v1.51.0.0 feat: $B memory diagnostic + 4 CDP-resource leak fixes#1751
Merged
Conversation
Two CDP-session lifecycle helpers in cdp-bridge.ts:
- withCdpSession(page, fn): ephemeral session with try/finally detach.
For one-shot CDP work (archive snapshots, $B memory, single
Page.captureScreenshot) where the caller doesn't need session reuse.
- getOrCreateCdpSession(page, cache): cached long-lived session that
registers a page.once('close') hook to BOTH delete the cache entry
AND call session.detach(). Pre-helper code only deleted the cache
entry, leaving the Chromium-side CDP target attached until the
underlying transport dropped.
Pure addition. Existing callers untouched in this commit; they migrate
in the next commit alongside the static-grep test that pins the
invariant.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fixes the CDP-target leak class identified by /codex outside-voice on
the eng review (D11 EXPAND_SCOPE). All three sites called
`page.context().newCDPSession(page)` directly and either forgot the
detach entirely (cdp-bridge cache cleanup), only detached on the
success path (write-commands archive), or detached on framenavigated
but not page-close (cdp-inspector).
- cdp-bridge.ts: `getCdpSession` now delegates to
`getOrCreateCdpSession`, which registers a `page.once('close')` hook
that BOTH removes the cache entry AND calls `session.detach()`.
- cdp-inspector.ts: same migration for the inspector's session pool.
Keeps the existing framenavigated detach (more granular than close
for DOM/CSS state invalidation) plus an inspector-layer close hook
for the initializedPages WeakSet.
- write-commands.ts archive: wraps Page.captureSnapshot in
withCdpSession so the detach runs in `finally`, including the path
where captureSnapshot throws.
The static-grep tripwire (next commit) pins the invariant so future
direct calls to newCDPSession fail CI.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
browse/test/cdp-session-cleanup.test.ts pins the invariant that no source file outside cdp-bridge.ts may call newCDPSession() directly. If a future refactor reintroduces the direct call, CI fails with a file:line list and a pointer to the right helper to use instead (withCdpSession for one-shot, getOrCreateCdpSession for cached). Also covers the helpers themselves with fake-Page unit tests: - withCdpSession detaches on success - withCdpSession detaches on throw (the actual leak fix) - withCdpSession swallows detach errors so they don't mask fn errors - getOrCreateCdpSession caches the session across calls - close hook detaches AND clears the cache Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
browse/src/sse-helpers.ts owns the SSE cleanup invariant: cleanup runs on abort, enqueue failure, AND heartbeat failure, exactly once, regardless of which edge fires first. Pre-helper, /activity/stream and /inspector/events ran cleanup only on the req.signal.abort edge. If the underlying TCP died without firing abort (Chromium MV3 service-worker suspend, intermediate proxy half-close), the subscriber closure stayed in the Set capturing the ReadableStreamDefaultController plus any payloads queued behind it. Over a multi-day sidebar session this compounded into multi-MB of retained controllers per dead connection. Caller surface: initialReplay (optional, for gap replay or state snapshots), subscribe (live-event source), liveEventName (SSE event name for live wrap), heartbeatMs. send() helper handles JSON encoding with sanitizeReplacer + lone-surrogate stripping. Unit tests pin all three cleanup edges + idempotency + replay ordering + surrogate sanitization. Endpoint refactors land in the next commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both endpoints collapse from ~45 lines of in-line ReadableStream wiring to ~8 lines of helper config. Behavior preserved bit-for-bit by the new sse-helpers tests: - initial replay (activity gap + history, inspector state snapshot) - live event subscription - 15s heartbeat - SSE framing - sanitizeReplacer applied to every JSON.stringify The leak fix is the cleanup contract: pre-refactor, both endpoints ran cleanup only on req.signal.abort. If TCP died without firing abort (Chromium MV3 SW suspend, intermediate proxy half-close), the subscriber closure stayed in the Set forever capturing the ReadableStreamDefaultController + queued payloads. Post-refactor, an enqueue-failure or heartbeat-failure on a dead consumer triggers the same idempotent cleanup as abort would. Net: -83 / +15 in server.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pre-cap, modificationHistory was an unbounded module-scoped array that grew for every CSS edit through $B css across the entire session. Small per-entry footprint but no upper bound, the kind of slow leak that compounds over multi-day inspector use. Cap is 200, oldest evicted on push past the cap. modHistoryTotalPushed stays monotonic across the session so undoModification can tell the user when their target index has been evicted, instead of just the opaque pre-cap "No modification at index 500" with no context. __testInternals export lets the cap + eviction error be unit-tested without spinning up a CDP-driven Page. Production code must continue to go through modifyStyle / undoModification / resetModifications. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Diagnostic foundation for $B memory and the /memory endpoint that land in the next two commits. Collects: - Bun process memory via process.memoryUsage (cross-platform, accurate). - Per-tab JS heap via CDP Performance.getMetrics, lazy per tracked page, swallows target-died errors so a dying tab doesn't poison the snapshot for the rest. - Chromium process tree via SystemInfo.getProcessInfo (PID + type + CPU time). RSS is NOT exposed via CDP — the eng review (D2 USE_CDP) picked CDP over shelling to `ps`, so notes[] tells the caller why the RSS column is absent and points at the follow-up TODO. cdp-inspector exports getModificationHistoryStats so the snapshot can surface buffer occupancy + cap + evicted count without reaching into module-private state. memory-snapshot.ts holds the shared types so server.ts and read-commands can import without circular dep on browser-manager. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Registers 'memory' in META_COMMANDS, wires the meta-command dispatch to a lazy-imported handler in memory-command.ts. Lazy because the import graph (cdp-bridge + memory-snapshot + buffer accessors) isn't useful to projects that never run the diagnostic. The handler assembles MemoryStructureStats from the modules that own each buffer (cdp-inspector mod history stats, activity subscriber count, console/network/dialog buffer lengths, captureBuffer bytes, inspectorSubscriber count via a new server.ts export) and calls BrowserManager.getMemorySnapshot. Output is text by default, JSON with --json so the sidebar footer and test harness can consume it programmatically. buildMemorySnapshotJson is the entry the /memory endpoint will call in the next commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GET /memory returns the BrowserManager memory snapshot as JSON. Auth matches /activity/stream and /inspector/events: Bearer header OR view-only SSE-session cookie (the extension fetches the cookie once via POST /sse-session, then polls /memory with withCredentials: true). Deliberately NOT extending /health for the sidebar footer poll — TODOS.md "Audit /health token distribution" records that /health already surfaces AUTH_TOKEN to any localhost caller in headed mode. A separate endpoint with the standard SSE auth keeps the future /health fix from cascading into the sidebar. sanitizeReplacer is applied at egress because tab.url and tab.title come from page content — lone-surrogate bytes from broken emoji could otherwise reach the sidebar and (when forwarded to Claude API) trigger HTTP 400. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Footer now shows "<bun-rss> · <tab-count>" sourced from the /memory endpoint, polled every 30s. Color thresholds: orange warn at 2 GB Bun RSS or 50 tabs; red bad at 8 GB or 200 tabs (matches the tab-guardrail threshold landing in a later commit). The footer gives the user an early signal that the cliff is forming, instead of only learning when the OS OOM-kills the process. Backoff per Codex's flag: if a poll takes > 2s response time the sidebar drops to a 5-minute cadence until the next successful fast poll. The diagnostic shouldn't add load to a browser that's already unhealthy. Start/stop is wired to the existing setServerInfo() hook so the timer only runs while the sidebar is connected to a server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Bun-side accelerant on the gbrowser-OOM investigation. Pre-fix, the per-page requestfinished listener called \`await res.body()\` just to read .length — Playwright fetches the bytes from Chromium across CDP into a Bun Buffer, only for the listener to discard the buffer after a single length read. On a long-lived headed browser with media-heavy pages this is multi-GB/hour of Buffer allocation churn. Bun GCs it, but the cross-process CDP traffic + transient allocation pressure feeds the OOM trajectory. The fix: req.sizes() pulls from the Network.loadingFinished event Chromium already emits. No body materialization. Accurate for chunked transfer, gzip-compressed responses, and streaming media — the cases where a naive Content-Length header read (the original review's proposal) would have missed the size entirely (Codex flag on the eng review, D10 USE_CDP_EVENT_BATCHED). The D10 stretch goal — replacing N per-page listeners with a single context-level CDP listener via Target.setAutoAttach — is deferred and tracked in TODOS. The listener architecture change is significantly more plumbing than the leak fix and not on the critical path for stopping the body materialization. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Server side (browser-manager.ts):
Idempotent threshold tracker fires an activity entry exactly once at
each upward crossing of 50 (soft warn) and 200 (hard warn). Re-arms
when the count drops below. Activity-feed surface gives the
audit-trail invariant even with the sidebar closed; the toast UX
lives in the sidebar.
Sidebar side (extension/sidepanel.{html,css,js}):
Every /memory poll evaluates two trigger conditions:
- Any single tab > 4 GB JS heap (catches the WebGL/video runaway
case Codex flagged on the eng review).
- Tab count >= 200.
Toast shows top 5 tabs ranked by max(jsHeap, nodes*1KB + listeners*200)
so a WebGL-heavy tab with small JS heap still surfaces. Default-selected
checkboxes + "Close selected" run \`\$B closetab <id>\` through the
existing /command path — no chrome.tabs.remove bridge needed. "Snooze"
bumps tabsAbove/heapAbove thresholds in chrome.storage.session so the
toast stays hidden until the user accumulates more tabs OR one tab
grows another 2 GB.
Tests: browse/test/tab-guardrail.test.ts pins the server-side
fires-once + re-arms invariants without spinning up Chromium.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
browse/test/memory-leak-reproducer.test.ts pins the invariant from the D10 fix: wirePageEvents.requestfinished must call req.sizes() but must NEVER call res.body(). Fakes a page emitting a burst of 200 requestfinished events, each with a notional 1 MB response — pre-fix this would allocate 200 MB of Buffer per burst, post-fix not one byte of body content is materialized. The test also asserts networkBuffer entries are still populated with the right size, so size reporting in the network panel doesn't regress. A real-Chromium peak-RSS reproducer (periodic tier) is deferred — see TODOS "Reproducer with WebGL / video / MSE buffer pressure". This gate-tier test is sufficient to catch the leak class being reintroduced by any future refactor of the requestfinished listener. Wall clock: ~400ms. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Captures the items deliberately deferred from the v1.49 leak-fix PR so the deferrals don't fall off the radar: - P2: MV3 extension service-worker memory profile (Codex finding #4) - P2: Native + GPU memory breakdown in \$B memory (Codex finding #5) - P3: Single-context CDP listener for Network.loadingFinished (D10 stretch goal) - P3: Real-Chromium peak-RSS reproducer for periodic tier (Codex finding on transient amplification + ANGLE_B_NUMBERS CHANGELOG framing dependency) Each entry follows the standard TODOS.md format: What / Why / Pros / Cons / Context / Priority / Effort. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The C8 commit added 'memory' to META_COMMANDS + COMMAND_DESCRIPTIONS but didn't regenerate the SKILL.md files. The category was 'Diagnostics' which isn't in scripts/resolvers/browse.ts:categoryOrder; switched to 'Server' (matches the existing 'status' / 'restart' / 'handoff' pattern) so the table renders under the existing ### Server section. Test fix: gen-skill-docs.test.ts asserts every command appears in the generated SKILL.md and gstack/llms.txt; without this regen the test fails with "Expected to contain: 'memory'". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
17 tests across the formatter + byte renderer + JSON entry point: - formatBytes() 4-tier (bytes, KB, MB, GB) + 160 GB sanity case (the friend's OOM number from the original screenshot, so the renderer doesn't blow up at real leak scale) - handleMemoryCommand --json mode parseable shape - handleMemoryCommand text mode: Bun server line, no-tabs branch, top-10 sort with "...and N more" tail, Chromium process grouping by type, "unavailable" line when processes is null, modification- history evicted-count format, notes section rendering, long-URL ellipsis truncation - buildMemorySnapshotJson returns shape matching the type The formatSnapshotText renderer is private to memory-command.ts; tests exercise it through handleMemoryCommand's text-mode return path. The eviction-count format is pinned via a parallel format contract assertion since the renderer reads live module state. Coverage gate: brings the diagnostic surface from 0% to ~80%. Extension UI (sidepanel.js footer + toast) remains uncovered — adding tests there would require extracting fmtBytesShort and tabRamScore from sidepanel.js into a testable TS module, which is deferred to a follow-up to keep this PR scoped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add $B memory command to BROWSER.md server lifecycle table. Document the new createSseEndpoint helper + CDP session lifecycle helpers (withCdpSession, getOrCreateCdpSession) in CLAUDE.md alongside the existing server hardening notes, with the static-grep tripwire callout so future contributors route through the helpers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lper The two `wiring invariants` tests grepped server.ts for `JSON.stringify(entry, sanitizeReplacer)` and `JSON.stringify(event, sanitizeReplacer)` — patterns that lived inline in /activity/stream and /inspector/events before the v1.51 refactor moved both endpoints behind createSseEndpoint. Sanitization still happens (the helper applies it inside its send() and live-event callback), but the static-grep was pinned to the old wiring and started failing on Windows free-tests after the refactor landed. Updated to check the new contract: - /activity/stream + /inspector/events route through createSseEndpoint (regex match of the route handler block ending in the helper call). - sse-helpers.ts contains JSON.stringify + sanitizeReplacer + imports stripLoneSurrogates from ./sanitize (catches drift to a private copy). - server.ts retains its own sanitizeReplacer for non-SSE egress paths (handleCommandInternal); the two replacers coexist by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
E2E Evals: ✅ PASS15/15 tests passed | $1.20 total cost | 12 parallel runners
12x ubicloud-standard-8 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite |
garrytan
added a commit
that referenced
this pull request
May 27, 2026
CI version gate caught: PR #1742 (garrytan/upgrade-gstack-gbrain-v1) already claims v1.50.0.0 and #1751 (garrytan/browser-memory-leak) claims v1.51.0.0. gstack-next-version util recommends v1.52.0.0 as the next free slot. Updates: - VERSION 1.50.0.0 → 1.52.0.0 - package.json version sync - CHANGELOG.md header + metric table label - parity-baseline-v1.47.0.0.json baseline_note reference No content changes; pure slot rebase per the queue. The cathedral scope (8 layers, 96 tests) and CHANGELOG narrative stay identical — same ship, different release number. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
garrytan
added a commit
that referenced
this pull request
May 29, 2026
…for contributors (#1741) * feat(plan-tune): explicit-consent surface + setup gate for question_tuning Step 0 grows two implicit gates that run before user-intent routing: - Consent gate: question_tuning=false + no marker → offer opt-in (contributor-specific copy variant) - Setup gate: question_tuning=true + declared empty + no marker → run 5-Q wizard Markers (~/.gstack/.question-tuning-prompted, ~/.gstack/.declared-setup-prompted) ensure each user is asked at most once. The Enable+setup section split into "Consent + opt-in" (with contributor framing) and standalone "5-Q setup" reachable from both the consent flow and the setup gate. Also aligns the calibration gate across three docs (V0 said 90+ days, TODOS said 2+ weeks, binary uses 7 days). The fix distinguishes: - Display gate (sample_size>=20, skills>=3, question_ids>=8, days_span>=7): for rendering inferred values in /plan-tune output - Promotion gate (90+ days stable across 3+ skills): for shipping E1 behavior-adapting defaults TODOS.md E1 card updated to reference 90+ days, plus Codex's substrate risk note: generated skill prose is agent-compliance-based, so E1 ships as advisory annotations on AskUserQuestion recommendations, not silent AUTO_DECIDE. Tests can verify templates contain right reads but can't prove agents obey them. Per /plan-eng-review + Codex outside-voice 2026-05-26. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: bump version and changelog (v1.49.0.0) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(bins): honor GSTACK_STATE_ROOT override for test isolation Plan-tune cathedral T1 (per D16 / Codex outside voice). The 3 bins that back /plan-tune (question-log, question-preference, developer-profile) previously ignored GSTACK_STATE_ROOT, so tests that tried to point state at a tempdir via that env var silently wrote to the real ~/.gstack. Make STATE_ROOT take precedence over GSTACK_HOME so the cathedral's E2E + unit tests can isolate cleanly without sledgehammering HOME. Order of precedence: GSTACK_STATE_ROOT > GSTACK_HOME > $HOME/.gstack Matches the existing gstack-paths emission order. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-tune): regression coverage for v1.49 consent + setup gates Plan-tune cathedral T2 + part of T1 follow-up (Codex IRON RULE — regressions get tests). v1.49 shipped two prose-driven implicit gates inside plan-tune Step 0 (consent, setup) with zero test coverage. The cathedral refactors that template heavily; without tests, silent breakage is possible. Three regression families plus a static template assertion: 1. Consent gate fires under qt=false + no marker; goes silent on marker write or qt=true flip. 2. Setup gate fires under qt=true + empty declared + no marker; goes silent when declared populates, marker is written, or qt is still false. 3. Marker idempotency: gates stay silent across 5 re-invocations after a single decline/bail. Markers honored independently. 4. Static template assertion: gate language can't be silently deleted without breaking a test. Also extends gstack-config to honor GSTACK_STATE_ROOT (it was the last bin still ignoring it — caught while writing the tests; without this, tests would silently mutate the user's real config.yaml). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(spikes): Claude hook mutation + Codex session format Plan-tune cathedral T4 (per D5/D10). Two Phase 1 design spikes that downstream tasks (T3, T5, T6, T8, T9) depend on. claude-code-hook-mutation.md - Confirms PreToolUse allow + updatedInput is supported and is the right mechanism for substituting an auto-decided answer. - Pins stdin/stdout JSON schemas with field-by-field reference. - Documents matcher regex syntax for "(AskUserQuestion|mcp__.*__AskUserQuestion)" so Conductor's MCP-routed AUQ is covered. - Captures parallel-hook merge order caveat and our settings.json snippet. codex-session-format.md - Maps the on-disk ~/.codex/sessions/<date>/rollout-*.jsonl schema by event type (response_item 76%, event_msg 19%, turn_context, session_meta). - Critical finding: Codex has NO AskUserQuestion tool. Gstack AUQ-shaped Decision Briefs surface as agent_message text; answer is the next user_message. Two-tier recovery: marker-first (D18), then pattern fallback for hash-only logging. - Confirms logs_2.sqlite is internal telemetry, not session content. - Lists open questions to answer during T9 implementation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(settings-hook): schema-aware PreToolUse/PostToolUse registration Plan-tune cathedral T3 (per D4 + Codex correction). The previous bin only knew SessionStart and dedup'd on the hardcoded `gstack-session-update` substring. The cathedral needs PreToolUse + PostToolUse hooks registered side-by-side with the user's own hooks, with explicit consent UX, backups, and rollback. New subcommands: - add-event --event <SessionStart|PreToolUse|PostToolUse|...> --command <cmd> --source <tag> [--matcher <re>] [--timeout <s>] - remove-source --source <tag> # removes all entries tagged by source - diff-event ... # preview without mutating - rollback # restore latest backup - list-sources # audit gstack-tagged hooks Multi-source dedup via a new `_gstack_source` field on each hook entry (Claude Code preserves unknown fields). Source tag lets plan-tune-cathedral register PreToolUse + PostToolUse without colliding with the existing SessionStart wiring, and lets remove-source clean up cleanly during gstack-uninstall. Backups written automatically to settings.json.bak.<ts> before any mutation, with a .bak-latest pointer the rollback subcommand reads. Existing legacy `add <cmd>` / `remove <cmd>` shape preserved verbatim so setup --team and gstack-uninstall keep working unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): PostToolUse capture hook for AskUserQuestion Plan-tune cathedral T5. Closes the substrate hole that motivated this entire branch: agent-compliance-only logging produced zero events in weeks of dogfood. PostToolUse hook captures every AUQ fire deterministically. What ships: - hosts/claude/hooks/question-log-hook.ts — TS hook that reads Claude Code's hook stdin, walks tool_input.questions[*], extracts user choice + recommended option from tool_response, spawns gstack-question-log per question. - hosts/claude/hooks/question-log-hook — bash shim Claude Code's hook runner invokes; execs bun against the .ts file. - Marker-first question_id extraction (D18 progressive markers): <gstack-qid:foo-bar> stripped from question text, used as the id. Hash fallback hook-<sha1[:10]> for unmarked questions (observed-only, never used as preference key — D18 hash drift mitigation). - (recommended) label parsing for the user_choice/recommended fields, with refuse-on-ambiguous when two labels are present (D2 safety). - Free-text capture: source=auq-other + free_text field when user picks Other and types (Layer 8 dream cycle input). - Matcher covers both native AskUserQuestion and mcp__*__AskUserQuestion (Codex/Conductor catch from outside voice review). - Crash safety: always exits 0; errors land in ~/.gstack/hook-errors.log so the user's session is never blocked by a hook failure. gstack-question-log extended to: - Accept `source` field (default 'agent', new values: hook, auq-other, auto-decided, codex-import-marker, codex-import-pattern). - Accept `tool_use_id` (<=128 chars) for dedup. - Composite dedup on (source, tool_use_id) across the last 100 lines — protects against hook + preamble both firing on the same tool call (D3 belt+suspenders). - Async fire `gstack-developer-profile --derive` after each successful write so inferred.sample_size actually grows (D17 — without this, the cathedral's "before 0, after >0" metric never moves). - GSTACK_QUESTION_LOG_NO_DERIVE=1 escape hatch for tests. 9 new unit tests covering capture, marker extraction, MCP variant, free-text, dedup, ambiguous-recommended safety, crash paths. All pass plus the existing 88 tests across related files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): PreToolUse enforcement hook for AskUserQuestion preferences Plan-tune cathedral T6 — the keystone that makes never-ask actually bind. Today preferences are agent-convention (silently ignored). This hook enforces them via Claude Code's hook protocol: when a never-ask preference matches an AUQ that is two-way + has a marker + has a clear recommendation, the hook returns permissionDecision: "deny" with permissionDecisionReason naming the auto-decided option. The agent obeys the rejection feedback and proceeds with the recommended option without re-firing AUQ. Decision tree (per question): - marker absent → defer (D18: hash IDs are observed-only) - one-way door → defer (safety override — never auto-decide one-way) - always-ask preference → defer - no preference set → defer - ambiguous recommendation (two (recommended) labels OR no parseable rec) → defer (D2 refuse-on-ambiguous) - never-ask / ask-only-for-one-way + two-way + clean rec → deny+reason Preference precedence per D8: project-local (~/.gstack/projects/<slug>/question-preferences.json) wins, global (~/.gstack/global-question-preferences.json) is fallback. Why deny+reason instead of allow+updatedInput: AskUserQuestion's updatedInput shape for "pre-resolve this question" isn't structurally pinned in Claude Code docs (T4 spike open question). deny with a reason that names the auto-decided option is the conservative + reliable v1 — the model receives the rejection, reads the recommended option from the reason, proceeds without re-prompting. Swap to allow+updatedInput once the AUQ input shape is verified against real Claude Code. Since deny prevents PostToolUse from firing, this hook logs the auto-decided event itself via gstack-question-log (source=auto-decided) so /plan-tune's Recent auto-decisions surface picks it up. Also writes a session marker ~/.gstack/sessions/<id>/.auto-decided-<tool_use_id> for coordination when the AUQ-shape switch lands. Multi-question AUQ: enforcement is all-or-nothing per call. If any question in the batch isn't eligible (no marker, no preference, ambiguous rec, etc.), the whole call defers so the user still gets to answer the rest normally. Registry lookup: cheap regex extraction from scripts/question-registry.ts (reading + bun-importing the TS file from a hook is too slow). Door type defaults to two-way for unregistered. Matcher covers both native AskUserQuestion and mcp__*__AskUserQuestion (Conductor disables native — Codex outside-voice catch). 15 unit tests cover defer paths, enforcement, one-way safety override, ambiguous-rec refuse, precedence (project wins, global fallback, project-overrides-global), MCP matcher, auto-decided event logging, session marker writing, crash safety. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(scripts): declared-annotation helper + autonomy signal_key wiring Plan-tune cathedral T7. Adds the helper that lets skills inject one-line plain-English annotations on AUQ recommendations based on the user's declared profile — read-only, advisory-only, per TODOS.md E1 substrate-risk guidance (no AUTO_DECIDE off inferred). scripts/declared-annotation.ts - getDeclaredAnnotation(signal_key) → annotation | null - primaryDimensionFor(signal_key) → Dimension | null - Signature uses kebab signal_key per D2/Codex correction (registry uses hyphens; profile dimensions use underscores; helper maps internally). - Bands: >= 0.7 high, <= 0.3 low, else null. Middle band stays silent. - Per-dimension plain-English phrasing: 5 dimensions × 2 bands = 10 phrases. - Reads ~/.gstack/developer-profile.json (honors GSTACK_STATE_ROOT). scripts/psychographic-signals.ts - New signal_key 'decision-autonomy' that maps user_choice → autonomy dimension nudges. This was the missing signal for the 'autonomy' dimension — without it, the cathedral could annotate four of five declared dimensions but autonomy stayed silent. scripts/question-registry.ts - Add signal_key: 'decision-autonomy' to land-and-deploy-merge-confirm and land-and-deploy-rollback. These are the highest-leverage autonomy questions in the surface — "let me decide" vs "go ahead" is exactly what the dimension captures. 13 unit tests cover the helper's full contract (unknown keys, missing profile, middle-band null, both band thresholds, all five dimensions rendering distinct phrases). Existing 47 plan-tune.test.ts tests still pass after the registry + signal-map enrichment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(setup): install plan-tune cathedral hooks with explicit consent UX Plan-tune cathedral T8. Wires the new PostToolUse capture hook and PreToolUse enforcement hook into ~/.claude/settings.json via the schema-aware gstack-settings-hook (T3) — respecting D4's "never mutate settings.json silently" boundary and the Codex outside-voice warning. Behavior at setup time: - Idempotency: if list-sources already shows 'plan-tune-cathedral', no-op with a one-line note. - Marker present (previously declined): no-op, no re-prompt. - Interactive terminal: print rationale + diff preview from settings-hook, rollback command, and prompt y/N. On accept, register both hooks (PostToolUse and PreToolUse) with --source plan-tune-cathedral. On decline, touch ~/.gstack/.plan-tune-hooks-prompted so we don't re-ask. - Non-interactive (CI / scripted): no prompt; print the two exact commands the user would need to install manually. - --no-team teardown also removes the plan-tune hooks via remove-source. gstack-uninstall extended to clean up plan-tune-cathedral hooks alongside the existing SessionStart cleanup. Listed as a separate "plan-tune cathedral hooks" line in the REMOVED summary when it fires. No new test file — coverage from T3's gstack-settings-hook-schema-aware tests proves the underlying bin behavior; setup-level integration is verified manually (re-running ./setup is cheap and the prompt makes it obvious whether install happened). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-codex-session-import — structured Codex transcript parser Plan-tune cathedral T9. Backfills question-log.jsonl from Codex sessions since Codex has no AskUserQuestion tool (per docs/spikes/codex-session-format.md) and gstack AUQ-shaped Decision Briefs show up as agent_message prose. Walks ~/.codex/sessions/<date>/rollout-*.jsonl, matches each agent_message that contains either a <gstack-qid:foo-bar> marker or a D-numbered Decision Brief header, then pairs it with the next user_message for the answer. Two-tier recovery per D5: - marker present → source=codex-import-marker, stable question_id - no marker but D-shape detected → source=codex-import-pattern with hash-only question_id (never used as preference key per D18) Subcommands: gstack-codex-session-import # latest session gstack-codex-session-import <file> # explicit path gstack-codex-session-import --since <iso> # all sessions newer than User-choice extraction handles A/B/C letter responses and prose responses that start with the option label. Recommended option parsed via the "(recommended)" label suffix (same convention as Layer 2). Each extracted event written via gstack-question-log, so source tagging, dedup, and async derive all apply uniformly. spawnSync uses the cwd from session_meta so gstack-slug buckets events into the project the user was actually working in, not the importer's cwd. 7 unit tests cover marker path, pattern fallback, multiple briefs in sequence, missing user_message, numeric/letter user response forms, empty-sessions-dir handling. Smoke-tested against a real ~/.codex/sessions/ file from earlier today — returns IMPORTED: 0 because that session was autonomous (no AUQ-shaped prose), proving the bin doesn't false-positive on unrelated agent_message events. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-distill-free-text — Layer 8 dream cycle distiller Plan-tune cathedral T10. Reads auq-other free-text events from this project's question-log.jsonl, calls Claude via the Anthropic SDK to extract structured proposals (preference candidates, declared-profile nudges, memory nuggets), writes them to distillation-proposals.json for the user to review via /plan-tune (never autonomous — every apply requires explicit Y). Subcommands: gstack-distill-free-text # sync distill gstack-distill-free-text --background # detach + return PID gstack-distill-free-text --dry-run # emit prompt + events, no API call gstack-distill-free-text --status # run history + cost-to-date D7 rate cap: 3 distills per slug per day. Reads ~/.gstack/distill-cost.jsonl for the count, exits with RATE_CAPPED when limit hit. Cost log lines tagged by slug so sibling projects don't share the cap. Yesterday runs don't count. D6 API auth: Anthropic SDK direct, fail-loud on missing ANTHROPIC_API_KEY with explicit message that distill is a separate billing surface from the interactive Claude Code session. Uses claude-haiku-4-5 for cost (~$0.001/ 1k input, $0.005/1k output) — sufficient for structured extraction. D14 execution context: --background spawns detached (nohup) so auto-trigger during /ship doesn't add 30s of pause; results surface on next /plan-tune. Source events get distilled_at:<ts> stamped on them after the run so they don't re-propose on the next distill. Match by ts + question_id. Cost-log line per run includes: slug, proposals_count, rejected_low_confidence, input_tokens, output_tokens, cost_usd_est. /plan-tune stats reads this to show "$X estimated, N runs this month" per Layer 4 surface. 10 unit tests cover --status, rate cap (3/day, yesterday-not-counted, other-slug-not-counted), no-log/no-free-text paths, --dry-run, missing API key, --background spawn. The actual SDK call is exercised by the T16 E2E test (uses real key, ~$0.001 per run). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-distill-apply — apply distillation proposals with gbrain tag Plan-tune cathedral T11. Bin that applies a single user-approved proposal from distillation-proposals.json to the right surface: - memory-nugget → appended to ~/.gstack/free-text-memory.json (durable local source-of-truth; gbrain is mirror when configured). - preference → routed through gstack-question-preference --write with source=plan-tune (clears the user-origin gate). - declared-nudge → atomic update to developer-profile.json declared dim, small=0.05, medium=0.10, large=0.15, clamped to [0, 1]. Why a separate bin (not inline in the skill template): /plan-tune's apply step needs to be invokable from any host (Claude, Codex, etc) and must write to multiple state files atomically. A bin centralizes the schema + clamp logic; the skill template just calls it after user Y. gbrain coordination: --gbrain-published true marks the nugget so /plan-tune stats can show "12 nuggets, 8 mirrored to gbrain". The skill template invokes mcp__gbrain__put_page / extract_facts / add_tag in the same turn (those are MCP tools, not CLI-callable) before calling this bin. Local file remains canonical so the PreToolUse hook injection path (T12) doesn't depend on gbrain availability. Subcommands: gstack-distill-apply --list # show pending proposals gstack-distill-apply --proposal <N> # apply, file fallback gstack-distill-apply --proposal <N> --gbrain-published true Applied proposals get applied_at + gbrain_published stamped on them so re-running --list shows only unconsumed ones. 11 unit tests cover --list (all three kinds + quotes), memory-nugget append + non-clobber, preference routing through the gate-respecting bin, declared-nudge math (medium=0.10, small=0.05, large=0.15, clamp at [0,1]), proposal mark-applied with gbrain flag, and error paths (bad index, missing --proposal). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): Layer 8 memory injection via per-session cache Plan-tune cathedral T12. Extends the PreToolUse hook to inject matching free-text-memory.json nuggets into AskUserQuestion responses, giving the agent + user the distilled context from past 'Other' answers right when the related question fires. Per-session cache (D13 perf): first read of free-text-memory.json writes ~/.gstack/sessions/<id>/memory-cache.json. Subsequent hooks on the same session take the cached path. Invalidation is by file-missing: when the canonical file changes (via gstack-distill-apply), the per-session cache either reflects the staler view for the rest of the session or the session restarts and the cache rebuilds. Cheap, correct enough for v1. Matching logic: - Walk this AUQ batch's questions, extract marker question_ids. - Look up signal_key in scripts/question-registry.ts. - Collect nuggets whose applies_to_signal_keys include any of the matched signal_keys. - Cap to 3 most-recent (by applied_at) so the additionalContext stays short. - Surface as additionalContext on the hookSpecificOutput response. Memory + enforcement interact cleanly: the same hook can both surface nuggets AND deny the tool when a never-ask preference matches. Memory context isn't doubled in the deny reason — the auto-decided option name in the deny path is sufficient signal. 6 new tests cover injection on defer, no-match silence, 3-most-recent cap, memory-alongside-deny enforcement, cache file write-through, empty-canonical graceful degradation. Existing 15 preference-hook tests still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(plan-tune): SKILL.md surfaces for cathedral T13 Plan-tune cathedral T13. Rewires plan-tune/SKILL.md.tmpl to expose the new cathedral surfaces: Step 0 routing: - Implicit gate #3 (dream-cycle): fires when distillation-proposals.json has unapplied proposals. Marker is per-proposal applied_at so re-firing naturally skips already-handled items. - Added user-intent route for "dream cycle" / "distill" / "what have I been free-texting". - Power-user shortcuts: distill, dream, audit. Stats: - Host-aware source breakdown (SOURCE_HOOK, SOURCE_AGENT, SOURCE_AUTO_DECIDED, SOURCE_CODEX_IMPORT_*, SOURCE_AUQ_OTHER). - MARKED percentage so D18 progressive-markers progress is visible. - Distill cost-to-date via gstack-distill-free-text --status. Recent auto-decisions: - Last 10 source=auto-decided events with question_id + user_choice. Lets the user spot-check enforcement and flip via always-ask. Audit unmarked questions: - Top N hash-only ids by frequency. Surfaces next candidates for the D18 marker retrofit. Dream cycle review + manual distill: - Walks unapplied proposals via AskUserQuestion (one per call), routes accepts through gstack-distill-apply with --gbrain-published flag. Skill template invokes mcp__gbrain__put_page when MCP is available; local file remains source-of-truth. Regenerated SKILL.md via `bun run gen:skill-docs`. All 60 plan-tune tests still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(preamble): inject <gstack-qid:...> marker convention into question-tuning resolver Plan-tune cathedral T14. Per D18 progressive markers, the PreToolUse enforcement hook only fires when the AUQ question text contains a <gstack-qid:foo-bar> marker the hook can extract. Without a marker, the hook logs the fire as observed-only and skips enforcement (hash IDs drift with prose so they're never used as preference keys). The high-leverage retrofit point is the preamble's Question Tuning section, not 10 individual skill templates. Updating scripts/resolvers/question-tuning.ts adds the marker convention to every tier-≥2 skill in one change — agents running ANY of the 30+ tier-≥2 skills now embed the marker by default when the question matches a registered question_id. Two convention additions in the preamble: 1. "Embed the question_id as a marker (<gstack-qid:{id}>) somewhere in the rendered question." With explanation that the marker is the only path for the PreToolUse hook to enforce preferences. 2. "Embed the option recommendation via the (recommended) label suffix on exactly one option per AUQ." Documents the D2 parser contract: label first, prose fallback, refuse-on-ambiguous. Net cost: ~700 bytes added to the preamble per generated skill. Plan-review preamble budget ratcheted from 39000 → 40000 (test/gen-skill-docs.test.ts) with a comment explaining the cathedral T14 expansion is load-bearing. Regenerated 42 SKILL.md files via `bun run gen:skill-docs`. The token ceiling warning on ship/SKILL.md (~41K tokens) is pre-existing; this PR doesn't change ship's preamble materially. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ship): plan-tune discoverability nudge after first successful ship Plan-tune cathedral T15 (the ship-side surface; the setup-side surface shipped in T8 with explicit hook-install consent UX). Adds Step 21 to ship/SKILL.md.tmpl: after Step 20 (persist metrics) succeeds, surface /plan-tune once per machine via a marker-gated single-line nudge. Behavior: - If ~/.gstack/.plan-tune-nudge-shown exists → no-op. - If question_tuning is already true → no-op (user already on board). - Otherwise: print one nudge line, touch marker. The nudge mentions both the observational substrate AND the hook-installed auto-decide enforcement so users know what they get when they opt in. Non-blocking — never asks a question, doesn't gate ship completion. To re-show: rm ~/.gstack/.plan-tune-nudge-shown before next ship. Setup-side discoverability shipped in T8 via the hook install prompt (explicit consent + diff preview + backup). Together these two surfaces cover first-install AND first-ship moments — the user discovers plan-tune organically rather than needing to know /plan-tune exists. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-tune): 5 cathedral E2E scenarios + touchfile registration Plan-tune cathedral T16 (per D12 — all 5 in gate tier). One consolidated file with five describeIfSelected scenarios, each selectable by its own touchfile entry so they only run when the relevant code changes (or EVALS_ALL=1 forces all): plan-tune-hook-capture — PostToolUse hook fires → question-log fills plan-tune-enforcement — never-ask + marker + 2-way → deny+reason + auto-decided event logged plan-tune-annotation — declared profile + memory nugget → additionalContext surfaced on defer plan-tune-codex-import — synthetic JSONL → import bin → log with source=codex-import-marker plan-tune-dream-cycle — apply proposal → re-fire question → memory injected via additionalContext Each scenario fixtures an isolated git repo + bins + scripts + hooks under tmp, then exercises the cathedral chain end-to-end against real on-disk binaries (no mocks at the bin layer). GSTACK_STATE_ROOT keeps the user's real ~/.gstack untouched. These five complement the existing unit tests by proving the full sub-process chain works (not just individual functions in isolation). They DON'T spawn claude -p because the cathedral's substrate behavior is deterministic — agent compliance is no longer the variable. The existing test/skill-e2e-plan-tune.test.ts (plan-tune-inspect) still covers the LLM-driven intent-routing behavior. Cost: each scenario runs in ~1s with $0 because no claude -p invocations. Touchfile-gated, so they only run on PRs that touch cathedral code. Also fixes a bug found by the E2E: question-log-hook didn't pass the incoming tool call's cwd to spawnSync when invoking gstack-question-log, so the bin used the hook process's cwd (the repo root) instead of the session's cwd. Result: log writes landed in the wrong project bucket. Fix mirrors the same cwd-passing pattern from question-preference-hook. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump VERSION to 1.50.0.0 + plan-tune cathedral CHANGELOG Plan-tune cathedral T17. Bumps VERSION 1.49.0.0 → 1.50.0.0 (MINOR per CLAUDE.md scale-aware rule: this is substantial new capability — 8 layers, ~3000 LOC, 96 new tests, deterministic substrate + dream-cycle distillation). CHANGELOG entry follows the release-summary format from CLAUDE.md: - Two-line bold headline naming what changed for users (deterministic capture, binding preferences, free-text memory loop) - Lead paragraph: before/after framed concretely (zero events captured → every fire, agent-honored → hook-enforced, declared profile → injected context, regex backfill → structured JSONL parser) - Two tables: metric deltas + layer/where-it-lives. Real numbers (96 tests, ~$0.01 per distill, 3/day cap), no AI vocabulary, no em dashes. - "What this means for solo builders" close: ties dream cycle to the compounding loop and points to ./setup as the on-ramp. - Itemized Added/Changed/For contributors sections list every layer's surfaces with file paths. Also: - Refreshed test/fixtures/golden/{claude,codex,factory}-ship-SKILL.md to match the regenerated ship templates (Step 21 nudge added). - Rebased plan-tune entry in parity-baseline-v1.47.0.0.json from 51717 → 64017 bytes with a baseline_note explaining the cathedral T13 expansion. Documents that the new Dream cycle, Recent auto-decisions, Audit unmarked, Dream cycle review/distill sections are load-bearing, not bloat. Without the rebase, the size-budget gate fails — and the cathedral's whole point is making /plan-tune do more, not less. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump VERSION 1.50.0.0 → 1.52.0.0 (queue collision with #1742) CI version gate caught: PR #1742 (garrytan/upgrade-gstack-gbrain-v1) already claims v1.50.0.0 and #1751 (garrytan/browser-memory-leak) claims v1.51.0.0. gstack-next-version util recommends v1.52.0.0 as the next free slot. Updates: - VERSION 1.50.0.0 → 1.52.0.0 - package.json version sync - CHANGELOG.md header + metric table label - parity-baseline-v1.47.0.0.json baseline_note reference No content changes; pure slot rebase per the queue. The cathedral scope (8 layers, 96 tests) and CHANGELOG narrative stay identical — same ship, different release number. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: cap audit — remove distill rate cap, loosen size/budget gates Plan-tune cathedral follow-up. The 3/day distill cap was theatrical: at ~$0.01 per Haiku call, even a runaway loop firing every minute would cost ~$14/day, and free-text events are rare enough that the natural input rate self-limits to 1-2 fires/day. Count caps don't protect against runaway bugs (which fire 1000x/second, not 4 times/day) but DO punish heavy users who'd legitimately distill multiple times during a busy week. Removed: 3/day rate cap on bin/gstack-distill-free-text. --status output swapped from "TODAY: N / 3" to "TODAY: N run(s), $X" so users see what they're spending instead of how close they are to a meaningless count. Loosened (caps that exist for real-runaway protection, not normal scope): - EVALS_BUDGET_HARD_CAP_GATE $25 → $200/run - EVALS_BUDGET_HARD_CAP_PERIODIC $70 → $500/run - EVALS_BUDGET_HARD_CAP $30 → $300/run (umbrella fallback) - GSTACK_SIZE_BUDGET_RATIO 1.05 → 1.50 per-skill ratio - plan-review preamble byte budget 40K → 60K Principle: caps exist to catch obvious bugs (infinite retry, model price change, prompt blowup), not to gate legitimate scope growth. Set high enough that real growth never trips them, only bug territory does. Adjusted defaults are 4-8× historical worst case, leaving ample headroom for the next 12 months of legitimate expansion. Tests updated: distill-free-text removes the 3-test rate-cap describe block in favor of "no rate cap" assertion that 10 runs/day pass. Other budget tests still pass because they were never near the old ceilings. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
garrytan
added a commit
that referenced
this pull request
May 30, 2026
…pec, /ship, /cso, /document-* (#1797) * v1.51.0.0 feat: $B memory diagnostic + 4 CDP-resource leak fixes (#1751) * add withCdpSession + getOrCreateCdpSession helpers Two CDP-session lifecycle helpers in cdp-bridge.ts: - withCdpSession(page, fn): ephemeral session with try/finally detach. For one-shot CDP work (archive snapshots, $B memory, single Page.captureScreenshot) where the caller doesn't need session reuse. - getOrCreateCdpSession(page, cache): cached long-lived session that registers a page.once('close') hook to BOTH delete the cache entry AND call session.detach(). Pre-helper code only deleted the cache entry, leaving the Chromium-side CDP target attached until the underlying transport dropped. Pure addition. Existing callers untouched in this commit; they migrate in the next commit alongside the static-grep test that pins the invariant. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * migrate 3 CDP-session sites to lifecycle helpers Fixes the CDP-target leak class identified by /codex outside-voice on the eng review (D11 EXPAND_SCOPE). All three sites called `page.context().newCDPSession(page)` directly and either forgot the detach entirely (cdp-bridge cache cleanup), only detached on the success path (write-commands archive), or detached on framenavigated but not page-close (cdp-inspector). - cdp-bridge.ts: `getCdpSession` now delegates to `getOrCreateCdpSession`, which registers a `page.once('close')` hook that BOTH removes the cache entry AND calls `session.detach()`. - cdp-inspector.ts: same migration for the inspector's session pool. Keeps the existing framenavigated detach (more granular than close for DOM/CSS state invalidation) plus an inspector-layer close hook for the initializedPages WeakSet. - write-commands.ts archive: wraps Page.captureSnapshot in withCdpSession so the detach runs in `finally`, including the path where captureSnapshot throws. The static-grep tripwire (next commit) pins the invariant so future direct calls to newCDPSession fail CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add CDP-session cleanup tripwire + helper unit tests browse/test/cdp-session-cleanup.test.ts pins the invariant that no source file outside cdp-bridge.ts may call newCDPSession() directly. If a future refactor reintroduces the direct call, CI fails with a file:line list and a pointer to the right helper to use instead (withCdpSession for one-shot, getOrCreateCdpSession for cached). Also covers the helpers themselves with fake-Page unit tests: - withCdpSession detaches on success - withCdpSession detaches on throw (the actual leak fix) - withCdpSession swallows detach errors so they don't mask fn errors - getOrCreateCdpSession caches the session across calls - close hook detaches AND clears the cache Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * extract createSseEndpoint helper with cleanup contract browse/src/sse-helpers.ts owns the SSE cleanup invariant: cleanup runs on abort, enqueue failure, AND heartbeat failure, exactly once, regardless of which edge fires first. Pre-helper, /activity/stream and /inspector/events ran cleanup only on the req.signal.abort edge. If the underlying TCP died without firing abort (Chromium MV3 service-worker suspend, intermediate proxy half-close), the subscriber closure stayed in the Set capturing the ReadableStreamDefaultController plus any payloads queued behind it. Over a multi-day sidebar session this compounded into multi-MB of retained controllers per dead connection. Caller surface: initialReplay (optional, for gap replay or state snapshots), subscribe (live-event source), liveEventName (SSE event name for live wrap), heartbeatMs. send() helper handles JSON encoding with sanitizeReplacer + lone-surrogate stripping. Unit tests pin all three cleanup edges + idempotency + replay ordering + surrogate sanitization. Endpoint refactors land in the next commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * route /activity/stream + /inspector/events through createSseEndpoint Both endpoints collapse from ~45 lines of in-line ReadableStream wiring to ~8 lines of helper config. Behavior preserved bit-for-bit by the new sse-helpers tests: - initial replay (activity gap + history, inspector state snapshot) - live event subscription - 15s heartbeat - SSE framing - sanitizeReplacer applied to every JSON.stringify The leak fix is the cleanup contract: pre-refactor, both endpoints ran cleanup only on req.signal.abort. If TCP died without firing abort (Chromium MV3 SW suspend, intermediate proxy half-close), the subscriber closure stayed in the Set forever capturing the ReadableStreamDefaultController + queued payloads. Post-refactor, an enqueue-failure or heartbeat-failure on a dead consumer triggers the same idempotent cleanup as abort would. Net: -83 / +15 in server.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * cap inspector modificationHistory at 200 entries Pre-cap, modificationHistory was an unbounded module-scoped array that grew for every CSS edit through $B css across the entire session. Small per-entry footprint but no upper bound, the kind of slow leak that compounds over multi-day inspector use. Cap is 200, oldest evicted on push past the cap. modHistoryTotalPushed stays monotonic across the session so undoModification can tell the user when their target index has been evicted, instead of just the opaque pre-cap "No modification at index 500" with no context. __testInternals export lets the cap + eviction error be unit-tested without spinning up a CDP-driven Page. Production code must continue to go through modifyStyle / undoModification / resetModifications. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add BrowserManager.getMemorySnapshot() + shared types Diagnostic foundation for $B memory and the /memory endpoint that land in the next two commits. Collects: - Bun process memory via process.memoryUsage (cross-platform, accurate). - Per-tab JS heap via CDP Performance.getMetrics, lazy per tracked page, swallows target-died errors so a dying tab doesn't poison the snapshot for the rest. - Chromium process tree via SystemInfo.getProcessInfo (PID + type + CPU time). RSS is NOT exposed via CDP — the eng review (D2 USE_CDP) picked CDP over shelling to `ps`, so notes[] tells the caller why the RSS column is absent and points at the follow-up TODO. cdp-inspector exports getModificationHistoryStats so the snapshot can surface buffer occupancy + cap + evicted count without reaching into module-private state. memory-snapshot.ts holds the shared types so server.ts and read-commands can import without circular dep on browser-manager. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add \$B memory command Registers 'memory' in META_COMMANDS, wires the meta-command dispatch to a lazy-imported handler in memory-command.ts. Lazy because the import graph (cdp-bridge + memory-snapshot + buffer accessors) isn't useful to projects that never run the diagnostic. The handler assembles MemoryStructureStats from the modules that own each buffer (cdp-inspector mod history stats, activity subscriber count, console/network/dialog buffer lengths, captureBuffer bytes, inspectorSubscriber count via a new server.ts export) and calls BrowserManager.getMemorySnapshot. Output is text by default, JSON with --json so the sidebar footer and test harness can consume it programmatically. buildMemorySnapshotJson is the entry the /memory endpoint will call in the next commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add /memory endpoint (SSE-session-cookie gated) GET /memory returns the BrowserManager memory snapshot as JSON. Auth matches /activity/stream and /inspector/events: Bearer header OR view-only SSE-session cookie (the extension fetches the cookie once via POST /sse-session, then polls /memory with withCredentials: true). Deliberately NOT extending /health for the sidebar footer poll — TODOS.md "Audit /health token distribution" records that /health already surfaces AUTH_TOKEN to any localhost caller in headed mode. A separate endpoint with the standard SSE auth keeps the future /health fix from cascading into the sidebar. sanitizeReplacer is applied at egress because tab.url and tab.title come from page content — lone-surrogate bytes from broken emoji could otherwise reach the sidebar and (when forwarded to Claude API) trigger HTTP 400. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add sidebar footer RSS readout (polls /memory every 30s) Footer now shows "<bun-rss> · <tab-count>" sourced from the /memory endpoint, polled every 30s. Color thresholds: orange warn at 2 GB Bun RSS or 50 tabs; red bad at 8 GB or 200 tabs (matches the tab-guardrail threshold landing in a later commit). The footer gives the user an early signal that the cliff is forming, instead of only learning when the OS OOM-kills the process. Backoff per Codex's flag: if a poll takes > 2s response time the sidebar drops to a 5-minute cadence until the next successful fast poll. The diagnostic shouldn't add load to a browser that's already unhealthy. Start/stop is wired to the existing setServerInfo() hook so the timer only runs while the sidebar is connected to a server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * stop materializing response bodies in requestfinished listener The Bun-side accelerant on the gbrowser-OOM investigation. Pre-fix, the per-page requestfinished listener called \`await res.body()\` just to read .length — Playwright fetches the bytes from Chromium across CDP into a Bun Buffer, only for the listener to discard the buffer after a single length read. On a long-lived headed browser with media-heavy pages this is multi-GB/hour of Buffer allocation churn. Bun GCs it, but the cross-process CDP traffic + transient allocation pressure feeds the OOM trajectory. The fix: req.sizes() pulls from the Network.loadingFinished event Chromium already emits. No body materialization. Accurate for chunked transfer, gzip-compressed responses, and streaming media — the cases where a naive Content-Length header read (the original review's proposal) would have missed the size entirely (Codex flag on the eng review, D10 USE_CDP_EVENT_BATCHED). The D10 stretch goal — replacing N per-page listeners with a single context-level CDP listener via Target.setAutoAttach — is deferred and tracked in TODOS. The listener architecture change is significantly more plumbing than the leak fix and not on the critical path for stopping the body materialization. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * tab guardrail (50/200 thresholds) + sidebar action toast Server side (browser-manager.ts): Idempotent threshold tracker fires an activity entry exactly once at each upward crossing of 50 (soft warn) and 200 (hard warn). Re-arms when the count drops below. Activity-feed surface gives the audit-trail invariant even with the sidebar closed; the toast UX lives in the sidebar. Sidebar side (extension/sidepanel.{html,css,js}): Every /memory poll evaluates two trigger conditions: - Any single tab > 4 GB JS heap (catches the WebGL/video runaway case Codex flagged on the eng review). - Tab count >= 200. Toast shows top 5 tabs ranked by max(jsHeap, nodes*1KB + listeners*200) so a WebGL-heavy tab with small JS heap still surfaces. Default-selected checkboxes + "Close selected" run \`\$B closetab <id>\` through the existing /command path — no chrome.tabs.remove bridge needed. "Snooze" bumps tabsAbove/heapAbove thresholds in chrome.storage.session so the toast stays hidden until the user accumulates more tabs OR one tab grows another 2 GB. Tests: browse/test/tab-guardrail.test.ts pins the server-side fires-once + re-arms invariants without spinning up Chromium. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add memory-leak reproducer (gate tier) browse/test/memory-leak-reproducer.test.ts pins the invariant from the D10 fix: wirePageEvents.requestfinished must call req.sizes() but must NEVER call res.body(). Fakes a page emitting a burst of 200 requestfinished events, each with a notional 1 MB response — pre-fix this would allocate 200 MB of Buffer per burst, post-fix not one byte of body content is materialized. The test also asserts networkBuffer entries are still populated with the right size, so size reporting in the network panel doesn't regress. A real-Chromium peak-RSS reproducer (periodic tier) is deferred — see TODOS "Reproducer with WebGL / video / MSE buffer pressure". This gate-tier test is sufficient to catch the leak class being reintroduced by any future refactor of the requestfinished listener. Wall clock: ~400ms. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * TODOS: 4 follow-ups from gbrowser-OOM PR Captures the items deliberately deferred from the v1.49 leak-fix PR so the deferrals don't fall off the radar: - P2: MV3 extension service-worker memory profile (Codex finding #4) - P2: Native + GPU memory breakdown in \$B memory (Codex finding #5) - P3: Single-context CDP listener for Network.loadingFinished (D10 stretch goal) - P3: Real-Chromium peak-RSS reproducer for periodic tier (Codex finding on transient amplification + ANGLE_B_NUMBERS CHANGELOG framing dependency) Each entry follows the standard TODOS.md format: What / Why / Pros / Cons / Context / Priority / Effort. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * regen SKILL.md after adding \$B memory command The C8 commit added 'memory' to META_COMMANDS + COMMAND_DESCRIPTIONS but didn't regenerate the SKILL.md files. The category was 'Diagnostics' which isn't in scripts/resolvers/browse.ts:categoryOrder; switched to 'Server' (matches the existing 'status' / 'restart' / 'handoff' pattern) so the table renders under the existing ### Server section. Test fix: gen-skill-docs.test.ts asserts every command appears in the generated SKILL.md and gstack/llms.txt; without this regen the test fails with "Expected to contain: 'memory'". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * add coverage for \$B memory diagnostic surface 17 tests across the formatter + byte renderer + JSON entry point: - formatBytes() 4-tier (bytes, KB, MB, GB) + 160 GB sanity case (the friend's OOM number from the original screenshot, so the renderer doesn't blow up at real leak scale) - handleMemoryCommand --json mode parseable shape - handleMemoryCommand text mode: Bun server line, no-tabs branch, top-10 sort with "...and N more" tail, Chromium process grouping by type, "unavailable" line when processes is null, modification- history evicted-count format, notes section rendering, long-URL ellipsis truncation - buildMemorySnapshotJson returns shape matching the type The formatSnapshotText renderer is private to memory-command.ts; tests exercise it through handleMemoryCommand's text-mode return path. The eviction-count format is pinned via a parallel format contract assertion since the renderer reads live module state. Coverage gate: brings the diagnostic surface from 0% to ~80%. Extension UI (sidepanel.js footer + toast) remains uncovered — adding tests there would require extracting fmtBytesShort and tabRamScore from sidepanel.js into a testable TS module, which is deferred to a follow-up to keep this PR scoped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v1.51.0.0) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: update project documentation for v1.51.0.0 Add $B memory command to BROWSER.md server lifecycle table. Document the new createSseEndpoint helper + CDP session lifecycle helpers (withCdpSession, getOrCreateCdpSession) in CLAUDE.md alongside the existing server hardening notes, with the static-grep tripwire callout so future contributors route through the helpers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(test): pin SSE sanitizer wiring to the v1.51 createSseEndpoint helper The two `wiring invariants` tests grepped server.ts for `JSON.stringify(entry, sanitizeReplacer)` and `JSON.stringify(event, sanitizeReplacer)` — patterns that lived inline in /activity/stream and /inspector/events before the v1.51 refactor moved both endpoints behind createSseEndpoint. Sanitization still happens (the helper applies it inside its send() and live-event callback), but the static-grep was pinned to the old wiring and started failing on Windows free-tests after the refactor landed. Updated to check the new contract: - /activity/stream + /inspector/events route through createSseEndpoint (regex match of the route handler block ending in the helper call). - sse-helpers.ts contains JSON.stringify + sanitizeReplacer + imports stripLoneSurrogates from ./sanitize (catches drift to a private copy). - server.ts retains its own sanitizeReplacer for non-SSE egress paths (handleCommandInternal); the two replacers coexist by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v1.52.0.0 feat(plan-tune): explicit consent + first-run setup wizard for contributors (#1741) * feat(plan-tune): explicit-consent surface + setup gate for question_tuning Step 0 grows two implicit gates that run before user-intent routing: - Consent gate: question_tuning=false + no marker → offer opt-in (contributor-specific copy variant) - Setup gate: question_tuning=true + declared empty + no marker → run 5-Q wizard Markers (~/.gstack/.question-tuning-prompted, ~/.gstack/.declared-setup-prompted) ensure each user is asked at most once. The Enable+setup section split into "Consent + opt-in" (with contributor framing) and standalone "5-Q setup" reachable from both the consent flow and the setup gate. Also aligns the calibration gate across three docs (V0 said 90+ days, TODOS said 2+ weeks, binary uses 7 days). The fix distinguishes: - Display gate (sample_size>=20, skills>=3, question_ids>=8, days_span>=7): for rendering inferred values in /plan-tune output - Promotion gate (90+ days stable across 3+ skills): for shipping E1 behavior-adapting defaults TODOS.md E1 card updated to reference 90+ days, plus Codex's substrate risk note: generated skill prose is agent-compliance-based, so E1 ships as advisory annotations on AskUserQuestion recommendations, not silent AUTO_DECIDE. Tests can verify templates contain right reads but can't prove agents obey them. Per /plan-eng-review + Codex outside-voice 2026-05-26. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: bump version and changelog (v1.49.0.0) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * feat(bins): honor GSTACK_STATE_ROOT override for test isolation Plan-tune cathedral T1 (per D16 / Codex outside voice). The 3 bins that back /plan-tune (question-log, question-preference, developer-profile) previously ignored GSTACK_STATE_ROOT, so tests that tried to point state at a tempdir via that env var silently wrote to the real ~/.gstack. Make STATE_ROOT take precedence over GSTACK_HOME so the cathedral's E2E + unit tests can isolate cleanly without sledgehammering HOME. Order of precedence: GSTACK_STATE_ROOT > GSTACK_HOME > $HOME/.gstack Matches the existing gstack-paths emission order. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-tune): regression coverage for v1.49 consent + setup gates Plan-tune cathedral T2 + part of T1 follow-up (Codex IRON RULE — regressions get tests). v1.49 shipped two prose-driven implicit gates inside plan-tune Step 0 (consent, setup) with zero test coverage. The cathedral refactors that template heavily; without tests, silent breakage is possible. Three regression families plus a static template assertion: 1. Consent gate fires under qt=false + no marker; goes silent on marker write or qt=true flip. 2. Setup gate fires under qt=true + empty declared + no marker; goes silent when declared populates, marker is written, or qt is still false. 3. Marker idempotency: gates stay silent across 5 re-invocations after a single decline/bail. Markers honored independently. 4. Static template assertion: gate language can't be silently deleted without breaking a test. Also extends gstack-config to honor GSTACK_STATE_ROOT (it was the last bin still ignoring it — caught while writing the tests; without this, tests would silently mutate the user's real config.yaml). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(spikes): Claude hook mutation + Codex session format Plan-tune cathedral T4 (per D5/D10). Two Phase 1 design spikes that downstream tasks (T3, T5, T6, T8, T9) depend on. claude-code-hook-mutation.md - Confirms PreToolUse allow + updatedInput is supported and is the right mechanism for substituting an auto-decided answer. - Pins stdin/stdout JSON schemas with field-by-field reference. - Documents matcher regex syntax for "(AskUserQuestion|mcp__.*__AskUserQuestion)" so Conductor's MCP-routed AUQ is covered. - Captures parallel-hook merge order caveat and our settings.json snippet. codex-session-format.md - Maps the on-disk ~/.codex/sessions/<date>/rollout-*.jsonl schema by event type (response_item 76%, event_msg 19%, turn_context, session_meta). - Critical finding: Codex has NO AskUserQuestion tool. Gstack AUQ-shaped Decision Briefs surface as agent_message text; answer is the next user_message. Two-tier recovery: marker-first (D18), then pattern fallback for hash-only logging. - Confirms logs_2.sqlite is internal telemetry, not session content. - Lists open questions to answer during T9 implementation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(settings-hook): schema-aware PreToolUse/PostToolUse registration Plan-tune cathedral T3 (per D4 + Codex correction). The previous bin only knew SessionStart and dedup'd on the hardcoded `gstack-session-update` substring. The cathedral needs PreToolUse + PostToolUse hooks registered side-by-side with the user's own hooks, with explicit consent UX, backups, and rollback. New subcommands: - add-event --event <SessionStart|PreToolUse|PostToolUse|...> --command <cmd> --source <tag> [--matcher <re>] [--timeout <s>] - remove-source --source <tag> # removes all entries tagged by source - diff-event ... # preview without mutating - rollback # restore latest backup - list-sources # audit gstack-tagged hooks Multi-source dedup via a new `_gstack_source` field on each hook entry (Claude Code preserves unknown fields). Source tag lets plan-tune-cathedral register PreToolUse + PostToolUse without colliding with the existing SessionStart wiring, and lets remove-source clean up cleanly during gstack-uninstall. Backups written automatically to settings.json.bak.<ts> before any mutation, with a .bak-latest pointer the rollback subcommand reads. Existing legacy `add <cmd>` / `remove <cmd>` shape preserved verbatim so setup --team and gstack-uninstall keep working unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): PostToolUse capture hook for AskUserQuestion Plan-tune cathedral T5. Closes the substrate hole that motivated this entire branch: agent-compliance-only logging produced zero events in weeks of dogfood. PostToolUse hook captures every AUQ fire deterministically. What ships: - hosts/claude/hooks/question-log-hook.ts — TS hook that reads Claude Code's hook stdin, walks tool_input.questions[*], extracts user choice + recommended option from tool_response, spawns gstack-question-log per question. - hosts/claude/hooks/question-log-hook — bash shim Claude Code's hook runner invokes; execs bun against the .ts file. - Marker-first question_id extraction (D18 progressive markers): <gstack-qid:foo-bar> stripped from question text, used as the id. Hash fallback hook-<sha1[:10]> for unmarked questions (observed-only, never used as preference key — D18 hash drift mitigation). - (recommended) label parsing for the user_choice/recommended fields, with refuse-on-ambiguous when two labels are present (D2 safety). - Free-text capture: source=auq-other + free_text field when user picks Other and types (Layer 8 dream cycle input). - Matcher covers both native AskUserQuestion and mcp__*__AskUserQuestion (Codex/Conductor catch from outside voice review). - Crash safety: always exits 0; errors land in ~/.gstack/hook-errors.log so the user's session is never blocked by a hook failure. gstack-question-log extended to: - Accept `source` field (default 'agent', new values: hook, auq-other, auto-decided, codex-import-marker, codex-import-pattern). - Accept `tool_use_id` (<=128 chars) for dedup. - Composite dedup on (source, tool_use_id) across the last 100 lines — protects against hook + preamble both firing on the same tool call (D3 belt+suspenders). - Async fire `gstack-developer-profile --derive` after each successful write so inferred.sample_size actually grows (D17 — without this, the cathedral's "before 0, after >0" metric never moves). - GSTACK_QUESTION_LOG_NO_DERIVE=1 escape hatch for tests. 9 new unit tests covering capture, marker extraction, MCP variant, free-text, dedup, ambiguous-recommended safety, crash paths. All pass plus the existing 88 tests across related files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): PreToolUse enforcement hook for AskUserQuestion preferences Plan-tune cathedral T6 — the keystone that makes never-ask actually bind. Today preferences are agent-convention (silently ignored). This hook enforces them via Claude Code's hook protocol: when a never-ask preference matches an AUQ that is two-way + has a marker + has a clear recommendation, the hook returns permissionDecision: "deny" with permissionDecisionReason naming the auto-decided option. The agent obeys the rejection feedback and proceeds with the recommended option without re-firing AUQ. Decision tree (per question): - marker absent → defer (D18: hash IDs are observed-only) - one-way door → defer (safety override — never auto-decide one-way) - always-ask preference → defer - no preference set → defer - ambiguous recommendation (two (recommended) labels OR no parseable rec) → defer (D2 refuse-on-ambiguous) - never-ask / ask-only-for-one-way + two-way + clean rec → deny+reason Preference precedence per D8: project-local (~/.gstack/projects/<slug>/question-preferences.json) wins, global (~/.gstack/global-question-preferences.json) is fallback. Why deny+reason instead of allow+updatedInput: AskUserQuestion's updatedInput shape for "pre-resolve this question" isn't structurally pinned in Claude Code docs (T4 spike open question). deny with a reason that names the auto-decided option is the conservative + reliable v1 — the model receives the rejection, reads the recommended option from the reason, proceeds without re-prompting. Swap to allow+updatedInput once the AUQ input shape is verified against real Claude Code. Since deny prevents PostToolUse from firing, this hook logs the auto-decided event itself via gstack-question-log (source=auto-decided) so /plan-tune's Recent auto-decisions surface picks it up. Also writes a session marker ~/.gstack/sessions/<id>/.auto-decided-<tool_use_id> for coordination when the AUQ-shape switch lands. Multi-question AUQ: enforcement is all-or-nothing per call. If any question in the batch isn't eligible (no marker, no preference, ambiguous rec, etc.), the whole call defers so the user still gets to answer the rest normally. Registry lookup: cheap regex extraction from scripts/question-registry.ts (reading + bun-importing the TS file from a hook is too slow). Door type defaults to two-way for unregistered. Matcher covers both native AskUserQuestion and mcp__*__AskUserQuestion (Conductor disables native — Codex outside-voice catch). 15 unit tests cover defer paths, enforcement, one-way safety override, ambiguous-rec refuse, precedence (project wins, global fallback, project-overrides-global), MCP matcher, auto-decided event logging, session marker writing, crash safety. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(scripts): declared-annotation helper + autonomy signal_key wiring Plan-tune cathedral T7. Adds the helper that lets skills inject one-line plain-English annotations on AUQ recommendations based on the user's declared profile — read-only, advisory-only, per TODOS.md E1 substrate-risk guidance (no AUTO_DECIDE off inferred). scripts/declared-annotation.ts - getDeclaredAnnotation(signal_key) → annotation | null - primaryDimensionFor(signal_key) → Dimension | null - Signature uses kebab signal_key per D2/Codex correction (registry uses hyphens; profile dimensions use underscores; helper maps internally). - Bands: >= 0.7 high, <= 0.3 low, else null. Middle band stays silent. - Per-dimension plain-English phrasing: 5 dimensions × 2 bands = 10 phrases. - Reads ~/.gstack/developer-profile.json (honors GSTACK_STATE_ROOT). scripts/psychographic-signals.ts - New signal_key 'decision-autonomy' that maps user_choice → autonomy dimension nudges. This was the missing signal for the 'autonomy' dimension — without it, the cathedral could annotate four of five declared dimensions but autonomy stayed silent. scripts/question-registry.ts - Add signal_key: 'decision-autonomy' to land-and-deploy-merge-confirm and land-and-deploy-rollback. These are the highest-leverage autonomy questions in the surface — "let me decide" vs "go ahead" is exactly what the dimension captures. 13 unit tests cover the helper's full contract (unknown keys, missing profile, middle-band null, both band thresholds, all five dimensions rendering distinct phrases). Existing 47 plan-tune.test.ts tests still pass after the registry + signal-map enrichment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(setup): install plan-tune cathedral hooks with explicit consent UX Plan-tune cathedral T8. Wires the new PostToolUse capture hook and PreToolUse enforcement hook into ~/.claude/settings.json via the schema-aware gstack-settings-hook (T3) — respecting D4's "never mutate settings.json silently" boundary and the Codex outside-voice warning. Behavior at setup time: - Idempotency: if list-sources already shows 'plan-tune-cathedral', no-op with a one-line note. - Marker present (previously declined): no-op, no re-prompt. - Interactive terminal: print rationale + diff preview from settings-hook, rollback command, and prompt y/N. On accept, register both hooks (PostToolUse and PreToolUse) with --source plan-tune-cathedral. On decline, touch ~/.gstack/.plan-tune-hooks-prompted so we don't re-ask. - Non-interactive (CI / scripted): no prompt; print the two exact commands the user would need to install manually. - --no-team teardown also removes the plan-tune hooks via remove-source. gstack-uninstall extended to clean up plan-tune-cathedral hooks alongside the existing SessionStart cleanup. Listed as a separate "plan-tune cathedral hooks" line in the REMOVED summary when it fires. No new test file — coverage from T3's gstack-settings-hook-schema-aware tests proves the underlying bin behavior; setup-level integration is verified manually (re-running ./setup is cheap and the prompt makes it obvious whether install happened). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-codex-session-import — structured Codex transcript parser Plan-tune cathedral T9. Backfills question-log.jsonl from Codex sessions since Codex has no AskUserQuestion tool (per docs/spikes/codex-session-format.md) and gstack AUQ-shaped Decision Briefs show up as agent_message prose. Walks ~/.codex/sessions/<date>/rollout-*.jsonl, matches each agent_message that contains either a <gstack-qid:foo-bar> marker or a D-numbered Decision Brief header, then pairs it with the next user_message for the answer. Two-tier recovery per D5: - marker present → source=codex-import-marker, stable question_id - no marker but D-shape detected → source=codex-import-pattern with hash-only question_id (never used as preference key per D18) Subcommands: gstack-codex-session-import # latest session gstack-codex-session-import <file> # explicit path gstack-codex-session-import --since <iso> # all sessions newer than User-choice extraction handles A/B/C letter responses and prose responses that start with the option label. Recommended option parsed via the "(recommended)" label suffix (same convention as Layer 2). Each extracted event written via gstack-question-log, so source tagging, dedup, and async derive all apply uniformly. spawnSync uses the cwd from session_meta so gstack-slug buckets events into the project the user was actually working in, not the importer's cwd. 7 unit tests cover marker path, pattern fallback, multiple briefs in sequence, missing user_message, numeric/letter user response forms, empty-sessions-dir handling. Smoke-tested against a real ~/.codex/sessions/ file from earlier today — returns IMPORTED: 0 because that session was autonomous (no AUQ-shaped prose), proving the bin doesn't false-positive on unrelated agent_message events. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-distill-free-text — Layer 8 dream cycle distiller Plan-tune cathedral T10. Reads auq-other free-text events from this project's question-log.jsonl, calls Claude via the Anthropic SDK to extract structured proposals (preference candidates, declared-profile nudges, memory nuggets), writes them to distillation-proposals.json for the user to review via /plan-tune (never autonomous — every apply requires explicit Y). Subcommands: gstack-distill-free-text # sync distill gstack-distill-free-text --background # detach + return PID gstack-distill-free-text --dry-run # emit prompt + events, no API call gstack-distill-free-text --status # run history + cost-to-date D7 rate cap: 3 distills per slug per day. Reads ~/.gstack/distill-cost.jsonl for the count, exits with RATE_CAPPED when limit hit. Cost log lines tagged by slug so sibling projects don't share the cap. Yesterday runs don't count. D6 API auth: Anthropic SDK direct, fail-loud on missing ANTHROPIC_API_KEY with explicit message that distill is a separate billing surface from the interactive Claude Code session. Uses claude-haiku-4-5 for cost (~$0.001/ 1k input, $0.005/1k output) — sufficient for structured extraction. D14 execution context: --background spawns detached (nohup) so auto-trigger during /ship doesn't add 30s of pause; results surface on next /plan-tune. Source events get distilled_at:<ts> stamped on them after the run so they don't re-propose on the next distill. Match by ts + question_id. Cost-log line per run includes: slug, proposals_count, rejected_low_confidence, input_tokens, output_tokens, cost_usd_est. /plan-tune stats reads this to show "$X estimated, N runs this month" per Layer 4 surface. 10 unit tests cover --status, rate cap (3/day, yesterday-not-counted, other-slug-not-counted), no-log/no-free-text paths, --dry-run, missing API key, --background spawn. The actual SDK call is exercised by the T16 E2E test (uses real key, ~$0.001 per run). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(bin): gstack-distill-apply — apply distillation proposals with gbrain tag Plan-tune cathedral T11. Bin that applies a single user-approved proposal from distillation-proposals.json to the right surface: - memory-nugget → appended to ~/.gstack/free-text-memory.json (durable local source-of-truth; gbrain is mirror when configured). - preference → routed through gstack-question-preference --write with source=plan-tune (clears the user-origin gate). - declared-nudge → atomic update to developer-profile.json declared dim, small=0.05, medium=0.10, large=0.15, clamped to [0, 1]. Why a separate bin (not inline in the skill template): /plan-tune's apply step needs to be invokable from any host (Claude, Codex, etc) and must write to multiple state files atomically. A bin centralizes the schema + clamp logic; the skill template just calls it after user Y. gbrain coordination: --gbrain-published true marks the nugget so /plan-tune stats can show "12 nuggets, 8 mirrored to gbrain". The skill template invokes mcp__gbrain__put_page / extract_facts / add_tag in the same turn (those are MCP tools, not CLI-callable) before calling this bin. Local file remains canonical so the PreToolUse hook injection path (T12) doesn't depend on gbrain availability. Subcommands: gstack-distill-apply --list # show pending proposals gstack-distill-apply --proposal <N> # apply, file fallback gstack-distill-apply --proposal <N> --gbrain-published true Applied proposals get applied_at + gbrain_published stamped on them so re-running --list shows only unconsumed ones. 11 unit tests cover --list (all three kinds + quotes), memory-nugget append + non-clobber, preference routing through the gate-respecting bin, declared-nudge math (medium=0.10, small=0.05, large=0.15, clamp at [0,1]), proposal mark-applied with gbrain flag, and error paths (bad index, missing --proposal). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(hooks): Layer 8 memory injection via per-session cache Plan-tune cathedral T12. Extends the PreToolUse hook to inject matching free-text-memory.json nuggets into AskUserQuestion responses, giving the agent + user the distilled context from past 'Other' answers right when the related question fires. Per-session cache (D13 perf): first read of free-text-memory.json writes ~/.gstack/sessions/<id>/memory-cache.json. Subsequent hooks on the same session take the cached path. Invalidation is by file-missing: when the canonical file changes (via gstack-distill-apply), the per-session cache either reflects the staler view for the rest of the session or the session restarts and the cache rebuilds. Cheap, correct enough for v1. Matching logic: - Walk this AUQ batch's questions, extract marker question_ids. - Look up signal_key in scripts/question-registry.ts. - Collect nuggets whose applies_to_signal_keys include any of the matched signal_keys. - Cap to 3 most-recent (by applied_at) so the additionalContext stays short. - Surface as additionalContext on the hookSpecificOutput response. Memory + enforcement interact cleanly: the same hook can both surface nuggets AND deny the tool when a never-ask preference matches. Memory context isn't doubled in the deny reason — the auto-decided option name in the deny path is sufficient signal. 6 new tests cover injection on defer, no-match silence, 3-most-recent cap, memory-alongside-deny enforcement, cache file write-through, empty-canonical graceful degradation. Existing 15 preference-hook tests still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(plan-tune): SKILL.md surfaces for cathedral T13 Plan-tune cathedral T13. Rewires plan-tune/SKILL.md.tmpl to expose the new cathedral surfaces: Step 0 routing: - Implicit gate #3 (dream-cycle): fires when distillation-proposals.json has unapplied proposals. Marker is per-proposal applied_at so re-firing naturally skips already-handled items. - Added user-intent route for "dream cycle" / "distill" / "what have I been free-texting". - Power-user shortcuts: distill, dream, audit. Stats: - Host-aware source breakdown (SOURCE_HOOK, SOURCE_AGENT, SOURCE_AUTO_DECIDED, SOURCE_CODEX_IMPORT_*, SOURCE_AUQ_OTHER). - MARKED percentage so D18 progressive-markers progress is visible. - Distill cost-to-date via gstack-distill-free-text --status. Recent auto-decisions: - Last 10 source=auto-decided events with question_id + user_choice. Lets the user spot-check enforcement and flip via always-ask. Audit unmarked questions: - Top N hash-only ids by frequency. Surfaces next candidates for the D18 marker retrofit. Dream cycle review + manual distill: - Walks unapplied proposals via AskUserQuestion (one per call), routes accepts through gstack-distill-apply with --gbrain-published flag. Skill template invokes mcp__gbrain__put_page when MCP is available; local file remains source-of-truth. Regenerated SKILL.md via `bun run gen:skill-docs`. All 60 plan-tune tests still green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(preamble): inject <gstack-qid:...> marker convention into question-tuning resolver Plan-tune cathedral T14. Per D18 progressive markers, the PreToolUse enforcement hook only fires when the AUQ question text contains a <gstack-qid:foo-bar> marker the hook can extract. Without a marker, the hook logs the fire as observed-only and skips enforcement (hash IDs drift with prose so they're never used as preference keys). The high-leverage retrofit point is the preamble's Question Tuning section, not 10 individual skill templates. Updating scripts/resolvers/question-tuning.ts adds the marker convention to every tier-≥2 skill in one change — agents running ANY of the 30+ tier-≥2 skills now embed the marker by default when the question matches a registered question_id. Two convention additions in the preamble: 1. "Embed the question_id as a marker (<gstack-qid:{id}>) somewhere in the rendered question." With explanation that the marker is the only path for the PreToolUse hook to enforce preferences. 2. "Embed the option recommendation via the (recommended) label suffix on exactly one option per AUQ." Documents the D2 parser contract: label first, prose fallback, refuse-on-ambiguous. Net cost: ~700 bytes added to the preamble per generated skill. Plan-review preamble budget ratcheted from 39000 → 40000 (test/gen-skill-docs.test.ts) with a comment explaining the cathedral T14 expansion is load-bearing. Regenerated 42 SKILL.md files via `bun run gen:skill-docs`. The token ceiling warning on ship/SKILL.md (~41K tokens) is pre-existing; this PR doesn't change ship's preamble materially. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(ship): plan-tune discoverability nudge after first successful ship Plan-tune cathedral T15 (the ship-side surface; the setup-side surface shipped in T8 with explicit hook-install consent UX). Adds Step 21 to ship/SKILL.md.tmpl: after Step 20 (persist metrics) succeeds, surface /plan-tune once per machine via a marker-gated single-line nudge. Behavior: - If ~/.gstack/.plan-tune-nudge-shown exists → no-op. - If question_tuning is already true → no-op (user already on board). - Otherwise: print one nudge line, touch marker. The nudge mentions both the observational substrate AND the hook-installed auto-decide enforcement so users know what they get when they opt in. Non-blocking — never asks a question, doesn't gate ship completion. To re-show: rm ~/.gstack/.plan-tune-nudge-shown before next ship. Setup-side discoverability shipped in T8 via the hook install prompt (explicit consent + diff preview + backup). Together these two surfaces cover first-install AND first-ship moments — the user discovers plan-tune organically rather than needing to know /plan-tune exists. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-tune): 5 cathedral E2E scenarios + touchfile registration Plan-tune cathedral T16 (per D12 — all 5 in gate tier). One consolidated file with five describeIfSelected scenarios, each selectable by its own touchfile entry so they only run when the relevant code changes (or EVALS_ALL=1 forces all): plan-tune-hook-capture — PostToolUse hook fires → question-log fills plan-tune-enforcement — never-ask + marker + 2-way → deny+reason + auto-decided event logged plan-tune-annotation — declared profile + memory nugget → additionalContext surfaced on defer plan-tune-codex-import — synthetic JSONL → import bin → log with source=codex-import-marker plan-tune-dream-cycle — apply proposal → re-fire question → memory injected via additionalContext Each scenario fixtures an isolated git repo + bins + scripts + hooks under tmp, then exercises the cathedral chain end-to-end against real on-disk binaries (no mocks at the bin layer). GSTACK_STATE_ROOT keeps the user's real ~/.gstack untouched. These five complement the existing unit tests by proving the full sub-process chain works (not just individual functions in isolation). They DON'T spawn claude -p because the cathedral's substrate behavior is deterministic — agent compliance is no longer the variable. The existing test/skill-e2e-plan-tune.test.ts (plan-tune-inspect) still covers the LLM-driven intent-routing behavior. Cost: each scenario runs in ~1s with $0 because no claude -p invocations. Touchfile-gated, so they only run on PRs that touch cathedral code. Also fixes a bug found by the E2E: question-log-hook didn't pass the incoming tool call's cwd to spawnSync when invoking gstack-question-log, so the bin used the hook process's cwd (the repo root) instead of the session's cwd. Result: log writes landed in the wrong project bucket. Fix mirrors the same cwd-passing pattern from question-preference-hook. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump VERSION to 1.50.0.0 + plan-tune cathedral CHANGELOG Plan-tune cathedral T17. Bumps VERSION 1.49.0.0 → 1.50.0.0 (MINOR per CLAUDE.md scale-aware rule: this is substantial new capability — 8 layers, ~3000 LOC, 96 new tests, deterministic substrate + dream-cycle distillation). CHANGELOG entry follows the release-summary format from CLAUDE.md: - Two-line bold headline naming what changed for users (deterministic capture, binding preferences, free-text memory loop) - Lead paragraph: before/after framed concretely (zero events captured → every fire, agent-honored → hook-enforced, declared profile → injected context, regex backfill → structured JSONL parser) - Two tables: metric deltas + layer/where-it-lives. Real numbers (96 tests, ~$0.01 per distill, 3/day cap), no AI vocabulary, no em dashes. - "What this means for solo builders" close: ties dream cycle to the compounding loop and points to ./setup as the on-ramp. - Itemized Added/Changed/For contributors sections list every layer's surfaces with file paths. Also: - Refreshed test/fixtures/golden/{claude,codex,factory}-ship-SKILL.md to match the regenerated ship templates (Step 21 nudge added). - Rebased plan-tune entry in parity-baseline-v1.47.0.0.json from 51717 → 64017 bytes with a baseline_note explaining the cathedral T13 expansion. Documents that the new Dream cycle, Recent auto-decisions, Audit unmarked, Dream cycle review/distill sections are load-bearing, not bloat. Without the rebase, the size-budget gate fails — and the cathedral's whole point is making /plan-tune do more, not less. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump VERSION 1.50.0.0 → 1.52.0.0 (queue collision with #1742) CI version gate caught: PR #1742 (garrytan/upgrade-gstack-gbrain-v1) already claims v1.50.0.0 and #1751 (garrytan/browser-memory-leak) claims v1.51.0.0. gstack-next-version util recommends v1.52.0.0 as the next free slot. Updates: - VERSION 1.50.0.0 → 1.52.0.0 - package.json version sync - CHANGELOG.md header + metric table label - parity-baseline-v1.47.0.0.json baseline_note reference No content changes; pure slot rebase per the queue. The cathedral scope (8 layers, 96 tests) and CHANGELOG narrative stay identical — same ship, different release number. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: cap audit — remove distill rate cap, loosen size/budget gates Plan-tune cathedral follow-up. The 3/day distill cap was theatrical: at ~$0.01 per Haiku call, even a runaway loop firing every minute would cost ~$14/day, and free-text events are rare enough that the natural input rate self-limits to 1-2 fires/day. Count caps don't protect against runaway bugs (which fire 1000x/second, not 4 times/day) but DO punish heavy users who'd legitimately distill multiple times during a busy week. Removed: 3/day rate cap on bin/gstack-distill-free-text. --status output swapped from "TODAY: N / 3" to "TODAY: N run(s), $X" so users see what they're spending instead of how close they are to a meaningless count. Loosened (caps that exist for real-runaway protection, not normal scope): - EVALS_BUDGET_HARD_CAP_GATE $25 → $200/run - EVALS_BUDGET_HARD_CAP_PERIODIC $70 → $500/run - EVALS_BUDGET_HARD_CAP $30 → $300/run (umbrella fallback) - GSTACK_SIZE_BUDGET_RATIO 1.05 → 1.50 per-skill ratio - plan-review preamble byte budget 40K → 60K Principle: caps exist to catch obvious bugs (infinite retry, model price change, prompt blowup), not to gate legitimate scope growth. Set high enough that real growth never trips them, only bug territory does. Adjusted defaults are 4-8× historical worst case, leaving ample headroom for the next 12 months of legitimate expansion. Tests updated: distill-free-text removes the 3-test rate-cap describe block in favor of "no rate cap" assertion that 10 runs/day pass. Other budget tests still pass because they were never near the old ceilings. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> * feat(redact): shared redaction engine + taxonomy (pure lib, no behavior change) Add the foundation for cross-skill PII/secret/legal redaction: - lib/redact-patterns.ts — canonical 3-tier taxonomy (HIGH genuinely-secret credentials, MEDIUM PII/legal/internal + high-FP credential-shaped, LOW surface-only). Tier-1 calibration: Stripe-publishable, Google AIza, JWT, and env-KV are MEDIUM not HIGH (context-variable / high-FP). Validators: Luhn, Shannon-entropy gate, RFC1918 exclusion, wallet sanity. Per-span placeholder suppression (not line-based). - lib/redact-engine.ts — pure scan() + applyRedactions(). Normalization pass (NFKC + zero-width strip + entity decode) with offset map back to original. Oversize input fails CLOSED. No visibility-based tier promotion (records repoVisibility for sterner wording only). Tool-attributed-fence WARN-degrade for obvious doc-examples. Safe preview masking (≤4 leading chars). - 100 unit tests: per-pattern positives, FP filters, validators, email allowlist, no-promotion semantics, tool-fence degrade, normalization, oversize-fail-closed, ReDoS pattern-lint + runtime budget, auto-redact (idempotent, right-to-left, structural-corruption guard). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(redact): bin/gstack-redact CLI shim over the engine Skill-facing CLI wrapping lib/redact-engine. Reads stdin or --from-file, scans, prints JSON (--json) or a human table. Exit codes 0/2/3 gate dispatch/file/edit/commit (WARN never gates). --auto-redact emits the sanitized body + diff for the PII-class one-keystroke path. --allowlist, --self-email, --repo-public-emails, --repo-visibility, --max-bytes. Fails closed on oversize at the CLI boundary before the engine even reads. 9 contract tests: exit codes, JSON shape, auto-redact, allowlist, self-email, from-file, oversize-fail-closed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(redact): opt-in pre-push hook (accident catcher) + safe installer bin/gstack-redact-prepush scans the diff being pushed for HIGH credentials and blocks on a hit, for public AND private repos (a pushed secret is compromised regardless of visibility). Correct git pre-push semantics: scans remote..local (what's being pushed), handles new-branch zero-SHA via merge-base or empty-tree fallback, force-push, and branch-delete skip. MEDIUM warns non-blocking; LOW/WARN silent. GSTACK_REDACT_PREPUSH=skip escape valve logs to prepush-skip.jsonl. bin/gstack-redact gains install-prepush-hook / uninstall-prepush-hook subcommands that chain any pre-existing hook (renamed to pre-push.local, stdin forwarded to both, exit code propagated). Guardrail not enforcement: --no-verify and the env skip both bypass; it scans only the pushed delta, not history/binary/LFS. 9 tests in a throwaway git repo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(redact): gstack-config keys redact_repo_visibility + redact_prepush_hook redact_repo_visibility (public|private|unknown) is a LOCAL override for repos gh/glab can't read; it lives in ~/.gstack/config.yaml so it can't weaken the gate repo-wide for other contributors. redact_prepush_hook (true|false) toggles the opt-in pre-push hook. No block_private key — HIGH blocks both visibilities unconditionally. Value-domain validation + 6 tests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(redact): gen-skill-docs resolver for taxonomy table + invocation block scripts/resolvers/redact-doc.ts emits two placeholders, both derived from lib/redact-patterns so skill docs never drift from the engine: - {{REDACT_TAXONOMY_TABLE}} — 3-tier table for /spec + /cso (shared source). - {{REDACT_INVOCATION_BLOCK:<sink>}} — the canonical scan-at-sink bash + prose for one enforcement point (pre-codex/pre-issue/pre-archive/pre-pr-body/ pre-pr-title/pre-commit): which-bun probe, visibility resolution (local config → gh → glab → unknown), temp-file scan-at-sink, exit 3/2/0 branches, PII auto-redact offer, guardrail-not-enforcement framing. Registered in index.ts. 12 resolver tests. No SKILL.md churn yet (no template references the placeholders until the per-skill wiring commits). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(spec,cso): wire shared redaction — semantic pass + scan-at-sink + taxonomy /spec Phase 4.5 rewrite: - Phase 4.5a: in-conversation semantic content review (named-criticism, customer complaints, unannounced strategy, NDA, codename bleed). Injection- hardened (a body containing the SEMANTIC_REVIEW marker forces flagged). Content-free audit trail to ~/.gstack/security/semantic-reviews.jsonl. - Phase 4.5b: replaces the inline 7-regex prose with the shared gstack-redact scan-at-sink (exact-byte temp file). Three enforcement points: pre-codex, pre-issue (files via --body-file from the scanned file), pre-archive (D2: sanitized body to the archive). --no-gate skips codex score only; redaction always runs, no flag disables it. /cso: renders the full generated taxonomy table as its canonical pattern catalog (shared source), keeps its git-history archaeology (different use case). lib/redact-audit-log.ts: 0600 append-only semantic-review trail (no body text). Resolver gains compact-table + brief-block variants so /spec references the catalog instead of inlining it (stays under the v1.47 size budget). Tests: extended spec invariants (semantic pass, scan-at-sink, no-promotion), audit-log, cso/spec alignment. All green; spec 1.050× / cso 1.046× baseline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(ship,document-*): redaction scan-at-sink on PR bodies + generated docs - /ship: scan the composed PR body + title before create AND edit, from a temp file (exact bytes scanned = bytes sent). HIGH blocks the PR (no skip); MEDIUM confirms per finding. Codex/Greptile/eval sections go in tool-attributed fences so example credentials those tools quote WARN-degrade instead of blocking the PR — a live-format credential inside the fence still blocks. - /document-release: scan the PR-body temp file before gh pr edit. - /document-generate: scan the staged doc diff (added lines) before commit — generated docs often carry example credentials; a live-format secret blocks. Tests: ship-template-redaction (incl. tool-fence WARN-degrade contract), document-skills-redaction. All skills stay under the v1.47 size budget. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat(redact): semantic-pass eval + CLAUDE.md docs + size/parity baselines - test/redact-semantic-pass.eval.ts: periodic-tier paid eval (EVALS=1) with 10 should-flag / should-clean fixtures + an injection-resistance case, the only way to detect semantic-pass model drift. - CLAUDE.md: "Redaction guard" section — engine/CLI/hook locations, the guardrail-not-enforcement framing, scan-at-sink, no-tier-promotion, the tool-attributed-fence convention, the config keys, and the audit log. - /cso uses the compact (HIGH-tier) taxonomy table so it fits under BOTH the v1.47 and the older v1.44.1 parity ceilings; full MEDIUM/LOW lives in lib/redact-patterns.ts. Alignment test asserts the HIGH-tier contract. - Refresh the ship golden baselines (claude/codex/factory) for the PR-body redaction wiring. Full free suite green (incl. skill-size-budget + parity 10/10). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * v1.52.1.0 feat: brain-aware planning — 5 skills read structured gbrain context before asking (#1742) * feat(brain): brain-cache-spec.ts — single source of truth for cache layer Foundation for the brain-aware planning skills work (v1.48 plan / D2). One TS const file consolidates BRAIN_CACHE_ENTITIES (8 entities × TTL + budget + invalidation rules), SKILL_DIGEST_SUBSETS (per-skill which files to load), SALIENCE_DEFAULT_ALLOWLIST (D9 privacy gate), SKILL_CALIBRATION_WEIGHTS (Phase 2 E5), and policy / identity / schema constants. Drift between docs and runtime becomes impossible by construction: resolver, cache CLI, and test/skill-preflight-budget.test.ts all import from the same module. test/brain-cache-spec.test.ts: 19 invariant assertions (subset/entity consistency, per-skill achievability, allowlist sanity, transport defaults, user-slug fallback chain, lock timeout, retention policy). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): gstack-core@1.0.0 schema pack (T1 / Phase 0) Defines 8 typed page kinds for the brain entity model: gstack/user-profile, gstack/product, gstack/goal, gstack/developer-persona, gstack/brand, gstack/competitive-intel, gstack/skill-run, gstack/take Each declares frontmatter shape (typed fields with required/optional flags), retention policy (immutable / archive-after-90d / never-archive), and emits_links graph for mcp__gbrain__schema_graph rendering. getSchemaPackMutationPayload() returns JSON in the shape accepted by mcp__gbrain__schema_apply_mutations. Idempotent registration: gbrain skips when pack+version already installed. test/gstack-schema-pack.test.ts: 16 invariants on pack shape, retention policies, link verb consistency, JSON serializability. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): gstack-brain-cache CLI (T2a) — core subcommands bin/gstack-brain-cache: TS CLI with five subcommands: get <entity-name> [--project <slug>] refresh [--full] [--entity X] [--project <slug>] invalidate <entity-name> [--project <slug>] digest <entity-slug> meta [--project <slug>] Cache layout per Phase 0.5 design: ~/.gstack/brain-cache/ ← cross-project (user-profile) ~/.gstack/projects/<slug>/brain-cache/ ← per-project (everything else) Per-entity TTL drives staleness; per-entity byte budgets enforce compression at write time. Atomic writes via tmp+rename. Stale-but-usable fallback when brain unreachable (returns cached digest with diagnostic prefix instead of failing). Schema-version mismatch + endpoint switch both trigger full rebuild for the affected scope (D4 A4). Fetch+compress paths wired for the 7 entities (user-profile, product, goals, developer-persona, brand, competitive-intel, recent-decisions, salience) via gbrain CLI shell-out — works for local PGLite and local-stdio MCP, transparent over the existing spawnGbrain helper. Concurrent-refresh dedup (D3 / T15) is a follow-up commit. Salience allowlist gate (D9 / T17) is a follow-up commit. Bootstrap + lifecycle subcommands (T2b / T18) are follow-up commits. test/brain-cache-roundtrip.test.ts: 11 tests covering path resolution, meta lifecycle, endpoint detection, schema mismatch behavior, and the four cache states (warm / cold-refreshed / stale-fallback / missing). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): concurrent-refresh lockfile dedup (T15 / D3) When autoplan dispatches 4 planning skills back-to-back and they all hit a cold-miss on the same digest, only ONE actually fetches from the brain. The rest dedup via the project-scoped lockfile at ~/.gstack/projects/<slug>/brain-cache/.refresh.lock. Reuses the 5-min stale-takeover convention from /sync-gbrain. Lock is taken over when: - File is older than CACHE_REFRESH_LOCK_TIMEOUT_MS - PID is on the same host and dead (process.kill(pid, 0) fails) - Lock file is corrupt (defensive) withRefreshLock(projectSlug, fn) returns either the callback's value or the literal 'dedup'. The CLI emits exit code 3 + diagnostic stderr on dedup, so callers can choose to wait + retry (resolver does this) or fall through to stale-but-usable behavior. test/cache-concurrent-refresh.test.ts: 7 tests covering acquire/release, stale-takeover, dead-PID takeover, corrupt-lock recovery, error-path release, and cross-project lock location. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): salience privacy allowlist gate (T17 / D9) D9 cross-model finding from codex outside voice: salience-sourced digests can include emotionally-weighted personal pages (family, therapy, reflection). Pulling those into a coding-review prompt leaks sensitive context into work-flow reasoning. fetchSalience now strips entries whose slugs don't match an allowlist prefix BEFORE writing to the cache file. Default allowlist is SALIENCE_DEFAULT_ALLOWLIST = ['projects/', 'concepts/', 'gstack/']. User can extend via: gstack-config set salience_allowlist 'projects/,gstack/,concepts/,custom/' or override with GSTACK_SALIENCE_ALLOWLIST env var. Digest still records the strip count for transparency. Empty result emits 'all N entries stripped' note rather than silent absence. test/salience-allowlist.test.ts: 9 tests covering default permits, default blocks, empty allowlist, env override, whitespace trimming, and the invariant that defaults contain nothing sensitive (personal, family, therapy, reflection, private, medical, health). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): bootstrap + list + purge subcommands (T2b / T18) T2b — bootstrap synthesizes draft entity content from CLAUDE.md + README + recent learnings.jsonl and emits as JSON for the caller. Skill template is responsible for the AUQ-confirm-before-write flow (D10 T4 extraction- review requirement). Cli stays pure (no AUQ logic); agent owns user interaction. T18 — list/purge subcommands close the lifecycle loop: list [--project <slug>] — enumerate gstack-owned pages in brain (probe all 8 gstack/* page types) purge <slug> — delete one gstack page, refuses non-gstack/ slugs (defensive) list defaults to all-projects (cross-project user-profile included). With --project, filters to per-project pages plus the cross-project user-profile. --json flag emits machine-readable output for the agent. Retention sweep + audit subcommand are deferred to a follow-up commit (they need the lifecycle scheduling design, not just CLI plumbing). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(brain): brain-aware planning resolvers + 3 new placeholders (T4) scripts/resolvers/gbrain.ts adds: - generateBrainPreflight(ctx) — emits per-skill ## Brain Context block + bash that loads digests via gstack-brain-cache get (one call per digest). Per-skill subset comes from SKILL_DIGEST_SUBSETS (single source). - generateBrainCacheRefresh(ctx) — at-skill-end background refresh hook; non-blocking; warms cache for next run. - generateBrainWriteBack(ctx) — Phase 2 / E5 calibration write-back with per-skill weight. Gated on …
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes four CDP-resource leak classes in the browse server and ships
$B memoryso the next OOM lands with receipts instead of a screenshot.CDP-resource leak fixes:
wirePageEvents.requestfinishedno longer callsawait res.body()to read.length— usesreq.sizes()(pulls fromNetwork.loadingFinishedwithout materialization). Multi-GB/hour Buffer churn → zero body allocation.newCDPSessioncall sites migrated towithCdpSession/getOrCreateCdpSessionlifecycle helpers with try/finally detach and close-detach. Static-grep tripwire (browse/test/cdp-session-cleanup.test.ts) fails CI on regression.modificationHistorycapped at 200 with FIFO eviction; undo error names the evicted count when out of range./activity/stream+/inspector/eventsrefactored through newcreateSseEndpointhelper with cleanup on abort + enqueue-throw + heartbeat-throw (idempotent). Pre-helper: only abort fired cleanup; TCP-died-without-abort leaked the subscriber + controller forever.Diagnostic stack:
$B memorycommand +/memoryHTTP endpoint (SSE-session-cookie gated) returning Bun heap, per-tab JS heap (CDPPerformance.getMetrics), Chromium process tree (SystemInfo.getProcessInfo), bounded buffer sizes./memoryevery 30s with adaptive backoff (5min if response time >2s). Color-coded: orange at 2 GB Bun RSS / 50 tabs, red at 8 GB / 200 tabs.Tab guardrail UX:
$B closetab) + Snooze persisted inchrome.storage.session.Net: 24 files, +2306 / -143 across browse server (TS), gstack extension (JS/HTML/CSS), and tests.
Test Coverage
browse/src/cdp-bridge.tsbrowse/src/cdp-inspector.tsbrowse/src/sse-helpers.tsbrowse/src/browser-manager.tsbrowse/src/memory-snapshot.ts(formatBytes)browse/src/memory-command.tsbrowse/src/commands.tsbrowse/src/server.ts(refactored endpoints)extension/sidepanel.{html,js,css}Tests: 6 new files, 45 new tests, all passing. Critical leak-fix paths (CDP session lifecycle, body materialization, history cap, tab guardrail, SSE cleanup) all at 100% with invariant tests + a static-grep tripwire. Extension UI tests deferred (no extension test harness in this repo today; would require extracting
fmtBytesShort+tabRamScorefromsidepanel.jsto a testable TS module).Reproducer test (
browse/test/memory-leak-reproducer.test.ts) pins the body-materialization invariant: 200 concurrentrequestfinishedevents with notional 1 MB responses, assertsres.body()is never called. Pre-fix would have allocated 200 MB of Buffer.Pre-Landing Review
Two reviewers ran adversarial passes. Findings classified as informational/follow-up since the fixes' invariants are pinned by tests.
Claude adversarial subagent (3 critical, 2 high, 4 med, 3 low):
getOrCreateCdpSessionclose-vs-create race can leak a session ifpage.close()fires during theawait newCDPSession. Mitigation: rare race; close-detach path catches the common case.framenavigatedlistener fires for iframes too (not just main frame); inspector session may be invalidated by an iframe load instead of a real navigation.modificationHistoryundo throughsetStyleTextspath can silently evict the oldest entry at the 200 cap (push-evict-pop race).newCDPSessionbut notnewBrowserCDPSession— extend regex.Codex adversarial + structured review (1 high, 3 med):
/memoryperforms unbounded sequential per-tab CDP work with no server-side timeout; client has 8s timeout + 5min backoff which bounds client but not server.addEventListener('abort')registration)./memoryblanket auth gate at server.ts:2666 runs before per-route cookie auth check; EventSource cookie consumers may hit 401 (also affects pre-existing/inspector/events).pollMemoryOncereschedules after disconnect;memToastSnooze.heapAboveuses| 0coercion which clips above 4 GB.These are queued as P2/P3 follow-up items. The fixes' core invariants (no body materialization, CDP session detach pinned by tripwire, modificationHistory bounded, SSE abort-edge cleanup) are pinned by tests in this PR.
Eval Results
Full eval suite ran to completion. 11 evals passed (~$4.55 spent); 5 failures all pre-existing on
main:Passed (11, $4.55 total):
Failed (5, pre-existing on main):
git diff origin/main...HEAD --name-only | grep -i iosempty/sidebar-command→ 404CLAUDE.md"Sidebar architecture": "chat queue path was ripped once the PTY proved out;/sidebar-command... endpoints are gone"/sidebar-command→ 404/sidebar-command→ 404All 5 failures are independently verifiable: my branch touches no files referenced by these tests, and the failing endpoint (
/sidebar-command) is documented as removed inCLAUDE.md. Per the eval-failure-blame protocol, I'd run these onmainto confirm but the file-diff evidence is conclusive.Plan Completion
$B memory+/memory+ sidebar footer)requestfinishedreq.sizes()instead of context-level CDP listener; same goal, simpler; single-context architecture deferred to TODOS P3)TODOS
4 P2/P3 follow-ups filed in TODOS.md:
$B memoryNetwork.loadingFinished(D10 stretch goal)Documentation
Doc diff preview
memory [--json]row to the Server lifecycle command table.server.tsMUST route throughcreateSseEndpoint(browse/src/sse-helpers.ts); owns the cleanup contract (abort + enqueue-throw + heartbeat-throw, idempotent) + bakes insanitizeLoneSurrogates. Pinned bybrowse/test/sse-helpers.test.ts.newCDPSessioncalls outsidecdp-bridge.tsfail CI via the static-grep tripwire inbrowse/test/cdp-session-cleanup.test.ts. UsewithCdpSession(one-shot) orgetOrCreateCdpSession(cached) instead. Three sites migrated.Already-updated docs on this branch: SKILL.md, browse/SKILL.md, gstack/llms.txt (memory command via
gen:skill-docs), CHANGELOG.md (v1.51.0.0 release-summary + itemized changes), TODOS.md (4 follow-ups filed).Test plan
bun test) — 497 targeted-module tests, 0 failuresnewCDPSessionoutsidecdp-bridge.ts/activity/stream+/inspector/eventscontract preserved throughcreateSseEndpointrefactor (verified bydual-listener.test.ts+activity.test.tspassing)$B memorysnapshot in headed Chromium with 5+ tabs open🤖 Generated with Claude Code