github gsd-build/get-shit-done v1.42.0
on GitHub

pre-release2 hours ago

Added

Security & planning gates

  • Package legitimacy gate against slopsquatting - researchers now audit recommended packages with registry checks and slopcheck, planners add human-verification checkpoints for assumed or suspicious packages, and executors no longer auto-retry failed package installs. The gate degrades safely when slopcheck is unavailable by tagging packages as assumed and requiring human verification. (#3215)
  • End-of-phase human verification mode is now the default - workflow.human_verify_mode = end-of-phase reduces mid-flight interruption while preserving the human gate before completion. (#3325)
  • Structured JSON error mode for gsd-tools - --json-errors now exposes typed failure reasons for automation and agent callers. (#3304, #3311)

Installer migration framework

  • Installer migration runner foundation - the installer now has a staged migration framework for legacy cleanup and install/update reconciliation work. (#3398)
  • Existing cleanup behavior moved into migrations - legacy cleanup paths are now represented as explicit migration steps instead of ad hoc installer branches. (#3399)
  • First-time baseline scanner added - new installs can establish a cleaner baseline for future migration decisions. (#3400)
  • Install/update integration wired through the migration runner - migration execution is now part of the installer flow instead of a disconnected helper path. (#3402)
  • Migration authoring guardrails added - migration files now have tests and conventions that make future cleanup work easier to review safely. (#3404)

Release and PR automation

  • Release notes can now be generated from changeset slugs - release tooling can render grouped release notes from .changeset/ fragments instead of relying on raw GitHub autogenerated PR lists. (#3383)
  • Configurable PR body sections for ship workflows - ship automation can compose PR bodies from configured sections while preserving required contribution metadata. (#3391)

Changed

Architecture & SDK seams

  • SDK package seam and runtime-global skills policy deepened - legacy install-layout compatibility and runtime-aware global-skill paths now live behind dedicated modules instead of leaking across state, verification, roadmap, prompt-loading, and manifest code. (#3238)
  • Phase lifecycle seams deepened - phase numbering, filesystem operations, and roadmap mutation are split into dedicated modules while keeping compatibility re-exports on the public phase lifecycle surface. (#3267)
  • SDK-first architecture seams refactored - more CJS/SDK overlap is consolidated behind SDK-oriented boundaries, reducing drift between runtime paths. (#3316)
  • Shared phase-plan scanning helper extracted - phase-plan indexing now shares one scanner across call sites. (#3308)
  • Contributor standards and ADR indexing codified - contribution guidance now points agents and humans at CONTEXT.md, ADRs, and the ADR index as canonical architecture inputs. (#3301, #3302)
  • Release-note formatting standard documented for agents - CONTEXT.md now records the expected curated release-note style so future releases avoid raw autogenerated GitHub output. (#3278)

Fixed

Install & runtime conversion

  • Windows gsd-sdk installation is reliable - the installer checks persistent Windows PATH, replaces stale gsd-sdk.cmd shims that point at deprecated gsd-tools.cjs, and withholds false-ready messages when the shim is not reachable. (#3282)
  • CJS fallback bridge works after install - sdk/shared/model-catalog.json is now copied into the install payload and model-catalog.cjs resolves through install path, source repo path, then GSD_MODEL_CATALOG. (#3293)
  • Codex TOML hook state tables are accepted - hooks.state.* trust-persistence tables are treated as regular tables, not hook-event arrays. (#3289)
  • Gemini and Antigravity conversion drops Claude-only agent dispatcher tools instead of emitting invalid runtime permissions. (#3349)
  • Gemini Windows hook output is valid PowerShell - managed hook commands use PowerShell's call operator for quoted Node runners and reinstall rewrites existing managed hooks without double-prefixing. (#3368)
  • Installer SDK readiness detects stale gsd-sdk earlier on PATH and reports the resolved path, detected version, expected version, and global update remediation. (#3363)
  • Codex legacy hooks.json update hooks are cleaned up after TOML SessionStart hook installation, avoiding duplicate update hooks while preserving user-owned JSON hooks. (#3364)
  • Windows managed hook script paths are normalized to double-quoted forward-slash paths for PowerShell compatibility. (#3396)
  • Windows Bash-backed hooks resolve Git Bash explicitly instead of assuming bare bash is available on PATH. (#3397)

State, planning & execution

  • Phase directory naming now applies project_code consistently across discuss, plan, milestone-gap, import, add-backlog, and scaffold paths. (#3292, #3306)
  • record-metric, add-decision, and add-blocker preserve data by auto-creating missing canonical sections and honoring --ws workstream routing. (#3291)
  • Planner deep-work rules now match the action contract so planners keep directive prose, avoid fenced implementation dumps, and can include behavior/test acceptance criteria. (#3326)
  • Executor stall detection and safe-resume contracts added so interrupted execution runs surface drift before duplicate executor dispatch. (#3329)
  • Human-needed verification remains pending and ship preflight only passes explicit pass/passed verification states. (#3339)
  • Codex execute-phase fails closed when worktree isolation is requested because Codex agent spawning cannot currently guarantee Claude-style worktree isolation. (#3365)
  • phase remove --force no longer collapses later ROADMAP phases to the removed phase number. (#3367)
  • Codex model overrides show up in resolve-model and init.progress before resolve_model_ids: "omit" strips model IDs. (#3361)
  • SDK init phase flags normalized so workflow calls reach the expected SDK init handlers. (#3389)
  • New-project agent diagnostics exposed so failed project-research dispatch has actionable context. (#3390)
  • Codex roadmap progress sync handles padded phase arguments correctly. (#3380)

Verification, update & review safety

  • detect-custom-files scans skills/ again so user-added skills are not silently destroyed during update. (#3318)
  • Verifier blocks completion on unresolved TBD, FIXME, and XXX markers unless they carry accepted formal deferral references. (#3343)
  • Verifier probe scripts run directly instead of accepting SUMMARY-reported probe PASS markers as evidence. (#3350)
  • Worktree health subprocesses are bounded and surfaced so hung Git calls degrade visibly instead of blocking indefinitely. (#3283)
  • Worktree cleanup now fails closed when safety checks cannot prove the cleanup target is safe. (#3385)
  • Verify-work initialization honors workstream routing so workstream-scoped verification loads the right planning state. (#3386)
  • Deny-list parity tests replaced with polarity-inverted live-registry coverage to catch registry drift without maintaining brittle blocklists. (#3284)

Removed

Intel updater

  • gsd-intel-updater no longer emits the vestigial layout-detection line on non-framework projects - the layout detection block is gated on the get-shit-done-cc package name so ordinary user projects skip it silently. (#3299)

Install/upgrade: npx get-shit-done-cc@latest

Full Changelog: v1.41.2...v1.42.0

Check out latest releases or
releases around gsd-build/get-shit-done v1.42.0

Don't miss a new get-shit-done release

NewReleases is sending notifications on new releases.

Get notifications