@hanzlaa/rcode 3.4.32 → 3.5.0

package/rihal/workflows/execute-milestone.md

@@ -0,0 +1,139 @@
+<purpose>
+Execute all phases in the current milestone in dependency order, with verify gates between waves. Closes #738.
+Reads the ROADMAP.md to determine phase ordering, executes each phase via /rihal-execute, runs /rihal-verify after each, and surfaces blockers before advancing.
+</purpose>
+
+<required_reading>
+@.rihal/references/output-format.md
+Read all files referenced by the invoking prompt's execution_context before starting.
+</required_reading>
+
+## 1. Parse arguments and load context
+
+Parse `$ARGUMENTS`:
+- `--milestone <name>` — filter to a named milestone (optional; default: current milestone from state)
+- `--dry-run` — show execution plan without spawning agents
+- `--skip-verify` — skip the verify gate between phases (fast mode, not recommended)
+- `--wave <N>` — start from wave N (resume after partial failure)
+- `--phase <N>` — execute only this phase (single-phase mode)
+
+```bash
+INIT_JSON=$(node ".rihal/bin/rihal-tools.cjs" state read 2>/dev/null || echo '{}')
+CURRENT_MILESTONE=$(echo "$INIT_JSON" | grep -o '"current_milestone":"[^"]*"' | cut -d'"' -f4 || echo '')
+MILESTONE_TARGET="${MILESTONE_ARG:-$CURRENT_MILESTONE}"
+```
+
+## 2. Load phase dependency order
+
+Read `.planning/ROADMAP.md` and extract phases for the target milestone in order. For each phase, note its status in `state.json`.
+
+```bash
+ROADMAP_PHASES=$(node ".rihal/bin/rihal-tools.cjs" roadmap list-phases 2>/dev/null || echo '[]')
+```
+
+Filter to phases with status `planned` or `in_progress`. Already `complete` phases are skipped unless `--force` is passed.
+
+**Display execution plan:**
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ RIHAL ► EXECUTE MILESTONE: {MILESTONE_TARGET}
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Phases to execute:
+  Phase {N1}: {name} [planned]
+  Phase {N2}: {name} [planned]
+  ...
+
+Verify gates: {enabled|disabled}
+```
+
+If `--dry-run`: print the plan and exit without executing.
+
+## 3. Execute phases in dependency wave order
+
+For each pending phase (in ROADMAP order):
+
+**3a. Pre-phase gate:**
+```bash
+READINESS=$(node ".rihal/bin/rihal-tools.cjs" check-implementation-readiness --phase "${PHASE_NUM}" 2>/dev/null)
+READY=$(echo "$READINESS" | grep -o '"ready":true' | grep -c . || echo 0)
+```
+
+If `READY == 0` and `--skip-verify` is NOT set, print blockers and pause:
+```
+⛔ Phase {N} readiness check failed:
+{blockers}
+
+Options:
+  1. Fix blockers and re-run /rihal-execute-milestone
+  2. Skip this phase (--skip N) and continue
+  3. Abort milestone execution
+```
+
+**3b. Execute the phase:**
+```
+◆ Executing Phase {N}: {name}...
+```
+
+Invoke `/rihal-execute {PHASE_NUM}` via Skill or Agent dispatch.
+
+**3c. Verify gate (unless --skip-verify):**
+
+After each phase execution completes:
+```bash
+VERIFY_RESULT=$(node ".rihal/bin/rihal-tools.cjs" state read | grep -o '"status":"[^"]*"' | head -1 || echo '"status":"unknown"')
+```
+
+Spawn `rihal-verifier` for the phase. On `FAIL` or `PARTIAL`:
+```
+⚠ Verify gate: Phase {N} — {FAIL|PARTIAL}
+
+Gap count: {N}
+Recommendation: Run /rihal-sprint-plan {N} --gaps to close before advancing.
+
+Options:
+  1. Close gaps now (spawn /rihal-sprint-plan --gaps)  [Recommended]
+  2. Advance anyway (log gap, continue to next phase)
+  3. Abort milestone execution
+```
+
+**3d. Record completion:**
+```bash
+node ".rihal/bin/rihal-tools.cjs" state set-phase "${PHASE_NAME}" 2>/dev/null || true
+```
+
+## 4. Milestone completion summary
+
+After all phases complete:
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ RIHAL ► MILESTONE COMPLETE ✓  {MILESTONE_TARGET}
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Phases executed:   {N}
+Phases skipped:    {M}
+Verify gaps found: {K}
+
+Next step: /rihal-complete-milestone
+```
+
+## Output Format
+
+Open with banner (see step 2). Closure banner (see step 4).
+
+Per-phase lines:
+```
+✓ Phase {N}: {name} — complete
+⚠ Phase {N}: {name} — partial (gaps logged)
+✗ Phase {N}: {name} — failed (blocked)
+```
+
+## Examples
+
+**Happy path:** `/rihal-execute-milestone` → executes all planned phases in order with verify gates.
+
+**Single phase:** `/rihal-execute-milestone --phase 7` → equivalent to `/rihal-execute 7` but with the milestone verify gate wired in.
+
+**Resume:** `/rihal-execute-milestone --wave 3` → skip waves 1-2 (already complete), start from wave 3.
+
+**Dry run:** `/rihal-execute-milestone --dry-run` → print execution plan, exit.

package/rihal/workflows/execute-regression-gates.md

@@ -70,7 +70,7 @@ build/types pass because TypeScript types come from config, not the live databas
 **Run after execution completes but BEFORE verification marks success.**
 
 ```bash
-SCHEMA_DRIFT=$(node ".rihal/bin/rihal-tools.cjs" verify schema-drift "${PHASE_NUMBER}" 2>/dev/null)
+SCHEMA_DRIFT=$(node ".rihal/bin/rihal-tools.cjs" verify schema-drift "${PHASE_NUMBER}" 2>/dev/null || echo '{"ok":false,"drift_detected":true,"blocking":true,"message":"schema-drift command failed — treating as drift to fail safe"}')
 ```
 
 Parse JSON result for: `drift_detected`, `blocking`, `schema_files`, `orms`, `unpushed_orms`, `message`.

package/rihal/workflows/execute-sprint.md

@@ -25,7 +25,9 @@ INIT=$(node ".rihal/bin/rihal-tools.cjs" init execute "${PHASE}")
 if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
 ```
 
-Extract from init JSON: `executor_model`, `commit_docs`, `sub_repos`, `phase_dir`, `phase_number`, `plans`, `summaries`, `incomplete_plans`, `state_path`, `config_path`.
+Extract from init JSON: `executor_model`, `commit_docs`, `sub_repos`, `phase_dir`, `phase_number`, `plans`, `summaries`, `incomplete_plans`, `state_path`, `config_path`, `response_language`.
+
+**If `response_language` is set:** include `Respond in {response_language}.` in every spawned subagent prompt (executor, debugger, gap-closer). VERIFICATION.md, SUMMARY.md, and any human-facing prose must be written in that language. Code, identifiers, commit messages, and file paths stay English.
 
 If `.planning/` missing: error.
 </step>
@@ -41,7 +43,12 @@ Find first PLAN without matching SUMMARY. Decimal phases supported (`01.1-hotfix
 
 ```bash
 PHASE=$(echo "$PLAN_PATH" | grep -oE '[0-9]+(\.[0-9]+)?-[0-9]+')
-# config settings can be fetched via rihal-tools config-get if needed
+
+# Scoped yolo check — closes #739. Honours yolo_scope and yolo_ttl from config.
+PHASE_NUM=$(echo "$PHASE" | grep -oE '^[0-9]+(\.[0-9]+)?')
+YOLO_STATUS=$(node ".rihal/bin/rihal-tools.cjs" config-check-yolo --phase "${PHASE_NUM}" --workflow execute-sprint 2>/dev/null || echo '{"active":false}')
+YOLO_ACTIVE=$(echo "$YOLO_STATUS" | grep -o '"active":true' | grep -c . || echo 0)
+[ "$YOLO_ACTIVE" -gt 0 ] && CONFIG_MODE="yolo" || CONFIG_MODE=$(node ".rihal/bin/rihal-tools.cjs" config-get mode 2>/dev/null || echo "guided")
 ```
 
 <if mode="yolo">
@@ -335,6 +342,51 @@ If new untracked files appeared after running scripts or tools, decide for each:
 
 </task_commit>
 
+<post_step_revert_gate>
+## Post-Step Revert Detection Gate (closes #737)
+
+After committing each task, run a diff check to detect accidental reverts. This catches the class of bug where a task's implementation unknowingly undoes work from a previous task or wave.
+
+**When to run:** After every `git commit` that records a task completion (not after TDD RED commits or style-only commits).
+
+**Detection:**
+```bash
+# Compare current HEAD against the commit that started this plan execution
+# PLAN_START_SHA is captured at plan execution start (before first task commit)
+PLAN_START_SHA="${PLAN_START_SHA:-$(git rev-parse HEAD~${COMPLETED_TASK_COUNT:-1} 2>/dev/null || echo '')}"
+
+if [[ -n "$PLAN_START_SHA" ]]; then
+  REVERTED_FILES=$(git diff --name-only "${PLAN_START_SHA}"..HEAD | xargs -I{} sh -c \
+    'git show '"$PLAN_START_SHA"':{} 2>/dev/null | diff - <(git show HEAD:{} 2>/dev/null) >/dev/null 2>&1 && echo {}' 2>/dev/null || true)
+fi
+
+# Simpler check: look for net-zero or net-negative line delta on committed source files
+STAGED_SUMMARY=$(git diff --stat HEAD~1..HEAD 2>/dev/null | tail -1)
+```
+
+**Revert signal heuristics — flag for review if:**
+1. A source file that was modified by a *previous* task (visible in `git log --oneline -10 -- <file>`) has FEWER lines now than at `PLAN_START_SHA`.
+2. A function or class that was added in a prior task is no longer present in the file at `HEAD`.
+3. `git diff --stat HEAD~1..HEAD` shows a large deletion count with no corresponding additions.
+
+**On revert signal detected:**
+```
+⚠ Revert signal on task {N}: {file} appears to have fewer lines than at plan start.
+  Plan start SHA: {PLAN_START_SHA}
+  Current HEAD:   {current_hash}
+
+Review with: git diff {PLAN_START_SHA}..HEAD -- {file}
+
+Options:
+  a) The reduction is intentional (refactor/simplification) — continue
+  b) Work was accidentally overwritten — fix before proceeding
+```
+
+Pause and present this to the user. Do NOT auto-continue on a revert signal. If the user confirms it's intentional, continue. If it's an accidental revert, restore the lost work before committing the next task.
+
+**Performance:** Skip this check on tasks with zero deletions (`git diff --stat HEAD~1..HEAD | grep -q ' 0 deletions'`) — deletions are the precursor to a revert; pure additions cannot revert prior work.
+</post_step_revert_gate>
+
 <step name="checkpoint_protocol">
 On `type="checkpoint:*"`: automate everything possible first. Checkpoints are for verification/decisions only.
 

package/rihal/workflows/execute-verify-phase-goal.md

@@ -9,10 +9,12 @@ Verify phase achieved its GOAL, not just completed tasks.
 VERIFIER_SKILLS=$(node ".rihal/bin/rihal-tools.cjs" agent-skills rihal-verifier 2>/dev/null)
 ```
 
+If init JSON has `response_language` set, prepend `Respond in {response_language}.` to the prompt and require VERIFICATION.md prose (rationale, gap descriptions, human_verification items) to be written in that language. Status keys, file paths, and requirement IDs stay English.
+
 ```
 Task(
   description="Verify phase {phase_number} goal achievement",
-  prompt="Verify phase {phase_number} goal achievement.
+  prompt="${response_language ? `Respond in ${response_language}. Write VERIFICATION.md prose in ${response_language}; keep status keys, file paths, and requirement IDs in English.\n\n` : ''}Verify phase {phase_number} goal achievement.
 Phase directory: {phase_dir}
 Phase goal: {goal from ROADMAP.md}
 Phase requirement IDs: {phase_req_ids}
@@ -33,14 +35,19 @@ ${CONTEXT_WINDOW >= 500000 ? `- {phase_dir}/*-CONTEXT.md (User decisions — ver
 
 ${VERIFIER_SKILLS}",
   subagent_type="rihal-verifier",
-  model="sonnet",
   model="{verifier_model}"
 )
 ```
 
-Read status:
+Read status (fail-safe: missing or empty file means verifier never produced a result):
 ```bash
-grep "^status:" "$PHASE_DIR"/*-VERIFICATION.md | cut -d: -f2 | tr -d ' '
+VERIFICATION_FILE=$(ls "$PHASE_DIR"/*-VERIFICATION.md 2>/dev/null | head -1)
+if [ -z "$VERIFICATION_FILE" ] || [ ! -s "$VERIFICATION_FILE" ]; then
+  VERIFY_STATUS="verifier_failed"
+else
+  VERIFY_STATUS=$(grep "^status:" "$VERIFICATION_FILE" | head -1 | cut -d: -f2 | tr -d ' ')
+  [ -z "$VERIFY_STATUS" ] && VERIFY_STATUS="verifier_failed"
+fi
 ```
 
 | Status | Action |
@@ -48,6 +55,26 @@ grep "^status:" "$PHASE_DIR"/*-VERIFICATION.md | cut -d: -f2 | tr -d ' '
 | `passed` | → update_roadmap |
 | `human_needed` | Present items for human testing, get approval or feedback |
 | `gaps_found` | Present gap summary, offer `/rihal-plan {phase} --gaps ${Rihal_WS}` |
+| `verifier_failed` | Abort: VERIFICATION.md missing/empty/unparseable. Do NOT mark phase complete. Print the verifier-failure message below and exit 1. |
+
+**If verifier_failed:**
+
+```
+✖ Phase {X}: verifier agent did not produce a usable VERIFICATION.md.
+
+This means the rihal-verifier subagent crashed, returned no output, or wrote
+an invalid status header. The phase will NOT be marked complete.
+
+Next steps:
+  1. Re-run: /rihal-verify-phase {X}
+  2. If it fails again, check rihal-verifier prompt/skills:
+       node .rihal/bin/rihal-tools.cjs agent-skills rihal-verifier
+  3. As a last resort, manually create VERIFICATION.md and run /rihal-next.
+
+Do NOT run /rihal-next until VERIFICATION.md exists with a valid status.
+```
+
+Exit the workflow with non-zero status. Do not fall through to update_roadmap.
 
 **If human_needed:**
 

package/rihal/workflows/execute-waves.md

@@ -91,7 +91,6 @@ Execute each selected wave in sequence. Within a wave: parallel if `PARALLELIZAT
    ```
    Task(
      subagent_type="rihal-executor",
-  model="sonnet",
      description="Execute plan {plan_number} of phase {phase_number}",
      model="{executor_model}",
      isolation="worktree",
@@ -102,6 +101,13 @@ Execute each selected wave in sequence. Within a wave: parallel if `PARALLELIZAT
        Do NOT update STATE.md or ROADMAP.md — the orchestrator owns those writes after all worktree agents in the wave complete.
        </objective>
 
+       <!--
+         #721 i18n: when init JSON's response_language is set, prepend this line
+         verbatim to the prompt before the objective. Human-facing prose in
+         SUMMARY.md must be in {response_language}; code/identifiers stay English.
+       -->
+       ${response_language ? `Respond in ${response_language}. Write SUMMARY.md prose in ${response_language}; keep code, file paths, identifiers, and commit messages in English.` : ''}
+
        <worktree_branch_check>
        FIRST ACTION before any other work: verify this worktree's branch is based on the correct commit.
 
@@ -128,11 +134,33 @@ Execute each selected wave in sequence. Within a wave: parallel if `PARALLELIZAT
        <parallel_execution>
        You are running as a PARALLEL executor agent. To avoid pre-commit hook
        contention with other agents, acquire a file-based lock before each
-       commit and release it immediately after:
-
-         while ! mkdir .rihal/.commit-lock 2>/dev/null; do sleep 0.5; done
+       commit and release it immediately after. The spinlock has a 60-second
+       timeout and a stale-lock recovery (older than 5 minutes is broken):
+
+         LOCK_DIR=".rihal/.commit-lock"
+         LOCK_WAIT=0
+         LOCK_MAX=60         # seconds — abort if we never acquire
+         LOCK_STALE=300      # seconds — assume holder is dead and break
+         while ! mkdir "$LOCK_DIR" 2>/dev/null; do
+           if [ -d "$LOCK_DIR" ]; then
+             AGE=$(( $(date +%s) - $(stat -c %Y "$LOCK_DIR" 2>/dev/null || stat -f %m "$LOCK_DIR" 2>/dev/null || echo 0) ))
+             if [ "$AGE" -gt "$LOCK_STALE" ]; then
+               echo "⚠ Breaking stale commit lock (age ${AGE}s > ${LOCK_STALE}s)"
+               rmdir "$LOCK_DIR" 2>/dev/null
+               continue
+             fi
+           fi
+           if [ "$LOCK_WAIT" -ge "$LOCK_MAX" ]; then
+             echo "✖ Failed to acquire commit lock within ${LOCK_MAX}s — aborting wave" >&2
+             exit 1
+           fi
+           sleep 0.5
+           LOCK_WAIT=$(( LOCK_WAIT + 1 ))
+         done
+         trap 'rmdir "$LOCK_DIR" 2>/dev/null' EXIT
          git commit -m "..."           # hooks run normally
-         rmdir .rihal/.commit-lock
+         rmdir "$LOCK_DIR"
+         trap - EXIT
 
        Hooks run as designed for every commit. AGENTS.md forbids --no-verify;
        hook failures must be fixed at the source, not bypassed. The orchestrator

package/rihal/workflows/execute.md

@@ -142,7 +142,7 @@ Orchestrator coordinates, not executes. Each subagent loads the full execute-spr
 <runtime_compatibility>
 **Subagent spawning is runtime-specific:**
 - **Claude Code:** Uses `Task(subagent_type="rihal-executor",
-  model="sonnet", ...)` — blocks until complete, returns result
+  model="{executor_model}", ...)` — blocks until complete, returns result
 - **Copilot:** Subagent spawning does not reliably return completion signals. **Default to
   sequential inline execution**: read and follow execute-sprint.md directly for each plan
   instead of spawning parallel agents. Only attempt parallel spawning if the user
@@ -160,6 +160,7 @@ via filesystem and git state.
 <required_reading>
 @.rihal/references/auto-init-guard.md
 @.rihal/references/output-format.md
+@.rihal/references/git-preflight.md
 Read STATE.md before any operation to load project context.
 
 @.rihal/references/agent-contracts.md
@@ -628,12 +629,45 @@ ${REVIEWER_SKILLS}",
 
 **Parse severity counts:**
 ```bash
+# Fail-safe defaults — malformed/missing frontmatter must NOT bypass the gate (#602).
+# Empty string compared against an integer in bash evaluates to false, which
+# would silently let critical findings through. Default missing to a sentinel
+# that fails the gate so a bad REVIEW.md is treated as "block, ask the user".
+REVIEW_STATUS="malformed"
+CRITICAL_COUNT=0
+HIGH_COUNT=0
+MEDIUM_COUNT=0
+LOW_COUNT=0
+REVIEW_PARSE_OK=false
 if [[ -f "$REVIEW_FILE" ]]; then
-  REVIEW_STATUS=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE" | grep "^status:" | head -1 | cut -d: -f2 | tr -d ' ')
-  CRITICAL_COUNT=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE" | grep "^critical:" | head -1 | cut -d: -f2 | tr -d ' ')
-  HIGH_COUNT=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE" | grep "^high:" | head -1 | cut -d: -f2 | tr -d ' ')
-  MEDIUM_COUNT=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE" | grep "^medium:" | head -1 | cut -d: -f2 | tr -d ' ')
-  LOW_COUNT=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE" | grep "^low:" | head -1 | cut -d: -f2 | tr -d ' ')
+  FRONTMATTER=$(sed -n '/^---$/,/^---$/p' "$REVIEW_FILE")
+  PARSED_STATUS=$(echo "$FRONTMATTER" | grep "^status:" | head -1 | cut -d: -f2 | tr -d ' ')
+  PARSED_CRIT=$(echo "$FRONTMATTER"   | grep "^critical:" | head -1 | cut -d: -f2 | tr -d ' ')
+  PARSED_HIGH=$(echo "$FRONTMATTER"   | grep "^high:"     | head -1 | cut -d: -f2 | tr -d ' ')
+  PARSED_MED=$(echo "$FRONTMATTER"    | grep "^medium:"   | head -1 | cut -d: -f2 | tr -d ' ')
+  PARSED_LOW=$(echo "$FRONTMATTER"    | grep "^low:"      | head -1 | cut -d: -f2 | tr -d ' ')
+  # Accept the parse only when status + all four counts are present AND counts
+  # are pure digits. Anything else = malformed → block and ask.
+  if [[ -n "$PARSED_STATUS" \
+        && "$PARSED_CRIT" =~ ^[0-9]+$ \
+        && "$PARSED_HIGH" =~ ^[0-9]+$ \
+        && "$PARSED_MED"  =~ ^[0-9]+$ \
+        && "$PARSED_LOW"  =~ ^[0-9]+$ ]]; then
+    REVIEW_STATUS="$PARSED_STATUS"
+    CRITICAL_COUNT="$PARSED_CRIT"
+    HIGH_COUNT="$PARSED_HIGH"
+    MEDIUM_COUNT="$PARSED_MED"
+    LOW_COUNT="$PARSED_LOW"
+    REVIEW_PARSE_OK=true
+  fi
+fi
+
+# Malformed REVIEW.md = treat as a blocking finding. The gate must NEVER
+# silently pass when it can't read the report (#602).
+if [[ "$REVIEW_PARSE_OK" != "true" ]]; then
+  echo "⛔ Code review gate: REVIEW.md missing or malformed at ${REVIEW_FILE}."
+  echo "   Cannot determine severity counts. Treating as blocking — re-run the reviewer."
+  CRITICAL_COUNT=1   # force the gate to block; user can override below
 fi
 ```
 

package/rihal/workflows/help.md

@@ -85,7 +85,7 @@ init → new-project → plan → execute → next → status → ship
 ├── STATE.md              # project memory
 └── phases/
     └── 01-foundation/
-        ├── 01-01-SPRINT.md   # the plan
+        ├── 01-1-SPRINT.md   # the plan
         └── 01-01-SUMMARY.md  # what got done
 ```
 

package/rihal/workflows/import.md

@@ -218,7 +218,7 @@ must_haves:
 If the imported plan references PBR plan naming (e.g., `PLAN-01.md`, `plan-01.md`), rename all references to RIHAL `{NN}-{MM}-SPRINT.md` convention during conversion.
 
 Apply RIHAL naming convention for the output filename:
-- Format: `{NN}-{MM}-SPRINT.md` (e.g., `04-01-SPRINT.md`)
+- Format: `{NN}-{MM}-SPRINT.md` (e.g., `04-1-SPRINT.md`)
 - NEVER use `PLAN-01.md`, `plan-01.md`, or any other format
 - NN = phase number (zero-padded), MM = plan number within the phase (zero-padded)
 

package/rihal/workflows/lens-audit.md

@@ -48,7 +48,7 @@ Lenses and their primary skills:
   8.  i18n             — rihal-i18n-auditor
   9.  documentation    — rihal-docs-auditor
   10. cross-platform   — rihal-cross-platform-auditor
-  11. karpathy         — rihal-code-reviewer + rihal-hanzla
+  11. karpathy         — rihal-code-reviewer + rihal-hanzla (incl. design-token bypass)
   12. sxo              — rihal-layla
   13. observability    — rihal-observability-auditor
   14. naming           — rihal-codebase-mapper + rihal-code-reviewer
@@ -63,7 +63,18 @@ STOP after printing help.
 TOOL="node .rihal/bin/rihal-tools.cjs"
 INIT=$($TOOL init 2>/dev/null || echo '{"ok":false}')
 MODE=$($TOOL config-get mode 2>/dev/null || echo "guided")
-RESPONSE_LANGUAGE=$($TOOL config-get response_language 2>/dev/null || echo "english")
+RESPONSE_LANGUAGE=$($TOOL config-get response_language 2>/dev/null || echo "")
+# Resolve audit model from profile (#723). Order: audit_model → default_model → sonnet.
+LENS_MODEL=$($TOOL config-get audit_model 2>/dev/null \
+  || $TOOL config-get default_model 2>/dev/null \
+  || echo "sonnet")
+# Build an imperative directive only when language is explicitly set (#721).
+# Empty RESPONSE_LANGUAGE = English default, no directive injected.
+if [ -n "$RESPONSE_LANGUAGE" ] && [ "$RESPONSE_LANGUAGE" != "english" ]; then
+  LANG_DIRECTIVE="Respond in $RESPONSE_LANGUAGE. Keep finding IDs, file paths, and CLI commands in English; localise only the human-facing prose."
+else
+  LANG_DIRECTIVE=""
+fi
 ```
 
 If INIT is empty or INIT.ok is false, print error and exit:
@@ -119,7 +130,7 @@ Set `LENSES` from the choice.
 SCOPE_DIRS="rihal/ .rihal/"
 [ -d src ] && SCOPE_DIRS="$SCOPE_DIRS src/"
 [ -d lib ] && SCOPE_DIRS="$SCOPE_DIRS lib/"
-SCOPE_SUMMARY="Scope: $SCOPE_DIRS. Response language: $RESPONSE_LANGUAGE."
+SCOPE_SUMMARY="Scope: $SCOPE_DIRS.${LANG_DIRECTIVE:+ $LANG_DIRECTIVE}"
 
 # Collect project context for richer prompts
 PROJECT_NAME=$($TOOL config-get project.name 2>/dev/null || basename "$PWD")
@@ -143,7 +154,7 @@ Never halt the whole audit because one lens's skill fails.
 ```
 PRIMARY = Task(
   subagent_type="rihal-security-auditor",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Audit-only — do NOT fix anything. {CONTEXT}
   
   Run Lens 1 (Security) audit. Check:
@@ -161,7 +172,7 @@ PRIMARY = Task(
 
 SECONDARY = Task(
   subagent_type="rihal-security-adversary",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Adversarial security review. {CONTEXT}
   
   Think like an attacker. Find exploitation paths in:
@@ -183,7 +194,7 @@ FINDINGS[security] = merge(PRIMARY, SECONDARY)
 ```
 RESULT = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Audit-only — do NOT optimize anything. {CONTEXT}
   
   Run Lens 2 (Performance) audit. Check:
@@ -209,7 +220,7 @@ FINDINGS[performance] = RESULT
 ```
 PRIMARY = Task(
   subagent_type="rihal-fatima",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Audit-only — do NOT write tests. {CONTEXT}
   
   Run Lens 3 (Testability) audit. Check:
@@ -227,7 +238,7 @@ PRIMARY = Task(
 
 SECONDARY = Task(
   subagent_type="rihal-edge-case-hunter",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Enumerate edge cases and boundary conditions. {CONTEXT}
   
   Find:
@@ -249,7 +260,7 @@ FINDINGS[testability] = merge(PRIMARY, SECONDARY)
 ```
 RESULT = Task(
   subagent_type="rihal-waleed",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Architecture audit — do NOT redesign anything. {CONTEXT}
   
   Run Lens 4 (Extensibility) audit. Check:
@@ -275,7 +286,7 @@ FINDINGS[extensibility] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Audit-only — do NOT install or update packages. {CONTEXT}
   
   Run Lens 5 (Dep Health) audit:
@@ -301,7 +312,7 @@ FINDINGS[dep-health] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-debugger",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Error recovery audit — do NOT fix anything. {CONTEXT}
   
   Run Lens 6 (Error Recovery) audit. Find missing error handling:
@@ -328,7 +339,7 @@ FINDINGS[error-recovery] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-deviation-analyzer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="State machine audit — do NOT modify state. {CONTEXT}
   
   Run Lens 7 (State Machine) audit. Check:
@@ -354,7 +365,7 @@ FINDINGS[state-machine] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-i18n-auditor",
-  model="sonnet",
+  model="{lens_model}",
   prompt="i18n audit — do NOT add translations. {CONTEXT}
   
   Run Lens 8 (i18n) audit. Check:
@@ -380,7 +391,7 @@ FINDINGS[i18n] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-docs-auditor",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Documentation audit — do NOT write docs. {CONTEXT}
   
   Run Lens 9 (Documentation) audit. Check:
@@ -406,7 +417,7 @@ FINDINGS[documentation] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Cross-platform audit — do NOT fix scripts. {CONTEXT}
   
   Run Lens 10 (Cross-platform) audit. Check:
@@ -433,7 +444,7 @@ FINDINGS[cross-platform] = RESULT
 ```
 PRIMARY = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Karpathy 4-principle audit — do NOT fix code. {CONTEXT}
   
   Run Lens 11 (Karpathy) audit against recent changes (HEAD~20..HEAD):
@@ -442,6 +453,9 @@ PRIMARY = Task(
   Principle 2 (Simplicity First): dead code, unused imports, speculative abstractions
   Principle 3 (Surgical Changes): whitespace-only diffs, reformatting unrelated code
   Principle 4 (Goal-Driven Execution): TODOs, stubs, not-implemented errors, mock data
+  Design-token bypass (#660): raw hex/rgb/hsl/named colors in CSS outside :root
+    or @theme blocks. Two-stage check per @.rihal/references/design-tokens.md.
+    Honor .rihal/design-tokens-allowlist.txt waivers.
   
   Return: file:line — principle N violation — description [critical|warn|info]
   If clean: PASS"
@@ -449,7 +463,7 @@ PRIMARY = Task(
 
 SECONDARY = Task(
   subagent_type="rihal-hanzla",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Implementation quality audit — do NOT refactor. {CONTEXT}
   
   Review recent code (HEAD~10..HEAD) for:
@@ -457,6 +471,8 @@ SECONDARY = Task(
   - Code that could be 3 lines but is 30
   - Unclear variable/function names
   - Missing error messages that would help debug production failures
+  - Design-token bypass: raw hex in CSS classes when a semantic role exists
+    (per @.rihal/references/design-tokens.md)
   
   Return: file:line — description [warn|info]
   If clean: PASS"
@@ -472,7 +488,7 @@ FINDINGS[karpathy] = merge(PRIMARY, SECONDARY)
 ```
 RESULT = Task(
   subagent_type="rihal-layla",
-  model="sonnet",
+  model="{lens_model}",
   prompt="UX flow audit — do NOT redesign flows. {CONTEXT}
   
   Run Lens 12 (SXO/UX) audit on rihal workflows. Check:
@@ -498,7 +514,7 @@ FINDINGS[sxo] = RESULT
 ```
 RESULT = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Observability audit — do NOT add instrumentation. {CONTEXT}
   
   Run Lens 13 (Observability) audit. Check:
@@ -525,7 +541,7 @@ FINDINGS[observability] = RESULT
 ```
 PRIMARY = Task(
   subagent_type="rihal-codebase-mapper",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Naming consistency audit — do NOT rename anything. {CONTEXT}
   
   Run Lens 14 (Naming) audit. Produce a CONVENTIONS scan:
@@ -541,7 +557,7 @@ PRIMARY = Task(
 
 SECONDARY = Task(
   subagent_type="rihal-code-reviewer",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Variable naming audit in recent code changes. {CONTEXT}
   
   Review HEAD~10..HEAD for:
@@ -563,7 +579,7 @@ FINDINGS[naming] = merge(PRIMARY, SECONDARY)
 ```
 PRIMARY = Task(
   subagent_type="rihal-nyquist-auditor",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Coverage audit — do NOT generate tests. {CONTEXT}
   
   Run Lens 15 (Coverage) audit. Fill Nyquist gaps:
@@ -579,7 +595,7 @@ PRIMARY = Task(
 
 SECONDARY = Task(
   subagent_type="rihal-fatima",
-  model="sonnet",
+  model="{lens_model}",
   prompt="Release gate — coverage quality check. {CONTEXT}
   
   Review test strategy gaps: