Summary
I maintain a set of local patches for GSD on Windows (MSYS/Git Bash). Several are generally useful improvements that would benefit all users. Proposing them upstream to reduce maintenance burden.
Patches
1. Replace curl with fetch() in verification commands
Files: get-shit-done/references/checkpoints.md, get-shit-done/templates/phase-prompt.md
MSYS curl is broken on Windows (SSL/TLS failures, path mangling). 8 verification commands in checkpoints.md and 2 in phase-prompt.md use curl for health checks. Replace with fetch() which works cross-platform.
Impact: Windows users get working health checks. No change for macOS/Linux (fetch works everywhere).
2. CWD guard in health check (verify.cjs)
File: get-shit-done/bin/lib/verify.cjs
cmdValidateHealth() uses process.cwd() as the project root. If run from the home directory (e.g., accidental cd ~ before /gsd:health), it reads the wrong .planning/ directory and produces misleading diagnostics.
Fix: Add os import + guard that detects cwd === os.homedir() and returns error code E010 before running checks. Also adds I010 diagnostic showing resolved CWD.
3. Security preflight in executor agent
File: agents/gsd-executor.md
Before executing any plan tasks, check if .env exists but isn't in .gitignore. If found, auto-add it (Rule 2 deviation: missing critical security). Prevents accidental secret commits during automated execution.
4. Trivy vulnerability scan after dependency changes
File: agents/gsd-executor.md
After Rule 3 auto-fixes that add/update dependencies, run npx trivy fs . --severity HIGH,CRITICAL. Treats findings as Rule 1 deviations (security bugs). Catches vulnerable dependencies before they're committed.
5. Package version verification protocol
File: agents/gsd-phase-researcher.md
Researcher agent recommends package versions from training data, which can be months stale. Add mandatory npm view <package> version verification before writing the Standard Stack section. Documents verified version + publish date.
6. Atomic update procedure
File: get-shit-done/workflows/update.md
Current update uses npx -y get-shit-done-cc@latest which can leave an empty directory if interrupted. Replace with 7-phase atomic procedure: download to temp, verify extraction, backup current install, copy new files, write VERSION, verify swap, rollback on failure.
Notes
- Patches 1-2 are Windows-motivated but benefit all platforms
- Patches 3-5 are platform-independent safety improvements
- Patch 6 is a reliability improvement for all platforms
- Happy to submit PRs for any/all of these if there's interest
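
The security preflight described in patch 3, sketched in Node as an added example (not code from this issue or from the GSD project). `envPreflight` and `coversEnv` are hypothetical names, and the matcher is a simplified stand-in for full gitignore semantics, which `git check-ignore` implements.

```javascript
// Added example; envPreflight and coversEnv are hypothetical names, not GSD code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Simplified matcher (assumption): recognises common spellings that ignore a
// root-level .env. The last matching line wins, so a later "!.env" re-includes
// the file. An unrecognised pattern only costs a redundant ".env" line.
function coversEnv(gitignoreText) {
  const ignoring = new Set(['.env', '/.env', '.env*', '/.env*']);
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (line.startsWith('!') && ignoring.has(line.slice(1))) ignored = false;
    else if (ignoring.has(line)) ignored = true;
  }
  return ignored;
}

// Returns 'no-env', 'already-ignored', or 'added' (after appending ".env").
function envPreflight(projectDir) {
  const envPath = path.join(projectDir, '.env');
  const ignorePath = path.join(projectDir, '.gitignore');
  if (!fs.existsSync(envPath)) return 'no-env';
  const current = fs.existsSync(ignorePath)
    ? fs.readFileSync(ignorePath, 'utf8')
    : '';
  if (coversEnv(current)) return 'already-ignored';
  // Avoid gluing ".env" onto an unterminated last line of the existing file.
  const sep = current === '' || current.endsWith('\n') ? '' : '\n';
  fs.appendFileSync(ignorePath, `${sep}.env\n`);
  return 'added';
}

// Constructed demo project: the .gitignore lacks a trailing newline on purpose.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'preflight-'));
  const before = envPreflight(dir); // no .env exists yet
  fs.writeFileSync(path.join(dir, '.env'), 'API_KEY=constructed-value\n');
  fs.writeFileSync(path.join(dir, '.gitignore'), 'node_modules');
  const first = envPreflight(dir);
  const second = envPreflight(dir);
  const text = fs.readFileSync(path.join(dir, '.gitignore'), 'utf8');
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, first, second, text };
}
```

A `.env` that git already tracks stays tracked after it is ignored; `git ls-files --error-unmatch .env` exits zero in that case, so a preflight can flag it separately.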