* fix(workstream): normalize migrate-name to valid slug
* docs(context): record workstream migrate-name slug invariant
* fix(catalog-cjs): balanced fallback for unknown profile (CR finding A)
profiles[profile] could return undefined for any profile key absent from
the catalog entry, causing downstream callers like formatAgentToModelMapAsTable
to crash on .length. Add ?? profiles.balanced fallback to match the SDK adapter.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(sdk): anchor path resolution on import.meta.url not cwd (CR finding B)
resolve(process.cwd(), '..') breaks when Vitest is invoked from the repo root
because cwd is already the repo root and '..' goes one level above. Replace
with a file-relative path using fileURLToPath(new URL('../../../', import.meta.url))
anchored at the test file's location (sdk/src/query/).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: derive Group B runtime list from catalog (CR finding C)
Hardcoded ['kilo', 'cline', ...] throws TypeError if a runtime name is
removed from the catalog. Derive group B dynamically via
Object.keys(catalog.runtimeTierDefaults).filter(r => !r.opus) so the
test never goes stale and auto-covers future Group B additions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(workflow): add hermes to Step B runtime options (CR finding D)
hermes appears in the Group A built-in defaults table but was missing from
the AskUserQuestion options in Step B, forcing users to manually type it via
'Other (Group B or custom)'. Add explicit hermes entry for UI consistency.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(config): refresh dynamic_routing tier table; fix stale L671 (findings E+F)
Finding E: tier table was missing 6 heavy-tier agents and 15 standard/light
agents added by this PR. Updated all three rows to match catalog routingTier
assignments (33 agents total).
Finding F: removed stale '18 of 31' claim and agent enumeration; replaced
with accurate note that all 33 agents have explicit catalog entries. Updated
authoritative source pointers to model-catalog.cjs / model-catalog.ts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(core): add profile-fallback unit tests for quality and budget (CR nitpick G)
The PR introduced quality→opus and budget→haiku unknown-agent fallbacks but
only balanced→sonnet and inherit→inherit were tested. Add two tests covering
the remaining two branches to complete coverage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* adr: define planning workspace and worktree seam
* refactor(worktree): extract worktree safety policy module
* refactor(workstream): extract active workstream pointer store seam
* test(worktree): cover policy branch paths and persist seam guardrails
* refactor(worktree): centralize health inventory seam for W017
* fix(workspace): align SDK project path policy with CJS planningDir
* refactor(query): unify SDK planning path projection seam
* refactor(init): route workspace projection through planningPaths seam
* docs(adr): add SDK architecture and planning path ADRs
* refactor(worktree): deepen name, pointer, inventory, and config seams
* docs(config): harmonize claude-opus-4-6 to 4-7 in resolve_model_ids example (CR finding 2)
* fix(sdk): return undefined for model_profile='inherit' sentinel (CR finding 3)
* docs(adr): renumber conflicting 0003-sdk-package-seam-module to 0007, update seam-map reference (CR finding 4)
* fix(workstream): align CJS and SDK name validation to accept dots, guard path traversal via includes('..') (CR finding 5)
* fix(sdk): guard writeActiveWorkstream against non-existent workstream directory, k014/k031 parity (CR finding 6)
* chore(changeset): add #3269 changeset (CR finding 1 — proper changeset for this PR)
* docs(inventory): register 3 new CLI modules in INVENTORY.md/MANIFEST (active-workstream-store, workstream-name-policy, worktree-safety)
* fix(sdk): use relPlanningPath(workstream) in planningPaths, fix setActiveWorkstream/getActiveWorkstream name errors in workstream.ts
* fix(sdk): validate GSD_WORKSTREAM in planningPaths before use (#3269 regression)
planningPaths() called resolveWorkspaceContext() which returned GSD_WORKSTREAM
raw (no validation). An invalid value like '../evil' was used as effectiveWorkstream,
constructing a bad path; roadmapAnalyze() caught the ENOENT and returned a
no-phase_count error object instead of the root ROADMAP result.
Fix: validate envCtx.workstream with validateWorkstreamName() in planningPaths()
before accepting it as effectiveWorkstream. Invalid env → null → root .planning/
fallback, preserving the bug-2791 contract: invalid GSD_WORKSTREAM is silently
ignored and falls back to the root context (phase_count: 0 for empty root ROADMAP).
The bug-2791 regression test now passes. No other call sites read GSD_WORKSTREAM
without validation: query-runtime-context.ts already validates; cli.ts already
validates; context-engine.ts takes a caller-validated workstream parameter.
Closes#3268 (regression introduced by #3269 workstream-name-policy work).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(adr): add ADR-0003 model catalog module
* fix(#3229): add shared model catalog as source of truth for agent profiles and runtime tier defaults
Research / design (ADR-0003):
- Existing drift came from 4 independent model truths:
1. CJS model-profiles.cjs
2. SDK config-query.ts stale copy (18 agents)
3. settings-advanced.md runtime tier table
4. session-runner Claude-only profile map
- New design: one machine-readable Model Catalog Module in sdk/shared/
that both packages ship and consume.
Implementation:
- sdk/shared/model-catalog.json — canonical source of truth for:
- full 33-agent registry
- per-agent golden (quality) alias + balanced/budget aliases
- adaptive derivation from routingTier
- agent→phaseType map
- agent→dynamic-routing default tier map
- runtime tier defaults for all supported runtimes
- get-shit-done/bin/lib/model-catalog.cjs — CJS adapter over the catalog
- sdk/src/model-catalog.ts — SDK adapter over the same catalog
- CJS model-profiles.cjs now re-exports derived data from model-catalog.cjs
- SDK config-query.ts now re-exports MODEL_PROFILES/VALID_PROFILES from
model-catalog.ts instead of maintaining its own list
- sdk/src/query/helpers.ts runtime list now comes from the catalog (fixes hermes drift)
- sdk/src/session-runner.ts Claude profile→model-id mapping now resolves via catalog
- docs/CONFIGURATION.md + settings-advanced.md runtime tables updated to match catalog
Behavior changes:
- resolve-model now covers every shipped agent file on disk (33 agents)
- unknown-agent fallback is profile-semantic, not hardcoded sonnet:
quality→opus, budget→haiku, balanced/adaptive→sonnet, inherit→inherit
- Group B runtimes remain known runtimes but do not get built-in tier defaults
Tests (RED→GREEN):
- root tests: shipped agent files must equal MODEL_PROFILES keys
- sdk tests: shipped agent files must equal MODEL_PROFILES keys
- direct fix assertion: gsd-code-reviewer resolves to opus under quality with no unknown_agent
- runtime defaults parity test: settings-advanced.md + CONFIGURATION.md tables must match catalog
- helper tests: hermes included in SUPPORTED_RUNTIMES and getRuntimeConfigDir()
Closes#3229
* chore(changeset): update #3229 changeset pr field to 3230
* fix(ci): update inherit fallback expectations and inventory parity for model catalog
* Deepen SDK package seam and converge runtime skills policy
* fix(sdk): unified install-root resolution for workflows and agents (CR finding 1)
Use the already-resolved gsdInstallDir constant instead of calling
resolveLegacyInstallDir() again when computing agentsDir, ensuring
workflowsDir and agentsDir share the same install root.
* fix(sdk): tilde shortening requires path-boundary match (CR finding 2)
Both renderGlobalSkillsBaseDisplayPath and renderGlobalSkillDisplayPath
used startsWith(home) which could incorrectly shorten unrelated paths
sharing the same prefix. Now checks for home === base or
base.startsWith(home + sep) to ensure a real directory boundary.
* fix(sdk): validate loadConfig export before invocation (CR finding 3)
After requiring core.cjs, check typeof mod.loadConfig === 'function'
before calling it. Throws a classified GSDError with the module path
if the export is missing, rather than a generic TypeError.
* fix(test): guard root lookup before .path dereference (CR finding 4)
Added assert.ok() guards for claudeRoot and codexRoot after the .find()
calls so that a missing root produces an explicit assertion failure
rather than a TypeError on .path dereference.
* fix(ci): fail-safe on transient API errors in approval dismissal (CR finding 6)
resolveRole() returns 'unknown' for non-404 errors (rate limits, 5xx,
network blips). shouldDismissReviewer() now treats 'unknown' as
unresolvable and skips dismissal, preventing legitimate approvals from
being dismissed due to a transient API failure. Only 'none' (true 404)
is treated as a confirmed non-collaborator.
* changeset: pr=3238 SDK package seam and runtime skills convergence
* fix(sdk): harden resolveGlobalSkillDir against path traversal (CR finding 1)
Use resolve+relative to validate that skillName cannot escape the global
skills base directory. Values like "../../foo" or absolute paths now
return null instead of joining directly. All imports (resolve, relative,
isAbsolute) were already present in helpers.ts.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(sdk): split skill-dir-resolution and skill-not-found warnings (CR finding 2)
After resolveGlobalSkillDir's hardening can return null for traversal
attempts, the old single-branch warning "Global skill not found at ..."
was misleading. Split into two distinct cases:
- skillDir === null → "Could not resolve global skill directory for ..."
- skillMd missing → "Global skill not found at ..."
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test: lock skill path-traversal rejection in resolveGlobalSkillDir
Regression test verifying that traversal segments (../../foo, ../escape),
empty string, and absolute paths are all rejected (return null), while
a legitimate skill name resolves correctly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(sdk): align display-path contract + traversal coverage for resolveGlobalSkillMarkdownPath (CR nitpicks)
- renderGlobalSkillsBaseDisplayPath now returns a non-null string for
unsupported runtimes (e.g. cline → "(cline does not use a skills directory)")
matching the existing renderGlobalSkillDisplayPath contract; callers
of both helpers no longer need null-checks for unsupported runtimes.
- Remove now-redundant ! non-null assertion on renderGlobalSkillsBaseDisplayPath
calls in skill-manifest.ts (return type is string, not string | null).
- Extend the path-traversal test block to assert resolveGlobalSkillMarkdownPath
also propagates null for ../../foo, ../escape, empty, and /abs/path inputs,
locking the null-propagation contract against future refactors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
MAJOR (security/correctness):
- commands/gsd/debug.md: add Write to allowed-tools (session file creation
requires it — workflow explicitly says 'use Write tool, never heredoc')
- workflows/debug.md: add SLUG sanitization guard to steps 1b+1c (status/
continue subcommands used raw user input in file paths — path traversal)
- workflows/thread.md: sanitize $ARGUMENTS in RESUME mode before file path
construction (was bypassing the sanitization guard in CLOSE/STATUS modes)
MINOR (consistency/correctness):
- docs/INVENTORY-MANIFEST.json: remove stale top-level 'workflows' array
(duplicate of families.workflows introduced in earlier update)
- commands/gsd/resume-work.md: normalize process to 'Execute end-to-end.'
- commands/gsd/settings.md: normalize process to 'Execute end-to-end.'
- commands/gsd/update.md: normalize otherwise branch to 'execute end-to-end.'
- docs/adr/0002: add Status: Accepted + Date header (ADR convention)
- workflows/extract-learnings.md: rename step extract_learnings → extract-learnings
- tests/extract-learnings.test.cjs: tighten step-name assertion to exact name
ARCHITECTURE:
- scripts/command-contract-helpers.cjs: extract CANONICAL_TOOLS, parseFrontmatter,
executionContextRefs as shared module — single source of truth consumed by
both lint script and test suite (prevents silent lint/test disagreement)
- scripts/lint-command-contract.cjs: require() helpers instead of duplicating
- tests/command-contract.test.cjs: require() helpers; move readFileSync calls
inside test() callbacks (registration-time throws surface as named failures)
