v1.43.0-rc2 Release Notes
Release candidate. Published to npm under the next dist-tag.
npx get-shit-done-cc@next
What's in this release
1.43.0 is the first feature release on top of 1.42.x. The headline is
the CJS ↔ SDK seam migration (#3524) — Phases 2 through 6 land
end-to-end, moving Configuration, Workstream Inventory, Project-Root
Resolution, and a synchronous QueryRuntimeBridge.executeForCjs
primitive onto shared manifests and the public SDK surface. The release
also opens the Runtime Artifact Layout Module (ADR #3660) with
Phase 1, which migrates the install/uninstall skill-surface emission to
a layout-driven loop. Other notable additions include tiered
/gsd-help output (--brief / default / --full / <topic>),
opt-in knowledge-graph auto-update after main advances, a
Node 22 / 24 / 26 × OS test matrix, and three new
security / fault-injection suites — adversarial prompt-injection,
adversarial parser fixtures, and a platformWriteSync atomic-write
fault-injection harness. Every 1.42.3 hotfix is rolled forward
unchanged.
Added
- CJS ↔ SDK seam migration end-to-end complete (#3524) — Phases 2–6
  replace ad-hoc CJS bridges with shared manifests, a generator, and
  the QueryRuntimeBridge.executeForCjs synchronous primitive:
  Configuration Module via shared manifests (#3536), Workstream
  Inventory Builder/Reader split (#3544), Project-Root Resolution
  Module via generator (#3553), executeForCjs primitive (#3555),
  end-to-end seam migration close-out (#3575).
- Runtime Artifact Layout Module — Phase 1 —
  runtime-artifact-layout.cjs becomes the single source of truth for
  per-runtime install staging. bin/install.js install/uninstall paths
  migrate onto the layout-driven loop, and applySurface switches to a
  layout-passing API. The ADR + CONTEXT.md entry document the module
  surface. (#3660, #3663, #3664)
- Tiered /gsd-help output — --brief, default, --full, and <topic>
  modes let users dial the help-surface size to the situation instead
  of paging through one monolithic dump. (#3039)
- Opt-in knowledge-graph auto-update after main advances — when
  enabled, .planning/graphs/ refreshes automatically whenever the
  project's main HEAD moves forward, so graph queries stay coherent
  with recent commits without a manual /gsd-graphify. The graphify
  hook + lib/ helper now ship through the canonical build-hooks +
  install pipeline. (#3347, #3579)
- Node 22 / 24 / 26 × OS test matrix — the test suite is split into
  focused groups and exercised across three Node majors and the
  CI-supported OS targets, with a shell:bash pin on npm ci/build
  steps to keep Windows runners on the same shell as Linux/macOS.
  (#3597, #3597)
- Three new security / fault-injection suites — adversarial
  security/prompt-injection abuse coverage (#3596), adversarial parser
  fixtures plus a frontmatter/roadmap matrix and a property-style
  sweep (#3594), and a filesystem fault-injection harness for the
  platformWriteSync atomic-write seam (#3595).
- Generator correctness, parity, and atomicity coverage — new test
  suite exercises the generator end-to-end for output stability,
  cross-target parity, and atomic-write behavior under partial-write
  scenarios. (#3598)
- CLI negative-matrix harness, config family, and universal sweep —
  invalid-input matrix coverage across every CLI entrypoint, catching
  argument-parsing regressions before they escape to runtime. (#3593)
Fixed
- Workstream relPlanningPath rejects path traversal (security) —
  workstream arguments containing .. segments or absolute paths are
  rejected before composition into .planning/ paths, closing a
  directory-traversal class. (#3589)
- Hook classifier whitelists bundled filenames (security) — the
  bundled-hook classifier now uses an allow-list of known filenames
  instead of inferring from path shape, preventing user-authored hooks
  with similar names from being misclassified as bundled. (#3628)
- Production npm audit advisories cleared (security) — all
  production-tree advisories surfaced by npm audit are resolved at
  the supply-chain level. (#3588)
- Workstream forwarded to native registry dispatch — the active
  workstream now propagates through to the native command registry so
  workstream-scoped invocations resolve against the correct registry
  view. (#3591)
- Project-code phase prefix preserved through milestone filter and
  roadmap lookup — phase directories carrying a project-code prefix
  are counted in the milestone filter (#3600) and the prefix survives
  roadmap lookup paths (#3599).
- Phase removal preserves peer-depth decimals and renumbers slugged
  plan references — /gsd:phase remove <N> keeps decimal siblings of
  the removed integer phase (#3601) and rewrites slugged plan
  references in the surviving phases (#3602).
- Fresh Codex install no longer blocked by leftover bundled hooks —
  the installer cleans residual bundled hooks from earlier installs
  before staging the current set, so a fresh install completes on a
  partially-cleaned home directory. (#3610)
- Antigravity modelled as a first-class runtime in update.md — the
  update flow treats Antigravity alongside Claude/Codex/Cursor instead
  of as a side-channel install. (#3608)
- Retired slash commands scrubbed from generated agent files and
  SKILL.md bodies — the deprecated colon form is no longer emitted
  into agents/*.md (#3605) or into Claude / Qwen / Hermes-generated
  SKILL.md bodies (#3583).
- Full Claude model id resolved when resolve_model_ids: true — config
  emission resolves the short alias (e.g. sonnet) to the current full
  id (e.g. claude-sonnet-4-6) at install time rather than at runtime.
  (#3643)
- Stale @gsd-build/sdk@0.1.0 global shadow detected and warned — the
  install probes for an outdated global SDK install that would shadow
  the bundled SDK and surfaces a remediation path. (#3406)
- Documentation gates and release-hygiene rules — lint:docs
  enforcement and PR-template validation land alongside a rule that
  forbids bundling test-fixture updates into docs: commits and a
  release-sdk fix to cherry-pick test-fixture commits cleanly.
  (#3651, #3621, #3621)
- Windows compatibility hardening — nested-worktree state derived
  from git show-prefix instead of path math, rmSync retry budgets in
  lint/security teardown, EPERM retry on tmpDir teardown, and EOL
  normalization in generator drift assertions land across the Windows
  matrix. (#3597)
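
The relPlanningPath traversal fix listed under Fixed, sketched as an added example (not the project's own code): a validator that rejects .. segments and absolute paths before composing a path under .planning/. The function names, the workstreams subdirectory and the sample inputs are assumptions made for illustration.

```javascript
// Added example: a hypothetical validator, not the project's relPlanningPath.
const path = require('node:path');

// '.planning' comes from the release notes; 'workstreams' is an assumed subdirectory.
const PLANNING_DIR = '.planning';
const WORKSTREAMS_DIR = 'workstreams';

function safeRelPlanningPath(projectRoot, workstream) {
  if (typeof workstream !== 'string' || workstream === '' || workstream.includes('\0')) {
    throw new Error('invalid workstream name');
  }
  // Reject absolute forms from either platform: "/x", "\\x", "C:\\x", "C:x".
  if (path.posix.isAbsolute(workstream) || path.win32.isAbsolute(workstream) ||
      /^[A-Za-z]:/.test(workstream)) {
    throw new Error('absolute path rejected');
  }
  // Compare whole segments, so "release..v2" passes while "a/../b" does not.
  const segments = workstream.split(/[\\/]+/).filter(Boolean);
  if (segments.includes('..')) throw new Error('".." segment rejected');

  // Defence in depth: the composed path must resolve strictly inside the base.
  const base = path.resolve(projectRoot, PLANNING_DIR, WORKSTREAMS_DIR);
  const full = path.resolve(base, ...segments);
  if (!full.startsWith(base + path.sep)) {
    throw new Error('not inside the workstreams directory');
  }
  return path.relative(projectRoot, full);
}

// Returns 'ok' or the rejection reason for each input.
function classify(projectRoot, inputs) {
  return inputs.map((w) => {
    try { safeRelPlanningPath(projectRoot, w); return 'ok'; }
    catch (e) { return e.message; }
  });
}

// Constructed sample inputs, covering POSIX and Windows separators.
console.log(classify(path.resolve('proj'), [
  'auth-rework', 'release..v2', '../../etc', 'a/../../b',
  '..\\..\\x', '/etc/passwd', 'C:\\Windows',
]));
```

Matching whole segments rather than searching for the substring `..` keeps legitimate names such as release..v2 usable, and the final containment check catches names that normalise to the base directory itself.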
What was in 1.42.3
v1.42.3 — Codex CLI 0.130.0 install routability, runtime-aware slash
formatting, argv-based subprocess for check.ship-ready (security),
phase_status on init.plan-phase with /gsd:plan-phase gating on
closed phases, canonical [features].hooks for Codex configs, plus
correctness fixes for W006/W007 health warnings, ultraplan runtime
detection, padded phase IDs, prompt-user migrations in non-TTY runs,
executor-agent stash prohibition, and configuration-manifest
install-time loading. All 1.42.3 fixes are rolled forward into
1.43.0-rc2.
Installing
# npm — release-candidate stream
npm install -g get-shit-done-cc@next
# npx (one-shot)
npx get-shit-done-cc@next
# Pin to this exact version
npm install -g get-shit-done-cc@1.43.0-rc2
The installer is idempotent — re-running on an existing install
updates in-place, preserving your .planning/ directory and local
patches.
Codex CLI requirement
Codex installs (--codex) require Codex CLI 0.130.0 or later.
Earlier Codex versions used a discovery mechanism that the current
install layout does not target; upgrade Codex first, then re-run the
GSD installer.
Release-candidate caveat
next-stream builds may carry rough edges that the latest (stable)
channel never sees. Use for early-exercise and feedback; do not pin
production projects to it.