Add CI security pipeline to catch prompt injection attacks, base64-obfuscated
payloads, leaked secrets, and .planning/ directory commits in PRs.
This is critical for get-shit-done because the entire codebase is markdown
prompts — a prompt injection in a workflow file IS the attack surface.
New files:
- scripts/prompt-injection-scan.sh: scans for instruction override, role
manipulation, system boundary injection, DAN/jailbreak, and tool call
injection patterns in changed files
- scripts/base64-scan.sh: extracts base64 blobs >= 40 chars, decodes them,
and checks decoded content against injection patterns (skips data URIs
and binary content)
- scripts/secret-scan.sh: detects AWS keys, OpenAI/Anthropic keys, GitHub
PATs, Stripe keys, private key headers, and generic credential patterns
- .github/workflows/security-scan.yml: runs all three scans plus a
.planning/ directory check on every PR
- .base64scanignore / .secretscanignore: per-repo false positive allowlists
- tests/security-scan.test.cjs: 51 tests covering script existence,
pattern matching, false positive avoidance, and workflow structure
All scripts support --diff (CI), --file, and --dir modes. Cross-platform
(macOS + Linux). SHA-pinned actions. Environment variables used for
github context in run blocks (no direct interpolation).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The original PR (#1337) used \Z in a JavaScript regex, which is a
Perl/Python/Ruby anchor — JavaScript interprets it as a literal match
for the character 'Z', silently truncating expected text containing
that letter. Replace with a two-pass approach: try next-key lookahead
first, fall back to greedy match to end-of-string.
Also remove the redundant `to=all:` pattern in sanitizeForDisplay()
since it is a subset of the existing `to=[^:\s]+:` pattern.
Add regression tests proving the Z-truncation bug and verifying
expected blocks at end-of-section parse correctly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add validateHookFields() that strips invalid hook entries before they
cause Claude Code's Zod schema to silently discard the entire
settings.json file. Agent hooks require "prompt", command hooks require
"command", and entries without a valid hooks sub-array are removed.
Uses a clean two-pass approach: first validate and build new arrays
(no mutation inside filter predicates), then collect-and-delete empty
event keys (no delete during Object.keys iteration). Result entries
are shallow copies so the original input objects are never mutated.
Includes 24 tests covering passthrough, removal, structural invalidity,
empty cleanup, mutation safety, unknown types, and iteration safety.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two fixes for Codex config.toml compatibility:
1. ensureCodexHooksFeature: insert [features] before the first table header
instead of prepending it before all content. Prepending traps bare
top-level keys (model, model_reasoning_effort) under [features], where
Codex rejects them with "invalid type: string, expected a boolean".
2. generateCodexConfigBlock: use absolute config_file paths when targetDir
is provided. Codex ≥0.116 requires AbsolutePathBuf and cannot resolve
relative "agents/..." paths, failing with "AbsolutePathBuf deserialized
without a base path".
Fixes#1202
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address 4 root causes of Windows + Claude Code reliability issues:
1. Workflow shell robustness: add || true guards to informational commands
(ls, grep, find, cat) that return non-zero on "no results", preventing
workflow step failures under strict execution models. Guard glob loops
with [ -e "$var" ] || continue to handle empty glob expansion.
2. Hook stdin handling: replace readFileSync('/dev/stdin') with async
process.stdin + timeout in agent templates (gsd-verifier.md). Existing
JS hooks already have timeout guards.
3. project_root detection: fix isInsideGitRepo() to check .git at the
candidate parent level (not just below it), enabling correct detection
when .git and .planning/ are siblings at the same directory level —
the common single-repo case from a subdirectory.
4. @file: handoff: add missing @file: handlers to autonomous.md and
manager.md workflows that call gsd-tools init but lacked the handler
for large output payloads.
Fixes#1343
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The map-codebase workflow was refactored to remove the explicit
"Runtimes with Task tool" line in favor of inline detection instructions.
Updated test to match the new workflow structure by checking the
"NOT available" condition line instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Worktree agents (gsd-executor, gsd-debugger) prompt for edit permissions
on every new directory they touch, even when the user has "accept edits"
enabled. This is caused by Claude Code's directory-scoped permission
model not propagating to worktree paths.
Setting permissionMode: acceptEdits in the agent frontmatter tells Claude
Code to auto-approve file edits for these agents, bypassing the per-
directory prompts. This is safe because these agents are already granted
Write/Edit in their tools list and are spawned in isolated worktrees.
- Add permissionMode: acceptEdits to gsd-executor.md frontmatter
- Add permissionMode: acceptEdits to gsd-debugger.md frontmatter
- Add regression tests verifying worktree agents have the field
- Add test ensuring all isolation="worktree" spawns are covered
Upstream: anthropics/claude-code#29110, anthropics/claude-code#28041
Fixes#1334
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds full Windsurf (by Codeium) runtime integration, following the same
pattern as the existing Cursor support. Windsurf uses .windsurf/ for
local config and ~/.windsurf/ for global config, with skills in
.windsurf/skills/ using the SKILL.md structure.
What:
- CLI flag --windsurf and interactive prompt option (8)
- Directory mapping (.windsurf local, ~/.windsurf global)
- Content converter functions (tool names, path replacements, brand refs)
- Skill copy function (copyCommandsAsWindsurfSkills)
- Agent conversion (convertClaudeAgentToWindsurfAgent)
- Install/uninstall branches
- Banner, help text, and issue template updates
- Windsurf conversion test suite (windsurf-conversion.test.cjs)
- Updated multi-runtime selection tests for 8 runtimes
Closes#1336
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The code/package detection in cmdInitNewProject only recognized 7 file
extensions and 5 package files, missing Android (Kotlin + Gradle), Flutter
(Dart + pubspec.yaml), C/C++, C#, Ruby, PHP, Scala, and others. This caused
new-project to treat brownfield projects in those ecosystems as greenfield,
skipping the codebase mapping step.
Added 18 code extensions and 11 package/build files to the detection lists.
Fixes#1325
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
OpenCode has a `task` tool that supports spawning subagents, but
map-codebase workflow incorrectly listed it under "Runtimes WITHOUT
Task tool". This caused the agent to skip parallel mapping and fall
back to sequential mode, wasting tokens when it self-corrected.
Move OpenCode to the "with Task tool" list and clarify that either
`Task` or `task` (case-insensitive) qualifies. Add regression test.
Fixes#1316
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
On Windows CI, os.tmpdir() returns 8.3 short paths (C:\Users\RUNNER~1)
while git returns long paths (C:\Users\runneradmin). fs.realpathSync()
doesn't resolve DOS 8.3 names on NTFS — fs.realpathSync.native() does.
Added normalizePath() helper using realpathSync.native with fallback,
applied to all temp dir creation and path comparisons in the linked
worktree test suite.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The test tried to fs.readFileSync on config.json which doesn't exist
in createTempProject() fixtures. Now gracefully creates the config
from scratch when the file is missing.
Co-Authored-By: GhadiSaab <GhadiSaab@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`workflow.text_mode: true` (or `--text` flag) now applies to
plan-phase, not just discuss-phase. Fixes#1313.
Changes:
- `init plan-phase` now exposes `text_mode` from config in its JSON output
- plan-phase workflow parses `--text` flag and resolves TEXT_MODE from
init JSON or flag, whichever is set
- All four AskUserQuestion call sites (no-context gate, research prompt,
UI design contract gate, requirements coverage gap) now conditionally
present as plain-text numbered lists when TEXT_MODE is active
- `--text` added to plan-phase command argument-hint and flags docs
- Tests added for init output and workflow references
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Windows CI, fs.realpathSync returns the long path (runneradmin)
while git worktree list returns the 8.3 short path (RUNNER~1).
Apply fs.realpathSync to both sides of the assertion.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
resolveWorktreeRoot() unconditionally resolved linked worktrees to the main
repo root. When a linked worktree has its own independent .planning/ directory
(e.g., Conductor workspaces), all GSD commands read/wrote the wrong planning
state. Add an early return that checks for a local .planning/ before falling
through to main repo resolution.
The caller in gsd-tools.cjs already had this guard (added in #1283), but the
function itself should be correct regardless of call site. This is defense-in-
depth for any future callers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The hardcoded EXPECTED_SKILLS and EXPECTED_AGENTS constants broke CI
on every PR that added or removed a command/agent, because the count
drifted from the source directories. Every open PR based on the old
count would fail until manually updated.
Now computed at test time by counting .md files in commands/gsd/ and
agents/ directories — the same source the installer reads from. Adding
a new command automatically updates the expected count.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
