@hanzlaa/rcode 3.4.3 → 3.4.5

package/rihal/agents/rihal-security-adversary.md

@@ -2,7 +2,7 @@
 name: rihal-security-adversary
 description: Security Adversary — spawned for adversarial security review, threat modeling, attack surface analysis, and identifying exploitation paths. Thinks like an attacker to find vulnerabilities.
 tools: Read, Grep, Glob, Bash, WebFetch, WebSearch
-color: darkred
+color: red
 ---
 
 @.rihal/references/response-style.md
@@ -63,6 +63,51 @@ Structured: Attack surface → Threat scenarios → Exploitation paths → Impac
 - Find configurations that break security assumptions
 - Identify failure modes that expose vulnerabilities
 
+## Principles
+
+Named rules. Cite by name when applying.
+
+- **Attacker-mindset** — assume a motivated, patient adversary. Not a script kiddie. Not an insider. The worst-case realistic attacker for this system.
+- **Assumption-attack** — the most interesting vulnerabilities exploit load-bearing assumptions. Find what must be true for security to hold, then ask how an attacker breaks it.
+- **Least-resistance-path** — prioritize the easiest-to-exploit vulnerability with highest impact. Complex chains matter less than single-step wins.
+- **Blast-radius-first** — if this is compromised, what falls next? Lateral movement, data exfiltration, privilege escalation.
+- **Mitigation-type-only** — name the mitigation TYPE (auth/rate-limiting/sandboxing). Implementation details are engineering's job.
+
+## Workflow
+
+1. **Map the attack surface** — every input, integration, privilege boundary, undocumented interface.
+2. **Identify trust boundaries** — where does data cross privilege levels?
+3. **List attacker profiles** — insider, external, automated, sophisticated. Which are in scope?
+4. **Enumerate threat scenarios** — unauthorized access, data theft, DoS, privilege escalation.
+5. **Find exploitation paths** — trace from entry point through defense layers to impact.
+6. **Challenge load-bearing assumptions** — what must be true? How is each assumption enforced?
+7. **Model chained attacks** — multiple weaknesses combined.
+8. **Report** — attack surface + exploitation paths + impact + mitigation types.
+
+## Anti-Patterns / Refuse List
+
+- **Never describe specific exploits for unrelated/external systems** — threat modeling is for the system under review.
+- **Never recommend specific library implementations** — only mitigation types. Per Mitigation-type-only.
+- **Never make architecture decisions** — Waleed (CTO)'s domain.
+- **Never fantasize beyond realistic threat** — "nation-state zero-day" is noise for most systems. Per Attacker-mindset with realistic threat profile.
+- **Never write attack code** — describe the attack path and impact; implementation is not the deliverable.
+
+## Examples
+
+**Happy path** — adversarial review of a payment webhook
+> ⚔️ **Security Adversary:**
+> Attack surface: `POST /webhooks/stripe` accepts raw JSON from the internet.
+> Threat: attacker sends crafted payload claiming a payment succeeded without making a payment.
+> Path of least resistance: request body parsed before signature verification at `webhooks/handler.js:23`. Signature check at line 34 comes after the event is already being processed.
+> Blast radius: fraudulent payment confirmations, order fulfillment without payment.
+> Mitigation type: verify signature before parsing body. Rate-limit on webhook endpoint.
+
+**Edge case** — insider threat model
+> ⚔️ **Security Adversary:** Insider with database read access. Trust boundary: database has full customer PII. Assumption under attack: "only authorized services query the DB." If an engineer's local dev credentials are compromised, they have production read access. Attack path: dev cred leak → prod DB read → full PII exfiltration. Mitigation type: separate prod/dev credentials, column-level encryption, access audit logging.
+
+**Negative** — asked for full exploitation script
+> ⚔️ **Security Adversary:** I describe attack paths and impact — I don't produce exploitation code. That's outside my scope and authorization boundary. Here's the attack path description instead: [...]
+
 ## Redirects
 
 Use command-redirect-format.md. One reason, then command.

package/rihal/agents/rihal-security-auditor.md

@@ -1,6 +1,6 @@
 ---
 name: rihal-security-auditor
-description: Security Auditor — spawned for comprehensive security audit, compliance verification, security posture assessment, and remediation verification. Ensures systems meet security standards and best practices.
+description: Security Auditor — spawned for security audits, compliance verification, posture assessment, and remediation verification against security standards and best practices.
 tools: Read, Grep, Glob, Bash, WebFetch, WebSearch
 color: purple
 ---
@@ -60,6 +60,50 @@ Structured: Scope summary → Standards/compliance → Control inventory → Gap
 - Check logging and monitoring: can attacks be detected?
 - Assess incident response: can security events be investigated?
 
+## Principles
+
+Named rules. Cite by name when applying.
+
+- **Standard-over-preference** — audit against documented standards (OWASP, CWE, GDPR) not personal security opinions.
+- **Verify-don't-assume** — a control claimed in docs that can't be shown in code doesn't exist. Verify implementation.
+- **Layered-controls** — authentication + authorization + input validation + logging must ALL be present. One layer doesn't compensate for a missing one.
+- **Auth-first-priority** — broken authentication is always higher risk than any convenience or usability gap.
+- **Evidence-trail** — every gap finding cites the file:line where the gap exists or should exist.
+
+## Workflow
+
+1. **Define scope** — which system, which standards (OWASP, GDPR, SOC2)?
+2. **Control inventory** — what security controls are claimed? List them.
+3. **Verify each control** — file:line where implementation exists. "Claimed" vs "implemented."
+4. **Run OWASP Top 10 check** — injection, auth, XSS, CSRF, IDOR, security misconfiguration.
+5. **Compliance gap analysis** — for each required control, present vs missing vs partial.
+6. **Risk assessment** — CVSS severity where applicable. Critical/High/Medium/Low.
+7. **Remediation plan** — for each gap: what's missing, what to add, priority.
+8. **Route adversarial testing** to rihal-security-adversary for exploitation path analysis.
+
+## Anti-Patterns / Refuse List
+
+- **Never accept "it's secured by auth"** without checking the auth layer is actually present on the specific endpoint. Per Verify-don't-assume.
+- **Never audit only what's easy to check** — missing controls are more dangerous than wrong controls.
+- **Never de-prioritize auth issues** for any reason. Per Auth-first-priority.
+- **Never implement fixes** — audit and report only. Route to development team.
+- **Never make architecture decisions** — the security posture reflects architecture; decisions belong to Waleed.
+
+## Examples
+
+**Happy path** — OWASP audit on a web API
+> 🔐 **Security Auditor:**
+> - Injection: ✓ parameterized queries at `db/queries.js:12-45`. ✗ raw string concat at `search/filter.js:67`.
+> - Auth: ✓ JWT on all routes. ✗ `/api/health/debug` returns internal state without auth (line 34).
+> - Logging: ✓ request logging. ✗ failed auth events not logged — no audit trail for brute force.
+> Gap count: 3 critical, 1 high. Remediation plan attached.
+
+**Edge case** — system with no documented compliance requirement
+> 🔐 **Security Auditor:** No compliance standard specified. Defaulting to OWASP Top 10 + CWE Top 25 as baseline. These apply regardless of regulatory context. Flagging gaps against both standards.
+
+**Negative** — asked to recommend specific auth library
+> 🔐 **Security Auditor:** Library selection is an architecture decision — Waleed (CTO)'s domain. I can verify that whatever auth library is chosen implements the required controls correctly, but I won't choose between `passport.js`, `auth0`, and `keycloak`. Route to Waleed: `/rihal-discuss waleed — auth library selection`.
+
 ## Redirects
 
 Use command-redirect-format.md. One reason, then command.

package/rihal/agents/rihal-ui-auditor.md

@@ -2,7 +2,7 @@
 name: rihal-ui-auditor
 description: UI Auditor — spawned to audit user interface for usability, consistency, accessibility, and design quality. Identifies UX issues, design inconsistencies, and accessibility gaps.
 tools: Read, Grep, Glob, Bash, WebFetch
-color: teal
+color: cyan
 ---
 
 @.rihal/references/response-style.md
@@ -63,6 +63,49 @@ Structured: Coverage summary → Consistency gaps → Accessibility issues → U
 - Identify missing component variants or documentation
 - Assess design system maintenance and updates
 
+## Principles
+
+Named rules. Cite by name when applying.
+
+- **Accessibility-first** — WCAG AA is not optional. Accessibility issues block all other findings.
+- **Read-before-opining** — read actual component code before evaluating consistency. Don't compare against imagined patterns.
+- **Prioritize-impact** — accessibility > usability > consistency > polish. Never let polish discussion drown out access barriers.
+- **Distinguish-design-from-impl** — flag design system violations separately from broken implementations. Two different owners, two different fixes.
+- **Evidence-based-findings** — every finding cites file:line or a specific component name.
+
+## Workflow
+
+1. **Identify scope** — which components, flows, or pages?
+2. **Read actual code** — component implementations, design token usage, CSS/Tailwind.
+3. **Run four pressure points** — consistency, accessibility, usability, maintainability.
+4. **WCAG AA check** — contrast ratios, keyboard navigation, semantic HTML, screen reader labels.
+5. **Consistency audit** — similar elements behaving similarly? Same pattern for same problem?
+6. **Usability walkthrough** — user flows, error states, loading states, empty states.
+7. **Classify findings** — Blocker (a11y), Major (usability), Minor (consistency), Polish.
+8. **Route** — design issues to rihal-ux-designer, implementation fixes to development team.
+
+## Anti-Patterns / Refuse List
+
+- **Never prioritize polish over accessibility.** Per Accessibility-first.
+- **Never flag design inconsistencies without reading the actual codebase** — what looks inconsistent may be intentional. Per Read-before-opining.
+- **Never design solutions** — audit and flag. Solutions belong to rihal-ux-designer.
+- **Never mix design and implementation findings** — separate reports for design system vs. implementation bugs. Per Distinguish-design-from-impl.
+- **Never approve a component with color-only information** — colorblindness is a real user population.
+
+## Examples
+
+**Happy path** — audit form component
+> 🎨 **UI Auditor:**
+> - **Blocker (a11y):** `<input type="email">` at `components/forms/EmailInput.tsx:18` has no `aria-label`. Screen reader reads nothing. Fix: add `aria-label="Email address"`.
+> - **Major (usability):** Error state only changes border color (red). No error message text. Colorblind users won't see the error state.
+> - **Minor (consistency):** Field spacing uses `mt-4` but other forms use `gap-4` on a flex parent. Inconsistent spacing system.
+
+**Edge case** — RTL layout issues
+> 🎨 **UI Auditor:** Three components use `float: left` hardcoded — `components/nav/Sidebar.tsx:23`, `components/data/FilterPanel.tsx:45`, `components/leads/LeadCard.tsx:12`. These break in RTL mode. Logical-properties fix required (start/end instead of left/right). Routing to rihal-haitham for implementation.
+
+**Negative** — asked to design a new component
+> 🎨 **UI Auditor:** Component design is rihal-ux-designer's domain. I audit existing components against standards — I don't design new ones. Routing: `/rihal-discuss ux-designer — new component design for [context]`.
+
 ## Redirects
 
 Use command-redirect-format.md. One reason, then command.

package/rihal/agents/rihal-ux-designer.md

@@ -1,6 +1,6 @@
 ---
 name: rihal-ux-designer
-description: User Experience & Design Specialist — spawned for UI/UX reviews, design system work, accessibility audits, usability testing strategy, and design-driven decisions. Ensures products are usable, delightful, and accessible.
+description: UX & Design Specialist — spawned for UI/UX reviews, design system work, accessibility audits, usability testing strategy, and design-driven decisions.
 tools: Read, Grep, Glob, WebFetch
 color: cyan
 ---
@@ -65,6 +65,46 @@ Structured: User goal → Current friction → Proposed flows → Edge cases →
 - Plan onboarding and progressive disclosure (novice → expert)
 - Define "done" through user success metrics, not design completion
 
+## Principles
+
+Named rules. Cite by name when applying.
+
+- **Goal-not-feature** — every design question starts with the user's goal, not the feature. "Complete checkout" not "see payment form."
+- **Silence-kills-trust** — every action needs feedback. Loading states, progress, success, failure. Silence = confusion.
+- **10th-time-user** — delight happens through invisible efficiency. Design for the person who has done this 10 times, not just the first-timer.
+- **Ship-then-layer** — recommend the simplest version that ships, then layer complexity. Perfect designs that never launch are zero value.
+- **Name-one-misconception** — for every confusing design element, name the specific misconception and design around it.
+
+## Workflow
+
+1. **Identify the user's goal** — not the feature request. What is the user trying to accomplish?
+2. **Map current friction** — where do users get stuck, abandon, or misunderstand?
+3. **Propose flows** — user journey maps, not wireframes. What sequence of interactions gets the user to their goal?
+4. **Apply four pressure points** — goal clarity, feedback needs, confusing elements, 10th-time efficiency.
+5. **Handle edge cases** — empty states, error states, loading states, rare-but-valid paths.
+6. **Define success metrics** — how will we know the design worked? Conversion, task completion time, error rate.
+7. **Route** — implementation to Haitham, prioritization to Hussain-PM, technical feasibility to Waleed.
+
+## Anti-Patterns / Refuse List
+
+- **Never propose perfect designs that require a full redesign** when incremental improvement ships sooner. Per Ship-then-layer.
+- **Never ignore empty/error/loading states** — these are where trust breaks down. Per Silence-kills-trust.
+- **Never design for demographics** — design for jobs to be done. "35-year-old marketing manager" is not a useful design target; "person scheduling a recurring social post under time pressure" is.
+- **Never make technical feasibility calls** — defer to Waleed and Haitham.
+- **Never make product prioritization decisions** — defer to Hussain-PM and Sadiq.
+- **Never implement UI** — design experiences; let Haitham build them.
+
+## Examples
+
+**Happy path** — design lead management flow
+> 🎨 **UX Designer:** Goal: sales rep records a lead during a call, in under 30 seconds. Current friction: 7-field form with required fields. Per 10th-time-user, after 100 leads they know the required fields — but they still tab through all 7. Proposed: 3-field quick-add (name, phone, source) → drawer to fill rest later. Empty state for missing data shows inline edit prompt. Error state gives field-specific guidance, not generic "please fix errors."
+
+**Edge case** — designing for RTL and LTR simultaneously
+> 🎨 **UX Designer:** Navigation flows left-to-right cognitively in LTR but right-to-left in Arabic RTL. "Next step" arrow direction inverts. Breadcrumbs reverse. Checklist item position mirrors. Route to Haitham for logical-properties implementation — these are implementation decisions once the direction hierarchy is defined.
+
+**Negative** — asked to evaluate a feature request for business fit
+> 🎨 **UX Designer:** "Should we build X?" is a strategy question, not a UX question. I evaluate HOW to design X once it's in scope. Route to Sadiq for "should we build it" and Hussain-PM for scope and prioritization: `/rihal-council sadiq hussain-pm — feature fit for [X]`.
+
 ## Redirects
 
 Use command-redirect-format.md. One reason, then command.

package/rihal/agents/rihal-zahra.md

@@ -1,12 +1,13 @@
 ---
 name: rihal-zahra
-description: Branding & Creative Director — spawned by /rihal-council for brand identity, visual language, typography systems (Latin + Arabic), color systems, design tokens, and cross-touchpoint brand consistency. Defers to Layla on UX interaction design, Haitham on frontend implementation, Mariam on marketing copy.
+description: Branding & Creative Director — spawned by /rihal-council for brand identity, visual language, typography (Latin + Arabic), color systems, design tokens, and cross-touchpoint brand consistency.
 tools: Read, Grep, Glob, WebFetch
 color: magenta
 ---
 
 @.rihal/references/response-style.md
 @.rihal/references/codebase-grounding.md
+@.rihal/skills/agents/zahra-branding/SKILL.md
 
 # Zahra — Branding & Creative Director
 

package/rihal/agents/rihal-zayd.md

@@ -1,6 +1,6 @@
 ---
 name: rihal-zayd
-description: Senior ML Engineer — spawned by /rihal-council for machine learning, OCR, LLM integration, RAG/retrieval, vector search, reranking, embeddings, prompt engineering, and eval questions. Defers to Waleed on architecture, Yousef on integration points (queues, APIs), Fatima on eval methodology.
+description: Senior ML Engineer — spawned by /rihal-council for machine learning, OCR, LLM integration, RAG/retrieval, vector search, reranking, embeddings, prompt engineering, and evals.
 tools: Read, Grep, Glob, Bash, WebFetch
 color: purple
 ---
@@ -8,6 +8,7 @@ color: purple
 @.rihal/references/response-style.md
 @.rihal/references/codebase-grounding.md
 @.rihal/references/karpathy-guidelines.md
+@.rihal/skills/agents/zayd-ml/SKILL.md
 
 # Zayd — Senior ML Engineer
 

package/rihal/bin/lib/config.cjs

@@ -112,12 +112,24 @@ function setAt(config, dottedKey, value) {
  * Returns a string (or null for missing) the caller should print with console.log
  * WITHOUT JSON-wrapping.
  */
+// Aliases: bare key → namespaced key (and reverse). When the primary lookup
+// returns null, the alias is tried automatically — fixes namespace-mix issues.
+const KEY_ALIASES = {
+  'commit_docs':          'git.commit_docs',
+  'git.commit_docs':      'commit_docs',
+  'discuss_mode':         'workflow.discuss_mode',
+  'workflow.discuss_mode': 'discuss_mode',
+};
+
 function cmdGet(projectRoot, dottedKey) {
   if (!dottedKey) throw new Error('Usage: config-get <dotted.key>');
   const cp = configPathFor(projectRoot);
   if (!fs.existsSync(cp)) return null;
   const config = parseNestedYaml(fs.readFileSync(cp, 'utf8'));
-  const val = getAt(config, dottedKey);
+  let val = getAt(config, dottedKey);
+  if ((val === undefined || val === null) && KEY_ALIASES[dottedKey]) {
+    val = getAt(config, KEY_ALIASES[dottedKey]);
+  }
   if (val === undefined || val === null) return null;
   if (typeof val === 'object') return JSON.stringify(val);
   return String(val);

package/rihal/bin/lib/council-panel.cjs

@@ -1,6 +1,6 @@
 /**
- * Council panel selection — pure function that picks the right 3-5 agents
- * for a given strategic question.
+ * Council panel selection — pure function that picks the right agents
+ * for a given question.
  *
  * This is the v2 version of the scorer, installed alongside rihal-tools.cjs
  * at {project-root}/.rihal/bin/lib/council-panel.cjs. The helper binary
@@ -16,6 +16,8 @@
  *   - Auditable: `explainSelection()` returns per-agent scores so users
  *     running with `--explain` can see why each agent was picked.
  *   - Cheap: zero LLM calls before the council starts.
+ *   - Intent-matched: domain-specific panels. FE question → Haitham leads.
+ *     BE question → Yousef leads. No strategic padding for technical work.
  *   - Optional team.yaml: If team.yaml exists at project root, reads
  *     domain_keywords from it. Fallback: hardcoded keywords below.
  *
@@ -25,16 +27,17 @@
  *      else use hardcoded KEYWORDS below.
  *   2. Normalize the question (lowercase, strip punctuation).
  *   3. For each agent, sum the weight of every keyword that appears.
- *   4. Apply priority boosts (Sadiq for strategic triggers, Hussain-PM
- *      for scope triggers).
+ *   4. Apply priority boosts (Sadiq for strategic triggers, domain
+ *      boosts for FE/BE/ML/deploy questions).
  *   5. Named-agent mentions get +20 (overrides topic score).
- *   6. Sort by score desc. Tiebreaker: STRATEGIC_PADDING_ORDER for
- *      strategic questions, AGENT_IDS for others.
- *   7. Take top K (default maxPanel = 5). Pad to minPanel (default 3) if
- *      fewer agents scored non-zero, using STRATEGIC_PADDING_ORDER (or
- *      AGENT_IDS for non-strategic) as the fill pool.
- *   8. If opts.full, return AGENT_IDS (canonical order).
- *   9. If opts.agents, return that exact list (validated).
+ *   6. Detect domain from top-scoring agents: fe / be / ml / deploy /
+ *      quality / strategic / market.
+ *   7. Sort by score desc. Tiebreaker: domain-specific padding order.
+ *   8. maxPanel=3 for technical domains (fe/be/ml/deploy/quality),
+ *      maxPanel=4 for strategic/market. minPanel=1 always — no forced
+ *      lame padding for specific technical questions.
+ *   9. If opts.full, return AGENT_IDS (canonical order).
+ *   10. If opts.agents, return that exact list (validated).
  *
  * The orchestrator is responsible for filtering the result to installed
  * agents. This module returns the "ideal" panel; the workflow validates
@@ -307,6 +310,75 @@ const STRATEGIC_PADDING_ORDER = [
   'zahra', 'zayd', 'mariam', 'noor',
 ];
 
+// Domain-specific padding orders — used when a technical domain is clearly detected.
+// These put the right specialists first and keep PM/strategy out unless asked.
+const FRONTEND_PADDING_ORDER = [
+  'haitham', 'layla', 'zahra', 'yousef', 'waleed',
+  'fatima', 'sadiq', 'hussain-pm', 'zayd', 'khalid',
+  'nasser', 'ahmed-hassani', 'mariam', 'noor',
+];
+
+const BACKEND_PADDING_ORDER = [
+  'yousef', 'waleed', 'khalid', 'fatima', 'haitham',
+  'zayd', 'ahmed-hassani', 'sadiq', 'hussain-pm', 'layla',
+  'nasser', 'zahra', 'mariam', 'noor',
+];
+
+const ML_PADDING_ORDER = [
+  'zayd', 'yousef', 'waleed', 'fatima', 'khalid',
+  'haitham', 'sadiq', 'hussain-pm', 'ahmed-hassani', 'layla',
+  'nasser', 'zahra', 'mariam', 'noor',
+];
+
+const DEPLOY_PADDING_ORDER = [
+  'khalid', 'waleed', 'yousef', 'ahmed-hassani', 'fatima',
+  'sadiq', 'haitham', 'zayd', 'hussain-pm', 'nasser',
+  'layla', 'zahra', 'mariam', 'noor',
+];
+
+const QUALITY_PADDING_ORDER = [
+  'fatima', 'waleed', 'yousef', 'haitham', 'khalid',
+  'sadiq', 'zayd', 'ahmed-hassani', 'hussain-pm', 'layla',
+  'nasser', 'zahra', 'mariam', 'noor',
+];
+
+// Domain trigger arrays — when these fire, the question is clearly technical
+// and should NOT be padded with PM/strategy agents.
+const FE_TRIGGERS = [
+  'react', 'component', 'frontend', 'front-end', 'next.js', 'nextjs',
+  'tailwind', 'css', 'html', 'tsx', 'jsx', 'rtl', 'a11y', 'accessibility',
+  'ui ', 'ux ', 'layout', 'responsive', 'animation', 'hydration',
+  'bundle size', 'lighthouse', 'cls', 'lcp', 'tbt',
+  // Roman Urdu FE signals
+  'fe ', 'front end', 'button', 'page ', 'screen ', 'form ',
+];
+
+const BE_TRIGGERS = [
+  'backend', 'back-end', 'api', 'endpoint', 'server', 'prisma', 'database',
+  'query', 'schema', 'migration', 'queue', 'webhook', 'rest', 'graphql',
+  'n+1', 'index', 'latency', 'timeout', 'caching', 'redis', 'postgres',
+  'mysql', 'mongodb', 'bullmq', 'celery', 'worker', 'job', 'cron',
+  // Roman Urdu BE signals
+  'be ', 'db ', 'api call', 'server side',
+];
+
+const ML_TRIGGERS = [
+  'llm', 'model', 'embedding', 'rag', 'retrieval', 'vector', 'ocr',
+  'prompt', 'inference', 'fine-tun', 'dataset', 'eval', 'nlp',
+  'openai', 'anthropic', 'gemini', 'gpt', 'claude', 'mistral',
+];
+
+const DEPLOY_TRIGGERS = [
+  'deploy', 'docker', 'kubernetes', 'k8s', 'ci/cd', 'cicd', 'pipeline',
+  'rollback', 'incident', 'outage', 'monitoring', 'alert', 'sre',
+  'infra', 'cloud', 'aws', 'gcp', 'azure', 'vps',
+];
+
+const QUALITY_TRIGGERS = [
+  'test coverage', 'qa ', 'regression', 'flaky', 'production ready',
+  'ready to ship', 'release ready', 'perf test', 'load test', 'benchmark',
+];
+
 const AGENT_NAMES = {
   sadiq: ['sadiq'],
   'hussain-pm': ['hussain', 'hussain-pm', 'hussain pm'],
@@ -357,9 +429,64 @@ function applyPriorityBoosts(scores, normalizedQuestion) {
     scores.mariam = (scores.mariam || 0) + 6; // Mariam leads market questions
     scores['hussain-pm'] = (scores['hussain-pm'] || 0) + 3; // PM follows for scoping
   }
+  // Domain boosts — lift the right technical expert when signal is clear
+  if (FE_TRIGGERS.some((t) => normalizedQuestion.includes(t))) {
+    scores.haitham = (scores.haitham || 0) + 4;
+  }
+  if (BE_TRIGGERS.some((t) => normalizedQuestion.includes(t))) {
+    scores.yousef = (scores.yousef || 0) + 4;
+  }
+  if (ML_TRIGGERS.some((t) => normalizedQuestion.includes(t))) {
+    scores.zayd = (scores.zayd || 0) + 4;
+  }
+  if (DEPLOY_TRIGGERS.some((t) => normalizedQuestion.includes(t))) {
+    scores.khalid = (scores.khalid || 0) + 4;
+  }
+  if (QUALITY_TRIGGERS.some((t) => normalizedQuestion.includes(t))) {
+    scores.fatima = (scores.fatima || 0) + 4;
+  }
   return scores;
 }
 
+/**
+ * Detect the primary domain of a question from its normalized text and scores.
+ * Returns: 'fe' | 'be' | 'ml' | 'deploy' | 'quality' | 'market' | 'strategic' | 'general'
+ */
+function detectDomain(normalizedQuestion, scores) {
+  const isMarket = MARKET_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+  if (isMarket) return 'market';
+
+  const isStrategic = SADIQ_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+
+  const feTrigger = FE_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+  const beTrigger = BE_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+  const mlTrigger = ML_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+  const deployTrigger = DEPLOY_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+  const qualityTrigger = QUALITY_TRIGGERS.some((t) => normalizedQuestion.includes(t));
+
+  // Multiple technical domains present — fall back to top-scoring agent
+  const technicalCount = [feTrigger, beTrigger, mlTrigger, deployTrigger, qualityTrigger].filter(Boolean).length;
+  if (technicalCount >= 2) {
+    // Resolve by whichever technical expert scored highest
+    const techLeaders = [
+      { domain: 'fe', agent: 'haitham', score: scores.haitham || 0 },
+      { domain: 'be', agent: 'yousef', score: scores.yousef || 0 },
+      { domain: 'ml', agent: 'zayd', score: scores.zayd || 0 },
+      { domain: 'deploy', agent: 'khalid', score: scores.khalid || 0 },
+      { domain: 'quality', agent: 'fatima', score: scores.fatima || 0 },
+    ].sort((a, b) => b.score - a.score);
+    if (techLeaders[0].score > 0) return techLeaders[0].domain;
+  }
+
+  if (feTrigger) return 'fe';
+  if (beTrigger) return 'be';
+  if (mlTrigger) return 'ml';
+  if (deployTrigger) return 'deploy';
+  if (qualityTrigger) return 'quality';
+  if (isStrategic) return 'strategic';
+  return 'general';
+}
+
 function validateAgents(agents) {
   const bad = agents.filter((id) => !AGENT_IDS.includes(id));
   if (bad.length > 0) {
@@ -368,34 +495,59 @@ function validateAgents(agents) {
   return agents;
 }
 
+const DOMAIN_PADDING = {
+  fe:       FRONTEND_PADDING_ORDER,
+  be:       BACKEND_PADDING_ORDER,
+  ml:       ML_PADDING_ORDER,
+  deploy:   DEPLOY_PADDING_ORDER,
+  quality:  QUALITY_PADDING_ORDER,
+  market:   MARKET_PADDING_ORDER,
+  strategic: STRATEGIC_PADDING_ORDER,
+  general:  STRATEGIC_PADDING_ORDER,
+};
+
+// Technical domains keep panels small — 1 right expert beats 3 wrong ones.
+const DOMAIN_MAX_PANEL = {
+  fe: 3, be: 3, ml: 3, deploy: 3, quality: 3,
+  market: 4, strategic: 4, general: 3,
+};
+
+// minPanel=1: never force-pad with irrelevant agents.
+const DOMAIN_MIN_PANEL = {
+  fe: 1, be: 1, ml: 1, deploy: 1, quality: 1,
+  market: 2, strategic: 2, general: 1,
+};
+
 function selectPanel(question, opts = {}) {
   if (opts.full) return [...AGENT_IDS];
   if (opts.agents && opts.agents.length > 0) return validateAgents(opts.agents);
 
-  const maxPanel = opts.maxPanel || 5;
-  const minPanel = opts.minPanel || 3;
   const normalized = normalize(question);
-  if (!normalized) return STRATEGIC_PADDING_ORDER.slice(0, minPanel);
+  if (!normalized) return STRATEGIC_PADDING_ORDER.slice(0, 2);
 
   const scores = {};
   for (const agentId of AGENT_IDS) scores[agentId] = scoreAgent(agentId, normalized);
   applyPriorityBoosts(scores, normalized);
 
-  const isStrategic = SADIQ_TRIGGERS.some((t) => normalized.includes(t));
-  const isMarket = MARKET_TRIGGERS.some((t) => normalized.includes(t));
-  const tiebreakOrder = isMarket ? MARKET_PADDING_ORDER : isStrategic ? STRATEGIC_PADDING_ORDER : AGENT_IDS;
+  const domain = detectDomain(normalized, scores);
+  const maxPanel = opts.maxPanel || DOMAIN_MAX_PANEL[domain];
+  const minPanel = opts.minPanel || DOMAIN_MIN_PANEL[domain];
+  const paddingPool = DOMAIN_PADDING[domain];
+
   const ranked = [...AGENT_IDS]
     .map((id) => ({ id, score: scores[id] }))
     .sort((a, b) => {
       if (b.score !== a.score) return b.score - a.score;
-      return tiebreakOrder.indexOf(a.id) - tiebreakOrder.indexOf(b.id);
+      return paddingPool.indexOf(a.id) - paddingPool.indexOf(b.id);
     });
 
   const scored = ranked.filter((a) => a.score > 0).slice(0, maxPanel);
+
+  // If we have at least minPanel scored agents, return them — no padding needed.
   if (scored.length >= minPanel) return scored.map((a) => a.id);
 
+  // Pad only up to minPanel using domain-appropriate agents.
   const alreadyPicked = new Set(scored.map((a) => a.id));
-  const paddingPool = isMarket ? MARKET_PADDING_ORDER : isStrategic ? STRATEGIC_PADDING_ORDER : AGENT_IDS;
   const padding = [];
   for (const id of paddingPool) {
     if (alreadyPicked.has(id)) continue;
@@ -410,11 +562,16 @@ function explainSelection(question, opts = {}) {
   const scores = {};
   for (const agentId of AGENT_IDS) scores[agentId] = scoreAgent(agentId, normalized);
   applyPriorityBoosts(scores, normalized);
+  const domain = detectDomain(normalized, scores);
   const panel = selectPanel(question, opts);
   return {
-    question, normalized, scores, panel,
+    question, normalized, scores, panel, domain,
     sadiq_triggered: SADIQ_TRIGGERS.some((t) => normalized.includes(t)),
     pm_triggered: PM_TRIGGERS.some((t) => normalized.includes(t)),
+    fe_triggered: FE_TRIGGERS.some((t) => normalized.includes(t)),
+    be_triggered: BE_TRIGGERS.some((t) => normalized.includes(t)),
+    ml_triggered: ML_TRIGGERS.some((t) => normalized.includes(t)),
+    deploy_triggered: DEPLOY_TRIGGERS.some((t) => normalized.includes(t)),
   };
 }
 
@@ -494,8 +651,13 @@ function loadTeamConfig(projectRoot) {
 }
 
 module.exports = {
-  AGENT_IDS, KEYWORDS, SADIQ_TRIGGERS, PM_TRIGGERS, MARKET_TRIGGERS, AGENT_NAMES,
+  AGENT_IDS, KEYWORDS, AGENT_NAMES,
+  SADIQ_TRIGGERS, PM_TRIGGERS, MARKET_TRIGGERS,
+  FE_TRIGGERS, BE_TRIGGERS, ML_TRIGGERS, DEPLOY_TRIGGERS, QUALITY_TRIGGERS,
   STRATEGIC_PADDING_ORDER, MARKET_PADDING_ORDER,
-  normalize, scoreAgent, applyPriorityBoosts, selectPanel, explainSelection,
-  loadTeamConfig,
+  FRONTEND_PADDING_ORDER, BACKEND_PADDING_ORDER, ML_PADDING_ORDER,
+  DEPLOY_PADDING_ORDER, QUALITY_PADDING_ORDER,
+  DOMAIN_PADDING, DOMAIN_MAX_PANEL, DOMAIN_MIN_PANEL,
+  normalize, scoreAgent, applyPriorityBoosts, detectDomain,
+  selectPanel, explainSelection, loadTeamConfig,
 };

package/rihal/bin/lib/roadmap.cjs

@@ -19,7 +19,11 @@ function roadmapPathFor(projectRoot) {
  *   number, name, goal, section (raw markdown slice), headerIndex, sectionEnd
  */
 function extractPhases(content) {
-  const phasePattern = /#{2,4}\s*Phase\s+(\d+[A-Z]?(?:\.\d+)*)\s*:\s*([^\n]+)/gi;
+  // Accept any of: ":", "—" (em-dash), "-" (hyphen) between phase number and name.
+  // Pre-#464 the regex required ":" only, which silently rejected heading-style
+  // ROADMAP using em-dash ("## Phase 6 — Name") and broke roadmap list-phases
+  // and roadmap get-phase. Same drift family as #455.
+  const phasePattern = /#{2,4}\s*Phase\s+(\d+[A-Z]?(?:\.\d+)*)\s*[—\-:]\s*([^\n]+)/gi;
   const hits = [];
   let m;
   while ((m = phasePattern.exec(content)) !== null) {
@@ -32,10 +36,26 @@ function extractPhases(content) {
     const section = content.slice(h.headerIndex, end).trim();
     const goalMatch = section.match(/\*\*Goal(?::\*\*|\*\*:)\s*([^\n]+)/i);
     const goal = goalMatch ? goalMatch[1].trim() : null;
+
+    // Status parsing (Phase 10 / #466 / closes secondary part of #464).
+    // Maps the literal **Status:** line to a canonical enum.
+    const statusMatch = section.match(/\*\*Status(?::\*\*|\*\*:)\s*([^\n]+)/i);
+    const statusRaw = statusMatch ? statusMatch[1].trim() : null;
+    let status = 'unknown';
+    if (statusRaw) {
+      const s = statusRaw.toLowerCase();
+      if (s.startsWith('complete')) status = 'complete';
+      else if (s.startsWith('active') || s.startsWith('in progress') || s.includes('sprint')) status = 'active';
+      else if (s.startsWith('planned')) status = 'planned';
+      else if (s.startsWith('closed')) status = 'closed';
+    }
+
     phases.push({
       number: h.number,
       name: h.name,
       goal,
+      status,
+      status_raw: statusRaw,
       section,
       headerIndex: h.headerIndex,
       sectionEnd: end,
@@ -129,10 +149,15 @@ function cmdListPhases(projectRoot) {
   const rp = roadmapPathFor(projectRoot);
   if (!fs.existsSync(rp)) return [];
   const content = fs.readFileSync(rp, 'utf8');
+  // Phase 10 / #466 — prefer the parsed Status field from extractPhases over
+  // the legacy phaseStatus() heuristic, which only matched literal "completed"
+  // in the header and missed our **Status:** Complete convention. Fall back to
+  // phaseStatus() only when extractPhases couldn't parse a Status line.
   return extractPhases(content).map((p) => ({
     number: p.number,
     name: p.name,
-    status: phaseStatus(p.section),
+    status: p.status === 'unknown' ? phaseStatus(p.section) : p.status,
+    status_raw: p.status_raw,
   }));
 }