@hanzlaa/rcode 3.4.32 → 3.5.0

package/rihal/workflows/session-report.md

@@ -75,7 +75,40 @@ Extract counts:
 - **Chains:** count of `*-chain.md` files
 - **Discusses:** count of `*-discuss.md` files
 
-## Step 5 — Estimate token usage
+## Step 5 — Token usage (measured or estimated)
+
+### Step 5a — Prefer measured totals from cost.jsonl
+
+If the `cost-track` hook (#745) is enabled, it appends one usage record per
+response to `.rihal/telemetry/cost.jsonl`. Check for it first:
+
+```bash
+test -f .rihal/telemetry/cost.jsonl && echo "measured" || echo "estimated"
+```
+
+**If `.rihal/telemetry/cost.jsonl` exists:** sum the `input_tokens` and
+`output_tokens` across every line and report the **measured** totals — label
+them clearly as "measured":
+
+```bash
+node -e "
+const fs=require('fs');
+let i=0,o=0,n=0;
+for(const l of fs.readFileSync('.rihal/telemetry/cost.jsonl','utf8').split('\n').filter(Boolean)){
+  try{const r=JSON.parse(l);i+=r.input_tokens||0;o+=r.output_tokens||0;n++;}catch{}
+}
+console.log('responses='+n,'input='+i,'output='+o,'total='+(i+o));
+"
+```
+
+Report: `Total (measured): {input} input + {output} output = {total} tokens
+across {responses} responses`. Skip the heuristic estimate below — measured
+data supersedes it.
+
+**If `.rihal/telemetry/cost.jsonl` does NOT exist:** fall back to the heuristic
+estimate in Step 5b and label the result "estimated".
+
+### Step 5b — Heuristic estimate (fallback only)
 
 Calculate estimated tokens (note: these are rough approximations, not actual measurements).
 
@@ -135,9 +168,16 @@ Write `.planning/SESSION-REPORT-{YYYY-MM-DD-HHmmss}.md` with this structure:
 - **Blockers Identified:** {count} ({open_count} open)
 - **Commits:** {count}
 
-## Estimated Token Usage
+## Token Usage ({measured|estimated})
+
+**If cost.jsonl exists — measured:**
+
+- Responses tracked: {count}
+- Input tokens: {input}
+- Output tokens: {output}
+- **Total (measured): {grand_total} tokens**
 
-**Note:** Token estimates are approximations based on artifact counts.
+**If cost.jsonl absent — estimated** (approximations based on artifact counts):
 
 - Council Sessions: {count} × 50K = {total}K
 - Chains: {count} × 30K = {total}K

package/rihal/workflows/verify-work.md

@@ -523,7 +523,7 @@ Plans must be executable prompts.
 </downstream_consumer>
 """,
   subagent_type="rihal-planner",
-  model="sonnet",
+  model="{model}",
   model="{planner_model}",
   description="Plan gap fixes for Phase {phase}"
 )
@@ -573,7 +573,7 @@ Return one of:
 </expected_output>
 """,
   subagent_type="rihal-sprint-checker",
-  model="sonnet",
+  model="{model}",
   model="{checker_model}",
   description="Verify Phase {phase} fix plans"
 )
@@ -618,7 +618,7 @@ Do NOT replan from scratch unless issues are fundamental.
 </instructions>
 """,
   subagent_type="rihal-planner",
-  model="sonnet",
+  model="{model}",
   model="{planner_model}",
   description="Revise Phase {phase} plans"
 )

package/server/dashboard.js

@@ -20,8 +20,10 @@
  * Stop: kill $(lsof -t -i:7717)
  */
 
-const http = require('http');
-const path = require('path');
+const http    = require('http');
+const path    = require('path');
+const crypto  = require('crypto');
+const { spawn } = require('child_process');
 
 const { scanState } = require('./lib/scanner');
 const { handleApiState, handleApiFiles, handleApiFile, handleApiHierarchy, handleApiMemory } = require('./lib/api');
@@ -32,6 +34,9 @@ const PORT = parseInt(process.env.PORT || '7717', 10);
 const RIHAL_DIR = process.env.RIHAL_DIR || path.join(process.cwd(), '.rihal');
 const PROJECT_ROOT = path.dirname(RIHAL_DIR);
 
+// Shared orchestrator token — generated once, passed to orchestrator via env and embedded in HTML
+const ORCH_TOKEN = process.env.ORCH_TOKEN || crypto.randomBytes(24).toString('hex');
+
 // ---------- HTTP Server ----------
 const server = http.createServer((req, res) => {
   const url = req.url || '/';
@@ -69,7 +74,7 @@ const server = http.createServer((req, res) => {
 
   if (url === '/' || url === '/index.html') {
     const state = scanState(RIHAL_DIR);
-    const html = renderHtml(state);
+    const html = renderHtml(state, ORCH_TOKEN);
     res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
     res.end(html);
     return;
@@ -79,7 +84,7 @@ const server = http.createServer((req, res) => {
   res.end('Not found');
 });
 
-server.listen(PORT, () => {
+server.listen(PORT, '127.0.0.1', () => {
   console.log(`\n🕌 Majlis (مجلس) — Rihal Code Dashboard`);
   console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
   console.log(`   Mode:       view-only`);
@@ -91,6 +96,48 @@ server.listen(PORT, () => {
   console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
 });
 
+// ── Auto-spawn orchestrator (port 7718) ──────────────────────────
+const ORCH_BIN = path.join(__dirname, 'orchestrator.js');
+let _orchProc = null;
+
+function spawnOrchestrator() {
+  try {
+    _orchProc = spawn(process.execPath, [ORCH_BIN], {
+      cwd: path.join(__dirname, '..'),
+      env: { ...process.env, ORCH_TOKEN },
+      stdio: 'pipe',
+    });
+    _orchProc.stdout.on('data', chunk => {
+      const msg = chunk.toString().trim();
+      if (msg) console.log('[orch]', msg);
+    });
+    _orchProc.stderr.on('data', chunk => {
+      const msg = chunk.toString().trim();
+      if (msg && !msg.includes('no stdin')) console.error('[orch]', msg);
+    });
+    _orchProc.on('exit', (code, signal) => {
+      _orchProc = null;
+      if (signal !== 'SIGTERM' && signal !== 'SIGINT') {
+        console.log(`[orch] exited (${code}) — restarting in 3s…`);
+        setTimeout(spawnOrchestrator, 3000);
+      }
+    });
+    _orchProc.on('error', err => {
+      console.error('[orch] spawn error:', err.message);
+      _orchProc = null;
+    });
+    console.log('[orch] orchestrator started (port 7718)');
+  } catch (err) {
+    console.error('[orch] failed to start:', err.message);
+  }
+}
+
+spawnOrchestrator();
+
 // Graceful shutdown
-process.on('SIGTERM', () => server.close(() => process.exit(0)));
-process.on('SIGINT',  () => server.close(() => process.exit(0)));
+function shutdown() {
+  if (_orchProc) { try { _orchProc.kill('SIGTERM'); } catch {} }
+  server.close(() => process.exit(0));
+}
+process.on('SIGTERM', shutdown);
+process.on('SIGINT',  shutdown);

package/server/lib/api.js

@@ -132,6 +132,13 @@ function handleApiFile(req, res, projectRoot) {
   if (!resolved.startsWith(projectRoot + path.sep) && resolved !== projectRoot) {
     res.writeHead(403); res.end('Forbidden'); return;
   }
+  // Dereference symlinks so a symlink outside projectRoot cannot bypass the guard
+  let realResolved;
+  try { realResolved = fs.realpathSync(resolved); }
+  catch { res.writeHead(404); res.end('File not found'); return; }
+  if (!realResolved.startsWith(projectRoot + path.sep) && realResolved !== projectRoot) {
+    res.writeHead(403); res.end('Forbidden'); return;
+  }
   if (!resolved.endsWith('.md')) {
     res.writeHead(403); res.end('Forbidden: only .md files'); return;
   }