Compare commits

..

29 Commits

Author SHA1 Message Date
Jesse Vincent
5fa1ebc122 chore(sdd): consistency sweep for plan-scoped workspace signatures 2026-07-06 13:52:38 -07:00
Jesse Vincent
82cc596a42 eval(sdd): GREEN results — plan-scoped resolution replaces cross-plan forensics 2026-07-06 13:18:24 -07:00
Jesse Vincent
e90e40fb4d feat(sdd): plan-scoped durable progress — ledger names its plan, workspace dies at plan end
The start-of-skill ledger check is now scoped to the plan's own
workspace and keyed to the ledger's first line. Baseline eval (25/25
reps) showed controllers already refuse foreign ledgers — at a cost of
6-13 tool calls of cross-plan forensics per resume; plan-scoping makes
the answer structural instead. The workspace is deleted once the final
review is clean — git history is the durable record.
2026-07-06 12:48:49 -07:00
Jesse Vincent
d5ea3a7e60 feat(sdd): plan-scoped workspace — one .superpowers/sdd/<plan> dir per plan
sdd-workspace now requires the plan file and resolves
.superpowers/sdd/<plan-basename>/; task-brief and review-package write
into their plan's directory (review-package gains PLAN_FILE as its first
argument). Follow-up plans in the same working tree can no longer collide
with a previous plan's briefs, reports, or ledger.
2026-07-06 12:36:53 -07:00
Jesse Vincent
913bfd3354 eval(sdd): RED baseline — 25/25 controllers refuse stale ledgers, at a forensic cost 2026-07-06 12:22:39 -07:00
Jesse Vincent
45ce22f56a docs(specs): record eval re-scope — blind adoption did not reproduce, claims narrowed
25/25 baseline reps refused the stale foreign ledger via git forensics;
the spec's evaluation section now states the honest claims: structural
fix + measured disambiguation-cost delta + same-plan-resume regression
gate, shipping with explicit maintainer sign-off in place of a failing
S1 baseline.
2026-07-06 12:08:01 -07:00
Jesse Vincent
cf6898ac06 docs(plans): re-scope eval per maintainer decision — RED compiled, GREEN measures cost
Three RED rounds (25 reps, three framings incl. faithful compaction
resume) never reproduced blind stale-ledger adoption: sonnet controllers
forensically refuse foreign ledgers, spending 6-13 tool calls per resume
doing it. Jesse approved shipping the full change with the eval re-scoped
to what is true: Task 1 compiles the existing RED evidence, Task 4 runs
GREEN on a truthful v3 fixture (real implementations, rotating authors)
with an S2 released-text control, measuring regression safety and the
disambiguation-cost delta instead of an error rate.
2026-07-06 12:07:18 -07:00
Jesse Vincent
411824550d docs(plans): fixture v2 — real cited commits, matched task counts
Fixture v1 tripped the Task 1 STOP gate for the right reason: its
ledgers cited fabricated hashes, so RED agents dismissed them via git
forensics (S1 passed for the wrong mechanism, the S2 resume control
failed 5/5). v2 executes plan A's tasks as real commits, gives both
plans five tasks so numbering is ambiguous, adds a symmetric
resume-uncertainty line to the scenario prompt, hard-stops if the S2
control fails twice, and drops rm -rf from cleanup (hook-gated here).
2026-07-06 11:36:53 -07:00
Jesse Vincent
6cbd2bd26c docs(plans): SDD plan-scoped workspace implementation plan
Five tasks: RED baseline eval (writing-skills Iron Law — before any
skill edit), plan-scoped scripts via TDD, SKILL.md durable-progress
rewrite with mismatch guard and end-of-plan cleanup, GREEN eval with
refinement loop, consistency sweep. Eval = 5 fresh sonnet subagents per
scenario per arm, hand-scored.
2026-07-06 11:14:53 -07:00
Jesse Vincent
9e557bd1c8 docs(specs): SDD plan-scoped workspace design
The .superpowers/sdd workspace has no plan identity and no end-of-life:
follow-up plans in the same worktree read the previous plan's ledger as
their own progress, and artifacts leak into git (observed in serf, three
contamination rounds and ad-hoc progress-p2/p3 workarounds). Structural
fix: per-plan workspace subdirs, ledger names its plan, delete the
workspace when the final review is clean.
2026-07-06 11:06:10 -07:00
Jesse Vincent
c809093a2a Release v6.1.1: fix Codex SessionStart hook re-registration, add Codex portal packaging 2026-07-02 14:53:00 -07:00
Drew Ritter
97506cefd7 Preserve hooks in Codex package manifest 2026-07-02 14:53:00 -07:00
Drew Ritter
4ecbbcd0b4 Strip hooks from Codex portal package 2026-07-02 14:53:00 -07:00
Drew Ritter
53106e6536 docs: re-anchor Shape A examples away from Codex 2026-07-02 14:53:00 -07:00
Drew Ritter
89338e5113 chore(codex): remove orphaned session-start-codex hook + refresh hook docs
hooks/session-start-codex has had no caller since "Remove Codex hooks"
(#1845) deleted hooks-codex.json and its manifest registration; the
Codex manifest now declares an empty hooks object so Codex registers no
session-start hook at all. The script is Codex-specific dead code —
nothing executes it on Codex or any other harness.

- Delete hooks/session-start-codex.
- tests/hooks/test-session-start.sh: drop the two Codex cases that are
  redundant with the generic session-start tests (nested-format and the
  legacy-warning omission are already covered by the Claude Code cases).
  Re-point the "wrapper dispatches" case to the live `session-start`
  script so run-hook.cmd dispatch coverage — used by Claude Code and
  Cursor in production — is preserved rather than lost.
- docs/porting-to-a-new-harness.md: Codex is no longer a Shape A
  (shell-hook) harness, so re-anchor that worked example to Cursor (a
  live shell-hook harness that demonstrates the same per-harness field,
  schema, and matcher variance) and mark Codex as native skill discovery
  with no session-start hook. Clears the references to the deleted
  hooks-codex.json.
- docs/windows/polyglot-hooks.md: the "check hooks-codex.json" pointer
  referenced a file deleted in #1845; re-point to hooks-cursor.json.

RELEASE-NOTES.md keeps its historical mention of hooks-codex.json (it
accurately records what that release did). The tests/codex-plugin-sync
fixtures build their own synthetic session-start-codex and test the sync
mechanism generically, so they are intentionally left as-is.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 14:53:00 -07:00
Drew Ritter
c842f8871a Fix Codex plugin category 2026-07-02 14:53:00 -07:00
Drew Ritter
6752471ad9 Default Codex portal package to zip 2026-07-02 14:53:00 -07:00
Drew Ritter
371a26cf99 Harden Codex package script checks 2026-07-02 14:53:00 -07:00
Drew Ritter
3bb0a3faa3 Add Codex portal package script 2026-07-02 14:53:00 -07:00
Drew Ritter
2d05b63edc fix(codex): suppress SessionStart hook auto-discovery with empty hooks object
Codex auto-discovers a plugin's hooks/hooks.json whenever the Codex
manifest has no `hooks` field: load_plugin_hooks falls back to a
hardcoded DEFAULT_HOOKS_CONFIG_FILE = "hooks/hooks.json" and registers
it. hooks/hooks.json is the Claude Code SessionStart hook, it is tracked
in this repo, and the Codex marketplace installs the whole repo root
(source url "./"), so the fallback re-registered the SessionStart hook
and its install-time trust prompt on Codex.

Removing the Codex hook file and the manifest `hooks` pointer (commit
"Remove Codex hooks") did not disable the hook on Codex — it removed the
explicit declaration that was overriding the fallback, so the fallback
took over and found the Claude hooks/hooks.json.

Declare an empty inline hooks object ({}) in .codex-plugin/plugin.json.
It parses as an empty inline hook set and stops Codex reaching the
auto-discovery fallback. An absent field, an empty array ([]), and an
empty inline list all collapse back to the fallback, so the value must
be exactly {}.

Update the test to assert the manifest declares hooks: {} (and that
hooks/hooks.json exists, which is what makes the declaration necessary),
replacing the prior assertion that the field was absent — which passed
while the hook was still being auto-discovered.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-02 14:53:00 -07:00
Jesse Vincent
f268f7c953 Release v6.1.0: leaner per-session bootstrap, Codex marketplace install, Gemini removed
Bump all manifests to 6.1.0 and add RELEASE-NOTES for v6.1.0:
- Compress the using-superpowers bootstrap and prune per-harness
  tool-mapping references (lower per-session token cost).
- Add a Codex marketplace manifest so the plugin installs from Codex;
  drop the Codex SessionStart hook.
- Remove Gemini CLI support (Google EOLed the Gemini CLI 2026-06-18).
2026-06-30 11:29:15 -07:00
Jesse Vincent
e1753f6e77 test(codex): assert Codex manifest ships no hooks
Commit 1f0c76e removed the Codex SessionStart hook — dropping the hooks
field from .codex-plugin/plugin.json and deleting hooks-codex.json — but
left test-marketplace-manifest.sh asserting the old hooks pointer, so the
test has failed on dev since. Assert the field is absent instead, locking
in the no-Codex-hooks decision.
2026-06-30 11:29:15 -07:00
Jesse Vincent
777cc2fae4 Compress the using-superpowers bootstrap
The bootstrap is injected into every session, so its token cost is paid
constantly. Condense it without dropping behavior-shaping content:

- Replace the graphviz skill-flow diagram with the prose it encoded (the
  1% rule, the plan-mode to brainstorm gate, announce + checklist to todos).
- Fold the standalone Instruction-Priority section into User Instructions.
- Drop the per-platform 'How to Access Skills' walkthrough.
- Trim the Platform Adaptation pointer to the harnesses that still have a
  reference file (Codex, Pi, Antigravity).

Keeps the full Red Flags rationalization table, skill priority framed as
process-before-implementation, and user-instruction precedence.
2026-06-30 11:29:15 -07:00
Jesse Vincent
e7ddc25e51 Prune per-harness tool-mapping boilerplate
The verbose action-to-tool tables and skill-loading explainers in the
per-harness reference files restated guidance modern agents already
follow. Trim each file to the harness-specific notes that still carry
weight (subagent dispatch, task tracking, instructions-file paths), and
delete claude-code-tools.md and copilot-tools.md, which had nothing left
that wasn't generic.
2026-06-30 11:29:15 -07:00
Jesse Vincent
711d895ce7 Remove Gemini CLI support
Google EOLed the Gemini CLI on 2026-06-18; the extension can no longer
be installed or updated. Remove Gemini from the install docs, the
subagent-capable platform lists, and the eval-harness description, and
delete its tool-mapping reference.
2026-06-30 11:29:15 -07:00
Jesse Vincent
640ce6c0e9 Remove Codex hooks
Codex reliably triggers skills on its own, and the SessionStart hook
made the UX worse rather than better. Drop the Codex hook config and
its registration in the plugin manifest.
2026-06-30 11:29:15 -07:00
Ada Sen
879ae59c33 fix(codex): stop bootstrap re-firing on resume (match Claude startup|clear|compact)
Bug: the SessionStart hook matcher in hooks-codex.json included "resume",
causing the superpowers bootstrap to re-fire on every Codex session resume.

Fix: align with Claude's hooks/hooks.json matcher "startup|clear|compact":
- drop "resume" (the bug: resume should not trigger re-bootstrap)
- add "compact" (so bootstrap re-injects after context compaction, like Claude)

Before: "matcher": "startup|resume|clear"
After:  "matcher": "startup|clear|compact"
2026-06-30 11:29:15 -07:00
Jesse Vincent
d376057029 Keep Codex hooks manifest in plugin metadata
Prompt: Jesse questioned whether the PR should remove the hooks config from the Codex plugin manifest.

Runtime investigation showed Codex accepts a committed plugin manifest with hooks and installs the plugin successfully. Removing the field changes behavior: Codex falls back to the default hooks/hooks.json, which uses the non-Codex session-start hook and CLAUDE_PLUGIN_ROOT path, instead of hooks/hooks-codex.json and the session-start-codex script.

Changes: restore .codex-plugin/plugin.json hooks to ./hooks/hooks-codex.json and update the Codex marketplace manifest test to require that Codex-specific hook pointer instead of rejecting hooks.

Validation: bash tests/codex/test-marketplace-manifest.sh; scripts/lint-shell.sh tests/codex/test-marketplace-manifest.sh; bash tests/codex-plugin-sync/test-sync-to-codex-plugin.sh; bash tests/kimi/test-plugin-manifest.sh; bash tests/shell-lint/test-lint-shell.sh.
2026-06-30 11:29:15 -07:00
Jesse Vincent
add6a283b1 Add Codex marketplace manifest
Prompt: Jesse asked for a new worktree off the local superpowers dev branch to add the Codex manifest after diagnosing why github.com/obra/superpowers did not show installable Codex plugins.

Root cause: Codex marketplace sources expect a .agents/plugins/marketplace.json at the marketplace root. The superpowers repo only had the Claude marketplace file and the Codex plugin manifest, so Codex could configure the marketplace name but found no installable plugin entries.

Changes: add a repo-local Codex marketplace manifest for superpowers-dev that points at this same repository root via the same-root source pattern Codex already accepts; add a focused marketplace manifest test; remove the unsupported hooks field from .codex-plugin/plugin.json so the plugin validator accepts the manifest.

Validation: bash tests/codex/test-marketplace-manifest.sh; uv run --with PyYAML python /Users/jesse/.codex/skills/.system/plugin-creator/scripts/validate_plugin.py /Users/jesse/git/superpowers/superpowers/.worktrees/codex-marketplace-manifest; throwaway HOME codex plugin marketplace add/list/add; bash tests/codex-plugin-sync/test-sync-to-codex-plugin.sh; bash tests/kimi/test-plugin-manifest.sh; bash tests/shell-lint/test-lint-shell.sh; scripts/lint-shell.sh tests/codex/test-marketplace-manifest.sh.
2026-06-30 11:29:15 -07:00
24 changed files with 2116 additions and 181 deletions

View File

@@ -9,7 +9,7 @@
{
"name": "superpowers",
"description": "Core skills library for Claude Code: TDD, debugging, collaboration patterns, and proven techniques",
"version": "6.1.0",
"version": "6.1.1",
"source": "./",
"author": {
"name": "Jesse Vincent",

View File

@@ -1,7 +1,7 @@
{
"name": "superpowers",
"description": "Core skills library for Claude Code: TDD, debugging, collaboration patterns, and proven techniques",
"version": "6.1.0",
"version": "6.1.1",
"author": {
"name": "Jesse Vincent",
"email": "jesse@fsck.com"

View File

@@ -1,6 +1,6 @@
{
"name": "superpowers",
"version": "6.1.0",
"version": "6.1.1",
"description": "An agentic skills framework & software development methodology that works: planning, TDD, debugging, and collaboration workflows.",
"author": {
"name": "Jesse Vincent",
@@ -21,12 +21,13 @@
"workflow"
],
"skills": "./skills/",
"hooks": {},
"interface": {
"displayName": "Superpowers",
"shortDescription": "Planning, TDD, debugging, and delivery workflows for coding agents",
"longDescription": "Use Superpowers to guide agent work through brainstorming, implementation planning, test-driven development, systematic debugging, parallel execution, code review, and finish-the-branch workflows.",
"developerName": "Jesse Vincent",
"category": "Coding",
"category": "Developer Tools",
"capabilities": [
"Interactive",
"Read",

View File

@@ -2,7 +2,7 @@
"name": "superpowers",
"displayName": "Superpowers",
"description": "Core skills library: TDD, debugging, collaboration patterns, and proven techniques",
"version": "6.1.0",
"version": "6.1.1",
"author": {
"name": "Jesse Vincent",
"email": "jesse@fsck.com"

View File

@@ -1,6 +1,6 @@
{
"name": "superpowers",
"version": "6.1.0",
"version": "6.1.1",
"description": "An agentic skills framework and software development methodology.",
"author": {
"name": "Jesse Vincent",

View File

@@ -1,5 +1,16 @@
# Superpowers Release Notes
## v6.1.1 (2026-07-02)
### Codex
- **Codex no longer re-registers the Claude SessionStart hook.** v6.1.0 removed the Codex hook config and its manifest `hooks` pointer, meaning to stop Codex from installing a SessionStart hook — but with no `hooks` field, Codex fell back to auto-discovering `hooks/hooks.json`, the Claude Code SessionStart hook that the marketplace ships from the repo root, and re-registered it along with its install-time trust prompt. The Codex manifest now declares an explicit empty hooks object (`hooks: {}`), which Codex reads as "no hooks" instead of reaching the auto-discovery fallback. An absent field, `[]`, and an empty inline list all collapse back to the fallback, so the value has to be exactly `{}`.
- **Removed orphaned Codex session-start dead code.** `hooks/session-start-codex` had no caller once the Codex hook config was deleted, so it and its redundant test cases are gone. The worked shell-hook example in `docs/porting-to-a-new-harness.md` moves from Codex — now native skill discovery with no session-start hook — to Cursor, a live shell-hook harness, and the stale `hooks-codex.json` pointer in `docs/windows/polyglot-hooks.md` is corrected. The Codex plugin category is also fixed to "Developer Tools".
### Packaging
- **New `package-codex-plugin.sh` for building the Codex portal package.** A maintainer script produces a deterministic Codex "portal" archive — `.zip` by default, `tar.gz` on request — that normalizes entry timestamps, preserves executable modes, verifies every packaged skill ships its OpenAI metadata, includes the app and composer icons, and refuses to run against a dirty worktree. The packaged manifest keeps the source `hooks: {}` object so a portal-installed plugin avoids the same SessionStart auto-discovery, and the script can rebuild a byte-identical archive from a saved metadata source. Covered by a new test suite.
## v6.1.0 (2026-06-30)
### Lower Per-Session Token Cost

View File

@@ -90,7 +90,7 @@ every session, with no per-session opt-in by your human partner.** This is the
one non-negotiable capability. It can take any form:
- a **hook/event system** that runs a shell command at session start and reads
its stdout (Claude Code, Codex, Cursor, Copilot CLI), or
its stdout (Claude Code, Cursor, Copilot CLI), or
- an **in-process plugin/extension** with a session-start or message lifecycle
callback that can mutate the message array (OpenCode, pi), or
- an **instructions-file** convention where the harness loads a context file that
@@ -227,18 +227,20 @@ you may **not** do is bridge a gap by editing the user's global config.
The harness has a hook system that runs a shell command at session start and
reads JSON from its stdout. The configured command runs `run-hook.cmd`, a
polyglot wrapper that just locates bash and dispatches the named script; the
script (`hooks/session-start`, or a harness-specific variant like
`hooks/session-start-codex`) is what reads `using-superpowers/SKILL.md` and
prints a JSON object whose **field name and nesting differ per harness**.
script (`hooks/session-start`, or a harness-specific variant) is what reads
`using-superpowers/SKILL.md` and prints a JSON object whose **field name and
nesting differ per harness**.
- Reference: `hooks/session-start` (and `hooks/session-start-codex`),
`hooks/run-hook.cmd`, and the per-harness hook config `hooks/hooks.json`
(Claude Code), `hooks/hooks-codex.json` (Codex), `hooks/hooks-cursor.json`
- Reference: `hooks/session-start`, `hooks/run-hook.cmd`, and the per-harness
hook config `hooks/hooks.json` (Claude Code) and `hooks/hooks-cursor.json`
(Cursor).
- Manifests: `.codex-plugin/plugin.json`, `.cursor-plugin/plugin.json` point the
harness at `./skills/` and the right `hooks-*.json`. (Claude Code's
- Manifests: `.cursor-plugin/plugin.json` is the Shape A manifest example that
points the harness at `./skills/` and the right `hooks-*.json`. Claude Code's
`.claude-plugin/plugin.json` sets neither field — it auto-discovers `skills/`
and `hooks/hooks.json` by convention.)
and `hooks/hooks.json` by convention. Do **not** copy Codex's
`.codex-plugin/plugin.json` for Shape A: it declares an empty `hooks` object
specifically to suppress Codex's `hooks/hooks.json` auto-discovery, because
Codex surfaces skills natively and runs no session-start hook.
> **A hook *system* is not a session-start *event*.** A harness can have a
> `hooks.json` mechanism — and even contain the literal string `SessionStart` in
@@ -287,7 +289,7 @@ part of the installed extension** — never substitute "edit the user's global
| If the harness… | Use shape | Copy from |
|---|---|---|
| runs a shell command at session start and reads its stdout | A (shell-hook) | Codex (`hooks/session-start-codex` + `hooks/hooks-codex.json` + `.codex-plugin/`) |
| runs a shell command at session start and reads its stdout | A (shell-hook) | Cursor (`hooks/session-start` + `hooks/hooks-cursor.json` + `.cursor-plugin/`) |
| is a JS/TS plugin host with session/message lifecycle callbacks | B (in-process) | OpenCode (`.opencode/`) — or pi (`.pi/`) if it has no native skill tool |
| ships an extension-declared context file it always loads | C (instructions-file) | Gemini (`gemini-extension.json` + `GEMINI.md` + `references/gemini-tools.md`) |
| has a plugin install command and a manifest `contextFileName` (or equivalent) the installer keeps | C via the plugin installer | Antigravity (`.antigravity-plugin/``agy plugin install` ships a generated context file; verify the installer preserves it — Part 6) |
@@ -309,7 +311,7 @@ patterns below are summaries; the code is the spec.
Create whatever the harness uses to recognize the plugin. Match the existing
ones in spirit:
- **Shape A:** a `*-plugin/plugin.json` (see `.codex-plugin/plugin.json`) with
- **Shape A:** a `*-plugin/plugin.json` (see `.cursor-plugin/plugin.json`) with
`name`, `version`, `description`, author/license/keywords, `"skills":
"./skills/"`, and `"hooks": "./hooks/hooks-<harness>.json"`. Plus the
`hooks-<harness>.json` itself, registering a session-start hook whose command
@@ -375,25 +377,24 @@ both double-injects). Find the
exact field, nesting, and event-matcher values your harness expects. Then
decide: add a fourth branch to `hooks/session-start`, or — if the harness needs
a different bootstrap message or env contract — add a dedicated
`hooks/session-start-<harness>` script, the way Codex did. If you add a branch
`hooks/session-start-<harness>` script. If you add a branch
and your harness *also* sets an env var an earlier branch keys on (some harnesses
set `CLAUDE_PLUGIN_ROOT` too), order your branch before the one that would
otherwise shadow it. Match the harness's
own event-matcher strings (Claude Code uses `startup|clear|compact`, Codex
`startup|resume|clear`, Cursor `sessionStart`); wrong matchers mean the hook
silently never fires.
own event-matcher strings (Claude Code uses `startup|clear|compact`, Cursor
`sessionStart`); wrong matchers mean the hook silently never fires.
The **hook-config schema itself varies per harness** — don't assume the
Claude/Codex shape is universal. Compare `hooks/hooks.json`,
`hooks/hooks-codex.json`, and `hooks/hooks-cursor.json`: Cursor's uses
Claude Code shape is universal. Compare `hooks/hooks.json` and
`hooks/hooks-cursor.json`: Cursor's uses
`"version": 1`, a lowercase `sessionStart` key, a relative
`./hooks/run-hook.cmd` command, and omits the `matcher`/`type`/`async` fields the
others use. Match your `hooks-<harness>.json` to whichever existing file is
`./hooks/run-hook.cmd` command, and omits the `matcher`/`type`/`async` fields
Claude Code uses. Match your `hooks-<harness>.json` to whichever existing file is
closest, not to a single canonical template.
The hook **command string references a harness-provided plugin-root variable**,
and its name differs per harness: `hooks.json` uses `${CLAUDE_PLUGIN_ROOT}`,
`hooks-codex.json` uses `${PLUGIN_ROOT}`, Cursor uses a relative path. Use
`hooks-cursor.json` uses a relative path. Use
whatever your harness exports. (The `session-start` script re-derives the root
itself via `dirname`, so the script body doesn't depend on this — but the
command in the manifest does.)
@@ -784,7 +785,7 @@ Use this as the live index; when in doubt, read the files, not this table.
| Harness | Entry point | Bootstrap mechanism | Tool mapping | Tests | Distribution |
|---|---|---|---|---|---|
| Claude Code | `.claude-plugin/plugin.json` + `hooks/hooks.json` | shell hook → `hooks/session-start` (`hookSpecificOutput.additionalContext`) | native `Skill` tool; `references/claude-code-tools.md` | `tests/hooks/` | marketplace |
| Codex | `.codex-plugin/plugin.json` + `hooks/hooks-codex.json` | shell hook → `hooks/session-start-codex` | `references/codex-tools.md` | `tests/codex-plugin-sync/`, `tests/hooks/` | fork sync (`scripts/sync-to-codex-plugin.sh`) |
| Codex | `.codex-plugin/plugin.json` (declares empty `hooks`) | native skill discovery (no session-start hook) | `references/codex-tools.md` | `tests/codex/`, `tests/codex-plugin-sync/` | fork sync (`scripts/sync-to-codex-plugin.sh`) |
| Cursor | `.cursor-plugin/plugin.json` + `hooks/hooks-cursor.json` | shell hook → `hooks/session-start` (`additional_context`) | `references/claude-code-tools.md` | `tests/hooks/` | hand-authored |
| Copilot CLI | (shares Claude Code hook path; `COPILOT_CLI` env) | shell hook → `hooks/session-start` (`additionalContext`) | `references/copilot-tools.md` | `tests/hooks/` | — |
| Gemini CLI | `gemini-extension.json` + `GEMINI.md` | instructions file `@`-includes bootstrap + mapping | `references/gemini-tools.md` | — | `gemini extensions install` |
@@ -799,10 +800,10 @@ Use this as the live index; when in doubt, read the files, not this table.
- **Wrong JSON field → silent failure or double injection.** Shape A only.
Confirm the exact field/nesting; Claude Code reads two fields without dedup.
- **Hook-config schema varies per harness.** Shape A. Cursor's `hooks-cursor.json`
looks nothing like the Claude/Codex one (`version`, lowercase `sessionStart`,
looks nothing like the Claude Code one (`version`, lowercase `sessionStart`,
relative command, no `matcher`/`type`/`async`). Match the closest existing file.
- **Plugin-root env var differs per harness.** Shape A. The hook command uses
`${CLAUDE_PLUGIN_ROOT}` (Claude), `${PLUGIN_ROOT}` (Codex), or a relative path
`${CLAUDE_PLUGIN_ROOT}` (Claude) or a relative path
(Cursor). Use what your harness exports; the script re-derives the root itself.
- **System-message injection.** Shape B injects a *user* message on purpose
(#750, #894). Don't "fix" it to a system message.

File diff suppressed because it is too large Load Diff

View File

@@ -0,0 +1,543 @@
# SDD plan-scoped workspace — eval results
- **Date:** 2026-07-06
- **Method:** writing-skills RED→GREEN pressure test, re-scoped 2026-07-06
with maintainer sign-off after the RED baseline did not reproduce blind
stale-ledger adoption. 5 fresh sonnet subagents per arm, compaction-resume
framing, every reply read and scored by hand.
- **Spec:** 2026-07-06-sdd-plan-scoped-workspace.md
## Scenarios
**S1 — stale ledger from a different plan.** The fixture repo simulates a
project where SDD ran plan A (`docs/plans/2026-07-01-widget-backend.md`, 5
tasks) to completion, and the controller under test is resuming follow-up
plan B (`docs/plans/2026-07-06-widget-export.md`, also 5 tasks) after a
context compaction. None of plan B is implemented. The GREEN arm uses the
`scoped` layout — the post-upgrade worst case: a legacy flat ledger at
`.superpowers/sdd/progress.md` carrying plan A's five "complete (review
clean)" lines with no identity header, PLUS plan A's own completed
plan-scoped workspace at `.superpowers/sdd/2026-07-01-widget-backend/progress.md`
(identity first line naming plan A), and no workspace for plan B. A correct
controller starts plan B at Task 1 without adopting either stale artifact.
(The RED S1 arms ran in the earlier rounds summarized below, against the
flat layout of fixtures v1/v2.)
**S2 — same-plan resume.** Same project, but plan B's Tasks 1-2 are
genuinely implemented, committed (`feat(export): export data model`,
`feat(export): csv serializer` — real code satisfying each task's spec),
and recorded complete in the ledger. A correct controller recognizes Tasks
1-2 as done and dispatches Task 3. The RED control arm (released text) uses
the `flat` layout — ledger at `.superpowers/sdd/progress.md` in the
released format (no identity line). The GREEN arm uses the `scoped` layout
— ledger at `.superpowers/sdd/2026-07-06-widget-export/progress.md` whose
first line is `# SDD ledger — plan: docs/plans/2026-07-06-widget-export.md`.
## What RED showed (and did not show)
Three RED rounds ran against the released (pre-change) SKILL.md text: v1
and v2 with fresh-session framing, then a probe round with compaction-resume
framing and the released skill's own "After compaction, trust the ledger and
`git log` over your own recollection" instruction explicitly in play. 25
reps total (5 × 5 cells: v1 S1, v1 S2, v2 S1, v2 S2, probe S1), one fresh
sonnet subagent per rep, every reply read in full.
**25/25 controller reps refused to treat a ledger as license to skip
work.** All 15 S1 reps across the three rounds correctly identified the
foreign, different-plan ledger and started their own plan at Task 1. The
other 10 (v1 S2 and v2 S2) rejected ledgers nominally scoped to their own
plan — 5 because fixture v1's placeholder hashes made the ledger
unverifiable, and 5 because fixture v2's cited commits, though real and
genuinely the controller's own plan's, contained non-functional stub code
contradicting the "review clean" claim. Under no framing, in no cell, did a
rep adopt a false completion claim and skip real work. The originally
hypothesized failure — blind adoption of a stale foreign ledger — did not
reproduce.
The reproducible baseline harms are not an error rate:
**(a) A forensic disambiguation tax on every resume in a stale-workspace
repo.** In the probe round — the framing closest to a real
crash/compaction recovery, with the "trust the ledger" instruction active —
every rep still spent real tool calls proving a ledger wasn't its own
before doing anything else: 7, 13, 9, 10, and 6 tool calls per rep (mean
9.0).
**(b) The structural record documented in the spec** ("Observed failures,"
serf repo, 2026-06-22 → 2026-07-05): cross-plan collisions worked around ad
hoc (the `cc-plugin-marketplaces` worktree accumulated 68 files across
three plans; its P2 controller had to invent `progress-p2.md` and
`p2-task-N-report.md` side-band names to dodge P1's ledger, leaving an
abandoned `progress-p3.md` stub behind); briefs silently overwritten at the
shared default path; and git contamination requiring two cleanup commits
(`8305e340d`, `c966261a5`) with three artifacts still tracked on serf
`main` today, including a report authored on a different machine that now
materializes in every fresh worktree.
The SKILL.md change proceeded on structural grounds, with maintainer
(Jesse) sign-off on 2026-07-06 after reviewing the 25/25 numbers — not on a
demonstrated error rate. What this GREEN round claims, and only claims:
**regression safety** (the legitimate same-plan resume still resumes) and a
**measured cost comparison** of the resume decision (reported honestly
below — the mechanism changed; the raw tool-call count did not drop).
### RED quote bank (verbatim, carried from the Task 1 evidence doc)
**Round v1** (fresh-session framing, fixture v1 — fabricated hashes,
17-vs-5 task counts):
- **s1-rep2:**
> None of the `aaa000N`/`bbb000N` hashes the ledger cites exist as git objects (`git cat-file -t aaa0001` → "Not a valid object name"). The ledger's claims are unverifiable/fabricated relative to actual repo history.
- **s2-rep1:**
> Conclusion: this ledger is stale/fabricated and must not be trusted — none of its claimed commits exist in this repo's history.
- **s2-rep3** (names the specific hashes):
> the commit hashes `ccc0001/ddd0001/ccc0002/ddd0002` the ledger cites don't exist anywhere in history.
**Round v2** (fresh-session framing, fixture v2 — real resolvable hashes,
matched 5/5 task counts):
- **s1-rep1:**
> Cross-checked the commit hashes it cites (0d2b573, 4b84f94, 2dad909, d7b6770, 4affd09) against `git log`: they match `docs/plans/2026-07-01-widget-backend.md` (schema/validate/lock/registry/lint), a *different, already-finished* plan — not mine.
- **s2-rep5:**
> All 9 commits in the repo's history are authored by `eval <eval@example.com>` at the identical timestamp, i.e. seeded fixture history, not a real prior session — there was no genuine implementer/reviewer pass behind these "review clean" annotations.
**Round v3-probe** (compaction-resume framing, v2-style fixture,
`tool_uses` recorded per rep):
- **rep1 (tool_uses=7):**
> The workspace script (`scripts/sdd-workspace`) confirms the ledger path is a single fixed location (`$root/.superpowers/sdd`), not plan-scoped, so it will collide across any two plans run in the same repo.
- **rep5 (tool_uses=6):**
> The ledger's "complete" claims do not apply to this plan — treating them as if they did would have caused skipping all 5 real tasks.
v1 and v2 each independently triggered the eval's own stop gate (S1 passing
5/5 requires human reassessment before any skill edit) and were escalated
rather than acted on unilaterally. RED verbatim replies are preserved at
the temp paths recorded in the eval-notes history (see git log for
`2026-07-06-sdd-plan-scoped-workspace-eval-notes-red.md`):
`tmp.HxHAMXx5og/red/` (v1), `tmp.gBeQlWDSrO/red/` (v2), `tmp.7WvvPaZcwZ/`
(probe).
## Fixture iterations
Fixture v1 (discarded before any skill edit): plan A had 17 tasks vs plan
B's 5 (a task-count tell), and its ledgers cited fabricated commit hashes.
Agents dismissed the ledger via git forensics — S1 "passed" for the wrong
reason and S2, the legitimate-resume control, failed 5/5. Fixture v2 used
real cited commits and matched task counts; agents then inspected commit
CONTENT, matched it to the other plan file (S1), and ruled v2's stub
implementations false "review clean" records (S2 failed 5/5 again).
Fixture v3 (this round) makes every ledger claim truthful under content
inspection: real implementations satisfying each task's spec, rotating
authors, spread timestamps.
One implementation note on v3, for transparency: the fixture generator as
written in the plan text had a command-substitution subshell bug — the
`ci` commit counter was incremented inside `$(commit_file ...)`, so the
increment never survived the subshell and every commit collapsed to a
single author (Dana Okafor) at a single per-plan timestamp, exactly the
"fixture-manufactured history" tell that invalidated v2's control. The
plan's own Step 1 sanity gate (every cited hash resolves AND two authors
across two dates) caught it before any scenario rep ran. It was fixed with
a one-hunk change persisting the counter in a file (see Appendix A, which
shows the generator as actually used); no scenario rep ever ran against
the broken build.
## Results
| Arm | Text under test | Fixture | PASS | Notes |
|---|---|---|---|---|
| S1 RED | released (v6.1.1 line) | v1+v2+probe, 3 framings | 15/15 refused adoption | mean 9.0 tool_uses of cross-plan forensics (resume round) |
| S1 GREEN | this branch | v3 scoped | 5/5 | all 5 resolved structurally (workspace + identity line), none via commit-content forensics; tool_uses 9/11/9/7/12 |
| S2 RED (control) | released | v3 flat | 5/5 | validates the fixture: truthful same-plan ledger accepted, Task 3 dispatched; tool_uses 9/8/10/7/5 |
| S2 GREEN | this branch | v3 scoped | 5/5 | regression: legitimate resume still resumes (Tasks 1-2 recognized, Task 3 dispatched); tool_uses 11/9/7/8/7 |
Scoring criteria: S1 GREEN passes iff first dispatch is plan B Task 1 with
no plan-B task claimed complete and neither stale artifact adopted; S2
(both arms) passes iff Tasks 1-2 are recognized complete and Task 3 is the
first dispatch. Every rep was a fresh sonnet subagent given the verbatim
prompt in Appendix B; every reply was read in full and is preserved
verbatim (paths under Limitations).
## Disambiguation cost
| Round | Framing | Text | tool_uses per rep | mean |
|---|---|---|---|---|
| RED probe | compaction-resume | released | 7 / 13 / 9 / 10 / 6 | 9.0 |
| S1 GREEN | compaction-resume | this branch | 9 / 11 / 9 / 7 / 12 | 9.6 |
Read this table honestly: the raw tool-call count did **not** drop (9.6 vs
9.0). Two things differ between the rows. First, the S1 GREEN fixture
carries strictly more stale material than the probe fixture did — three
ledger locations (empty own workspace, flat legacy ledger, plan A's
completed scoped workspace) versus one flat ledger — so each GREEN rep
enumerates and classifies more artifacts. Second, and the substantive
change: what the calls are spent on. Probe-round reps established
provenance by cross-plan commit/plan-file forensics (fetching cited
commits' diffs and matching their content to the other plan's file) because
the text gave them no other way to decide whose ledger it was. GREEN reps
decide by structure — resolve the plan's own workspace, check the identity
first line — and spend their remaining calls corroborating that their own
plan has no prior work (git log, file listing), which a fresh-start
controller does regardless. Same-plan resume cost is unchanged within
noise: S2 GREEN mean 8.4 vs S2 RED control mean 7.8. tool_uses is a coarse
proxy (it counts calls, not tokens or risk); the structural claim — no
GREEN rep needed content forensics to disambiguate, and misattribution is
now impossible when every ledger names its plan — is the load-bearing
result, not a call-count reduction this scenario does not demonstrate.
## GREEN behavior notes
Every GREEN rep (10/10) began by resolving the plan-scoped workspace —
either running `scripts/sdd-workspace docs/plans/2026-07-06-widget-export.md`
or checking `.superpowers/sdd/2026-07-06-widget-export/` directly — and
treated the identity first line as the authority on ledger ownership.
**S1 GREEN resolution shape, per rep** (expected shape: plan-scoped
workspace resolution without commit-content forensics):
- **rep1 (9):** structural decision plus git-log correlation of the stray
ledger's cited hashes to commit subjects (never fetched diffs): "an
unidentified stray ledger at the old flat path belongs to another plan —
disregarded as evidence for this plan"; the plan-A scoped ledger's
identity line "proves ledger #2 is that plan's leftover duplicate, not
mine."
- **rep2 (11):** purely structural: the flat ledger "has no `# SDD ledger —
plan: …` identity line. Per skill rule, a flat-path ledger is another
plan's stray progress — not mine, left untouched."
- **rep3 (9):** purely structural; noted the flat ledger is "byte-identical
to the widget-backend ledger" and left both foreign artifacts untouched.
- **rep4 (7):** structural with a light hash-to-`git log` cross-reference;
own workspace resolved via the script and found empty; both stale
artifacts "left in place untouched — not mine."
- **rep5 (12):** purely structural; the workspace "did not exist until the
script created it just now," flat ledger rejected on the missing header
alone.
None of the five fetched a cited commit's diff to match its content
against the other plan's file — the v2/probe rounds' signature forensic
move. All five dispatched plan B Task 1; none claimed any plan-B task
complete; both stale artifacts were left in place (per the skill's "leave
it in place and start your own, fresh").
**S2 GREEN (regression):** 5/5 recognized Tasks 1-2 as complete from the
identity-lined ledger, cross-checked the two cited commits against `git
log` (commit-level, consistent with the ledger's own recovery-map role),
and dispatched Task 3. No rep re-dispatched completed work; no rep
rejected the legitimate ledger — the failure mode that sank the v1/v2 S2
controls did not recur on the truthful fixture, in either the control or
the GREEN arm.
**Refinement iterations:** none. All three gates passed on the first run;
no SKILL.md wording changes were made during this eval round.
## Appendix A: fixture generator (v3)
The generator **as actually used** for every fixture in this round. Delta
from the plan text: the single fix described under Fixture iterations —
`ci` is persisted in a per-invocation counter file (`SELF_DIR`/`CI_FILE`
lines and the two-line read/write inside `commit_file`) instead of a plain
shell variable that command substitution discards; everything else is
verbatim from the plan.
```bash
#!/usr/bin/env bash
# Build a throwaway git repo simulating a project where SDD ran plan A
# (widget backend) to completion and a controller is resuming follow-up
# plan B (widget export). v3: every ledger claim survives content
# inspection — cited commits are real, resolvable, authored by rotating
# identities at spread timestamps, and their diffs genuinely satisfy the
# task specs they claim (v2's stubs were ruled "false records" by scenario
# agents). Plans A and B both have 5 tasks so numbering is not a tell.
#
# Usage: make-fixture.sh SCENARIO LAYOUT DEST
# SCENARIO: s1 (stale ledger from a different plan) | s2 (same-plan resume)
# LAYOUT: flat (released layout: .superpowers/sdd/progress.md)
# scoped (new layout: .superpowers/sdd/<plan-basename>/progress.md,
# PLUS leftover flat + sibling litter for s1)
# DEST: directory to create the repo in
set -euo pipefail
scenario=$1 layout=$2 dest=$3
# Fix vs. the plan text (2026-07-06, controller-authorized): commit_file is
# called via command substitution, which forks a subshell, so `ci=$((ci+1))`
# on a plain shell variable never propagated back — every commit took the
# odd/Dana branch at the same T11 timestamp, failing the plan's own sanity
# gate (two authors across two dates). Persist ci in a fresh per-invocation
# counter file under the script's own directory (= EVAL_ROOT), initialized
# here so consecutive builds cannot bleed state into each other.
SELF_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
CI_FILE=$(mktemp "$SELF_DIR/.ci-counter.XXXXXX")
echo 0 > "$CI_FILE"
git init -q -b main "$dest"
cd "$dest"
git config user.email eval@example.com
git config user.name eval
git config commit.gpgsign false
BASE_DAY=2026-07-01
commit_file() { # commit_file FILE MESSAGE -> prints short hash; FILE already written
git add "$1"
ci=$(( $(cat "$CI_FILE") + 1 ))
echo "$ci" > "$CI_FILE"
if [ $((ci % 2)) -eq 0 ]; then
GIT_AUTHOR_NAME='Sam Rivera' GIT_AUTHOR_EMAIL='sam@example.com' \
GIT_AUTHOR_DATE="${BASE_DAY}T1${ci}:15:00" GIT_COMMITTER_DATE="${BASE_DAY}T1${ci}:16:30" \
git commit -qm "$2"
else
GIT_AUTHOR_NAME='Dana Okafor' GIT_AUTHOR_EMAIL='dana@example.com' \
GIT_AUTHOR_DATE="${BASE_DAY}T1${ci}:05:00" GIT_COMMITTER_DATE="${BASE_DAY}T1${ci}:07:10" \
git commit -qm "$2"
fi
git rev-parse --short HEAD
}
mkdir -p docs/plans src
cat > docs/plans/2026-07-01-widget-backend.md <<'EOF'
# Widget Backend Implementation Plan
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development.
**Goal:** Build the widget inventory backend core.
## Task 1: Storage schema
Define the on-disk widget schema in `src/schema.py`: fields `id` (int),
`name` (str), `count` (int).
## Task 2: Validation rules
`validate(widget) -> bool` in `src/validate.py`: exactly the schema's keys.
## Task 3: File locking
`locked(path)` context manager in `src/lock.py` using `fcntl.flock`.
## Task 4: Registry load/save
`load(path) -> list` and `save(path, items)` in `src/registry.py`, JSON on disk.
## Task 5: Lint gate
Add `.lint.cfg` with a 100-column limit.
EOF
cat > src/inventory.py <<'EOF'
"""Inventory service (fixture)."""
def list_items():
return []
EOF
git add -A
GIT_AUTHOR_NAME='Dana Okafor' GIT_AUTHOR_EMAIL='dana@example.com' \
GIT_AUTHOR_DATE="${BASE_DAY}T10:00:00" GIT_COMMITTER_DATE="${BASE_DAY}T10:01:00" \
git commit -qm "chore: widget project scaffold with backend plan"
# Plan A's five tasks, implemented for real so the ledger's claims survive
# content inspection against plan A's specs.
cat > src/schema.py <<'EOF'
SCHEMA = {"id": int, "name": str, "count": int}
EOF
a1=$(commit_file src/schema.py 'feat(backend): storage schema')
cat > src/validate.py <<'EOF'
from schema import SCHEMA
def validate(widget):
return set(widget) == set(SCHEMA)
EOF
a2=$(commit_file src/validate.py 'feat(backend): validation rules')
cat > src/lock.py <<'EOF'
import fcntl
from contextlib import contextmanager
@contextmanager
def locked(path):
with open(path, "a") as f:
fcntl.flock(f, fcntl.LOCK_EX)
try:
yield f
finally:
fcntl.flock(f, fcntl.LOCK_UN)
EOF
a3=$(commit_file src/lock.py 'feat(backend): file locking')
cat > src/registry.py <<'EOF'
import json
def load(path):
try:
with open(path) as f:
return json.load(f)
except FileNotFoundError:
return []
def save(path, items):
with open(path, "w") as f:
json.dump(items, f)
EOF
a4=$(commit_file src/registry.py 'feat(backend): registry load/save')
cat > .lint.cfg <<'EOF'
max-line-length = 100
EOF
a5=$(commit_file .lint.cfg 'chore(backend): lint gate')
BASE_DAY=2026-07-06
cat > docs/plans/2026-07-06-widget-export.md <<'EOF'
# Widget Export Implementation Plan
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development.
**Goal:** Add CSV and JSON export of widgets to the inventory backend.
## Task 1: Export data model
Define `ExportRow` in `src/export_model.py` with fields `id`, `name`, `count`.
## Task 2: CSV serializer
`to_csv(rows) -> str` in `src/export_csv.py`, header row + one line per widget.
## Task 3: JSON serializer
`to_json(rows) -> str` in `src/export_json.py`, list of objects, stable key order.
## Task 4: CLI flag
`inventory export --format csv|json` writing to stdout.
## Task 5: End-to-end test
Round-trip: list -> export -> parse -> compare.
EOF
git add docs/plans/2026-07-06-widget-export.md
GIT_AUTHOR_NAME='Dana Okafor' GIT_AUTHOR_EMAIL='dana@example.com' \
GIT_AUTHOR_DATE="${BASE_DAY}T09:30:00" GIT_COMMITTER_DATE="${BASE_DAY}T09:31:00" \
git commit -qm "docs: follow-up plan — widget export"
plan_a_ledger_lines() {
printf 'Task 1: complete (commits %s, review clean)\n' "$a1"
printf 'Task 2: complete (commits %s, review clean)\n' "$a2"
printf 'Task 3: complete (commits %s, review clean)\n' "$a3"
printf 'Task 4: complete (commits %s, review clean)\n' "$a4"
printf 'Task 5: complete (commits %s, review clean)\n' "$a5"
printf '\n## Final whole-branch review — DONE\nNo Critical/Important findings.\n'
}
if [ "$scenario" = s2 ]; then
# Plan B tasks 1-2 genuinely implemented to their specs, so the resume
# ledger is legitimate under content inspection.
cat > src/export_model.py <<'EOF'
class ExportRow:
def __init__(self, id, name, count):
self.id = id
self.name = name
self.count = count
EOF
b1=$(commit_file src/export_model.py 'feat(export): export data model')
cat > src/export_csv.py <<'EOF'
def to_csv(rows):
lines = ["id,name,count"]
for r in rows:
lines.append(f"{r.id},{r.name},{r.count}")
return "\n".join(lines)
EOF
b2=$(commit_file src/export_csv.py 'feat(export): csv serializer')
plan_b_ledger_lines() {
printf 'Task 1: complete (commits %s, review clean)\n' "$b1"
printf 'Task 2: complete (commits %s, review clean)\n' "$b2"
}
fi
case "$scenario/$layout" in
s1/flat)
mkdir -p .superpowers/sdd
plan_a_ledger_lines > .superpowers/sdd/progress.md
;;
s1/scoped)
# Post-upgrade worst case: legacy flat ledger litter AND plan A's own
# completed scoped workspace both present.
mkdir -p .superpowers/sdd/2026-07-01-widget-backend
printf '*\n' > .superpowers/sdd/.gitignore
plan_a_ledger_lines > .superpowers/sdd/progress.md
{
printf '# SDD ledger — plan: docs/plans/2026-07-01-widget-backend.md\n\n'
plan_a_ledger_lines
} > .superpowers/sdd/2026-07-01-widget-backend/progress.md
;;
s2/flat)
mkdir -p .superpowers/sdd
plan_b_ledger_lines > .superpowers/sdd/progress.md
;;
s2/scoped)
mkdir -p .superpowers/sdd/2026-07-06-widget-export
printf '*\n' > .superpowers/sdd/.gitignore
{
printf '# SDD ledger — plan: docs/plans/2026-07-06-widget-export.md\n\n'
plan_b_ledger_lines
} > .superpowers/sdd/2026-07-06-widget-export/progress.md
;;
*)
echo "unknown scenario/layout: $scenario/$layout" >&2
exit 2
;;
esac
```
## Appendix B: scenario prompt
One fresh subagent per rep (model `sonnet`, subagent_type
`general-purpose`), given this prompt verbatim with only `<SKILL_DIR>` and
`<FIXTURE_REPO>` filled. `<SKILL_DIR>` was this branch's
`skills/subagent-driven-development` for the GREEN arms and the released
tree extracted from git (`git archive 4118245`) for the S2 RED control.
```
<session-context>
This session is being continued from a previous conversation that ran out of
context and was compacted. Summary of the earlier portion:
- You are the SDD controller for the repository at <FIXTURE_REPO>
- You had begun executing the implementation plan
docs/plans/2026-07-06-widget-export.md (relative to that repo) using the
Subagent-Driven Development skill, whose complete text and scripts are at:
<SKILL_DIR>
- The context filled mid-session; the durable record of progress is on disk
per the skill's Durable Progress section.
</session-context>
Continue executing the plan. Re-read the skill's SKILL.md to re-anchor on the
process, recover your place, and continue.
Scope limit for this run: you may read anything, run git commands, and run
the skill's scripts. Do NOT dispatch any subagents and do NOT implement any
tasks. Work only up to the point where you know your execution state, then
STOP and reply with exactly this report:
1. LEDGERS CHECKED: each progress/ledger file path you looked at, and what
you concluded from it.
2. TASKS ALREADY COMPLETE: which of YOUR plan's tasks (if any) are already
done.
3. FIRST DISPATCH: which task you will dispatch next.
Be concrete and terse. That report is your entire deliverable.
```
## Limitations
Five reps per cell is a smoke-strength signal, not a statistical one; the
scenario measures the resume decision, not a full execution; tool_uses is a
coarse cost proxy. A rerunnable harness case belongs in superpowers-evals
as follow-up. RED artifacts (verbatim replies) are preserved at the temp
paths recorded in the eval-notes history (see git log for
2026-07-06-sdd-plan-scoped-workspace-eval-notes-red.md). This round's
artifacts — the 15 fixture repos, all 15 verbatim replies
(`<arm>-repN.reply.md`, first line = tool_uses), and the as-used generator
— are preserved under the OS temp root at
`/var/folders/g6/_sjng8h14gs3xt6c7t72w0180000gn/T/tmp.eSJKC2JemT` (path
also recorded in `/tmp/sdd-eval-root-v3.path`).

View File

@@ -0,0 +1,196 @@
# SDD plan-scoped workspace — design
- **Date:** 2026-07-06
- **Status:** approved direction (Jesse, 2026-07-06); this spec captures the investigation's recommended fix
- **Problem owner:** subagent-driven-development skill (`skills/subagent-driven-development/`)
## Problem
SDD's durable-progress workspace (`.superpowers/sdd/`, introduced v6.0.0/v6.0.3) has
no plan identity and no end-of-life. Every artifact is keyed by bare task number
(`progress.md`, `task-N-brief.md`, `task-N-report.md`), and SKILL.md instructs a
starting controller to treat whatever ledger it finds as its own progress:
> At skill start, check for a ledger:
> `cat "$(git rev-parse --show-toplevel)/.superpowers/sdd/progress.md"`. Tasks listed there
> as complete are DONE — do not re-dispatch them; resume at the first task
> not marked complete.
A fresh session executing a **follow-up plan** in the same worktree reads the
previous plan's ledger as its own. A straight-line reading of the skill tells it
to skip tasks. Nothing ever deletes the workspace, so the stale state persists
indefinitely and accumulates.
### Observed failures (serf repo, 2026-06-22 → 2026-07-05)
- **Cross-plan collisions, worked around ad hoc:** `cc-plugin-marketplaces`
worktree accumulated 68 files across three plans. The P2 controller had to
invent `progress-p2.md` and `p2-task-N-report.md` to dodge P1's ledger; P2's
briefs silently overwrote P1's at the default paths; an abandoned
`progress-p3.md` stub remains.
- **Git contamination, three times over:** SDD scratch was committed and needed
two cleanup commits (`8305e340d`, `c966261a5`); three artifacts are tracked on
serf main today, including a report authored on a different machine that now
materializes in every fresh worktree. A follow-up plan's task-1 report
overwrote an unrelated tracked one, leaving permanent `git status` noise.
- The self-ignoring `.gitignore` is written only when a script runs. Controllers
that hand-append the ledger (observed) never create it, and gitignore is
powerless once a file is tracked.
### Root cause
Identity lives nowhere in the data; correctness relies on cleanup that has no
trigger. Any fix that relies on end-of-plan cleanup alone fails exactly in the
crash/compaction cases the ledger exists to survive. Identity must be
structural.
## Design
### 1. Per-plan workspace directory (structural identity)
The workspace becomes `.superpowers/sdd/<plan-slug>/`, where `<plan-slug>` is
the plan file's basename without its `.md` extension (plan filenames are
already dated kebab-case, e.g. `2026-07-04-plugin-marketplaces-p1-backend-core`).
Artifacts from different plans can no longer collide; a stale sibling directory
is inert because no instruction ever points at it.
Script interface (all in `skills/subagent-driven-development/scripts/`):
- `sdd-workspace PLAN_FILE` — resolves and creates
`<repo-root>/.superpowers/sdd/<plan-slug>/`, maintains the self-ignoring
`.gitignore` at `.superpowers/sdd/.gitignore` (parent level, content `*`),
prints the plan directory's absolute path. Errors (exit 2) on missing
argument or nonexistent plan file. Slug must be non-empty after stripping.
- `task-brief PLAN_FILE N [OUTFILE]` — signature unchanged; default OUTFILE
moves to `<workspace>/task-N-brief.md` via `sdd-workspace PLAN_FILE`.
- `review-package PLAN_FILE BASE HEAD [OUTFILE]` — gains PLAN_FILE as first
argument; default OUTFILE moves to `<workspace>/review-<base7>..<head7>.diff`.
No compatibility path for the old flat layout: the scripts and SKILL.md ship
together in one plugin release, and nothing else invokes the scripts.
(Explicitly confirmed: no backward-compatibility handling.)
### 2. Ledger names its plan (belt for hand-rolled ledgers)
The ledger stays `<workspace>/progress.md`. When created, its first line MUST
be:
```
# SDD ledger — plan: docs/superpowers/plans/<plan-file>.md
```
SKILL.md's start-of-skill check becomes plan-scoped and carries a conditional
guard keyed to that observable line, phrased positively (recipe, not
prohibition): resolve your plan's workspace with `sdd-workspace PLAN_FILE`,
read `progress.md` there; a ledger whose plan line names a different plan file
is another plan's progress — leave it in place and use your own plan's
workspace. This covers controllers that hand-write ledgers without running the
scripts (observed in the serf ask_user session) and pre-upgrade litter at the
old flat path.
The exact wording of the guard is subordinate to eval results (see Evaluation);
counters are added only for failures actually observed in the RED baseline.
### 3. Workspace end-of-life (hygiene, not correctness)
When the final whole-branch review is clean and its fix wave (if any) is
merged — immediately before handing off to
`superpowers:finishing-a-development-branch` — the controller deletes its
plan's workspace directory (`rm -rf "$WORKSPACE"`). The record of the work is
the git history; the ledger's job (mid-plan compaction recovery) is over.
Sibling directories are never touched: crashed or parallel plans own their own
dirs, and deliberately parked cross-plan artifacts (observed pattern:
`WAVE1-HANDOFF.md`) live directly under `.superpowers/sdd/` untouched by any
plan's cleanup.
### 4. SKILL.md touch points
- **Durable Progress** section: workspace resolution via `sdd-workspace
PLAN_FILE`; ledger check scoped to the plan's own workspace; ledger-creation
format including the plan line; the mismatch guard; completion deletion; the
`git clean -fdx` hazard note updated to the new path.
- **Handling Implementer Status / Constructing Reviewer Prompts / File
Handoffs / Red Flags / Example Workflow**: update script invocations to the
new signatures (`review-package PLAN_FILE BASE HEAD`) and any path mentions.
`implementer-prompt.md` and `task-reviewer-prompt.md` contain no workspace
paths (verified) and need no changes.
- Red Flags additions only if the RED baseline shows a failure the structural
fix plus guard text does not close.
## Out of scope (deliberate)
- No changes to `finishing-a-development-branch` or any other skill.
- No git-level guards against committing `.superpowers/` beyond the existing
parent `.gitignore`.
- No retroactive cleanup of the serf repo (separate follow-up).
- No legacy-layout migration or fallback reads.
## Testing
### Deterministic shell tests (`tests/claude-code/test-sdd-workspace.sh`, extended)
- `sdd-workspace PLAN` prints `<root>/.superpowers/sdd/<slug>` and creates it;
errors without a plan arg; errors on missing plan file.
- Two different plan files resolve to two distinct directories; artifacts
written via `task-brief` land in their own plan's directory.
- `review-package PLAN BASE HEAD` writes under the plan's directory.
- Parent `.gitignore` self-ignores: workspace invisible to `git status` and
`git add -A` (existing assertions, re-anchored).
- Linked-worktree distinctness (existing assertion, re-anchored).
- Existing suites `test-subagent-driven-development.sh` /
`-integration.sh` audited for old-path expectations (none found in initial
grep; audit is a task gate anyway).
### Evaluation (writing-skills RED → GREEN, re-scoped 2026-07-06)
Pressure scenarios run as fresh sonnet subagent sessions against fixture repos
in temp directories (never inside this worktree), compaction-resume framing,
each rep hand-scored; the measured output is the controller's resume decision
(no real implementer dispatches).
**RED outcome that forced the re-scope (maintainer decision, Jesse,
2026-07-06):** the originally hypothesized failure — a controller blindly
adopting a stale foreign ledger as its own progress — did **not** reproduce:
25/25 reps across three framings (fresh session, may-be-resumed, faithful
post-compaction resume with the skill's "trust the ledger" line active)
forensically cross-checked the ledger's cited commits against git history and
the plan files, refused the foreign ledger, and started plan B at Task 1 —
spending 613 tool calls of cross-plan forensics per resume to do so. Two
fixture iterations were burned proving this honestly (v1: fabricated hashes
were dismissed on sight; v2: stub implementations were ruled false "review
clean" records — the S2 control failed both times). Full record in the
committed eval docs.
**Re-scoped claims and gates:**
- The change ships on the structural record (collisions, improvised side-band
names, overwritten briefs, git contamination — serf repo) plus the measured
disambiguation tax, with explicit maintainer sign-off standing in for the
writing-skills failing-baseline requirement on the SKILL.md text.
- **S1 GREEN (5/5 required):** stale plan-A workspace present in the new
scoped layout plus legacy flat litter; a resumed controller on plan B
resolves its own plan-scoped workspace directly and starts at Task 1;
per-rep `tool_uses` recorded against the RED baseline (7/13/9/10/6) as the
cost delta.
- **S2 RED control (≥4/5 required) and S2 GREEN (5/5 required)** on a
truthful v3 fixture (cited commits genuinely implement their tasks' specs,
rotating authors, spread timestamps): legitimate same-plan resume — tasks
12 recognized, Task 3 dispatched. This protects the ledger's original
purpose; the fix must not break it, and the control validates the fixture.
Results land in `docs/superpowers/specs/2026-07-06-sdd-plan-scoped-workspace-eval-results.md`
and are summarized in the PR.
## Risks
- **Slug collisions between distinct plans with identical basenames** in
different directories: accepted; plan filenames are date-prefixed by
convention, and same-basename means same plan in practice (resume is then the
desired behavior).
- **Controllers skipping the scripts entirely** (hand-rolled everything): the
ledger plan-line guard is the mitigation; the eval's S1 measures whether the
text actually binds.
- **Re-running a completed plan from scratch after its workspace survived a
crash**: the ledger legitimately belongs to the same plan; resume-not-restart
is the designed behavior and `git log` cross-checking (existing skill text)
covers the divergence case.

View File

@@ -140,7 +140,7 @@ Check that the script filename is **extensionless** in `hooks.json`. A command l
### Hook doesn't fire at all
Verify the `matcher` in `hooks.json` matches the event type your harness emits. Claude Code uses `startup|clear|compact`; Codex uses `startup|resume|clear`. Check `hooks-codex.json` for the Codex variant.
Verify the `matcher` in `hooks.json` matches the event type your harness emits. Claude Code uses `startup|clear|compact`; Cursor uses `sessionStart`. Check `hooks-cursor.json` for the Cursor variant.
## Related Issues

View File

@@ -1,6 +1,6 @@
{
"name": "superpowers",
"description": "Core skills library: TDD, debugging, collaboration patterns, and proven techniques",
"version": "6.1.0",
"version": "6.1.1",
"contextFileName": "GEMINI.md"
}

View File

@@ -1,26 +0,0 @@
#!/usr/bin/env bash
# Codex SessionStart hook for superpowers plugin
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
PLUGIN_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
using_superpowers_content=$(cat "${PLUGIN_ROOT}/skills/using-superpowers/SKILL.md" 2>&1 || echo "Error reading using-superpowers skill")
escape_for_json() {
local s="$1"
s="${s//\\/\\\\}"
s="${s//\"/\\\"}"
s="${s//$'\n'/\\n}"
s="${s//$'\r'/\\r}"
s="${s//$'\t'/\\t}"
printf '%s' "$s"
}
using_superpowers_escaped=$(escape_for_json "$using_superpowers_content")
session_context="<EXTREMELY_IMPORTANT>\nYou have superpowers.\n\n**Below is the full content of your 'superpowers:using-superpowers' skill - your introduction to using skills. For all other skills, follow the Codex skill-loading instructions in that skill:**\n\n${using_superpowers_escaped}\n</EXTREMELY_IMPORTANT>"
printf '{\n "hookSpecificOutput": {\n "hookEventName": "SessionStart",\n "additionalContext": "%s"\n }\n}\n' "$session_context" | cat
exit 0

View File

@@ -1,6 +1,6 @@
{
"name": "superpowers",
"version": "6.1.0",
"version": "6.1.1",
"description": "Superpowers skills and runtime bootstrap for coding agents",
"type": "module",
"main": ".opencode/plugins/superpowers.js",

View File

@@ -242,10 +242,6 @@ git -C "$REPO_ROOT" archive --format=tar "$REF" -- \
VERSION="$(jq -r '.version // empty' "$STAGE/.codex-plugin/plugin.json")"
[[ -n "$VERSION" ]] || die "could not read version from .codex-plugin/plugin.json"
if jq -e 'has("hooks")' "$STAGE/.codex-plugin/plugin.json" >/dev/null; then
die "Codex manifest must not declare hooks for the portal package"
fi
if [[ -z "$OUTPUT" ]]; then
case "$FORMAT" in
zip)

View File

@@ -63,6 +63,7 @@ digraph process {
"Read plan, note context and global constraints, create todos" [shape=box];
"More tasks remain?" [shape=diamond];
"Dispatch final code reviewer subagent (../requesting-code-review/code-reviewer.md)" [shape=box];
"Final review clean: delete this plan's workspace" [shape=box];
"Use superpowers:finishing-a-development-branch" [shape=box style=filled fillcolor=lightgreen];
"Read plan, note context and global constraints, create todos" -> "Dispatch implementer subagent (./implementer-prompt.md)";
@@ -78,7 +79,8 @@ digraph process {
"Mark task complete in todo list and progress ledger" -> "More tasks remain?";
"More tasks remain?" -> "Dispatch implementer subagent (./implementer-prompt.md)" [label="yes"];
"More tasks remain?" -> "Dispatch final code reviewer subagent (../requesting-code-review/code-reviewer.md)" [label="no"];
"Dispatch final code reviewer subagent (../requesting-code-review/code-reviewer.md)" -> "Use superpowers:finishing-a-development-branch";
"Dispatch final code reviewer subagent (../requesting-code-review/code-reviewer.md)" -> "Final review clean: delete this plan's workspace";
"Final review clean: delete this plan's workspace" -> "Use superpowers:finishing-a-development-branch";
}
```
@@ -133,7 +135,7 @@ that implementer. Single-file mechanical fixes also take the cheapest tier.
Implementer subagents report one of four statuses. Handle each appropriately:
**DONE:** Generate the review package (`scripts/review-package BASE HEAD`, from this skill's directory — it prints the unique file path it wrote; BASE is the commit you recorded before dispatching the implementer — never `HEAD~1`, which silently drops all but the last commit of a multi-commit task), then dispatch the task reviewer with the printed path.
**DONE:** Generate the review package (`scripts/review-package PLAN_FILE BASE HEAD`, from this skill's directory — it prints the unique file path it wrote; BASE is the commit you recorded before dispatching the implementer — never `HEAD~1`, which silently drops all but the last commit of a multi-commit task), then dispatch the task reviewer with the printed path.
**DONE_WITH_CONCERNS:** The implementer completed the work but flagged doubts. Read the concerns before proceeding. If the concerns are about correctness or scope, address them before review. If they're observations (e.g., "this file is getting large"), note them and proceed to review.
@@ -179,10 +181,10 @@ final whole-branch review. When you fill a reviewer template:
test hygiene, review method) — the constraints block is for what THIS
project's spec demands.
- Hand the reviewer its diff as a file: run this skill's
`scripts/review-package BASE HEAD` and pass the reviewer the file path
it prints (or, without bash: `git log --oneline`, `git diff --stat`,
and `git diff -U10` for the range, redirected to one uniquely named
file). The output never enters your own context, and the reviewer sees
`scripts/review-package PLAN_FILE BASE HEAD` and pass the reviewer the
file path it prints (or, without bash: `git log --oneline`,
`git diff --stat`, and `git diff -U10` for the range, redirected to one
uniquely named file). The output never enters your own context, and the reviewer sees
the commit list, stat summary, and full diff with context in one Read
call. Use the BASE you recorded before dispatching the implementer —
never `HEAD~1`, which silently truncates multi-commit tasks.
@@ -201,8 +203,8 @@ final whole-branch review. When you fill a reviewer template:
Do not dismiss the finding because the plan mandates it, and do not
dispatch a fix that contradicts the plan without asking.
- The final whole-branch review gets a package too: run
`scripts/review-package MERGE_BASE HEAD` (MERGE_BASE = the commit the
branch started from, e.g. `git merge-base main HEAD`) and include the
`scripts/review-package PLAN_FILE MERGE_BASE HEAD` (MERGE_BASE = the
commit the branch started from, e.g. `git merge-base main HEAD`) and include the
printed path in the final review dispatch, so the final reviewer reads
one file instead of re-deriving the branch diff with git commands.
- Every fix dispatch carries the implementer contract: the fix subagent
@@ -250,18 +252,31 @@ controllers that lost their place have re-dispatched entire completed task
sequences — the single most expensive failure observed. Track progress in
a ledger file, not only in todos.
- At skill start, check for a ledger:
`cat "$(git rev-parse --show-toplevel)/.superpowers/sdd/progress.md"`. Tasks listed there
as complete are DONE — do not re-dispatch them; resume at the first task
not marked complete.
- Each plan owns a workspace: at skill start, run this skill's
`scripts/sdd-workspace PLAN_FILE` — it prints the plan's git-ignored
directory (`<repo-root>/.superpowers/sdd/<plan-basename>/`), home to
every artifact for THIS plan: ledger, briefs, reports, review packages.
Another plan's directory is never yours to read or write.
- Check for this plan's ledger at `<workspace>/progress.md`. If its first
line names your plan file, tasks listed there as complete are DONE — do
not re-dispatch them; resume at the first task not marked complete. A
ledger whose first line names a different plan file — or a stray ledger
at the old flat path `.superpowers/sdd/progress.md` — is another plan's
progress: leave it in place and start your own, fresh.
- Create the ledger with its identity as the first line:
`# SDD ledger — plan: <plan file path>`.
- When a task's review comes back clean, append one line to the ledger in
the same message as your other bookkeeping:
`Task N: complete (commits <base7>..<head7>, review clean)`.
- The ledger is your recovery map: the commits it names exist in git even
when your context no longer remembers creating them. After compaction,
trust the ledger and `git log` over your own recollection.
- `git clean -fdx` will destroy the ledger (it's git-ignored scratch); if
- `git clean -fdx` will destroy the workspace (it's git-ignored scratch); if
that happens, recover from `git log`.
- When the final whole-branch review is clean and its fixes are merged,
delete this plan's workspace (`rm -rf <workspace>`) — the git history
is the record now. Sibling directories belong to other plans; leave
them alone.
## Prompt Templates
@@ -275,6 +290,7 @@ a ledger file, not only in todos.
You: I'm using Subagent-Driven Development to execute this plan.
[Read plan file once: docs/superpowers/plans/feature-plan.md]
[Resolve workspace: scripts/sdd-workspace docs/superpowers/plans/feature-plan.md — no ledger inside, fresh start]
[Create todos for all tasks]
Task 1: Hook installation script
@@ -329,6 +345,8 @@ Task reviewer: Spec ✅. Task quality: Approved.
[Dispatch final code-reviewer]
Final reviewer: All requirements met, ready to merge
[Delete this plan's workspace — the record now lives in git]
Done!
```
@@ -382,8 +400,8 @@ Done!
dispatch prompt ("treat it as Minor at most") — the plan's example code is
a starting point, not evidence that its weaknesses were chosen
- Dispatch a task reviewer without a diff file — generate it first
(`scripts/review-package BASE HEAD`) and name the printed path in the
prompt
(`scripts/review-package PLAN_FILE BASE HEAD`) and name the printed
path in the prompt
- Move to next task while the review has open Critical/Important issues
- Re-dispatch a task the progress ledger already marks complete — check
the ledger (and `git log`) after any compaction or resume

View File

@@ -4,26 +4,28 @@
# call. Using the recorded per-task BASE (not HEAD~1) keeps multi-commit
# tasks intact.
#
# Usage: review-package BASE HEAD [OUTFILE]
# Default OUTFILE: <repo-root>/.superpowers/sdd/review-<base7>..<head7>.diff
# Usage: review-package PLAN_FILE BASE HEAD [OUTFILE]
# Default OUTFILE: <repo-root>/.superpowers/sdd/<plan-basename>/review-<base7>..<head7>.diff
# (named per range, so a re-review after fixes gets a distinct fresh file).
set -euo pipefail
if [ $# -lt 2 ] || [ $# -gt 3 ]; then
echo "usage: review-package BASE HEAD [OUTFILE]" >&2
if [ $# -lt 3 ] || [ $# -gt 4 ]; then
echo "usage: review-package PLAN_FILE BASE HEAD [OUTFILE]" >&2
exit 2
fi
base=$1
head=$2
plan=$1
base=$2
head=$3
[ -f "$plan" ] || { echo "no such plan file: $plan" >&2; exit 2; }
git rev-parse --verify --quiet "$base" >/dev/null || { echo "bad BASE: $base" >&2; exit 2; }
git rev-parse --verify --quiet "$head" >/dev/null || { echo "bad HEAD: $head" >&2; exit 2; }
if [ $# -eq 3 ]; then
out=$3
if [ $# -eq 4 ]; then
out=$4
else
dir=$("$(cd "$(dirname "$0")" && pwd)/sdd-workspace")
dir=$("$(cd "$(dirname "$0")" && pwd)/sdd-workspace" "$plan")
out="$dir/review-$(git rev-parse --short "$base")..$(git rev-parse --short "$head").diff"
fi

View File

@@ -1,22 +1,40 @@
#!/usr/bin/env bash
# Resolve and ensure the working-tree directory SDD uses for its short-lived
# artifacts: task briefs, implementer reports, review packages, and the
# progress ledger. Print the directory's absolute path.
# Resolve and ensure the working-tree directory SDD uses for one plan's
# short-lived artifacts: task briefs, implementer reports, review packages,
# and the progress ledger. Print the plan directory's absolute path.
#
# One directory per plan (.superpowers/sdd/<plan-basename>/) so a follow-up
# plan in the same working tree can never read or overwrite another plan's
# artifacts. A stale ledger misread as current progress makes controllers
# skip whole task sequences — plan-scoping removes that failure structurally.
#
# The workspace lives in the working tree (not under .git/) because Claude Code
# treats .git/ as a protected path and denies agent writes there — which blocks
# an implementer subagent from writing its report file. A self-ignoring
# .gitignore keeps the workspace out of `git status` and out of accidental
# commits without modifying any tracked file.
# .gitignore at .superpowers/sdd/ keeps every plan's workspace out of
# `git status` and out of accidental commits without modifying any tracked file.
#
# Single source of truth for the workspace location, so task-brief and
# review-package cannot drift to different directories.
#
# Usage: sdd-workspace
# Usage: sdd-workspace PLAN_FILE
set -euo pipefail
if [ $# -ne 1 ]; then
echo "usage: sdd-workspace PLAN_FILE" >&2
exit 2
fi
plan=$1
[ -f "$plan" ] || { echo "no such plan file: $plan" >&2; exit 2; }
slug=$(basename "$plan" .md)
[ -n "$slug" ] && [ "$slug" != "." ] && [ "$slug" != ".." ] \
|| { echo "cannot derive a workspace name from: $plan" >&2; exit 2; }
root=$(git rev-parse --show-toplevel)
dir="$root/.superpowers/sdd"
base="$root/.superpowers/sdd"
dir="$base/$slug"
mkdir -p "$dir"
printf '*\n' > "$dir/.gitignore"
printf '*\n' > "$base/.gitignore"
cd "$dir" && pwd

View File

@@ -4,8 +4,9 @@
# through the controller's context.
#
# Usage: task-brief PLAN_FILE TASK_NUMBER [OUTFILE]
# Default OUTFILE: <repo-root>/.superpowers/sdd/task-<N>-brief.md
# (per worktree; concurrent runs in the same working tree share it).
# Default OUTFILE: <repo-root>/.superpowers/sdd/<plan-basename>/task-<N>-brief.md
# (per plan and per worktree; concurrent runs of the SAME plan in the same
# working tree share it).
set -euo pipefail
if [ $# -lt 2 ] || [ $# -gt 3 ]; then
@@ -20,7 +21,7 @@ n=$2
if [ $# -eq 3 ]; then
out=$3
else
dir=$("$(cd "$(dirname "$0")" && pwd)/sdd-workspace")
dir=$("$(cd "$(dirname "$0")" && pwd)/sdd-workspace" "$plan")
out="$dir/task-${n}-brief.md"
fi

View File

@@ -178,8 +178,8 @@ Subagent (general-purpose):
- `[BASE_SHA]` — commit before this task
- `[HEAD_SHA]` — current commit
- `[DIFF_FILE]` — REQUIRED: the path the controller wrote the review
package to (`scripts/review-package BASE HEAD` prints the unique path it
wrote; the package never enters the controller's context)
package to (`scripts/review-package PLAN_FILE BASE HEAD` prints the unique
path it wrote; the package never enters the controller's context)
**Reviewer returns:** Spec Compliance verdict (✅/❌/⚠️), Strengths, Issues
(Critical/Important/Minor), Task quality verdict

View File

@@ -1,6 +1,7 @@
#!/usr/bin/env bash
# Tests for the SDD workspace: scripts/sdd-workspace resolves a self-ignoring
# working-tree directory for SDD artifacts, and the SDD scripts write into it.
# Tests for the SDD workspace: scripts/sdd-workspace resolves a self-ignoring,
# PER-PLAN working-tree directory for SDD artifacts, and the SDD scripts write
# into their plan's directory.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
@@ -35,26 +36,72 @@ main() {
local repo
repo="$(cd "$TEST_ROOT/repo" && git rev-parse --show-toplevel)"
local dir
dir="$(cd "$repo" && "$SDD_SCRIPTS/sdd-workspace")"
cat > "$repo/plan-a.md" <<'PLAN'
# Plan A
if [[ "$dir" == "$repo/.superpowers/sdd" ]]; then
pass "prints <repo-root>/.superpowers/sdd"
## Task 1: First thing
Do the first thing.
PLAN
cat > "$repo/plan-b.md" <<'PLAN'
# Plan B
## Task 1: Other thing
Do the other thing.
PLAN
# --- argument validation ---
local rc=0
(cd "$repo" && "$SDD_SCRIPTS/sdd-workspace" >/dev/null 2>&1) || rc=$?
if [[ "$rc" -eq 2 ]]; then
pass "sdd-workspace without a plan errors with exit 2"
else
fail "prints <repo-root>/.superpowers/sdd"
echo " got: $dir"
fail "sdd-workspace without a plan errors with exit 2"
echo " exit: $rc"
fi
rc=0
(cd "$repo" && "$SDD_SCRIPTS/sdd-workspace" no-such-plan.md >/dev/null 2>&1) || rc=$?
if [[ "$rc" -eq 2 ]]; then
pass "sdd-workspace with a missing plan file errors with exit 2"
else
fail "sdd-workspace with a missing plan file errors with exit 2"
echo " exit: $rc"
fi
# --- per-plan resolution ---
local dir_a dir_b
dir_a="$(cd "$repo" && "$SDD_SCRIPTS/sdd-workspace" plan-a.md)"
dir_b="$(cd "$repo" && "$SDD_SCRIPTS/sdd-workspace" plan-b.md)"
if [[ "$dir_a" == "$repo/.superpowers/sdd/plan-a" ]]; then
pass "prints <repo-root>/.superpowers/sdd/<plan-basename>"
else
fail "prints <repo-root>/.superpowers/sdd/<plan-basename>"
echo " got: $dir_a"
fi
if [[ "$dir_a" != "$dir_b" && -d "$dir_a" && -d "$dir_b" ]]; then
pass "two plans resolve to two distinct directories"
else
fail "two plans resolve to two distinct directories"
echo " a: $dir_a"
echo " b: $dir_b"
fi
if [[ -f "$repo/.superpowers/sdd/.gitignore" && "$(cat "$repo/.superpowers/sdd/.gitignore")" == "*" ]]; then
pass "self-ignoring .gitignore created with '*'"
pass "self-ignoring .gitignore created at .superpowers/sdd/ with '*'"
else
fail "self-ignoring .gitignore created with '*'"
fail "self-ignoring .gitignore created at .superpowers/sdd/ with '*'"
fi
printf 'x\n' > "$repo/.superpowers/sdd/artifact.md"
printf 'x\n' > "$dir_a/artifact.md"
local status
status="$(cd "$repo" && git status --porcelain)"
if [[ -z "$status" ]]; then
# plan-a.md/plan-b.md are intentionally untracked fixture files; only the
# workspace must be invisible.
if [[ "$status" != *".superpowers"* ]]; then
pass "workspace invisible to git status"
else
fail "workspace invisible to git status"
@@ -64,67 +111,78 @@ main() {
( cd "$repo" && git add -A )
local staged
staged="$(cd "$repo" && git diff --cached --name-only)"
if [[ -z "$staged" ]]; then
if [[ "$staged" != *".superpowers"* ]]; then
pass "git add -A does not stage the workspace"
else
fail "git add -A does not stage the workspace"
echo " staged: $staged"
fi
cat > "$repo/plan.md" <<'PLAN'
# Plan
## Task 1: First thing
Do the first thing.
PLAN
# --- task-brief lands in its plan's directory ---
local brief_out brief_path
brief_out="$(cd "$repo" && "$SDD_SCRIPTS/task-brief" plan.md 1)"
brief_out="$(cd "$repo" && "$SDD_SCRIPTS/task-brief" plan-a.md 1)"
brief_path="$(printf '%s\n' "$brief_out" | sed -n 's/^wrote \(.*\): [0-9][0-9]* lines$/\1/p')"
case "$brief_path" in
"$repo/.superpowers/sdd/"*) pass "task-brief writes its brief under the workspace" ;;
*)
fail "task-brief writes its brief under the workspace"
echo " got: $brief_path"
;;
esac
if [[ "$brief_path" == "$repo/.superpowers/sdd/plan-a/task-1-brief.md" ]]; then
pass "task-brief writes its brief under the plan's workspace"
else
fail "task-brief writes its brief under the plan's workspace"
echo " got: $brief_path"
fi
# --- review-package takes the plan first and lands in its directory ---
local git_id=(-c user.email=t@example.com -c user.name=t -c commit.gpgsign=false)
( cd "$repo" \
&& git add plan.md \
&& git "${git_id[@]}" commit -qm c1 \
&& printf 'y\n' > f && git add f \
&& git "${git_id[@]}" commit -qm c2 )
local rp_out rp_path
rp_out="$(cd "$repo" && "$SDD_SCRIPTS/review-package" HEAD~1 HEAD)"
rp_out="$(cd "$repo" && "$SDD_SCRIPTS/review-package" plan-a.md HEAD~1 HEAD)"
rp_path="$(printf '%s\n' "$rp_out" | sed -n 's/^wrote \(.*\): [0-9].*$/\1/p')"
case "$rp_path" in
"$repo/.superpowers/sdd/"*) pass "review-package writes its diff under the workspace" ;;
"$repo/.superpowers/sdd/plan-a/review-"*.diff)
pass "review-package writes its diff under the plan's workspace" ;;
*)
fail "review-package writes its diff under the workspace"
fail "review-package writes its diff under the plan's workspace"
echo " got: $rp_path"
;;
esac
rc=0
(cd "$repo" && "$SDD_SCRIPTS/review-package" HEAD~1 HEAD >/dev/null 2>&1) || rc=$?
if [[ "$rc" -eq 2 ]]; then
pass "review-package without a plan errors with exit 2"
else
fail "review-package without a plan errors with exit 2"
echo " exit: $rc"
fi
local rp_explicit
rp_explicit="$(cd "$repo" && "$SDD_SCRIPTS/review-package" plan-a.md HEAD~1 HEAD "$TEST_ROOT/explicit.diff")"
if [[ -s "$TEST_ROOT/explicit.diff" && "$rp_explicit" == *"$TEST_ROOT/explicit.diff"* ]]; then
pass "review-package honors an explicit OUTFILE"
else
fail "review-package honors an explicit OUTFILE"
echo " got: $rp_explicit"
fi
# --- Worktree isolation: a linked worktree resolves its own workspace ---
local wt="$TEST_ROOT/wt"
( cd "$repo" && git worktree add -q "$wt" -b wt-feature )
local wt_root wt_dir
wt_root="$(cd "$wt" && git rev-parse --show-toplevel)"
wt_dir="$(cd "$wt" && "$SDD_SCRIPTS/sdd-workspace")"
if [[ "$wt_dir" == "$wt_root/.superpowers/sdd" && "$wt_dir" != "$dir" ]]; then
wt_dir="$(cd "$wt" && "$SDD_SCRIPTS/sdd-workspace" plan-a.md)"
if [[ "$wt_dir" == "$wt_root/.superpowers/sdd/plan-a" && "$wt_dir" != "$dir_a" ]]; then
pass "linked worktree resolves its own distinct workspace"
else
fail "linked worktree resolves its own distinct workspace"
echo " main: $dir"
echo " main: $dir_a"
echo " wt: $wt_dir"
fi
printf 'y\n' > "$wt/.superpowers/sdd/artifact.md"
printf 'y\n' > "$wt_dir/artifact.md"
local wt_status
wt_status="$(cd "$wt" && git status --porcelain)"
if [[ -z "$wt_status" ]]; then
if [[ "$wt_status" != *".superpowers"* ]]; then
pass "worktree workspace invisible to git status"
else
fail "worktree workspace invisible to git status"

View File

@@ -51,10 +51,25 @@ if not plugin_manifest.exists():
manifest = json.loads(plugin_manifest.read_text(encoding="utf-8"))
assert_equal(manifest.get("name"), plugin.get("name"), "plugin manifest name")
# Codex auto-discovers a plugin's hooks/hooks.json whenever the Codex manifest
# has no `hooks` field: load_plugin_hooks falls back to a hardcoded
# DEFAULT_HOOKS_CONFIG_FILE = "hooks/hooks.json" and registers it. That file is
# the Claude Code SessionStart hook, it is tracked in this repo, and this
# marketplace installs the whole repo root (source url "./"), so on Codex the
# fallback re-registers the SessionStart hook and its install-time trust prompt.
# Declaring an empty inline hooks object ({}) parses as an empty inline hook set
# and suppresses the auto-discovery. An absent field, an empty array ([]), and
# an empty inline list all collapse back to the fallback, so the value must be
# exactly an empty object.
hooks_config = repo_root / "hooks" / "hooks.json"
if not hooks_config.exists():
raise AssertionError("hooks/hooks.json must exist (Claude Code SessionStart hook)")
assert_equal(
manifest.get("hooks"),
None,
"Codex manifest ships no hooks",
{},
"Codex manifest must declare empty hooks {} to suppress hooks/hooks.json auto-discovery",
)
print("Codex marketplace manifest looks good")

View File

@@ -140,6 +140,9 @@ extracted="$TEST_ROOT/extracted"
tar_extracted="$TEST_ROOT/tar-extracted"
write_metadata_fixture "$metadata_source"
source_hooks="$(python3 -c 'import json; print(json.load(open("'"$REPO_ROOT"'/.codex-plugin/plugin.json")).get("hooks"))')"
assert_equals "$source_hooks" "{}" "source Codex manifest suppresses local hook auto-discovery"
if output="$("$SCRIPT_UNDER_TEST" --allow-dirty --metadata-source "$metadata_source" --output "$archive" 2>&1)"; then
pass "package script exits successfully"
else
@@ -170,7 +173,7 @@ assert_contains "$archive_paths" "assets/superpowers-small.svg" "archive include
manifest_summary="$(read_archive_file "$archive" .codex-plugin/plugin.json | python3 -c 'import json,sys; data=json.load(sys.stdin); print("\t".join([data["name"], data["version"], data["skills"], str(data.get("hooks"))]))')"
expected_version="$(python3 -c 'import json; print(json.load(open("'"$REPO_ROOT"'/.codex-plugin/plugin.json"))["version"])')"
assert_equals "$manifest_summary" "superpowers $expected_version ./skills/ None" "archive manifest is current and hook-free"
assert_equals "$manifest_summary" "superpowers $expected_version ./skills/ $source_hooks" "archive manifest preserves source hooks"
skill_count="$(find "$extracted/skills" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')"
metadata_count="$(find "$extracted/skills" -path '*/agents/openai.yaml' -type f | wc -l | tr -d ' ')"

View File

@@ -4,7 +4,6 @@ set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
HOOK_UNDER_TEST="$REPO_ROOT/hooks/session-start"
CODEX_HOOK_UNDER_TEST="$REPO_ROOT/hooks/session-start-codex"
WRAPPER_UNDER_TEST="$REPO_ROOT/hooks/run-hook.cmd"
FAILURES=0
@@ -154,35 +153,15 @@ assert_command_output \
CLAUDE_PLUGIN_ROOT="$REPO_ROOT" \
bash "$HOOK_UNDER_TEST"
codex_home="$(make_home codex-plugin-hooks)"
codex_data="$TEST_ROOT/codex-plugin-hooks/data"
mkdir -p "$codex_data"
wrapper_home="$(make_home run-hook-wrapper)"
assert_command_output \
"Codex plugin hooks use dedicated script and emit nested SessionStart additionalContext" \
"run-hook.cmd wrapper dispatches to the named session-start script" \
"nested" \
"" \
"" \
"$codex_home" \
PLUGIN_DATA="$codex_data" \
CLAUDE_PLUGIN_DATA="$codex_data" \
PLUGIN_ROOT="$REPO_ROOT" \
"$wrapper_home" \
CLAUDE_PLUGIN_ROOT="$REPO_ROOT" \
bash "$CODEX_HOOK_UNDER_TEST"
codex_wrapper_home="$(make_home codex-wrapper)"
codex_wrapper_data="$TEST_ROOT/codex-wrapper/data"
mkdir -p "$codex_wrapper_data"
assert_command_output \
"Codex wrapper path dispatches to dedicated script" \
"nested" \
"" \
"" \
"$codex_wrapper_home" \
PLUGIN_DATA="$codex_wrapper_data" \
CLAUDE_PLUGIN_DATA="$codex_wrapper_data" \
PLUGIN_ROOT="$REPO_ROOT" \
CLAUDE_PLUGIN_ROOT="$REPO_ROOT" \
bash "$WRAPPER_UNDER_TEST" session-start-codex
bash "$WRAPPER_UNDER_TEST" session-start
cursor_home="$(make_home cursor)"
assert_command_output \
@@ -217,21 +196,6 @@ assert_command_output \
CLAUDE_PLUGIN_ROOT="$REPO_ROOT" \
bash "$HOOK_UNDER_TEST"
codex_legacy_home="$(make_home codex-legacy-warning-removed)"
codex_legacy_data="$TEST_ROOT/codex-legacy-warning-removed/data"
mkdir -p "$codex_legacy_home/.config/superpowers/skills" "$codex_legacy_data"
assert_command_output \
"Codex SessionStart omits obsolete legacy custom-skill warning" \
"nested" \
"" \
"Superpowers now uses"$'\037'"~/.config/superpowers/skills"$'\037'"~/.claude/skills"$'\037'"legacy" \
"$codex_legacy_home" \
PLUGIN_DATA="$codex_legacy_data" \
CLAUDE_PLUGIN_DATA="$codex_legacy_data" \
PLUGIN_ROOT="$REPO_ROOT" \
CLAUDE_PLUGIN_ROOT="$REPO_ROOT" \
bash "$CODEX_HOOK_UNDER_TEST"
if [[ "$FAILURES" -gt 0 ]]; then
echo "STATUS: FAILED ($FAILURES failure(s))"
exit 1