the Git Bash test surface. Skip those specific assertions on Windows; they continue to verify on Linux/Mac. This is the only platform-specific test guard introduced; it's narrowly scoped to the unreachable code path, not a bypass of the real check. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ve is disallowed (garrytan#1287) * test(harness): plumb extraArgs and auto_decided outcome through PTY runner runPlanSkillObservation now accepts extraArgs that pass through to launchClaudePty (which already supported them at the lower level), and exposes a new 'auto_decided' outcome detected via isAutoDecidedVisible when the AUTO_DECIDE preamble template fires (Auto-decided ... (your preference)). Both pieces are needed for the v1.21+ AskUserQuestion-blocked regression tests in the next commit. Detection order is deliberate: 'asked' (rendered numbered list) wins over 'auto_decided' (text only, no list), which wins over 'plan_ready' so the auto-decide evidence isn't masked by a downstream plan-mode confirmation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(e2e): add AskUserQuestion-blocked regression cases for 6 plan-mode skills Conductor launches Claude Code with --disallowedTools AskUserQuestion --permission-mode default --permission-prompt-tool stdio (verified by inspecting the live conductor claude process via ps -p ... -o args=). Native AskUserQuestion is removed from the model's tool registry; without fallback guidance the plan-mode skills (plan-ceo-review, plan-eng-review, plan-design-review, plan-devex-review, autoplan, office-hours) silently proceed and never surface decisions to the user. Adds 6 gate-tier real-PTY regression cases: - 4 inline test cases inside the existing plan-X-review-plan-mode.test files, each exercising the same skill with extraArgs ['--disallowedTools', 'AskUserQuestion'] and asserting outcome === 'asked'. plan-design-review keeps the ['asked', 'plan_ready'] envelope (legitimate short-circuit on no-UI-scope) but explicitly fails on 'auto_decided'. - 2 standalone test files for autoplan + office-hours (which had no prior plan-mode test). autoplan asserts the FIRST non-auto-decided gate fires (Phase 1 premise confirmation) — autoplan auto-decides intermediate questions BY DESIGN. Touchfile entries: - autoplan-auto-mode + office-hours-auto-mode added to E2E_TOUCHFILES + E2E_TIERS (gate) - existing plan-X-review-plan-mode entries gain question-tuning.ts and generate-ask-user-format.ts touchfile deps so AUTO_DECIDE-related resolver changes correctly invalidate the regression tests - touchfiles.test.ts count updated 18 -> 19 to cover the autoplan touchfile dependency on plan-ceo-review/** Filenames retain `auto-mode` for branch-history continuity. Auto-mode (the AUTO_DECIDE preamble path when QUESTION_TUNING=true) is a related but distinct silencing mechanism; both share the same fix surface in the preamble. These tests are expected to FAIL on this branch until the fix lands. The failure is the receipt for the regression. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(preamble): teach the model to prefer mcp__*__AskUserQuestion when registered When a host launches Claude Code with --disallowedTools AskUserQuestion (Conductor does this by default — verified via ps on the live conductor claude process), the native AskUserQuestion tool is removed from the model's tool registry. Skill templates that say "call AskUserQuestion" silently fail in that environment: the model can't ask, the user never sees the question, the skill auto-proceeds without input. The fix is preamble guidance, not a skill-template change: generate-ask-user-format.ts: new "Tool resolution" section at the top of the AskUserQuestion Format block. Tells the model that "AskUserQuestion" can resolve to two tools at runtime — the host MCP variant (e.g. mcp__conductor__AskUserQuestion, registered when the host injects it) and the native tool — and to PREFER any mcp__*__AskUserQuestion variant. Same questions/options shape; same decision-brief format. If neither variant is callable, fall back to writing a "## Decisions to confirm" section into the plan file plus ExitPlanMode (the native plan-mode confirmation surfaces it). Never silently auto-decide. generate-completion-status.ts: the plan-mode-info block (preamble position 1) now explicitly notes that AskUserQuestion satisfies plan mode's end-of-turn requirement for "any variant" and points at the Tool resolution section for the fallback path. This puts the resolution rule in front of every tier-≥2 skill via the preamble, so plan-mode review skills (plan-ceo-review, plan-eng-review, plan-design-review, plan-devex-review, autoplan, office-hours) all gain the fix without per-template surgery. Includes regenerated SKILL.md files for all 41 skills + the 3 host-ship golden fixtures used by test/host-config.test.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(periodic): AUTO_DECIDE opt-in preserved under Conductor flags Periodic-tier eval that exercises the legitimate /plan-tune AUTO_DECIDE path under the same flags Conductor uses (--disallowedTools AskUserQuestion). Confirms the new Tool resolution preamble doesn't trip opt-in users: when the user has set a never-ask preference for a question, the model should auto-pick (outcome 'auto_decided' or 'plan_ready') rather than surface the prompt. Setup runs in an isolated GSTACK_HOME tmpdir — never touches the user's real ~/.gstack state. Writes question_tuning=true + a never-ask preference for plan-ceo-review-mode (source: 'plan-tune', which bypasses the inline-user origin gate). Spawns claude with --disallowedTools AskUserQuestion in plan mode, runs /plan-ceo-review, asserts outcome is NOT 'asked' (i.e., the model honored the preference). Periodic tier because AUTO_DECIDE behavior depends on the model adhering to the QUESTION_TUNING preamble injection — non-deterministic, weekly cron is the right cadence rather than CI gating. Touchfiles cover the AUTO_DECIDE-bearing resolvers + the question-tuning binaries the test setup invokes. touchfiles.test.ts count updates 19 -> 20 because auto-decide-preserved also depends on plan-ceo-review/**. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v1.21.0.0: AskUserQuestion resolves to host MCP variant when native is disallowed MINOR scale per scale-aware bumps in CLAUDE.md: substantial coordinated multi-file change (preamble fix + new test infrastructure + 6 gate-tier regression cases + 1 periodic eval) and a user-visible regression fix that affects every plan-mode review skill running under Conductor's default flag set. User originally targeted v1.21.2.0; landing as v1.21.0.0 since this is the first 1.21.x release on main and there's no prior 1.21.0.0/1.21.1.0 to skip past. Adjust at /ship time if a different number is preferred. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): fix detection order + whitespace-tolerant pattern matching Two bugs surfaced when validating the v1.21 fix end-to-end: 1. PlanSkillObservation outcome detection ran 'asked' (any numbered options list) BEFORE 'plan_ready'. Plan-mode's "Ready to execute?" confirmation IS a numbered options list (1=auto, 2=manual, ...), so any skill that successfully reached the native confirmation got misclassified as 'asked'. Reorder: 'auto_decided' (most specific, requires AUTO_DECIDE annotation) > 'plan_ready' (next, requires the "ready to execute" stem) > 'asked' (any remaining numbered list). 2. isPlanReadyVisible and isAutoDecidedVisible regexes only matched spaced forms ("ready to execute", "(your preference)"). stripAnsi removes cursor-positioning escapes (`\x1b[40C`) entirely instead of replacing them with spaces, so the same text can render as "readytoexecute" or "(yourpreference)". Both detectors now test the spaced form first, fall through to a whitespace-collapsed comparison. Inline unit smoke confirms both forms match. Updates to the 5 strict 'asked' regression test cases (plan-ceo, plan-eng, plan-devex, autoplan, office-hours): with the detection order corrected, the model's plan-file fallback flow legitimately lands at 'plan_ready' instead of 'asked'. Pass envelope expanded to ['asked', 'plan_ready'] (matching plan-design-review's existing pattern). Failure signals tightened to include 'auto_decided' (catches AUTO_DECIDE without opt-in) plus the standard silent_write/exited/timeout. plan-design was already on this contract from v1.21's first commit, no change needed. The expanded envelope is correct: under --disallowedTools AskUserQuestion the Tool resolution preamble routes the question through plan-mode's native "Ready to execute?" surface — the user still sees the decision, just via the plan-file flow rather than a numbered prompt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): require ## Decisions section under --disallowedTools plan_ready Adversarial review (during /ship Step 11) found that the previous gate-test envelope ['asked', 'plan_ready'] for the AskUserQuestion-blocked regression cases accepted the bug they exist to catch: a model that silently skips Step 0 entirely (writes a plan with no questions, no `## Decisions to confirm` section, just ExitPlanModes) reaches plan_ready and passes. The fix tightens the contract in two layers: 1. Harness: PlanSkillObservation gains a `planFile?: string` field populated when outcome is plan_ready. extractPlanFilePath() walks the visible TTY buffer for "Plan saved to:", "Plan file:", or ".claude/plans/<name>.md" patterns and resolves tilde to absolute. planFileHasDecisionsSection() reads the resolved file and returns true if it contains a `## Decisions` heading (any form: "to confirm", "needed", etc.). 2. Tests: 5 of 6 regression cases now require, when outcome is plan_ready, that obs.planFile is set AND planFileHasDecisionsSection returns true. Otherwise the test fails with a "Step 0 was silently skipped" diagnosis. plan-design-review remains the sole exception — it legitimately short-circuits to plan_ready on no-UI-scope branches and we have no deterministic way to distinguish that from a silent skip. This closes the loophole the adversarial review identified. The fix preamble flow already tells the model to write `## Decisions to confirm` when neither AUQ variant is callable — now the test verifies the model actually did it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(harness): anchor extractPlanFilePath path captures on /Users|~|/home|/var|/tmp Adversarial-tightened gate sweep surfaced a real bug in the path extraction: stripAnsi collapses whitespace via cursor-positioning escape removal, so "yet at /Users/..." in the visible buffer becomes "yetat/Users/..." with no space between. The previous fallback pattern `(~?\/?\S*\.claude\/plans\/[\w-]+\.md)` greedily matched non-whitespace characters BEFORE the path, producing `yetat/Users/garrytan/.claude/...` which then fails fs.readFileSync. Fix: every regex now requires the path to START at a known path-anchor: `~/`, `/Users/`, `/home/`, `/var/`, `/tmp/`, or `./`. Earlier non-whitespace runs can't be glommed in. Verified against the failing fixture (`yetat/Users/...`) plus the four canonical render forms ("Plan saved to:", "Plan file:", `·`-decorated ctrl-g hint, and the bare fallback). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-1-stale-branch-triage-gate' into feat/safer-stale-branch-handling-1-stale-branch-triage-gate # Conflicts: # CHANGELOG.md # VERSION # package.json # test/helpers/claude-pty-runner.ts # test/skill-e2e-plan-ceo-plan-mode.test.ts # test/touchfiles.test.ts
anbangr
deleted the
feat/safer-stale-branch-handling-1-stale-branch-triage-gate
branch
anbangr
added a commit
that referenced
this pull request
May 3, 2026
Three correctness gaps that made the script unsafe in real use: 1. The lock check was TOCTOU. readLockInfo() observed the lock state at line 27, mutation happened at line 58. A gstack-build process could acquire the lock in that window and start its own atomic temp+rename writes. Both processes would each load the pre-mutation plan, each rename their own variant, second writer wins, first writer's flips silently lost. Replace with acquireLock(slug) + try/finally releaseLock — O_EXCL is the only way to actually serialize against the orchestrator. 2. cli.ts:reconcileCommittedCheckboxes already has a phase-number guard for the plan-reordered-between-runs scenario. The standalone backfill script had the EXACT same failure mode but never received the guard. Mirror it: if state.phases[i].number disagrees with plan.phases[i].number, log a warning and skip rather than flip the wrong checkboxes. 3. The script accepted any <plan.md> <state.json> pair without verifying they describe the same plan. Passing a stale or mismatched pair (easy to do during recovery work) silently marked the wrong plan complete. Add an explicit equality check between path.resolve(state.planFile) and path.resolve(planFileArg); refuse to mutate on mismatch with both paths printed for diagnosis. Bonus hardening that came for free in the rewrite: try/catch around both fs.readFileSync and JSON.parse with hint about mid-write corruption (was an opaque V8 SyntaxError trace before). Ten tests in backfill-checkboxes.test.ts spawn the script as a process and exercise the actual CLI exit codes a user would observe: happy path, lock contention, lock release after success (idempotent re-run), reorder-mismatch warning, plan/state mismatch refusal, legacy state without planFile field accepted, malformed JSON diagnosed clearly, missing files diagnosed clearly, missing argv prints usage. Caught by /review post-landing pass: security S5, claude adversarial A5, codex adversarial #3/#4/#5. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR upgrades this fork of gstack from the fork base to upstream v1.25.0.0 while preserving the local fork behavior.
Upgrade + fork preservation
gstack-buildbehavior: recursive review, reviewsecondary, and QA fix loops stay in place./gstack-upgrademerge-based so future upstream upgrades merge into the fork instead of replacing it.Tooling + generated skills
gstack-paths, PR title rewriting, Windows-safe free-test sharding, Claude binary resolution, and build phase guardrails.VERSION,package.json, and the top changelog entry atv1.25.0.0.Test Coverage
Tests generated during /ship: 5375 -> 5375 (+0 new). Existing branch tests already cover the changed paths.
Pre-Landing Review
Pre-Landing Review: No issues found. Logged clean review via
/shipat HEAD.Design Review
No frontend files changed. Design review skipped.
Eval Results
No prompt-related app eval files changed. Evals skipped.
Scope Drift
Scope Check: CLEAN
Intent: upgrade the local fork to upstream gstack v1.25.0.0 while preserving fork customizations.
Delivered: upstream v1.25.0.0 merged, fork build/upgrade customizations preserved, generated skills/docs/tests verified.
Plan Completion
No implementation plan file detected for this branch. Plan completion audit skipped.
Verification Results
Plan verification skipped: no app dev server or implementation-plan verification section applies to this repo-only skill/tooling change.
TODOS
No TODO items were clearly completed by this PR;
TODOS.mdleft unchanged.Test plan
bun testexited 0.bun run skill:checkexited 0.bun run buildexited 0.git diff --checkexited 0.Generated with OpenAI Codex.