fix: adversarial review fixes — fail-closed resume guard + duplicate-number defense

anbangr · claude · anbangr · commit e2781eb99ba2 · 2026-05-18T21:29:43.000+08:00
Address 3 HIGH findings from cross-model adversarial review (Claude
subagent + Codex structured review).

The biggest concern: the resume-time auto-repair I introduced in the
previous commit preserves runtime artifacts (gemini.outputFilePath,
codexReview, committedAt) under whatever `number` is stored in
state.json. But state.json corrupted by the pre-fix /build has the
artifacts persisted at slots whose `number` is wrong — by-number merge
re-attributes those artifacts to the wrong phase. If a downstream
--mark-phase-committed then marks the wrong phase done, the real
phase silently skips its real work. Same silent-corruption shape as
the bug being fixed.

Resolution per user-approved option A: the resume guard becomes
fail-closed. On detected disagreement, gstack-build now exits with code 2
and prints a clear remediation message (delete state, --no-resume, or
manually realign). Users decide what to keep; no silent heal.

The in-run phases_added merge stays auto: there, state.phases[i]
genuinely holds the prior phase's runtime state because the splice
hasn't been re-parsed yet. By-number merge is the correct semantic.

state.ts:
- arePhasesAligned() now also checks feature-level alignment (count +
  per-index number). Resume desync of features alone (user renamed a
  `## Feature N:` heading) no longer slips past the guard.
- mergeReparsedPhases() throws on duplicate phase numbers from the
  parser, defending against aliasing where two same-numbered phases
  would share a single PhaseState object across two array slots.
- Document the contract: cli.ts does NOT auto-invoke the merge on
  resume; the function is wired only on the in-run phases_added path.

cli.ts:
- Resume guard: on disagreement, print a remediation block and exit 2
  via the existing setupFailed flow. No mergeReparsedPhases call on
  resume. The error message names all four counts (state vs parsed,
  for phases and features), names the root cause (pre-fix gstack or
  hand-edit), and lists three recovery paths.
- statePath imported so the remediation message can name the on-disk
  state file explicitly.
- logMergeReport() kept; doc updated to note "resume" context tag is
  reserved for future use (not currently wired now that resume is
  fail-closed).

tests:
- New describe block for arePhasesAligned covering phase-count drift,
  per-index phase-number drift, feature-count drift, and feature-number
  drift with phases preserved.
- New test for duplicate-number rejection (asserts the thrown error).
- Resume-path test renamed and rescoped: it now exercises the PURE
  function's behavior (the shape of the merge if called) without
  claiming this is the runtime recovery path. Comment makes the
  contract clear.

Cross-model adversarial review findings addressed:
- Claude F1 / Codex Med#2 (failedAtPhase desync): moot — fail-closed
  resume means the merge never runs on shifted on-disk state.
- Codex High#1 (resume preserves shifted artifacts): fixed by
  fail-closed.
- Codex High#2 (duplicate phase aliasing): fixed by parser-side
  duplicate detection.
- Codex High#3 / Claude F11 (arePhasesAligned ignores features): fixed.
- Codex Med#1 (corrupted .index survives valid JSON loads): moot
  on resume (fail-closed) and impossible on in-run merge (.index is
  rewritten to i unconditionally).
- Codex Med#2 / Claude F5 (last-write-wins duplicate collapse drops
  recoverable state): moot — resume is fail-closed, so any disk
  duplicates surface as a fail-closed error rather than silent collapse.

Suite: 1305 pass / 2 skip / 1 pre-existing flake in sub-agents.test.ts
(timeout-fix integration block — same shape on main, unrelated to this
diff; passes intermittently). Regression test now: 12 pass / 84
assertions.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/build/orchestrator/__tests__/phases-added-merge.test.ts b/build/orchestrator/__tests__/phases-added-merge.test.ts
@@ -27,7 +27,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import { parsePlan } from "../parser";
 import { appendFeaturePhases, _testWritePlan } from "../plan-mutator";
-import { mergeReparsedPhases } from "../state";
+import { mergeReparsedPhases, arePhasesAligned } from "../state";
 import type { BuildState, PhaseState, SubAgentInvocation } from "../types";
 
 /** Typed sentinel SubAgentInvocation for tests — avoids `as unknown as` double-casts. */
@@ -365,15 +365,19 @@ describe("mergeReparsedPhases — FEATURE_NEEDS_PHASES splice mid-array", () =>
   });
 });
 
-describe("mergeReparsedPhases — resume-path repair of pre-fix on-disk state", () => {
+describe("mergeReparsedPhases — pure function behavior on pre-fix corrupted state", () => {
   // Simulates the exact corrupted-state shape the bug report describes:
   //   * Plan markdown has Feature 1's review phase spliced in mid-array
   //   * On-disk state.json (written by pre-fix gstack) has the OLD phase order
   //     plus a duplicate of the actually-last phase pushed by slice(oldCount)
-  // The cli.ts resume guard detects the disagreement and calls mergeReparsedPhases
-  // to repair. This test pins that the repair restores invariants without losing
-  // PhaseState content (status, committedAt, gemini outputs).
-  it("repairs state.phases for a build started by the pre-fix code path", () => {
+  //
+  // IMPORTANT: cli.ts does NOT auto-invoke this merge on resume. The resume
+  // guard is fail-closed (see cli.ts, "state/plan desync detected on resume")
+  // because by-number merge would re-attribute runtime artifacts to the
+  // wrong phase. This test exercises the pure function's behavior — the
+  // shape of the merge if it WERE called — so future refactors can rely on
+  // a known contract. It is NOT the runtime recovery path.
+  it("rebuilds state.phases to parser order while preserving PhaseState identity (pure function contract)", () => {
     const desyncedMd = `# Plan
 
 ## Feature 1: Auth
@@ -648,4 +652,190 @@ describe("mergeReparsedPhases — resume-path repair of pre-fix on-disk state",
     expect(report.orphaned).toEqual(["2.1"]);
     expect(report.added).toEqual(["3.1"]);
   });
+
+  it("rejects duplicate phase numbers in the parsed plan rather than silently aliasing PhaseState", () => {
+    // Two `### Phase 1.1` headings in the same plan would cause
+    // `stateByNumber.get("1.1")` to return the same object for both array
+    // slots, aliasing .index mutation and downstream status writes. The
+    // parser today never produces duplicates, but a bug in appendFeaturePhases
+    // or a hand-edited plan could. Defense: throw on duplicate parser-side
+    // numbers so the failure mode is loud, not a silent state corruption.
+    const initial = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: Original
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    const state = buildStateFromParsed(initial);
+
+    // Hand-construct a malformed reparsed result with a duplicate number.
+    // (Going through parsePlan + plan-mutator would not produce this; we
+    // call the function directly with a crafted input to exercise the
+    // defense.)
+    const malformed = {
+      phases: [
+        ...initial.phases,
+        // Duplicate of "1.1" — should throw.
+        {
+          ...initial.phases[0],
+          index: 1,
+          name: "Duplicate",
+        },
+      ],
+      features: initial.features,
+    };
+
+    expect(() => mergeReparsedPhases(state, malformed)).toThrow(
+      /duplicate phase number "1\.1"/,
+    );
+  });
+});
+
+describe("arePhasesAligned — drift detection on resume", () => {
+  // The resume-time fail-closed guard in cli.ts uses this predicate to
+  // decide whether to abort with a remediation message. Both phase-level
+  // AND feature-level drift must be detected — feature-only drift (e.g.,
+  // user renames a feature heading) would otherwise leave state.features
+  // stale.
+  it("returns true when state and parsed plan agree on phases and features", () => {
+    const md = `# Plan
+
+## Feature 1: Auth
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+## Feature 2: Billing
+
+### Phase 2.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`;
+    const parsed = parsePlan(md);
+    const state = buildStateFromParsed(parsed);
+    expect(arePhasesAligned(state, parsed)).toBe(true);
+  });
+
+  it("returns false when phase count disagrees", () => {
+    const initial = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    const state = buildStateFromParsed(initial);
+    const reparsed = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+### Phase 1.2: new
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    expect(arePhasesAligned(state, reparsed)).toBe(false);
+  });
+
+  it("returns false when per-index phase number disagrees (the original bug shape)", () => {
+    const initial = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+## Feature 2: B
+
+### Phase 2.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    const state = buildStateFromParsed(initial);
+    // Reparsed plan with a review phase spliced under Feature 1 — phase
+    // count grew, AND per-index numbers shift starting at index 1.
+    const reparsed = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+### Phase 1.review-1: new
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+## Feature 2: B
+
+### Phase 2.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    expect(arePhasesAligned(state, reparsed)).toBe(false);
+  });
+
+  it("returns false when feature count disagrees", () => {
+    const initial = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    const state = buildStateFromParsed(initial);
+    const reparsed = parsePlan(`# Plan
+
+## Feature 1: A
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+
+## Feature 2: New
+
+### Phase 2.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    expect(arePhasesAligned(state, reparsed)).toBe(false);
+  });
+
+  it("returns false when feature numbers disagree even if counts match", () => {
+    // User renamed/replaced a feature heading. Phase count and per-index
+    // phase numbers can still match, but state.features carries stale
+    // metadata that downstream gates would consult.
+    const initial = parsePlan(`# Plan
+
+## Feature 1: Original
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    const state = buildStateFromParsed(initial);
+    // Rename Feature 1 to Feature 2 (different number, same phase
+    // numbering preserved via a hand-edit pretend-scenario). parsePlan
+    // would auto-renumber phases, but we simulate the worst case where
+    // the phase number stayed identical.
+    state.features[0].number = "2"; // simulate post-rename runtime state
+    const reparsed = parsePlan(`# Plan
+
+## Feature 1: Renamed
+
+### Phase 1.1: x
+- [ ] **Implementation**: x
+- [ ] **Review**: y
+`);
+    expect(arePhasesAligned(state, reparsed)).toBe(false);
+  });
 });
diff --git a/build/orchestrator/cli.ts b/build/orchestrator/cli.ts
@@ -46,6 +46,7 @@ import {
   releaseLock,
   readLockInfo,
   lockPath,
+  statePath,
   ensureLogDir,
   deriveStateSlug,
   logDir,
@@ -251,10 +252,12 @@ function saveState(
 }
 
 /**
- * Emit greppable `[plan]` warnings for a `mergeReparsedPhases` report. Both
- * call sites (resume-time repair and the FEATURE_NEEDS_PHASES branch) share
- * this so log shapes stay identical and a single grep catches every merge
- * mutation — context tag distinguishes the call site.
+ * Emit greppable `[plan]` warnings for a `mergeReparsedPhases` report. Today
+ * the merge runs only on the FEATURE_NEEDS_PHASES path during a live build;
+ * the resume guard is fail-closed (see resume guard handling above) so the
+ * `"resume"` context tag is reserved for future use, not currently wired.
+ * Context tag stays explicit so log shapes are uniform if a future code path
+ * adds another merge call site.
  */
 function logMergeReport(
   report: {
@@ -8581,30 +8584,51 @@ async function main() {
           // kind to disk so state-only consumers (fault detectors,
           // drain-faults) can read kind without re-parsing.
           backfillKindFromPlan(state, phases);
-          // Detect state/plan phase-array disagreement and repair by
-          // re-aligning state.phases to the parser's view by `number`.
-          // Triggered by:
-          //   1. State files written by pre-fix gstack versions where
-          //      FEATURE_NEEDS_PHASES mis-merged review phases (see
-          //      `mergeReparsedPhases` in state.ts).
-          //   2. A user hand-editing the plan markdown between runs in a
-          //      way that adds / renames phases.
-          // Repair preserves PhaseState identity for unchanged phase numbers
-          // (status, gemini output paths, codexReview records all survive).
-          // Orphaned state entries (numbers no longer in the plan) are
-          // dropped with a warning. The `arePhasesAligned` predicate checks
-          // both length AND per-index `number` agreement — a length match
-          // alone is insufficient (the original bug produced equal-length
-          // arrays with mis-aligned contents).
-          if (!arePhasesAligned(state, { phases })) {
-            console.warn(
-              `[plan] state.phases disagrees with the parsed plan ` +
-                `(state has ${state.phases.length} phase(s), plan has ${phases.length}). ` +
-                `Re-aligning state to the plan by phase number.`,
+          // Detect state/plan disagreement on resume and FAIL CLOSED.
+          //
+          // Auto-merging on resume was tempting but unsafe: runtime
+          // artifacts on shifted slots (gemini.outputFilePath,
+          // codexReview, committedAt) belong to the work that physically
+          // ran at that slot, not to the phase whose `number` is stored
+          // there in the corrupted JSON. By-number merge would re-attribute
+          // those artifacts to the wrong phase, and a downstream
+          // --mark-phase-committed would mark the wrong phase done — the
+          // real downstream phase would skip its real work. Same silent-
+          // corruption shape as the bug being fixed.
+          //
+          // The right move: stop, surface what's wrong, and let the user
+          // decide. They can delete state.json and start fresh, or
+          // hand-edit it with full context. Re-running with `--no-resume`
+          // also re-creates state from the current plan.
+          //
+          // Trigger: state.phases or state.features disagrees with the
+          // parsed plan on length or per-index `number` — either dimension
+          // proves desync. See `arePhasesAligned` in state.ts.
+          if (!arePhasesAligned(state, { phases, features })) {
+            console.error(
+              `\n✗ state/plan desync detected on resume.\n\n` +
+                `  state.phases length:    ${state.phases.length}\n` +
+                `  parsed plan phases:     ${phases.length}\n` +
+                `  state.features length:  ${state.features?.length ?? 0}\n` +
+                `  parsed plan features:   ${features.length}\n\n` +
+                `This usually means state.json was written by a pre-fix gstack version ` +
+                `(see release notes for the FEATURE_NEEDS_PHASES merge fix) or the plan ` +
+                `markdown was hand-edited between runs.\n\n` +
+                `gstack-build refuses to auto-merge because the on-disk state may ` +
+                `have runtime artifacts (gemini outputs, codex reviews, committedAt ` +
+                `timestamps) attached to phase numbers that no longer match the ` +
+                `parsed plan. Silently merging by number would re-attribute that ` +
+                `work to the wrong phase.\n\n` +
+                `To recover:\n` +
+                `  1. Re-run with --no-resume to rebuild state from the current plan ` +
+                `(loses runtime artifacts, restarts phases from scratch).\n` +
+                `  2. Or delete the state file and run again from scratch:\n` +
+                `       rm ${statePath(slug)}\n` +
+                `  3. Or inspect state.json and the plan markdown side by side, ` +
+                `manually realign the phase numbers, then re-run.\n`,
             );
-            const repair = mergeReparsedPhases(state, { phases, features });
-            logMergeReport(repair, "resume");
-            saveState(state, { noGbrain: args.noGbrain, log: console.warn });
+            exitCode = 2;
+            setupFailed = true;
           }
           if (
             JSON.stringify(loaded.roleConfigs) !== JSON.stringify(args.roles)
diff --git a/build/orchestrator/state.ts b/build/orchestrator/state.ts
@@ -271,24 +271,32 @@ export interface MergeReparsedPhasesReport {
 }
 
 /**
- * Cheap predicate: does `state.phases` already agree with the parser's view?
+ * Cheap predicate: does the on-disk state already agree with the parser's
+ * view of both phases AND features?
  *
- * Used by the resume-time repair guard in cli.ts to decide whether to invoke
- * the full merge. Equal-length arrays with per-index `number` agreement is
- * sufficient because the merge always assigns `.index = i` and the parser
- * walks top-to-bottom — disagreement on either dimension proves desync.
+ * Used by the resume-time fail-closed guard in cli.ts to decide whether to
+ * abort with a remediation message. Disagreement on any dimension (phase
+ * count, per-index phase number, feature count, per-index feature number)
+ * proves desync — the orchestrator must not silently auto-heal because
+ * runtime artifacts on shifted slots may belong to a different phase than
+ * the stale `number` they're persisted under. See cli.ts resume guard for
+ * the remediation flow.
  *
- * Kept here (next to `mergeReparsedPhases`) so the trigger condition and the
- * repair function stay in sync. Pure (no mutation), safe to call repeatedly.
+ * Pure (no mutation), safe to call repeatedly.
  */
 export function arePhasesAligned(
   state: BuildState,
-  reparsed: { phases: Phase[] },
+  reparsed: { phases: Phase[]; features: Feature[] },
 ): boolean {
   if (state.phases.length !== reparsed.phases.length) return false;
   for (let i = 0; i < state.phases.length; i++) {
     if (state.phases[i].number !== reparsed.phases[i].number) return false;
   }
+  if ((state.features?.length ?? 0) !== reparsed.features.length) return false;
+  for (let i = 0; i < reparsed.features.length; i++) {
+    const sf = state.features?.[i];
+    if (!sf || sf.number !== reparsed.features[i].number) return false;
+  }
   return true;
 }
 
@@ -334,6 +342,25 @@ export function mergeReparsedPhases(
   state: BuildState,
   reparsed: { phases: Phase[]; features: Feature[] },
 ): MergeReparsedPhasesReport {
+  // Reject duplicate phase numbers in the parser's view: two `### Phase X`
+  // headings with the same number would cause `stateByNumber.get(X)` to
+  // return the same PhaseState object for two array slots, aliasing
+  // `.index` mutation and downstream status writes. The parser today never
+  // produces duplicates (every heading lands at a unique array index), but
+  // a bug in `appendFeaturePhases` or a hand-edited plan could. Fail fast
+  // here rather than silently corrupting state.
+  const parserSeen = new Set<string>();
+  for (const p of reparsed.phases) {
+    if (parserSeen.has(p.number)) {
+      throw new Error(
+        `mergeReparsedPhases: parser produced duplicate phase number "${p.number}". ` +
+          `This is a plan-file or parser bug — refusing to merge to avoid aliasing PhaseState ` +
+          `between two array slots. Inspect the plan markdown for two "### Phase ${p.number}" headings.`,
+      );
+    }
+    parserSeen.add(p.number);
+  }
+
   const stateByNumber = new Map<string, PhaseState>();
   for (const ps of state.phases) {
     stateByNumber.set(ps.number, ps);
