fix(config): add workflow.security_* keys to VALID_CONFIG_KEYS

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/release.yml

@@ -99,7 +99,8 @@ jobs:
         run: |
           git checkout -b "$BRANCH"
           npm version "$VERSION" --no-git-tag-version
-          git add package.json package-lock.json
+          cd sdk && npm version "$VERSION" --no-git-tag-version && cd ..
+          git add package.json package-lock.json sdk/package.json
           git commit -m "chore: bump version to ${VERSION} for release"
           git push origin "$BRANCH"
           echo "## Release branch created" >> "$GITHUB_STEP_SUMMARY"
@@ -174,6 +175,7 @@ jobs:
           PRE_VERSION: ${{ steps.prerelease.outputs.pre_version }}
         run: |
           npm version "$PRE_VERSION" --no-git-tag-version
+          cd sdk && npm version "$PRE_VERSION" --no-git-tag-version && cd ..
 
       - name: Install and test
         run: |
@@ -184,11 +186,16 @@ jobs:
         env:
           PRE_VERSION: ${{ steps.prerelease.outputs.pre_version }}
         run: |
-          git add package.json package-lock.json
+          git add package.json package-lock.json sdk/package.json
           git commit -m "chore: bump to ${PRE_VERSION}"
 
+      - name: Build SDK
+        run: cd sdk && npm ci && npm run build
+
       - name: Dry-run publish validation
-        run: npm publish --dry-run --tag next
+        run: |
+          npm publish --dry-run --tag next
+          cd sdk && npm publish --dry-run --tag next
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -217,6 +224,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
+      - name: Publish SDK to npm (next)
+        if: ${{ !inputs.dry_run }}
+        run: cd sdk && npm publish --provenance --access public --tag next
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - name: Create GitHub pre-release
         if: ${{ !inputs.dry_run }}
         env:
@@ -240,6 +253,12 @@ jobs:
             exit 1
           fi
           echo "✓ Verified: get-shit-done-cc@$PRE_VERSION is live on npm"
+          SDK_PUBLISHED=$(npm view @gsd-build/sdk@"$PRE_VERSION" version 2>/dev/null || echo "NOT_FOUND")
+          if [ "$SDK_PUBLISHED" != "$PRE_VERSION" ]; then
+            echo "::error::SDK version verification failed. Expected $PRE_VERSION, got $SDK_PUBLISHED"
+            exit 1
+          fi
+          echo "✓ Verified: @gsd-build/sdk@$PRE_VERSION is live on npm"
           # Also verify dist-tag
           NEXT_TAG=$(npm dist-tag ls get-shit-done-cc 2>/dev/null | grep "next:" | awk '{print $2}')
           echo "✓ next tag points to: $NEXT_TAG"
@@ -254,6 +273,7 @@ jobs:
             echo "**DRY RUN** — npm publish, tagging, and push skipped" >> "$GITHUB_STEP_SUMMARY"
           else
             echo "- Published to npm as \`next\`" >> "$GITHUB_STEP_SUMMARY"
+            echo "- SDK also published: \`@gsd-build/sdk@${PRE_VERSION}\` on \`next\`" >> "$GITHUB_STEP_SUMMARY"
             echo "- Install: \`npx get-shit-done-cc@next\`" >> "$GITHUB_STEP_SUMMARY"
           fi
           echo "" >> "$GITHUB_STEP_SUMMARY"
@@ -301,7 +321,8 @@ jobs:
           VERSION: ${{ inputs.version }}
         run: |
           npm version "$VERSION" --no-git-tag-version --allow-same-version
-          git add package.json package-lock.json
+          cd sdk && npm version "$VERSION" --no-git-tag-version --allow-same-version && cd ..
+          git add package.json package-lock.json sdk/package.json
           git diff --cached --quiet || git commit -m "chore: finalize v${VERSION}"
 
       - name: Install and test
@@ -309,8 +330,13 @@ jobs:
           npm ci
           npm run test:coverage
 
+      - name: Build SDK
+        run: cd sdk && npm ci && npm run build
+
       - name: Dry-run publish validation
-        run: npm publish --dry-run
+        run: |
+          npm publish --dry-run
+          cd sdk && npm publish --dry-run
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -360,6 +386,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
+      - name: Publish SDK to npm (latest)
+        if: ${{ !inputs.dry_run }}
+        run: cd sdk && npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - name: Create GitHub Release
         if: ${{ !inputs.dry_run }}
         env:
@@ -380,6 +412,7 @@ jobs:
           # Point next to the stable release so @next never returns something
           # older than @latest. This prevents stale pre-release installs.
           npm dist-tag add "get-shit-done-cc@${VERSION}" next 2>/dev/null || true
+          npm dist-tag add "@gsd-build/sdk@${VERSION}" next 2>/dev/null || true
           echo "✓ next dist-tag updated to v${VERSION}"
 
       - name: Verify publish
@@ -394,6 +427,12 @@ jobs:
             exit 1
           fi
           echo "✓ Verified: get-shit-done-cc@$VERSION is live on npm"
+          SDK_PUBLISHED=$(npm view @gsd-build/sdk@"$VERSION" version 2>/dev/null || echo "NOT_FOUND")
+          if [ "$SDK_PUBLISHED" != "$VERSION" ]; then
+            echo "::error::SDK version verification failed. Expected $VERSION, got $SDK_PUBLISHED"
+            exit 1
+          fi
+          echo "✓ Verified: @gsd-build/sdk@$VERSION is live on npm"
           # Verify latest tag
           LATEST_TAG=$(npm dist-tag ls get-shit-done-cc 2>/dev/null | grep "latest:" | awk '{print $2}')
           echo "✓ latest tag points to: $LATEST_TAG"
@@ -408,6 +447,7 @@ jobs:
             echo "**DRY RUN** — npm publish, tagging, and push skipped" >> "$GITHUB_STEP_SUMMARY"
           else
             echo "- Published to npm as \`latest\`" >> "$GITHUB_STEP_SUMMARY"
+            echo "- SDK also published: \`@gsd-build/sdk@${VERSION}\` as \`latest\`" >> "$GITHUB_STEP_SUMMARY"
             echo "- Tagged \`v${VERSION}\`" >> "$GITHUB_STEP_SUMMARY"
             echo "- PR created to merge back to main" >> "$GITHUB_STEP_SUMMARY"
             echo "- Install: \`npx get-shit-done-cc@latest\`" >> "$GITHUB_STEP_SUMMARY"

commands/gsd/debug.md

@@ -63,7 +63,7 @@ debugger_model=$(gsd-sdk query resolve-model gsd-debugger 2>/dev/null | jq -r '.
 
 Read TDD mode from config:
 ```bash
-TDD_MODE=$(gsd-sdk query config-get tdd_mode 2>/dev/null | jq -r 'if type == "boolean" then tostring else . end' 2>/dev/null || echo "false")
+TDD_MODE=$(gsd-sdk query config-get workflow.tdd_mode 2>/dev/null | jq -r 'if type == "boolean" then tostring else . end' 2>/dev/null || echo "false")
 ```
 
 ## 1a. LIST subcommand

get-shit-done/bin/gsd-tools.cjs

@@ -1,6 +1,10 @@
 #!/usr/bin/env node
 
 /**
+ * @deprecated The supported programmatic surface is `gsd-sdk query` (SDK query registry)
+ * and the `@gsd-build/sdk` package. This Node CLI remains the compatibility implementation
+ * for shell scripts and older workflows; prefer calling the SDK from agents and automation.
+ *
  * GSD Tools — CLI utility for GSD workflow operations
  *
  * Replaces repetitive inline bash patterns across ~50 GSD command/workflow/agent files.

get-shit-done/bin/lib/config.cjs

@@ -19,6 +19,9 @@ const VALID_CONFIG_KEYS = new Set([
   'workflow.auto_advance', 'workflow.node_repair', 'workflow.node_repair_budget',
   'workflow.tdd_mode',
   'workflow.text_mode',
+  'workflow.security_asvs_level',
+  'workflow.security_block_on',
+  'workflow.security_enforcement',
   'workflow.research_before_questions',
   'workflow.discuss_mode',
   'workflow.skip_discuss',

sdk/package.json

@@ -30,7 +30,7 @@
   "author": "TÂCHES",
   "license": "MIT",
   "engines": {
-    "node": ">=20"
+    "node": ">=22.0.0"
   },
   "scripts": {
     "build": "tsc",

tests/debug-session-management.test.cjs

@@ -66,6 +66,21 @@ describe('debug session management implementation', () => {
     );
   });
 
+  test('debug.md reads tdd_mode via workflow.tdd_mode key (not bare tdd_mode)', () => {
+    const content = fs.readFileSync(
+      path.join(process.cwd(), 'commands/gsd/debug.md'),
+      'utf8'
+    );
+    assert.ok(
+      !content.includes('config-get tdd_mode'),
+      'debug.md must not use bare "tdd_mode" key — use "workflow.tdd_mode" to match every other consumer'
+    );
+    assert.ok(
+      content.includes('config-get workflow.tdd_mode'),
+      'debug.md must read tdd_mode via the "workflow.tdd_mode" key'
+    );
+  });
+
   test('debug command contains security hardening', () => {
     const content = fs.readFileSync(
       path.join(process.cwd(), 'commands/gsd/debug.md'),