npm - @hanzlaa/rcode - Versions diffs - 3.4.23 → 3.4.25 - Mend

@hanzlaa/rcode 3.4.23 → 3.4.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli/install.js CHANGED Viewed

@@ -55,6 +55,10 @@ const path = require('path');
 const crypto = require('crypto');
 const os = require('os');
+// Atomic write helper (#687) + symlink-safe rmSync (#688) — protect against
+// Ctrl+C mid-write and malicious symlink-traversal during dedup/cleanup.
+const { writeFileAtomic, safeRmSync } = require(path.join(__dirname, 'lib', 'fsutil.cjs'));
 // Bundled packages — devDeps inlined by esbuild, loaded from node_modules in dev.
 const pc = require('picocolors');
 const { createSpinner } = require('nanospinner');
@@ -320,6 +324,11 @@ function detectIdeSignals(target) {
  * actually wanted cursor or gemini.
  */
 async function resolveIde(opts) {
+  // Issue #692: when the wizard has already collected opts.ides (interactive
+  // run from main()), resolveIde was re-prompting because it only checked
+  // opts.ideProvided (set by --ide flag, not by the wizard). Honor any
+  // pre-existing array result so we don't double-prompt.
+  if (Array.isArray(opts.ides) && opts.ides.length > 0) return opts.ides;
   if (opts.ideProvided) return [opts.ide];            // user passed --ide, respect it
   if (opts.noPrompt || opts.global) return ['claude']; // auto-install: always claude
   if (opts.yes || !process.stdin.isTTY) {
@@ -649,7 +658,7 @@ function seedStarterPlanning(target, projectName) {
       velocity_history: [],
     };
     fs.mkdirSync(path.dirname(rihalStateJson), { recursive: true });
-    fs.writeFileSync(rihalStateJson, JSON.stringify(state, null, 2) + '\n');
+    writeFileAtomic(rihalStateJson, JSON.stringify(state, null, 2) + '\n');
   }
   return true;
@@ -724,7 +733,7 @@ function ensureRcodeGitignore(target, options = {}) {
   const gitignorePath = path.join(target, '.gitignore');
   try {
     if (!fs.existsSync(gitignorePath)) {
-      fs.writeFileSync(gitignorePath, BLOCK);
+      writeFileAtomic(gitignorePath, BLOCK);
       return { action: 'created' };
     }
     const existing = fs.readFileSync(gitignorePath, 'utf8');
@@ -750,12 +759,12 @@ function ensureRcodeGitignore(target, options = {}) {
     if (existing.includes(BEGIN)) {
       const rewritten = spliceBlock(existing, BLOCK);
       if (rewritten !== null && rewritten !== existing) {
-        fs.writeFileSync(gitignorePath, rewritten);
+        writeFileAtomic(gitignorePath, rewritten);
         return { action: 'updated' };
       }
       return { action: 'already-present' };
     }
-    fs.writeFileSync(gitignorePath, existing + BLOCK);
+    writeFileAtomic(gitignorePath, existing + BLOCK);
     return { action: 'appended' };
   } catch (err) {
     return { action: 'skipped-error', error: err.message };
@@ -804,8 +813,7 @@ function ensureRcodePreCommitHook(target, options = {}) {
     fs.mkdirSync(hooksDir, { recursive: true });
     if (!fs.existsSync(hookPath)) {
-      fs.writeFileSync(hookPath, `#!/bin/sh\n${BLOCK}`);
-      fs.chmodSync(hookPath, 0o755);
+      writeFileAtomic(hookPath, `#!/bin/sh\n${BLOCK}`, { mode: 0o755 });
       return { action: 'created' };
     }
@@ -831,15 +839,13 @@ function ensureRcodePreCommitHook(target, options = {}) {
     if (existing.includes(BEGIN)) {
       const rewritten = spliceBlock(existing, BLOCK);
       if (rewritten !== null && rewritten !== existing) {
-        fs.writeFileSync(hookPath, rewritten);
-        fs.chmodSync(hookPath, 0o755);
+        writeFileAtomic(hookPath, rewritten, { mode: 0o755 });
         return { action: 'updated' };
       }
       return { action: 'already-present' };
     }
-    fs.writeFileSync(hookPath, existing + BLOCK);
-    fs.chmodSync(hookPath, 0o755);
+    writeFileAtomic(hookPath, existing + BLOCK, { mode: 0o755 });
     return { action: 'appended' };
   } catch (err) {
     return { action: 'skipped-error', error: err.message };
@@ -951,7 +957,8 @@ function installSkills(packageRoot, target, options = {}) {
           // Also remove the existing project copy (left over from previous
           // installs that didn't dedup) so it stops showing in the picker.
           if (fs.existsSync(dest)) {
-            try { fs.rmSync(dest, { recursive: true, force: true }); } catch { /* non-fatal */ }
+            // #688 — safeRmSync refuses to traverse symlinks pointing outside target.
+            try { safeRmSync(dest, target); } catch { /* non-fatal */ }
           }
           skippedGlobal++;
           continue;
@@ -1489,6 +1496,86 @@ async function install(opts) {
     return 2;
   }
+  // Issue #691: file lock prevents concurrent installs from racing on the
+  // same .rihal/_config/manifest.yaml + files-manifest.csv. Without it, two
+  // parallel runs (two terminals, postinstall + manual install, etc.) can
+  // each write a manifest the OTHER doesn't see → orphan sweep on the next
+  // install deletes files the other run considered legit.
+  let releaseLock = () => {};
+  if (!opts.global) {
+    const lockResult = acquireInstallLock(opts.target);
+    if (!lockResult.ok) {
+      console.log('');
+      console.log('  ' + warn(`Another install is already running here (PID ${lockResult.pid}).`));
+      console.log('  ' + dim(`  Lock: ${lockResult.lockPath}`));
+      console.log('  ' + dim('  If the other process crashed, delete the lock file and retry:'));
+      console.log('  ' + dim(`    rm ${lockResult.lockPath}`));
+      console.log('');
+      return 3;
+    }
+    releaseLock = lockResult.release;
+    // Make sure the lock is released even if install throws unexpectedly.
+    process.on('exit', releaseLock);
+  }
+  try {
+    return await installInner(opts);
+  } finally {
+    releaseLock();
+    process.removeListener('exit', releaseLock);
+  }
+}
+/**
+ * Acquire an exclusive install lock at .rihal/.install.lock (issue #691).
+ *
+ * Returns:
+ *   { ok: true, release: () => void }                 lock acquired
+ *   { ok: false, pid: number, lockPath: string }      another process holds it
+ *
+ * Stale-lock detection: if the recorded PID is not alive, the lock is
+ * reclaimed automatically.
+ */
+function acquireInstallLock(target) {
+  const lockDir = path.join(target, '.rihal');
+  const lockPath = path.join(lockDir, '.install.lock');
+  try {
+    fs.mkdirSync(lockDir, { recursive: true });
+  } catch { /* fall through; openSync will fail with a clearer error */ }
+  function isAlive(pid) {
+    try { process.kill(pid, 0); return true; } catch { return false; }
+  }
+  for (let attempt = 0; attempt < 2; attempt++) {
+    try {
+      const fd = fs.openSync(lockPath, 'wx'); // exclusive create
+      fs.writeSync(fd, String(process.pid));
+      fs.closeSync(fd);
+      return {
+        ok: true,
+        release: () => {
+          try { fs.unlinkSync(lockPath); } catch {}
+        },
+      };
+    } catch (err) {
+      if (err.code !== 'EEXIST') throw err;
+      // Lock exists — check if holder is alive.
+      let pid = 0;
+      try { pid = parseInt(fs.readFileSync(lockPath, 'utf8'), 10); } catch {}
+      if (pid && !isAlive(pid)) {
+        // Stale lock — remove and retry once.
+        try { fs.unlinkSync(lockPath); } catch {}
+        continue;
+      }
+      return { ok: false, pid, lockPath };
+    }
+  }
+  // Should be unreachable, but degrade gracefully.
+  return { ok: false, pid: 0, lockPath };
+}
+async function installInner(opts) {
   const pkgVersion = readPackageVersion();
   // Header banner — only shown for interactive runs to keep CI/non-TTY logs terse.
@@ -1875,10 +1962,11 @@ async function install(opts) {
           for (const f of projectCommandFiles) {
             fs.unlinkSync(path.join(projectClaudeCommands, f));
           }
-          // Remove rihal/ subdirectory (vscode-style commands)
+          // Remove rihal/ subdirectory (vscode-style commands).
+          // #688 — safeRmSync refuses to traverse out-of-target symlinks.
           const rihalSubdir = path.join(projectClaudeCommands, 'rihal');
           if (fs.existsSync(rihalSubdir)) {
-            fs.rmSync(rihalSubdir, { recursive: true, force: true });
+            safeRmSync(rihalSubdir, opts.target);
           }
           const projectAgentsDir = path.join(opts.target, '.claude', 'agents');
           if (fs.existsSync(projectAgentsDir)) {
@@ -1927,7 +2015,7 @@ async function install(opts) {
   // Write .rihal/config.yaml (user_name, project_name, language, mode)
   // Note: config.yaml is user data and should NOT be overwritten on --force (unless --reset)
   if (!fs.existsSync(configPath)) {
-    fs.writeFileSync(configPath, generateConfigYaml(opts));
+    writeFileAtomic(configPath, generateConfigYaml(opts));
   } else {
     // Issue #685: re-install path. config.yaml is preserved BUT if the user
     // just changed commit_planning via the prompt/flag, .gitignore will be
@@ -1942,12 +2030,12 @@ async function install(opts) {
       const currentInFile = match ? match[1] === 'true' : null;
       if (match && currentInFile !== desired) {
         const updated = before.replace(re, `commit_planning: ${desired}`);
-        fs.writeFileSync(configPath, updated);
+        writeFileAtomic(configPath, updated);
         console.log('  ' + dim(`Updated commit_planning in config.yaml (${currentInFile} → ${desired}) — closes #685.`));
       } else if (!match) {
         // Older config without the key — append it so the next read finds it.
         const appended = before.replace(/\n*$/, '') + `\ncommit_planning: ${desired}\n`;
-        fs.writeFileSync(configPath, appended);
+        writeFileAtomic(configPath, appended);
       }
     } catch { /* best-effort — never fail install on this */ }
   }
@@ -1973,7 +2061,7 @@ async function install(opts) {
         .replace(/__PROJECT_NAME__/g, opts.projectName)
         .replace(/__INSTALL_DATE__/g, now);
       ensureDir(path.dirname(stateDest));
-      fs.writeFileSync(stateDest, stateContent);
+      writeFileAtomic(stateDest, stateContent);
     }
   }
@@ -2158,10 +2246,13 @@ async function install(opts) {
     // Issue #669 — when global precedence applied (project copies were
     // intentionally removed), count from ~/.claude/ instead so the summary
     // doesn't lie about the install state.
-    if (agentCount === 0 || commandCount === 0) {
-      const os = require('os');
+    // Issue #689: skills count gets the same fallback. After dedup (#679)
+    // the project skills folder may have only sidebar stubs while ~/.claude/
+    // has the real skills — health check should see those.
+    if (agentCount === 0 || commandCount === 0 || skillsInstalled < 20) {
       const homeAgents = path.join(os.homedir(), '.claude/agents');
       const homeCommands = path.join(os.homedir(), '.claude/commands');
+      const homeSkills = path.join(os.homedir(), '.claude/skills');
       if (agentCount === 0 && fs.existsSync(homeAgents)) {
         const n = fs.readdirSync(homeAgents).filter(f => f.startsWith('rihal-') && f.endsWith('.md')).length;
         if (n > 0) { agentCount = n; agentsFromGlobal = true; }
@@ -2170,6 +2261,13 @@ async function install(opts) {
         const n = fs.readdirSync(homeCommands).filter(f => f.startsWith('rihal-') && f.endsWith('.md')).length;
         if (n > 0) { commandCount = n; commandsFromGlobal = true; }
       }
+      if (skillsInstalled < 20 && fs.existsSync(homeSkills)) {
+        try {
+          const globalSkillCount = fs.readdirSync(homeSkills, { withFileTypes: true })
+            .filter(d => d.isDirectory() && d.name.startsWith('rihal-')).length;
+          if (globalSkillCount > skillsInstalled) skillsInstalled = globalSkillCount;
+        } catch { /* non-fatal */ }
+      }
     }
   } catch {}
@@ -2250,6 +2348,36 @@ function runInstallHealthCheck(target, counts) {
   const { execFileSync } = require('child_process');
   let fails = 0;
+  // Issue #689: thresholds were hardcoded at 20 ("expected ≥ 20 agents",
+  // "expected ≥ 20 skills", "expected ≥ 20 commands"). If the package ever
+  // ships fewer than 20 of any kind, the health check fails on every install
+  // even when the install actually succeeded. Worse: if the package ships
+  // 22 agents and an install lands 21 (one corrupt copy), the >= 20 threshold
+  // passes — false green.
+  //
+  // Source the expected counts from the package manifest itself. The verifier
+  // in cli/lib/manifest.cjs already does this; we mirror its result here.
+  let expected = { agents: 20, skills: 20, commands: 20 };
+  try {
+    const { readPackageManifest } = require(path.join(__dirname, 'lib', 'manifest.cjs'));
+    const pkgManifest = readPackageManifest(PACKAGE_ROOT);
+    if (pkgManifest && pkgManifest.agents instanceof Set && pkgManifest.actions instanceof Set) {
+      // Tolerate ~10% loss vs source — global precedence, .local.md
+      // overrides, and intentionally-skipped sidebar stubs all reduce the
+      // count without indicating a failure.
+      const tolerate = (n) => Math.max(1, Math.floor(n * 0.9));
+      expected.agents = tolerate(pkgManifest.agents.size);
+      expected.skills = tolerate(pkgManifest.actions.size);
+      // Commands count comes from rihal/commands/. No bundled enumerator
+      // exists; reuse the agents threshold as a proxy floor.
+      const commandsDir = path.join(PACKAGE_ROOT, 'rihal', 'commands');
+      if (fs.existsSync(commandsDir)) {
+        const cmdCount = fs.readdirSync(commandsDir).filter(f => f.endsWith('.md') && !f.startsWith('_')).length;
+        expected.commands = tolerate(cmdCount);
+      }
+    }
+  } catch { /* keep hardcoded fallback */ }
   function check(label, fn) {
     try {
       const out = fn();
@@ -2283,14 +2411,16 @@ function runInstallHealthCheck(target, counts) {
   });
   check('agents installed', () => {
-    if ((counts.agentCount || 0) < 20) throw new Error(`only ${counts.agentCount} agents (expected ≥ 20)`);
+    if ((counts.agentCount || 0) < expected.agents) {
+      throw new Error(`only ${counts.agentCount} agents (expected ≥ ${expected.agents})`);
+    }
     return `${counts.agentCount}`;
   });
   check('skills + commands installed', () => {
     const issues = [];
-    if ((counts.skillsInstalled || 0) < 20) issues.push(`${counts.skillsInstalled} skills`);
-    if ((counts.commandCount || 0) < 20) issues.push(`${counts.commandCount} commands`);
+    if ((counts.skillsInstalled || 0) < expected.skills) issues.push(`${counts.skillsInstalled} skills (expected ≥ ${expected.skills})`);
+    if ((counts.commandCount || 0) < expected.commands) issues.push(`${counts.commandCount} commands (expected ≥ ${expected.commands})`);
     if (issues.length) throw new Error(`low count: ${issues.join(', ')}`);
     return `${counts.skillsInstalled} skills + ${counts.commandCount} commands`;
   });
@@ -2378,6 +2508,11 @@ async function runInstallWizard(opts) {
   });
   if (isCancel(editorChoices)) { cancel('Installation cancelled.'); process.exit(0); }
   opts.ides = editorChoices;
+  // Issue #692: keep opts.ide and opts.ides consistent so downstream callers
+  // that historically read either field see the same answer. Mark provided
+  // so any later resolveIde call exits early.
+  opts.ide = editorChoices[0];
+  opts.ideProvided = true;
   // ── 3. Communication language ─────────────────────────────────────────
   const langChoice = await select({

package/cli/lib/fsutil.cjs CHANGED Viewed

@@ -71,7 +71,73 @@ function writeJsonAtomic(filePath, obj, opts = {}) {
   writeFileAtomic(filePath, content, opts);
 }
+/**
+ * Safe recursive remove (issue #688).
+ *
+ * `fs.rmSync(path, { recursive: true, force: true })` is fine when `path`
+ * is a directory we control, but if it has been replaced with a symlink to
+ * `/`, `~/`, or any directory outside the project root, the recursive walk
+ * follows it and deletes outside the intended scope. Three sites in the
+ * installer / uninstaller pass user-controlled paths to that pattern.
+ *
+ * This wrapper:
+ *   1. lstats the path. If it is a symlink, unlinks the link only — never
+ *      traverses it.
+ *   2. realpaths it and asserts the resolved path is INSIDE `projectRoot`.
+ *      If not, refuses and returns { ok: false, reason: 'outside-root' }.
+ *   3. otherwise calls fs.rmSync recursively.
+ *
+ * Symlinks INSIDE the directory are still followed by Node's rmSync — that
+ * is unavoidable with the recursive flag. The threat model addressed here
+ * is a single top-level symlink swap (e.g. `.rihal -> /`), not deep nested
+ * symlinks. Defense in depth, not a sandbox.
+ *
+ * @param {string} targetPath path to remove
+ * @param {string} projectRoot absolute path that the target must be inside
+ * @returns {{ok: boolean, reason?: string}}
+ */
+function safeRmSync(targetPath, projectRoot) {
+  let stats;
+  try {
+    stats = fs.lstatSync(targetPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return { ok: true, reason: 'missing' };
+    return { ok: false, reason: `lstat: ${err.message}` };
+  }
+  // Top-level symlink? Just unlink the link, never traverse.
+  if (stats.isSymbolicLink()) {
+    try {
+      fs.unlinkSync(targetPath);
+      return { ok: true, reason: 'symlink-unlinked' };
+    } catch (err) {
+      return { ok: false, reason: `unlink: ${err.message}` };
+    }
+  }
+  // Real path must stay inside the project root.
+  const root = path.resolve(projectRoot);
+  let resolved;
+  try {
+    resolved = fs.realpathSync(targetPath);
+  } catch (err) {
+    return { ok: false, reason: `realpath: ${err.message}` };
+  }
+  const relative = path.relative(root, resolved);
+  if (relative.startsWith('..') || path.isAbsolute(relative)) {
+    return { ok: false, reason: 'outside-root' };
+  }
+  try {
+    fs.rmSync(resolved, { recursive: true, force: true });
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, reason: `rmSync: ${err.message}` };
+  }
+}
 module.exports = {
   writeFileAtomic,
   writeJsonAtomic,
+  safeRmSync,
 };

package/cli/uninstall.js CHANGED Viewed

@@ -28,7 +28,7 @@ const fs = require('fs');
 const path = require('path');
 const { spawnSync } = require('child_process');
 const { askConfirm, PromptAbortError } = require('./lib/prompts.cjs');
-const { writeFileAtomic } = require('./lib/fsutil.cjs');
+const { writeFileAtomic, safeRmSync } = require('./lib/fsutil.cjs');
 function parseArgs(args) {
   const opts = {
@@ -75,11 +75,18 @@ function isLocalOverride(name) {
 function removeMatching(dir, predicate) {
   if (!fs.existsSync(dir)) return 0;
   let count = 0;
+  // Issue #688: project root for symlink-traversal guard. Anything we
+  // remove from inside the project must resolve to within the project.
+  const projectRoot = path.resolve(process.cwd());
   for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
     if (isLocalOverride(entry.name)) continue; // #382 — never remove user overrides
     if (!predicate(entry.name)) continue;
     const full = path.join(dir, entry.name);
-    fs.rmSync(full, { recursive: true, force: true });
+    const result = safeRmSync(full, projectRoot);
+    if (!result.ok && result.reason === 'outside-root') {
+      console.log(`   ⚠ refused to remove ${full} — symlink resolves outside project root`);
+      continue;
+    }
     count++;
   }
   return count;
@@ -213,35 +220,29 @@ function buildPlan(cwd, editors) {
 }
 /**
- * List of action-skill names the installer places in .claude/skills/.
- * These do NOT start with `rihal-` (e.g., `rihal-domain-research` does, but
- * for safety we also keep a known list).
+ * Names of action-skill directories the installer places under .claude/skills/.
+ *
+ * Issue #693: this used to be a hardcoded array of 23 names that drifted from
+ * the source the moment anyone added or removed a skill in `rihal/skills/`.
+ * We now derive it from the package's own manifest (cli/lib/manifest.cjs)
+ * with a static fallback for the rare case where the manifest module isn't
+ * resolvable from the uninstall context.
  */
-const KNOWN_ACTION_SKILLS = [
-  'rihal-check-implementation-readiness',
-  'rihal-code-review',
-  'rihal-correct-course',
-  'rihal-create-architecture',
-  'rihal-create-epics-and-stories',
-  'rihal-create-prd',
-  'rihal-create-story',
-  'rihal-create-ux-design',
-  'rihal-dev-story',
-  'rihal-document-project',
-  'rihal-domain-research',
-  'rihal-edit-prd',
-  'rihal-frontend-design',
-  'rihal-generate-project-context',
-  'rihal-market-research',
-  'rihal-product-brief',
-  'rihal-qa-generate-e2e-tests',
-  'rihal-retrospective',
-  'rihal-sprint-planning',
-  'rihal-sprint-status',
-  'rihal-technical-research',
-  'rihal-validate-prd',
-  'rihal-clone-website',
-];
+function discoverKnownActionSkills() {
+  try {
+    const { readPackageManifest } = require(path.join(__dirname, 'lib', 'manifest.cjs'));
+    const packageRoot = path.resolve(__dirname, '..');
+    const pkg = readPackageManifest(packageRoot);
+    if (pkg && pkg.actions instanceof Set && pkg.actions.size > 0) {
+      return Array.from(pkg.actions);
+    }
+  } catch { /* fall through to static list */ }
+  // Static fallback — kept minimal, only the names that don't start with
+  // 'rihal-' would actually need this list since we already match
+  // 'rihal-*' via prefix. This is defensive only.
+  return [];
+}
+const KNOWN_ACTION_SKILLS = discoverKnownActionSkills();
 function isKnownSkillName(name) {
   return KNOWN_ACTION_SKILLS.includes(name);
@@ -418,9 +419,15 @@ async function runUninstall(args) {
   const opts = parseArgs(args);
   const cwd = process.cwd();
+  // Issue #693: keep the IDE list in sync with the installer. The installer
+  // ships claude/cursor/gemini/vscode/antigravity. The previous uninstaller
+  // list (claude/cursor/windsurf/antigravity) was missing gemini + vscode
+  // and included windsurf (which the installer never writes). Result: a
+  // user with vscode-style commands could never `rcode uninstall`.
+  const SUPPORTED_EDITORS = ['claude', 'cursor', 'gemini', 'vscode', 'antigravity'];
   const editors = opts.editor
-    ? (opts.editor === 'all' ? ['claude', 'cursor', 'windsurf', 'antigravity'] : [opts.editor])
-    : ['claude', 'cursor', 'windsurf', 'antigravity'];
+    ? (opts.editor === 'all' ? SUPPORTED_EDITORS : [opts.editor])
+    : SUPPORTED_EDITORS;
   console.log(`\n🕌 Rihal Code — Uninstall\n`);
   console.log(`   Project: ${cwd}`);
@@ -548,7 +555,10 @@ async function runUninstall(args) {
     // Remove vscode-style subdir .claude/commands/rihal/
     const commandsDir = path.join(cwd, '.claude/commands/rihal');
     if (fs.existsSync(commandsDir)) {
-      fs.rmSync(commandsDir, { recursive: true, force: true });
+      const r = safeRmSync(commandsDir, path.resolve(cwd));
+      if (!r.ok && r.reason === 'outside-root') {
+        console.log(`   ⚠ refused to remove ${commandsDir} — symlink resolves outside project root`);
+      }
     }
     // Remove claude-style root-level rihal-*.md files
     const commandsRoot = path.join(cwd, '.claude/commands');
@@ -641,8 +651,12 @@ async function runUninstall(args) {
   // not user data. Refreshed by `brain pull` on next install.
   const brainDir = path.join(cwd, '.rihal', 'brain');
   if (fs.existsSync(brainDir)) {
-    fs.rmSync(brainDir, { recursive: true, force: true });
-    console.log(`   ✓ removed .rihal/brain/ (pulled content, will refresh on reinstall)`);
+    const r = safeRmSync(brainDir, path.resolve(cwd));
+    if (r.ok) {
+      console.log(`   ✓ removed .rihal/brain/ (pulled content, will refresh on reinstall)`);
+    } else if (r.reason === 'outside-root') {
+      console.log(`   ⚠ refused to remove .rihal/brain/ — symlink resolves outside project root`);
+    }
   }
   // Handle .rihal/ state directory
@@ -668,8 +682,14 @@ async function runUninstall(args) {
     }
     if (shouldDeleteState) {
-      fs.rmSync(rihalDir, { recursive: true, force: true });
-      console.log(`   ✓ removed .rihal/ state directory`);
+      const r = safeRmSync(rihalDir, path.resolve(cwd));
+      if (r.ok) {
+        console.log(`   ✓ removed .rihal/ state directory`);
+      } else if (r.reason === 'outside-root') {
+        console.log(`   ⚠ refused to remove .rihal/ — symlink resolves outside project root`);
+      } else {
+        console.log(`   ⚠ could not remove .rihal/: ${r.reason}`);
+      }
     } else {
       console.log(`   ℹ kept .rihal/ state directory (your project data is preserved)`);
     }
@@ -681,8 +701,14 @@ async function runUninstall(args) {
   if (opts.purge) {
     const planningDir = path.join(cwd, '.planning');
     if (fs.existsSync(planningDir)) {
-      fs.rmSync(planningDir, { recursive: true, force: true });
-      console.log(`   ✓ removed .planning/ (--purge)`);
+      const r = safeRmSync(planningDir, path.resolve(cwd));
+      if (r.ok) {
+        console.log(`   ✓ removed .planning/ (--purge)`);
+      } else if (r.reason === 'outside-root') {
+        console.log(`   ⚠ refused to remove .planning/ — symlink resolves outside project root`);
+      } else {
+        console.log(`   ⚠ could not remove .planning/: ${r.reason}`);
+      }
     }
     // Strip the rcode-managed block from .gitignore. The installer writes

package/dist/rcode.js CHANGED Viewed

@@ -14946,6 +14946,7 @@ var require_install = __commonJS({
     var path2 = require("path");
     var crypto = require("crypto");
     var os = require("os");
+    var { writeFileAtomic, safeRmSync } = require(path2.join(__dirname, "lib", "fsutil.cjs"));
     var pc = require_picocolors();
     var { createSpinner } = require_dist();
     var fg = require_out4();
@@ -15157,6 +15158,7 @@ var require_install = __commonJS({
       return signals;
     }
     async function resolveIde(opts) {
+      if (Array.isArray(opts.ides) && opts.ides.length > 0) return opts.ides;
       if (opts.ideProvided) return [opts.ide];
       if (opts.noPrompt || opts.global) return ["claude"];
       if (opts.yes || !process.stdin.isTTY) {
@@ -15419,7 +15421,7 @@ Run \`/rihal-new-project <description>\` to bootstrap, or \`/rihal-sprint-planni
           velocity_history: []
         };
         fs2.mkdirSync(path2.dirname(rihalStateJson), { recursive: true });
-        fs2.writeFileSync(rihalStateJson, JSON.stringify(state, null, 2) + "\n");
+        writeFileAtomic(rihalStateJson, JSON.stringify(state, null, 2) + "\n");
       }
       return true;
     }
@@ -15488,19 +15490,19 @@ Run \`/rihal-new-project <description>\` to bootstrap, or \`/rihal-sprint-planni
         };
         var spliceBlock = spliceBlock2;
         if (!fs2.existsSync(gitignorePath)) {
-          fs2.writeFileSync(gitignorePath, BLOCK);
+          writeFileAtomic(gitignorePath, BLOCK);
           return { action: "created" };
         }
         const existing = fs2.readFileSync(gitignorePath, "utf8");
         if (existing.includes(BEGIN)) {
           const rewritten = spliceBlock2(existing, BLOCK);
           if (rewritten !== null && rewritten !== existing) {
-            fs2.writeFileSync(gitignorePath, rewritten);
+            writeFileAtomic(gitignorePath, rewritten);
             return { action: "updated" };
           }
           return { action: "already-present" };
         }
-        fs2.writeFileSync(gitignorePath, existing + BLOCK);
+        writeFileAtomic(gitignorePath, existing + BLOCK);
         return { action: "appended" };
       } catch (err) {
         return { action: "skipped-error", error: err.message };
@@ -15549,23 +15551,20 @@ Run \`/rihal-new-project <description>\` to bootstrap, or \`/rihal-sprint-planni
         var spliceBlock = spliceBlock2;
         fs2.mkdirSync(hooksDir, { recursive: true });
         if (!fs2.existsSync(hookPath)) {
-          fs2.writeFileSync(hookPath, `#!/bin/sh
-${BLOCK}`);
-          fs2.chmodSync(hookPath, 493);
+          writeFileAtomic(hookPath, `#!/bin/sh
+${BLOCK}`, { mode: 493 });
           return { action: "created" };
         }
         const existing = fs2.readFileSync(hookPath, "utf8");
         if (existing.includes(BEGIN)) {
           const rewritten = spliceBlock2(existing, BLOCK);
           if (rewritten !== null && rewritten !== existing) {
-            fs2.writeFileSync(hookPath, rewritten);
-            fs2.chmodSync(hookPath, 493);
+            writeFileAtomic(hookPath, rewritten, { mode: 493 });
             return { action: "updated" };
           }
           return { action: "already-present" };
         }
-        fs2.writeFileSync(hookPath, existing + BLOCK);
-        fs2.chmodSync(hookPath, 493);
+        writeFileAtomic(hookPath, existing + BLOCK, { mode: 493 });
         return { action: "appended" };
       } catch (err) {
         return { action: "skipped-error", error: err.message };
@@ -15638,7 +15637,7 @@ ${BLOCK}`);
             if (!internal && globalRihalSkills.has(destName) && !hasLocalOverride(dest)) {
               if (fs2.existsSync(dest)) {
                 try {
-                  fs2.rmSync(dest, { recursive: true, force: true });
+                  safeRmSync(dest, target);
                 } catch {
                 }
               }
@@ -16048,6 +16047,78 @@ ${BLOCK}`);
         console.log("");
         return 2;
       }
+      let releaseLock = () => {
+      };
+      if (!opts.global) {
+        const lockResult = acquireInstallLock(opts.target);
+        if (!lockResult.ok) {
+          console.log("");
+          console.log("  " + warn(`Another install is already running here (PID ${lockResult.pid}).`));
+          console.log("  " + dim(`  Lock: ${lockResult.lockPath}`));
+          console.log("  " + dim("  If the other process crashed, delete the lock file and retry:"));
+          console.log("  " + dim(`    rm ${lockResult.lockPath}`));
+          console.log("");
+          return 3;
+        }
+        releaseLock = lockResult.release;
+        process.on("exit", releaseLock);
+      }
+      try {
+        return await installInner(opts);
+      } finally {
+        releaseLock();
+        process.removeListener("exit", releaseLock);
+      }
+    }
+    function acquireInstallLock(target) {
+      const lockDir = path2.join(target, ".rihal");
+      const lockPath = path2.join(lockDir, ".install.lock");
+      try {
+        fs2.mkdirSync(lockDir, { recursive: true });
+      } catch {
+      }
+      function isAlive(pid) {
+        try {
+          process.kill(pid, 0);
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      for (let attempt = 0; attempt < 2; attempt++) {
+        try {
+          const fd = fs2.openSync(lockPath, "wx");
+          fs2.writeSync(fd, String(process.pid));
+          fs2.closeSync(fd);
+          return {
+            ok: true,
+            release: () => {
+              try {
+                fs2.unlinkSync(lockPath);
+              } catch {
+              }
+            }
+          };
+        } catch (err) {
+          if (err.code !== "EEXIST") throw err;
+          let pid = 0;
+          try {
+            pid = parseInt(fs2.readFileSync(lockPath, "utf8"), 10);
+          } catch {
+          }
+          if (pid && !isAlive(pid)) {
+            try {
+              fs2.unlinkSync(lockPath);
+            } catch {
+            }
+            continue;
+          }
+          return { ok: false, pid, lockPath };
+        }
+      }
+      return { ok: false, pid: 0, lockPath };
+    }
+    async function installInner(opts) {
       const pkgVersion = readPackageVersion();
       const isInteractive = process.stdin.isTTY && !opts.yes;
       if (isInteractive) printInstallHeader(pkgVersion);
@@ -16360,7 +16431,7 @@ ${BLOCK}`);
               }
               const rihalSubdir = path2.join(projectClaudeCommands, "rihal");
               if (fs2.existsSync(rihalSubdir)) {
-                fs2.rmSync(rihalSubdir, { recursive: true, force: true });
+                safeRmSync(rihalSubdir, opts.target);
               }
               const projectAgentsDir = path2.join(opts.target, ".claude", "agents");
               if (fs2.existsSync(projectAgentsDir)) {
@@ -16400,7 +16471,7 @@ ${BLOCK}`);
         existedBefore = true;
       }
       if (!fs2.existsSync(configPath)) {
-        fs2.writeFileSync(configPath, generateConfigYaml(opts));
+        writeFileAtomic(configPath, generateConfigYaml(opts));
       } else {
         try {
           const before = fs2.readFileSync(configPath, "utf8");
@@ -16410,13 +16481,13 @@ ${BLOCK}`);
           const currentInFile = match ? match[1] === "true" : null;
           if (match && currentInFile !== desired) {
             const updated = before.replace(re, `commit_planning: ${desired}`);
-            fs2.writeFileSync(configPath, updated);
+            writeFileAtomic(configPath, updated);
             console.log("  " + dim(`Updated commit_planning in config.yaml (${currentInFile} \u2192 ${desired}) \u2014 closes #685.`));
           } else if (!match) {
             const appended = before.replace(/\n*$/, "") + `
 commit_planning: ${desired}
 `;
-            fs2.writeFileSync(configPath, appended);
+            writeFileAtomic(configPath, appended);
           }
         } catch {
         }
@@ -16439,7 +16510,7 @@ commit_planning: ${desired}
           const now = (/* @__PURE__ */ new Date()).toISOString();
           const stateContent = fs2.readFileSync(stateSrc, "utf8").replace(/__PROJECT_NAME__/g, opts.projectName).replace(/__INSTALL_DATE__/g, now);
           ensureDir(path2.dirname(stateDest));
-          fs2.writeFileSync(stateDest, stateContent);
+          writeFileAtomic(stateDest, stateContent);
         }
       }
       ensureDir(path2.join(opts.target, ".planning", "council-sessions"));
@@ -16572,10 +16643,10 @@ commit_planning: ${desired}
           const commandFilter = primaryIde === "claude" ? (f) => f.startsWith("rihal-") && (f.endsWith(".md") || f.endsWith(".mdc")) : (f) => f.endsWith(".md") || f.endsWith(".mdc");
           commandCount = fs2.readdirSync(commandsDir).filter(commandFilter).length;
         }
-        if (agentCount === 0 || commandCount === 0) {
-          const os2 = require("os");
-          const homeAgents = path2.join(os2.homedir(), ".claude/agents");
-          const homeCommands = path2.join(os2.homedir(), ".claude/commands");
+        if (agentCount === 0 || commandCount === 0 || skillsInstalled < 20) {
+          const homeAgents = path2.join(os.homedir(), ".claude/agents");
+          const homeCommands = path2.join(os.homedir(), ".claude/commands");
+          const homeSkills = path2.join(os.homedir(), ".claude/skills");
           if (agentCount === 0 && fs2.existsSync(homeAgents)) {
             const n = fs2.readdirSync(homeAgents).filter((f) => f.startsWith("rihal-") && f.endsWith(".md")).length;
             if (n > 0) {
@@ -16590,6 +16661,13 @@ commit_planning: ${desired}
               commandsFromGlobal = true;
             }
           }
+          if (skillsInstalled < 20 && fs2.existsSync(homeSkills)) {
+            try {
+              const globalSkillCount = fs2.readdirSync(homeSkills, { withFileTypes: true }).filter((d) => d.isDirectory() && d.name.startsWith("rihal-")).length;
+              if (globalSkillCount > skillsInstalled) skillsInstalled = globalSkillCount;
+            } catch {
+            }
+          }
         }
       } catch {
       }
@@ -16658,6 +16736,22 @@ commit_planning: ${desired}
       console.log(`  ${bold("Health check:")}`);
       const { execFileSync } = require("child_process");
       let fails = 0;
+      let expected = { agents: 20, skills: 20, commands: 20 };
+      try {
+        const { readPackageManifest } = require(path2.join(__dirname, "lib", "manifest.cjs"));
+        const pkgManifest = readPackageManifest(PACKAGE_ROOT2);
+        if (pkgManifest && pkgManifest.agents instanceof Set && pkgManifest.actions instanceof Set) {
+          const tolerate = (n) => Math.max(1, Math.floor(n * 0.9));
+          expected.agents = tolerate(pkgManifest.agents.size);
+          expected.skills = tolerate(pkgManifest.actions.size);
+          const commandsDir = path2.join(PACKAGE_ROOT2, "rihal", "commands");
+          if (fs2.existsSync(commandsDir)) {
+            const cmdCount = fs2.readdirSync(commandsDir).filter((f) => f.endsWith(".md") && !f.startsWith("_")).length;
+            expected.commands = tolerate(cmdCount);
+          }
+        }
+      } catch {
+      }
       function check(label, fn) {
         try {
           const out = fn();
@@ -16687,13 +16781,15 @@ commit_planning: ${desired}
         return "valid JSON";
       });
       check("agents installed", () => {
-        if ((counts.agentCount || 0) < 20) throw new Error(`only ${counts.agentCount} agents (expected \u2265 20)`);
+        if ((counts.agentCount || 0) < expected.agents) {
+          throw new Error(`only ${counts.agentCount} agents (expected \u2265 ${expected.agents})`);
+        }
         return `${counts.agentCount}`;
       });
       check("skills + commands installed", () => {
         const issues = [];
-        if ((counts.skillsInstalled || 0) < 20) issues.push(`${counts.skillsInstalled} skills`);
-        if ((counts.commandCount || 0) < 20) issues.push(`${counts.commandCount} commands`);
+        if ((counts.skillsInstalled || 0) < expected.skills) issues.push(`${counts.skillsInstalled} skills (expected \u2265 ${expected.skills})`);
+        if ((counts.commandCount || 0) < expected.commands) issues.push(`${counts.commandCount} commands (expected \u2265 ${expected.commands})`);
         if (issues.length) throw new Error(`low count: ${issues.join(", ")}`);
         return `${counts.skillsInstalled} skills + ${counts.commandCount} commands`;
       });
@@ -16773,6 +16869,8 @@ commit_planning: ${desired}
         process.exit(0);
       }
       opts.ides = editorChoices;
+      opts.ide = editorChoices[0];
+      opts.ideProvided = true;
       const langChoice = await select({
         message: "Communication language?",
         options: [
@@ -17097,9 +17195,44 @@ var require_fsutil = __commonJS({
       const content = JSON.stringify(obj, null, 2) + "\n";
       writeFileAtomic(filePath, content, opts);
     }
+    function safeRmSync(targetPath, projectRoot) {
+      let stats;
+      try {
+        stats = fs2.lstatSync(targetPath);
+      } catch (err) {
+        if (err.code === "ENOENT") return { ok: true, reason: "missing" };
+        return { ok: false, reason: `lstat: ${err.message}` };
+      }
+      if (stats.isSymbolicLink()) {
+        try {
+          fs2.unlinkSync(targetPath);
+          return { ok: true, reason: "symlink-unlinked" };
+        } catch (err) {
+          return { ok: false, reason: `unlink: ${err.message}` };
+        }
+      }
+      const root = path2.resolve(projectRoot);
+      let resolved;
+      try {
+        resolved = fs2.realpathSync(targetPath);
+      } catch (err) {
+        return { ok: false, reason: `realpath: ${err.message}` };
+      }
+      const relative = path2.relative(root, resolved);
+      if (relative.startsWith("..") || path2.isAbsolute(relative)) {
+        return { ok: false, reason: "outside-root" };
+      }
+      try {
+        fs2.rmSync(resolved, { recursive: true, force: true });
+        return { ok: true };
+      } catch (err) {
+        return { ok: false, reason: `rmSync: ${err.message}` };
+      }
+    }
     module2.exports = {
       writeFileAtomic,
-      writeJsonAtomic
+      writeJsonAtomic,
+      safeRmSync
     };
   }
 });
@@ -17580,7 +17713,7 @@ var require_uninstall = __commonJS({
     var path2 = require("path");
     var { spawnSync } = require("child_process");
     var { askConfirm, PromptAbortError } = require_prompts();
-    var { writeFileAtomic } = require_fsutil();
+    var { writeFileAtomic, safeRmSync } = require_fsutil();
     function parseArgs(args) {
       const opts = {
         editor: null,
@@ -17616,11 +17749,16 @@ var require_uninstall = __commonJS({
     function removeMatching(dir, predicate) {
       if (!fs2.existsSync(dir)) return 0;
       let count = 0;
+      const projectRoot = path2.resolve(process.cwd());
       for (const entry of fs2.readdirSync(dir, { withFileTypes: true })) {
         if (isLocalOverride(entry.name)) continue;
         if (!predicate(entry.name)) continue;
         const full = path2.join(dir, entry.name);
-        fs2.rmSync(full, { recursive: true, force: true });
+        const result = safeRmSync(full, projectRoot);
+        if (!result.ok && result.reason === "outside-root") {
+          console.log(`   \u26A0 refused to remove ${full} \u2014 symlink resolves outside project root`);
+          continue;
+        }
         count++;
       }
       return count;
@@ -17716,31 +17854,19 @@ var require_uninstall = __commonJS({
       }
       return plan;
     }
-    var KNOWN_ACTION_SKILLS = [
-      "rihal-check-implementation-readiness",
-      "rihal-code-review",
-      "rihal-correct-course",
-      "rihal-create-architecture",
-      "rihal-create-epics-and-stories",
-      "rihal-create-prd",
-      "rihal-create-story",
-      "rihal-create-ux-design",
-      "rihal-dev-story",
-      "rihal-document-project",
-      "rihal-domain-research",
-      "rihal-edit-prd",
-      "rihal-frontend-design",
-      "rihal-generate-project-context",
-      "rihal-market-research",
-      "rihal-product-brief",
-      "rihal-qa-generate-e2e-tests",
-      "rihal-retrospective",
-      "rihal-sprint-planning",
-      "rihal-sprint-status",
-      "rihal-technical-research",
-      "rihal-validate-prd",
-      "rihal-clone-website"
-    ];
+    function discoverKnownActionSkills() {
+      try {
+        const { readPackageManifest } = require(path2.join(__dirname, "lib", "manifest.cjs"));
+        const packageRoot = path2.resolve(__dirname, "..");
+        const pkg = readPackageManifest(packageRoot);
+        if (pkg && pkg.actions instanceof Set && pkg.actions.size > 0) {
+          return Array.from(pkg.actions);
+        }
+      } catch {
+      }
+      return [];
+    }
+    var KNOWN_ACTION_SKILLS = discoverKnownActionSkills();
     function isKnownSkillName(name) {
       return KNOWN_ACTION_SKILLS.includes(name);
     }
@@ -17855,7 +17981,8 @@ var require_uninstall = __commonJS({
     async function runUninstall(args) {
       const opts = parseArgs(args);
       const cwd = process.cwd();
-      const editors = opts.editor ? opts.editor === "all" ? ["claude", "cursor", "windsurf", "antigravity"] : [opts.editor] : ["claude", "cursor", "windsurf", "antigravity"];
+      const SUPPORTED_EDITORS = ["claude", "cursor", "gemini", "vscode", "antigravity"];
+      const editors = opts.editor ? opts.editor === "all" ? SUPPORTED_EDITORS : [opts.editor] : SUPPORTED_EDITORS;
       console.log(`
 \u{1F54C} Rihal Code \u2014 Uninstall
 `);
@@ -17956,7 +18083,10 @@ var require_uninstall = __commonJS({
         if (n > 0) console.log(`   \u2713 removed ${n} Claude skills`);
         const commandsDir = path2.join(cwd, ".claude/commands/rihal");
         if (fs2.existsSync(commandsDir)) {
-          fs2.rmSync(commandsDir, { recursive: true, force: true });
+          const r = safeRmSync(commandsDir, path2.resolve(cwd));
+          if (!r.ok && r.reason === "outside-root") {
+            console.log(`   \u26A0 refused to remove ${commandsDir} \u2014 symlink resolves outside project root`);
+          }
         }
         const commandsRoot = path2.join(cwd, ".claude/commands");
         let commandsRemoved = 0;
@@ -18034,8 +18164,12 @@ var require_uninstall = __commonJS({
       ]);
       const brainDir = path2.join(cwd, ".rihal", "brain");
       if (fs2.existsSync(brainDir)) {
-        fs2.rmSync(brainDir, { recursive: true, force: true });
-        console.log(`   \u2713 removed .rihal/brain/ (pulled content, will refresh on reinstall)`);
+        const r = safeRmSync(brainDir, path2.resolve(cwd));
+        if (r.ok) {
+          console.log(`   \u2713 removed .rihal/brain/ (pulled content, will refresh on reinstall)`);
+        } else if (r.reason === "outside-root") {
+          console.log(`   \u26A0 refused to remove .rihal/brain/ \u2014 symlink resolves outside project root`);
+        }
       }
       if (plan.stateDir) {
         const rihalDir = path2.join(cwd, ".rihal");
@@ -18057,8 +18191,14 @@ var require_uninstall = __commonJS({
           );
         }
         if (shouldDeleteState) {
-          fs2.rmSync(rihalDir, { recursive: true, force: true });
-          console.log(`   \u2713 removed .rihal/ state directory`);
+          const r = safeRmSync(rihalDir, path2.resolve(cwd));
+          if (r.ok) {
+            console.log(`   \u2713 removed .rihal/ state directory`);
+          } else if (r.reason === "outside-root") {
+            console.log(`   \u26A0 refused to remove .rihal/ \u2014 symlink resolves outside project root`);
+          } else {
+            console.log(`   \u26A0 could not remove .rihal/: ${r.reason}`);
+          }
         } else {
           console.log(`   \u2139 kept .rihal/ state directory (your project data is preserved)`);
         }
@@ -18066,8 +18206,14 @@ var require_uninstall = __commonJS({
       if (opts.purge) {
         const planningDir = path2.join(cwd, ".planning");
         if (fs2.existsSync(planningDir)) {
-          fs2.rmSync(planningDir, { recursive: true, force: true });
-          console.log(`   \u2713 removed .planning/ (--purge)`);
+          const r = safeRmSync(planningDir, path2.resolve(cwd));
+          if (r.ok) {
+            console.log(`   \u2713 removed .planning/ (--purge)`);
+          } else if (r.reason === "outside-root") {
+            console.log(`   \u26A0 refused to remove .planning/ \u2014 symlink resolves outside project root`);
+          } else {
+            console.log(`   \u26A0 could not remove .planning/: ${r.reason}`);
+          }
         }
         const gitignorePath = path2.join(cwd, ".gitignore");
         if (fs2.existsSync(gitignorePath)) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hanzlaa/rcode",
-  "version": "3.4.23",
+  "version": "3.4.25",
   "description": "rcode — the memory bank for AI-driven SaaS teams. Persistent project context, distinctive engineering personas, and phase-based workflows. Built by Rihal. Works in Claude Code, Cursor, Gemini, VS Code, and Antigravity.",
   "main": "cli/index.js",
   "bin": {