github gsd-build/get-shit-done v1.42.0-rc1

pre-release · 14 hours ago

v1.42.0-rc1 is a release candidate cutting forward from v1.41.0 with all the fixes that shipped in the v1.41.1 hotfix, plus a new security gate, two seam refactors, and additional state/workstream/docs corrections.

📖 New-features companion doc: docs/RELEASE-v1.42.0-rc.1.md — feature-scoped writeup of the package legitimacy gate and the two architecture deepenings, with link-outs to v1.41.1 / v1.41.0 for prior content. (Resolves once #3280 merges to main.)

Added

Security

  • Package legitimacy gate against slopsquatting — three-layer defense across the research → plan → execute pipeline. Hallucinated package names that pre-register on npm/PyPI/crates.io with malicious post-install scripts no longer flow undetected through gsd-executor. Integrates slopcheck at the research boundary, requires human-verify checkpoints in plans for suspicious packages, and tightens the executor's auto-fix scope. (#3215)
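An added sketch of the execute-side idea (not gsd-executor or slopcheck code): an install command is only allowed through when every package it names was already verified upstream, otherwise it is escalated to a human-verify checkpoint. All function names, the `eco:name` key format and the sample set are hypothetical.

```javascript
// Added sketch, not project code. Every name below is hypothetical.
const INSTALLERS = [
  { eco: "npm", re: /^(?:npm|pnpm|yarn)\s+(?:install|i|add)\s+(.+)$/ },
  { eco: "pypi", re: /^(?:pip3?|python3?\s+-m\s+pip)\s+install\s+(.+)$/ },
  { eco: "crates", re: /^cargo\s+(?:add|install)\s+(.+)$/ },
];

// Extract {eco, name} pairs from one shell line, including chained segments
// such as "cd app && npm install x".
function requestedPackages(commandLine) {
  const out = [];
  for (const segment of commandLine.split(/&&|\|\||[;|]/)) {
    for (const { eco, re } of INSTALLERS) {
      const m = re.exec(segment.trim());
      if (!m) continue;
      for (const tok of m[1].split(/\s+/)) {
        if (!tok || tok.startsWith("-")) continue; // skip flags
        // Flag arguments (e.g. a requirements file) fall through as names
        // and end up unverified, so the gate fails closed on them.
        const name = eco === "npm"
          ? tok.replace(/(?!^)@.*$/, "")       // keep "@scope/", drop "@version"
          : tok.replace(/[@=<>~!\[].*$/, "");  // drop version pins and extras
        out.push({ eco, name: name.toLowerCase() });
      }
    }
  }
  return out;
}

// Allow only when every requested package is in the verified set.
function gateInstall(commandLine, verified) {
  const unverified = requestedPackages(commandLine)
    .map((p) => `${p.eco}:${p.name}`)
    .filter((key) => !verified.has(key));
  return { action: unverified.length ? "human-verify" : "allow", unverified };
}

// Constructed sample: packages assumed to have passed the research-stage check.
const VERIFIED = new Set(["npm:express", "npm:@types/node", "pypi:requests"]);
```
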

Changed

Architecture

  • SDK package seam deepened; runtime-global skills policy converged — legacy package/install-layout compatibility (previously leaked across state-project-load, verify, roadmap, prompt-loading paths, agent-skills, skill-manifest, and generateDevPreferences) is now centralized behind the SDK Package Seam Module, with a single runtime-global skills path policy shared by SDK and CJS callers. (#3238)
  • Phase lifecycle seams deepened — phase-lifecycle.ts becomes a thin public orchestrator. Three new modules extracted: Phase Numbering Policy, Phase Filesystem Adapter (directory listing, gitkeep, archive), and Phase Roadmap Mutation (replaceInCurrentMilestone + atomic ROADMAP read-modify-write). Backward-compatible re-exports preserved. (#3267)

Fixed

Phase planning & state

  • Wave 0 plans no longer collapse into wave 1, and depends_on is honored — phase-plan-index now derives waves from a Kahn topological sort over depends_on (with cycle detection) instead of trusting the wave: frontmatter alone, and a parsed wave: 0 is preserved instead of being coerced by parseInt(...) || 1. A declared wave: that disagrees with the computed level surfaces as a non-fatal warning. CJS and SDK twins fixed identically. (#3276)
  • execute-phase step 5.5 documents the cross-wave-deviation cleanup tail so deviation cleanup is no longer silently skipped between waves. (#3273)
  • buildStateFrontmatter counts nested plans/<N>-PLAN-<NN>-<slug>.md files — repos using the post-#3139 nested layout no longer get progress.* counters silently overwritten downward on every state mutation (the reporter's total_plans: 36 → 25 regression is fixed). Flat-layout repos are unaffected. (#3261)
  • state snapshot prefers YAML frontmatter for canonical fields — body table cells like **Status:** to ✅ COMPLETE no longer override the correct frontmatter value. Numeric frontmatter scalars (current_phase: 19) are preserved instead of dropped. Falls back to body extraction only when the key is absent. (#3275)
  • state.update on body-only changes preserves curated progress.* frontmatter — a "Last Activity" edit no longer tramples manually-curated cross-milestone counters. The progress-percent formula now applies min(plan_fraction, phase_fraction), so 22/22 plans across 6/12 declared phases reports 50%, not a false 100%. (#3252)
  • phase.add honors --dry-run and rejects unknown flags — --dry-run was silently absorbed into the phase description; it now returns { dry_run: true, roadmap_entry } and skips disk writes. Any unrecognized --flag raises a validation error. (#3246)
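The wave derivation described in the #3276 entry above, as an added example (not the project's phase-plan-index code): Kahn's algorithm peeled level by level, with cycle detection and the declared-versus-computed warning. The plan shape `{ id, wave, depends_on }`, the function names and the choice that root plans sit at level 0 are assumptions.

```javascript
// Added example, not project code. Plan shape and names are assumptions.
function parseWave(raw) {
  const n = Number.parseInt(raw, 10);
  // Keeps a legitimate 0; `parseInt(raw) || 1` would coerce it to 1.
  return Number.isNaN(n) ? null : n;
}

function computeWaves(plans) {
  const indegree = new Map(plans.map((p) => [p.id, 0]));
  const dependents = new Map(plans.map((p) => [p.id, []]));
  for (const p of plans) {
    for (const dep of p.depends_on || []) {
      if (!indegree.has(dep)) throw new Error(`${p.id}: unknown dependency ${dep}`);
      indegree.set(p.id, indegree.get(p.id) + 1);
      dependents.get(dep).push(p.id);
    }
  }
  // Peel zero-indegree plans one level at a time; the level is the wave.
  const level = new Map();
  let frontier = plans.filter((p) => indegree.get(p.id) === 0).map((p) => p.id);
  for (let wave = 0; frontier.length > 0; wave++) {
    const next = [];
    for (const id of frontier) {
      level.set(id, wave);
      for (const child of dependents.get(id)) {
        indegree.set(child, indegree.get(child) - 1);
        if (indegree.get(child) === 0) next.push(child);
      }
    }
    frontier = next;
  }
  // Anything never reaching indegree 0 is on, or behind, a cycle.
  if (level.size !== plans.length) {
    const stuck = plans.filter((p) => !level.has(p.id)).map((p) => p.id);
    throw new Error(`dependency cycle among: ${stuck.join(", ")}`);
  }
  const warnings = [];
  for (const p of plans) {
    const declared = parseWave(p.wave);
    if (declared !== null && declared !== level.get(p.id)) {
      warnings.push(`${p.id}: declared wave ${declared}, computed ${level.get(p.id)}`);
    }
  }
  return { waves: Object.fromEntries(level), warnings };
}

// Constructed sample: plan 03 declares wave 1 but depends on a wave-1 plan.
const SAMPLE_PLANS = [
  { id: "01", wave: "0", depends_on: [] },
  { id: "02", wave: "1", depends_on: ["01"] },
  { id: "03", wave: "1", depends_on: ["02"] },
];
```
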

Workstream

  • workstream create --migrate-name normalizes through the canonical slug policy — raw values containing spaces or non-[a-z0-9-] characters no longer create migrated directories that later workstream commands reject. Empty post-normalization names fail fast. (#3269)

Query dispatch & CLI

  • Native --help is non-mutating — a dispatcher-level guard short-circuits to a help stub whenever --help / -h appears in args destined for a mutating handler, with defense-in-depth in milestoneComplete rejecting --help as a version value. (#3272)
  • CJS dispatcher accepts the canonical dotted command form — state.update, roadmap.analyze, phases.list, etc. now resolve correctly when callers bypass the SDK. Unknown dotted commands suggest the spaced equivalent. (#3248)
  • extractFrontmatter is anchored at file start — the regex no longer matches a frontmatter-shaped block later in the file, fixing fields read off the wrong block. (#3247)
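The anchoring issue from the #3247 entry above, as an added example (not the project's extractFrontmatter): an unanchored pattern reads fields from a frontmatter-shaped block in the body, while the anchored one accepts a block only at the very start of the file. Both regexes, the simple `key: value` parser and the sample documents are assumptions.

```javascript
// Added example, not project code. Patterns and samples are constructed.

// Unanchored: matches the first ---...--- block anywhere in the text.
const UNANCHORED = /---\r?\n([\s\S]*?)\r?\n---/;
// Anchored: without the `m` flag, ^ is start of input (an optional BOM is allowed).
const ANCHORED = /^\uFEFF?---\r?\n([\s\S]*?)\r?\n---[ \t]*(?:\r?\n|$)/;

function extractFrontmatter(text, re = ANCHORED) {
  const m = re.exec(text);
  if (!m) return {};
  const fields = {};
  for (const line of m[1].split(/\r?\n/)) {
    const kv = /^([A-Za-z0-9_.-]+):\s*(.*)$/.exec(line);
    if (kv) fields[kv[1]] = kv[2];
  }
  return fields;
}

// No real frontmatter, but the body quotes a frontmatter-shaped block.
const NO_FRONTMATTER =
  "# Notes\n\nExample:\n\n---\nstatus: complete\n---\n";

// Real frontmatter at the top, plus a conflicting block later in the body.
const WITH_FRONTMATTER =
  "---\nstatus: in_progress\nwave: 0\n---\n# Plan\n\n---\nstatus: complete\n---\n";

// Returns what each pattern reads from the same document.
function compare(text) {
  return {
    unanchored: extractFrontmatter(text, UNANCHORED),
    anchored: extractFrontmatter(text, ANCHORED),
  };
}
```
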

Code review pipeline

  • code-review SUMMARY parser hardened; BL- / blocker: accepted as Critical-tier — fixes three cooperating bugs: compute_file_scope no longer captures prose bullets as file paths (boundary regex widened to [\w-]+, with path-validity guard); present_results grep accepts both critical: and blocker: keys (and ### BL- headings); gsd-code-fixer treats BL-* findings as Critical-tier-equivalent to CR-* instead of dropping them. POSIX [[:space:]] replaces \s so the grep works on BSD grep (macOS). (#3274)

Install

  • Codex install accepts TOML float values — parseTomlValue now reads TOML 1.0 floats (decimals, exponents, signed, _ separators), so tool_timeout_sec = 20.0 no longer triggers a fatal schema error. The Codex post-install rollback is unified and idempotent: it now reverts config.toml, skills/gsd-*, agents/gsd-*, get-shit-done/VERSION, and orphaned atomic-write temp files together, leaving no hybrid state behind. (#3254)
  • ✓ GSD SDK ready only prints once SDK is genuinely reachable — install now requires a persistent cross-shell PATH probe and filters transient _npx entries from both process.env.PATH and the login-shell PATH before declaring success. Eliminates false-ready signals on Linux. (#3249)
  • config-set model_overrides.<agent-id> accepted — was previously rejected as an unknown key. (#3253)
  • Shared model catalog as the single source of truth for agent profiles and runtime tier defaults (ADR-0003) — replaces four drifting truths (CJS model-profiles, SDK config-query, settings-advanced.md, session-runner) with sdk/shared/model-catalog.json, consumed by both packages via thin adapters. resolve-model now covers all 33 shipped agents; unknown-agent fallback is profile-semantic (quality→opus, budget→haiku, balanced/adaptive→sonnet) instead of hardcoded sonnet. (#3230)

Capture

  • /gsd-capture --seed one-shot contract restored — the workflow now defines $KEYWORD from $IDEA in collect-breadcrumbs, wires --enrich to skip parse-idea and target the resolved seed, and adds language identifiers to plant-seed code blocks. (#3250)

Documentation

  • v1.41.0 release documentation — CHANGELOG.md promoted from [Unreleased] → [1.41.0] - 2026-05-07; docs/CONFIGURATION.md section labels corrected ("added in v1.40" → "v1.41" for models and dynamic_routing); compact docs/RELEASE-v1.41.0.md added; docs/FEATURES.md v1.41.0 section (features 126–131) added; root README "Notable extras" command table trimmed (README is a highlight page, not a command reference). (#3219)
  • /gsd-intel references replaced with /gsd-map-codebase --query across workflows/settings.md, references/planning-config.md, docs/INVENTORY.md, docs/USER-GUIDE.md, docs/FEATURES.md, and agents/gsd-intel-updater.md. The gsd-intel-updater agent name and backend intel.* config keys are intentionally preserved — only the retired user-facing slash command is updated. (#3260)
  • FEATURES.md /gsd-new-workspace reference replaced with /gsd-workspace --new in Feature 129 (Issue-Driven Orchestration Guide). (#3221)

This is a release candidate. Install for testing:

npx get-shit-done-cc@next

Full Changelog: v1.41.0...v1.42.0-rc1
