@xenonbyte/req-2-plan 0.4.4 → 0.4.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xenonbyte/req-2-plan",
-  "version": "0.4.4",
+  "version": "0.4.5",
   "description": "Requirement-to-PLAN workflow CLI and agent integration installer.",
   "bin": {
     "r2p": "bin/r2p.js"

package/tools/workflow_cli/agent_shortcuts.py

@@ -14,6 +14,7 @@ import sys
 from datetime import datetime, timezone
 from pathlib import Path
 
+from tools.workflow_cli.atomic import atomic_write_text
 from tools.workflow_cli.models import RunStatus, WorkId
 from tools.workflow_cli.output import EXIT_CONFLICT
 
@@ -53,7 +54,7 @@ def write_active_pointer(base_path: Path, work_id: str, reason: str = "workflow_
         f"updated_at: {updated_at}\n"
         f"reason: {reason}\n"
     )
-    path.write_text(content, encoding="utf-8")
+    atomic_write_text(path, content)
 
 
 def _validate_work_id(raw: str) -> str:
@@ -122,7 +123,9 @@ def generate_work_id(
         words = [f"run-{h}"]
 
     candidate = "-".join(words[:5])
-    candidate = re.sub(r"-+", "-", candidate).strip("-")[:max_slug_len]
+    # Truncate first, then strip dashes: stripping before truncation can leave a
+    # trailing "-" at the slice boundary, producing an invalid WorkId.
+    candidate = re.sub(r"-+", "-", candidate)[:max_slug_len].strip("-")
     if len(candidate) < 2:
         import hashlib
         h = hashlib.md5(requirement.encode()).hexdigest()[:8]
@@ -138,7 +141,8 @@ def generate_work_id(
 
     for n in range(2, 100):
         suffix = f"-{n}"
-        alt = f"{prefix}{candidate[:max_slug_len - len(suffix)]}{suffix}"
+        alt_candidate = candidate[:max_slug_len - len(suffix)].rstrip("-")
+        alt = f"{prefix}{alt_candidate}{suffix}"
         if not (base_path / ".req-to-plan" / alt).exists():
             return alt
 
@@ -234,12 +238,18 @@ def _prev_stage(stage):
 def _seed_for_stage(stage, tier, upstream_summary: str = "", context_summary: str = "") -> str:
     """Build the seed text for a stage content file: template + upstream summary + context pack."""
     from tools.workflow_cli.stage_templates import template_for
+    from tools.workflow_cli.markdown import strip_readonly_sections
     base = tier.base if tier is not None else None
     text = template_for(stage, base) if base is not None else ""
-    if upstream_summary.strip():
+    # Upstream artifacts persist the read-only blocks they were seeded with
+    # (nothing strips them at store time). Strip them here, like every other
+    # consumer (gates/trace), so the freshly injected Upstream Summary / Project
+    # Context wrappers below are not duplicated or accumulated across stages.
+    upstream_summary = strip_readonly_sections(upstream_summary).strip()
+    if upstream_summary:
         text += (
             "\n## Upstream Summary (read-only)\n"
-            + upstream_summary.strip()
+            + upstream_summary
             + "\n<!-- /r2p-read-only -->\n"
         )
     if context_summary.strip():

package/tools/workflow_cli/artifact.py

@@ -9,6 +9,7 @@ from __future__ import annotations
 from datetime import datetime, timezone
 from pathlib import Path
 
+from tools.workflow_cli.atomic import atomic_write_text
 from tools.workflow_cli.models import Stage, STAGE_ARTIFACT_MAP
 
 
@@ -98,7 +99,9 @@ def write_artifact(
         fm, _ = _parse_frontmatter(path.read_text(encoding="utf-8"))
         created_at = fm.get("r2p_created_at", now)
     full_text = _frontmatter(stage, version, status, created_at, now) + content
-    path.write_text(full_text, encoding="utf-8")
+    # Atomic write: a crash mid-write must not leave a truncated artifact that
+    # fails to parse on the next load. Write a unique sibling temp then replace.
+    atomic_write_text(path, full_text)
     return path
 
 
@@ -225,4 +228,4 @@ class ArtifactManager:
             f"r2p_replaced_by: {replaced_by}\n"
             f"---\n\n"
         ) + body
-        path.write_text(content, encoding="utf-8")
+        atomic_write_text(path, content)

package/tools/workflow_cli/atomic.py

@@ -0,0 +1,45 @@
+"""Atomic filesystem write helpers."""
+from __future__ import annotations
+
+import os
+import secrets
+from pathlib import Path
+
+
+def atomic_write_text(path: Path, content: str, *, encoding: str = "utf-8") -> None:
+    """Write text via a unique sibling temp file, then atomically replace path."""
+    tmp_path, fd = _open_unique_sibling_tmp(path)
+    try:
+        with os.fdopen(fd, "w", encoding=encoding) as tmp:
+            fd = -1
+            tmp.write(content)
+        os.replace(tmp_path, path)
+        tmp_path = None
+    finally:
+        if fd != -1:
+            os.close(fd)
+        if tmp_path is not None:
+            try:
+                tmp_path.unlink()
+            except FileNotFoundError:
+                pass
+
+
+def _open_unique_sibling_tmp(path: Path) -> tuple[Path, int]:
+    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
+    if hasattr(os, "O_CLOEXEC"):
+        flags |= os.O_CLOEXEC
+    if hasattr(os, "O_NOFOLLOW"):
+        flags |= os.O_NOFOLLOW
+
+    last_error: FileExistsError | None = None
+    for _ in range(100):
+        candidate = path.with_name(
+            f".{path.name}.{os.getpid()}.{secrets.token_hex(8)}.tmp"
+        )
+        try:
+            return candidate, os.open(candidate, flags, 0o666)
+        except FileExistsError as exc:
+            last_error = exc
+
+    raise FileExistsError(f"Could not create unique temp file for {path}") from last_error

package/tools/workflow_cli/cli.py

@@ -231,8 +231,8 @@ def _cmd_run_start(args):
     link_results = []
     if repo_path is not None:
         from tools.workflow_cli.link_expander import expand_links
-        # Local relative links expand; HTTP is recorded as not-expanded (needs confirmation).
-        link_results = expand_links(requirement, base_path=repo_path, fetch_urls=False)
+        # Local relative links expand; HTTP URLs are recorded as external references only.
+        link_results = expand_links(requirement, base_path=repo_path)
 
     # Tier estimation
     tier_estimate, evidence = estimate_tier(requirement, repo_path=repo_path, link_results=link_results)
@@ -473,6 +473,19 @@ def _cmd_run_reopen(args):
         if cp_stage_idx < target_idx:
             new_record.approved_checkpoints.append(cp)
 
+    # Repopulate active_artifacts for copied stages so the reopened record
+    # matches the on-disk artifacts and approved checkpoints.
+    for cp in new_record.approved_checkpoints:
+        artifact_name = STAGE_ARTIFACT_MAP.get(cp.stage)
+        if artifact_name and (new_run_dir / artifact_name).exists():
+            upsert_active_artifact(
+                new_record,
+                stage=cp.stage,
+                artifact=cp.artifact,
+                version=cp.version,
+                status="approved",
+            )
+
     new_mgr = RunStateManager(new_run_dir)
     new_mgr.save(new_record)
 
@@ -723,14 +736,6 @@ def _cmd_tier_lock(args):
         record.tier_estimate = TierEstimate(base=TierBase.LIGHT, modifiers=frozenset())
 
     if args.override_floor:
-        if not args.confirm:
-            print_and_exit(
-                format_error(
-                    "Overriding floor requires --confirm flag as well",
-                    exit_code=EXIT_CLI_ERR,
-                ),
-                EXIT_CLI_ERR,
-            )
         from tools.workflow_cli.models import TierEstimate
         record.tier_locked = TierEstimate(base=base, modifiers=modifiers)
     else:
@@ -808,11 +813,12 @@ def _cmd_tier_escalate(args):
             active_item=record.current_stage.value,
         )
 
-    # Revoke affected bundle authorizations that cover high-tier stages
+    # Revoke affected bundle authorizations that cover high-tier stages.
+    # Reuse the gates definition so bundle revocation stays in lockstep with
+    # forced-review behavior if the high-risk modifier set ever changes.
     from tools.workflow_cli.gates import _FORCED_REVIEW_MODIFIERS
-    high_modifiers = {TierModifier.MIGRATION, TierModifier.SAFETY, TierModifier.CROSS_PROJECT}
     from datetime import datetime, timezone
-    if modifier in high_modifiers:
+    if modifier in _FORCED_REVIEW_MODIFIERS:
         revoke_ts = datetime.now(timezone.utc).isoformat()
         from tools.workflow_cli.models import STAGE_REQUIRED_UPSTREAM_CHECKPOINTS
         affected_stages = {Stage.DESIGN, Stage.SPEC, Stage.PLAN}

package/tools/workflow_cli/install.py

@@ -188,7 +188,13 @@ class InstallService:
             }
             self._validate_install_path(manifest_path, field="manifest")
             manifest_path.parent.mkdir(parents=True, exist_ok=True)
-            manifest_path.write_text(_dump_manifest(manifest), encoding="utf-8")
+            tmp = manifest_path.with_name(manifest_path.name + ".tmp")
+            # The temp sibling shares the (validated) parent, but its own path is
+            # untrusted: reject a planted symlink so the atomic write cannot be
+            # redirected outside the manifest dir.
+            self._validate_install_path(tmp, field="manifest")
+            tmp.write_text(_dump_manifest(manifest), encoding="utf-8")
+            tmp.replace(manifest_path)
             manifest_written = True
 
             # Remove obsolete managed shared wrappers (e.g. a 0.1.2 r2p-adapt) that

package/tools/workflow_cli/link_expander.py

@@ -2,14 +2,11 @@ from __future__ import annotations
 from dataclasses import dataclass
 from enum import Enum
 from pathlib import Path
-from urllib import request, error as urllib_error
 import re
 
 
 class LinkStatus(str, Enum):
-    REACHABLE = "reachable"
-    UNREACHABLE = "unreachable"
-    REQUIRES_AUTH = "requires_auth"
+    EXTERNAL = "external"  # http(s) link recorded as an external reference; not fetched
     LOCAL_FOUND = "local_found"
     LOCAL_MISSING = "local_missing"
 
@@ -45,20 +42,6 @@ def extract_links(text: str) -> list[str]:
     return result
 
 
-def _fetch_url(url: str) -> LinkExpansionResult:
-    try:
-        req = request.Request(url, headers={"User-Agent": "r2p-link-expander/1.0"})
-        with request.urlopen(req, timeout=5) as resp:
-            content = resp.read(500).decode("utf-8", errors="replace")
-            return LinkExpansionResult(url=url, status=LinkStatus.REACHABLE, content_preview=content)
-    except urllib_error.HTTPError as e:
-        if e.code in (401, 403):
-            return LinkExpansionResult(url=url, status=LinkStatus.REQUIRES_AUTH, error=str(e))
-        return LinkExpansionResult(url=url, status=LinkStatus.UNREACHABLE, error=str(e))
-    except Exception as e:
-        return LinkExpansionResult(url=url, status=LinkStatus.UNREACHABLE, error=str(e))
-
-
 def _local_preview_block_reason(path_str: str, candidate: Path, base: Path | None) -> str | None:
     try:
         relative = candidate.relative_to(base) if base is not None else Path(path_str)
@@ -109,8 +92,14 @@ def _expand_local(path_str: str, base_path: Path | None) -> LinkExpansionResult:
 def expand_links(
     text: str,
     base_path: Path | None = None,
-    fetch_urls: bool = True,
 ) -> list[LinkExpansionResult]:
+    """Expand links found in requirement text.
+
+    Local relative links are read for context. http(s) URLs are recorded as
+    external references only: r2p never makes outbound requests for URLs found in
+    (untrusted) requirement text, so a link cannot drive the tool to reach
+    cloud-metadata endpoints, localhost, or internal services.
+    """
     results = []
     links = extract_links(text)
     seen: set[str] = set()
@@ -119,12 +108,7 @@ def expand_links(
             continue
         seen.add(link)
         if link.startswith("http://") or link.startswith("https://"):
-            if fetch_urls:
-                results.append(_fetch_url(link))
-            else:
-                results.append(LinkExpansionResult(
-                    url=link, status=LinkStatus.UNREACHABLE, error="URL fetching disabled"
-                ))
+            results.append(LinkExpansionResult(url=link, status=LinkStatus.EXTERNAL))
         else:
             results.append(_expand_local(link, base_path))
     return results

package/tools/workflow_cli/state.py

@@ -8,6 +8,7 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Optional
 
+from tools.workflow_cli.atomic import atomic_write_text
 from tools.workflow_cli.models import (
     ActiveArtifact,
     BundleAuthorization,
@@ -227,11 +228,6 @@ def _escape_cell(val: str) -> str:
     return val.replace("\\", "\\\\").replace("|", "\\|")
 
 
-def _unescape_cell(val: str) -> str:
-    """Unescape backslashes and pipes in a parsed markdown table cell."""
-    return val.replace("\\|", "|").replace("\\\\", "\\")
-
-
 def _split_cells(row_text: str) -> list[str]:
     """Split pipe-delimited row, honouring \\| and \\\\ escape sequences."""
     cells: list[str] = []
@@ -608,7 +604,10 @@ class RunStateManager:
 
     def save(self, record: RunRecord) -> None:
         self.run_dir.mkdir(parents=True, exist_ok=True)
-        self.run_path.write_text(run_record_to_markdown(record), encoding="utf-8")
+        text = run_record_to_markdown(record)
+        # Atomic write: a crash mid-write must not leave a truncated run.md that
+        # bricks the run. Write a unique sibling temp then atomically replace.
+        atomic_write_text(self.run_path, text)
 
     def load(self) -> RunRecord:
         if not self.run_path.exists():

package/tools/workflow_cli/tier.py

@@ -106,7 +106,7 @@ def compute_floor(
         or repo.is_monorepo
         or repo.module_count > module_threshold
         or _has_multi_repo_refs(requirement_text)
-        or any(r.status in (LinkStatus.UNREACHABLE, LinkStatus.REQUIRES_AUTH) for r in link_results)
+        or any(r.status == LinkStatus.EXTERNAL for r in link_results)
     ):
         base = TierBase.STANDARD
 

package/tools/workflow_cli/version.py

@@ -1 +1 @@
-R2P_VERSION = "0.4.4"
+R2P_VERSION = "0.4.5"