@hanzlaa/rcode 3.4.10 → 3.4.12

package/README.md

@@ -100,6 +100,11 @@ Restart Claude Code (or your IDE), type `/`, and every `rihal-*` command appears
 
 Update anytime with `npx @hanzlaa/rcode update` (or `/rihal-update` inside a Claude session).
 
+> **Want `rcode` on your PATH?** `npx @hanzlaa/rcode install` sets up the project files but doesn't put `rcode` in your shell. For the `rcode` CLI command (e.g. `rcode version`, `rcode update`), install globally once:
+> ```bash
+> npm install -g @hanzlaa/rcode
+> ```
+
 ### Then begin the rihla
 
 ```

package/cli/digest.js

@@ -12,7 +12,12 @@ const fs = require('fs');
 const path = require('path');
 
 function normalize(name) {
-  return name.replace(/^rihal-/, '');
+  const stripped = name.replace(/^rihal-/, '');
+  // Reject path traversal attempts — names must be simple identifiers
+  if (stripped.includes('..') || stripped.includes('/') || stripped.includes('\\')) {
+    throw new Error(`Invalid agent name: '${name}'`);
+  }
+  return stripped;
 }
 
 function listAvailable(digestDir, agentsDir) {

package/cli/index.js

@@ -51,7 +51,7 @@ Usage:
 
 📦 PROJECT
   install        Install Rihal Code into the current project
-                 (sets up .rihal/, .claude/skills/, .claude/commands/rihal/,
+                 (sets up .rihal/, .claude/skills/, .claude/commands/,
                  .cursor/rules/, .windsurf/rules/, .antigravity/agents/, AGENTS.md)
   init           Alias for install
   update         Refresh skill files (backs up .rihal/ state first)

package/cli/install.js

@@ -1972,6 +1972,10 @@ async function install(opts) {
   console.log(dim('    npx @hanzlaa/rcode@latest install   # pull the latest rcode + brain'));
   console.log(dim(`    /rihal-update v${version}              # pin rcode to a specific version`));
   console.log('');
+  console.log(dim('  Want the rcode CLI on your PATH? (optional — needed for rcode version / rcode update):'));
+  console.log(dim('    npm install -g @hanzlaa/rcode       # installs rcode, rihal, rihal-code commands'));
+  console.log(dim('    rcode version                       # verify'));
+  console.log('');
   console.log(dim('  Customize without losing changes on update:'));
   console.log(dim('    Create <name>.local.md siblings (e.g. .claude/agents/rihal-waleed.local.md)'));
   console.log(dim('    *.local.md files are NEVER touched by install / --force-overwrite / uninstall.'));

package/cli/lib/fsutil.cjs

@@ -43,7 +43,7 @@ function writeFileAtomic(filePath, content, opts = {}) {
 
   let fd;
   try {
-    fd = fs.openSync(tmpPath, 'w', mode ?? 0o644);
+    fd = fs.openSync(tmpPath, 'wx', mode ?? 0o644);
     fs.writeSync(fd, content, 0, encoding);
     // fsync the data to disk before rename — otherwise a crash between
     // write() and rename() could leave the target renamed but with zero

package/cli/lib/github.cjs

@@ -18,6 +18,14 @@ const { execSync, spawnSync } = require('child_process');
 
 // ---------- Utility: run gh commands safely ----------
 
+function sanitizeGhOutput(text) {
+  if (!text) return '';
+  // Strip anything that looks like a token (ghp_*, ghs_*, github_pat_*)
+  return text
+    .replace(/\b(ghp_|ghs_|github_pat_)[A-Za-z0-9_]{10,}\b/g, '[REDACTED]')
+    .slice(0, 2000);
+}
+
 function runGh(args, { input = null, allowFailure = false } = {}) {
   const result = spawnSync('gh', args, {
     encoding: 'utf8',
@@ -26,9 +34,8 @@ function runGh(args, { input = null, allowFailure = false } = {}) {
   });
 
   if (result.status !== 0 && !allowFailure) {
-    throw new Error(
-      `gh ${args.join(' ')} failed:\n${result.stderr || result.stdout || '(no output)'}`
-    );
+    const detail = sanitizeGhOutput(result.stderr || result.stdout || '(no output)');
+    throw new Error(`gh ${args.join(' ')} failed:\n${detail}`);
   }
 
   return {

package/dist/rcode.js

@@ -16462,6 +16462,10 @@ ${BLOCK}`);
       console.log(dim("    npx @hanzlaa/rcode@latest install   # pull the latest rcode + brain"));
       console.log(dim(`    /rihal-update v${version}              # pin rcode to a specific version`));
       console.log("");
+      console.log(dim("  Want the rcode CLI on your PATH? (optional \u2014 needed for rcode version / rcode update):"));
+      console.log(dim("    npm install -g @hanzlaa/rcode       # installs rcode, rihal, rihal-code commands"));
+      console.log(dim("    rcode version                       # verify"));
+      console.log("");
       console.log(dim("  Customize without losing changes on update:"));
       console.log(dim("    Create <name>.local.md siblings (e.g. .claude/agents/rihal-waleed.local.md)"));
       console.log(dim("    *.local.md files are NEVER touched by install / --force-overwrite / uninstall."));
@@ -16909,7 +16913,7 @@ var require_fsutil = __commonJS({
       );
       let fd;
       try {
-        fd = fs2.openSync(tmpPath, "w", mode ?? 420);
+        fd = fs2.openSync(tmpPath, "wx", mode ?? 420);
         fs2.writeSync(fd, content, 0, encoding);
         fs2.fsyncSync(fd);
         fs2.closeSync(fd);
@@ -17923,7 +17927,11 @@ var require_digest = __commonJS({
     var fs2 = require("fs");
     var path2 = require("path");
     function normalize(name) {
-      return name.replace(/^rihal-/, "");
+      const stripped = name.replace(/^rihal-/, "");
+      if (stripped.includes("..") || stripped.includes("/") || stripped.includes("\\")) {
+        throw new Error(`Invalid agent name: '${name}'`);
+      }
+      return stripped;
     }
     function listAvailable(digestDir, agentsDir) {
       const digestNames = fs2.existsSync(digestDir) ? fs2.readdirSync(digestDir).filter((f) => f.endsWith(".md") && f !== "README.md").map((f) => f.replace(".md", "")) : [];
@@ -19285,6 +19293,10 @@ var require_show_model = __commonJS({
 var require_github = __commonJS({
   "cli/lib/github.cjs"(exports2, module2) {
     var { execSync, spawnSync } = require("child_process");
+    function sanitizeGhOutput(text) {
+      if (!text) return "";
+      return text.replace(/\b(ghp_|ghs_|github_pat_)[A-Za-z0-9_]{10,}\b/g, "[REDACTED]").slice(0, 2e3);
+    }
     function runGh(args, { input = null, allowFailure = false } = {}) {
       const result = spawnSync("gh", args, {
         encoding: "utf8",
@@ -19292,10 +19304,9 @@ var require_github = __commonJS({
         stdio: input ? ["pipe", "pipe", "pipe"] : ["ignore", "pipe", "pipe"]
       });
       if (result.status !== 0 && !allowFailure) {
-        throw new Error(
-          `gh ${args.join(" ")} failed:
-${result.stderr || result.stdout || "(no output)"}`
-        );
+        const detail = sanitizeGhOutput(result.stderr || result.stdout || "(no output)");
+        throw new Error(`gh ${args.join(" ")} failed:
+${detail}`);
       }
       return {
         status: result.status,
@@ -20408,7 +20419,7 @@ Usage:
 
 \u{1F4E6} PROJECT
   install        Install Rihal Code into the current project
-                 (sets up .rihal/, .claude/skills/, .claude/commands/rihal/,
+                 (sets up .rihal/, .claude/skills/, .claude/commands/,
                  .cursor/rules/, .windsurf/rules/, .antigravity/agents/, AGENTS.md)
   init           Alias for install
   update         Refresh skill files (backs up .rihal/ state first)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hanzlaa/rcode",
-  "version": "3.4.10",
+  "version": "3.4.12",
   "description": "rcode — the memory bank for AI-driven SaaS teams. Persistent project context, distinctive engineering personas, and phase-based workflows. Built by Rihal. Works in Claude Code, Cursor, Gemini, VS Code, and Antigravity.",
   "main": "cli/index.js",
   "bin": {
@@ -8,15 +8,6 @@
     "rihal": "dist/rcode.js",
     "rihal-code": "dist/rcode.js"
   },
-  "scripts": {
-    "dashboard": "node server/dashboard.js",
-    "test": "node --test",
-    "test:ci": "node --test --test-reporter=spec",
-    "postinstall": "node cli/postinstall.js",
-    "build:cli": "node scripts/build.cjs",
-    "build": "node scripts/build.cjs",
-    "dogfood": "bash scripts/dogfood-check.sh"
-  },
   "files": [
     "cli/",
     "rihal/",
@@ -69,5 +60,14 @@
   },
   "publishConfig": {
     "access": "public"
+  },
+  "scripts": {
+    "dashboard": "node server/dashboard.js",
+    "test": "node --test",
+    "test:ci": "node --test --test-reporter=spec",
+    "postinstall": "node cli/postinstall.js",
+    "build:cli": "node scripts/build.cjs",
+    "build": "node scripts/build.cjs",
+    "dogfood": "bash scripts/dogfood-check.sh"
   }
-}
+}

package/rihal/bin/rihal-tools.cjs

@@ -4688,11 +4688,11 @@ function cmdProgress(args) {
       byNum[num] = {
         path: full,
         dirName: entry,
-        plan_count: files.filter(f => /PLAN\.md$|-PLAN\.md$|SPRINT\.md$/.test(f)).length,
+        plan_count: files.filter(f => /-SPRINT\.md$/i.test(f)).length,
         summary_count: files.filter(f => /SUMMARY\.md$|-SUMMARY\.md$/.test(f)).length,
         has_research: files.includes('RESEARCH.md'),
         has_context: files.includes('CONTEXT.md'),
-        has_verification: files.includes('VERIFICATION.md'),
+        has_verification: files.some(f => /VERIFICATION\.md$/i.test(f)),
       };
     }
     return byNum;

package/rihal/workflows/feature-drift.md

@@ -103,8 +103,8 @@ Auditor returns structured JSON:
 **If `MODE=phase-status` (Phase 8 / #461):**
 
 Spawn `rihal-docs-auditor` with `--mode=phase-status`. Pass:
-- `roadmap_phases[]` — output of `node rihal/bin/rihal-tools.cjs roadmap list-phases` (post-#464 fix)
-- `phase_dirs[]` — output of `node rihal/bin/rihal-tools.cjs init phase-op N` for each phase number, OR a direct walk of `.planning/phases/*` that captures: dir name, presence of `*-SUMMARY.md`, `*-SPRINT.md`, `*-PLAN.md`, `*-CONTEXT.md`, `*-RESEARCH.md`, `*-VERIFICATION.md`
+- `roadmap_phases[]` — output of `node .rihal/bin/rihal-tools.cjs roadmap list-phases` (post-#464 fix)
+- `phase_dirs[]` — output of `node .rihal/bin/rihal-tools.cjs init phase-op N` for each phase number, OR a direct walk of `.planning/phases/*` that captures: dir name, presence of `*-SUMMARY.md`, `*-SPRINT.md`, `*-PLAN.md`, `*-CONTEXT.md`, `*-RESEARCH.md`, `*-VERIFICATION.md`
 - For each phase, the most recent commit hash that touches files in `${phase_dir}/` (used as a freshness signal)
 
 Auditor returns structured JSON:

package/rihal/workflows/status.md

@@ -58,12 +58,15 @@ the weighted bar as the primary progress indicator to avoid a misleading `0/N (0
 For each entry in `SNAPSHOT.phases[]`:
 
 - `▶` if `phase.number === SNAPSHOT.current_phase`
-- `✓` if `phase.disk.summary_count > 0` AND matches `phase.disk.plan_count` AND `phase.disk.has_verification` (complete + verified; if VERIFICATION.md absent, use `◎` and label "complete-unverified")
+- `✓` if `phase.disk.summary_count > 0` AND `phase.disk.summary_count >= phase.disk.plan_count` AND `phase.disk.has_verification` (complete + verified; if VERIFICATION.md absent, use `◎` and label "complete-unverified")
+- `◎` if `phase.disk.summary_count > 0` AND `phase.disk.summary_count >= phase.disk.plan_count` AND NOT `phase.disk.has_verification` (work done, awaiting verification)
 - `◆` if `phase.disk.plan_count > phase.disk.summary_count` (executing — has plans, not all summarized)
 - `◇` if `phase.disk.has_context && !phase.disk.plan_count` (discussing — CONTEXT.md exists but no plan yet)
 - `◈` if `phase.disk.has_research && !phase.disk.plan_count` (researched — RESEARCH.md but no plan)
 - `○` otherwise (planned — no artifacts on disk)
 
+**Edge case — summary without sprint:** If `summary_count > 0` AND `plan_count === 0`, treat as `◎ complete-unverified` (sprint was archived or the phase used an older single-file workflow; summary is evidence of completed work).
+
 ```
 Phases:
   ▶ [04] Component compaction — executing (1/3 plans)