v1.58.4.0 fix: high-priority community bug wave + PTY plan-mode smoke gate (#2077)

* fix(gbrain): stop forcing GBRAIN_PREPARE on transaction-mode poolers (#1965)

buildGbrainEnv auto-set GBRAIN_PREPARE=true whenever DATABASE_URL targeted
port 6543, and the /sync-gbrain capability check exported it for the rest
of the skill run. Both had the semantics inverted: gbrain auto-disables
prepared statements on transaction-mode poolers because they break every
write there ("prepared statement does not exist"); GBRAIN_PREPARE=true is
gbrain's documented override for SESSION-mode poolers on 6543, not a
requirement for transaction mode. The #1435 search symptom the auto-set
worked around was fixed gbrain-side.

Remove both force-sets. A caller-set GBRAIN_PREPARE (either value) still
passes through untouched, preserving the session-mode-on-6543 escape hatch.
isTransactionModePooler stays exported.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(gbrain): classify probe timeout as its own status; sync proceeds instead of skipping (#1964)

The 5s engine probe misclassified healthy-but-slow engines (cold Supabase
pooler connections measured at 6.9-10.7s) as broken-config, so /sync-gbrain
silently skipped code+memory and told the user their config was malformed.

- New "timeout" status: probe killed at the deadline with no recognized
  stderr pattern. Default deadline is now 15s, overridable via
  GSTACK_GBRAIN_PROBE_TIMEOUT_MS (tests set 300ms against a fake that
  sleeps 2s).
- Sync stages PROCEED on timeout with a stderr warning naming the env knob;
  a genuinely-dead engine surfaces its real error at the first operation
  instead of a false config diagnosis.
- Consistency everywhere "ok" gated behavior: gstack-gbrain-detect --is-ok
  exits 0 on timeout, and gen-skill-docs' detection gate accepts it, so a
  slow engine no longer silently suppresses brain-aware features.
- Status cache: key now includes the effective probe timeout (raising it
  invalidates a cached timeout) and GBRAIN_HOME; config detection honors
  GBRAIN_HOME so relocated-home users stop being misclassified as
  missing-config.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(bins): cygpath-normalize SCRIPT_DIR for bun imports; surface learnings-log errors (#1950)

Under Windows git-bash, pwd yields a POSIX path (/c/Users/...) that Bun on
Windows cannot resolve as an ES module specifier. gstack-learnings-log
interpolates SCRIPT_DIR into a bun -e import, so every invocation died with
"Cannot find module" — and 2>/dev/null swallowed the error, silently
dropping every AI-logged learning for Windows users.

- 3-line cygpath -m guard in gstack-learnings-log and gstack-question-log
  (which gains the same import shape in the next commit). Matches the
  duplicated IS_WINDOWS convention in setup; no shared shell lib exists.
- learnings-log adopts question-log's set +e / TMPERR capture pattern
  wholesale: validation errors now print to stderr. The old
  `if [ $? -ne 0 ]` check was dead code under set -euo pipefail — the
  script exited at the failing assignment before reaching it.
- New test/bin-windows-bun-import-paths.test.ts: static invariant (any
  bash bin interpolating $SCRIPT_DIR into a bun -e import must carry the
  guard) + behavioral end-to-end run invoked via `bash <bin>` — added to
  the windows-free-tests workflow list so the conversion is proven on the
  only platform where the bug exists.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(question-log): dedupe INJECTION_PATTERNS via lib/jsonl-store (#1934)

bin/gstack-question-log carried a local copy of the injection-pattern list,
so pattern fixes to lib/jsonl-store.ts never propagated — including the
/override[:\s]/i false-positive fix arriving via community PR #1940.
Import the shared hasInjection instead (enabled by the previous commit's
cygpath guard). question-log also gets the lib's stricter superset
(human:, disregard, from-now-on, approve-all patterns).

Tests pin the contract in a #1940-order-independent way: an "Override:
ignore all previous instructions" header is rejected, "prose overrides the
deterministic table" is accepted, and a static invariant keeps local
INJECTION_PATTERNS duplicates out of the bin.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(security): community-pulse + both dashboards never report fake zeros (#1947)

The security-signaling surface failed open at three layers — every failure
mode read as a reassuring "0 attacks" / "0 installs":

- community-pulse edge function: supabase-js returns {data,error} without
  throwing, and all five queries discarded `error` — a DB outage produced
  real-looking zeros via the SUCCESS path, and the catch (also returning
  zeros with HTTP 200) was unreachable for query failures. Every query now
  destructures and throws; the catch serves the stale cache (marked
  "stale": true) when one exists, else 503 {"error":"pulse_unavailable"}.
  Success responses carry "status":"ok" so clients can distinguish
  authoritative data from legacy backends. NOTE: the edge function deploys
  out-of-band (supabase functions deploy community-pulse).
- gstack-security-dashboard: captures the HTTP status; non-200 / network
  failure / error body / missing section → "unknown — backend error";
  jq missing → "unknown — install jq" (the lossy grep fallback broke on
  nested arrays and under-reported attacks as zero — removed); a 200
  without the new marker shows figures with an "unverified (legacy
  backend)" note. Also fixes a latent display bug: the TOTAL grep matched
  the digit 7 inside "attacks_last_7_days" and misreported every count.
- gstack-community-dashboard: same class — curl || echo "{}" plus
  grep || echo "0" printed "Weekly active installs: 0" on any failure.
  Now "unknown — backend error (HTTP N)".

test/security-dashboard-fallback.test.ts pins the matrix (200+marker,
200-legacy, 503, network failure) x (jq present, jq absent) for both bins:
"unknown" states never render as 0.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(telemetry): redact error_message spans before they leave the machine (#1947)

error_message was uploaded with only quote/newline escaping — stack traces
and failed-API errors can embed credentials, private paths, and hostnames,
and the sync path strips only _repo_slug/_branch.

New lib/redact-engine.ts export redactFindingSpans(): replaces EVERY
finding's span with <REDACTED-{id}> regardless of tier (applyRedactions is
the interactive PII-only path and exits nonzero on credential findings, so
it can't serve machine egress). Returns null when a span can't be located —
callers drop the whole payload rather than risk a leak.

gstack-telemetry-log pipes error_message through it at LOG time, so the
local JSONL at rest is clean too; surrounding text survives for crash
triage. FAIL CLOSED: bun missing, engine error, or non-JSON-string output
all null the field. Tests pin: embedded ghp_ token → <REDACTED-github.pat>
with context intact; redactor unavailable → null; raw bytes on disk never
contain the token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(redact): prepush guard fails closed on git failure; /ship owns hook install (#1946)

Two gaps closed:

1. Fail closed. The git() helper returned "" on ANY non-zero exit or
   maxBuffer overflow (status null), addedLinesFor produced an empty
   string, and the push sailed through unscanned — fail-open on exactly
   the oversized-diff case where a large secret-bearing blob is most
   likely. The diff call now uses a strict variant that throws; main
   blocks with a clear message naming the GSTACK_REDACT_PREPUSH=skip
   escape valve. Probe calls (symbolic-ref, rev-parse, merge-base) keep
   the permissive helper — their failures are normal control flow.

2. Install path. The hook was installed by nothing ("opt-in, installed by
   nothing" was the issue's words). ./setup runs in the gstack checkout —
   the wrong repo for a per-project hook — so it gets a one-line hint
   only. /ship owns per-repo install: config redact_prepush_hook=true +
   hook missing → silent install (consent already given); config unset +
   no ~/.gstack/.redact-prepush-prompted marker → one-time machine-wide
   AskUserQuestion offer, answer persisted. ship/SKILL.md regenerated in
   this same commit (check-freshness bisect discipline).

Tests: unscannable diff (bogus SHAs) → exit 1 + valve named; empty-but-
successful diff → exit 0; static asserts pin setup as hint-only and the
ship template as the installer surface.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* feat(redact): six new credential patterns — GitLab, HuggingFace, npm, DigitalOcean, Bearer, GCP SA (#1946)

Coverage gaps from the #1946 security review, including token types for
tooling gstack itself drives (glab):

HIGH (block): gitlab.token (glpat-/glptt-/gldt-), huggingface.token (hf_),
npm.token (npm_), digitalocean.token (dop_v1_), gcp.service_account (the
JSON-escaped "private_key" form that dodges pem.private_key's literal-block
match when minified, confirmed by "private_key_id" proximity).

MEDIUM (warn): auth.bearer — the most FP-prone shape in the set (docs are
full of "Authorization: Bearer <token>"), so it requires header-context
proximity and the same entropy>=3.0 + placeholder validator recipe as
env.kv. "Bearer YOUR_TOKEN_HERE" never fires; calibration over coverage,
per the cries-wolf principle.

All shapes are linear-time; test/redact-pattern-lint.test.ts covers them
automatically. Engine tests add positive + placeholder-negative cases per
pattern.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* test: coverage-audit additions for the fix wave

Ship Step 7 gap-fill (all passing, 248 tests across the touched suites):
memory + dream stage probe-timeout proceeds, gbrain-detect override paths,
stale-flag passthrough, 200-body-missing-.security fail-closed case,
telemetry redaction edges, and credential-pattern edge cases.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: pre-landing review fixes

Review army findings (1 critical, auto-fixed with regression tests):

- CRITICAL (security specialist, verified live): redactFindingSpans spliced
  only the regex capture span, and pem.private_key / gcp.service_account
  capture just the BEGIN-header — the key body survived "redaction" and
  shipped via telemetry. Marker-only patterns now drop the whole payload
  (null, fail closed). Overlapping spans (Bearer+JWT on the same bytes) are
  coalesced before splicing so stale offsets can't leave partial secret
  bytes behind.
- gitStrict: drop the dead `|| r.status === null` disjunct (null !== 0
  already covers it); add the signal-kill/null-status regression test the
  docstring promised.
- security-dashboard human mode flags stale snapshots ("figures may be out
  of date") instead of presenting frozen counts as current.
- community-dashboard marker check uses jq when available — the grep-only
  variant misclassified whitespaced/reserialized bodies as legacy.
- telemetry fail-closed test now shadows bun with a failing stub
  (deterministic on any host layout); stale "five status cases" describe
  title renamed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: adversarial review fixes (Claude + Codex cross-model passes)

Both adversarial passes ran against the wave; every FIXABLE finding landed
with a regression test:

- probeTimeoutMs clamps to >=1ms: a fractional override floored to 0, and
  execFileSync treats timeout:0 as NO timeout — the probe that exists to
  bound hangs could hang forever (found by both models independently).
- /ship silent hook install now requires the hooks dir to live inside
  .git: with core.hooksPath (husky's COMMITTED .husky/), the chaining
  installer would have renamed the team's committed pre-push and written a
  machine-local wrapper into the working tree (found by both models).
- gstack-config gbrain-refresh accepts the "timeout" status — the last
  consumer still gating on literal "ok" (Codex); gstack-gbrain-detect's
  config-derived fields honor GBRAIN_HOME so the detection JSON can't
  report status ok alongside config_exists false (Codex).
- prepush: a remote sha absent locally (shallow clone / stale fetch) falls
  back to the merge-base/empty-tree range — scans MORE, never blocks a
  legitimate push into training users toward --no-verify.
- dashboards: curl's own 000 no longer doubles to "HTTP 000000"; the
  community dashboard flags stale snapshots like the security one; array
  sections parse via jq (the sed/grep loops truncated at the first ']');
  the no-jq marker grep tolerates whitespace.
- telemetry: multi-line redactor output nulls the field instead of
  corrupting the JSONL record; setup's hint fires only when the config key
  is genuinely unset (an explicit false is a recorded decline); the /ship
  prompt marker honors GSTACK_HOME.

Kept as designed (cross-model tension noted): Bearer stays MEDIUM in the
prepush gate — a HIGH Bearer would block every docs example; the entropy
validator can't eliminate that FP class, and MEDIUM warns visibly.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* chore: bump version and changelog (v1.57.11.0)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* docs: P1 TODO — eval harness live progress + incremental persistence

Root-caused during this ship: a killed eval run was indistinguishable from a
healthy one for hours (per-file output buffering across mega test files, no
incremental eval-store writes, no honest liveness signal). Full context and
starting points in the entry.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* test: fix operational-learning E2E fixture — copy lib/jsonl-store.ts

Pre-existing breakage, proven on main: gstack-learnings-log has imported
lib/jsonl-store.ts (shared injection patterns) since v1.57.5.0 / #1910, but
the fixture copies only the bin scripts — the bin exits 1 before writing
anything, on main silently (stderr swallowed) and on this branch loudly
(the #1950 error-surfacing made the four-day-old failure visible). A real
install always ships bin/ and lib/ together; the fixture now does too.
Verified: the fixture-shaped invocation writes the learning (exit 0) with
lib present, exits 1 on both main and this branch without it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix(ios-qa): isolate E2E tests under --concurrent (3 real races)

The ios-qa E2E file failed intermittently under `bun test --concurrent`
(the eval harness default). Three distinct shared-state races, all fixed:

1. Shared pidfile: a module-level `workDir` reassigned in beforeEach was
   clobbered by parallel tests, so concurrent daemons collided on the same
   pidfile and the loser returned `already_running`. Each test now gets its
   own dir via makeWorkDir().
2. process.env path globals: tests set GSTACK_IOS_AUDIT_PATH /
   _ATTEMPTS_PATH / _ALLOWLIST_PATH on the shared process env; concurrent
   tests stomped each other's audit/attempts destinations. Threaded
   auditPath/attemptsPath/allowlistPath through DaemonOptions (and
   mintForCaller) as explicit args — env is no longer load-bearing.
3. afterEach cleanup race: the per-test cleanup drained a shared dir array,
   so the first test to finish deleted still-running tests' workDirs
   mid-assertion. Moved to afterAll (cleans once, after all settle).

Verified: 5/5 clean full-suite runs at --max-concurrency 15 (was
intermittent); daemon unit suite 91/91; daemon source compiles. The paths
default to the env-derived locations when options are omitted, so the
production CLI path is unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* test(pty): pin spawned claude to EVALS model chain (default claude-sonnet-4-6)

launchClaudePty spawned the interactive `claude` TUI with no --model flag, so
the child inherited the operator's ~/.claude/settings.json model. On a
slow-thinking model that meant 5+ min of extended thinking on empty plan-mode
context, timing out the plan-mode smoke tests regardless of contention. Pin the
model via opts.model ?? EVALS_MODEL ?? 'claude-sonnet-4-6' — byte-identical to
session-runner.ts:144, so PTY and `claude -p` evals always agree.

Pushed before extraArgs (last flag wins, so a per-test --model still overrides).
Placement leaves the spawn region byte-stable for a clean merge with the
in-flight hermetic-env branch. Plumbed model through the three plan-skill
wrappers. Static-grep tripwires guard the pin, its fallback chain, the
before-extraArgs ordering, and all three wrapper forwards.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(pty): detect markdown bold-bullet prose AUQs (fixes office-hours smoke)

office-hours auto-mode renders its mode question as `- **Building a startup**`
markdown bullets (office-hours/SKILL.md.tmpl:102) with no letter/number marker.
isProseAUQVisible only matched `A)`-style lettered or `1.`-style numbered
options, so the question went undetected: the model surfaced it at ~2m19s
(well under the 300s budget) but the harness kept scoring the run "working"
off the spinner glyphs and timed out — a false timeout on a question that was
already on screen.

Add Pattern 3: when an interrogative line ('?') is present AND 3+ bold-bullet
markers (`- **`) appear in the 4KB tail, classify as a prose AUQ. Bold is the
discriminator vs incidental prose bullets; the line anchor is dropped (stripAnsi
can collapse option lines) and the existing `❯ 1.` cursor gate still defers to a
live native list. Wires through the existing classifyVisible 'asked' path and the
timeout high-water-mark, so office-hours now classifies 'asked' instead of
'timeout'. Five unit cases: the office-hours render passes; no-'?', <3-bullet,
plain-bullet, and native-cursor cases stay false.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(pty): detect stripAnsi-collapsed prose AUQs + judge spinner-precedence

The plan-eng/plan-design plan-mode + finding-floor smokes timed out even when
the skill HAD rendered a complete prose AskUserQuestion and was waiting: the PTY
strips cursor-positioning escapes, collapsing the option newlines/spaces so
"A) ..." arrives as "A(recommended)" / "-B:" and "Reply with A, B, or C" as
"ReplywithA,B,orC". Every line-anchored detector (Patterns 1-3) returns false on
those bytes, so proseAUQEverObserved never latched and the run timed out on a
question that was already on screen.

Add Pattern 4/5: a two-signal collapsed-form detector — a reply/recommendation
marker (space-insensitive "reply with [A-D]", "Recommendation:", or
"(recommended)") AND 2+ distinct A-D letters each punctuated by ) : or (. The
conjunction is what separates a real AUQ from incidental report prose; verified
true on the verbatim failing-run buffers where Patterns 1-3 return false.

Also fix the Haiku judge spinner bias: of 614 verdicts, 569 were 'working' and
95 of those noted a question was visible — Claude Code keeps the spinner
animating at an idle prose decision, so the judge coin-flipped. Add a precedence
override: when an option list AND a Recommendation/Reply instruction are both
visible, classify WAITING even with spinner glyphs. Kept the strict dual-signal
gate (never option-list-alone) so auto-decide-preserved doesn't flip.

5 unit tests pin the two-signal contract (2 true on real collapsed bytes, 3
false guards). 90 -> 95 pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(plan-review): ask-first scope gate for plan-eng + plan-design review

On an empty/cold invocation, plan-eng-review and plan-design-review would dive
straight into repo exploration (plan-eng) or a 7-pass mockup+audit (plan-design)
and only ask the user much later, if at all. plan-ceo-review already asks first
via an unconditional Step-0 gate and behaves well; these two did not.

Add a hard-STOP scope gate as the FIRST operational instruction in each skill
(above the design-doc check / pre-review audit / mockup defaults it explicitly
overrides): the first tool call must be AskUserQuestion confirming the review
target, before any git/Read/Grep/Glob/Bash or mockup generation. Under
--disallowedTools the options render as plain column-0 lettered prose with a
Recommendation + "Reply with A, B, or C" line so the answer is detectable.

This is correct cold-start UX (confirm what to review before grinding a full
review on nothing) and it is the product half of the plan-mode smoke fix; the
harness collapsed-form detector is the deterministic half that catches the ask
however it renders. Templates + regenerated SKILL.md (default variant).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(tiers): reclassify stochastic plan-eng/plan-design ask-first smokes as periodic

plan-eng-review and plan-design-review run a long explore/audit before their
first AskUserQuestion, so whether the plan-mode + finding-floor smokes reach a
terminal outcome within the 300s/600s budget depends on stochastic ask-first
compliance (measured ~50-67%/run even with the hardened gate). Per the
"non-deterministic -> periodic" tiering rule, move the four affected smokes
(plan-eng/plan-design review-plan-mode + finding-floor) to periodic.

The deterministic harness fix (collapsed-form detector + judge precedence) and
the ask-first gate lift these from always-failing to mostly-passing and are the
real product+harness improvements; periodic monitoring tracks the rate weekly
without blocking PRs on an LLM coin-flip. plan-ceo/plan-devex ask-first reliably
and stay gate-tier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(evals): gate the deterministic PTY plan-mode smokes in CI

The real-PTY plan-mode smokes never ran in CI — the gate was local-only. Add an
e2e-pty-plan-smoke matrix suite running the two deterministically-reliable ones
(office-hours-auto-mode, plan-mode-no-op) so a regression there blocks PRs. The
stochastic plan-eng/plan-design ask-first smokes stay periodic (touchfiles
E2E_TIERS) and are not CI-gated.

A fresh CI container has no ~/.claude.json, so the spawned interactive `claude`
would wedge on the onboarding + API-key-approval dialog. Add a scoped seed step
(hasCompletedOnboarding + key approval, its own ANTHROPIC_API_KEY env) before the
run — mirrors what the hermetic E2E child env seeds. Per-suite timeout override
(35 min) via matrix.suite.timeout so the PTY suite has headroom for --retry 2
without bumping the other 12 suites. Report runner count 12 -> 13.

Validate via workflow_dispatch before relying on the gate (PTY-in-CI is new).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(evals): install gstack skill registry for the PTY smoke suite

The first dry-run of e2e-pty-plan-smoke failed: the spawned interactive `claude`
printed "Unknown command: /plan-ceo-review". .claude/skills is gitignored, so a
fresh CI checkout has no gstack skill registry and the TUI can't resolve
/office-hours or /plan-ceo-review.

Add a Register step (scoped to the suite, after Seed, before Run) that mirrors
setup's --no-prefix user-scoped registry minimally: $HOME/.claude/skills/gstack
-> repo (resolves the preambles' absolute ~/.claude/skills/gstack/bin/* and
<skill>/sections/* paths) + per-skill SKILL.md/sections symlinks for the two
skills these tests invoke. HOME is /github/home in this container and the runner
adds no HOME/CLAUDE_CONFIG_DIR override (no hermetic mode), so $HOME is the right
anchor — the Seed step already proved claude reads it. No ./setup (binary build
+ Chromium + fonts + /dev/tty prompt); SKILL.md + bin/ + sections/ are committed.

Self-validating: fails the step loudly on a dangling symlink or missing
`name:` frontmatter, so a moved target surfaces here instead of as a silent
35-min "Unknown command" timeout.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: bump version and changelog (v1.58.4.0)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

bin/gstack-community-dashboard

@@ -31,20 +31,52 @@ if [ -z "$SUPABASE_URL" ] || [ -z "$ANON_KEY" ]; then
 fi
 
 # ─── Fetch aggregated stats from edge function ────────────────
-DATA="$(curl -sf --max-time 15 \
+# HTTP status captured (#1947): a backend failure must read as "unknown",
+# never as a healthy "Weekly active installs: 0".
+TMPBODY="$(mktemp)"
+trap 'rm -f "$TMPBODY"' EXIT
+HTTP_CODE="$(curl -s --max-time 15 -w '%{http_code}' -o "$TMPBODY" \
   "${SUPABASE_URL}/functions/v1/community-pulse" \
   -H "apikey: ${ANON_KEY}" \
-  2>/dev/null || echo "{}")"
+  2>/dev/null || true)"
+# curl prints its own 000 before a non-zero exit — a `|| echo` here would
+# double it to "000000" in user-facing output. Normalize to the last 3 chars.
+HTTP_CODE="$(printf '%s' "$HTTP_CODE" | tr -d '[:space:]' | tail -c 3)"
+[ -n "$HTTP_CODE" ] || HTTP_CODE="000"
+DATA="$(cat "$TMPBODY" 2>/dev/null || echo "")"
 
 echo "gstack community dashboard"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 
+if [ "$HTTP_CODE" != "200" ] || [ -z "$DATA" ] || ! printf '%s' "$DATA" | grep -q '"weekly_active"'; then
+  echo "Community stats: unknown — backend error (HTTP ${HTTP_CODE})"
+  echo ""
+  echo "For local analytics: gstack-analytics"
+  exit 0
+fi
+
 # ─── Weekly active installs ──────────────────────────────────
 WEEKLY="$(echo "$DATA" | grep -o '"weekly_active":[0-9]*' | grep -o '[0-9]*' || echo "0")"
 CHANGE="$(echo "$DATA" | grep -o '"change_pct":[0-9-]*' | grep -o '[0-9-]*' || echo "0")"
 
 echo "Weekly active installs: ${WEEKLY}"
+# Marker check: jq when available (whitespace/reserialization-proof); the
+# grep fallback tolerates optional whitespace around the colon.
+_STALE="false"
+if command -v jq >/dev/null 2>&1; then
+  _MARKER="$(printf '%s' "$DATA" | jq -r '.status // empty' 2>/dev/null)"
+  _STALE="$(printf '%s' "$DATA" | jq -r '.stale // false' 2>/dev/null)"
+else
+  _MARKER="$(printf '%s' "$DATA" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"ok"' && echo ok || true)"
+fi
+if [ "$_MARKER" != "ok" ]; then
+  echo "  (unverified — legacy backend response; deploy the latest community-pulse for verified figures)"
+elif [ "$_STALE" = "true" ]; then
+  # Backend serves its last good snapshot when recompute fails — real but
+  # frozen figures must not read as current (matches security-dashboard).
+  echo "  (stale snapshot — backend recompute failing; figures may be out of date)"
+fi
 if [ "$CHANGE" -gt 0 ] 2>/dev/null; then
   echo "  Change: +${CHANGE}%"
 elif [ "$CHANGE" -lt 0 ] 2>/dev/null; then

bin/gstack-config

@@ -411,8 +411,10 @@ case "${1:-}" in
     fi
 
     case "$STATUS" in
-      ok)
-        echo "Detected gbrain v$VERSION."
+      ok|timeout)
+        # "timeout" = slow-but-healthy engine (#1964) — same treatment as
+        # "ok", matching gstack-gbrain-detect --is-ok and gen-skill-docs.
+        echo "Detected gbrain v$VERSION (local-status: $STATUS)."
         # Render brain-aware blocks INTO the global install so EVERY project's
         # Claude sessions get them (other projects read SKILL.md + sections from
         # ~/.claude/skills/gstack via absolute paths baked at gen time). Guards

bin/gstack-gbrain-detect

@@ -18,7 +18,7 @@
  *     "gstack_brain_sync_mode": "off"|"artifacts-only"|"full",
  *     "gstack_brain_git": true|false,
  *     "gstack_artifacts_remote": "https://..." | "",
- *     "gbrain_local_status": "ok"|"no-cli"|"missing-config"|"broken-config"|"broken-db",
+ *     "gbrain_local_status": "ok"|"no-cli"|"missing-config"|"broken-config"|"broken-db"|"timeout",
  *     "gbrain_pooler_mode": "transaction"|"session"|null
  *   }
  *
@@ -48,7 +48,13 @@ import { isTransactionModePooler } from "../lib/gbrain-exec";
 const STATE_DIR = process.env.GSTACK_HOME || join(userHome(), ".gstack");
 const SCRIPT_DIR = __dirname;
 const CONFIG_BIN = join(SCRIPT_DIR, "gstack-config");
-const GBRAIN_CONFIG = join(userHome(), ".gbrain", "config.json");
+// Honors GBRAIN_HOME — must stay consistent with lib/gbrain-local-status's
+// config resolution, or the detect JSON reports gbrain_local_status "ok"
+// alongside gbrain_config_exists false for relocated-home users.
+const GBRAIN_CONFIG = join(
+  process.env.GBRAIN_HOME || join(userHome(), ".gbrain"),
+  "config.json",
+);
 const CLAUDE_JSON = join(userHome(), ".claude.json");
 
 function userHome(): string {
@@ -234,14 +240,17 @@ function main(): void {
   process.stdout.write(JSON.stringify(out, null, 2) + "\n");
 }
 
-// --is-ok: live engine-status gate. Exits 0 iff gbrain is usable ("ok"), 1
-// otherwise. Runs detection live (never reads the possibly-stale
-// gbrain-detection.json), so callers — setup, bin/dev-setup, and
-// `gstack-config gbrain-refresh` — can decide whether to render the gbrain
-// :user variant without duplicating the JSON grep. Prints nothing on stdout.
+// --is-ok: live engine-status gate. Exits 0 iff gbrain is usable ("ok", or
+// "timeout" — a slow-but-healthy engine, #1964 — slow must not silently
+// suppress brain features), 1 otherwise. Runs detection live (never reads
+// the possibly-stale gbrain-detection.json), so callers — setup,
+// bin/dev-setup, and `gstack-config gbrain-refresh` — can decide whether to
+// render the gbrain :user variant without duplicating the JSON grep.
+// Prints nothing on stdout.
 if (process.argv.includes("--is-ok")) {
   const noCache = process.env.GSTACK_DETECT_NO_CACHE === "1";
-  process.exit(localEngineStatus({ noCache }) === "ok" ? 0 : 1);
+  const status = localEngineStatus({ noCache });
+  process.exit(status === "ok" || status === "timeout" ? 0 : 1);
 }
 
 main();

bin/gstack-gbrain-sync.ts

@@ -717,6 +717,8 @@ function dreamMarkerPid(): number | null {
  *   missing-config → "no local engine; run /setup-gbrain to add local PGLite"
  *   broken-config  → "config file at ~/.gbrain/config.json is malformed; see /setup-gbrain Step 1.5"
  *   broken-db      → "config points at unreachable DB; see /setup-gbrain Step 1.5"
+ *   timeout        → kept for Record totality; stages PROCEED on timeout (#1964)
+ *                    via the gate's warnProbeTimeout path, never this skip.
  */
 function skipStageForLocalStatus(
   stage: "code" | "memory" | "dream",
@@ -731,6 +733,8 @@ function skipStageForLocalStatus(
       "config at ~/.gbrain/config.json is malformed; see /setup-gbrain Step 1.5",
     "broken-db":
       "config points at unreachable DB; see /setup-gbrain Step 1.5",
+    "timeout":
+      "engine probe timed out; raise GSTACK_GBRAIN_PROBE_TIMEOUT_MS if your pooler is slow",
   };
   const reason = reasons[status as Exclude<LocalEngineStatus, "ok">];
   return {
@@ -742,6 +746,20 @@ function skipStageForLocalStatus(
   };
 }
 
+/**
+ * "timeout" means the probe hit its deadline with no recognized error — the
+ * engine is most likely healthy but slow (#1964: cold pooler connections
+ * measured at 6.9-10.7s). Stages proceed; a genuinely-dead engine surfaces
+ * its REAL error at the first actual operation instead of a false
+ * "config malformed" skip.
+ */
+function warnProbeTimeout(stage: "code" | "memory" | "dream"): void {
+  process.stderr.write(
+    `[gstack-gbrain-sync] ${stage}: engine probe timed out — proceeding anyway; ` +
+      `raise GSTACK_GBRAIN_PROBE_TIMEOUT_MS if your pooler is slow\n`,
+  );
+}
+
 
 async function runCodeImport(args: CliArgs): Promise<StageResult> {
   const t0 = Date.now();
@@ -773,7 +791,9 @@ async function runCodeImport(args: CliArgs): Promise<StageResult> {
   // when the local DB is dead. Skipped on --dry-run (above) since dry-run
   // never actually probes anything.
   const localStatus = localEngineStatus({ noCache: false });
-  if (localStatus !== "ok") {
+  if (localStatus === "timeout") {
+    warnProbeTimeout("code"); // #1964: slow-but-healthy — proceed
+  } else if (localStatus !== "ok") {
     return skipStageForLocalStatus("code", localStatus, t0);
   }
 
@@ -1031,7 +1051,9 @@ function runMemoryIngest(args: CliArgs): StageResult {
   // not ok, SKIP cleanly so brain-sync (the only stage that doesn't depend
   // on local engine) still runs.
   const localStatus = localEngineStatus({ noCache: false });
-  if (localStatus !== "ok") {
+  if (localStatus === "timeout") {
+    warnProbeTimeout("memory"); // #1964: slow-but-healthy — proceed
+  } else if (localStatus !== "ok") {
     return skipStageForLocalStatus("memory", localStatus, t0);
   }
 
@@ -1193,7 +1215,9 @@ export async function runDream(args: CliArgs): Promise<StageResult> {
   }
 
   const localStatus = localEngineStatus({ noCache: false });
-  if (localStatus !== "ok") {
+  if (localStatus === "timeout") {
+    warnProbeTimeout("dream"); // #1964: slow-but-healthy — proceed
+  } else if (localStatus !== "ok") {
     return skipStageForLocalStatus("dream", localStatus, t0);
   }
 

bin/gstack-learnings-log

@@ -7,13 +7,24 @@
 # by gstack-learnings-search ("latest winner" per key+type).
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# Windows git-bash (#1950): pwd yields a POSIX path (/c/Users/...), which Bun
+# on Windows cannot resolve as an ES module specifier in the import below.
+# cygpath -m converts to C:/Users/... which Bun accepts.
+case "$(uname -s)" in
+  MINGW*|MSYS*|CYGWIN*) command -v cygpath >/dev/null 2>&1 && SCRIPT_DIR="$(cygpath -m "$SCRIPT_DIR")" ;;
+esac
 eval "$("$SCRIPT_DIR/gstack-slug" 2>/dev/null)"
 GSTACK_HOME="${GSTACK_HOME:-$HOME/.gstack}"
 mkdir -p "$GSTACK_HOME/projects/$SLUG"
 
 INPUT="$1"
 
-# Validate and sanitize input
+# Validate and sanitize input. Errors surface (#1950): stderr is captured and
+# printed on failure instead of swallowed — a silent exit 1 here cost Windows
+# users every AI-logged learning.
+TMPERR=$(mktemp)
+trap 'rm -f "$TMPERR"' EXIT
+set +e
 VALIDATED=$(printf '%s' "$INPUT" | bun -e "
 import { hasInjection } from '$SCRIPT_DIR/../lib/jsonl-store.ts';
 const raw = await Bun.stdin.text();
@@ -63,9 +74,14 @@ if (!j.ts) j.ts = new Date().toISOString();
 j.trusted = j.source === 'user-stated';
 
 console.log(JSON.stringify(j));
-" 2>/dev/null)
+" 2>"$TMPERR")
+VALIDATE_RC=$?
+set -e
 
-if [ $? -ne 0 ] || [ -z "$VALIDATED" ]; then
+if [ $VALIDATE_RC -ne 0 ] || [ -z "$VALIDATED" ]; then
+  if [ -s "$TMPERR" ]; then
+    cat "$TMPERR" >&2
+  fi
   exit 1
 fi
 

bin/gstack-question-log

@@ -27,6 +27,12 @@
 # Append-only JSONL. Dedup is at read time in gstack-question-sensitivity --read-log.
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# Windows git-bash (#1950): pwd yields a POSIX path (/c/Users/...), which Bun
+# on Windows cannot resolve as an ES module specifier in bun -e imports.
+# cygpath -m converts to C:/Users/... which Bun accepts.
+case "$(uname -s)" in
+  MINGW*|MSYS*|CYGWIN*) command -v cygpath >/dev/null 2>&1 && SCRIPT_DIR="$(cygpath -m "$SCRIPT_DIR")" ;;
+esac
 eval "$("$SCRIPT_DIR/gstack-slug" 2>/dev/null)"
 # GSTACK_STATE_ROOT takes precedence over GSTACK_HOME (test isolation per D16).
 GSTACK_HOME="${GSTACK_STATE_ROOT:-${GSTACK_HOME:-$HOME/.gstack}}"
@@ -39,6 +45,7 @@ TMPERR=$(mktemp)
 trap 'rm -f "$TMPERR"' EXIT
 set +e
 VALIDATED=$(printf '%s' "$INPUT" | bun -e "
+import { hasInjection } from '$SCRIPT_DIR/../lib/jsonl-store.ts';
 const path = require('path');
 const raw = await Bun.stdin.text();
 let j;
@@ -104,23 +111,12 @@ if (j.question_summary.includes('\n')) {
   j.question_summary = j.question_summary.replace(/\n+/g, ' ');
 }
 
-// Injection defense on the summary — same patterns as learnings-log.
-const INJECTION_PATTERNS = [
-  /ignore\s+(all\s+)?previous\s+(instructions|context|rules)/i,
-  /you\s+are\s+now\s+/i,
-  /always\s+output\s+no\s+findings/i,
-  /skip\s+(all\s+)?(security|review|checks)/i,
-  /override[:\s]/i,
-  /\bsystem\s*:/i,
-  /\bassistant\s*:/i,
-  /\buser\s*:/i,
-  /do\s+not\s+(report|flag|mention)/i,
-];
-for (const pat of INJECTION_PATTERNS) {
-  if (pat.test(j.question_summary)) {
-    process.stderr.write('gstack-question-log: question_summary contains suspicious instruction-like content, rejected\n');
-    process.exit(1);
-  }
+// Injection defense on the summary — shared audited list (lib/jsonl-store.ts),
+// same source of truth as learnings-log and decision-log. The previous local
+// duplicate drifted (#1934): pattern fixes to the lib never propagated here.
+if (hasInjection(j.question_summary)) {
+  process.stderr.write('gstack-question-log: question_summary contains suspicious instruction-like content, rejected\n');
+  process.exit(1);
 }
 
 // Registry lookup for category + door_type enrichment.

bin/gstack-redact-prepush

@@ -35,11 +35,41 @@ const ZERO = /^0+$/;
 // The canonical empty-tree object; diffing against it yields all content as added.
 const EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904";
 
+/**
+ * Permissive git for legitimately-fallible PROBES (symbolic-ref, rev-parse,
+ * merge-base) where a non-zero exit is normal control flow. The DIFF call
+ * must NOT use this — see gitStrict (#1946 fail-closed).
+ */
 function git(args: string[]): string {
   const r = spawnSync("git", args, { encoding: "utf8", maxBuffer: 64 * 1024 * 1024 });
   return r.status === 0 ? (r.stdout ?? "") : "";
 }
 
+/**
+ * Fail-closed git for the diff that decides whether the push is scanned
+ * (#1946). status !== 0 covers repo errors; status === null covers a killed
+ * process AND maxBuffer overflow — the oversized-diff case is exactly where
+ * a large secret-bearing blob is most likely, so "couldn't read the diff"
+ * must block, not silently allow.
+ */
+function gitStrict(args: string[]): string {
+  const r = spawnSync("git", args, { encoding: "utf8", maxBuffer: 64 * 1024 * 1024 });
+  // status !== 0 covers BOTH a non-zero exit AND null (process killed by a
+  // signal or maxBuffer overflow — null !== 0 is true).
+  if (r.status !== 0) {
+    throw new Error(
+      `git ${args[0]} failed (status=${r.status ?? "killed/overflow"}): ${(r.stderr ?? "").slice(0, 300)}`,
+    );
+  }
+  return r.stdout ?? "";
+}
+
+/** True when the object exists in the local odb (cat-file -e signals via exit code). */
+function objectExists(sha: string): boolean {
+  const r = spawnSync("git", ["cat-file", "-e", sha], { encoding: "utf8" });
+  return r.status === 0;
+}
+
 function defaultRemoteBranch(): string {
   // origin/HEAD → origin/main, fall back to main/master.
   const sym = git(["symbolic-ref", "refs/remotes/origin/HEAD"]).trim();
@@ -59,13 +89,22 @@ function addedLinesFor(localSha: string, remoteSha: string): string {
     // branch content is scanned as added — fail-safe (scans more, never less).
     const base = git(["merge-base", localSha, defaultRemoteBranch()]).trim();
     range = base ? `${base}..${localSha}` : `${EMPTY_TREE}..${localSha}`;
+  } else if (!objectExists(remoteSha)) {
+    // Remote tip object absent locally (shallow clone, force-push without a
+    // prior fetch, CI checkout): remote..local can't resolve. Fall back to
+    // the merge-base/empty-tree path — scans MORE, never less — instead of
+    // hard-blocking a legitimate push (adversarial review finding 8).
+    const base = git(["merge-base", localSha, defaultRemoteBranch()]).trim();
+    range = base ? `${base}..${localSha}` : `${EMPTY_TREE}..${localSha}`;
   } else {
     // Existing branch (incl. force-push): net new content remote..local.
     range = `${remoteSha}..${localSha}`;
   }
   // -U0: only changed lines; we keep lines starting with '+' (added), drop the
   // +++ file header. Unified diff added lines start with a single '+'.
-  const diff = git(["diff", "--unified=0", "--no-color", range]);
+  // Strict (#1946): a failed diff used to return "" and the push sailed
+  // through unscanned — fail open on the exact path the guard exists for.
+  const diff = gitStrict(["diff", "--unified=0", "--no-color", range]);
   const added: string[] = [];
   for (const line of diff.split("\n")) {
     if (line.startsWith("+") && !line.startsWith("+++")) {
@@ -108,7 +147,21 @@ function main() {
 
   for (const [, localSha, , remoteSha] of refs) {
     if (!localSha || ZERO.test(localSha)) continue; // branch delete → nothing pushed
-    const added = addedLinesFor(localSha, remoteSha || "0");
+    let added: string;
+    try {
+      added = addedLinesFor(localSha, remoteSha || "0");
+    } catch (err) {
+      // Fail CLOSED (#1946): if we can't compute the pushed diff we can't
+      // scan it, and unscanned-but-allowed is the failure mode this hook
+      // exists to prevent.
+      process.stderr.write(
+        "\n⛔ gstack-redact-prepush BLOCKED the push — could not compute the pushed diff, " +
+          "so it cannot be scanned for credentials.\n" +
+          `  (${err instanceof Error ? err.message.split("\n")[0] : String(err)})\n` +
+          "Bypass if you're sure: GSTACK_REDACT_PREPUSH=skip git push   (or git push --no-verify)\n",
+      );
+      process.exit(1);
+    }
     if (!added.trim()) continue;
     // Visibility doesn't change HIGH behavior; pass private so nothing is treated
     // as public-strict (HIGH blocks regardless either way).

bin/gstack-security-dashboard

@@ -41,28 +41,52 @@ if [ -z "$SUPABASE_URL" ] || [ -z "$ANON_KEY" ]; then
   exit 0
 fi
 
-DATA="$(curl -sf --max-time 15 \
+# Fetch with the HTTP status captured (#1947). A backend failure must read
+# as "unknown", never as a healthy "0 attacks" — fake zeros on a security
+# surface are indistinguishable from good news.
+TMPBODY="$(mktemp)"
+trap 'rm -f "$TMPBODY"' EXIT
+HTTP_CODE="$(curl -s --max-time 15 -w '%{http_code}' -o "$TMPBODY" \
   "${SUPABASE_URL}/functions/v1/community-pulse" \
   -H "apikey: ${ANON_KEY}" \
-  2>/dev/null || echo "{}")"
+  2>/dev/null || true)"
+# curl prints its own 000 before a non-zero exit — a `|| echo` here would
+# double it to "000000" in user-facing output. Normalize to the last 3 chars.
+HTTP_CODE="$(printf '%s' "$HTTP_CODE" | tr -d '[:space:]' | tail -c 3)"
+[ -n "$HTTP_CODE" ] || HTTP_CODE="000"
+DATA="$(cat "$TMPBODY" 2>/dev/null || echo "")"
 
-# Extract the security section. Prefer jq for brace-balanced parsing of
-# nested arrays/objects (top_attack_domains etc.). Fall back to regex if
-# jq isn't installed — the regex is lossy but the dashboard degrades
-# gracefully to "0 attacks" rather than misreporting numbers.
-if command -v jq >/dev/null 2>&1; then
-  SEC_SECTION="$(echo "$DATA" | jq -rc '.security // empty | "\"security\":\(.)"' 2>/dev/null || echo "")"
-else
-  SEC_SECTION="$(echo "$DATA" | grep -o '"security":{[^}]*}' 2>/dev/null || echo "")"
+# Classify the response:
+#   ok      — 200 from the new backend (carries "status":"ok"); figures authoritative
+#   legacy  — 200 with a security section but no marker (pre-#1947 backend);
+#             figures shown but flagged unverified (old backend masked errors as zeros)
+#   unknown — non-200 / network failure / error body / missing section / no jq
+STATE="ok"
+REASON=""
+if [ "$HTTP_CODE" != "200" ] || [ -z "$DATA" ]; then
+  STATE="unknown"; REASON="backend_error"
+elif ! command -v jq >/dev/null 2>&1; then
+  # No lossy-grep fallback: the old regex broke on nested arrays and
+  # under-reported attacks as zero. Without jq the honest answer is unknown.
+  STATE="unknown"; REASON="jq_missing"
+elif ! echo "$DATA" | jq -e '.security' >/dev/null 2>&1; then
+  STATE="unknown"; REASON="backend_error"
+elif [ "$(echo "$DATA" | jq -r '.status // empty' 2>/dev/null)" != "ok" ]; then
+  STATE="legacy"
 fi
 
 if [ "$JSON_MODE" = "1" ]; then
-  # Machine-readable — echo the whole security section (or empty object)
-  if [ -n "$SEC_SECTION" ]; then
-    echo "{${SEC_SECTION}}"
-  else
-    echo '{"security":{"attacks_last_7_days":0,"top_attack_domains":[],"top_attack_layers":[],"verdict_distribution":[]}}'
-  fi
+  case "$STATE" in
+    unknown)
+      echo "{\"security\":null,\"status\":\"unknown\",\"reason\":\"${REASON}\"}"
+      ;;
+    legacy)
+      echo "$DATA" | jq -c '{security: .security, status: "legacy_unverified"}'
+      ;;
+    ok)
+      echo "$DATA" | jq -c '{security: .security, status: "ok", stale: (.stale // false)}'
+      ;;
+  esac
   exit 0
 fi
 
@@ -71,47 +95,64 @@ echo "gstack security dashboard"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 
-TOTAL="$(echo "$DATA" | grep -o '"attacks_last_7_days":[0-9]*' | grep -o '[0-9]*' | head -1 || echo "0")"
+if [ "$STATE" = "unknown" ]; then
+  if [ "$REASON" = "jq_missing" ]; then
+    echo "Attacks detected last 7 days: unknown — install jq for exact figures"
+  else
+    echo "Attacks detected last 7 days: unknown — backend error (HTTP ${HTTP_CODE})"
+  fi
+  echo ""
+  echo "Your local log: ~/.gstack/security/attempts.jsonl"
+  echo "Your telemetry mode: $(${GSTACK_DIR}/bin/gstack-config get telemetry 2>/dev/null || echo unknown)"
+  exit 0
+fi
+
+# jq is guaranteed here (jq-missing classified as unknown above). The old
+# grep chain matched the digit 7 inside "attacks_last_7_days" itself and
+# misreported every count as 7.
+TOTAL="$(echo "$DATA" | jq -r '.security.attacks_last_7_days // 0' 2>/dev/null || echo "0")"
 echo "Attacks detected last 7 days: ${TOTAL}"
-if [ "$TOTAL" = "0" ]; then
+if [ "$STATE" = "legacy" ]; then
+  echo "  (unverified — legacy backend response; deploy the latest community-pulse for verified figures)"
+elif [ "$(echo "$DATA" | jq -r '.stale // false' 2>/dev/null)" = "true" ]; then
+  # The backend serves its last good snapshot when recompute fails — figures
+  # are real but frozen. Don't present them as current.
+  echo "  (stale snapshot — backend recompute failing; figures may be out of date)"
+elif [ "$TOTAL" = "0" ]; then
   echo "  (No attack attempts reported by the community yet. Good news.)"
 fi
 echo ""
 
-# Top attacked domains — parse objects inside top_attack_domains array
-DOMAINS="$(echo "$DATA" | sed -n 's/.*"top_attack_domains":\(\[[^]]*\]\).*/\1/p' | head -1)"
-if [ -n "$DOMAINS" ] && [ "$DOMAINS" != "[]" ]; then
+# Array sections — jq is guaranteed past the state gate; the old sed/grep
+# parsing truncated at the first ']' and dropped entries on any nesting
+# (the same bug class as the "every count is 7" TOTAL grep).
+DOMAINS="$(echo "$DATA" | jq -r '.security.top_attack_domains[]? | "\(.domain)\t\(.count)"' 2>/dev/null)"
+if [ -n "$DOMAINS" ]; then
   echo "Top attacked domains"
   echo "────────────────────"
-  echo "$DOMAINS" | grep -o '{[^}]*}' | head -10 | while read -r OBJ; do
-    DOMAIN="$(echo "$OBJ" | grep -o '"domain":"[^"]*"' | awk -F'"' '{print $4}')"
-    COUNT="$(echo "$OBJ" | grep -o '"count":[0-9]*' | grep -o '[0-9]*')"
+  printf '%s\n' "$DOMAINS" | head -10 | while IFS="$(printf '\t')" read -r DOMAIN COUNT; do
     [ -n "$DOMAIN" ] && [ -n "$COUNT" ] && printf "  %-40s %s attempts\n" "$DOMAIN" "$COUNT"
   done
   echo ""
 fi
 
 # Which layer catches attacks
-LAYERS="$(echo "$DATA" | sed -n 's/.*"top_attack_layers":\(\[[^]]*\]\).*/\1/p' | head -1)"
-if [ -n "$LAYERS" ] && [ "$LAYERS" != "[]" ]; then
+LAYERS="$(echo "$DATA" | jq -r '.security.top_attack_layers[]? | "\(.layer)\t\(.count)"' 2>/dev/null)"
+if [ -n "$LAYERS" ]; then
   echo "Top detection layers"
   echo "────────────────────"
-  echo "$LAYERS" | grep -o '{[^}]*}' | while read -r OBJ; do
-    LAYER="$(echo "$OBJ" | grep -o '"layer":"[^"]*"' | awk -F'"' '{print $4}')"
-    COUNT="$(echo "$OBJ" | grep -o '"count":[0-9]*' | grep -o '[0-9]*')"
+  printf '%s\n' "$LAYERS" | while IFS="$(printf '\t')" read -r LAYER COUNT; do
     [ -n "$LAYER" ] && [ -n "$COUNT" ] && printf "  %-28s %s\n" "$LAYER" "$COUNT"
   done
   echo ""
 fi
 
 # Verdict distribution
-VERDICTS="$(echo "$DATA" | sed -n 's/.*"verdict_distribution":\(\[[^]]*\]\).*/\1/p' | head -1)"
-if [ -n "$VERDICTS" ] && [ "$VERDICTS" != "[]" ]; then
+VERDICTS="$(echo "$DATA" | jq -r '.security.verdict_distribution[]? | "\(.verdict)\t\(.count)"' 2>/dev/null)"
+if [ -n "$VERDICTS" ]; then
   echo "Verdict distribution"
   echo "────────────────────"
-  echo "$VERDICTS" | grep -o '{[^}]*}' | while read -r OBJ; do
-    VERDICT="$(echo "$OBJ" | grep -o '"verdict":"[^"]*"' | awk -F'"' '{print $4}')"
-    COUNT="$(echo "$OBJ" | grep -o '"count":[0-9]*' | grep -o '[0-9]*')"
+  printf '%s\n' "$VERDICTS" | while IFS="$(printf '\t')" read -r VERDICT COUNT; do
     [ -n "$VERDICT" ] && [ -n "$COUNT" ] && printf "  %-14s %s\n" "$VERDICT" "$COUNT"
   done
   echo ""

bin/gstack-telemetry-log

@@ -18,6 +18,12 @@
 set -uo pipefail
 
 GSTACK_DIR="${GSTACK_DIR:-$(cd "$(dirname "$0")/.." && pwd)}"
+SCRIPT_DIR="$GSTACK_DIR/bin"
+# Windows git-bash (#1950): pwd yields a POSIX path (/c/Users/...), which Bun
+# on Windows cannot resolve as an ES module specifier in bun -e imports.
+case "$(uname -s)" in
+  MINGW*|MSYS*|CYGWIN*) command -v cygpath >/dev/null 2>&1 && SCRIPT_DIR="$(cygpath -m "$SCRIPT_DIR")" ;;
+esac
 STATE_DIR="${GSTACK_STATE_DIR:-$HOME/.gstack}"
 ANALYTICS_DIR="$STATE_DIR/analytics"
 JSONL_FILE="$ANALYTICS_DIR/skill-usage.jsonl"
@@ -177,8 +183,29 @@ BRANCH="$(json_safe "$BRANCH")"
 ERR_FIELD="null"
 [ -n "$ERROR_CLASS" ] && ERR_FIELD="\"$(json_safe "$ERROR_CLASS")\""
 
+# error_message goes through the redaction engine before it touches disk
+# (#1947): stack traces and failed-API errors can embed credentials, paths,
+# and hostnames. Every finding span becomes <REDACTED-{id}>; the rest of the
+# message survives for crash triage. The bun snippet emits a JSON-encoded
+# string (quotes included) ready to drop into the printf below. FAIL CLOSED:
+# if bun / the engine is unavailable, the scan errors, or the output doesn't
+# look like a JSON string, the whole message becomes null — never raw.
 ERR_MSG_FIELD="null"
-[ -n "$ERROR_MESSAGE" ] && ERR_MSG_FIELD="\"$(printf '%s' "$ERROR_MESSAGE" | head -c 200 | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/	/\\t/g' | tr '\n\r' '  ')\""
+if [ -n "$ERROR_MESSAGE" ]; then
+  ERR_MSG_FIELD="$(printf '%s' "$ERROR_MESSAGE" | bun -e "
+import { redactFindingSpans } from '$SCRIPT_DIR/../lib/redact-engine.ts';
+const input = await Bun.stdin.text();
+const out = redactFindingSpans(input, { repoVisibility: 'private' });
+if (out === null) process.exit(1);
+console.log(JSON.stringify(out.slice(0, 200)));
+" 2>/dev/null)" || ERR_MSG_FIELD="null"
+  case "$ERR_MSG_FIELD" in
+    *"
+"*) ERR_MSG_FIELD="null" ;; # embedded newline would corrupt the JSONL record
+    \"*\") ;; # single-line JSON string — safe to embed
+    *) ERR_MSG_FIELD="null" ;;
+  esac
+fi
 
 STEP_FIELD="null"
 [ -n "$FAILED_STEP" ] && STEP_FIELD="\"$(json_safe "$FAILED_STEP")\""