From 9c4ae901ead47de3b6f04534d16510dc56b2f59c Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:10:44 -0700 Subject: [PATCH 01/11] fix(security): commit bun.lock to pin dependency versions Remove bun.lock from .gitignore and commit the lockfile. Every bun install now uses exact pinned versions instead of resolving floating ^ ranges from npm fresh. Closes the supply-chain vector from #566. Co-Authored-By: boinger Co-Authored-By: Claude Opus 4.6 (1M context) --- .gitignore | 1 - bun.lock | 196 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 196 insertions(+), 1 deletion(-) create mode 100644 bun.lock diff --git a/.gitignore b/.gitignore index 38b0fc282..ab951233f 100644 --- a/.gitignore +++ b/.gitignore @@ -11,7 +11,6 @@ extension/.auth.json .gstack-worktrees/ /tmp/ *.log -bun.lock *.bun-build .env .env.local diff --git a/bun.lock b/bun.lock new file mode 100644 index 000000000..255f4ee71 --- /dev/null +++ b/bun.lock @@ -0,0 +1,196 @@ +{ + "lockfileVersion": 1, + "configVersion": 1, + "workspaces": { + "": { + "name": "gstack", + "dependencies": { + "diff": "^7.0.0", + "playwright": "^1.58.2", + "puppeteer-core": "^24.40.0", + }, + "devDependencies": { + "@anthropic-ai/sdk": "^0.78.0", + }, + }, + }, + "packages": { + "@anthropic-ai/sdk": ["@anthropic-ai/sdk@0.78.0", "", { "dependencies": { "json-schema-to-ts": "^3.1.1" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" }, "optionalPeers": ["zod"], "bin": { "anthropic-ai-sdk": "bin/cli" } }, "sha512-PzQhR715td/m1UaaN5hHXjYB8Gl2lF9UVhrrGrZeysiF6Rb74Wc9GCB8hzLdzmQtBd1qe89F9OptgB9Za1Ib5w=="], + + "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="], + + "@puppeteer/browsers": ["@puppeteer/browsers@2.13.0", "", { "dependencies": { "debug": "^4.4.3", "extract-zip": "^2.0.1", "progress": "^2.0.3", "proxy-agent": "^6.5.0", "semver": "^7.7.4", "tar-fs": "^3.1.1", "yargs": "^17.7.2" }, "bin": { "browsers": "lib/cjs/main-cli.js" } }, "sha512-46BZJYJjc/WwmKjsvDFykHtXrtomsCIrwYQPOP7VfMJoZY2bsDF9oROBABR3paDjDcmkUye1Pb1BqdcdiipaWA=="], + + "@tootallnate/quickjs-emscripten": ["@tootallnate/quickjs-emscripten@0.23.0", "", {}, "sha512-C5Mc6rdnsaJDjO3UpGW/CQTHtCKaYlScZTly4JIu97Jxo/odCiH0ITnDXSJPTOrEKk/ycSZ0AOgTmkDtkOsvIA=="], + + "@types/node": ["@types/node@25.5.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw=="], + + "@types/yauzl": ["@types/yauzl@2.10.3", "", { "dependencies": { "@types/node": "*" } }, "sha512-oJoftv0LSuaDZE3Le4DbKX+KS9G36NzOeSap90UIK0yMA/NhKJhqlSGtNDORNRaIbQfzjXDrQa0ytJ6mNRGz/Q=="], + + "agent-base": ["agent-base@7.1.4", "", {}, "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ=="], + + "ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="], + + "ansi-styles": ["ansi-styles@4.3.0", "", { "dependencies": { "color-convert": "^2.0.1" } }, "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg=="], + + "ast-types": ["ast-types@0.13.4", "", { "dependencies": { "tslib": "^2.0.1" } }, "sha512-x1FCFnFifvYDDzTaLII71vG5uvDwgtmDTEVWAxrgeiR8VjMONcCXJx7E+USjDtHlwFmt9MysbqgF9b9Vjr6w+w=="], + + "b4a": ["b4a@1.8.0", "", { "peerDependencies": { "react-native-b4a": "*" }, "optionalPeers": ["react-native-b4a"] }, "sha512-qRuSmNSkGQaHwNbM7J78Wwy+ghLEYF1zNrSeMxj4Kgw6y33O3mXcQ6Ie9fRvfU/YnxWkOchPXbaLb73TkIsfdg=="], + + "bare-events": ["bare-events@2.8.2", "", { "peerDependencies": { "bare-abort-controller": "*" }, "optionalPeers": ["bare-abort-controller"] }, "sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ=="], + + "bare-fs": ["bare-fs@4.5.6", "", { "dependencies": { "bare-events": "^2.5.4", "bare-path": "^3.0.0", "bare-stream": "^2.6.4", "bare-url": "^2.2.2", "fast-fifo": "^1.3.2" }, "peerDependencies": { "bare-buffer": "*" }, "optionalPeers": ["bare-buffer"] }, "sha512-1QovqDrR80Pmt5HPAsMsXTCFcDYr+NSUKW6nd6WO5v0JBmnItc/irNRzm2KOQ5oZ69P37y+AMujNyNtG+1Rggw=="], + + "bare-os": ["bare-os@3.8.1", "", {}, "sha512-6g8rIdyQqYL6XbghpOgS8AOSvWQUf0zT0XaYUrJIX5VugpCGUyJaz1zfcKCecOnUkI76oVJXuHg1LMGYVXTvKw=="], + + "bare-path": ["bare-path@3.0.0", "", { "dependencies": { "bare-os": "^3.0.1" } }, "sha512-tyfW2cQcB5NN8Saijrhqn0Zh7AnFNsnczRcuWODH0eYAXBsJ5gVxAUuNr7tsHSC6IZ77cA0SitzT+s47kot8Mw=="], + + "bare-stream": ["bare-stream@2.11.0", "", { "dependencies": { "streamx": "^2.25.0", "teex": "^1.0.1" }, "peerDependencies": { "bare-abort-controller": "*", "bare-buffer": "*", "bare-events": "*" }, "optionalPeers": ["bare-abort-controller", "bare-buffer", "bare-events"] }, "sha512-Y/+iQ49fL3rIn6w/AVxI/2+BRrpmzJvdWt5Jv8Za6Ngqc6V227c+pYjYYgLdpR3MwQ9ObVXD0ZrqoBztakM0rw=="], + + "bare-url": ["bare-url@2.4.0", "", { "dependencies": { "bare-path": "^3.0.0" } }, "sha512-NSTU5WN+fy/L0DDenfE8SXQna4voXuW0FHM7wH8i3/q9khUSchfPbPezO4zSFMnDGIf9YE+mt/RWhZgNRKRIXA=="], + + "basic-ftp": ["basic-ftp@5.2.0", "", {}, "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw=="], + + "buffer-crc32": ["buffer-crc32@0.2.13", "", {}, "sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ=="], + + "chromium-bidi": ["chromium-bidi@14.0.0", "", { "dependencies": { "mitt": "^3.0.1", "zod": "^3.24.1" }, "peerDependencies": { "devtools-protocol": "*" } }, "sha512-9gYlLtS6tStdRWzrtXaTMnqcM4dudNegMXJxkR0I/CXObHalYeYcAMPrL19eroNZHtJ8DQmu1E+ZNOYu/IXMXw=="], + + "cliui": ["cliui@8.0.1", "", { "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.1", "wrap-ansi": "^7.0.0" } }, "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ=="], + + "color-convert": ["color-convert@2.0.1", "", { "dependencies": { "color-name": "~1.1.4" } }, "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ=="], + + "color-name": ["color-name@1.1.4", "", {}, "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="], + + "data-uri-to-buffer": ["data-uri-to-buffer@6.0.2", "", {}, "sha512-7hvf7/GW8e86rW0ptuwS3OcBGDjIi6SZva7hCyWC0yYry2cOPmLIjXAUHI6DK2HsnwJd9ifmt57i8eV2n4YNpw=="], + + "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="], + + "degenerator": ["degenerator@5.0.1", "", { "dependencies": { "ast-types": "^0.13.4", "escodegen": "^2.1.0", "esprima": "^4.0.1" } }, "sha512-TllpMR/t0M5sqCXfj85i4XaAzxmS5tVA16dqvdkMwGmzI+dXLXnw3J+3Vdv7VKw+ThlTMboK6i9rnZ6Nntj5CQ=="], + + "devtools-protocol": ["devtools-protocol@0.0.1581282", "", {}, "sha512-nv7iKtNZQshSW2hKzYNr46nM/Cfh5SEvE2oV0/SEGgc9XupIY5ggf84Cz8eJIkBce7S3bmTAauFD6aysMpnqsQ=="], + + "diff": ["diff@7.0.0", "", {}, "sha512-PJWHUb1RFevKCwaFA9RlG5tCd+FO5iRh9A8HEtkmBH2Li03iJriB6m6JIN4rGz3K3JLawI7/veA1xzRKP6ISBw=="], + + "emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="], + + "end-of-stream": ["end-of-stream@1.4.5", "", { "dependencies": { "once": "^1.4.0" } }, "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg=="], + + "escalade": ["escalade@3.2.0", "", {}, "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="], + + "escodegen": ["escodegen@2.1.0", "", { "dependencies": { "esprima": "^4.0.1", "estraverse": "^5.2.0", "esutils": "^2.0.2" }, "optionalDependencies": { "source-map": "~0.6.1" }, "bin": { "esgenerate": "bin/esgenerate.js", "escodegen": "bin/escodegen.js" } }, "sha512-2NlIDTwUWJN0mRPQOdtQBzbUHvdGY2P1VXSyU83Q3xKxM7WHX2Ql8dKq782Q9TgQUNOLEzEYu9bzLNj1q88I5w=="], + + "esprima": ["esprima@4.0.1", "", { "bin": { "esparse": "./bin/esparse.js", "esvalidate": "./bin/esvalidate.js" } }, "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A=="], + + "estraverse": ["estraverse@5.3.0", "", {}, "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA=="], + + "esutils": ["esutils@2.0.3", "", {}, "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g=="], + + "events-universal": ["events-universal@1.0.1", "", { "dependencies": { "bare-events": "^2.7.0" } }, "sha512-LUd5euvbMLpwOF8m6ivPCbhQeSiYVNb8Vs0fQ8QjXo0JTkEHpz8pxdQf0gStltaPpw0Cca8b39KxvK9cfKRiAw=="], + + "extract-zip": ["extract-zip@2.0.1", "", { "dependencies": { "debug": "^4.1.1", "get-stream": "^5.1.0", "yauzl": "^2.10.0" }, "optionalDependencies": { "@types/yauzl": "^2.9.1" }, "bin": { "extract-zip": "cli.js" } }, "sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg=="], + + "fast-fifo": ["fast-fifo@1.3.2", "", {}, "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ=="], + + "fd-slicer": ["fd-slicer@1.1.0", "", { "dependencies": { "pend": "~1.2.0" } }, "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g=="], + + "fsevents": ["fsevents@2.3.2", "", { "os": "darwin" }, "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA=="], + + "get-caller-file": ["get-caller-file@2.0.5", "", {}, "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg=="], + + "get-stream": ["get-stream@5.2.0", "", { "dependencies": { "pump": "^3.0.0" } }, "sha512-nBF+F1rAZVCu/p7rjzgA+Yb4lfYXrpl7a6VmJrU8wF9I1CKvP/QwPNZHnOlwbTkY6dvtFIzFMSyQXbLoTQPRpA=="], + + "get-uri": ["get-uri@6.0.5", "", { "dependencies": { "basic-ftp": "^5.0.2", "data-uri-to-buffer": "^6.0.2", "debug": "^4.3.4" } }, "sha512-b1O07XYq8eRuVzBNgJLstU6FYc1tS6wnMtF1I1D9lE8LxZSOGZ7LhxN54yPP6mGw5f2CkXY2BQUL9Fx41qvcIg=="], + + "http-proxy-agent": ["http-proxy-agent@7.0.2", "", { "dependencies": { "agent-base": "^7.1.0", "debug": "^4.3.4" } }, "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig=="], + + "https-proxy-agent": ["https-proxy-agent@7.0.6", "", { "dependencies": { "agent-base": "^7.1.2", "debug": "4" } }, "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw=="], + + "ip-address": ["ip-address@10.1.0", "", {}, "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q=="], + + "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="], + + "json-schema-to-ts": ["json-schema-to-ts@3.1.1", "", { "dependencies": { "@babel/runtime": "^7.18.3", "ts-algebra": "^2.0.0" } }, "sha512-+DWg8jCJG2TEnpy7kOm/7/AxaYoaRbjVB4LFZLySZlWn8exGs3A4OLJR966cVvU26N7X9TWxl+Jsw7dzAqKT6g=="], + + "lru-cache": ["lru-cache@7.18.3", "", {}, "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA=="], + + "mitt": ["mitt@3.0.1", "", {}, "sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw=="], + + "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "netmask": ["netmask@2.0.2", "", {}, "sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg=="], + + "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="], + + "pac-proxy-agent": ["pac-proxy-agent@7.2.0", "", { "dependencies": { "@tootallnate/quickjs-emscripten": "^0.23.0", "agent-base": "^7.1.2", "debug": "^4.3.4", "get-uri": "^6.0.1", "http-proxy-agent": "^7.0.0", "https-proxy-agent": "^7.0.6", "pac-resolver": "^7.0.1", "socks-proxy-agent": "^8.0.5" } }, "sha512-TEB8ESquiLMc0lV8vcd5Ql/JAKAoyzHFXaStwjkzpOpC5Yv+pIzLfHvjTSdf3vpa2bMiUQrg9i6276yn8666aA=="], + + "pac-resolver": ["pac-resolver@7.0.1", "", { "dependencies": { "degenerator": "^5.0.0", "netmask": "^2.0.2" } }, "sha512-5NPgf87AT2STgwa2ntRMr45jTKrYBGkVU36yT0ig/n/GMAa3oPqhZfIQ2kMEimReg0+t9kZViDVZ83qfVUlckg=="], + + "pend": ["pend@1.2.0", "", {}, "sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg=="], + + "playwright": ["playwright@1.58.2", "", { "dependencies": { "playwright-core": "1.58.2" }, "optionalDependencies": { "fsevents": "2.3.2" }, "bin": { "playwright": "cli.js" } }, "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A=="], + + "playwright-core": ["playwright-core@1.58.2", "", { "bin": { "playwright-core": "cli.js" } }, "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg=="], + + "progress": ["progress@2.0.3", "", {}, "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA=="], + + "proxy-agent": ["proxy-agent@6.5.0", "", { "dependencies": { "agent-base": "^7.1.2", "debug": "^4.3.4", "http-proxy-agent": "^7.0.1", "https-proxy-agent": "^7.0.6", "lru-cache": "^7.14.1", "pac-proxy-agent": "^7.1.0", "proxy-from-env": "^1.1.0", "socks-proxy-agent": "^8.0.5" } }, "sha512-TmatMXdr2KlRiA2CyDu8GqR8EjahTG3aY3nXjdzFyoZbmB8hrBsTyMezhULIXKnC0jpfjlmiZ3+EaCzoInSu/A=="], + + "proxy-from-env": ["proxy-from-env@1.1.0", "", {}, "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg=="], + + "pump": ["pump@3.0.4", "", { "dependencies": { "end-of-stream": "^1.1.0", "once": "^1.3.1" } }, "sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA=="], + + "puppeteer-core": ["puppeteer-core@24.40.0", "", { "dependencies": { "@puppeteer/browsers": "2.13.0", "chromium-bidi": "14.0.0", "debug": "^4.4.3", "devtools-protocol": "0.0.1581282", "typed-query-selector": "^2.12.1", "webdriver-bidi-protocol": "0.4.1", "ws": "^8.19.0" } }, "sha512-MWL3XbUCfVgGR0gRsidzT6oKJT2QydPLhMITU6HoVWiiv4gkb6gJi3pcdAa8q4HwjBTbqISOWVP4aJiiyUJvag=="], + + "require-directory": ["require-directory@2.1.1", "", {}, "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q=="], + + "semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="], + + "smart-buffer": ["smart-buffer@4.2.0", "", {}, "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg=="], + + "socks": ["socks@2.8.7", "", { "dependencies": { "ip-address": "^10.0.1", "smart-buffer": "^4.2.0" } }, "sha512-HLpt+uLy/pxB+bum/9DzAgiKS8CX1EvbWxI4zlmgGCExImLdiad2iCwXT5Z4c9c3Eq8rP2318mPW2c+QbtjK8A=="], + + "socks-proxy-agent": ["socks-proxy-agent@8.0.5", "", { "dependencies": { "agent-base": "^7.1.2", "debug": "^4.3.4", "socks": "^2.8.3" } }, "sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw=="], + + "source-map": ["source-map@0.6.1", "", {}, "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="], + + "streamx": ["streamx@2.25.0", "", { "dependencies": { "events-universal": "^1.0.0", "fast-fifo": "^1.3.2", "text-decoder": "^1.1.0" } }, "sha512-0nQuG6jf1w+wddNEEXCF4nTg3LtufWINB5eFEN+5TNZW7KWJp6x87+JFL43vaAUPyCfH1wID+mNVyW6OHtFamg=="], + + "string-width": ["string-width@4.2.3", "", { "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g=="], + + "strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="], + + "tar-fs": ["tar-fs@3.1.2", "", { "dependencies": { "pump": "^3.0.0", "tar-stream": "^3.1.5" }, "optionalDependencies": { "bare-fs": "^4.0.1", "bare-path": "^3.0.0" } }, "sha512-QGxxTxxyleAdyM3kpFs14ymbYmNFrfY+pHj7Z8FgtbZ7w2//VAgLMac7sT6nRpIHjppXO2AwwEOg0bPFVRcmXw=="], + + "tar-stream": ["tar-stream@3.1.8", "", { "dependencies": { "b4a": "^1.6.4", "bare-fs": "^4.5.5", "fast-fifo": "^1.2.0", "streamx": "^2.15.0" } }, "sha512-U6QpVRyCGHva435KoNWy9PRoi2IFYCgtEhq9nmrPPpbRacPs9IH4aJ3gbrFC8dPcXvdSZ4XXfXT5Fshbp2MtlQ=="], + + "teex": ["teex@1.0.1", "", { "dependencies": { "streamx": "^2.12.5" } }, "sha512-eYE6iEI62Ni1H8oIa7KlDU6uQBtqr4Eajni3wX7rpfXD8ysFx8z0+dri+KWEPWpBsxXfxu58x/0jvTVT1ekOSg=="], + + "text-decoder": ["text-decoder@1.2.7", "", { "dependencies": { "b4a": "^1.6.4" } }, "sha512-vlLytXkeP4xvEq2otHeJfSQIRyWxo/oZGEbXrtEEF9Hnmrdly59sUbzZ/QgyWuLYHctCHxFF4tRQZNQ9k60ExQ=="], + + "ts-algebra": ["ts-algebra@2.0.0", "", {}, "sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw=="], + + "tslib": ["tslib@2.8.1", "", {}, "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w=="], + + "typed-query-selector": ["typed-query-selector@2.12.1", "", {}, "sha512-uzR+FzI8qrUEIu96oaeBJmd9E7CFEiQ3goA5qCVgc4s5llSubcfGHq9yUstZx/k4s9dXHVKsE35YWoFyvEqEHA=="], + + "undici-types": ["undici-types@7.18.2", "", {}, "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w=="], + + "webdriver-bidi-protocol": ["webdriver-bidi-protocol@0.4.1", "", {}, "sha512-ARrjNjtWRRs2w4Tk7nqrf2gBI0QXWuOmMCx2hU+1jUt6d00MjMxURrhxhGbrsoiZKJrhTSTzbIrc554iKI10qw=="], + + "wrap-ansi": ["wrap-ansi@7.0.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q=="], + + "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="], + + "ws": ["ws@8.20.0", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA=="], + + "y18n": ["y18n@5.0.8", "", {}, "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA=="], + + "yargs": ["yargs@17.7.2", "", { "dependencies": { "cliui": "^8.0.1", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", "string-width": "^4.2.3", "y18n": "^5.0.5", "yargs-parser": "^21.1.1" } }, "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w=="], + + "yargs-parser": ["yargs-parser@21.1.1", "", {}, "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw=="], + + "yauzl": ["yauzl@2.10.0", "", { "dependencies": { "buffer-crc32": "~0.2.3", "fd-slicer": "~1.1.0" } }, "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g=="], + + "zod": ["zod@3.25.76", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="], + } +} From 36127d8ead77780ec939c0795bd1dfaed9a59722 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:10:53 -0700 Subject: [PATCH 02/11] fix: gstack-slug falls back to dirname/unknown when git context is absent Add || true to git commands and fallback defaults so gstack-slug works outside git repos. Prevents unbound variable crash that kills every review skill when no git context exists. Co-Authored-By: collinstraka-clov Co-Authored-By: Claude Opus 4.6 (1M context) --- bin/gstack-slug | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/gstack-slug b/bin/gstack-slug index a7ae78839..baa1403f3 100755 --- a/bin/gstack-slug +++ b/bin/gstack-slug @@ -6,10 +6,13 @@ # Security: output is sanitized to [a-zA-Z0-9._-] only, preventing # shell injection when consumed via source or eval. set -euo pipefail -RAW_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-') -RAW_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-') +RAW_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-') || true +RAW_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-') || true # Strip any characters that aren't alphanumeric, dot, hyphen, or underscore -SLUG=$(printf '%s' "$RAW_SLUG" | tr -cd 'a-zA-Z0-9._-') -BRANCH=$(printf '%s' "$RAW_BRANCH" | tr -cd 'a-zA-Z0-9._-') +SLUG=$(printf '%s' "${RAW_SLUG:-}" | tr -cd 'a-zA-Z0-9._-') +BRANCH=$(printf '%s' "${RAW_BRANCH:-}" | tr -cd 'a-zA-Z0-9._-') +# Fallback when git context is absent +SLUG="${SLUG:-$(basename "$PWD" | tr -cd 'a-zA-Z0-9._-')}" +BRANCH="${BRANCH:-unknown}" echo "SLUG=$SLUG" echo "BRANCH=$BRANCH" From 7dc03596dfcfcf5c2914050a295fd1d7f0b05c02 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:10:58 -0700 Subject: [PATCH 03/11] fix: setup auto-selects default after 10s timeout to prevent CI hangs Add -t 10 to the read command in the skill-prefix prompt. In CI, Docker, and Conductor workspaces where a TTY exists but nobody is watching, the prompt now auto-selects short names after 10 seconds instead of blocking forever. Co-Authored-By: stedfn Co-Authored-By: Claude Opus 4.6 (1M context) --- setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup b/setup index e624ecf82..e66a6df0f 100755 --- a/setup +++ b/setup @@ -62,8 +62,8 @@ if [ "$SKILL_PREFIX_FLAG" -eq 0 ]; then echo " 2) Namespaced: /gstack-qa, /gstack-ship, /gstack-review" echo " Use this if you run other skill packs alongside gstack to avoid conflicts." echo "" - printf "Choice [1/2] (default: 1): " - read -r _prefix_choice /dev/null || _prefix_choice="" + printf "Choice [1/2] (default: 1, auto-selects in 10s): " + read -t 10 -r _prefix_choice /dev/null || _prefix_choice="" case "$_prefix_choice" in 2) SKILL_PREFIX=1 ;; *) SKILL_PREFIX=0 ;; From a1bbc76c12db12bf9c98291cb267f26203d07e35 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:11:04 -0700 Subject: [PATCH 04/11] =?UTF-8?q?fix:=20browse=20CLI=20Windows=20lockfile?= =?UTF-8?q?=20=E2=80=94=20use=20string=20flag=20instead=20of=20numeric=20c?= =?UTF-8?q?onstants?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bun compiled binaries on Windows don't handle numeric fs.constants correctly. The string flag 'wx' is semantically identical to O_CREAT | O_EXCL | O_WRONLY per Node docs and works on all platforms. Fixes #599 Co-Authored-By: Claude Opus 4.6 (1M context) --- browse/src/cli.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/browse/src/cli.ts b/browse/src/cli.ts index a24886c24..e6e470fd5 100644 --- a/browse/src/cli.ts +++ b/browse/src/cli.ts @@ -291,8 +291,9 @@ async function startServer(extraEnv?: Record): Promise void) | null { const lockPath = `${config.stateFile}.lock`; try { - // O_CREAT | O_EXCL — fails if file already exists (atomic check-and-create) - const fd = fs.openSync(lockPath, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY); + // 'wx' — create exclusively, fails if file already exists (atomic check-and-create) + // Using string flag instead of numeric constants for Bun Windows compatibility + const fd = fs.openSync(lockPath, 'wx'); fs.writeSync(fd, `${process.pid}\n`); fs.closeSync(fd); return () => { try { fs.unlinkSync(lockPath); } catch {} }; From e4d7c86870a701fc30596a5aef65c185d827edeb Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:11:16 -0700 Subject: [PATCH 05/11] fix: add ~/.gstack/projects/ to plan file search path /office-hours writes design docs to ~/.gstack/projects/$SLUG/ but /ship and /review only searched ~/.claude/plans, ~/.codex/plans, and .gstack/plans. Add the project-scoped directory as the first search location so plan validation finds design docs created by the standard workflow. Fixes #591 Co-Authored-By: Claude Opus 4.6 (1M context) --- scripts/resolvers/review.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/resolvers/review.ts b/scripts/resolvers/review.ts index 1fd214659..e3547c8dc 100644 --- a/scripts/resolvers/review.ts +++ b/scripts/resolvers/review.ts @@ -654,8 +654,11 @@ function generatePlanFileDiscovery(): string { setopt +o nomatch 2>/dev/null || true # zsh compat BRANCH=$(git branch --show-current 2>/dev/null | tr '/' '-') REPO=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)") -# Search common plan file locations -for PLAN_DIR in "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do +# Compute project slug for ~/.gstack/projects/ lookup +_PLAN_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\\([^/]*/[^/]*\\)\\.git$|\\1|;s|.*[:/]\\([^/]*/[^/]*\\)$|\\1|' | tr '/' '-' | tr -cd 'a-zA-Z0-9._-') || true +_PLAN_SLUG="\${_PLAN_SLUG:-$(basename "$PWD" | tr -cd 'a-zA-Z0-9._-')}" +# Search common plan file locations (project designs first, then personal/local) +for PLAN_DIR in "$HOME/.gstack/projects/$_PLAN_SLUG" "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do [ -d "$PLAN_DIR" ] || continue PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$BRANCH" 2>/dev/null | head -1) [ -z "$PLAN" ] && PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$REPO" 2>/dev/null | head -1) From 3b62fec470bc559f2d80b05a6bb5d1435c1b56fd Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:11:39 -0700 Subject: [PATCH 06/11] =?UTF-8?q?fix:=20autoplan=20dual-voice=20=E2=80=94?= =?UTF-8?q?=20sequential=20foreground=20execution=20instead=20of=20broken?= =?UTF-8?q?=20parallel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Background subagents don't inherit tool permissions in Claude Code, so the Claude subagent in dual-voice mode was silently failing on every invocation. Every autoplan run was degrading to single-reviewer mode without warning. Change all three phases (CEO, Design, Eng) from "simultaneously" to sequential foreground execution: Claude subagent first (Agent tool, foreground), then Codex (Bash). Both complete before the consensus table. Fixes #497 Co-Authored-By: Claude Opus 4.6 (1M context) --- autoplan/SKILL.md.tmpl | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/autoplan/SKILL.md.tmpl b/autoplan/SKILL.md.tmpl index 16c35adca..198099473 100644 --- a/autoplan/SKILL.md.tmpl +++ b/autoplan/SKILL.md.tmpl @@ -207,7 +207,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. Duplicates → reject (P4). Borderline (3-5 files) → mark TASTE DECISION. - All 10 review sections: run fully, auto-decide each issue, log every decision. - Dual voices: always run BOTH Claude subagent AND Codex if available (P6). - Run them simultaneously (Agent tool for subagent, Bash for Codex). + Run them sequentially in foreground. First the Claude subagent (Agent tool, + foreground — do NOT use run_in_background), then Codex (Bash). Both must + complete before building the consensus table. **Codex CEO voice** (via Bash): ```bash @@ -234,7 +236,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 5. What's the competitive risk — could someone else solve this first/better? For each finding: what's wrong, severity (critical/high/medium), and the fix." - **Error handling:** All non-blocking. Codex auth/timeout/empty → proceed with + **Error handling:** Both calls block in foreground. Codex auth/timeout/empty → proceed with Claude subagent only, tagged `[single-model]`. If Claude subagent also fails → "Outside voices unavailable — continuing with primary review." @@ -255,10 +257,10 @@ Step 0 (0A-0F) — run each sub-step and produce: - 0E: Temporal interrogation (HOUR 1 → HOUR 6+) - 0F: Mode selection confirmation -Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present -Codex output under CODEX SAYS (CEO — strategy challenge) header. Present subagent -output under CLAUDE SUBAGENT (CEO — strategic independence) header. Produce CEO -consensus table: +Step 0.5 (Dual Voices): Run Claude subagent (foreground Agent tool) first, then +Codex (Bash). Present Codex output under CODEX SAYS (CEO — strategy challenge) +header. Present subagent output under CLAUDE SUBAGENT (CEO — strategic independence) +header. Produce CEO consensus table: ``` CEO DUAL VOICES — CONSENSUS TABLE: @@ -351,7 +353,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. For each finding: what's wrong, severity (critical/high/medium), and the fix." NO prior-phase context — subagent must be truly independent. - Error handling: same as Phase 1 (non-blocking, degradation matrix applies). + Error handling: same as Phase 1 (both foreground/blocking, degradation matrix applies). - Design choices: if codex disagrees with a design decision with valid UX reasoning → TASTE DECISION. @@ -360,7 +362,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 1. Step 0 (Design Scope): Rate completeness 0-10. Check DESIGN.md. Map existing patterns. -2. Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present under +2. Step 0.5 (Dual Voices): Run Claude subagent (foreground) first, then Codex. Present under CODEX SAYS (design — UX challenge) and CLAUDE SUBAGENT (design — independent review) headers. Produce design litmus scorecard (consensus table). Use the litmus scorecard format from plan-design-review. Include CEO phase findings in Codex prompt ONLY @@ -421,7 +423,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. For each finding: what's wrong, severity, and the fix." NO prior-phase context — subagent must be truly independent. - Error handling: same as Phase 1 (non-blocking, degradation matrix applies). + Error handling: same as Phase 1 (both foreground/blocking, degradation matrix applies). - Architecture choices: explicit over clever (P5). If codex disagrees with valid reason → TASTE DECISION. - Evals: always include all relevant suites (P1) @@ -433,7 +435,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 1. Step 0 (Scope Challenge): Read actual code referenced by the plan. Map each sub-problem to existing code. Run the complexity check. Produce concrete findings. -2. Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present +2. Step 0.5 (Dual Voices): Run Claude subagent (foreground) first, then Codex. Present Codex output under CODEX SAYS (eng — architecture challenge) header. Present subagent output under CLAUDE SUBAGENT (eng — independent review) header. Produce eng consensus table: From 2e89234e729607e7eadce54a972c940cffc80204 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:11:46 -0700 Subject: [PATCH 07/11] chore: regenerate SKILL.md files from updated templates Regenerated from autoplan/SKILL.md.tmpl (dual-voice fix) and scripts/resolvers/review.ts (plan search path fix). Co-Authored-By: Claude Opus 4.6 (1M context) --- autoplan/SKILL.md | 22 ++++++++++++---------- review/SKILL.md | 7 +++++-- ship/SKILL.md | 7 +++++-- 3 files changed, 22 insertions(+), 14 deletions(-) diff --git a/autoplan/SKILL.md b/autoplan/SKILL.md index 5e8db0651..c523c2707 100644 --- a/autoplan/SKILL.md +++ b/autoplan/SKILL.md @@ -617,7 +617,9 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. Duplicates → reject (P4). Borderline (3-5 files) → mark TASTE DECISION. - All 10 review sections: run fully, auto-decide each issue, log every decision. - Dual voices: always run BOTH Claude subagent AND Codex if available (P6). - Run them simultaneously (Agent tool for subagent, Bash for Codex). + Run them sequentially in foreground. First the Claude subagent (Agent tool, + foreground — do NOT use run_in_background), then Codex (Bash). Both must + complete before building the consensus table. **Codex CEO voice** (via Bash): ```bash @@ -644,7 +646,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 5. What's the competitive risk — could someone else solve this first/better? For each finding: what's wrong, severity (critical/high/medium), and the fix." - **Error handling:** All non-blocking. Codex auth/timeout/empty → proceed with + **Error handling:** Both calls block in foreground. Codex auth/timeout/empty → proceed with Claude subagent only, tagged `[single-model]`. If Claude subagent also fails → "Outside voices unavailable — continuing with primary review." @@ -665,10 +667,10 @@ Step 0 (0A-0F) — run each sub-step and produce: - 0E: Temporal interrogation (HOUR 1 → HOUR 6+) - 0F: Mode selection confirmation -Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present -Codex output under CODEX SAYS (CEO — strategy challenge) header. Present subagent -output under CLAUDE SUBAGENT (CEO — strategic independence) header. Produce CEO -consensus table: +Step 0.5 (Dual Voices): Run Claude subagent (foreground Agent tool) first, then +Codex (Bash). Present Codex output under CODEX SAYS (CEO — strategy challenge) +header. Present subagent output under CLAUDE SUBAGENT (CEO — strategic independence) +header. Produce CEO consensus table: ``` CEO DUAL VOICES — CONSENSUS TABLE: @@ -761,7 +763,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. For each finding: what's wrong, severity (critical/high/medium), and the fix." NO prior-phase context — subagent must be truly independent. - Error handling: same as Phase 1 (non-blocking, degradation matrix applies). + Error handling: same as Phase 1 (both foreground/blocking, degradation matrix applies). - Design choices: if codex disagrees with a design decision with valid UX reasoning → TASTE DECISION. @@ -770,7 +772,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 1. Step 0 (Design Scope): Rate completeness 0-10. Check DESIGN.md. Map existing patterns. -2. Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present under +2. Step 0.5 (Dual Voices): Run Claude subagent (foreground) first, then Codex. Present under CODEX SAYS (design — UX challenge) and CLAUDE SUBAGENT (design — independent review) headers. Produce design litmus scorecard (consensus table). Use the litmus scorecard format from plan-design-review. Include CEO phase findings in Codex prompt ONLY @@ -831,7 +833,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. For each finding: what's wrong, severity, and the fix." NO prior-phase context — subagent must be truly independent. - Error handling: same as Phase 1 (non-blocking, degradation matrix applies). + Error handling: same as Phase 1 (both foreground/blocking, degradation matrix applies). - Architecture choices: explicit over clever (P5). If codex disagrees with valid reason → TASTE DECISION. - Evals: always include all relevant suites (P1) @@ -843,7 +845,7 @@ Override: every AskUserQuestion → auto-decide using the 6 principles. 1. Step 0 (Scope Challenge): Read actual code referenced by the plan. Map each sub-problem to existing code. Run the complexity check. Produce concrete findings. -2. Step 0.5 (Dual Voices): Run Claude subagent AND Codex simultaneously. Present +2. Step 0.5 (Dual Voices): Run Claude subagent (foreground) first, then Codex. Present Codex output under CODEX SAYS (eng — architecture challenge) header. Present subagent output under CLAUDE SUBAGENT (eng — independent review) header. Produce eng consensus table: diff --git a/review/SKILL.md b/review/SKILL.md index f11c708f5..6c8152a43 100644 --- a/review/SKILL.md +++ b/review/SKILL.md @@ -417,8 +417,11 @@ Before reviewing code quality, check: **did they build what was requested — no setopt +o nomatch 2>/dev/null || true # zsh compat BRANCH=$(git branch --show-current 2>/dev/null | tr '/' '-') REPO=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)") -# Search common plan file locations -for PLAN_DIR in "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do +# Compute project slug for ~/.gstack/projects/ lookup +_PLAN_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-' | tr -cd 'a-zA-Z0-9._-') || true +_PLAN_SLUG="${_PLAN_SLUG:-$(basename "$PWD" | tr -cd 'a-zA-Z0-9._-')}" +# Search common plan file locations (project designs first, then personal/local) +for PLAN_DIR in "$HOME/.gstack/projects/$_PLAN_SLUG" "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do [ -d "$PLAN_DIR" ] || continue PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$BRANCH" 2>/dev/null | head -1) [ -z "$PLAN" ] && PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$REPO" 2>/dev/null | head -1) diff --git a/ship/SKILL.md b/ship/SKILL.md index 9b51fabcb..58b80e1a9 100644 --- a/ship/SKILL.md +++ b/ship/SKILL.md @@ -1149,8 +1149,11 @@ Repo: {owner/repo} setopt +o nomatch 2>/dev/null || true # zsh compat BRANCH=$(git branch --show-current 2>/dev/null | tr '/' '-') REPO=$(basename "$(git rev-parse --show-toplevel 2>/dev/null)") -# Search common plan file locations -for PLAN_DIR in "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do +# Compute project slug for ~/.gstack/projects/ lookup +_PLAN_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-' | tr -cd 'a-zA-Z0-9._-') || true +_PLAN_SLUG="${_PLAN_SLUG:-$(basename "$PWD" | tr -cd 'a-zA-Z0-9._-')}" +# Search common plan file locations (project designs first, then personal/local) +for PLAN_DIR in "$HOME/.gstack/projects/$_PLAN_SLUG" "$HOME/.claude/plans" "$HOME/.codex/plans" ".gstack/plans"; do [ -d "$PLAN_DIR" ] || continue PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$BRANCH" 2>/dev/null | head -1) [ -z "$PLAN" ] && PLAN=$(ls -t "$PLAN_DIR"/*.md 2>/dev/null | xargs grep -l "$REPO" 2>/dev/null | head -1) From 9530c295c509e33fd6433f04a51a90e5e945f4e8 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:11:55 -0700 Subject: [PATCH 08/11] =?UTF-8?q?docs:=20add=20community=20PR=20guardrails?= =?UTF-8?q?=20=E2=80=94=20protect=20ETHOS.md=20and=20voice?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add explicit CLAUDE.md rule requiring AskUserQuestion before accepting any community PR that touches ETHOS.md, removes promotional material, or changes Garry's voice. No exceptions, no auto-merging. Co-Authored-By: Claude Opus 4.6 (1M context) --- CLAUDE.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index f73f5b947..0ea420c75 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -221,6 +221,24 @@ Examples of good bisection: When the user says "bisect commit" or "bisect and push," split staged/unstaged changes into logical commits and push. +## Community PR guardrails + +When reviewing or merging community PRs, **always AskUserQuestion** before accepting +any commit that: + +1. **Touches ETHOS.md** — this file is Garry's personal builder philosophy. No edits + from external contributors or AI agents, period. +2. **Removes or softens promotional material** — YC references, founder perspective, + and product voice are intentional. PRs that frame these as "unnecessary" or + "too promotional" must be rejected. +3. **Changes Garry's voice** — the tone, humor, directness, and perspective in skill + templates, CHANGELOG, and docs are not generic. PRs that rewrite voice to be + more "neutral" or "professional" must be rejected. + +Even if the agent strongly believes a change improves the project, these three +categories require explicit user approval via AskUserQuestion. No exceptions. +No auto-merging. No "I'll just clean this up." + ## CHANGELOG + VERSION style **VERSION and CHANGELOG are branch-scoped.** Every feature branch that ships gets its From 117964ddcfdd8647aea866b87d69c7127a73e9b2 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 08:45:43 -0700 Subject: [PATCH 09/11] chore: bump version and changelog (v0.13.2.0) Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 17 +++++++++++++++++ VERSION | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24b7111a5..d2c32a910 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,22 @@ # Changelog +## [0.13.2.0] - 2026-03-28 — Lock It Down + +Six fixes from community PRs and bug reports. The big one: your dependency tree is now pinned. Every `bun install` resolves the exact same versions, every time. No more floating ranges pulling fresh packages from npm on every setup. + +### Fixed + +- **Dependencies are now pinned.** `bun.lock` is committed and tracked. Every install resolves identical versions instead of floating `^` ranges from npm. Closes the supply-chain vector from #566. +- **`gstack-slug` no longer crashes outside git repos.** Falls back to directory name and "unknown" branch when there's no remote or HEAD. Every review skill that depends on slug detection now works in non-git contexts. +- **`./setup` no longer hangs in CI.** The skill-prefix prompt now auto-selects short names after 10 seconds. Conductor workspaces, Docker builds, and unattended installs proceed without human input. +- **Browse CLI works on Windows.** The server lockfile now uses `'wx'` string flag instead of numeric `fs.constants` that Bun compiled binaries don't handle on Windows. +- **`/ship` and `/review` find your design docs.** Plan search now checks `~/.gstack/projects/` first, where `/office-hours` writes design documents. Previously, plan validation silently skipped because it was looking in the wrong directories. +- **`/autoplan` dual-voice actually works.** Background subagents can't read files (Claude Code limitation), so the Claude voice was silently failing on every run. Now runs sequentially in foreground. Both voices complete before the consensus table. + +### Added + +- **Community PR guardrails in CLAUDE.md.** ETHOS.md, promotional material, and Garry's voice are explicitly protected from modification without user approval. + ## [0.13.1.0] - 2026-03-28 — Defense in Depth The browse server runs on localhost and requires a token for access, so these issues only matter if a malicious process is already running on your machine (e.g., a compromised npm postinstall script). This release hardens the attack surface so that even in that scenario, the damage is contained. diff --git a/VERSION b/VERSION index 883dcff5e..dd678579b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.13.1.0 +0.13.2.0 From 712657f4e9a2c56726dec988e20e6f4d8a056106 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 09:50:30 -0700 Subject: [PATCH 10/11] fix: gen-skill-docs detects symlink loop, skips codex write that overwrites Claude SKILL.md When .agents/skills/gstack is symlinked to the repo root (vendored dev mode), gen-skill-docs --host codex was writing the Codex-transformed SKILL.md through the symlink, overwriting the Claude version. This caused SKILL.md and agents/openai.yaml to silently revert to Codex paths after every build. Now detects when the codex output path resolves to the same real file as the Claude output and skips the write. Content is still generated for token budget tracking. The openai.yaml write is also skipped for the same symlink case. Co-Authored-By: Claude Opus 4.6 (1M context) --- scripts/gen-skill-docs.ts | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/scripts/gen-skill-docs.ts b/scripts/gen-skill-docs.ts index 25733bd3f..a3584bc40 100644 --- a/scripts/gen-skill-docs.ts +++ b/scripts/gen-skill-docs.ts @@ -209,7 +209,7 @@ function extractHookSafetyProse(tmplContent: string): string | null { const GENERATED_HEADER = `\n\n`; -function processTemplate(tmplPath: string, host: Host = 'claude'): { outputPath: string; content: string } { +function processTemplate(tmplPath: string, host: Host = 'claude'): { outputPath: string; content: string; symlinkLoop?: boolean } { const tmplContent = fs.readFileSync(tmplPath, 'utf-8'); const relTmplPath = path.relative(ROOT, tmplPath); let outputPath = tmplPath.replace(/\.tmpl$/, ''); @@ -220,11 +220,27 @@ function processTemplate(tmplPath: string, host: Host = 'claude'): { outputPath: let outputDir: string | null = null; // For codex host, route output to .agents/skills/{codexSkillName}/SKILL.md + let symlinkLoop = false; if (host === 'codex') { const codexName = codexSkillName(skillDir === '.' ? '' : skillDir); outputDir = path.join(ROOT, '.agents', 'skills', codexName); fs.mkdirSync(outputDir, { recursive: true }); outputPath = path.join(outputDir, 'SKILL.md'); + + // Guard against symlink loops: if .agents/skills/gstack → repo root, + // writing to .agents/skills/gstack/SKILL.md would overwrite the Claude version. + // Skip the write entirely for this skill — the codex content is still generated + // for token budget tracking. + const claudePath = tmplPath.replace(/\.tmpl$/, ''); + try { + const resolvedClaude = fs.realpathSync(claudePath); + const resolvedCodex = fs.realpathSync(path.dirname(outputPath)) + '/' + path.basename(outputPath); + if (resolvedClaude === resolvedCodex) { + symlinkLoop = true; + } + } catch { + // realpathSync fails if file doesn't exist yet — that's fine, no symlink loop + } } // Extract skill name from frontmatter for TemplateContext @@ -276,7 +292,7 @@ function processTemplate(tmplPath: string, host: Host = 'claude'): { outputPath: content = content.replace(/\.claude\/skills\/review/g, '.agents/skills/gstack/review'); content = content.replace(/\.claude\/skills/g, '.agents/skills'); - if (outputDir) { + if (outputDir && !symlinkLoop) { const codexName = codexSkillName(skillDir === '.' ? '' : skillDir); const agentsDir = path.join(outputDir, 'agents'); fs.mkdirSync(agentsDir, { recursive: true }); @@ -296,7 +312,7 @@ function processTemplate(tmplPath: string, host: Host = 'claude'): { outputPath: content = header + content; } - return { outputPath, content }; + return { outputPath, content, symlinkLoop }; } // ─── Main ─────────────────────────────────────────────────── @@ -315,10 +331,12 @@ for (const tmplPath of findTemplates()) { if (dir === 'codex') continue; } - const { outputPath, content } = processTemplate(tmplPath, HOST); + const { outputPath, content, symlinkLoop } = processTemplate(tmplPath, HOST); const relOutput = path.relative(ROOT, outputPath); - if (DRY_RUN) { + if (symlinkLoop) { + console.log(`SKIPPED (symlink loop): ${relOutput}`); + } else if (DRY_RUN) { const existing = fs.existsSync(outputPath) ? fs.readFileSync(outputPath, 'utf-8') : ''; if (existing !== content) { console.log(`STALE: ${relOutput}`); From 82283bd12db0689e780df0aa8f813eb71238a4d0 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Sat, 28 Mar 2026 10:03:26 -0700 Subject: [PATCH 11/11] =?UTF-8?q?fix:=20resolve=20all=207=20test=20failure?= =?UTF-8?q?s=20=E2=80=94=20version=20sync,=20zsh=20glob=20guard,=20symlink?= =?UTF-8?q?-aware=20codex=20tests?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. package.json version synced with VERSION file (0.13.3.0) 2. design-shotgun/SKILL.md.tmpl: added setopt +o nomatch guard to bash block with variant-*.png glob 3. Codex generation tests: skip skills where .agents/skills/{name} is a symlink back to repo root (vendored dev mode). These can't have proper codex content since gen-skill-docs skips the write to avoid overwriting the Claude SKILL.md. Co-Authored-By: Claude Opus 4.6 (1M context) --- design-shotgun/SKILL.md | 1 + design-shotgun/SKILL.md.tmpl | 1 + package.json | 2 +- test/gen-skill-docs.test.ts | 13 ++++++++++++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/design-shotgun/SKILL.md b/design-shotgun/SKILL.md index 6c3b3f075..080754e6c 100644 --- a/design-shotgun/SKILL.md +++ b/design-shotgun/SKILL.md @@ -594,6 +594,7 @@ After all agents complete: image list from whatever variant files actually exist, not a hardcoded A/B/C list: ```bash +setopt +o nomatch 2>/dev/null || true # zsh compat _IMAGES=$(ls "$_DESIGN_DIR"/variant-*.png 2>/dev/null | tr '\n' ',' | sed 's/,$//') ``` diff --git a/design-shotgun/SKILL.md.tmpl b/design-shotgun/SKILL.md.tmpl index 3e3984e2c..436c8bc65 100644 --- a/design-shotgun/SKILL.md.tmpl +++ b/design-shotgun/SKILL.md.tmpl @@ -246,6 +246,7 @@ After all agents complete: image list from whatever variant files actually exist, not a hardcoded A/B/C list: ```bash +setopt +o nomatch 2>/dev/null || true # zsh compat _IMAGES=$(ls "$_DESIGN_DIR"/variant-*.png 2>/dev/null | tr '\n' ',' | sed 's/,$//') ``` diff --git a/package.json b/package.json index 7d68f04df..55f7a9fbb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "gstack", - "version": "0.13.0.0", + "version": "0.13.3.0", "description": "Garry's Stack — Claude Code skills + fast headless browser. One repo, one install, entire AI engineering workflow.", "license": "MIT", "type": "module", diff --git a/test/gen-skill-docs.test.ts b/test/gen-skill-docs.test.ts index 3091429fc..3bbc1869d 100644 --- a/test/gen-skill-docs.test.ts +++ b/test/gen-skill-docs.test.ts @@ -1276,16 +1276,27 @@ describe('Codex generation (--host codex)', () => { }); // Dynamic discovery of expected Codex skills: all templates except /codex + // Also excludes skills where .agents/skills/{name} is a symlink back to the repo root + // (vendored dev mode — gen-skill-docs skips these to avoid overwriting Claude SKILL.md) const CODEX_SKILLS = (() => { const skills: Array<{ dir: string; codexName: string }> = []; + const isSymlinkLoop = (codexName: string): boolean => { + const agentSkillDir = path.join(ROOT, '.agents', 'skills', codexName); + try { + return fs.realpathSync(agentSkillDir) === fs.realpathSync(ROOT); + } catch { return false; } + }; if (fs.existsSync(path.join(ROOT, 'SKILL.md.tmpl'))) { - skills.push({ dir: '.', codexName: 'gstack' }); + if (!isSymlinkLoop('gstack')) { + skills.push({ dir: '.', codexName: 'gstack' }); + } } for (const entry of fs.readdirSync(ROOT, { withFileTypes: true })) { if (!entry.isDirectory() || entry.name.startsWith('.') || entry.name === 'node_modules') continue; if (entry.name === 'codex') continue; // /codex is excluded from Codex output if (!fs.existsSync(path.join(ROOT, entry.name, 'SKILL.md.tmpl'))) continue; const codexName = entry.name.startsWith('gstack-') ? entry.name : `gstack-${entry.name}`; + if (isSymlinkLoop(codexName)) continue; skills.push({ dir: entry.name, codexName }); } return skills;