@paths.design/caws-cli 10.0.1 → 10.2.0

package/dist/commands/specs.js

@@ -16,8 +16,9 @@ const { SPEC_TYPES } = require('../constants/spec-types');
 const { suggestFeatureBreakdown } = require('../utils/spec-resolver');
 const { findProjectRoot } = require('../utils/detection');
 const { loadRegistry: loadWorktreeRegistry, getRepoRoot } = require('../worktree/worktree-manager');
-const { getAgentSessionId } = require('../utils/agent-session');
+const { getAgentSessionId, refreshAgentClaim } = require('../utils/agent-session');
 const { initializeState, saveState, deleteState } = require('../utils/working-state');
+const { appendEvent } = require('../utils/event-log');
 
 /**
  * Check if a spec is referenced by any active worktree.
@@ -56,6 +57,35 @@ function getSpecsDir() {
 function getSpecsRegistry() {
   return path.join(findProjectRoot(), '.caws', 'specs', 'registry.json');
 }
+
+function detectCurrentWorktreeName() {
+  const cwd = process.cwd().replace(/\\/g, '/');
+  const worktreeMatch = cwd.match(/\/\.caws\/worktrees\/([^/]+)(?:\/|$)/);
+  if (worktreeMatch) {
+    return worktreeMatch[1];
+  }
+
+  try {
+    const root = getRepoRoot();
+    const branch = require('child_process')
+      .execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
+        cwd: root,
+        encoding: 'utf8',
+        stdio: 'pipe',
+      })
+      .trim();
+    const registry = loadWorktreeRegistry(root);
+    for (const [name, entry] of Object.entries(registry.worktrees || {})) {
+      if (entry.branch === branch && entry.status !== 'destroyed' && entry.status !== 'merged') {
+        return name;
+      }
+    }
+  } catch {
+    // Best-effort only; specs can still be created outside a worktree.
+  }
+
+  return null;
+}
 // Legacy constants kept for backward compatibility in tests
 const SPECS_DIR = '.caws/specs';
 const SPECS_REGISTRY = '.caws/specs/registry.json';
@@ -194,6 +224,17 @@ function normalizeSpecForValidation(spec = {}) {
  * List all spec files in the specs directory
  * @returns {Promise<Array>} Array of spec file info
  */
+// Files under this subdir of `.caws/specs/` are treated as archived,
+// regardless of what the YAML's `status` field says (CAWSFIX-29 invariant:
+// directory location is authoritative for archive state).
+const ARCHIVE_SUBDIR = '.archive';
+
+function isArchivePath(relPath) {
+  if (!relPath) return false;
+  const normalized = relPath.replace(/\\/g, '/');
+  return normalized === ARCHIVE_SUBDIR || normalized.startsWith(`${ARCHIVE_SUBDIR}/`);
+}
+
 async function listSpecFiles() {
   const specsDir = getSpecsDir();
   if (!(await fs.pathExists(specsDir))) {
@@ -209,13 +250,14 @@ async function listSpecFiles() {
     try {
       const content = await fs.readFile(filePath, 'utf8');
       const spec = yaml.load(content);
+      const inArchive = isArchivePath(file);
 
       specs.push({
         id: spec.id || path.basename(file, path.extname(file)),
         path: file,
         type: spec.type || 'feature',
         title: spec.title || 'Untitled',
-        status: spec.status || 'draft',
+        status: inArchive ? 'archived' : spec.status || 'draft',
         risk_tier: spec.risk_tier || 'T3',
         mode: spec.mode || 'development',
         created_at: spec.created_at || new Date().toISOString(),
@@ -259,6 +301,40 @@ async function createSpec(id, options = {}) {
   const existingSpecPath = path.join(specsDir, `${id}.yaml`);
   const specExists = await fs.pathExists(existingSpecPath);
 
+  // CAWSFIX-30: archive-collision guard. An id that lives in `.archive/`
+  // is still a taken id — surface it before going further. Detection is
+  // filesystem-driven (not registry-driven) so manually-moved legacy
+  // specs are also caught.
+  const archivedSpecPath = path.join(specsDir, ARCHIVE_SUBDIR, `${id}.yaml`);
+  const archivedExists = !specExists && (await fs.pathExists(archivedSpecPath));
+  if (archivedExists && !force) {
+    console.error(
+      chalk.red(
+        `Spec '${id}' already exists in archive: ${path.relative(findProjectRoot(), archivedSpecPath)}`
+      )
+    );
+    console.error(
+      chalk.yellow(
+        `Use --force to remove the archived copy and resurrect the id, ` +
+          `or pick a different id.`
+      )
+    );
+    throw new Error(
+      `Spec '${id}' collides with archived spec at .archive/${id}.yaml. ` +
+        `Use --force to resurrect or choose another id.`
+    );
+  }
+  if (archivedExists && force) {
+    // Resurrection: drop the archived YAML and any registry pointer so
+    // the rest of createSpec can write a fresh draft cleanly.
+    await fs.remove(archivedSpecPath);
+    const registry = await loadSpecsRegistry();
+    if (registry.specs[id]) {
+      delete registry.specs[id];
+      await saveSpecsRegistry(registry);
+    }
+  }
+
   // Handle conflict resolution
   let answer = null;
 
@@ -374,6 +450,11 @@ async function createSpec(id, options = {}) {
     contracts: [],
   };
 
+  const detectedWorktree = detectCurrentWorktreeName();
+  if (detectedWorktree) {
+    defaultSpec.worktree = detectedWorktree;
+  }
+
   // Merge template, but preserve required structure
   // Map template.criteria to acceptance if present
   const templateAcceptance = template?.criteria || template?.acceptance;
@@ -456,6 +537,67 @@ async function createSpec(id, options = {}) {
     saveState(id, initialState, findProjectRoot());
   } catch { /* non-fatal */ }
 
+  // CAWSFIX-06: warn when a feature spec is created without contracts.
+  // Contract-first development is a CAWS value proposition; empty `contracts`
+  // on a feature-type spec is discouraged but not fatal. Emit a non-fatal
+  // warning to stderr so agents and humans notice and can update the spec.
+  //
+  // Note: the spec's acceptance text uses "mode=feature" colloquially, but in
+  // CAWS the discriminator is the `type` field (feature/fix/refactor/chore),
+  // not the `mode` field (development/pilot/etc.). We key off `type` to match
+  // the --type CLI flag and the schema.
+  const specType = parsedSpec.type || type;
+  const specContracts = Array.isArray(parsedSpec.contracts) ? parsedSpec.contracts : [];
+  if (specType === 'feature' && specContracts.length === 0) {
+    console.warn(
+      chalk.yellow(
+        `⚠  Spec ${id} has mode=feature but no contracts. ` +
+          `mode=feature without contracts is discouraged — ` +
+          `run 'caws specs update ${id}' to add a contract reference.`
+      )
+    );
+  }
+
+  // EVLOG-001: emit spec_created event alongside state write.
+  //
+  // Spec-lifecycle events (spec_created / spec_closed / spec_deleted) are
+  // **informational redundancy** with the spec file + registry, which are
+  // the true sources of truth for spec identity. In contrast, the
+  // validation/evaluation/gates/verify_acs events are the ONLY record of
+  // those verification runs and losing them is real data loss.
+  //
+  // So we deliberately wrap spec-lifecycle emits in try/catch: a
+  // filesystem error here (test mocks, readonly fs, etc.) must not crash
+  // the spec create/close/delete flow, because the spec file itself is
+  // already persisted by the time we get here. This is a principled
+  // divergence from the strict contract for the observation events —
+  // see docs/internal/EVENTS_LOG_MIGRATION.md §4.5 and EVLOG-001 spec.
+  try {
+    await appendEvent(
+      {
+        actor: 'cli',
+        event: 'spec_created',
+        spec_id: id,
+        data: {
+          id,
+          type: parsedSpec.type || type,
+          title: parsedSpec.title || title,
+          risk_tier: parsedSpec.risk_tier || numericRiskTier,
+          mode: parsedSpec.mode || mode,
+        },
+      },
+      { projectRoot: findProjectRoot() }
+    );
+  } catch (err) {
+    // Surface on stderr but don't propagate — the spec is already created.
+
+    console.error(`event-log: failed to record spec_created for ${id}: ${err.message}`);
+  }
+
+  // CAWSFIX-31: refresh the current agent's claim so agents.json reflects
+  // the current spec context. Best-effort — failures must not break the op.
+  refreshAgentClaim(findProjectRoot(), { specId: id });
+
   return {
     id,
     path: fileName,
@@ -717,6 +859,23 @@ async function deleteSpec(id) {
   delete registry.specs[id];
   await saveSpecsRegistry(registry);
 
+  // EVLOG-001: emit spec_deleted event in best-effort mode. See the
+  // createSpec commentary for why spec-lifecycle events diverge from
+  // the strict fail-loud contract used by the observation events.
+  try {
+    await appendEvent(
+      { actor: 'cli', event: 'spec_deleted', spec_id: id, data: { id } },
+      { projectRoot: findProjectRoot() }
+    );
+  } catch (err) {
+
+    console.error(`event-log: failed to record spec_deleted for ${id}: ${err.message}`);
+  }
+
+  // CAWSFIX-31: every lifecycle verb refreshes for consistency, even
+  // delete (no other cleanup runs on delete; this is signal-of-presence).
+  refreshAgentClaim(findProjectRoot(), { specId: id });
+
   return true;
 }
 
@@ -769,7 +928,178 @@ async function closeSpec(id) {
     return false;
   }
 
-  return await updateSpec(id, { status: 'closed' });
+  // CAWSFIX-15: status-only flip uses targeted line-replace so the diff
+  // stays a single line. Full `updateSpec` reserializes the whole YAML,
+  // reordering fields and injecting `*ref_0` anchors for the
+  // acceptance/acceptance_criteria alias — ~20 lines of noise for what
+  // should be a one-word change.
+  const specPath = path.join(getSpecsDir(), registry.specs[id].path);
+  const original = await fs.readFile(specPath, 'utf8');
+  const nowIso = new Date().toISOString();
+  let patched = original.replace(/^status:\s*\S+\s*$/m, 'status: closed');
+  patched = patched.replace(/^updated_at:.*$/m, `updated_at: '${nowIso}'`);
+  let ok = false;
+  if (patched !== original) {
+    await fs.writeFile(specPath, patched);
+    registry.specs[id] = {
+      ...registry.specs[id],
+      status: 'closed',
+      updated_at: nowIso,
+    };
+    await saveSpecsRegistry(registry);
+    ok = true;
+  }
+
+  // EVLOG-001: emit spec_closed event after the status update succeeds.
+  // Records the prior status so the renderer can reconstruct the lifecycle.
+  // Best-effort mode — see createSpec commentary.
+  if (ok) {
+    try {
+      await appendEvent(
+        {
+          actor: 'cli',
+          event: 'spec_closed',
+          spec_id: id,
+          data: { id, prior_status: currentStatus },
+        },
+        { projectRoot: findProjectRoot() }
+      );
+    } catch (err) {
+
+      console.error(`event-log: failed to record spec_closed for ${id}: ${err.message}`);
+    }
+
+    // CAWSFIX-31: refresh agent claim — also fires on no-op closes
+    // (already-closed specs return ok=true after an early exit) only
+    // when the status actually flipped, since this is the signal that
+    // matters: the agent is currently working on this spec.
+    refreshAgentClaim(findProjectRoot(), { specId: id });
+  }
+
+  return ok;
+}
+
+/**
+ * Archive a spec: move its YAML to `.caws/specs/.archive/<id>.yaml`,
+ * flip status to `archived`, update the registry, and emit a `spec_archived`
+ * event. The archive directory is the canonical truth for archive state —
+ * the listing layer (listSpecFiles) treats any file under `.archive/` as
+ * archived regardless of the YAML literal.
+ *
+ * @param {string} id - Spec identifier
+ * @returns {Promise<boolean>} true on success (including idempotent no-ops),
+ *   false on validation/lookup failure.
+ */
+async function archiveSpec(id) {
+  // Path-traversal guard: ids must be plain filenames, not paths.
+  // Reject before touching any filesystem state.
+  if (!id || typeof id !== 'string' || path.basename(id) !== id || id.includes('..')) {
+    console.error(chalk.red(`Invalid spec id '${id}': must be a plain identifier`));
+    return false;
+  }
+
+  const registry = await loadSpecsRegistry();
+  const entry = registry.specs[id];
+  if (!entry) {
+    console.error(chalk.red(`Spec '${id}' not found`));
+    return false;
+  }
+
+  // Block if owned by another session (mirror closeSpec/deleteSpec).
+  const currentSession = getAgentSessionId(findProjectRoot());
+  if (entry.owner && currentSession && entry.owner !== currentSession) {
+    console.error(
+      chalk.red(
+        `Cannot archive spec '${id}': owned by another session (${entry.owner}). ` +
+          `Only the creator session can archive a spec.`
+      )
+    );
+    return false;
+  }
+
+  // Block if active worktrees still reference the spec — archiving removes
+  // scope enforcement and would invalidate in-flight work.
+  const referencingWorktrees = getWorktreesReferencingSpec(id);
+  if (referencingWorktrees.length > 0) {
+    const names = referencingWorktrees.join(', ');
+    console.error(
+      chalk.red(
+        `Cannot archive spec '${id}': active worktree(s) [${names}] reference it. ` +
+          `Destroy the worktree(s) first with 'caws worktree destroy <name>'.`
+      )
+    );
+    return false;
+  }
+
+  const specsDir = getSpecsDir();
+  const priorPath = entry.path;
+  const currentSpecPath = path.join(specsDir, priorPath);
+
+  // If the file is already in the archive directory, the canonical
+  // location is satisfied — just ensure the registry status agrees and exit.
+  if (isArchivePath(priorPath)) {
+    if (entry.status !== 'archived') {
+      registry.specs[id] = { ...entry, status: 'archived' };
+      await saveSpecsRegistry(registry);
+    }
+    console.log(chalk.yellow(`Spec '${id}' is already archived.`));
+    return true;
+  }
+
+  if (!(await fs.pathExists(currentSpecPath))) {
+    console.error(
+      chalk.red(`Cannot archive spec '${id}': file missing at ${currentSpecPath}`)
+    );
+    return false;
+  }
+
+  // CAWSFIX-15-style targeted rewrite: only `status:` and `updated_at:`
+  // lines move. Comments, ordering, and YAML aliases survive untouched.
+  const original = await fs.readFile(currentSpecPath, 'utf8');
+  const priorStatus = entry.status || 'draft';
+  const nowIso = new Date().toISOString();
+  let patched = original.replace(/^status:\s*\S+\s*$/m, 'status: archived');
+  patched = patched.replace(/^updated_at:.*$/m, `updated_at: '${nowIso}'`);
+
+  const archiveDir = path.join(specsDir, ARCHIVE_SUBDIR);
+  await fs.ensureDir(archiveDir);
+  const newRelPath = `${ARCHIVE_SUBDIR}/${id}.yaml`;
+  const newAbsPath = path.join(specsDir, newRelPath);
+
+  // Write the patched content to the archive location, then remove the
+  // original. fs-extra's writeFile is atomic-enough for single-file moves
+  // on the same filesystem; we avoid `move` because we already mutated content.
+  await fs.writeFile(newAbsPath, patched);
+  await fs.remove(currentSpecPath);
+
+  registry.specs[id] = {
+    ...entry,
+    path: newRelPath,
+    status: 'archived',
+    updated_at: nowIso,
+  };
+  await saveSpecsRegistry(registry);
+
+  // Best-effort event emission, matching spec_closed/spec_deleted policy:
+  // event-log failure does not roll back the archive operation.
+  try {
+    await appendEvent(
+      {
+        actor: 'cli',
+        event: 'spec_archived',
+        spec_id: id,
+        data: { id, prior_status: priorStatus, prior_path: priorPath },
+      },
+      { projectRoot: findProjectRoot() }
+    );
+  } catch (err) {
+    console.error(`event-log: failed to record spec_archived for ${id}: ${err.message}`);
+  }
+
+  // CAWSFIX-31: refresh agent claim after a successful archive transition.
+  refreshAgentClaim(findProjectRoot(), { specId: id });
+
+  return true;
 }
 
 /**
@@ -1255,6 +1585,28 @@ async function specsCommand(action, options = {}) {
           });
         }
 
+        case 'archive': {
+          if (!options.id) {
+            throw new Error('Spec ID is required. Usage: caws specs archive <id>');
+          }
+
+          const archived = await archiveSpec(options.id);
+          if (!archived) {
+            throw new Error(`Could not archive spec '${options.id}'`);
+          }
+
+          console.log(
+            chalk.green(
+              `Archived spec: ${options.id} -- moved to .caws/specs/.archive/`
+            )
+          );
+
+          return outputResult({
+            command: 'specs archive',
+            spec: options.id,
+          });
+        }
+
         case 'types': {
           console.log(chalk.bold.cyan('\nAvailable Spec Types'));
           console.log(chalk.cyan('==============================================\n'));
@@ -1273,7 +1625,7 @@ async function specsCommand(action, options = {}) {
 
         default:
           throw new Error(
-            `Unknown specs action: ${action}. Use: list, create, show, update, delete, close, conflicts, migrate, types`
+            `Unknown specs action: ${action}. Use: list, create, show, update, delete, close, archive, conflicts, migrate, types`
           );
       }
     },
@@ -1292,10 +1644,13 @@ module.exports = {
   updateSpec,
   deleteSpec,
   closeSpec,
+  archiveSpec,
   displaySpecsTable,
   displaySpecDetails,
   askConflictResolution,
+  isArchivePath,
   SPECS_DIR,
   SPECS_REGISTRY,
+  ARCHIVE_SUBDIR,
   SPEC_TYPES,
 };

package/dist/commands/status.js

@@ -12,7 +12,11 @@ const chalk = require('chalk');
 const { safeAsync, outputResult } = require('../error-handler');
 const { parallel } = require('../utils/async-utils');
 const { resolveSpec } = require('../utils/spec-resolver');
-const { loadState } = require('../utils/working-state');
+// EVLOG-002 Phase 2 read flip: status reads working state from the event log
+// via the pure renderer. loadStateFromEvents matches loadState's null contract
+// exactly, so the `ws && ws.phase !== 'not-started'` guard and the
+// `loadState(id) || null` coalesce below stay semantically correct.
+const { loadStateFromEvents } = require('../utils/event-renderer');
 
 /**
  * Load working specification (legacy single file approach)
@@ -359,6 +363,27 @@ function displayStatus(data) {
   console.log(chalk.bold.cyan('\nCAWS Project Status'));
   console.log(chalk.cyan('==============================================\n'));
 
+  // CAWSFIX-31: Surface worktree claim if cwd is inside a worktree.
+  // Best-effort — failures (no .caws, no registry, etc.) are silent.
+  try {
+    const path = require('path');
+    const { findProjectRoot } = require('../utils/detection');
+    const { renderClaimPanel } = require('../utils/agent-display');
+    const root = findProjectRoot();
+    const cwd = process.cwd();
+    const worktreesBase = path.join(root, '.caws', 'worktrees');
+    if (cwd.startsWith(worktreesBase + path.sep)) {
+      const worktreeName = path.relative(worktreesBase, cwd).split(path.sep)[0];
+      const panel = renderClaimPanel(root, worktreeName);
+      if (panel) {
+        console.log(chalk.green(panel));
+        console.log('');
+      }
+    }
+  } catch {
+    // best-effort
+  }
+
   // Working Spec Status
   if (spec) {
     console.log(chalk.green('Working Spec'));
@@ -375,10 +400,10 @@ function displayStatus(data) {
 
   console.log('');
 
-  // Working State
+  // Working State (EVLOG-002: from event log)
   if (spec && spec.id) {
     let ws = null;
-    try { ws = loadState(spec.id); } catch { /* non-fatal */ }
+    try { ws = loadStateFromEvents(spec.id); } catch { /* non-fatal */ }
     if (ws && ws.phase !== 'not-started') {
       const phaseLabels = {
         'not-started': 'Not Started',
@@ -1052,7 +1077,7 @@ async function statusCommand(options = {}) {
               passed: gates.passed,
               message: gates.message,
             },
-            workingState: spec && spec.id ? (loadState(spec.id) || null) : null,
+            workingState: spec && spec.id ? (loadStateFromEvents(spec.id) || null) : null,
             overallProgress: calculateOverallProgress({
               spec,
               specSelection,

package/dist/commands/templates.js

@@ -53,14 +53,6 @@ const BUILTIN_TEMPLATES = {
     features: ['React', 'TypeScript', 'Storybook', 'Jest', 'Publishing'],
     path: 'templates/react/component-library',
   },
-  'vscode-extension': {
-    name: 'VS Code Extension',
-    description: 'VS Code extension with TypeScript',
-    category: 'Extension',
-    tier: 2,
-    features: ['TypeScript', 'VS Code API', 'Jest', 'Publishing'],
-    path: 'templates/vscode-extension',
-  },
 };
 
 /**

package/dist/commands/validate.js

@@ -20,6 +20,7 @@ const {
   loadSpecsRegistry,
 } = require('../utils/spec-resolver');
 const { recordValidation } = require('../utils/working-state');
+const { appendEvent } = require('../utils/event-log');
 const { lifecycle, EVENTS } = require('../utils/lifecycle-events');
 
 /**
@@ -143,19 +144,39 @@ async function validateCommand(specFile, options = {}) {
 
     const finalResult = enhancedValidation;
 
-    // Record to working state
-    try {
-      const grade = finalResult.complianceScore !== undefined
-        ? getComplianceGrade(finalResult.complianceScore)
-        : null;
-      recordValidation(spec.id, {
-        passed: finalResult.valid,
-        compliance_score: finalResult.complianceScore ?? null,
-        grade,
-        error_count: (finalResult.errors || []).length,
-        warning_count: (finalResult.warnings || []).length,
-      });
-    } catch { /* non-fatal */ }
+    // Record to working state (Phase 1 dual-write: state layer + event log)
+    const validationGrade = finalResult.complianceScore !== undefined
+      ? getComplianceGrade(finalResult.complianceScore)
+      : null;
+    const validationPayload = {
+      passed: finalResult.valid,
+      compliance_score: finalResult.complianceScore ?? null,
+      grade: validationGrade,
+      error_count: (finalResult.errors || []).length,
+      warning_count: (finalResult.warnings || []).length,
+    };
+    // CAWSFIX-02: guard recordValidation with the same `spec && spec.id`
+    // check that gates.js already uses and that the appendEvent call below
+    // enforces. Without this, legacy working-specs without an id silently
+    // wrote `.caws/state/undefined.json` — now blocked by the state-layer
+    // fence, but guarding here keeps the intent explicit.
+    if (spec && spec.id) {
+      try {
+        recordValidation(spec.id, validationPayload);
+      } catch { /* non-fatal */ }
+    }
+
+    // EVLOG-001: emit event log entry alongside state write. Only if
+    // spec.id is present — the fence in appendEvent would throw otherwise,
+    // which is intentional for the undefined.json bug class but wrong for
+    // legitimate legacy specs without an id field. Errors here are NOT
+    // swallowed: a failure to append an event is a real defect we want to
+    // surface, not a silent data-loss event.
+    if (spec && spec.id) {
+      await appendEvent(
+        { actor: 'cli', event: 'validation_completed', spec_id: spec.id, data: validationPayload }
+      );
+    }
 
     // Emit lifecycle event
     try {

package/dist/commands/verify-acs.js

@@ -12,6 +12,7 @@ const { execFileSync } = require('child_process');
 const { findProjectRoot } = require('../utils/detection');
 const { resolveSpec } = require('../utils/spec-resolver');
 const { recordACVerification } = require('../utils/working-state');
+const { appendEvent } = require('../utils/event-log');
 
 /**
  * Detect the project's test runner from config files.
@@ -350,16 +351,30 @@ async function verifyAcsCommand(options = {}) {
     else { totalUnchecked++; }
   }
 
-  // Record to working state
-  try {
-    recordACVerification(resolved.spec.id, {
-      total: totalAcs,
-      pass: totalPass,
-      fail: totalFail,
-      unchecked: totalUnchecked,
-      results: result.results,
-    }, projectRoot);
-  } catch { /* non-fatal */ }
+  // Record to working state (Phase 1 dual-write: state layer + event log)
+  const acPayload = {
+    total: totalAcs,
+    pass: totalPass,
+    fail: totalFail,
+    unchecked: totalUnchecked,
+    results: result.results,
+  };
+  // CAWSFIX-02: guard recordACVerification with `resolved.spec && resolved.spec.id`
+  // check to prevent the .caws/state/undefined.json bug class. Matches the
+  // pattern gates.js already uses and the appendEvent call below.
+  if (resolved.spec && resolved.spec.id) {
+    try {
+      recordACVerification(resolved.spec.id, acPayload, projectRoot);
+    } catch { /* non-fatal */ }
+  }
+
+  // EVLOG-001: emit verify_acs_completed event alongside state write.
+  if (resolved.spec && resolved.spec.id) {
+    await appendEvent(
+      { actor: 'cli', event: 'verify_acs_completed', spec_id: resolved.spec.id, data: acPayload },
+      { projectRoot }
+    );
+  }
 
   // Output
   if (options.format === 'json') {