gstack

hai/gstack

Fork 0

mirror of https://github.com/garrytan/gstack.git synced 2026-05-11 23:17:26 +08:00

Commit Graph

Author	SHA1	Message	Date
Garry Tan	5d4fe7df07	v1.31.0.0 fix: delete AskUserQuestion fallback (root cause of forever war) + harness primitives (#1390 ) * test: add multi-finding batching regression test (periodic tier) Adds a periodic-tier E2E that catches the May 2026 transcript bug shape the existing single-finding gate-tier floor test cannot detect: a model that fires one AskUserQuestion and then batches the remaining findings into a single "## Decisions to confirm" plan write + ExitPlanMode. Why a separate test from skill-e2e-plan-eng-finding-floor: the gate-tier floor (runPlanSkillFloorCheck) exits on the first AUQ render and returns success, so a once-then-batch model would pass it trivially. This test uses runPlanSkillCounting at periodic tier with N-AUQ tracking and asserts >= 3 distinct review-phase AUQs on a 4-finding seeded plan. - test/fixtures/forcing-finding-seeds.ts: FORCING_BATCHING_ENG fixture (4 distinct non-trivial findings spread across Architecture, Code Quality, Tests, Performance — mirrors the D1-D4 transcript shape) - test/skill-e2e-plan-eng-multi-finding-batching.test.ts: new test - test/helpers/touchfiles.ts: registered in BOTH E2E_TOUCHFILES and E2E_TIERS (touchfiles.test.ts asserts exact equality) Test will fail on baseline today because today's model uses the preamble fallback to batch findings; passes after the architectural fix lands in a follow-up commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: expand plan-mode pass envelopes to accept BLOCKED path Three existing plan-mode regression tests previously codified the preamble fallback as a valid PASS path under --disallowedTools AskUserQuestion: outcome=plan_ready was accepted only when the model wrote a "## Decisions to confirm" section. The forever-war fix deletes that fallback, so this assertion would fail post-deletion. Expanded envelope accepts EITHER: - 'plan_ready' WITH (## Decisions section [legacy] OR BLOCKED string visible in TTY [post-fix]) - 'exited' WITH BLOCKED string visible in TTY [post-fix] The legacy ## Decisions branch stays in the envelope so these tests keep passing on today's code (where the fallback still exists) and on tomorrow's code (where the model reports BLOCKED instead). Once the deletion has been on main long enough that the cache flushes, the legacy branch can be removed in a follow-up. Failure signals (regression we DO want to catch) unchanged: auto_decided / silent_write / timeout / exited-without-BLOCKED / plan_ready-without-(decisions OR BLOCKED). - test/skill-e2e-plan-ceo-plan-mode.test.ts (test 2 only) - test/skill-e2e-autoplan-auto-mode.test.ts - test/skill-e2e-plan-design-plan-mode.test.ts Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix: delete AskUserQuestion fallback (root cause of forever war) The /plan-eng-review skill failed to fire AskUserQuestion on a real plan review and surfaced 4 calibration decisions via prose instead. Investigation traced this to a "fallback when neither variant is callable" clause in the preamble that the model rationalizes around as a general escape hatch from "fanning out round-trip AUQs," even when an AUQ variant IS callable. Codex review confirmed the fallback exists in 8 inline sites with 2 surviving escape hatches the original narrowing missed (a "genuinely trivial" exception duplicated across all 4 plan-* templates, and a "outside plan mode, output as prose and stop" branch in the preamble itself). Net deletion in skill text. Closes both branches of the deleted fallback (plan-file write AND prose-and-stop) and the trivial-fix exception with a single hard rule: If no AskUserQuestion variant appears in your tool list, this skill is BLOCKED. Stop, report `BLOCKED — AskUserQuestion unavailable`, and wait for the user. Honest about being a model directive, not a runtime guard — none of the PTY harness helpers enforce BLOCKED today. The architectural improvement is that the model has fewer alternatives to obey it against. Runtime enforcement is a follow-up TODO. Sources changed: - scripts/resolvers/preamble/generate-ask-user-format.ts: delete both fallback branches; replace with 1-line BLOCKED rule - scripts/resolvers/preamble/generate-completion-status.ts: delete fallback in generatePlanModeInfo - plan-eng-review/SKILL.md.tmpl: delete fallback at Step 0 + Sections 1-4 (5 instances) + delete trivial-fix exception - office-hours/SKILL.md.tmpl: delete fallback in approach-selection - plan-ceo-review/SKILL.md.tmpl: delete trivial-fix exception - plan-design-review/SKILL.md.tmpl: delete trivial-fix exception - plan-devex-review/SKILL.md.tmpl: delete trivial-fix exception Generated SKILL.md regen lands in a follow-up commit per the bisect convention (template changes separate from regenerated output). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: regenerate SKILL.md after fallback deletion Regenerates all 47 generated SKILL.md files (default + 7 host adapters) after the template/resolver edits in the prior commit. Pure mechanical output of `bun run gen:skill-docs`; no hand-edits. Verifies fallback deletion landed across the entire skill surface: - zero hits for "Decisions to confirm" in canonical SKILL.md / .tmpl - zero hits for "no AskUserQuestion variant is callable" - zero hits for "genuinely trivial" - BLOCKED rule present in 42 generated SKILL.md (every Tier-2+ skill) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): detect prose-rendered AskUserQuestion in plan mode When --disallowedTools AskUserQuestion is set and no MCP variant is callable, the model surfaces decisions as visible prose options ("A) ... B) ... C) ..." or "1. ... 2. ... 3. ...") rather than via the native numbered-prompt UI. isNumberedOptionListVisible doesn't catch these because the ❯ cursor sits on the empty input prompt rather than on option 1, so runPlanSkillObservation and runPlanSkillFloorCheck would time out at 5-10 minutes per test even though the model was correctly waiting for user input. This was exposed by the v1.28 fallback deletion: pre-deletion the model used the preamble fallback to silently auto-resolve to plan_ready in this scenario. Post-deletion the model correctly surfaces the question and waits, but the harness couldn't tell. isProseAUQVisible matches: - 2+ distinct lettered options at line starts (A/B/C/D form) - 3+ distinct numbered options at line starts WITHOUT a `❯ 1.` cursor (so it doesn't double-fire on native numbered prompts) Wired into: - classifyVisible (used by runPlanSkillObservation) → returns outcome='asked' instead of timeout - runPlanSkillFloorCheck → counts as auq_observed (floor met) 8 new unit tests in claude-pty-runner.unit.test.ts cover the lettered shape, numbered shape, threshold edges, native-cursor exclusion, and mid-prose false-positive guard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): LLM judge for waiting-vs-working PTY state + snapshot logs Regex detectors (isNumberedOptionListVisible, isProseAUQVisible) are fast and free, but PTY rendering quirks fragment prose AUQ option lists across logical lines that no regex can reliably reassemble. When detection misses, polling loops time out at the full budget even though the model is correctly waiting for user input. Adds judgePtyState — a Haiku-graded trichotomy classifier: - waiting: agent surfaced a question/options, sitting at input prompt - working: spinner / tool calls / generation in progress - hung: stopped without surfacing anything (rare crash signal) Wired as a fallback into the polling loops of runPlanSkillObservation and runPlanSkillFloorCheck: after 60s with no regex hit, snapshot the TTY every 30s and call the judge. On 'waiting' verdict, return outcome=asked / auq_observed early. On 'working' or 'hung', enrich the eventual timeout summary with the verdict so failures are diagnosable. Implementation: - Spawns `claude -p --model claude-haiku-4-5 --max-turns 1` synchronously with prompt piped via stdin (subscription auth, no API key env required) - In-process cache keyed by SHA-1 of normalized last-4KB so identical spinner-frame snapshots don't re-charge - Best-effort JSONL log to ~/.gstack/analytics/pty-judge.jsonl with timestamp, testName, state, reasoning, hash, judge wall time - 30s timeout per call; returns state='unknown' with diagnostic on any failure mode (timeout, malformed JSON, missing claude binary) Snapshot logging: when GSTACK_PTY_LOG=1 is set, dump last 4KB of visible TTY at every judge tick to ~/.gstack/analytics/pty-snapshots/<test>- <elapsed>ms.txt — postmortem trail for debugging flakes. Cost: ~$0.0005 per call; ~10 calls per 5-min test budget; ~$0.005 per test added in worst case (only when regex detectors miss). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: accept prose-AUQ visible as third valid surface in plan-mode envelopes The first re-run after wiring the LLM judge revealed that the model also emits a third surface I hadn't anticipated: a properly-formatted question with options ("Pick A, B, or C in your reply") rendered as prose AND followed by ExitPlanMode (outcome=plan_ready). The migrated tests only accepted (## Decisions section) OR (BLOCKED string) — neither matched this case, so the test failed even though the user clearly saw the question. Three valid surfaces now: 1. `## Decisions to confirm` section in plan file (legacy fallback path, still valid through migration window) 2. `BLOCKED — AskUserQuestion` string in TTY (post-v1.28 BLOCKED rule) 3. Numbered/lettered options visible in TTY as prose (post-v1.28 prose rendering — uses the existing isProseAUQVisible detector) Also fixes assertReportAtBottomIfPlanWritten to be tolerant of: - Missing files (path detected from TTY but file not persisted) — was throwing ENOENT on plan_design_plan_mode and plan_ceo_plan_mode test 1 - 'asked' outcome (smoke test exited at first AUQ before the model reached the report-writing step) — was throwing on the 1 fail in the plan-eng-plan-mode --disallowedTools test Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: drop GSTACK REVIEW REPORT contract from --disallowedTools migrations The plan-ceo / plan-design --disallowedTools migrated tests called assertReportAtBottomIfPlanWritten as the final assertion, but that contract is for full multi-section review completions. Under --disallowedTools AskUserQuestion the model can't run the full review (no AUQ tools to ask findings questions through), so it exits at Step 0 with either prose-AUQ rendering or the legacy decisions fallback. A plan file written in that mode WON'T have a GSTACK REVIEW REPORT section — the workflow never reached the report-writing step. The contract is still enforced by the periodic finding-count tests (skill-e2e-plan-{ceo,eng,design,devex}-finding-count.test.ts), which DO run the full review end-to-end and assert report-at-bottom there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): high-water-mark prose-AUQ tracking across polling iterations The autoplan E2E surfaces a brief prose-AUQ window (model emits options, waits ~30s for non-existent test responder, then resumes thinking) that the existing polling loop misses: by judge-tick time the buffer has moved into spinner state, so the LLM judge correctly reports 'working' and the loop times out at 5min. Adds two flags tracked across polling iterations: - proseAUQEverObserved: set true the first tick isProseAUQVisible returns true on the recent buffer - waitingEverObserved: set true on the first LLM judge 'waiting' verdict At timeout, if either flag is set, return outcome='asked' with a summary explaining the historical signal. The model DID surface the question — we just missed the live-state window. Snapshot logged with tag='prose-auq-surfaced' when GSTACK_PTY_LOG=1 for postmortem trace. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: migrate plan-eng-plan-mode test 2 envelope to match other plan-mode tests The plan-ceo, plan-design, and autoplan plan-mode tests under --disallowedTools all moved to the same surface-visibility envelope (decisions section OR BLOCKED string OR prose-AUQ visible) and dropped the GSTACK REVIEW REPORT contract because the workflow can't complete without AUQ tools. plan-eng-plan-mode test 2 had been left on the old envelope and was the last failing test. This commit migrates it to match. Also lifts 'exited' out of the failure list and into a guarded path (acceptable when surface-visible). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): isProseAUQVisible — gate numbered path on tail, not full buffer The numbered-options branch of isProseAUQVisible deferred to isNumberedOptionListVisible whenever a `❯ 1.` cursor was visible in the full buffer. But the boot trust dialog (`❯ 1. Yes, trust`) lives in scrollback for the entire run, so this gate suppressed prose-numbered detection for any session that had the trust prompt at startup — i.e., every E2E run after the first user-trust acceptance. Fix: check only the last 4KB tail. Native-UI deferral applies when the cursor list is CURRENTLY rendered, not historically present in scrollback. Adds a regression test that puts the trust dialog in early scrollback + 5KB filler + a current prose-AUQ render, asserts true. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): isProseAUQVisible — lower numbered threshold to 2 (matches lettered) The 4KB tail window often contains only options 2-4 of a 4-option numbered prose AUQ because the model emits the question header + option 1 several KB earlier in the buffer. The threshold of 3 distinct numbered markers caused the detector to miss real prose AUQs whenever option 1 had scrolled out. Threshold 2 matches the lettered branch and is still tightly gated by: - Line-start anchoring (no false positives on inline `1.` references) - No-cursor gate (defers to native UI when ❯ 1. is currently rendered) - The 4KB tail window itself (prose-AUQ rendering happens at the end of the model's response, so options are clustered in the tail) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: expose high-water-mark flags through PlanSkillObservation The 2KB obs.evidence window often misses the prose-AUQ moment because ExitPlanMode UI ("Ready to execute" + numbered approve/reject prompt) pushes the model's earlier option list out of the tail by the time outcome=plan_ready fires. Tests checking "did the user see a question" need to consult historical state, not just the truncated final tail. Adds two optional fields to PlanSkillObservation: - proseAUQEverObserved: true if isProseAUQVisible was true at any tick - waitingEverObserved: true if the LLM judge ever returned 'waiting' The 4 plan-mode --disallowedTools tests now check these flags as part of the surfaceVisible computation: isProseAUQVisible(obs.evidence) \|\| obs.proseAUQEverObserved === true blockedVisible \|\| proseAUQVisible \|\| obs.waitingEverObserved === true This catches the autoplan / plan-ceo / plan-eng case where the model surfaces options briefly, fails to get a response, then keeps thinking — eventually emitting ExitPlanMode and pushing options out of evidence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-ceo): bump --disallowedTools test timeout to 10 min Last 5 runs showed the model under --disallowedTools spending the full 5-min budget in 'high effort thinking' before surfacing options. The LLM judge correctly reports state=working at every 30s tick, so the high-water-mark fallback never fires. 10-min budget gives the model 20 judge windows to eventually surface the question. Outer bun timeout bumped accordingly to 660s (inner +60s). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(plan-ceo): pre-prime --disallowedTools test with concrete plan content Root cause of the persistent timeout: under --disallowedTools, the model can't fire the AUQ tool to ask "what should I review?" — it has to prose-render that question. Prose-rendering a 4-option choice requires the model to first enumerate every option, which spent the full 5min budget in 'high effort thinking' (8 consecutive 'state=working' verdicts from the LLM judge). Fix: pass initialPlanContent (already supported by runPlanSkillObservation) with a CEO-review-shaped seed plan (vague success metric, missing premise, scope creep smell). The model now has concrete material to critique on entry, bypasses the scope-deliberation loop, and moves directly to surfacing Step 0 / Section 1 findings — the actual behavior we want to regression-test. Reverted timeout from 600_000 back to 300_000 since the 5-min budget is plenty when the model has a real plan to work with. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test: delete --disallowedTools AskUserQuestion-blocked test variants These tests simulated a fictional environment that doesn't exist in production. Real Conductor sessions launch claude with `--disallowedTools AskUserQuestion` AND register `mcp__conductor__AskUserQuestion` — the model has the MCP variant. But the tests passed `--disallowedTools` without standing up any MCP server, so they tested "model behavior with NO AUQ available," which no real user state produces. Combined with bare `/plan-ceo-review` invocation (no follow-up content), this forced the model into a 5+ minute deliberation loop trying to prose-render a question with options it had to first invent. The result was persistent flakes that consumed nine paid E2E runs trying to fix "the model takes too long" — but the actual problem was the test configuration, not the model. Removals: - test/skill-e2e-autoplan-auto-mode.test.ts (deleted; the entire file was a single AUQ-blocked test) - test/skill-e2e-plan-ceo-plan-mode.test.ts test 2 (the migrated --disallowedTools test); test 1 (baseline plan-mode smoke) stays - test/skill-e2e-plan-design-plan-mode.test.ts test 2 (same shape); test 1 stays - test/skill-e2e-plan-eng-plan-mode.test.ts test 2 (same shape); test 1 (baseline) and test 3 (STOP-gate with seeded plan, different contract) stay - test/helpers/touchfiles.ts: autoplan-auto-mode entry removed - test/touchfiles.test.ts: assertion count + commentary updated Coverage retained: test 1 of each plan-mode file already verifies the model fires AUQ; the periodic finding-count tests verify per-finding AUQ cadence end-to-end. The harness improvements landed during this debugging cycle (isProseAUQVisible regex, LLM judge, snapshot logging, high-water-mark tracking, ENOENT-tolerant assertReportAtBottomIfPlanWritten) all stay — they're useful for the remaining plan-mode tests that can also encounter prose rendering and slow-thinking phases. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: bump version and changelog (v1.31.0.0) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-09 17:01:13 -07:00
Garry Tan	19e699ab9b	v1.26.4.0 fix: GSTACK REVIEW REPORT delete-then-append (no more mid-file leftovers) (#1335 ) * fix: GSTACK REVIEW REPORT delete-then-append flow Replaces contradictory "replace it entirely" + "always last section / move if mid-file" bullets in scripts/resolvers/review.ts with a single delete-then-append rule. Adds Read-tool verification step so the agent self-checks before continuing. Affected SKILL.md files (regenerated): plan-ceo-review, plan-design-review, plan-devex-review, plan-eng-review, codex, devex-review. * test: static template assertions for delete-then-append + revert autoplan E2E shape 5 new static tests in test/gen-skill-docs.test.ts (4 plan-review SKILL.md files + 1 source resolver) verify the new prompt language is present and the old contradictory bullets are absent. Synthetic regression check confirmed all 5 fail when the prompt fix is reverted. The autoplan E2E (skill-e2e-autoplan-auto-mode.test.ts) reverts to its original AUQ-blocked-gate-surface shape. The mid-file regression scenario the plan briefly proposed isn't reachable in the current PTY harness because --disallowedTools AskUserQuestion makes autoplan bail at the Phase 1 premise gate before any review-write code path runs. Static prompt-text verification covers the load-bearing change. * chore: bump version and changelog (v1.26.4.0) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 21:18:35 -07:00
Garry Tan	6e1625c0d7	v1.25.0.0 fix: AskUserQuestion resolves to host MCP variant when native is disallowed (#1287 ) * test(harness): plumb extraArgs and auto_decided outcome through PTY runner runPlanSkillObservation now accepts extraArgs that pass through to launchClaudePty (which already supported them at the lower level), and exposes a new 'auto_decided' outcome detected via isAutoDecidedVisible when the AUTO_DECIDE preamble template fires (Auto-decided ... (your preference)). Both pieces are needed for the v1.21+ AskUserQuestion-blocked regression tests in the next commit. Detection order is deliberate: 'asked' (rendered numbered list) wins over 'auto_decided' (text only, no list), which wins over 'plan_ready' so the auto-decide evidence isn't masked by a downstream plan-mode confirmation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(e2e): add AskUserQuestion-blocked regression cases for 6 plan-mode skills Conductor launches Claude Code with --disallowedTools AskUserQuestion --permission-mode default --permission-prompt-tool stdio (verified by inspecting the live conductor claude process via ps -p ... -o args=). Native AskUserQuestion is removed from the model's tool registry; without fallback guidance the plan-mode skills (plan-ceo-review, plan-eng-review, plan-design-review, plan-devex-review, autoplan, office-hours) silently proceed and never surface decisions to the user. Adds 6 gate-tier real-PTY regression cases: - 4 inline test cases inside the existing plan-X-review-plan-mode.test files, each exercising the same skill with extraArgs ['--disallowedTools', 'AskUserQuestion'] and asserting outcome === 'asked'. plan-design-review keeps the ['asked', 'plan_ready'] envelope (legitimate short-circuit on no-UI-scope) but explicitly fails on 'auto_decided'. - 2 standalone test files for autoplan + office-hours (which had no prior plan-mode test). autoplan asserts the FIRST non-auto-decided gate fires (Phase 1 premise confirmation) — autoplan auto-decides intermediate questions BY DESIGN. Touchfile entries: - autoplan-auto-mode + office-hours-auto-mode added to E2E_TOUCHFILES + E2E_TIERS (gate) - existing plan-X-review-plan-mode entries gain question-tuning.ts and generate-ask-user-format.ts touchfile deps so AUTO_DECIDE-related resolver changes correctly invalidate the regression tests - touchfiles.test.ts count updated 18 -> 19 to cover the autoplan touchfile dependency on plan-ceo-review/** Filenames retain `auto-mode` for branch-history continuity. Auto-mode (the AUTO_DECIDE preamble path when QUESTION_TUNING=true) is a related but distinct silencing mechanism; both share the same fix surface in the preamble. These tests are expected to FAIL on this branch until the fix lands. The failure is the receipt for the regression. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(preamble): teach the model to prefer mcp____AskUserQuestion when registered When a host launches Claude Code with --disallowedTools AskUserQuestion (Conductor does this by default — verified via ps on the live conductor claude process), the native AskUserQuestion tool is removed from the model's tool registry. Skill templates that say "call AskUserQuestion" silently fail in that environment: the model can't ask, the user never sees the question, the skill auto-proceeds without input. The fix is preamble guidance, not a skill-template change: generate-ask-user-format.ts: new "Tool resolution" section at the top of the AskUserQuestion Format block. Tells the model that "AskUserQuestion" can resolve to two tools at runtime — the host MCP variant (e.g. mcp__conductor__AskUserQuestion, registered when the host injects it) and the native tool — and to PREFER any mcp____AskUserQuestion variant. Same questions/options shape; same decision-brief format. If neither variant is callable, fall back to writing a "## Decisions to confirm" section into the plan file plus ExitPlanMode (the native plan-mode confirmation surfaces it). Never silently auto-decide. generate-completion-status.ts: the plan-mode-info block (preamble position 1) now explicitly notes that AskUserQuestion satisfies plan mode's end-of-turn requirement for "any variant" and points at the Tool resolution section for the fallback path. This puts the resolution rule in front of every tier-≥2 skill via the preamble, so plan-mode review skills (plan-ceo-review, plan-eng-review, plan-design-review, plan-devex-review, autoplan, office-hours) all gain the fix without per-template surgery. Includes regenerated SKILL.md files for all 41 skills + the 3 host-ship golden fixtures used by test/host-config.test.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(periodic): AUTO_DECIDE opt-in preserved under Conductor flags Periodic-tier eval that exercises the legitimate /plan-tune AUTO_DECIDE path under the same flags Conductor uses (--disallowedTools AskUserQuestion). Confirms the new Tool resolution preamble doesn't trip opt-in users: when the user has set a never-ask preference for a question, the model should auto-pick (outcome 'auto_decided' or 'plan_ready') rather than surface the prompt. Setup runs in an isolated GSTACK_HOME tmpdir — never touches the user's real ~/.gstack state. Writes question_tuning=true + a never-ask preference for plan-ceo-review-mode (source: 'plan-tune', which bypasses the inline-user origin gate). Spawns claude with --disallowedTools AskUserQuestion in plan mode, runs /plan-ceo-review, asserts outcome is NOT 'asked' (i.e., the model honored the preference). Periodic tier because AUTO_DECIDE behavior depends on the model adhering to the QUESTION_TUNING preamble injection — non-deterministic, weekly cron is the right cadence rather than CI gating. Touchfiles cover the AUTO_DECIDE-bearing resolvers + the question-tuning binaries the test setup invokes. touchfiles.test.ts count updates 19 -> 20 because auto-decide-preserved also depends on plan-ceo-review/*. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> v1.21.0.0: AskUserQuestion resolves to host MCP variant when native is disallowed MINOR scale per scale-aware bumps in CLAUDE.md: substantial coordinated multi-file change (preamble fix + new test infrastructure + 6 gate-tier regression cases + 1 periodic eval) and a user-visible regression fix that affects every plan-mode review skill running under Conductor's default flag set. User originally targeted v1.21.2.0; landing as v1.21.0.0 since this is the first 1.21.x release on main and there's no prior 1.21.0.0/1.21.1.0 to skip past. Adjust at /ship time if a different number is preferred. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): fix detection order + whitespace-tolerant pattern matching Two bugs surfaced when validating the v1.21 fix end-to-end: 1. PlanSkillObservation outcome detection ran 'asked' (any numbered options list) BEFORE 'plan_ready'. Plan-mode's "Ready to execute?" confirmation IS a numbered options list (1=auto, 2=manual, ...), so any skill that successfully reached the native confirmation got misclassified as 'asked'. Reorder: 'auto_decided' (most specific, requires AUTO_DECIDE annotation) > 'plan_ready' (next, requires the "ready to execute" stem) > 'asked' (any remaining numbered list). 2. isPlanReadyVisible and isAutoDecidedVisible regexes only matched spaced forms ("ready to execute", "(your preference)"). stripAnsi removes cursor-positioning escapes (`\x1b[40C`) entirely instead of replacing them with spaces, so the same text can render as "readytoexecute" or "(yourpreference)". Both detectors now test the spaced form first, fall through to a whitespace-collapsed comparison. Inline unit smoke confirms both forms match. Updates to the 5 strict 'asked' regression test cases (plan-ceo, plan-eng, plan-devex, autoplan, office-hours): with the detection order corrected, the model's plan-file fallback flow legitimately lands at 'plan_ready' instead of 'asked'. Pass envelope expanded to ['asked', 'plan_ready'] (matching plan-design-review's existing pattern). Failure signals tightened to include 'auto_decided' (catches AUTO_DECIDE without opt-in) plus the standard silent_write/exited/timeout. plan-design was already on this contract from v1.21's first commit, no change needed. The expanded envelope is correct: under --disallowedTools AskUserQuestion the Tool resolution preamble routes the question through plan-mode's native "Ready to execute?" surface — the user still sees the decision, just via the plan-file flow rather than a numbered prompt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(harness): require ## Decisions section under --disallowedTools plan_ready Adversarial review (during /ship Step 11) found that the previous gate-test envelope ['asked', 'plan_ready'] for the AskUserQuestion-blocked regression cases accepted the bug they exist to catch: a model that silently skips Step 0 entirely (writes a plan with no questions, no `## Decisions to confirm` section, just ExitPlanModes) reaches plan_ready and passes. The fix tightens the contract in two layers: 1. Harness: PlanSkillObservation gains a `planFile?: string` field populated when outcome is plan_ready. extractPlanFilePath() walks the visible TTY buffer for "Plan saved to:", "Plan file:", or ".claude/plans/<name>.md" patterns and resolves tilde to absolute. planFileHasDecisionsSection() reads the resolved file and returns true if it contains a `## Decisions` heading (any form: "to confirm", "needed", etc.). 2. Tests: 5 of 6 regression cases now require, when outcome is plan_ready, that obs.planFile is set AND planFileHasDecisionsSection returns true. Otherwise the test fails with a "Step 0 was silently skipped" diagnosis. plan-design-review remains the sole exception — it legitimately short-circuits to plan_ready on no-UI-scope branches and we have no deterministic way to distinguish that from a silent skip. This closes the loophole the adversarial review identified. The fix preamble flow already tells the model to write `## Decisions to confirm` when neither AUQ variant is callable — now the test verifies the model actually did it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(harness): anchor extractPlanFilePath path captures on /Users\|~\|/home\|/var\|/tmp Adversarial-tightened gate sweep surfaced a real bug in the path extraction: stripAnsi collapses whitespace via cursor-positioning escape removal, so "yet at /Users/..." in the visible buffer becomes "yetat/Users/..." with no space between. The previous fallback pattern `(~?\/?\S*\.claude\/plans\/[\w-]+\.md)` greedily matched non-whitespace characters BEFORE the path, producing `yetat/Users/garrytan/.claude/...` which then fails fs.readFileSync. Fix: every regex now requires the path to START at a known path-anchor: `~/`, `/Users/`, `/home/`, `/var/`, `/tmp/`, or `./`. Earlier non-whitespace runs can't be glommed in. Verified against the failing fixture (`yetat/Users/...`) plus the four canonical render forms ("Plan saved to:", "Plan file:", `·`-decorated ctrl-g hint, and the bare fallback). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 08:45:36 -07:00

Author

SHA1

Message

Date

Garry Tan

5d4fe7df07

v1.31.0.0 fix: delete AskUserQuestion fallback (root cause of forever war) + harness primitives (#1390 )

* test: add multi-finding batching regression test (periodic tier)

Adds a periodic-tier E2E that catches the May 2026 transcript bug shape
the existing single-finding gate-tier floor test cannot detect: a model
that fires one AskUserQuestion and then batches the remaining findings
into a single "## Decisions to confirm" plan write + ExitPlanMode.

Why a separate test from skill-e2e-plan-eng-finding-floor: the gate-tier
floor (runPlanSkillFloorCheck) exits on the first AUQ render and returns
success, so a once-then-batch model would pass it trivially. This test
uses runPlanSkillCounting at periodic tier with N-AUQ tracking and
asserts >= 3 distinct review-phase AUQs on a 4-finding seeded plan.

- test/fixtures/forcing-finding-seeds.ts: FORCING_BATCHING_ENG fixture
  (4 distinct non-trivial findings spread across Architecture, Code
  Quality, Tests, Performance — mirrors the D1-D4 transcript shape)
- test/skill-e2e-plan-eng-multi-finding-batching.test.ts: new test
- test/helpers/touchfiles.ts: registered in BOTH E2E_TOUCHFILES and
  E2E_TIERS (touchfiles.test.ts asserts exact equality)

Test will fail on baseline today because today's model uses the preamble
fallback to batch findings; passes after the architectural fix lands in
a follow-up commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: expand plan-mode pass envelopes to accept BLOCKED path

Three existing plan-mode regression tests previously codified the
preamble fallback as a valid PASS path under --disallowedTools
AskUserQuestion: outcome=plan_ready was accepted only when the model
wrote a "## Decisions to confirm" section. The forever-war fix deletes
that fallback, so this assertion would fail post-deletion.

Expanded envelope accepts EITHER:
- 'plan_ready' WITH (## Decisions section [legacy] OR BLOCKED string
  visible in TTY [post-fix])
- 'exited' WITH BLOCKED string visible in TTY [post-fix]

The legacy ## Decisions branch stays in the envelope so these tests
keep passing on today's code (where the fallback still exists) and
on tomorrow's code (where the model reports BLOCKED instead). Once
the deletion has been on main long enough that the cache flushes,
the legacy branch can be removed in a follow-up.

Failure signals (regression we DO want to catch) unchanged:
auto_decided / silent_write / timeout / exited-without-BLOCKED /
plan_ready-without-(decisions OR BLOCKED).

- test/skill-e2e-plan-ceo-plan-mode.test.ts (test 2 only)
- test/skill-e2e-autoplan-auto-mode.test.ts
- test/skill-e2e-plan-design-plan-mode.test.ts

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: delete AskUserQuestion fallback (root cause of forever war)

The /plan-eng-review skill failed to fire AskUserQuestion on a real
plan review and surfaced 4 calibration decisions via prose instead.
Investigation traced this to a "fallback when neither variant is
callable" clause in the preamble that the model rationalizes around
as a general escape hatch from "fanning out round-trip AUQs," even
when an AUQ variant IS callable. Codex review confirmed the fallback
exists in 8 inline sites with 2 surviving escape hatches the original
narrowing missed (a "genuinely trivial" exception duplicated across
all 4 plan-* templates, and a "outside plan mode, output as prose
and stop" branch in the preamble itself).

Net deletion in skill text. Closes both branches of the deleted
fallback (plan-file write AND prose-and-stop) and the trivial-fix
exception with a single hard rule:

  If no AskUserQuestion variant appears in your tool list, this
  skill is BLOCKED. Stop, report `BLOCKED — AskUserQuestion
  unavailable`, and wait for the user.

Honest about being a model directive, not a runtime guard — none of
the PTY harness helpers enforce BLOCKED today. The architectural
improvement is that the model has fewer alternatives to obey it
against. Runtime enforcement is a follow-up TODO.

Sources changed:
- scripts/resolvers/preamble/generate-ask-user-format.ts: delete both
  fallback branches; replace with 1-line BLOCKED rule
- scripts/resolvers/preamble/generate-completion-status.ts: delete
  fallback in generatePlanModeInfo
- plan-eng-review/SKILL.md.tmpl: delete fallback at Step 0 + Sections
  1-4 (5 instances) + delete trivial-fix exception
- office-hours/SKILL.md.tmpl: delete fallback in approach-selection
- plan-ceo-review/SKILL.md.tmpl: delete trivial-fix exception
- plan-design-review/SKILL.md.tmpl: delete trivial-fix exception
- plan-devex-review/SKILL.md.tmpl: delete trivial-fix exception

Generated SKILL.md regen lands in a follow-up commit per the bisect
convention (template changes separate from regenerated output).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate SKILL.md after fallback deletion

Regenerates all 47 generated SKILL.md files (default + 7 host adapters)
after the template/resolver edits in the prior commit. Pure mechanical
output of `bun run gen:skill-docs`; no hand-edits.

Verifies fallback deletion landed across the entire skill surface:
- zero hits for "Decisions to confirm" in canonical SKILL.md / .tmpl
- zero hits for "no AskUserQuestion variant is callable"
- zero hits for "genuinely trivial"
- BLOCKED rule present in 42 generated SKILL.md (every Tier-2+ skill)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): detect prose-rendered AskUserQuestion in plan mode

When --disallowedTools AskUserQuestion is set and no MCP variant is
callable, the model surfaces decisions as visible prose options
("A) ... B) ... C) ..." or "1. ... 2. ... 3. ...") rather than via the
native numbered-prompt UI. isNumberedOptionListVisible doesn't catch
these because the ❯ cursor sits on the empty input prompt rather than
on option 1, so runPlanSkillObservation and runPlanSkillFloorCheck
would time out at 5-10 minutes per test even though the model was
correctly waiting for user input.

This was exposed by the v1.28 fallback deletion: pre-deletion the
model used the preamble fallback to silently auto-resolve to
plan_ready in this scenario. Post-deletion the model correctly
surfaces the question and waits, but the harness couldn't tell.

isProseAUQVisible matches:
  - 2+ distinct lettered options at line starts (A/B/C/D form)
  - 3+ distinct numbered options at line starts WITHOUT a `❯ 1.`
    cursor (so it doesn't double-fire on native numbered prompts)

Wired into:
  - classifyVisible (used by runPlanSkillObservation) → returns
    outcome='asked' instead of timeout
  - runPlanSkillFloorCheck → counts as auq_observed (floor met)

8 new unit tests in claude-pty-runner.unit.test.ts cover the lettered
shape, numbered shape, threshold edges, native-cursor exclusion, and
mid-prose false-positive guard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): LLM judge for waiting-vs-working PTY state + snapshot logs

Regex detectors (isNumberedOptionListVisible, isProseAUQVisible) are
fast and free, but PTY rendering quirks fragment prose AUQ option
lists across logical lines that no regex can reliably reassemble.
When detection misses, polling loops time out at the full budget
even though the model is correctly waiting for user input.

Adds judgePtyState — a Haiku-graded trichotomy classifier:
  - waiting: agent surfaced a question/options, sitting at input prompt
  - working: spinner / tool calls / generation in progress
  - hung:    stopped without surfacing anything (rare crash signal)

Wired as a fallback into the polling loops of runPlanSkillObservation
and runPlanSkillFloorCheck: after 60s with no regex hit, snapshot the
TTY every 30s and call the judge. On 'waiting' verdict, return
outcome=asked / auq_observed early. On 'working' or 'hung', enrich the
eventual timeout summary with the verdict so failures are diagnosable.

Implementation:
  - Spawns `claude -p --model claude-haiku-4-5 --max-turns 1` synchronously
    with prompt piped via stdin (subscription auth, no API key env required)
  - In-process cache keyed by SHA-1 of normalized last-4KB so identical
    spinner-frame snapshots don't re-charge
  - Best-effort JSONL log to ~/.gstack/analytics/pty-judge.jsonl with
    timestamp, testName, state, reasoning, hash, judge wall time
  - 30s timeout per call; returns state='unknown' with diagnostic on any
    failure mode (timeout, malformed JSON, missing claude binary)

Snapshot logging: when GSTACK_PTY_LOG=1 is set, dump last 4KB of visible
TTY at every judge tick to ~/.gstack/analytics/pty-snapshots/<test>-
<elapsed>ms.txt — postmortem trail for debugging flakes.

Cost: ~$0.0005 per call; ~10 calls per 5-min test budget; ~$0.005 per
test added in worst case (only when regex detectors miss).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: accept prose-AUQ visible as third valid surface in plan-mode envelopes

The first re-run after wiring the LLM judge revealed that the model also
emits a third surface I hadn't anticipated: a properly-formatted question
with options ("Pick A, B, or C in your reply") rendered as prose AND
followed by ExitPlanMode (outcome=plan_ready). The migrated tests only
accepted (## Decisions section) OR (BLOCKED string) — neither matched
this case, so the test failed even though the user clearly saw the
question.

Three valid surfaces now:
  1. `## Decisions to confirm` section in plan file (legacy fallback path,
     still valid through migration window)
  2. `BLOCKED — AskUserQuestion` string in TTY (post-v1.28 BLOCKED rule)
  3. Numbered/lettered options visible in TTY as prose (post-v1.28 prose
     rendering — uses the existing isProseAUQVisible detector)

Also fixes assertReportAtBottomIfPlanWritten to be tolerant of:
  - Missing files (path detected from TTY but file not persisted) — was
    throwing ENOENT on plan_design_plan_mode and plan_ceo_plan_mode test 1
  - 'asked' outcome (smoke test exited at first AUQ before the model
    reached the report-writing step) — was throwing on the 1 fail in the
    plan-eng-plan-mode --disallowedTools test

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: drop GSTACK REVIEW REPORT contract from --disallowedTools migrations

The plan-ceo / plan-design --disallowedTools migrated tests called
assertReportAtBottomIfPlanWritten as the final assertion, but that
contract is for full multi-section review completions. Under
--disallowedTools AskUserQuestion the model can't run the full
review (no AUQ tools to ask findings questions through), so it exits
at Step 0 with either prose-AUQ rendering or the legacy decisions
fallback. A plan file written in that mode WON'T have a GSTACK
REVIEW REPORT section — the workflow never reached the report-writing
step.

The contract is still enforced by the periodic finding-count tests
(skill-e2e-plan-{ceo,eng,design,devex}-finding-count.test.ts), which
DO run the full review end-to-end and assert report-at-bottom there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): high-water-mark prose-AUQ tracking across polling iterations

The autoplan E2E surfaces a brief prose-AUQ window (model emits options,
waits ~30s for non-existent test responder, then resumes thinking) that
the existing polling loop misses: by judge-tick time the buffer has
moved into spinner state, so the LLM judge correctly reports 'working'
and the loop times out at 5min.

Adds two flags tracked across polling iterations:
  - proseAUQEverObserved: set true the first tick isProseAUQVisible
    returns true on the recent buffer
  - waitingEverObserved: set true on the first LLM judge 'waiting' verdict

At timeout, if either flag is set, return outcome='asked' with a
summary explaining the historical signal. The model DID surface the
question — we just missed the live-state window.

Snapshot logged with tag='prose-auq-surfaced' when GSTACK_PTY_LOG=1
for postmortem trace.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: migrate plan-eng-plan-mode test 2 envelope to match other plan-mode tests

The plan-ceo, plan-design, and autoplan plan-mode tests under
--disallowedTools all moved to the same surface-visibility envelope
(decisions section OR BLOCKED string OR prose-AUQ visible) and dropped
the GSTACK REVIEW REPORT contract because the workflow can't complete
without AUQ tools. plan-eng-plan-mode test 2 had been left on the old
envelope and was the last failing test.

This commit migrates it to match. Also lifts 'exited' out of the failure
list and into a guarded path (acceptable when surface-visible).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): isProseAUQVisible — gate numbered path on tail, not full buffer

The numbered-options branch of isProseAUQVisible deferred to
isNumberedOptionListVisible whenever a `❯ 1.` cursor was visible in the
full buffer. But the boot trust dialog (`❯ 1. Yes, trust`) lives in
scrollback for the entire run, so this gate suppressed prose-numbered
detection for any session that had the trust prompt at startup —
i.e., every E2E run after the first user-trust acceptance.

Fix: check only the last 4KB tail. Native-UI deferral applies when
the cursor list is CURRENTLY rendered, not historically present in
scrollback.

Adds a regression test that puts the trust dialog in early scrollback
+ 5KB filler + a current prose-AUQ render, asserts true.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): isProseAUQVisible — lower numbered threshold to 2 (matches lettered)

The 4KB tail window often contains only options 2-4 of a 4-option
numbered prose AUQ because the model emits the question header + option 1
several KB earlier in the buffer. The threshold of 3 distinct numbered
markers caused the detector to miss real prose AUQs whenever option 1
had scrolled out.

Threshold 2 matches the lettered branch and is still tightly gated by:
- Line-start anchoring (no false positives on inline `1.` references)
- No-cursor gate (defers to native UI when ❯ 1. is currently rendered)
- The 4KB tail window itself (prose-AUQ rendering happens at the end of
  the model's response, so options are clustered in the tail)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: expose high-water-mark flags through PlanSkillObservation

The 2KB obs.evidence window often misses the prose-AUQ moment because
ExitPlanMode UI ("Ready to execute" + numbered approve/reject prompt)
pushes the model's earlier option list out of the tail by the time
outcome=plan_ready fires. Tests checking "did the user see a question"
need to consult historical state, not just the truncated final tail.

Adds two optional fields to PlanSkillObservation:
  - proseAUQEverObserved: true if isProseAUQVisible was true at any tick
  - waitingEverObserved: true if the LLM judge ever returned 'waiting'

The 4 plan-mode --disallowedTools tests now check these flags as part
of the surfaceVisible computation:
    isProseAUQVisible(obs.evidence) || obs.proseAUQEverObserved === true
    blockedVisible || proseAUQVisible || obs.waitingEverObserved === true

This catches the autoplan / plan-ceo / plan-eng case where the model
surfaces options briefly, fails to get a response, then keeps thinking
— eventually emitting ExitPlanMode and pushing options out of evidence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(plan-ceo): bump --disallowedTools test timeout to 10 min

Last 5 runs showed the model under --disallowedTools spending the full
5-min budget in 'high effort thinking' before surfacing options. The LLM
judge correctly reports state=working at every 30s tick, so the
high-water-mark fallback never fires.

10-min budget gives the model 20 judge windows to eventually surface
the question. Outer bun timeout bumped accordingly to 660s (inner +60s).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(plan-ceo): pre-prime --disallowedTools test with concrete plan content

Root cause of the persistent timeout: under --disallowedTools, the model
can't fire the AUQ tool to ask "what should I review?" — it has to
prose-render that question. Prose-rendering a 4-option choice requires
the model to first enumerate every option, which spent the full 5min
budget in 'high effort thinking' (8 consecutive 'state=working' verdicts
from the LLM judge).

Fix: pass initialPlanContent (already supported by runPlanSkillObservation)
with a CEO-review-shaped seed plan (vague success metric, missing
premise, scope creep smell). The model now has concrete material to
critique on entry, bypasses the scope-deliberation loop, and moves
directly to surfacing Step 0 / Section 1 findings — the actual
behavior we want to regression-test.

Reverted timeout from 600_000 back to 300_000 since the 5-min budget
is plenty when the model has a real plan to work with.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: delete --disallowedTools AskUserQuestion-blocked test variants

These tests simulated a fictional environment that doesn't exist in
production. Real Conductor sessions launch claude with
`--disallowedTools AskUserQuestion` AND register
`mcp__conductor__AskUserQuestion` — the model has the MCP variant. But
the tests passed `--disallowedTools` without standing up any MCP server,
so they tested "model behavior with NO AUQ available," which no real
user state produces.

Combined with bare `/plan-ceo-review` invocation (no follow-up content),
this forced the model into a 5+ minute deliberation loop trying to
prose-render a question with options it had to first invent. The result
was persistent flakes that consumed nine paid E2E runs trying to fix
"the model takes too long" — but the actual problem was the test
configuration, not the model.

Removals:
- test/skill-e2e-autoplan-auto-mode.test.ts (deleted; the entire file
  was a single AUQ-blocked test)
- test/skill-e2e-plan-ceo-plan-mode.test.ts test 2 (the migrated
  --disallowedTools test); test 1 (baseline plan-mode smoke) stays
- test/skill-e2e-plan-design-plan-mode.test.ts test 2 (same shape);
  test 1 stays
- test/skill-e2e-plan-eng-plan-mode.test.ts test 2 (same shape); test 1
  (baseline) and test 3 (STOP-gate with seeded plan, different
  contract) stay
- test/helpers/touchfiles.ts: autoplan-auto-mode entry removed
- test/touchfiles.test.ts: assertion count + commentary updated

Coverage retained: test 1 of each plan-mode file already verifies the
model fires AUQ; the periodic finding-count tests verify per-finding
AUQ cadence end-to-end. The harness improvements landed during this
debugging cycle (isProseAUQVisible regex, LLM judge, snapshot logging,
high-water-mark tracking, ENOENT-tolerant assertReportAtBottomIfPlanWritten)
all stay — they're useful for the remaining plan-mode tests that can
also encounter prose rendering and slow-thinking phases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump version and changelog (v1.31.0.0)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-09 17:01:13 -07:00

Garry Tan

19e699ab9b

v1.26.4.0 fix: GSTACK REVIEW REPORT delete-then-append (no more mid-file leftovers) (#1335 )

* fix: GSTACK REVIEW REPORT delete-then-append flow

Replaces contradictory "replace it entirely" + "always last section / move
if mid-file" bullets in scripts/resolvers/review.ts with a single
delete-then-append rule. Adds Read-tool verification step so the agent
self-checks before continuing.

Affected SKILL.md files (regenerated): plan-ceo-review, plan-design-review,
plan-devex-review, plan-eng-review, codex, devex-review.

* test: static template assertions for delete-then-append + revert autoplan E2E shape

5 new static tests in test/gen-skill-docs.test.ts (4 plan-review SKILL.md
files + 1 source resolver) verify the new prompt language is present and
the old contradictory bullets are absent. Synthetic regression check
confirmed all 5 fail when the prompt fix is reverted.

The autoplan E2E (skill-e2e-autoplan-auto-mode.test.ts) reverts to its
original AUQ-blocked-gate-surface shape. The mid-file regression scenario
the plan briefly proposed isn't reachable in the current PTY harness because
--disallowedTools AskUserQuestion makes autoplan bail at the Phase 1
premise gate before any review-write code path runs. Static prompt-text
verification covers the load-bearing change.

* chore: bump version and changelog (v1.26.4.0)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-05 21:18:35 -07:00

Garry Tan

6e1625c0d7

v1.25.0.0 fix: AskUserQuestion resolves to host MCP variant when native is disallowed (#1287 )

* test(harness): plumb extraArgs and auto_decided outcome through PTY runner

runPlanSkillObservation now accepts extraArgs that pass through to
launchClaudePty (which already supported them at the lower level), and
exposes a new 'auto_decided' outcome detected via isAutoDecidedVisible
when the AUTO_DECIDE preamble template fires (Auto-decided ... (your
preference)).

Both pieces are needed for the v1.21+ AskUserQuestion-blocked regression
tests in the next commit. Detection order is deliberate: 'asked' (rendered
numbered list) wins over 'auto_decided' (text only, no list), which wins
over 'plan_ready' so the auto-decide evidence isn't masked by a downstream
plan-mode confirmation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): add AskUserQuestion-blocked regression cases for 6 plan-mode skills

Conductor launches Claude Code with --disallowedTools AskUserQuestion
--permission-mode default --permission-prompt-tool stdio (verified by
inspecting the live conductor claude process via ps -p ... -o args=).
Native AskUserQuestion is removed from the model's tool registry; without
fallback guidance the plan-mode skills (plan-ceo-review, plan-eng-review,
plan-design-review, plan-devex-review, autoplan, office-hours) silently
proceed and never surface decisions to the user.

Adds 6 gate-tier real-PTY regression cases:

  - 4 inline test cases inside the existing plan-X-review-plan-mode.test
    files, each exercising the same skill with extraArgs ['--disallowedTools',
    'AskUserQuestion'] and asserting outcome === 'asked'. plan-design-review
    keeps the ['asked', 'plan_ready'] envelope (legitimate short-circuit on
    no-UI-scope) but explicitly fails on 'auto_decided'.
  - 2 standalone test files for autoplan + office-hours (which had no prior
    plan-mode test). autoplan asserts the FIRST non-auto-decided gate fires
    (Phase 1 premise confirmation) — autoplan auto-decides intermediate
    questions BY DESIGN.

Touchfile entries:
  - autoplan-auto-mode + office-hours-auto-mode added to E2E_TOUCHFILES +
    E2E_TIERS (gate)
  - existing plan-X-review-plan-mode entries gain question-tuning.ts and
    generate-ask-user-format.ts touchfile deps so AUTO_DECIDE-related
    resolver changes correctly invalidate the regression tests
  - touchfiles.test.ts count updated 18 -> 19 to cover the autoplan
    touchfile dependency on plan-ceo-review/**

Filenames retain `auto-mode` for branch-history continuity. Auto-mode (the
AUTO_DECIDE preamble path when QUESTION_TUNING=true) is a related but
distinct silencing mechanism; both share the same fix surface in the
preamble.

These tests are expected to FAIL on this branch until the fix lands. The
failure is the receipt for the regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(preamble): teach the model to prefer mcp__*__AskUserQuestion when registered

When a host launches Claude Code with --disallowedTools AskUserQuestion
(Conductor does this by default — verified via ps on the live conductor
claude process), the native AskUserQuestion tool is removed from the
model's tool registry. Skill templates that say "call AskUserQuestion"
silently fail in that environment: the model can't ask, the user never
sees the question, the skill auto-proceeds without input.

The fix is preamble guidance, not a skill-template change:

  generate-ask-user-format.ts: new "Tool resolution" section at the top
  of the AskUserQuestion Format block. Tells the model that
  "AskUserQuestion" can resolve to two tools at runtime — the host MCP
  variant (e.g. mcp__conductor__AskUserQuestion, registered when the
  host injects it) and the native tool — and to PREFER any
  mcp__*__AskUserQuestion variant. Same questions/options shape; same
  decision-brief format. If neither variant is callable, fall back to
  writing a "## Decisions to confirm" section into the plan file plus
  ExitPlanMode (the native plan-mode confirmation surfaces it). Never
  silently auto-decide.

  generate-completion-status.ts: the plan-mode-info block (preamble
  position 1) now explicitly notes that AskUserQuestion satisfies plan
  mode's end-of-turn requirement for "any variant" and points at the
  Tool resolution section for the fallback path.

This puts the resolution rule in front of every tier-≥2 skill via the
preamble, so plan-mode review skills (plan-ceo-review, plan-eng-review,
plan-design-review, plan-devex-review, autoplan, office-hours) all gain
the fix without per-template surgery.

Includes regenerated SKILL.md files for all 41 skills + the 3 host-ship
golden fixtures used by test/host-config.test.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(periodic): AUTO_DECIDE opt-in preserved under Conductor flags

Periodic-tier eval that exercises the legitimate /plan-tune AUTO_DECIDE
path under the same flags Conductor uses (--disallowedTools
AskUserQuestion). Confirms the new Tool resolution preamble doesn't trip
opt-in users: when the user has set a never-ask preference for a
question, the model should auto-pick (outcome 'auto_decided' or
'plan_ready') rather than surface the prompt.

Setup runs in an isolated GSTACK_HOME tmpdir — never touches the user's
real ~/.gstack state. Writes question_tuning=true + a never-ask
preference for plan-ceo-review-mode (source: 'plan-tune', which bypasses
the inline-user origin gate). Spawns claude with
--disallowedTools AskUserQuestion in plan mode, runs /plan-ceo-review,
asserts outcome is NOT 'asked' (i.e., the model honored the preference).

Periodic tier because AUTO_DECIDE behavior depends on the model adhering
to the QUESTION_TUNING preamble injection — non-deterministic, weekly
cron is the right cadence rather than CI gating.

Touchfiles cover the AUTO_DECIDE-bearing resolvers + the question-tuning
binaries the test setup invokes. touchfiles.test.ts count updates 19 ->
20 because auto-decide-preserved also depends on plan-ceo-review/**.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* v1.21.0.0: AskUserQuestion resolves to host MCP variant when native is disallowed

MINOR scale per scale-aware bumps in CLAUDE.md: substantial coordinated
multi-file change (preamble fix + new test infrastructure + 6 gate-tier
regression cases + 1 periodic eval) and a user-visible regression fix
that affects every plan-mode review skill running under Conductor's
default flag set.

User originally targeted v1.21.2.0; landing as v1.21.0.0 since this is
the first 1.21.x release on main and there's no prior 1.21.0.0/1.21.1.0
to skip past. Adjust at /ship time if a different number is preferred.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): fix detection order + whitespace-tolerant pattern matching

Two bugs surfaced when validating the v1.21 fix end-to-end:

1. PlanSkillObservation outcome detection ran 'asked' (any numbered
   options list) BEFORE 'plan_ready'. Plan-mode's "Ready to execute?"
   confirmation IS a numbered options list (1=auto, 2=manual, ...), so
   any skill that successfully reached the native confirmation got
   misclassified as 'asked'. Reorder: 'auto_decided' (most specific,
   requires AUTO_DECIDE annotation) > 'plan_ready' (next, requires the
   "ready to execute" stem) > 'asked' (any remaining numbered list).

2. isPlanReadyVisible and isAutoDecidedVisible regexes only matched
   spaced forms ("ready to execute", "(your preference)"). stripAnsi
   removes cursor-positioning escapes (`\x1b[40C`) entirely instead of
   replacing them with spaces, so the same text can render as
   "readytoexecute" or "(yourpreference)". Both detectors now test the
   spaced form first, fall through to a whitespace-collapsed comparison.
   Inline unit smoke confirms both forms match.

Updates to the 5 strict 'asked' regression test cases (plan-ceo,
plan-eng, plan-devex, autoplan, office-hours): with the detection order
corrected, the model's plan-file fallback flow legitimately lands at
'plan_ready' instead of 'asked'. Pass envelope expanded to ['asked',
'plan_ready'] (matching plan-design-review's existing pattern). Failure
signals tightened to include 'auto_decided' (catches AUTO_DECIDE without
opt-in) plus the standard silent_write/exited/timeout. plan-design was
already on this contract from v1.21's first commit, no change needed.

The expanded envelope is correct: under --disallowedTools AskUserQuestion
the Tool resolution preamble routes the question through plan-mode's
native "Ready to execute?" surface — the user still sees the decision,
just via the plan-file flow rather than a numbered prompt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(harness): require ## Decisions section under --disallowedTools plan_ready

Adversarial review (during /ship Step 11) found that the previous gate-test
envelope ['asked', 'plan_ready'] for the AskUserQuestion-blocked regression
cases accepted the bug they exist to catch: a model that silently skips
Step 0 entirely (writes a plan with no questions, no `## Decisions to
confirm` section, just ExitPlanModes) reaches plan_ready and passes.

The fix tightens the contract in two layers:

1. Harness: PlanSkillObservation gains a `planFile?: string` field
   populated when outcome is plan_ready. extractPlanFilePath() walks the
   visible TTY buffer for "Plan saved to:", "Plan file:", or
   ".claude/plans/<name>.md" patterns and resolves tilde to absolute.
   planFileHasDecisionsSection() reads the resolved file and returns true
   if it contains a `## Decisions` heading (any form: "to confirm",
   "needed", etc.).

2. Tests: 5 of 6 regression cases now require, when outcome is plan_ready,
   that obs.planFile is set AND planFileHasDecisionsSection returns true.
   Otherwise the test fails with a "Step 0 was silently skipped" diagnosis.
   plan-design-review remains the sole exception — it legitimately
   short-circuits to plan_ready on no-UI-scope branches and we have no
   deterministic way to distinguish that from a silent skip.

This closes the loophole the adversarial review identified. The fix
preamble flow already tells the model to write `## Decisions to confirm`
when neither AUQ variant is callable — now the test verifies the model
actually did it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(harness): anchor extractPlanFilePath path captures on /Users|~|/home|/var|/tmp

Adversarial-tightened gate sweep surfaced a real bug in the path
extraction: stripAnsi collapses whitespace via cursor-positioning escape
removal, so "yet at /Users/..." in the visible buffer becomes
"yetat/Users/..." with no space between. The previous fallback pattern
`(~?\/?\S*\.claude\/plans\/[\w-]+\.md)` greedily matched non-whitespace
characters BEFORE the path, producing `yetat/Users/garrytan/.claude/...`
which then fails fs.readFileSync.

Fix: every regex now requires the path to START at a known path-anchor:
`~/`, `/Users/`, `/home/`, `/var/`, `/tmp/`, or `./`. Earlier
non-whitespace runs can't be glommed in.

Verified against the failing fixture (`yetat/Users/...`) plus the four
canonical render forms ("Plan saved to:", "Plan file:", `·`-decorated
ctrl-g hint, and the bare fallback).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-01 08:45:36 -07:00

3 Commits