npm - @xenonbyte/req-2-plan - Versions diffs - 0.5.1 → 0.6.0 - Mend

@xenonbyte/req-2-plan 0.5.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@xenonbyte/req-2-plan",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "Requirement-to-PLAN workflow CLI and agent integration installer.",
   "bin": {
     "r2p": "bin/r2p.js"

package/tools/workflow_cli/agent_templates/claude/commands/r2p-execute.md CHANGED Viewed

@@ -31,6 +31,15 @@ Before dispatching Task 1, read `07-plan.md` once and scan for:
 Batch all findings into one question to the human **before** execution begins. If the scan is clean, proceed without comment.
 If a finding requires PLAN, SPEC, or DESIGN repair, stop and ask the human to reopen from the affected stage rather than patching over it in execution.
+## Model Selection
+Use the least powerful model that can handle each role:
+- **Mechanical implementation** (isolated, clear spec, complete `Skeleton`, 1–2 files): fast/cheap model.
+- **Integration / judgment / debugging** (multi-file coordination, pattern matching): standard model.
+- **Architecture / design AND the final whole-branch review**: most capable model.
+- Always specify the model explicitly when dispatching; an omitted model inherits the session model.
+- **Turn count beats token price**: use a mid-tier floor for reviewers and for implementers working from prose descriptions; drop to cheapest only for complete-code/single-file mechanical tasks.
 ## Per-Task Loop
 For each PLAN-TASK (in order):
@@ -41,6 +50,8 @@ Read the task text directly from `07-plan.md`. Note the task's `Skeleton`, `Step
 ### 2. Dispatch a fresh implementer subagent
+Record BASE (`git rev-parse HEAD`) BEFORE dispatching the implementer — **never use `HEAD~1`** as BASE (it drops all but the last commit of a multi-commit task). For Task 1, this BASE is also `<execution-base-commit>` for the final whole-branch review. Persist the Task 1 BASE immediately in tracked execution state by adding `Execution BASE: <execution-base-commit>` to `execution/progress.md`.
 Provide the subagent with:
 - The task text (from `07-plan.md`)
 - Scene-setting context (project, dependencies, architectural constraints)
@@ -68,12 +79,12 @@ The fresh implementer subagent verifies-then-removes ambiguity by evidence and T
 ### 5. Write diff and dispatch task-reviewer
 After the implementer reports DONE:
-1. Record the diff inline: `git diff -U10 <base-commit> HEAD` (no external script needed)
+1. `mkdir -p .req-to-plan/<work-id>/logs` then `git diff -U10 <base-commit> HEAD > .req-to-plan/<work-id>/logs/task-N-diff.md`. Keep diff scratch under `logs/` (gitignored), never under `execution/`.
 2. Dispatch a task-reviewer subagent with:
    - The task text and `Spec References` from `07-plan.md`
    - The implementer's report
-   - The diff
-   - Global constraints from the plan
+   - The diff file path (`.req-to-plan/<work-id>/logs/task-N-diff.md`)
+   - Global constraints from the plan (copy verbatim from `## Global Constraints`); never pre-judge a finding's severity; never paste prior-task summaries into a later dispatch
 The task-reviewer returns two verdicts:
 - **Spec compliance**: checked against `Spec References` + `Verification`
@@ -86,14 +97,27 @@ The task-reviewer returns two verdicts:
 - Only when the task-reviewer is clean (both spec ✅ and quality Approved, and `Verification` satisfied), update the matching `execution/progress.md` checkbox from `- [ ] PLAN-TASK-NNN ...` to `- [x] PLAN-TASK-NNN ...` and append one line:
   `Task N: complete (commits <base7>..<head7>, review clean)`
+**Continuous execution**: execute all PLAN-TASKs without pausing to ask "should I continue?" between tasks. Stop only on: unresolvable `BLOCKED`, upstream defect requiring repair, dirty-tree block, or all tasks complete. `Verification` requires fresh command output; "should pass" / "looks correct" is not evidence; do not report `DONE` without it.
 ## Final Whole-Branch Review
-After all tasks complete, dispatch a final whole-branch review subagent:
-- Scope: all commits since the branch started (or since `closed_at_plan_checkpoint`)
-- Include the diff (`git diff -U10 <merge-base> HEAD`)
-- Dispatch fix subagents for any Critical/Important findings before marking done
+After all tasks complete, dispatch a final whole-branch review subagent on the **most capable model**:
+- First create the whole-branch diff: `mkdir -p .req-to-plan/<work-id>/logs` then `git diff -U10 <execution-base-commit> HEAD > .req-to-plan/<work-id>/logs/final-diff.md`
+- Scope: review the complete execution range `git diff -U10 <execution-base-commit> HEAD`, where `<execution-base-commit>` is the Task 1 BASE captured before dispatching the first implementer
+- Include the diff file path (`.req-to-plan/<work-id>/logs/final-diff.md`) in the reviewer dispatch; do not ask the reviewer to infer the changed range
+- **re-run the full verification suite** on the final HEAD and attach the fresh output (per-task greens do not catch cross-task regressions)
+- Walk the PLAN task-by-task as a line-by-line requirements checklist; report any gap
+- Dispatch ONE fix subagent carrying the complete findings list (not one fixer per finding)
 - This whole-branch review is the merge gate
+After the review settles, write `execution/final-review.md` recording the reviewed range, a one-line summary, and the verdict:
+- `Verdict: Approved` when the review is clean
+- `Verdict: Changes Requested` while findings remain
+- After any final-review fix wave, regenerate `.req-to-plan/<work-id>/logs/final-diff.md` from the same `<execution-base-commit>` to current `HEAD`, re-run the full verification suite, and re-dispatch the final whole-branch reviewer with the refreshed diff and output
+- Repeat until the post-fix reviewer is clean; only then append `Verdict: Approved` as the final unfenced verdict (the gate reads the last one)
+Note: `r2p-archive` refuses to archive an executing run unless this file's current verdict is `Verdict: Approved`.
 ## Auto-Archive on Completion
 When all tasks are done and the final whole-branch review is clean, call:
@@ -109,6 +133,7 @@ Commits are already on the **current branch**. `push` and PR creation still requ
 ## Durable Progress
 Track progress in `execution/progress.md` (not only in todos). On resume, read the ledger and skip tasks already marked complete.
+On resume, read `execution/progress.md` before the final review and reuse its `Execution BASE:` line as `<execution-base-commit>`. Do not recalculate it from `HEAD` or from the latest task range. If the line is missing, stop and ask the human for the original Task 1 BASE instead of inferring a range.
 ## Error Reference

package/tools/workflow_cli/agent_templates/claude/commands/r2p-start.md CHANGED Viewed

@@ -9,4 +9,4 @@ To start from a requirement document, pass `--file <path>` instead of inline tex
 Use `--separate` to create an independent run when another open run exists.
-Optionally pass `--repo-path <dir>` to ground tier estimation and the Project Context Pack in real repo facts.
+Tier estimation and the Project Context Pack are grounded in the current directory by default; pass `--repo-path <dir>` to ground them in a different repository instead.

package/tools/workflow_cli/agent_templates/codex/skills/r2p-execute/SKILL.md CHANGED Viewed

@@ -32,6 +32,15 @@ Before dispatching Task 1, read `07-plan.md` once and scan for:
 Batch all findings into one question to the human **before** execution begins — one interrupt, not one per discovery. If the scan is clean, proceed without comment. The task-reviewer loop catches conflicts that only emerge from implementation.
 If a finding requires PLAN, SPEC, or DESIGN repair, stop and ask the human to reopen from the affected stage rather than patching over it in execution.
+## Model Selection
+Use the least powerful model that can handle each role:
+- **Mechanical implementation** (isolated, clear spec, complete `Skeleton`, 1–2 files): fast/cheap model.
+- **Integration / judgment / debugging** (multi-file coordination, pattern matching): standard model.
+- **Architecture / design AND the final whole-branch review**: most capable model.
+- Always specify the model explicitly when dispatching; an omitted model inherits the session model.
+- **Turn count beats token price**: use a mid-tier floor for reviewers and for implementers working from prose descriptions; drop to cheapest only for complete-code/single-file mechanical tasks.
 ## Per-Task Loop
 For each PLAN-TASK (in order):
@@ -42,6 +51,8 @@ Read the task text directly from `07-plan.md`. Note the task's `Skeleton`, `Step
 ### 2. Dispatch a fresh implementer subagent
+Record BASE (`git rev-parse HEAD`) BEFORE dispatching the implementer — **never use `HEAD~1`** as BASE (it drops all but the last commit of a multi-commit task). For Task 1, this BASE is also `<execution-base-commit>` for the final whole-branch review. Persist the Task 1 BASE immediately in tracked execution state by adding `Execution BASE: <execution-base-commit>` to `execution/progress.md`.
 Provide the subagent with:
 - The task text (from `07-plan.md`)
 - Scene-setting context (project, dependencies, architectural constraints)
@@ -69,12 +80,12 @@ The fresh implementer subagent verifies-then-removes ambiguity by evidence and T
 ### 5. Write diff and dispatch task-reviewer
 After the implementer reports DONE:
-1. Record the diff inline: `git diff -U10 <base-commit> HEAD`
+1. `mkdir -p .req-to-plan/<work-id>/logs` then `git diff -U10 <base-commit> HEAD > .req-to-plan/<work-id>/logs/task-N-diff.md`. Keep diff scratch under `logs/` (gitignored), never under `execution/`.
 2. Dispatch a task-reviewer subagent with:
    - The task text and `Spec References` from `07-plan.md`
    - The implementer's report
-   - The diff
-   - Global constraints from the plan
+   - The diff file path (`.req-to-plan/<work-id>/logs/task-N-diff.md`)
+   - Global constraints from the plan (copy verbatim from `## Global Constraints`); never pre-judge a finding's severity; never paste prior-task summaries into a later dispatch
 The task-reviewer returns two verdicts:
 - **Spec compliance**: checked against `Spec References` + `Verification`
@@ -87,13 +98,26 @@ The task-reviewer returns two verdicts:
 - Only when the task-reviewer is clean (both spec ✅ and quality Approved, and `Verification` satisfied), update the matching `execution/progress.md` checkbox from `- [ ] PLAN-TASK-NNN ...` to `- [x] PLAN-TASK-NNN ...` and append one line:
   `Task N: complete (commits <base7>..<head7>, review clean)`
+**Continuous execution**: execute all PLAN-TASKs without pausing to ask "should I continue?" between tasks. Stop only on: unresolvable `BLOCKED`, upstream defect requiring repair, dirty-tree block, or all tasks complete. `Verification` requires fresh command output; "should pass" / "looks correct" is not evidence; do not report `DONE` without it.
 ## Final Whole-Branch Review
-After all tasks complete, dispatch a final whole-branch review subagent:
-- Scope: all commits since the branch started (or since `closed_at_plan_checkpoint`)
-- Include the diff (`git diff -U10 <merge-base> HEAD`)
+After all tasks complete, dispatch a final whole-branch review subagent on the **most capable model**:
+- First create the whole-branch diff: `mkdir -p .req-to-plan/<work-id>/logs` then `git diff -U10 <execution-base-commit> HEAD > .req-to-plan/<work-id>/logs/final-diff.md`
+- Scope: review the complete execution range `git diff -U10 <execution-base-commit> HEAD`, where `<execution-base-commit>` is the Task 1 BASE captured before dispatching the first implementer
+- Include the diff file path (`.req-to-plan/<work-id>/logs/final-diff.md`) in the reviewer dispatch; do not ask the reviewer to infer the changed range
+- **re-run the full verification suite** on the final HEAD and attach the fresh output (per-task greens do not catch cross-task regressions)
+- Walk the PLAN task-by-task as a line-by-line requirements checklist; report any gap
+- Dispatch ONE fix subagent carrying the complete findings list (not one fixer per finding)
 - This whole-branch review is the merge gate
-- Dispatch fix subagents for any Critical/Important findings before marking done
+After the review settles, write `execution/final-review.md` recording the reviewed range, a one-line summary, and the verdict:
+- `Verdict: Approved` when the review is clean
+- `Verdict: Changes Requested` while findings remain
+- After any final-review fix wave, regenerate `.req-to-plan/<work-id>/logs/final-diff.md` from the same `<execution-base-commit>` to current `HEAD`, re-run the full verification suite, and re-dispatch the final whole-branch reviewer with the refreshed diff and output
+- Repeat until the post-fix reviewer is clean; only then append `Verdict: Approved` as the final unfenced verdict (the gate reads the last one)
+Note: `r2p-archive` refuses to archive an executing run unless this file's current verdict is `Verdict: Approved`.
 ## Auto-Archive on Completion
@@ -110,6 +134,7 @@ Commits are already on the **current branch**. `push` and PR creation still requ
 ## Durable Progress
 Track progress in `execution/progress.md` (not only in todos). On resume, read the ledger and skip tasks already marked complete.
+On resume, read `execution/progress.md` before the final review and reuse its `Execution BASE:` line as `<execution-base-commit>`. Do not recalculate it from `HEAD` or from the latest task range. If the line is missing, stop and ask the human for the original Task 1 BASE instead of inferring a range.
 ## Error Reference

package/tools/workflow_cli/agent_templates/codex/skills/r2p-start/SKILL.md CHANGED Viewed

@@ -13,4 +13,4 @@ To start from a requirement document, pass `--file <path>` instead of inline tex
 Use `--separate` to create an independent run when another open run exists.
-Optionally pass `--repo-path <dir>` to ground tier estimation and the Project Context Pack in real repo facts.
+Tier estimation and the Project Context Pack are grounded in the current directory by default; pass `--repo-path <dir>` to ground them in a different repository instead.

package/tools/workflow_cli/agent_templates/gemini/commands/r2p-start.toml CHANGED Viewed

@@ -1,4 +1,4 @@
 name = "r2p-start"
-description = "Start a new requirement-to-PLAN workflow run. Optionally pass --repo-path <dir> to ground tier estimation and the Project Context Pack in real repo facts."
+description = "Start a new requirement-to-PLAN workflow run. Tier estimation and the Project Context Pack are grounded in the current directory by default; pass --repo-path <dir> to ground them in a different repository instead."
 command = "{{R2P_BIN_DIR}}/r2p-start"
 version = "{{R2P_VERSION}}"

package/tools/workflow_cli/cli.py CHANGED Viewed

@@ -47,11 +47,16 @@ from tools.workflow_cli.gates import (
     check_quality_gate,
     check_forced_subagent_review,
     check_execution_complete,
+    check_final_review_recorded,
 )
 from tools.workflow_cli.output import (
+    COMPACT_DETAIL_LIMIT,
+    COMPACT_FILE_LIST_LIMIT,
+    compact_human_list,
     format_success,
     format_error,
     format_gate_result,
+    is_json_mode,
     print_and_exit,
     EXIT_OK,
     EXIT_CLI_ERR,
@@ -95,6 +100,53 @@ def _load_run(work_id: str, base_path: Path | None = None):
         )
+def _write_recovery_list(run_dir: Path, work_id: str, filename: str, items: list[str]) -> str | None:
+    logs_dir = run_dir / "logs"
+    if logs_dir.is_symlink():
+        return None
+    try:
+        logs_dir.mkdir(parents=True, exist_ok=True)
+        recovery_path = logs_dir / filename
+        atomic_write_text(recovery_path, "\n".join(items) + "\n")
+    except OSError:
+        return None
+    return f".req-to-plan/{work_id}/logs/{filename}"
+def _human_list_payload(
+    *,
+    run_dir: Path,
+    work_id: str,
+    label: str,
+    items: list,
+    limit: int,
+    recovery_filename: str,
+    recovery_items: list[str] | None = None,
+) -> dict:
+    if is_json_mode() or len(items) <= limit:
+        return {label: items}
+    recovery_path = _write_recovery_list(
+        run_dir,
+        work_id,
+        recovery_filename,
+        recovery_items if recovery_items is not None else [str(item) for item in items],
+    )
+    if recovery_path is None:
+        return {label: items}
+    payload = compact_human_list(
+        label=label,
+        items=items,
+        limit=limit,
+        recovery_path=recovery_path,
+    )
+    payload[f"{label}_summary"] = (
+        f"{payload[f'{label}_shown']} shown, {payload[f'{label}_total']} total"
+    )
+    return payload
 def _validate_work_id(raw: str) -> WorkId:
     """Parse WorkId or exit with CLI error."""
     try:
@@ -233,7 +285,16 @@ def _cmd_run_start(args):
             format_error("Requirement must not be blank", exit_code=EXIT_CLI_ERR),
             EXIT_CLI_ERR,
         )
-    repo_path = _validate_repo_path(args.repo_path) if args.repo_path else None
+    if args.repo_path:
+        repo_path = _validate_repo_path(args.repo_path)
+    else:
+        # --repo-path is optional: default to the workspace root (--base-path,
+        # which itself defaults to the current directory) so tier estimation and
+        # the Project Context Pack are grounded in real repo facts without an
+        # explicit flag. A standard-tier PLAN later requires a usable Context Pack
+        # (R11), so grounding by default avoids a silent gate failure. Using
+        # base_path (not literal Path.cwd()) preserves --base-path test isolation.
+        repo_path = args.base_path or Path.cwd()
     run_dir = _reject_symlinked_run_paths(work_id, args.base_path)
     mgr = RunStateManager(run_dir)
@@ -334,6 +395,15 @@ def _cmd_run_start(args):
 def _cmd_run_resume(args):
     record, mgr, run_dir = _load_run(args.work_id, args.base_path)
     rc = record.resume_context
+    reread_targets = list(rc.required_reread_targets)
+    reread_payload = _human_list_payload(
+        run_dir=run_dir,
+        work_id=str(record.work_id),
+        label="required_reread_targets",
+        items=reread_targets,
+        limit=COMPACT_FILE_LIST_LIMIT,
+        recovery_filename="run-resume-reread-targets.txt",
+    )
     print_and_exit(
         format_success(
             {
@@ -344,6 +414,7 @@ def _cmd_run_resume(args):
                 "next_operation": rc.next_allowed_operation,
                 "active_item": rc.active_item,
                 "resume_reason": rc.resume_reason,
+                **reread_payload,
             },
             message="Resume context",
         ),
@@ -552,7 +623,13 @@ def _cmd_run_reopen(args):
             last_operation="reopen_from_execution",
             next_operation=f"continue_reopened_run:{new_work_id}",
         )
-        source_mgr.save(source_record)
+        try:
+            source_mgr.save(source_record)
+        except Exception:
+            # Roll back the just-created new run so no orphan is left and the
+            # source stays consistently EXECUTING.
+            shutil.rmtree(new_run_dir, ignore_errors=True)
+            raise
     print_and_exit(
         format_success(
@@ -595,6 +672,17 @@ def _cmd_run_archive(args):
                 ),
                 gate.exit_code,
             )
+        # 0b. Final-review gate: the whole-branch review verdict must be recorded.
+        # --force bypasses (abandoned/superseded run already skips this block).
+        review_gate = check_final_review_recorded(run_dir)
+        if not review_gate.passed:
+            print_and_exit(
+                format_error(
+                    " ".join(review_gate.issues),
+                    exit_code=review_gate.exit_code,
+                ),
+                review_gate.exit_code,
+            )
     # 1. Refuse to clobber an existing archived copy before mutating state.
     archive_dir = base / ".req-to-plan" / "archive" / str(record.work_id)
     if archive_dir.exists():
@@ -1223,6 +1311,22 @@ def _cmd_status_run(args):
         for s in record.stale_artifacts
     ]
     outstanding_stale = [aa.stage.value for aa in record.active_artifacts if aa.status == "stale"]
+    approved_checkpoints = [cp.stage.value for cp in record.approved_checkpoints]
+    approved_payload = _human_list_payload(
+        run_dir=run_dir,
+        work_id=str(record.work_id),
+        label="approved_checkpoints",
+        items=approved_checkpoints,
+        limit=COMPACT_DETAIL_LIMIT,
+        recovery_filename="status-run-approved-checkpoints.txt",
+        recovery_items=[
+            (
+                f"{cp.stage.value}\t{cp.artifact}\tv{cp.version}\t"
+                f"{cp.approved_at}\t{cp.downstream_authorization}\t{cp.bundle_id or ''}"
+            )
+            for cp in record.approved_checkpoints
+        ],
+    )
     print_and_exit(
         format_success(
@@ -1237,7 +1341,7 @@ def _cmd_status_run(args):
                 "open_routes_detail": open_routes_detail,
                 "stale_artifacts": stale_artifacts,
                 "outstanding_stale": outstanding_stale,
-                "approved_checkpoints": [cp.stage.value for cp in record.approved_checkpoints],
+                **approved_payload,
             },
             message="Run status",
         ),
@@ -1537,7 +1641,11 @@ def _register_run_commands(subparsers):
         default=None,
         help="Path to a file whose contents are the raw requirement",
     )
-    p.add_argument("--repo-path", default=None, help="Path to repository for baseline scan")
+    p.add_argument(
+        "--repo-path",
+        default=None,
+        help="Path to repository for baseline scan (default: current directory / --base-path)",
+    )
     p.add_argument("--overwrite", action="store_true", help="Overwrite an existing run")
     p.set_defaults(func=_cmd_run_start)

package/tools/workflow_cli/context_pack.py CHANGED Viewed

@@ -11,6 +11,7 @@ try:
 except ImportError:  # pragma: no cover - older interpreters: pyproject parsing degrades to a no-op
     tomllib = None
+from tools.workflow_cli.atomic import atomic_write_text
 from tools.workflow_cli.repo_baseline import SKIP_DIRS, scan_repo_baseline
 _CONFIG_NAMES = {
@@ -167,6 +168,9 @@ def to_markdown(pack: ProjectContextPack) -> str:
 def write_context_pack(pack: ProjectContextPack, run_dir: Path) -> tuple[Path, Path]:
     json_path = run_dir / "02-project-context.json"
     md_path = run_dir / "02-project-context.md"
-    json_path.write_text(to_json(pack), encoding="utf-8")
-    md_path.write_text(to_markdown(pack), encoding="utf-8")
+    for target in (json_path, md_path):
+        if target.is_symlink():
+            raise ValueError(f"refusing to write through symlink: {target}")
+    atomic_write_text(json_path, to_json(pack))
+    atomic_write_text(md_path, to_markdown(pack))
     return md_path, json_path

package/tools/workflow_cli/gates.py CHANGED Viewed

@@ -1110,6 +1110,90 @@ def check_forced_subagent_review(
     )
+# ---------------------------------------------------------------------------
+# Final Review Presence Gate
+# ---------------------------------------------------------------------------
+_FINAL_REVIEW_DISCLAIMER = (
+    "Presence check on the review audit trail — not a correctness guarantee."
+)
+_SUPPORTED_VERDICTS = {"approved", "changes requested"}
+_CANONICAL_NOT_APPROVED_MSG = (
+    "Final whole-branch review not approved: execution/final-review.md is missing, "
+    "or its current (last unfenced) 'Verdict:' line is not 'Approved'. "
+    + _FINAL_REVIEW_DISCLAIMER
+    + " Record 'Verdict: Approved', or re-run with --force to archive an abandoned run."
+)
+def _fail_gate(msg: str) -> GateResult:
+    return GateResult(passed=False, issues=[msg], exit_code=EXIT_GATE_FAIL)
+def _current_verdict(text: str) -> str | None:
+    """Return the last unfenced 'Verdict:' value (stripped, lowercased), or None."""
+    value = None
+    for line, _, _ in unfenced_markdown_lines(text):
+        s = line.strip()
+        if s[:8].lower() == "verdict:":
+            value = s[8:].strip().lower()  # last one wins
+    return value
+def _has_verdict(text: str) -> bool:
+    return _current_verdict(text) is not None
+def check_final_review_recorded(run_dir: Path) -> GateResult:
+    """Archive precondition: the final whole-branch review verdict is recorded.
+    Presence/audit only — never runs code or tests, never asserts the verdict is
+    true. Same trust level as the PLAN-TASK checkbox gate.
+    """
+    marker = run_dir / "execution" / "final-review.md"
+    text, err = _read_regular_text_no_symlink(marker)
+    if err == "missing":
+        return _fail_gate(_CANONICAL_NOT_APPROVED_MSG)
+    if err == "symlink":
+        return _fail_gate(
+            "execution/final-review.md is a symlink; refusing to read "
+            "outside the run directory. " + _FINAL_REVIEW_DISCLAIMER
+        )
+    if err == "not_regular":
+        return _fail_gate(
+            "execution/final-review.md is not a regular file. "
+            + _FINAL_REVIEW_DISCLAIMER
+        )
+    assert text is not None
+    if not _has_verdict(text):
+        # Case d: regular file, zero unfenced Verdict: lines
+        return _fail_gate(_CANONICAL_NOT_APPROVED_MSG)
+    current = _current_verdict(text)  # last unfenced 'Verdict:' value, lowercased
+    assert current is not None  # guarded by _has_verdict above
+    if current not in _SUPPORTED_VERDICTS:
+        return _fail_gate(
+            "execution/final-review.md current 'Verdict:' value is unsupported. "
+            + _FINAL_REVIEW_DISCLAIMER
+        )
+    if current == "changes requested":
+        return _fail_gate(
+            "Final whole-branch review not approved: current 'Verdict:' is "
+            "'Changes Requested'. " + _FINAL_REVIEW_DISCLAIMER
+        )
+    # current == "approved"
+    return GateResult(passed=True, issues=[], exit_code=0)
 # ---------------------------------------------------------------------------
 # Execution Completion Gate
 # ---------------------------------------------------------------------------

package/tools/workflow_cli/install.py CHANGED Viewed

@@ -6,6 +6,7 @@ Supports: claude, codex, gemini, opencode
 from __future__ import annotations
 import os
+import secrets
 import json
 import hashlib
 import shutil
@@ -204,15 +205,7 @@ class InstallService:
                 "r2p_version": R2P_VERSION,
                 "schema_version": SCHEMA_VERSION,
             }
-            self._validate_install_path(manifest_path, field="manifest")
-            manifest_path.parent.mkdir(parents=True, exist_ok=True)
-            tmp = manifest_path.with_name(manifest_path.name + ".tmp")
-            # The temp sibling shares the (validated) parent, but its own path is
-            # untrusted: reject a planted symlink so the atomic write cannot be
-            # redirected outside the manifest dir.
-            self._validate_install_path(tmp, field="manifest")
-            tmp.write_text(_dump_manifest(manifest), encoding="utf-8")
-            tmp.replace(manifest_path)
+            self._write_manifest_atomic(manifest_path, _dump_manifest(manifest))
             manifest_written = True
             # Remove obsolete managed shared wrappers (e.g. a 0.1.2 r2p-adapt) that
@@ -671,7 +664,14 @@ class InstallService:
             for mpath in sorted(install_dir.glob("*.yaml")):
                 if self._load_manifest_for_cleanup(mpath) is None:
                     continue
-                self._strip_path_from_manifest(mpath, path_str)
+                try:
+                    self._strip_path_from_manifest(mpath, path_str)
+                except ValueError:
+                    # Best-effort cleanup: _write_manifest_atomic rejects writes
+                    # that would follow an untrusted symlink. A symlinked or
+                    # otherwise unsafe manifest is left in place for operator
+                    # repair rather than aborting the in-progress install.
+                    continue
             # Delete the obsolete managed wrapper only when there was no user
             # original to restore in its place.
             if not restored and path_str not in preserve_paths:
@@ -772,7 +772,7 @@ class InstallService:
             changed = True
         if changed:
-            manifest_path.write_text(_dump_manifest(manifest), encoding="utf-8")
+            self._write_manifest_atomic(manifest_path, _dump_manifest(manifest))
     def _load_manifest_for_cleanup(self, manifest_path: Path) -> dict[str, Any] | None:
         """Load a manifest during best-effort shared-wrapper cleanup.
@@ -829,8 +829,44 @@ class InstallService:
                 file_snapshot.path.chmod(file_snapshot.mode)
             except OSError:
                 pass
-        snapshot.manifest_path.parent.mkdir(parents=True, exist_ok=True)
-        snapshot.manifest_path.write_text(snapshot.manifest_text, encoding="utf-8")
+        self._write_manifest_atomic(snapshot.manifest_path, snapshot.manifest_text)
+    def _write_manifest_atomic(self, manifest_path: Path, data: str) -> None:
+        """Write manifest data via a unique temp sibling, then atomically replace.
+        Closes the fixed-name temp collision + check-then-write TOCTOU window.
+        _validate_install_path is called on both the manifest path and each
+        candidate temp path (preserving the existing symlink-rejection rules).
+        """
+        self._validate_install_path(manifest_path, field="manifest")
+        manifest_path.parent.mkdir(parents=True, exist_ok=True)
+        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
+        flags |= getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
+        last_err: Exception | None = None
+        for _ in range(100):
+            tmp = manifest_path.with_name(
+                f".{manifest_path.name}.{os.getpid()}.{secrets.token_hex(8)}.tmp"
+            )
+            self._validate_install_path(tmp, field="manifest")
+            try:
+                fd = os.open(tmp, flags, 0o666)
+            except FileExistsError as exc:
+                last_err = exc
+                continue
+            try:
+                with os.fdopen(fd, "w", encoding="utf-8") as fh:
+                    fh.write(data)
+                os.replace(tmp, manifest_path)
+                return
+            except BaseException:
+                try:
+                    tmp.unlink()
+                except FileNotFoundError:
+                    pass
+                raise
+        raise FileExistsError(
+            f"could not create unique manifest temp for {manifest_path}"
+        ) from last_err
     def _validate_install_path(self, path: Path, *, field: str) -> None:
         """Reject install writes that would follow untrusted symlinks."""

package/tools/workflow_cli/output.py CHANGED Viewed

@@ -11,12 +11,38 @@ EXIT_REVIEW_REQ = 5  # forced subagent review required
 EXIT_CONFLICT = 6  # state conflict (run already closed, etc.)
 EXIT_NOT_FOUND = 7 # resource not found (run.md, artifact, etc.)
+# Opt-in compact display limits. Default formatters remain uncapped.
+COMPACT_DETAIL_LIMIT = 10
+COMPACT_FILE_LIST_LIMIT = 15
 def is_json_mode() -> bool:
     """Check if JSON output mode is enabled via R2P_JSON environment variable."""
     return os.environ.get("R2P_JSON", "0") == "1"
+def compact_human_list(
+    *,
+    label: str,
+    items: list,
+    limit: int,
+    recovery_path: str | None = None,
+) -> dict:
+    """Build an opt-in compact list payload without touching the filesystem."""
+    if limit < 0:
+        raise ValueError("limit must be non-negative")
+    visible_items = list(items[:limit])
+    result = {
+        label: visible_items,
+        f"{label}_shown": len(visible_items),
+        f"{label}_total": len(items),
+    }
+    if recovery_path:
+        result[f"{label}_full_list"] = recovery_path
+    return result
 def format_success(data: dict, message: str = "") -> str:
     """Format a success response."""
     if is_json_mode():

package/tools/workflow_cli/version.py CHANGED Viewed

	@@ -1 +1 @@
1	- R2P_VERSION = "0.5.1"
1	+ R2P_VERSION = "0.6.0"

package/tools/workflow_cli/workspace.py CHANGED Viewed

@@ -14,7 +14,7 @@ from pathlib import Path
 from tools.workflow_cli.atomic import atomic_write_text
-_WORKSPACE_GITIGNORE_LINES = ("/archive", "/.workflow-active")
+_WORKSPACE_GITIGNORE_LINES = ("/archive", "/.workflow-active", "/*/logs/")
 def ensure_workspace_gitignore(base_path: Path) -> None: