@hanzlaa/rcode 3.4.32 → 3.4.33

package/cli/agent.js

@@ -39,8 +39,9 @@ module.exports = function agent(args, { packageRoot }) {
     process.exit(1);
   }
 
-  // Check claude binary is on PATH
-  const claudeCheck = spawnSync('which', ['claude'], { encoding: 'utf8' });
+  // Check claude binary is on PATH (cross-platform: 'where' on Windows, 'which' elsewhere)
+  const whichCmd = process.platform === 'win32' ? 'where' : 'which';
+  const claudeCheck = spawnSync(whichCmd, ['claude'], { encoding: 'utf8' });
   if (claudeCheck.status !== 0) {
     console.error('Error: claude binary not found. Install Claude Code: https://claude.ai/code');
     process.exit(1);

package/dist/rcode.js

@@ -18904,7 +18904,8 @@ var require_agent = __commonJS({
         console.error(`Available: ${available}`);
         process.exit(1);
       }
-      const claudeCheck = spawnSync("which", ["claude"], { encoding: "utf8" });
+      const whichCmd = process.platform === "win32" ? "where" : "which";
+      const claudeCheck = spawnSync(whichCmd, ["claude"], { encoding: "utf8" });
       if (claudeCheck.status !== 0) {
         console.error("Error: claude binary not found. Install Claude Code: https://claude.ai/code");
         process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hanzlaa/rcode",
-  "version": "3.4.32",
+  "version": "3.4.33",
   "description": "rcode — the memory bank for AI-driven SaaS teams. Persistent project context, distinctive engineering personas, and phase-based workflows. Built by Rihal. Works in Claude Code, Cursor, Gemini, VS Code, and Antigravity.",
   "main": "cli/index.js",
   "bin": {

package/rihal/agents/rihal-cross-platform-auditor.md

@@ -0,0 +1,15 @@
+---
+name: rihal-cross-platform-auditor
+description: |
+  Cross-platform portability auditor. Detects bash-isms, macOS-only flags
+  (BSD sed/awk), hardcoded absolute Unix paths in Node code, Windows path
+  separators, and CRLF line endings. Audit-only — never modifies scripts.
+  Activates: "cross-platform audit", "bash-isms", "macOS only",
+  "Windows compatibility", "portability check".
+  Do NOT use for: fixing scripts, frontend RTL, or translation.
+tools: Read, Bash, Grep, Glob
+color: yellow
+---
+
+@.rihal/references/response-style.md
+@.rihal/skills/agents/rihal-cross-platform-auditor/SKILL.md

package/rihal/agents/rihal-dep-auditor.md

@@ -0,0 +1,15 @@
+---
+name: rihal-dep-auditor
+description: |
+  Dependency health auditor — scans for outdated packages, CVEs, unused
+  dependencies, loose version pins, and missing lock files. Audit-only:
+  never modifies package.json or runs installs.
+  Activates: "audit dependencies", "dep health", "CVE scan", "check packages",
+  "outdated deps", "loose pins", "lock file".
+  Do NOT use for: installing packages, updating deps, or security penetration testing.
+tools: Read, Bash, Grep, Glob
+color: yellow
+---
+
+@.rihal/references/response-style.md
+@.rihal/skills/agents/rihal-dep-auditor/SKILL.md

package/rihal/agents/rihal-i18n-auditor.md

@@ -0,0 +1,16 @@
+---
+name: rihal-i18n-auditor
+description: |
+  Internationalization and localization auditor. Detects hardcoded English
+  strings in workflow output, missing response_language pass-through to
+  subagents, AskUserQuestion with English-only prompts, and RTL/Arabic
+  layout gaps. Audit-only — never modifies string files.
+  Activates: "i18n audit", "translation check", "hardcoded strings",
+  "response_language missing", "RTL audit", "Arabic layout", "multilingual audit".
+  Do NOT use for: adding translations, RTL CSS (use rihal-haitham), content translation.
+tools: Read, Bash, Grep, Glob
+color: yellow
+---
+
+@.rihal/references/response-style.md
+@.rihal/skills/agents/rihal-i18n-auditor/SKILL.md

package/rihal/agents/rihal-observability-auditor.md

@@ -0,0 +1,16 @@
+---
+name: rihal-observability-auditor
+description: |
+  Observability and silent-failure auditor. Detects unguarded rihal-tools
+  shell calls, Task() results that are never checked, bare 2>/dev/null
+  without fallback echo, INIT calls without .ok checks, and unstructured
+  console.log in production code. Audit-only — never adds instrumentation.
+  Activates: "observability audit", "silent failures", "unguarded calls",
+  "missing error handling", "tool call guard".
+  Do NOT use for: adding logging, instrumentation setup, or fixing error handlers.
+tools: Read, Bash, Grep, Glob
+color: yellow
+---
+
+@.rihal/references/response-style.md
+@.rihal/skills/agents/rihal-observability-auditor/SKILL.md

package/rihal/agents/rihal-phase-researcher.md

@@ -8,7 +8,7 @@ color: cyan
 
 @.rihal/references/response-style.md
 @.rihal/references/karpathy-guidelines.md
-@rihal/brain/best-practices/no-theoretical-suggestions.md
+@.rihal/brain/best-practices/no-theoretical-suggestions.md
 @.rihal/references/researcher-shared.md
 
 <role>

package/rihal/agents/rihal-planner.md

@@ -8,7 +8,7 @@ color: green
 @.rihal/references/response-style.md
 @.rihal/references/karpathy-guidelines-full.md
 @.rihal/references/output-realism.md
-@rihal/brain/best-practices/no-theoretical-suggestions.md
+@.rihal/brain/best-practices/no-theoretical-suggestions.md
 @.rihal/references/planner-playbook.md
 
 <role>

package/rihal/skills/actions/4-implementation/rihal-code-review/steps/step-02-review.md

@@ -17,11 +17,15 @@ failed_layers: '' # set at runtime: comma-separated list of layers that failed o
 
 2. Launch parallel subagents without conversation context. If subagents are not available, generate prompt files in `{implementation_artifacts}` — one per reviewer role below — and HALT. Ask the user to run each in a separate session (ideally a different LLM) and paste back the findings. When findings are pasted, resume from this point and proceed to step 3.
 
-   - **Blind Hunter** — receives `{diff_output}` only. No spec, no context docs, no project access. Invoke via the `rihal-review-adversarial-general` skill.
+   **Subagent mapping** (issue #720): the three reviewer roles below map to actual agents shipped in `.claude/agents/`. The skill names that used to be referenced here (`rihal-review-adversarial-general`, `rihal-review-edge-case-hunter`) are skills, not subagents, and `Task(subagent_type=...)` cannot reach them. Use the agents listed.
 
-   - **Edge Case Hunter** — receives `{diff_output}` and read access to the project. Invoke via the `rihal-review-edge-case-hunter` skill.
+   - **Blind Hunter** — receives `{diff_output}` only. No spec, no context docs, no project access. Dispatch:
+     `Task(subagent_type="rihal-security-adversary", model="sonnet", prompt="<adversarial review of diff>")`. The security-adversary persona's cynical mindset is the right fit for an isolated diff-only review.
 
-   - **Acceptance Auditor** (only if `{review_mode}` = `"full"`) — receives `{diff_output}`, the content of the file at `{spec_file}`, and any loaded context docs. Its prompt:
+   - **Edge Case Hunter** — receives `{diff_output}` and read access to the project. Dispatch:
+     `Task(subagent_type="rihal-edge-case-hunter", model="sonnet", prompt="<enumerate edge cases for diff>")`.
+
+   - **Acceptance Auditor** (only if `{review_mode}` = `"full"`) — receives `{diff_output}`, the content of the file at `{spec_file}`, and any loaded context docs. Dispatch via `rihal-code-reviewer`. Its prompt:
      > You are an Acceptance Auditor. Review this diff against the spec and context docs. Check for: violations of acceptance criteria, deviations from spec intent, missing implementation of specified behavior, contradictions between spec constraints and actual code. Output findings as a Markdown list. Each finding: one-line title, which AC/constraint it violates, and evidence from the diff.
 
 3. **Subagent failure handling**: If any subagent fails, times out, or returns empty results, append the layer name to `{failed_layers}` (comma-separated) and proceed with findings from the remaining layers.

package/rihal/skills/agents/majlis-council/SKILL.md

@@ -59,7 +59,7 @@ Majlis (مجلس) is the consulting council. Convenes specialists when a questio
 | DM | Decision matrix — walk through a specific choice with pros/cons per agent | `rihal-majlis-decision` |
 | CM | Crisis mode — rapid consultation during an incident | `rihal-majlis-crisis` |
 
-## Consultation Protocol
+## Workflow
 
 1. **Frame the question** — restate clearly so every agent answers the same question.
 2. **Determine the council** — identify which agents' domains are relevant (3 minimum, 12 maximum, 3-8 ideal).

package/rihal/team.yaml

@@ -520,3 +520,35 @@ tactical_agents:
     role: Verifier
     authority_level: quality
     description: Verifies phase goal achievement goal-backward
+
+  - id: rihal-i18n-auditor
+    name: i18n Auditor
+    file_path: rihal/agents/rihal-i18n-auditor.md
+    skill_path: rihal/skills/agents/rihal-i18n-auditor
+    role: i18n Auditor
+    authority_level: quality
+    description: Detects hardcoded English strings, missing response_language threading, and RTL layout gaps
+
+  - id: rihal-cross-platform-auditor
+    name: Cross-Platform Auditor
+    file_path: rihal/agents/rihal-cross-platform-auditor.md
+    skill_path: rihal/skills/agents/rihal-cross-platform-auditor
+    role: Cross-Platform Auditor
+    authority_level: quality
+    description: Detects bash-isms, macOS-only flags, hardcoded Unix paths, and CRLF line endings
+
+  - id: rihal-dep-auditor
+    name: Dep Auditor
+    file_path: rihal/agents/rihal-dep-auditor.md
+    skill_path: rihal/skills/agents/rihal-dep-auditor
+    role: Dependency Health Auditor
+    authority_level: quality
+    description: Scans for outdated packages, CVEs, unused dependencies, and loose version pins
+
+  - id: rihal-observability-auditor
+    name: Observability Auditor
+    file_path: rihal/agents/rihal-observability-auditor.md
+    skill_path: rihal/skills/agents/rihal-observability-auditor
+    role: Observability Auditor
+    authority_level: quality
+    description: Detects unguarded shell calls, unchecked Task() results, and missing INIT .ok checks

package/server/dashboard.js

@@ -79,7 +79,7 @@ const server = http.createServer((req, res) => {
   res.end('Not found');
 });
 
-server.listen(PORT, () => {
+server.listen(PORT, '127.0.0.1', () => {
   console.log(`\n🕌 Majlis (مجلس) — Rihal Code Dashboard`);
   console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
   console.log(`   Mode:       view-only`);

package/server/lib/api.js

@@ -132,6 +132,13 @@ function handleApiFile(req, res, projectRoot) {
   if (!resolved.startsWith(projectRoot + path.sep) && resolved !== projectRoot) {
     res.writeHead(403); res.end('Forbidden'); return;
   }
+  // Dereference symlinks so a symlink outside projectRoot cannot bypass the guard
+  let realResolved;
+  try { realResolved = fs.realpathSync(resolved); }
+  catch { res.writeHead(404); res.end('File not found'); return; }
+  if (!realResolved.startsWith(projectRoot + path.sep) && realResolved !== projectRoot) {
+    res.writeHead(403); res.end('Forbidden'); return;
+  }
   if (!resolved.endsWith('.md')) {
     res.writeHead(403); res.end('Forbidden: only .md files'); return;
   }

package/server/lib/html/client.js

@@ -29,9 +29,9 @@ function chip(s) {
     : s === 'blocked' ? 'blocked'
     : s === 'planned' ? 'planned'
     : s === 'todo' ? 'todo' : 'other';
-  return '<span class="status-chip ' + c + '">● ' + s + '</span>';
+  return '<span class="status-chip ' + c + '">● ' + esc(s) + '</span>';
 }
-function tag(t) { return '<span class="tag">' + t + '</span>'; }
+function tag(t) { return '<span class="tag">' + esc(t) + '</span>'; }
 function esc(s) { return String(s || '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;'); }
 function pct(d, t) { return t > 0 ? Math.round(d/t*100) + '%' : '—'; }
 function pctNum(d, t) { return t > 0 ? Math.round(d/t*100) : 0; }