Adds a mandatory Hunk Verification Table output to Step 4 (columns: file,
hunk_id, signature_line, line_count, verified) and a new Step 5 gate that
STOPs with an actionable error if any row shows verified: no or the table
is absent. Prevents the LLM from silently bypassing post-merge checks by
making the next step structurally dependent on the table's presence and
content. Adds four regression tests covering table presence, column
requirements, Step 5 reference, and the gate condition.
Fixes#1999
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor(tests): standardize to node:assert/strict and t.after() per CONTRIBUTING.md
- Replace require('node:assert') with require('node:assert/strict') across
all 73 test files to enforce strict equality (no type coercion)
- Replace try/finally cleanup blocks with t.after() hooks in core.test.cjs
and hooks-opt-in.test.cjs per the test lifecycle standards
- Utility functions in codex-config and security-scan retain try/finally
as that is appropriate for per-function resource guards, not lifecycle hooks
Closes#1674
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* perf(tests): add --test-concurrency=4 to test runner for parallel file execution
Node.js --test-concurrency controls how many test files run as parallel child
processes. Set to 4 by default, configurable via TEST_CONCURRENCY env var.
Fixes tests at a known level rather than inheriting os.availableParallelism()
which varies across CI environments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(security): allowlist verify.test.cjs in prompt-injection scanner
tests/verify.test.cjs uses <human>...</human> as GSD phase task-type
XML (meaning "a human should verify this step"), which matches the
scanner's fake-message-boundary pattern for LLM APIs. This is a
false positive — add it to the allowlist alongside the other test files
that legitimately contain injection-adjacent patterns.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The reapply-patches workflow used a two-way comparison (user's backup vs
new version) which couldn't distinguish user customizations from version
drift. This caused 10/10 files to be misclassified as "no custom content"
in real-world usage, silently discarding user modifications.
Changes:
- Rewrite workflow with three-way merge strategy (pristine baseline vs
user-modified backup vs newly installed version)
- Add critical invariant: files in gsd-local-patches/ must NEVER be
classified as "no custom content" — they were backed up because the
installer's hash check detected modifications
- Add git-aware detection path using commit history when config dir is
a git repo
- Add pristine_hashes to backup-meta.json so the reapply workflow can
verify reconstructed baseline files
- Add from_manifest_timestamp to backup-meta.json for version tracking
- Conservative default: flag as CONFLICT when uncertain, not SKIP
Closes#1469
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
