feat: add list/status/resume/close subcommands to /gsd-quick and /gsd-thread (#2159)

* feat(2155): add list/status/resume subcommands and security hardening to /gsd-quick - Add SUBCMD routing (list/status/resume/run) before quick workflow delegation - LIST subcommand scans .planning/quick/ dirs, reads SUMMARY.md frontmatter status - STATUS subcommand shows plan description and current status for a slug - RESUME subcommand finds task by slug, prints context, then resumes quick workflow - Slug sanitization: only [a-z0-9-], max 60 chars, reject ".." and "/" - Directory name sanitization for display (strip non-printable + ANSI sequences) - Add security_notes section documenting all input handling guarantees * feat(2156): formalize thread status frontmatter, add list/close/status subcommands, remove heredoc injection risk - Replace heredoc (cat << 'EOF') with Write tool instruction — eliminates shell injection risk - Thread template now uses YAML frontmatter (slug, title, status, created, updated fields) - Add subcommand routing: list / list --open / list --resolved / close <slug> / status <slug> - LIST mode reads status from frontmatter, falls back to ## Status heading - CLOSE mode updates frontmatter status to resolved via frontmatter set, then commits - STATUS mode displays thread summary (title, status, goal, next steps) without spawning - RESUME mode updates status from open → in_progress via frontmatter set - Slug sanitization for close/status: only [a-z0-9-], max 60 chars, reject ".." and "/" - Add security_notes section documenting all input handling guarantees * test(2155,2156): add quick and thread session management tests - quick-session-management.test.cjs: verifies list/status/resume routing, slug sanitization, directory sanitization, frontmatter get usage, security_notes - thread-session-management.test.cjs: verifies list filters (--open/--resolved), close/status subcommands, no heredoc, frontmatter fields, Write tool usage, slug sanitization, security_notes
2026-04-25 17:25:23 +02:00 · 2026-04-12 10:05:17 -04:00
parent 1aa89b8ae2
commit 7b07dde150
4 changed files with 440 additions and 40 deletions
--- a/tests/thread-session-management.test.cjs
+++ b/tests/thread-session-management.test.cjs
@@ -0,0 +1,105 @@
+'use strict';
+
+const { describe, test } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('fs');
+const path = require('path');
+
+describe('thread session management (#2156)', () => {
+  const threadCmd = fs.readFileSync(
+    path.join(__dirname, '..', 'commands', 'gsd', 'thread.md'),
+    'utf8'
+  );
+
+  test('thread command has list subcommand with status filter', () => {
+    assert.ok(
+      threadCmd.includes('list --open') || threadCmd.includes('LIST-OPEN'),
+      'missing list --open filter'
+    );
+  });
+
+  test('thread command has close subcommand', () => {
+    assert.ok(
+      threadCmd.includes('CLOSE') || threadCmd.includes('close <slug>'),
+      'missing close subcommand'
+    );
+  });
+
+  test('thread command has status subcommand', () => {
+    assert.ok(
+      threadCmd.includes('STATUS') || threadCmd.includes('status <slug>'),
+      'missing status subcommand'
+    );
+  });
+
+  test('thread command does not use heredoc', () => {
+    assert.ok(
+      !threadCmd.includes("<< 'EOF'") && !threadCmd.includes('<< EOF'),
+      'thread command still uses heredoc — injection risk'
+    );
+  });
+
+  test('thread template includes frontmatter status field', () => {
+    assert.ok(
+      threadCmd.includes('status: open') || threadCmd.includes('status:'),
+      'thread template missing frontmatter status field'
+    );
+  });
+
+  test('thread command has security_notes section', () => {
+    assert.ok(threadCmd.includes('security_notes'), 'missing security_notes section');
+  });
+
+  test('thread command has slug sanitization', () => {
+    assert.ok(
+      threadCmd.includes('sanitiz') || threadCmd.includes('[a-z0-9'),
+      'missing slug sanitization'
+    );
+  });
+
+  test('thread command uses Write tool for file creation', () => {
+    assert.ok(
+      threadCmd.includes('Write tool'),
+      'thread create mode should use the Write tool instead of heredoc'
+    );
+  });
+
+  test('thread command list reads frontmatter status', () => {
+    assert.ok(
+      threadCmd.includes('frontmatter get'),
+      'list mode should read status via frontmatter get'
+    );
+  });
+
+  test('thread command close updates status to resolved', () => {
+    assert.ok(
+      threadCmd.includes('resolved'),
+      'close mode should set status to resolved'
+    );
+  });
+
+  test('thread command list shows resolved filter option', () => {
+    assert.ok(
+      threadCmd.includes('list --resolved') || threadCmd.includes('LIST-RESOLVED'),
+      'missing list --resolved filter'
+    );
+  });
+
+  test('thread command rejects slugs with path traversal', () => {
+    assert.ok(
+      threadCmd.includes('..') && threadCmd.includes('reject'),
+      'missing path traversal rejection for slugs'
+    );
+  });
+
+  test('thread create uses frontmatter with slug title status created updated fields', () => {
+    assert.ok(
+      threadCmd.includes('slug:') &&
+      threadCmd.includes('title:') &&
+      threadCmd.includes('status:') &&
+      threadCmd.includes('created:') &&
+      threadCmd.includes('updated:'),
+      'thread template missing required frontmatter fields'
+    );
+  });
+});