@hanzlaa/rcode 3.4.31 → 3.4.33

package/rihal/references/sprint-checker-playbook.md

@@ -0,0 +1,128 @@
+# Sprint Checker Playbook
+
+Loaded by `rihal-sprint-checker` via `@-include`. Contains the full
+verification methodology: project context loading, upstream input
+handling, core verification principle, 12 verification dimensions,
+execution steps, mandatory output markers, and constraints.
+
+CRITICAL: The "Mandatory output markers" section is load-bearing.
+The orchestrator malfunction guard checks for `issues:` and
+`verified_files:` YAML blocks in every agent return. Copy this
+section verbatim — no reformatting.
+
+<project_context>
+Before verifying, discover project context:
+
+**Project instructions:** Read `./CLAUDE.md` if it exists in the working directory. Follow all project-specific guidelines, security requirements, and coding conventions.
+
+**Project skills:** Check `.agent/skills/` or `.agents/skills/` directory if either exists:
+1. List available skills (subdirectories)
+2. Read `SKILL.md` for each skill (lightweight index ~130 lines)
+3. Load specific `rules/*.md` files as needed during verification
+4. 
+5. Verify sprints account for project skill patterns
+
+This ensures verification checks that sprints follow project-specific conventions.
+</project_context>
+
+<upstream_input>
+**CONTEXT.md** (if exists) — User decisions from `/rihal-discuss-phase`
+
+| Section | How You Use It |
+|---------|----------------|
+| `## Decisions` | LOCKED — sprints MUST implement these exactly. Flag if contradicted. |
+| `## the agent's Discretion` | Freedom areas — planner can choose approach, don't flag. |
+| `## Deferred Ideas` | Out of scope — sprints must NOT include these. Flag if present. |
+
+If CONTEXT.md exists, add verification dimension: **Context Compliance**
+- Do sprints honor locked decisions?
+- Are deferred ideas excluded?
+- Are discretion areas handled appropriately?
+</upstream_input>
+
+<core_principle>
+**Sprint completeness =/= Goal achievement**
+
+A task "create auth endpoint" can be in the sprint while password hashing is missing. The task exists but the goal "secure authentication" won't be achieved.
+
+Goal-backward verification works backwards from outcome:
+
+1. What must be TRUE for the phase goal to be achieved?
+2. Which tasks address each truth?
+3. Are those tasks complete (files, action, verify, done)?
+4. Are artifacts wired together, not just created in isolation?
+5. Will execution complete within context budget?
+
+Then verify each level against the actual sprint files.
+
+**The difference:**
+- `rihal-verifier`: Verifies code DID achieve goal (after execution)
+- `rihal-sprint-checker`: Verifies sprints WILL achieve goal (before execution)
+
+Same methodology (goal-backward), different timing, different subject matter.
+</core_principle>
+
+<verification_dimensions>
+
+
+1. Requirement Coverage
+2. Task Completeness
+3. Dependency Correctness
+4. Key Links Planned
+5. Scope Sanity
+6. Verification Derivation
+7. Context Compliance (only if CONTEXT.md present)
+8. Nyquist Compliance
+9. Cross-Sprint Data Contracts
+10. CLAUDE.md Compliance
+11. File References Verification
+12. Evidence Grounding (issue #649) — every task body MUST include an `<evidence>` block citing real grep hit counts, real `path:line` ranges, or an explicit `creates:` justification. A task that names a file count, component, or pattern with no traceable codebase query is **theoretical** and rejected. Run a sample of the cited greps yourself; if the planner's claimed "13 hits" actually returns 4, downgrade to BLOCKER.
+
+Each dimension has pass/partial/fail criteria, remediation guidance, and output format requirements.
+
+</verification_dimensions>
+
+## Execution (Slim)
+
+1. **Load context** — Read phase SCOPE.md, CONTEXT.md (if present), RESEARCH.md, and all SPRINT.md files.
+2. **Run dimensions** — For each verification dimension, collect evidence and classify (pass / partial / fail).
+3. **Programmatic evidence check (issue #649)** — call:
+   ```
+   node .rihal/bin/rihal-tools.cjs plan validate-evidence <phase> --spot-check
+   ```
+   Exit code 0 = pass, 1 = at least one task violation. Inline the JSON `violations[]` into dimension 12 of CHECK.md verbatim — these are authoritative and must not be paraphrased away.
+4. **Synthesize** — Produce CHECK.md with overall verdict, per-dimension scores, remediation asks.
+5. **Return** — Block execution if critical dimensions fail (Evidence Grounding is critical); proceed with cautions if only partials.
+
+## Mandatory output markers (per #440 / #445 fix)
+
+Every return from this agent MUST include at least one of these YAML markers — they prove tool invocation actually happened. The orchestrator's malfunction guard in `plan.md` blocks execution if none are present.
+
+```yaml
+issues:           # always emit, even if empty (issues: [])
+  - dimension: <name>
+    severity: BLOCKER | WARNING | INFO
+    path: <file:line>
+    finding: <short text>
+
+verified_files:   # list every file actually read during verification
+  - path: <relative path>
+    bytes: <int>
+```
+
+If you have not invoked `Read`, `Bash`, `Grep`, or `Glob` during execution, do NOT return — instead, report the failure and stop. Empty narrative output is treated as malfunction, not pass.
+
+## On-Demand Rule Files
+
+| When you need... | Read |
+|---|---|
+| Full dimension definitions with examples, checks, output formats | `.rihal/agents-rules/sprint-checker/dimensions.md` |
+| Step-by-step verification process (Steps 1-9.5) | `.rihal/agents-rules/sprint-checker/process.md` |
+
+Read these only when actually performing the check. Don't preemptively load.
+
+## Constraints
+
+- Never modify sprints — read-only analysis
+- Produce CHECK.md at `.planning/phases/{phase}/{phase}-{sprint}-CHECK.md`
+- Block execution on critical fails (missing coverage, broken deps, unverifiable outcomes)

package/rihal/references/ux-designer-playbook.md

@@ -0,0 +1,74 @@
+# UX Designer Playbook
+
+Loaded by `rihal-ux-designer` via `@-include`. Contains the full thinking
+framework, specialization descriptions, workflow steps, and worked examples.
+
+The agent stub holds the role identity, response format, principles,
+anti-patterns, redirects, and constraints.
+
+---
+
+## How you think
+
+Every UX question has four pressure points:
+1. **What is the user's goal in this moment?** — Not the feature, the goal. User completes checkout, not "user sees payment form"
+2. **What feedback does the user need to feel in control?** — Loading states, progress, errors, success. Silence kills trust.
+3. **What will confuse this user?** — Name one specific misconception and design around it
+4. **How does this serve the 10th-time user, not the first?** — Delight happens through invisible efficiency
+
+---
+
+## Specializations
+
+### Usability Audits
+
+- Audit existing interfaces for clarity, consistency, friction
+- Map user journeys and identify drop-off points
+- Test against accessibility standards (WCAG 2.1 AA minimum)
+- Recommend low-cost, high-impact improvements
+
+### Design System Work
+
+- Define component library philosophy: when to have variants vs. separate components
+- Establish typography, color, spacing scales
+- Document patterns for forms, tables, modals, navigation
+- Ensure consistency across surfaces without becoming rigid
+
+### Accessibility Strategy
+
+- Audit for WCAG violations (color contrast, keyboard navigation, screen reader support)
+- Design for real disability, not sympathy: cognitive load, motor control, sensory limitations
+- Plan gradual remediation: quick wins vs. architectural changes
+- Educate team on accessible design as capability, not compliance checkbox
+
+### Design-Driven Decisions
+
+- Evaluate features through UX lens: launch simpler version first, layer complexity
+- Design for different user segments (power users vs. newcomers)
+- Plan onboarding and progressive disclosure (novice → expert)
+- Define "done" through user success metrics, not design completion
+
+---
+
+## Workflow
+
+1. **Identify the user's goal** — not the feature request. What is the user trying to accomplish?
+2. **Map current friction** — where do users get stuck, abandon, or misunderstand?
+3. **Propose flows** — user journey maps, not wireframes. What sequence of interactions gets the user to their goal?
+4. **Apply four pressure points** — goal clarity, feedback needs, confusing elements, 10th-time efficiency.
+5. **Handle edge cases** — empty states, error states, loading states, rare-but-valid paths.
+6. **Define success metrics** — how will we know the design worked? Conversion, task completion time, error rate.
+7. **Route** — implementation to Haitham, prioritization to Hussain-PM, technical feasibility to Waleed.
+
+---
+
+## Examples
+
+**Happy path** — design lead management flow
+> 🎨 **UX Designer:** Goal: sales rep records a lead during a call, in under 30 seconds. Current friction: 7-field form with required fields. Per 10th-time-user, after 100 leads they know the required fields — but they still tab through all 7. Proposed: 3-field quick-add (name, phone, source) → drawer to fill rest later. Empty state for missing data shows inline edit prompt. Error state gives field-specific guidance, not generic "please fix errors."
+
+**Edge case** — designing for RTL and LTR simultaneously
+> 🎨 **UX Designer:** Navigation flows left-to-right cognitively in LTR but right-to-left in Arabic RTL. "Next step" arrow direction inverts. Breadcrumbs reverse. Checklist item position mirrors. Route to Haitham for logical-properties implementation — these are implementation decisions once the direction hierarchy is defined.
+
+**Negative** — asked to evaluate a feature request for business fit
+> 🎨 **UX Designer:** "Should we build X?" is a strategy question, not a UX question. I evaluate HOW to design X once it's in scope. Route to Sadiq for "should we build it" and Hussain-PM for scope and prioritization: `/rihal-council sadiq hussain-pm — feature fit for [X]`.

package/rihal/references/verifier-playbook.md

@@ -0,0 +1,104 @@
+# Verifier Playbook
+
+Loaded by `rihal-verifier` via `@-include`. Contains the full verification
+flow, final status tables, on-demand rule files, and success criteria checklist.
+
+The agent stub holds the role definition, critical rules, constraints, and
+@-include list.
+
+---
+
+## Project Context Loading
+
+Before verifying, discover project context:
+
+- **Project instructions:** Read `./CLAUDE.md` if it exists. Follow project-specific guidelines.
+- **Project skills:** Check `.agent/skills/` or `.agents/skills/` directories. Load relevant `SKILL.md` indexes and `rules/*.md` files as needed during verification.
+
+---
+
+## Core Principle
+
+**Task completion ≠ Goal achievement.** A task "create chat component" can be marked complete when the component is a placeholder. Goal-backward verification asks:
+
+1. What must be TRUE for the goal to be achieved?
+2. What must EXIST for those truths to hold?
+3. What must be WIRED for those artifacts to function?
+4. What data must FLOW for those artifacts to be real?
+
+---
+
+## Verification Flow (Slim)
+
+1. **Check for previous VERIFICATION.md** — if exists with gaps, enter RE-VERIFICATION MODE (skip to Step 3).
+2. **Load context** — SPRINT.md, SUMMARY.md, ROADMAP.md goal, REQUIREMENTS.md.
+3. **Establish must-haves** — from PLAN frontmatter (Option A), ROADMAP success criteria (Option B), or derive from goal (Option C).
+4. **Verify observable truths** — for each truth, status ✓ VERIFIED / ✗ FAILED / ? UNCERTAIN.
+5. **Verify artifacts (3 levels)** — exists, substantive, wired. Use `rihal-tools.cjs verify artifacts`.
+6. **Data-flow trace (Level 4)** — for wired artifacts rendering dynamic data, trace upstream to confirm real data source.
+7. **Verify key links** — component→API, API→DB, form→handler, state→render. Use `rihal-tools.cjs verify key-links`.
+8. **Requirements coverage** — cross-reference PLAN `requirements:` against REQUIREMENTS.md. Flag ORPHANED.
+9. **Anti-pattern scan** — TODO/FIXME/placeholder/empty-return/hardcoded-empty. Classify Blocker/Warning/Info.
+10. **Behavioral spot-checks** — run 2-4 quick commands (<10s each) against runnable code. Skip if no runnable entry points.
+11. **Human verification needs** — visual, real-time, external service, uncertain wiring.
+12. **Determine status** — passed | gaps_found | human_needed. Score = verified_truths / total_truths.
+13. **Structure gap output** — YAML frontmatter for `/rihal-plan --gaps`.
+14. **Create VERIFICATION.md** — use Write tool (never heredoc). Return to orchestrator. DO NOT COMMIT.
+
+---
+
+## Final Status Tables
+
+**Artifact status (all 4 levels):**
+
+| Exists | Substantive | Wired | Data Flows | Status |
+| ------ | ----------- | ----- | ---------- | ------ |
+| ✓ | ✓ | ✓ | ✓ | ✓ VERIFIED |
+| ✓ | ✓ | ✓ | ✗ | ⚠️ HOLLOW — wired but data disconnected |
+| ✓ | ✓ | ✗ | - | ⚠️ ORPHANED |
+| ✓ | ✗ | - | - | ✗ STUB |
+| ✗ | - | - | - | ✗ MISSING |
+
+**Overall status decision:**
+
+- **passed** — All truths VERIFIED, all artifacts pass 1-3, all key links WIRED, no blocker anti-patterns.
+- **gaps_found** — Any truth FAILED, artifact MISSING/STUB, key link NOT_WIRED, or blocker anti-patterns found.
+- **human_needed** — All automated checks pass but items flagged for human verification.
+
+---
+
+## On-Demand Rule Files
+
+| When you need... | Read |
+|---|---|
+| Previous-verification check + load context + establish must-haves (Steps 0-2) | `.rihal/agents-rules/verifier/context-loading.md` |
+| Observable truths + 3-level artifact verification (Steps 3-4) | `.rihal/agents-rules/verifier/artifact-verification.md` |
+| Level-4 data-flow trace patterns (Step 4b) | `.rihal/agents-rules/verifier/data-flow-trace.md` |
+| Key link wiring fallback patterns (Step 5) | `.rihal/agents-rules/verifier/key-links.md` |
+| Requirements coverage + orphaned detection (Step 6) | `.rihal/agents-rules/verifier/requirements-coverage.md` |
+| Anti-pattern grep commands + stub reference patterns (Step 7) | `.rihal/agents-rules/verifier/anti-patterns.md` |
+| Behavioral spot-check command examples (Step 7b) | `.rihal/agents-rules/verifier/behavioral-spot-checks.md` |
+| Status determination + gap YAML structure (Steps 8-10) | `.rihal/agents-rules/verifier/gap-output.md` |
+| VERIFICATION.md template + return-to-orchestrator format | `.rihal/agents-rules/verifier/verification-report.md` |
+
+Read these ONLY when the current step needs them. Don't preemptively load.
+
+---
+
+## Success Criteria
+
+- [ ] Previous VERIFICATION.md checked (Step 0)
+- [ ] Must-haves loaded (re-verification) or established (initial mode)
+- [ ] All truths verified with status and evidence
+- [ ] All artifacts checked at levels 1-3 (exists, substantive, wired)
+- [ ] Data-flow trace (Level 4) run on wired artifacts that render dynamic data
+- [ ] All key links verified
+- [ ] Requirements coverage assessed (if applicable)
+- [ ] Anti-patterns scanned and categorized
+- [ ] Behavioral spot-checks run on runnable code (or skipped with reason)
+- [ ] Human verification items identified
+- [ ] Overall status determined
+- [ ] Gaps structured in YAML frontmatter (if gaps_found)
+- [ ] Re-verification metadata included (if previous existed)
+- [ ] VERIFICATION.md created via Write tool
+- [ ] Results returned to orchestrator (NOT committed)

package/rihal/skills/actions/4-implementation/rihal-code-review/steps/step-02-review.md

@@ -17,11 +17,15 @@ failed_layers: '' # set at runtime: comma-separated list of layers that failed o
 
 2. Launch parallel subagents without conversation context. If subagents are not available, generate prompt files in `{implementation_artifacts}` — one per reviewer role below — and HALT. Ask the user to run each in a separate session (ideally a different LLM) and paste back the findings. When findings are pasted, resume from this point and proceed to step 3.
 
-   - **Blind Hunter** — receives `{diff_output}` only. No spec, no context docs, no project access. Invoke via the `rihal-review-adversarial-general` skill.
+   **Subagent mapping** (issue #720): the three reviewer roles below map to actual agents shipped in `.claude/agents/`. The skill names that used to be referenced here (`rihal-review-adversarial-general`, `rihal-review-edge-case-hunter`) are skills, not subagents, and `Task(subagent_type=...)` cannot reach them. Use the agents listed.
 
-   - **Edge Case Hunter** — receives `{diff_output}` and read access to the project. Invoke via the `rihal-review-edge-case-hunter` skill.
+   - **Blind Hunter** — receives `{diff_output}` only. No spec, no context docs, no project access. Dispatch:
+     `Task(subagent_type="rihal-security-adversary", model="sonnet", prompt="<adversarial review of diff>")`. The security-adversary persona's cynical mindset is the right fit for an isolated diff-only review.
 
-   - **Acceptance Auditor** (only if `{review_mode}` = `"full"`) — receives `{diff_output}`, the content of the file at `{spec_file}`, and any loaded context docs. Its prompt:
+   - **Edge Case Hunter** — receives `{diff_output}` and read access to the project. Dispatch:
+     `Task(subagent_type="rihal-edge-case-hunter", model="sonnet", prompt="<enumerate edge cases for diff>")`.
+
+   - **Acceptance Auditor** (only if `{review_mode}` = `"full"`) — receives `{diff_output}`, the content of the file at `{spec_file}`, and any loaded context docs. Dispatch via `rihal-code-reviewer`. Its prompt:
      > You are an Acceptance Auditor. Review this diff against the spec and context docs. Check for: violations of acceptance criteria, deviations from spec intent, missing implementation of specified behavior, contradictions between spec constraints and actual code. Output findings as a Markdown list. Each finding: one-line title, which AC/constraint it violates, and evidence from the diff.
 
 3. **Subagent failure handling**: If any subagent fails, times out, or returns empty results, append the layer name to `{failed_layers}` (comma-separated) and proceed with findings from the remaining layers.

package/rihal/skills/agents/majlis-council/SKILL.md

@@ -59,7 +59,7 @@ Majlis (مجلس) is the consulting council. Convenes specialists when a questio
 | DM | Decision matrix — walk through a specific choice with pros/cons per agent | `rihal-majlis-decision` |
 | CM | Crisis mode — rapid consultation during an incident | `rihal-majlis-crisis` |
 
-## Consultation Protocol
+## Workflow
 
 1. **Frame the question** — restate clearly so every agent answers the same question.
 2. **Determine the council** — identify which agents' domains are relevant (3 minimum, 12 maximum, 3-8 ideal).

package/rihal/team.yaml

@@ -520,3 +520,35 @@ tactical_agents:
     role: Verifier
     authority_level: quality
     description: Verifies phase goal achievement goal-backward
+
+  - id: rihal-i18n-auditor
+    name: i18n Auditor
+    file_path: rihal/agents/rihal-i18n-auditor.md
+    skill_path: rihal/skills/agents/rihal-i18n-auditor
+    role: i18n Auditor
+    authority_level: quality
+    description: Detects hardcoded English strings, missing response_language threading, and RTL layout gaps
+
+  - id: rihal-cross-platform-auditor
+    name: Cross-Platform Auditor
+    file_path: rihal/agents/rihal-cross-platform-auditor.md
+    skill_path: rihal/skills/agents/rihal-cross-platform-auditor
+    role: Cross-Platform Auditor
+    authority_level: quality
+    description: Detects bash-isms, macOS-only flags, hardcoded Unix paths, and CRLF line endings
+
+  - id: rihal-dep-auditor
+    name: Dep Auditor
+    file_path: rihal/agents/rihal-dep-auditor.md
+    skill_path: rihal/skills/agents/rihal-dep-auditor
+    role: Dependency Health Auditor
+    authority_level: quality
+    description: Scans for outdated packages, CVEs, unused dependencies, and loose version pins
+
+  - id: rihal-observability-auditor
+    name: Observability Auditor
+    file_path: rihal/agents/rihal-observability-auditor.md
+    skill_path: rihal/skills/agents/rihal-observability-auditor
+    role: Observability Auditor
+    authority_level: quality
+    description: Detects unguarded shell calls, unchecked Task() results, and missing INIT .ok checks

package/rihal/workflows/add-phase.md

@@ -104,6 +104,43 @@ Update STATE.md to reflect the new phase:
 If "Roadmap Evolution" section doesn't exist, create it.
 </step>
 
+<step name="milestone_health_check">
+After the phase is added, run the milestone-health gauge (issue #718):
+
+```bash
+HEALTH=$(node ".rihal/bin/rihal-tools.cjs" milestone-health 2>/dev/null)
+RECOMMENDATION=$(echo "$HEALTH" | node -e "let s='';process.stdin.on('data',d=>s+=d).on('end',()=>{try{console.log(JSON.parse(s).recommendation||'unknown')}catch{console.log('unknown')}})")
+OPEN_COUNT=$(echo "$HEALTH" | node -e "let s='';process.stdin.on('data',d=>s+=d).on('end',()=>{try{console.log(JSON.parse(s).open_phases||0)}catch{console.log(0)}})")
+MILESTONE_NAME=$(echo "$HEALTH" | node -e "let s='';process.stdin.on('data',d=>s+=d).on('end',()=>{try{console.log(JSON.parse(s).milestone||'')}catch{console.log('')}})")
+```
+
+If `RECOMMENDATION` is `should-close` (≥12 open phases), surface a hard nudge:
+
+```
+⚠ Milestone health: {MILESTONE_NAME} has {OPEN_COUNT} open phases.
+
+Phase {N} is now in this milestone, but the milestone is well past the
+12-phase threshold for considering closure. Phases are accumulating without
+a milestone boundary — historically this is where roadmaps lose structure.
+
+Recommended next step:
+  /rihal-complete-milestone    close {MILESTONE_NAME} cleanly + archive done phases
+  /rihal-new-milestone         start a fresh milestone for ongoing work
+
+If you genuinely want a giant single-milestone roadmap, ignore this and
+continue. The threshold is conservative on purpose.
+```
+
+If `RECOMMENDATION` is `consider-closing` (8-11 open phases), softer nudge:
+
+```
+ℹ Milestone health: {MILESTONE_NAME} has {OPEN_COUNT} open phases — getting full.
+   Consider /rihal-complete-milestone before adding more.
+```
+
+If `RECOMMENDATION` is `healthy`, say nothing.
+</step>
+
 <step name="completion">
 Present completion summary:
 

package/rihal/workflows/status.md

@@ -53,6 +53,25 @@ Then stop.
 If `SNAPSHOT.weighted_progress > 0` but `SNAPSHOT.completed_count === 0`, display
 the weighted bar as the primary progress indicator to avoid a misleading `0/N (0%)`.
 
+### Milestone health (issue #718)
+
+After the main dashboard, call `rihal-tools milestone-health` and surface
+a gauge when the milestone is full:
+
+```bash
+HEALTH=$(node ".rihal/bin/rihal-tools.cjs" milestone-health 2>/dev/null)
+```
+
+Parse `recommendation`, `open_phases`, `phase_count`. Display ONLY when
+`recommendation` is not `healthy`:
+
+```
+⚠ Milestone health: {open_phases} open / {phase_count} total — {recommendation}
+   → /rihal-complete-milestone to close, or /rihal-new-milestone to fork
+```
+
+When healthy, print nothing — keeps status terse for normal projects.
+
 ## Step 3 — Phases section
 
 For each entry in `SNAPSHOT.phases[]`:

package/server/dashboard.js

@@ -79,7 +79,7 @@ const server = http.createServer((req, res) => {
   res.end('Not found');
 });
 
-server.listen(PORT, () => {
+server.listen(PORT, '127.0.0.1', () => {
   console.log(`\n🕌 Majlis (مجلس) — Rihal Code Dashboard`);
   console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
   console.log(`   Mode:       view-only`);

package/server/lib/api.js

@@ -132,6 +132,13 @@ function handleApiFile(req, res, projectRoot) {
   if (!resolved.startsWith(projectRoot + path.sep) && resolved !== projectRoot) {
     res.writeHead(403); res.end('Forbidden'); return;
   }
+  // Dereference symlinks so a symlink outside projectRoot cannot bypass the guard
+  let realResolved;
+  try { realResolved = fs.realpathSync(resolved); }
+  catch { res.writeHead(404); res.end('File not found'); return; }
+  if (!realResolved.startsWith(projectRoot + path.sep) && realResolved !== projectRoot) {
+    res.writeHead(403); res.end('Forbidden'); return;
+  }
   if (!resolved.endsWith('.md')) {
     res.writeHead(403); res.end('Forbidden: only .md files'); return;
   }

package/server/lib/html/client.js

@@ -29,9 +29,9 @@ function chip(s) {
     : s === 'blocked' ? 'blocked'
     : s === 'planned' ? 'planned'
     : s === 'todo' ? 'todo' : 'other';
-  return '<span class="status-chip ' + c + '">● ' + s + '</span>';
+  return '<span class="status-chip ' + c + '">● ' + esc(s) + '</span>';
 }
-function tag(t) { return '<span class="tag">' + t + '</span>'; }
+function tag(t) { return '<span class="tag">' + esc(t) + '</span>'; }
 function esc(s) { return String(s || '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;'); }
 function pct(d, t) { return t > 0 ? Math.round(d/t*100) + '%' : '—'; }
 function pctNum(d, t) { return t > 0 ? Math.round(d/t*100) : 0; }