fix(build/orchestrator): re-align state.phases when feature-review inserts mid-array (build skill v1.22.3)

[anbangr]

Summary

Fixes a silent state-corruption bug in gstack-build where state.phases (the persisted JSON array of per-phase runtime state) gets mis-aligned with the parsed plan markdown when feature-review returns FEATURE_NEEDS_PHASES and the named feature is not the last feature in the plan.

Root cause: build/orchestrator/cli.ts:9063 (pre-fix) used reparsed.phases.slice(oldPhaseCount) to identify "new" phases, assuming new entries append to the END of the parser's array. They don't. appendFeaturePhases splices new ### Phase N.review-K headings inside Feature N's body (before the next ## Feature heading). The parser walks top-to-bottom assigning phaseIndex = phases.length, so every PhaseState downstream of the insertion point shifts in the parser's view while the slice captures the wrong tail. Result: state.phases[i].number becomes stale for every i ≥ insertion point AND state.phases gains a duplicate of the actually-last phase with a conflicting .index. The orchestrator runs the new review against a slot whose .number still describes the OLD phase at that index — exactly the state.phases[3].number = "2.1" but gemini.outputPath = "phase-1.review-1-*" symptom in the bug report.

Fix: Replace the slice-based merge with mergeReparsedPhases in build/orchestrator/state.ts — a diff-merge by phase number that splices new phases into state.phases at the parser-assigned position and preserves PhaseState identity (status, gemini, codexReview, committedAt). Add a fail-closed resume guard in cli.ts: on detected state/plan desync at startup, exit with code 2 and print a remediation message instead of silently re-attributing runtime artifacts to the wrong phase.

Bumps: build skill frontmatter 1.22.2 → 1.22.3. No top-level VERSION bump (Fork versioning rule).

Test Coverage

Coverage: 100%. All paths in mergeReparsedPhases, arePhasesAligned, and the resume guard have direct tests in build/orchestrator/tests/phases-added-merge.test.ts (12 tests / 84 assertions).

CODE PATHS
[+] state.ts/mergeReparsedPhases
  ├── [★★★ TESTED] mid-array splice with downstream PhaseState identity preserved
  ├── [★★★ TESTED] append at last feature
  ├── [★★★ TESTED] multiple review phases in one verdict
  ├── [★★★ TESTED] orphan detection + drop
  ├── [★★★ TESTED] feature-level add/orphan surfaced in report
  ├── [★★★ TESTED] duplicate parser-side number rejection (throws)
  ├── [★★★ TESTED] last-write-wins on duplicate state.phases entries (resume scenario)
  └── [★★★ TESTED] currentPhaseIndex / currentFeatureIndex untouched
[+] state.ts/arePhasesAligned
  ├── [★★★ TESTED] aligned baseline
  ├── [★★★ TESTED] phase-count drift
  ├── [★★★ TESTED] per-index phase-number drift
  ├── [★★★ TESTED] feature-count drift
  └── [★★★ TESTED] feature-number drift with phases preserved

COVERAGE: 13/13 paths tested (100%)
Tests: 0 → 12 new tests / 84 assertions (single regression test file)

Coverage gate: PASS (100%).

Pre-Landing Review

9 INFORMATIONAL findings from 4 specialists (Testing, Maintainability, Security, Performance). 0 CRITICAL.

• Testing (4): all auto-fixed — typed sentinel helper replaces as unknown as double-casts; duplicate-collapse semantic now pinned with distinct sentinels; cursor-preservation assertions added; feature-asymmetry test added.
• Maintainability (5): 4 auto-fixed (arePhasesAligned extracted, logMergeReport helper, kind defaulting symmetrized, comment ordering), 1 ASK answered as B (extend report shape with addedFeatures/orphanedFeatures now rather than defer).
• Security: NO FINDINGS.
• Performance: NO FINDINGS.

PR Quality Score: 5.5/10 (penalized for surfaced informational findings; all addressed).

Adversarial Review

Cross-model adversarial review (Claude subagent + Codex codex exec + Codex codex review) surfaced 3 HIGH findings. All addressed in commit e2781eb9:

1. Resume-time auto-repair re-attributes runtime artifacts to the wrong phase (Codex High v1.16.0.0 feat: gstack-build CLI orchestrator #1). The original fix's resume guard auto-merged on desync, but artifacts on shifted slots (gemini.outputFilePath, codexReview) belong to the work that physically ran at that slot, not to the phase whose number was stored there in corrupted JSON. By-number merge would silently re-attribute work; downstream --mark-phase-committed would mark the wrong phase done. Resolved per user-approved Option A: resume guard now FAILS CLOSED. Exits with code 2 and prints a 3-option remediation message (--no-resume, delete state, manual realign). User decides what to keep.
2. Duplicate phase numbers in the parsed plan alias the same PhaseState object across multiple array slots (Codex High feat(build): TDD integration — Red→Green enforced by state machine (v1.14.0) #2). Defended: mergeReparsedPhases now throws on parser-side duplicate number values.
3. arePhasesAligned ignored feature-level drift (Codex High feat(dual-impl): Gemini + Codex tournament selection with Opus judge (gstack-build v1.15.0) #3 / Claude F11). Extended to check both state.phases (length + per-index number) AND state.features (length + per-index number).

Cross-model agreement on the resume-corruption concern was the strongest signal — both reviewers independently flagged the same silent-corruption shape as the bug being fixed.

CODEX (code review) gate: PASS (after fixes).

Plan Completion

No plan file detected. The branch shipped from a bug report (the user's screenshot/markdown). All items from the bug report's "Proposed fix" section addressed:

1. Re-parse plan to get new full phase array ✓
2. Compute the diff (by number, not slice) ✓
3. Splice new phase entries at correct positions ✓
4. Rewrite state.json atomically (via existing saveState + fs.renameSync) ✓

The alternative the report mentioned ("change state.phases[] to be derived not persisted") was explicitly NOT taken — the fix preserves the persistence model and just fixes the alignment.

Verification Results

No verification section in the plan (no plan file). Step 8.1 skipped.

Documentation

Doc diff preview

• docs/orchestrator-state-machine.md: added Inv F (phases-array alignment with parsed plan) naming arePhasesAligned as the predicate; added §9 mergeReparsedPhases contract (strategy, last-write-wins on pre-existing duplicates, parser-side duplicate rejection, hands-off cursor, in-run-only wiring); added §10 resume-time alignment guard (fail-closed exit 2, three printed recovery paths, silent-corruption rationale for refusing to auto-heal); refreshed §11 glossary line numbers and added arePhasesAligned, mergeReparsedPhases, and the resume-guard call site.
• build/README.md: added Resume-time state/plan desync (exit 2) subsection to Failure Handling describing the new fail-closed error, the three recovery options, and a back-reference to state-machine §10.

Docs-state-machine enforcement test passes (37/37). No other docs needed updating — the fix is an internal orchestrator behavior change with no new CLI flags or skills.

Documentation coverage

Entity	reference	how-to	tutorial	explanation
arePhasesAligned	yes (state-machine §11 glossary, Inv F)	n/a	n/a	yes (Inv F, §10)
mergeReparsedPhases	yes (state-machine §9, §11 glossary)	n/a	n/a	yes (§9 strategy + rationale)
resume-time fail-closed guard (exit 2)	yes (state-machine §10, §11 glossary)	yes (build/README Failure Handling)	n/a	yes (§10 silent-corruption rationale)

Coverage: all shipped behavior has adequate documentation.

Tests

Full suite: 1305 pass / 2 skip / 1 pre-existing flake (4072 expects).

The 1 flake is in build/orchestrator/__tests__/sub-agents.test.ts — runConfiguredRoleTask: timeout-fix integration block, timing-dependent. Pre-existing: passes when run in isolation, fails under concurrent suite load. Reproduces on main without this branch's diff. Not in scope for this fix.

Per /ship Step 5 Test Failure Ownership Triage: classified as pre-existing, skip per Option D (the same flake was already documented during the parent /investigate session).

Test plan

• bun test build/orchestrator/__tests__/phases-added-merge.test.ts — 12 pass / 0 fail
• bun test build/orchestrator/__tests__/ — 1305 pass / 2 skip / 1 pre-existing flake
• Targeted re-verify after each fix commit — passing
• Documentation: bun test build/orchestrator/__tests__/docs-state-machine.test.ts — 37/37 pass

🤖 Generated with Claude Code

[anbangr]

Closing — PR #42 (#42) landed the same FEATURE_NEEDS_PHASES merge fix earlier today (2026-05-18T13:40Z) while this branch was in development.

Both branches independently identified the same root cause (slice-tail merge assumes new phases append, but appendFeaturePhases splices mid-array; downstream state.phases[k] go stale) and arrived at the same high-level fix (replace the slice with a by-number diff-merge in a new state.ts helper).

PR #42's helper is reconcileStatePhasesAfterReparse; this PR's was mergeReparsedPhases. The implementations differ in detail but the contract is the same. PR #42 also wires a fail-closed throw on dropped phases with a BLOCKED-feature-N.md recovery report — better than what this PR had on the first commit.

This PR's additive value over what's already landed:

1. Parser-side duplicate-number rejection (Codex High feat(build): TDD integration — Red→Green enforced by state machine (v1.14.0) #2 from this PR's adversarial review — also called out in PR v1.40.2.0 fix(build/orchestrator): rebuild state.phases by number on FEATURE_NEEDS_PHASES #42's INVESTIGATE list as future work).
2. Fail-closed resume guard (refuses to auto-merge on resume because corrupted on-disk state has runtime artifacts attached to wrong phase numbers — by-number merge would silently re-attribute them).
3. Feature-level drift detection in arePhasesAligned (catches user-edited ## Feature N: heading changes between runs).

These will be filed as a follow-up PR that compounds on PR #42's landed code, not a competing implementation.

🤖 Generated with Claude Code