@wazir-dev/cli 1.2.0 → 1.3.0

package/tooling/src/checks/security-sensitivity.js

@@ -0,0 +1,69 @@
+const SECURITY_PATTERNS = [
+  'auth', 'password', 'passwd', 'token', 'query', 'sql',
+  'fetch', 'upload', 'secret', 'env', 'api[._-]?key',
+  'session', 'cookie', 'cors', 'csrf', 'jwt', 'oauth',
+  'encrypt', 'decrypt', 'hash', 'salt', 'credential',
+  'private[._-]?key', 'access[._-]?token', 'refresh[._-]?token',
+];
+
+const PATTERN_REGEX = new RegExp(
+  `\\b(${SECURITY_PATTERNS.join('|')})\\b`,
+  'gi'
+);
+
+/**
+ * Scan diff text for security-sensitive patterns.
+ * Returns which patterns were found and in which files.
+ */
+export function detectSecurityPatterns(diffText) {
+  if (!diffText || typeof diffText !== 'string') {
+    return { triggered: false, patterns: [], files: [] };
+  }
+
+  const matchedPatterns = new Set();
+  const matchedFiles = new Set();
+  let currentFile = null;
+
+  for (const line of diffText.split('\n')) {
+    // Track current file from diff headers
+    const fileMatch = line.match(/^(?:diff --git a\/\S+ b\/|[+]{3} b\/)(.+)/);
+    if (fileMatch) {
+      currentFile = fileMatch[1];
+      continue;
+    }
+
+    // Only scan added/modified lines (starting with +, not +++)
+    if (!line.startsWith('+') || line.startsWith('+++')) continue;
+
+    const lineMatches = line.match(PATTERN_REGEX);
+    if (lineMatches) {
+      for (const m of lineMatches) {
+        matchedPatterns.add(m.toLowerCase());
+      }
+      if (currentFile) {
+        matchedFiles.add(currentFile);
+      }
+    }
+  }
+
+  const patterns = [...matchedPatterns].sort();
+  const files = [...matchedFiles].sort();
+
+  return {
+    triggered: patterns.length > 0,
+    patterns,
+    files,
+  };
+}
+
+/**
+ * Security review dimensions to add when patterns are detected.
+ */
+export const SECURITY_REVIEW_DIMENSIONS = [
+  'Injection (SQL, command, template, header)',
+  'Authentication bypass',
+  'Data exposure (PII, secrets, tokens in logs/responses)',
+  'CSRF / SSRF',
+  'XSS (stored, reflected, DOM)',
+  'Secrets leakage (hardcoded keys, env vars in client code)',
+];

package/tooling/src/cli.js

@@ -1,20 +1,20 @@
 #!/usr/bin/env node
 
+// Suppress Node.js ExperimentalWarning for built-in SQLite (node:sqlite).
+// Must run before any module that transitively imports node:sqlite loads,
+// so command handlers are lazy-imported below instead of using static imports.
+const _originalEmit = process.emit;
+process.emit = function (event, ...args) {
+  if (event === 'warning' && args[0]?.name === 'ExperimentalWarning' &&
+      args[0]?.message?.includes('SQLite')) {
+    return false;
+  }
+  return _originalEmit.apply(this, [event, ...args]);
+};
+
 import fs from 'node:fs';
 import { fileURLToPath } from 'node:url';
 
-import { runCaptureCommand } from './capture/command.js';
-import { runValidateCommand } from './commands/validate.js';
-import { runDoctorCommand } from './doctor/command.js';
-import { runExportCommand as runGeneratedExportCommand } from './export/command.js';
-import { runIndexCommand } from './index/command.js';
-import { runInitCommand } from './init/command.js';
-import { runRecallCommand } from './recall/command.js';
-import { runReportCommand } from './reports/command.js';
-import { runStateCommand } from './state/command.js';
-import { runStatsCommand } from './commands/stats.js';
-import { runStatusCommand } from './status/command.js';
-
 const COMMAND_FAMILIES = [
   'export',
   'validate',
@@ -29,18 +29,19 @@ const COMMAND_FAMILIES = [
   'capture'
 ];
 
-const COMMAND_HANDLERS = {
-  export: runGeneratedExportCommand,
-  validate: runValidateCommand,
-  doctor: runDoctorCommand,
-  index: runIndexCommand,
-  init: runInitCommand,
-  recall: runRecallCommand,
-  report: runReportCommand,
-  state: runStateCommand,
-  status: runStatusCommand,
-  stats: runStatsCommand,
-  capture: runCaptureCommand,
+// Lazy-load command handlers so the warning filter is active before node:sqlite loads
+const COMMAND_LOADERS = {
+  export:   () => import('./export/command.js').then(m => m.runExportCommand),
+  validate: () => import('./commands/validate.js').then(m => m.runValidateCommand),
+  doctor:   () => import('./doctor/command.js').then(m => m.runDoctorCommand),
+  index:    () => import('./index/command.js').then(m => m.runIndexCommand),
+  init:     () => import('./init/command.js').then(m => m.runInitCommand),
+  recall:   () => import('./recall/command.js').then(m => m.runRecallCommand),
+  report:   () => import('./reports/command.js').then(m => m.runReportCommand),
+  state:    () => import('./state/command.js').then(m => m.runStateCommand),
+  status:   () => import('./status/command.js').then(m => m.runStatusCommand),
+  stats:    () => import('./commands/stats.js').then(m => m.runStatsCommand),
+  capture:  () => import('./capture/command.js').then(m => m.runCaptureCommand),
 };
 
 export function parseArgs(argv) {
@@ -88,9 +89,9 @@ export async function main(argv = process.argv.slice(2)) {
     return 1;
   }
 
-  const handler = COMMAND_HANDLERS[parsed.command];
+  const loader = COMMAND_LOADERS[parsed.command];
 
-  if (!handler) {
+  if (!loader) {
     console.error(`wazir ${parsed.command} is not implemented yet`);
     return 2;
   }
@@ -98,6 +99,7 @@ export async function main(argv = process.argv.slice(2)) {
   let result;
 
   try {
+    const handler = await loader();
     result = await handler(parsed);
   } catch (error) {
     console.error(error.message);

package/tooling/src/guards/phase-prerequisite-guard.js

@@ -4,6 +4,64 @@ import path from 'node:path';
 import { readYamlFile } from '../loaders.js';
 import { getRunPaths, readPhaseExitEvents } from '../capture/store.js';
 
+/**
+ * Validates that every enabled workflow has a phase_exit event
+ * in the run's events.ndjson before the run can be marked complete.
+ *
+ * If a run-config with workflow_policy exists, only workflows with
+ * enabled: true are checked. Otherwise falls back to the manifest list.
+ */
+export function validateRunCompletion(runDir, manifestPath) {
+  const manifest = readYamlFile(manifestPath);
+  const declaredWorkflows = manifest.workflows ?? [];
+
+  if (declaredWorkflows.length === 0) {
+    return { complete: true, missing: [] };
+  }
+
+  // Filter to enabled workflows if run-config exists
+  const runConfigPath = path.join(runDir, 'run-config.yaml');
+  let enabledWorkflows = declaredWorkflows;
+  if (fs.existsSync(runConfigPath)) {
+    try {
+      const runConfig = readYamlFile(runConfigPath);
+      const policy = runConfig.workflow_policy;
+      if (policy && typeof policy === 'object') {
+        enabledWorkflows = declaredWorkflows.filter(w => {
+          const wPolicy = policy[w] ?? policy[w.replace(/_/g, '-')];
+          // If no policy entry, assume enabled; if entry exists, check enabled field
+          return wPolicy ? (wPolicy.enabled !== false) : true;
+        });
+      }
+    } catch {
+      // If run-config can't be read, fall back to full manifest list
+    }
+  }
+
+  const eventsPath = path.join(runDir, 'events.ndjson');
+  const completedWorkflows = new Set();
+
+  if (fs.existsSync(eventsPath)) {
+    const content = fs.readFileSync(eventsPath, 'utf8');
+    for (const line of content.split('\n')) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        const event = JSON.parse(trimmed);
+        if (event.event === 'phase_exit' && event.status === 'completed' && event.phase) {
+          completedWorkflows.add(event.phase);
+        }
+      } catch {
+        // Skip malformed lines
+      }
+    }
+  }
+
+  const missing = enabledWorkflows.filter(w => !completedWorkflows.has(w));
+
+  return { complete: missing.length === 0, missing };
+}
+
 export function evaluateScopeCoverageGuard(payload) {
   const { input_item_count: inputCount, plan_task_count: planCount, user_approved_reduction: userApproved } = payload;
 

package/tooling/src/init/auto-detect.js

@@ -244,8 +244,6 @@ export function autoInit(projectRoot, opts = {}) {
     model_mode: 'claude-only',
     default_depth: 'standard',
     default_intent: 'feature',
-    team_mode: 'sequential',
-    parallel_backend: 'none',
     context_mode: contextMode,
     detected_host: host.host,
     detected_stack: stack,

package/tooling/src/init/command.js

@@ -4,10 +4,9 @@ import path from 'node:path';
 import { autoInit, detectHost, detectProjectStack } from './auto-detect.js';
 
 /**
- * wazir init [--auto|--interactive|--force]
+ * wazir init [--auto|--force]
  *
  * Default: --auto (zero-config, no prompts, infer everything)
- * --interactive: legacy mode with @inquirer/prompts (may fail in non-TTY)
  * --force: reinitialize even if already initialized
  */
 export async function runInitCommand(parsed, context = {}) {
@@ -15,7 +14,6 @@ export async function runInitCommand(parsed, context = {}) {
   const wazirDir = path.join(cwd, '.wazir');
   const configPath = path.join(wazirDir, 'state', 'config.json');
   const isForce = parsed.args.includes('--force');
-  const isInteractive = parsed.args.includes('--interactive');
 
   // Already initialized check
   if (fs.existsSync(configPath) && !isForce) {
@@ -25,12 +23,7 @@ export async function runInitCommand(parsed, context = {}) {
     };
   }
 
-  // Interactive mode — legacy prompts (may fail in non-TTY environments like Claude Code)
-  if (isInteractive) {
-    return runInteractiveInit(parsed, context);
-  }
-
-  // Default: auto mode — zero-config
+  // Auto mode — zero-config
   try {
     const result = autoInit(cwd, { context, force: isForce });
 
@@ -65,8 +58,7 @@ export async function runInitCommand(parsed, context = {}) {
       '',
       'Next: /wazir <what you want to build>',
       '',
-      'Power users: `wazir init --interactive` for manual config.',
-      'Override:    `wazir config set model_mode multi-tool`',
+      'Override: `wazir config set model_mode multi-tool`',
       '',
     ];
 
@@ -75,87 +67,3 @@ export async function runInitCommand(parsed, context = {}) {
     return { exitCode: 1, stderr: `Auto-init failed: ${error.message}\n` };
   }
 }
-
-/**
- * Legacy interactive init with @inquirer/prompts.
- * Kept for power users who want manual control.
- * Will fail in non-TTY environments (Claude Code Bash tool).
- */
-async function runInteractiveInit(parsed, context = {}) {
-  const cwd = context.cwd ?? process.cwd();
-  const wazirDir = path.join(cwd, '.wazir');
-  const configPath = path.join(wazirDir, 'state', 'config.json');
-
-  try {
-    const { select } = await import('@inquirer/prompts');
-
-    for (const dir of ['input', 'state', 'runs']) {
-      fs.mkdirSync(path.join(wazirDir, dir), { recursive: true });
-    }
-
-    const modelMode = await select({
-      message: 'How should Wazir run in this project?',
-      choices: [
-        { name: 'Single model (Recommended)', value: 'claude-only' },
-        { name: 'Multi-model (Haiku/Sonnet/Opus routing)', value: 'multi-model' },
-        { name: 'Multi-tool (current model + external reviewers)', value: 'multi-tool' },
-      ],
-      default: 'claude-only',
-    });
-
-    let multiToolTools = [];
-    if (modelMode === 'multi-tool') {
-      const toolChoice = await select({
-        message: 'Which external tools for reviews?',
-        choices: [
-          { name: 'Codex', value: 'codex' },
-          { name: 'Gemini', value: 'gemini' },
-          { name: 'Both', value: 'both' },
-        ],
-      });
-      multiToolTools = toolChoice === 'both' ? ['codex', 'gemini'] : [toolChoice];
-    }
-
-    let codexModel = null;
-    if (multiToolTools.includes('codex')) {
-      codexModel = await select({
-        message: 'Codex model?',
-        choices: [
-          { name: 'gpt-5.3-codex-spark (Recommended)', value: 'gpt-5.3-codex-spark' },
-          { name: 'gpt-5.4', value: 'gpt-5.4' },
-        ],
-        default: 'gpt-5.3-codex-spark',
-      });
-    }
-
-    const host = detectHost();
-    const stack = detectProjectStack(cwd);
-
-    const config = {
-      model_mode: modelMode,
-      ...(modelMode === 'multi-tool' && {
-        multi_tool: {
-          tools: multiToolTools,
-          ...(codexModel && { codex: { model: codexModel } }),
-        },
-      }),
-      default_depth: 'standard',
-      default_intent: 'feature',
-      team_mode: 'sequential',
-      parallel_backend: 'none',
-      detected_host: host.host,
-      detected_stack: stack,
-    };
-    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
-
-    return {
-      exitCode: 0,
-      stdout: `\nInitialized (${modelMode}). Host: ${host.host}. Next: /wazir <request>\n`,
-    };
-  } catch (error) {
-    if (error.name === 'ExitPromptError') {
-      return { exitCode: 130, stderr: '\nInit cancelled.\n' };
-    }
-    return { exitCode: 1, stderr: `${error.message}\n` };
-  }
-}

package/tooling/src/status/command.js

@@ -54,7 +54,12 @@ function success(payload, options = {}) {
     };
   }
 
-  let output = `${payload.run_id} ${payload.phase} ${payload.status}\n`;
+  const parentPhase = payload.parent_phase ?? payload.phase;
+  const workflow = payload.workflow;
+  const phaseLabel = workflow
+    ? `Phase: ${parentPhase} > Workflow: ${workflow}`
+    : `Phase: ${parentPhase}`;
+  let output = `${payload.run_id} ${phaseLabel} ${payload.status}\n`;
 
   if (payload.savings_summary) {
     output += `${payload.savings_summary}\n`;

package/tooling/src/verify/proof-collector.js

@@ -0,0 +1,299 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { execFileSync } from 'node:child_process';
+
+const WEB_FRAMEWORKS = ['next', 'vite', 'react-scripts', '@angular/cli', 'nuxt', 'astro', 'gatsby'];
+const API_FRAMEWORKS = ['express', 'fastify', 'hono', 'koa', '@nestjs/core', '@hapi/hapi'];
+
+/**
+ * Detect whether a project produces runnable output and what type.
+ *
+ * @param {string} projectRoot
+ * @returns {'web' | 'api' | 'cli' | 'library'}
+ */
+export function detectRunnableType(projectRoot) {
+  const pkgPath = path.join(projectRoot, 'package.json');
+  if (!fs.existsSync(pkgPath)) return 'library';
+
+  let pkg;
+  try {
+    pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  } catch {
+    return 'library';
+  }
+
+  const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+  if (WEB_FRAMEWORKS.some((fw) => fw in allDeps)) return 'web';
+  if (API_FRAMEWORKS.some((fw) => fw in allDeps)) return 'api';
+  if (pkg.bin) return 'cli';
+
+  return 'library';
+}
+
+/**
+ * Run a command safely using execFileSync (no shell injection).
+ *
+ * @param {string} cmd - The executable
+ * @param {string[]} args - Arguments array
+ * @param {string} cwd
+ * @returns {{ exit_code: number, stdout: string, stderr: string }}
+ */
+function runCommand(cmd, args, cwd) {
+  try {
+    const stdout = execFileSync(cmd, args, {
+      cwd,
+      encoding: 'utf8',
+      timeout: 60000,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return { exit_code: 0, stdout: stdout.trim(), stderr: '' };
+  } catch (err) {
+    return {
+      exit_code: err.status ?? 1,
+      stdout: (err.stdout ?? '').trim(),
+      stderr: (err.stderr ?? '').trim(),
+    };
+  }
+}
+
+/**
+ * Summarize command output to a short string.
+ *
+ * @param {string} stdout
+ * @param {number} maxLen
+ * @returns {string}
+ */
+function summarize(stdout, maxLen = 200) {
+  if (!stdout) return '';
+  const lines = stdout.split('\n');
+  if (lines.length <= 5) return stdout.slice(0, maxLen);
+  return [...lines.slice(0, 3), `... (${lines.length} lines total)`, ...lines.slice(-2)]
+    .join('\n')
+    .slice(0, maxLen);
+}
+
+/**
+ * Check if a package.json has a specific script.
+ *
+ * @param {string} projectRoot
+ * @param {string} scriptName
+ * @returns {boolean}
+ */
+function hasScript(projectRoot, scriptName) {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(projectRoot, 'package.json'), 'utf8'));
+    return !!(pkg.scripts && pkg.scripts[scriptName]);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a config file exists for a tool.
+ *
+ * @param {string} projectRoot
+ * @param {string[]} candidates
+ * @returns {boolean}
+ */
+function hasConfigFile(projectRoot, candidates) {
+  return candidates.some((f) => fs.existsSync(path.join(projectRoot, f)));
+}
+
+/**
+ * Collect library-type proof: tests, lint, format, type-check.
+ *
+ * @param {string} projectRoot
+ * @returns {{ tool: string, command: string, exit_code: number, stdout_summary: string, passed: boolean }[]}
+ */
+function collectLibraryEvidence(projectRoot) {
+  const evidence = [];
+
+  // npm test
+  if (hasScript(projectRoot, 'test')) {
+    const result = runCommand('npm', ['test'], projectRoot);
+    evidence.push({
+      tool: 'npm test',
+      command: 'npm test',
+      exit_code: result.exit_code,
+      stdout_summary: summarize(result.stdout),
+      passed: result.exit_code === 0,
+    });
+  }
+
+  // TypeScript type check
+  if (
+    hasConfigFile(projectRoot, ['tsconfig.json']) ||
+    hasScript(projectRoot, 'typecheck')
+  ) {
+    const cmd = hasScript(projectRoot, 'typecheck')
+      ? ['npm', ['run', 'typecheck']]
+      : ['npx', ['tsc', '--noEmit']];
+    const result = runCommand(cmd[0], cmd[1], projectRoot);
+    evidence.push({
+      tool: 'tsc',
+      command: cmd[0] + ' ' + cmd[1].join(' '),
+      exit_code: result.exit_code,
+      stdout_summary: summarize(result.exit_code === 0 ? 'No type errors' : result.stdout || result.stderr),
+      passed: result.exit_code === 0,
+    });
+  }
+
+  // ESLint
+  if (
+    hasConfigFile(projectRoot, ['.eslintrc', '.eslintrc.js', '.eslintrc.json', '.eslintrc.yml', 'eslint.config.js', 'eslint.config.mjs']) ||
+    hasScript(projectRoot, 'lint')
+  ) {
+    const cmd = hasScript(projectRoot, 'lint')
+      ? ['npm', ['run', 'lint']]
+      : ['npx', ['eslint', '.']];
+    const result = runCommand(cmd[0], cmd[1], projectRoot);
+    evidence.push({
+      tool: 'eslint',
+      command: cmd[0] + ' ' + cmd[1].join(' '),
+      exit_code: result.exit_code,
+      stdout_summary: summarize(result.exit_code === 0 ? 'No lint errors' : result.stdout || result.stderr),
+      passed: result.exit_code === 0,
+    });
+  }
+
+  // Prettier
+  if (
+    hasConfigFile(projectRoot, ['.prettierrc', '.prettierrc.js', '.prettierrc.json', '.prettierrc.yml', 'prettier.config.js', 'prettier.config.mjs']) ||
+    hasScript(projectRoot, 'format:check')
+  ) {
+    const cmd = hasScript(projectRoot, 'format:check')
+      ? ['npm', ['run', 'format:check']]
+      : ['npx', ['prettier', '--check', '.']];
+    const result = runCommand(cmd[0], cmd[1], projectRoot);
+    evidence.push({
+      tool: 'prettier',
+      command: cmd[0] + ' ' + cmd[1].join(' '),
+      exit_code: result.exit_code,
+      stdout_summary: summarize(result.exit_code === 0 ? 'All files formatted' : result.stdout || result.stderr),
+      passed: result.exit_code === 0,
+    });
+  }
+
+  return evidence;
+}
+
+/**
+ * Collect web-type proof: build + library checks.
+ *
+ * @param {string} projectRoot
+ * @returns {{ tool: string, command: string, exit_code: number, stdout_summary: string, passed: boolean }[]}
+ */
+function collectWebEvidence(projectRoot) {
+  const evidence = [];
+
+  // Build
+  if (hasScript(projectRoot, 'build')) {
+    const result = runCommand('npm', ['run', 'build'], projectRoot);
+    evidence.push({
+      tool: 'build',
+      command: 'npm run build',
+      exit_code: result.exit_code,
+      stdout_summary: summarize(result.stdout),
+      passed: result.exit_code === 0,
+    });
+  }
+
+  // Also run library checks (tests, lint, etc.)
+  evidence.push(...collectLibraryEvidence(projectRoot));
+
+  return evidence;
+}
+
+/**
+ * Collect API-type proof: library checks (server start/stop is complex, defer to manual).
+ *
+ * @param {string} projectRoot
+ * @returns {{ tool: string, command: string, exit_code: number, stdout_summary: string, passed: boolean }[]}
+ */
+function collectApiEvidence(projectRoot) {
+  return collectLibraryEvidence(projectRoot);
+}
+
+/**
+ * Collect CLI-type proof: --help output + library checks.
+ *
+ * @param {string} projectRoot
+ * @returns {{ tool: string, command: string, exit_code: number, stdout_summary: string, passed: boolean }[]}
+ */
+function collectCliEvidence(projectRoot) {
+  const evidence = [];
+
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(projectRoot, 'package.json'), 'utf8'));
+    const binEntry = typeof pkg.bin === 'string' ? pkg.bin : Object.values(pkg.bin || {})[0];
+    if (binEntry) {
+      const binPath = path.join(projectRoot, binEntry);
+      if (fs.existsSync(binPath)) {
+        const result = runCommand('node', [binPath, '--help'], projectRoot);
+        evidence.push({
+          tool: 'cli --help',
+          command: `node ${binEntry} --help`,
+          exit_code: result.exit_code,
+          stdout_summary: summarize(result.stdout),
+          passed: result.exit_code === 0,
+        });
+      }
+    }
+  } catch { /* ignore */ }
+
+  evidence.push(...collectLibraryEvidence(projectRoot));
+
+  return evidence;
+}
+
+/**
+ * Collect proof of implementation for a task.
+ *
+ * @param {{ id: string, title: string }} taskSpec
+ * @param {{ projectRoot: string, runId?: string, stateRoot?: string }} runConfig
+ * @returns {Promise<{ task_id: string, type: string, timestamp: string, evidence: object[], status: string, all_passed: boolean }>}
+ */
+export async function collectProof(taskSpec, runConfig) {
+  const { projectRoot } = runConfig;
+  const type = detectRunnableType(projectRoot);
+
+  let evidence;
+  switch (type) {
+    case 'web':
+      evidence = collectWebEvidence(projectRoot);
+      break;
+    case 'api':
+      evidence = collectApiEvidence(projectRoot);
+      break;
+    case 'cli':
+      evidence = collectCliEvidence(projectRoot);
+      break;
+    default:
+      evidence = collectLibraryEvidence(projectRoot);
+  }
+
+  const allPassed = evidence.length === 0 || evidence.every((e) => e.passed);
+
+  const result = {
+    task_id: taskSpec.id,
+    type,
+    timestamp: new Date().toISOString(),
+    evidence,
+    status: allPassed ? 'pass' : 'fail',
+    all_passed: allPassed,
+  };
+
+  // Save to artifacts if runId provided
+  if (runConfig.runId && runConfig.stateRoot) {
+    const artifactDir = path.join(runConfig.stateRoot, 'runs', runConfig.runId, 'artifacts');
+    if (fs.existsSync(artifactDir)) {
+      fs.writeFileSync(
+        path.join(artifactDir, `proof-${taskSpec.id}.json`),
+        JSON.stringify(result, null, 2) + '\n',
+      );
+    }
+  }
+
+  return result;
+}

package/workflows/plan-review.md

@@ -39,7 +39,9 @@ On completing this phase, run:
 
 ## Loop Structure
 
-Follows the review loop pattern in `docs/reference/review-loop-pattern.md` with plan dimensions. The planner role resolves findings. Pass count determined by depth. No extension.
+Follows the review loop pattern in `docs/reference/review-loop-pattern.md` with 8 plan dimensions (including Input Coverage). The planner role resolves findings. Pass count determined by depth. No extension.
+
+**Input Coverage dimension:** The reviewer reads the original input/briefing, counts distinct items, and compares against tasks in the plan. If `tasks_in_plan < items_in_input`, this is a HIGH finding listing the missing items. This prevents silent scope reduction where 21 input items become 5 tasks.
 
 ## Failure Conditions