codeharness 0.19.4 → 0.20.0

package/dist/index.js

@@ -1941,7 +1941,7 @@ async function scaffoldDocs(opts) {
 }
 
 // src/modules/infra/init-project.ts
-var HARNESS_VERSION = true ? "0.19.4" : "0.0.0-dev";
+var HARNESS_VERSION = true ? "0.20.0" : "0.0.0-dev";
 function failResult(opts, error) {
   return {
     status: "fail",
@@ -2693,6 +2693,153 @@ function generateRalphPrompt(config) {
   return prompt;
 }
 
+// src/lib/dashboard-formatter.ts
+function formatElapsed(ms) {
+  const totalSeconds = Math.max(0, Math.floor(ms / 1e3));
+  const minutes = Math.floor(totalSeconds / 60);
+  const remainingSeconds = totalSeconds % 60;
+  return minutes > 0 ? `${minutes}m ${remainingSeconds}s` : `${remainingSeconds}s`;
+}
+var TIMESTAMP_PREFIX = /^\[[\d-]+\s[\d:]+\]\s*/;
+var ANSI_ESCAPE = /\x1b\[[0-9;]*m/g;
+var SUCCESS_STORY = /\[SUCCESS\]\s+Story\s+([\w-]+):\s+DONE(.*)/;
+var ERROR_LINE = /\[ERROR\]\s+(.+)/;
+var WARN_STORY_RETRY = /\[WARN\]\s+Story\s+([\w-]+)\s+exceeded retry limit.*flagging/;
+var WARN_STORY_RETRYING = /\[WARN\]\s+Story\s+([\w-]+)\s+.*retry\s+(\d+)\/(\d+)/;
+var INFO_SPRINT = /\[INFO\]\s+Sprint:\s+(.+)/;
+var INFO_PROGRESS = /\[INFO\]\s+Progress:\s+(.+)/;
+var INFO_STORY_PHASE = /\[INFO\]\s+Story\s+([\w-]+):\s+(create|dev|review|verify)(?:\s+\((.+)\))?/;
+var INFO_STORY_AC = /\[INFO\]\s+Story\s+([\w-]+):\s+verify\s+\(AC\s+(.+)\)/;
+var INFO_NEXT = /\[INFO\]\s+Next up:\s+([\w-]+)/;
+var DEBUG_LINE = /\[DEBUG\]/;
+var INFO_NOISE = /\[INFO\]\s+(Plugin:|Starting\s+|Sleeping\s|Capturing\s|Timeout report)/;
+var LOOP_LINE = /\[LOOP\]\s+(.+)/;
+var WARN_LINE = /\[WARN\]\s+(.+)/;
+var SUCCESS_STARTING = /\[SUCCESS\]\s+Ralph loop starting/;
+var SUCCESS_ALL_DONE = /\[SUCCESS\]\s+All stories complete\.(.+)/;
+var INFO_SESSION = /\[INFO\]\s+(━━━.*━━━)/;
+var DashboardFormatter = class {
+  currentStory = null;
+  currentPhase = null;
+  phaseStartTime = null;
+  /**
+   * Parse a raw ralph output line and return formatted dashboard output,
+   * or null to suppress the line.
+   */
+  formatLine(rawLine) {
+    const clean = rawLine.replace(ANSI_ESCAPE, "").replace(TIMESTAMP_PREFIX, "").trim();
+    if (clean.length === 0) return null;
+    if (DEBUG_LINE.test(clean)) return null;
+    if (SUCCESS_STARTING.test(clean)) {
+      return "--- Ralph loop starting ---";
+    }
+    const allDone = SUCCESS_ALL_DONE.exec(clean);
+    if (allDone) {
+      return `\u2713 All stories complete.${allDone[1]}`;
+    }
+    const success = SUCCESS_STORY.exec(clean);
+    if (success) {
+      const key = success[1];
+      const rest = success[2].trim();
+      const formatted = rest ? ` (${rest.replace(/^—\s*/, "")})` : "";
+      this.currentStory = null;
+      this.currentPhase = null;
+      this.phaseStartTime = null;
+      return `\u2713 Story ${key}: DONE${formatted}`;
+    }
+    const acMatch = INFO_STORY_AC.exec(clean);
+    if (acMatch) {
+      this.currentStory = acMatch[1];
+      this.currentPhase = `verify (AC ${acMatch[2]})`;
+      if (this.phaseStartTime === null) {
+        this.phaseStartTime = Date.now();
+      }
+      return null;
+    }
+    const phaseMatch = INFO_STORY_PHASE.exec(clean);
+    if (phaseMatch) {
+      const newStory = phaseMatch[1];
+      const newPhase = phaseMatch[2];
+      if (newStory !== this.currentStory || newPhase !== this.currentPhase) {
+        this.phaseStartTime = Date.now();
+      }
+      this.currentStory = newStory;
+      this.currentPhase = phaseMatch[3] ? `${newPhase} (${phaseMatch[3]})` : newPhase;
+      return null;
+    }
+    const sprint = INFO_SPRINT.exec(clean);
+    if (sprint) {
+      return `\u25C6 Sprint: ${sprint[1]}`;
+    }
+    const progress = INFO_PROGRESS.exec(clean);
+    if (progress) {
+      return `\u25C6 Progress: ${progress[1]}`;
+    }
+    const next = INFO_NEXT.exec(clean);
+    if (next) {
+      return `\u25C6 Next: ${next[1]}`;
+    }
+    if (INFO_NOISE.test(clean)) return null;
+    const session = INFO_SESSION.exec(clean);
+    if (session) {
+      return session[1];
+    }
+    const errorMatch = ERROR_LINE.exec(clean);
+    if (errorMatch) {
+      const msg = errorMatch[1].trim();
+      if (msg.startsWith("\u2717")) {
+        return `\u2717 ${msg.replace(/^\u2717\s*/, "")}`;
+      }
+      return `\u2717 ${msg}`;
+    }
+    const retryExceeded = WARN_STORY_RETRY.exec(clean);
+    if (retryExceeded) {
+      return `\u2717 Story ${retryExceeded[1]}: FAIL \u2014 exceeded retry limit`;
+    }
+    const retrying = WARN_STORY_RETRYING.exec(clean);
+    if (retrying) {
+      return `\u25C6 Story ${retrying[1]}: retry ${retrying[2]}/${retrying[3]}`;
+    }
+    const loop = LOOP_LINE.exec(clean);
+    if (loop) {
+      return `\u25C6 ${loop[1]}`;
+    }
+    const warn2 = WARN_LINE.exec(clean);
+    if (warn2) {
+      return `! ${warn2[1]}`;
+    }
+    if (clean.startsWith("[")) {
+      return clean;
+    }
+    return clean;
+  }
+  /**
+   * Returns the current ticker line showing active story progress,
+   * or null if no story is active.
+   */
+  getTickerLine() {
+    if (!this.currentStory || !this.currentPhase || this.phaseStartTime === null) {
+      return null;
+    }
+    const elapsed = formatElapsed(Date.now() - this.phaseStartTime);
+    return `\u25C6 ${this.currentStory} \u2014 ${this.currentPhase} (elapsed ${elapsed})`;
+  }
+  /** Get current tracked story (for testing) */
+  getCurrentStory() {
+    return this.currentStory;
+  }
+  /** Get current tracked phase (for testing) */
+  getCurrentPhase() {
+    return this.currentPhase;
+  }
+  /** Reset internal state */
+  reset() {
+    this.currentStory = null;
+    this.currentPhase = null;
+    this.phaseStartTime = null;
+  }
+};
+
 // src/commands/run.ts
 var SPRINT_STATUS_REL = "_bmad-output/implementation-artifacts/sprint-status.yaml";
 var STORY_KEY_PATTERN = /^\d+-\d+-/;
@@ -2743,16 +2890,13 @@ function buildSpawnArgs(opts) {
   if (opts.maxStoryRetries !== void 0) {
     args.push("--max-story-retries", String(opts.maxStoryRetries));
   }
-  if (opts.live) {
-    args.push("--live");
-  }
   if (opts.reset) {
     args.push("--reset");
   }
   return args;
 }
 function registerRunCommand(program) {
-  program.command("run").description("Execute the autonomous coding loop").option("--max-iterations <n>", "Maximum loop iterations", "50").option("--timeout <seconds>", "Total loop timeout in seconds", "43200").option("--iteration-timeout <minutes>", "Per-iteration timeout in minutes", "30").option("--live", "Show live output streaming", false).option("--calls <n>", "Max API calls per hour", "100").option("--max-story-retries <n>", "Max retries per story before flagging", "10").option("--reset", "Clear retry counters, flagged stories, and circuit breaker before starting", false).action(async (options, cmd) => {
+  program.command("run").description("Execute the autonomous coding loop").option("--max-iterations <n>", "Maximum loop iterations", "50").option("--timeout <seconds>", "Total loop timeout in seconds", "43200").option("--iteration-timeout <minutes>", "Per-iteration timeout in minutes", "30").option("--quiet", "Suppress terminal output (background mode)", false).option("--calls <n>", "Max API calls per hour", "100").option("--max-story-retries <n>", "Max retries per story before flagging", "10").option("--reset", "Clear retry counters, flagged stories, and circuit breaker before starting", false).action(async (options, cmd) => {
     const globalOpts = cmd.optsWithGlobals();
     const isJson = !!globalOpts.json;
     const outputOpts = { json: isJson };
@@ -2820,7 +2964,7 @@ function registerRunCommand(program) {
       timeout,
       iterationTimeout,
       calls,
-      live: options.live,
+      quiet: options.quiet,
       maxStoryRetries,
       reset: options.reset
     });
@@ -2829,16 +2973,47 @@ function registerRunCommand(program) {
       env.CLAUDE_OUTPUT_FORMAT = "json";
     }
     try {
+      const quiet = options.quiet;
       const child = spawn("bash", args, {
-        stdio: "inherit",
+        stdio: quiet ? "ignore" : ["inherit", "pipe", "pipe"],
         cwd: projectDir,
         env
       });
+      let tickerInterval = null;
+      if (!quiet && child.stdout && child.stderr) {
+        const formatter = new DashboardFormatter();
+        const makeFilterOutput = () => {
+          let partial = "";
+          return (data) => {
+            const text = partial + data.toString();
+            const parts = text.split("\n");
+            partial = parts.pop() ?? "";
+            for (const line of parts) {
+              if (line.trim().length === 0) continue;
+              const formatted = formatter.formatLine(line);
+              if (formatted !== null) {
+                process.stdout.write(`\r\x1B[K${formatted}
+`);
+              }
+            }
+          };
+        };
+        child.stdout.on("data", makeFilterOutput());
+        child.stderr.on("data", makeFilterOutput());
+        tickerInterval = setInterval(() => {
+          const tickerLine = formatter.getTickerLine();
+          if (tickerLine) {
+            process.stdout.write(`\r\x1B[K${tickerLine}`);
+          }
+        }, 1e4);
+      }
       const exitCode = await new Promise((resolve3, reject) => {
         child.on("error", (err) => {
+          if (tickerInterval) clearInterval(tickerInterval);
           reject(err);
         });
         child.on("close", (code) => {
+          if (tickerInterval) clearInterval(tickerInterval);
           resolve3(code ?? 1);
         });
       });
@@ -4740,7 +4915,11 @@ function defaultState() {
       iteration: 0,
       cost: 0,
       completed: [],
-      failed: []
+      failed: [],
+      currentStory: null,
+      currentPhase: null,
+      lastAction: null,
+      acProgress: null
     },
     actionItems: []
   };
@@ -4764,7 +4943,16 @@ function getSprintState() {
     try {
       const raw = readFileSync15(fp, "utf-8");
       const parsed = JSON.parse(raw);
-      return ok2(parsed);
+      const defaults = defaultState();
+      const run = parsed.run;
+      const state = {
+        ...parsed,
+        run: {
+          ...defaults.run,
+          ...run
+        }
+      };
+      return ok2(state);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       return fail2(`Failed to read sprint state: ${msg}`);
@@ -4791,6 +4979,43 @@ function computeSprintCounts(stories) {
   }
   return { total, done, failed, blocked, inProgress };
 }
+function updateRunProgress(update) {
+  const stateResult = getSprintState();
+  if (!stateResult.success) {
+    return fail2(stateResult.error);
+  }
+  const current = stateResult.data;
+  const updatedRun = {
+    ...current.run,
+    ...update.currentStory !== void 0 && { currentStory: update.currentStory },
+    ...update.currentPhase !== void 0 && { currentPhase: update.currentPhase },
+    ...update.lastAction !== void 0 && { lastAction: update.lastAction },
+    ...update.acProgress !== void 0 && { acProgress: update.acProgress }
+  };
+  const updatedState = {
+    ...current,
+    run: updatedRun
+  };
+  return writeStateAtomic(updatedState);
+}
+function clearRunProgress() {
+  const stateResult = getSprintState();
+  if (!stateResult.success) {
+    return fail2(stateResult.error);
+  }
+  const current = stateResult.data;
+  const updatedState = {
+    ...current,
+    run: {
+      ...current.run,
+      currentStory: null,
+      currentPhase: null,
+      lastAction: null,
+      acProgress: null
+    }
+  };
+  return writeStateAtomic(updatedState);
+}
 
 // src/modules/sprint/selector.ts
 var MAX_STORY_ATTEMPTS = 10;
@@ -5382,6 +5607,12 @@ function writeStateAtomic2(state) {
 function computeSprintCounts2(stories) {
   return computeSprintCounts(stories);
 }
+function updateRunProgress2(update) {
+  return updateRunProgress(update);
+}
+function clearRunProgress2() {
+  return clearRunProgress();
+}
 
 // src/modules/verify/validation-runner.ts
 var MAX_VALIDATION_ATTEMPTS = 10;
@@ -10191,8 +10422,58 @@ function outputHuman(p, cycles, allPassed) {
   fail("RELEASE GATE: FAIL");
 }
 
+// src/commands/progress.ts
+function registerProgressCommand(program) {
+  program.command("progress").description("Update live run progress in sprint-state.json").option("--story <key>", "Set run.currentStory").option("--phase <phase>", "Set run.currentPhase (create|dev|review|verify)").option("--action <text>", "Set run.lastAction").option("--ac-progress <progress>", 'Set run.acProgress (e.g., "4/12")').option("--clear", "Clear all run progress fields to null").action((opts, cmd) => {
+    const globalOpts = cmd.optsWithGlobals();
+    const isJson = globalOpts.json;
+    const validPhases = ["create", "dev", "review", "verify"];
+    if (opts.phase !== void 0 && !validPhases.includes(opts.phase)) {
+      fail(`Invalid phase "${opts.phase}". Must be one of: ${validPhases.join(", ")}`, { json: isJson });
+      process.exitCode = 1;
+      return;
+    }
+    if (opts.clear) {
+      const result2 = clearRunProgress2();
+      if (result2.success) {
+        if (isJson) {
+          jsonOutput({ status: "ok", cleared: true });
+        } else {
+          ok("Run progress cleared");
+        }
+      } else {
+        fail(result2.error, { json: isJson });
+        process.exitCode = 1;
+      }
+      return;
+    }
+    const update = {
+      ...opts.story !== void 0 && { currentStory: opts.story },
+      ...opts.phase !== void 0 && { currentPhase: opts.phase },
+      ...opts.action !== void 0 && { lastAction: opts.action },
+      ...opts.acProgress !== void 0 && { acProgress: opts.acProgress }
+    };
+    if (Object.keys(update).length === 0) {
+      fail("No progress fields specified. Use --story, --phase, --action, --ac-progress, or --clear.", { json: isJson });
+      process.exitCode = 1;
+      return;
+    }
+    const result = updateRunProgress2(update);
+    if (result.success) {
+      if (isJson) {
+        jsonOutput({ status: "ok", updated: update });
+      } else {
+        ok("Run progress updated");
+      }
+    } else {
+      fail(result.error, { json: isJson });
+      process.exitCode = 1;
+    }
+  });
+}
+
 // src/index.ts
-var VERSION = true ? "0.19.4" : "0.0.0-dev";
+var VERSION = true ? "0.20.0" : "0.0.0-dev";
 function createProgram() {
   const program = new Command();
   program.name("codeharness").description("Makes autonomous coding agents produce software that actually works").version(VERSION).option("--json", "Output in machine-readable JSON format");
@@ -10216,6 +10497,7 @@ function createProgram() {
   registerTimeoutReportCommand(program);
   registerValidateStateCommand(program);
   registerValidateCommand(program);
+  registerProgressCommand(program);
   return program;
 }
 if (!process.env["VITEST"]) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeharness",
-  "version": "0.19.4",
+  "version": "0.20.0",
   "type": "module",
   "description": "CLI for codeharness — makes autonomous coding agents produce software that actually works",
   "bin": {

package/patches/AGENTS.md

@@ -17,7 +17,20 @@ patches/
   retro/enforcement.md      — Retrospective quality metrics
 ```
 
-Subdirectories map to BMAD workflow roles.
+Subdirectories map to BMAD workflow roles (or analysis categories like `observability/`).
+
+## Observability Module (`observability/`)
+
+Semgrep YAML rules for static analysis of observability gaps. Each `.yaml` file is a standalone Semgrep config — no build step required. Deleting a rule file removes that check.
+
+**Rules:**
+- `catch-without-logging.yaml` — Detects catch blocks without error/warn logging (WARNING)
+- `function-no-debug-log.yaml` — Detects functions without debug/info logging (INFO)
+- `error-path-no-log.yaml` — Detects error paths (throw/return err) without preceding log (WARNING)
+
+**Testing:** `semgrep --test patches/observability/` runs annotated test fixtures (`.ts` files alongside rules).
+
+**Customization:** Edit YAML rules to add custom logger patterns (e.g., `logger.error(...)` for winston). Rules use `pattern-not` / `pattern-not-inside` to detect absence of logging.
 
 ## How Patches Work
 

package/patches/observability/__tests__/catch-without-logging.ts

@@ -0,0 +1,36 @@
+// Test cases for catch-without-logging Semgrep rule
+
+// ruleid: catch-without-logging
+try { doSomething(); } catch (e) { /* no logging at all */ }
+
+// ruleid: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  cleanup();
+}
+
+// ok: catch-without-logging
+try { doSomething(); } catch (e) { console.error('failed', e); }
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  console.warn('operation failed', err);
+  cleanup();
+}
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  logger.error('operation failed', err);
+}
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  logger.warn('operation failed', err);
+}

package/patches/observability/__tests__/error-path-no-log.ts

@@ -0,0 +1,47 @@
+// Test cases for error-path-no-log Semgrep rule
+
+function badThrow() {
+  // ruleid: error-path-no-log
+  throw new Error('something went wrong');
+}
+
+function badReturn() {
+  // ruleid: error-path-no-log
+  return err('something went wrong');
+}
+
+function goodThrow() {
+  // ok: error-path-no-log
+  console.error('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturn() {
+  // ok: error-path-no-log
+  console.error('returning error');
+  return err('something went wrong');
+}
+
+function goodThrowWithLogger() {
+  // ok: error-path-no-log
+  logger.error('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturnWithLogger() {
+  // ok: error-path-no-log
+  logger.error('returning error');
+  return err('something went wrong');
+}
+
+function goodThrowWithWarn() {
+  // ok: error-path-no-log
+  console.warn('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturnWithLoggerWarn() {
+  // ok: error-path-no-log
+  logger.warn('returning error');
+  return err('something went wrong');
+}

package/patches/observability/__tests__/function-no-debug-log.ts

@@ -0,0 +1,54 @@
+// Test cases for function-no-debug-log Semgrep rule
+
+// ruleid: function-no-debug-log
+function processData(input: string) {
+  return input.trim();
+}
+
+// ruleid: function-no-debug-log
+function handleRequest(req: any) {
+  const result = compute(req);
+  return result;
+}
+
+// ruleid: function-no-debug-log
+const transformData = (input: string) => {
+  return input.toUpperCase();
+};
+
+// ok: function-no-debug-log
+function processDataWithLog(input: string) {
+  console.log('processing data', input);
+  return input.trim();
+}
+
+// ok: function-no-debug-log
+function handleRequestWithDebug(req: any) {
+  console.debug('handling request', req);
+  const result = compute(req);
+  return result;
+}
+
+// ok: function-no-debug-log
+function serviceCall(params: any) {
+  logger.debug('service call', params);
+  return fetch(params.url);
+}
+
+// ok: function-no-debug-log
+function anotherService(params: any) {
+  logger.info('another service call', params);
+  return fetch(params.url);
+}
+
+// ok: function-no-debug-log
+const transformWithLog = (input: string) => {
+  console.log('transforming', input);
+  return input.toUpperCase();
+};
+
+// ok: function-no-debug-log
+const arrowWithDebug = (input: string) => {
+  logger.debug('arrow function', input);
+  return input.toLowerCase();
+};

package/patches/observability/catch-without-logging.ts

@@ -0,0 +1,36 @@
+// Test cases for catch-without-logging Semgrep rule
+
+// ruleid: catch-without-logging
+try { doSomething(); } catch (e) { /* no logging at all */ }
+
+// ruleid: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  cleanup();
+}
+
+// ok: catch-without-logging
+try { doSomething(); } catch (e) { console.error('failed', e); }
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  console.warn('operation failed', err);
+  cleanup();
+}
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  logger.error('operation failed', err);
+}
+
+// ok: catch-without-logging
+try {
+  riskyOperation();
+} catch (err) {
+  logger.warn('operation failed', err);
+}

package/patches/observability/catch-without-logging.yaml

@@ -0,0 +1,35 @@
+rules:
+  - id: catch-without-logging
+    patterns:
+      - pattern: |
+          try { ... } catch ($ERR) { ... }
+      - pattern-not: |
+          try { ... } catch ($ERR) {
+            ...
+            console.error(...)
+            ...
+          }
+      - pattern-not: |
+          try { ... } catch ($ERR) {
+            ...
+            console.warn(...)
+            ...
+          }
+      - pattern-not: |
+          try { ... } catch ($ERR) {
+            ...
+            logger.error(...)
+            ...
+          }
+      - pattern-not: |
+          try { ... } catch ($ERR) {
+            ...
+            logger.warn(...)
+            ...
+          }
+    message: "Catch block without error logging — observability gap"
+    languages: [typescript, javascript]
+    severity: WARNING
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/patches/observability/error-path-no-log.ts

@@ -0,0 +1,47 @@
+// Test cases for error-path-no-log Semgrep rule
+
+function badThrow() {
+  // ruleid: error-path-no-log
+  throw new Error('something went wrong');
+}
+
+function badReturn() {
+  // ruleid: error-path-no-log
+  return err('something went wrong');
+}
+
+function goodThrow() {
+  // ok: error-path-no-log
+  console.error('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturn() {
+  // ok: error-path-no-log
+  console.error('returning error');
+  return err('something went wrong');
+}
+
+function goodThrowWithLogger() {
+  // ok: error-path-no-log
+  logger.error('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturnWithLogger() {
+  // ok: error-path-no-log
+  logger.error('returning error');
+  return err('something went wrong');
+}
+
+function goodThrowWithWarn() {
+  // ok: error-path-no-log
+  console.warn('about to throw');
+  throw new Error('something went wrong');
+}
+
+function goodReturnWithLoggerWarn() {
+  // ok: error-path-no-log
+  logger.warn('returning error');
+  return err('something went wrong');
+}

package/patches/observability/error-path-no-log.yaml

@@ -0,0 +1,68 @@
+rules:
+  - id: error-path-no-log
+    patterns:
+      - pattern-either:
+          - pattern: throw $ERR;
+          - pattern: return err(...);
+      - pattern-not-inside: |
+          {
+            ...
+            console.error(...)
+            ...
+            throw $ERR;
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            console.warn(...)
+            ...
+            throw $ERR;
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            logger.error(...)
+            ...
+            throw $ERR;
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            logger.warn(...)
+            ...
+            throw $ERR;
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            console.error(...)
+            ...
+            return err(...);
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            console.warn(...)
+            ...
+            return err(...);
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            logger.error(...)
+            ...
+            return err(...);
+          }
+      - pattern-not-inside: |
+          {
+            ...
+            logger.warn(...)
+            ...
+            return err(...);
+          }
+    message: "Error path without logging — observability gap"
+    languages: [typescript, javascript]
+    severity: WARNING
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/patches/observability/function-no-debug-log.ts

@@ -0,0 +1,54 @@
+// Test cases for function-no-debug-log Semgrep rule
+
+// ruleid: function-no-debug-log
+function processData(input: string) {
+  return input.trim();
+}
+
+// ruleid: function-no-debug-log
+function handleRequest(req: any) {
+  const result = compute(req);
+  return result;
+}
+
+// ruleid: function-no-debug-log
+const transformData = (input: string) => {
+  return input.toUpperCase();
+};
+
+// ok: function-no-debug-log
+function processDataWithLog(input: string) {
+  console.log('processing data', input);
+  return input.trim();
+}
+
+// ok: function-no-debug-log
+function handleRequestWithDebug(req: any) {
+  console.debug('handling request', req);
+  const result = compute(req);
+  return result;
+}
+
+// ok: function-no-debug-log
+function serviceCall(params: any) {
+  logger.debug('service call', params);
+  return fetch(params.url);
+}
+
+// ok: function-no-debug-log
+function anotherService(params: any) {
+  logger.info('another service call', params);
+  return fetch(params.url);
+}
+
+// ok: function-no-debug-log
+const transformWithLog = (input: string) => {
+  console.log('transforming', input);
+  return input.toUpperCase();
+};
+
+// ok: function-no-debug-log
+const arrowWithDebug = (input: string) => {
+  logger.debug('arrow function', input);
+  return input.toLowerCase();
+};

package/patches/observability/function-no-debug-log.yaml

@@ -0,0 +1,114 @@
+rules:
+  - id: function-no-debug-log
+    patterns:
+      - pattern-either:
+          - pattern: |
+              function $FUNC(...) { ... }
+          - pattern: |
+              const $FUNC = (...) => { ... }
+          - pattern: |
+              let $FUNC = (...) => { ... }
+          - pattern: |
+              $FUNC(...) { ... }
+      - pattern-not: |
+          function $FUNC(...) {
+            ...
+            console.log(...)
+            ...
+          }
+      - pattern-not: |
+          function $FUNC(...) {
+            ...
+            console.debug(...)
+            ...
+          }
+      - pattern-not: |
+          function $FUNC(...) {
+            ...
+            logger.debug(...)
+            ...
+          }
+      - pattern-not: |
+          function $FUNC(...) {
+            ...
+            logger.info(...)
+            ...
+          }
+      - pattern-not: |
+          const $FUNC = (...) => {
+            ...
+            console.log(...)
+            ...
+          }
+      - pattern-not: |
+          const $FUNC = (...) => {
+            ...
+            console.debug(...)
+            ...
+          }
+      - pattern-not: |
+          const $FUNC = (...) => {
+            ...
+            logger.debug(...)
+            ...
+          }
+      - pattern-not: |
+          const $FUNC = (...) => {
+            ...
+            logger.info(...)
+            ...
+          }
+      - pattern-not: |
+          let $FUNC = (...) => {
+            ...
+            console.log(...)
+            ...
+          }
+      - pattern-not: |
+          let $FUNC = (...) => {
+            ...
+            console.debug(...)
+            ...
+          }
+      - pattern-not: |
+          let $FUNC = (...) => {
+            ...
+            logger.debug(...)
+            ...
+          }
+      - pattern-not: |
+          let $FUNC = (...) => {
+            ...
+            logger.info(...)
+            ...
+          }
+      - pattern-not: |
+          $FUNC(...) {
+            ...
+            console.log(...)
+            ...
+          }
+      - pattern-not: |
+          $FUNC(...) {
+            ...
+            console.debug(...)
+            ...
+          }
+      - pattern-not: |
+          $FUNC(...) {
+            ...
+            logger.debug(...)
+            ...
+          }
+      - pattern-not: |
+          $FUNC(...) {
+            ...
+            logger.info(...)
+            ...
+          }
+    message: "Function without debug/info logging — observability gap"
+    languages: [typescript, javascript]
+    severity: INFO
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/ralph/ralph.sh

@@ -98,6 +98,14 @@ log_status() {
         "LOOP")    color=$PURPLE ;;
     esac
 
+    # DEBUG level: log file only, no terminal output
+    if [[ "$level" == "DEBUG" ]]; then
+        if [[ -n "$LOG_DIR" ]]; then
+            echo "[$timestamp] [$level] $message" >> "$LOG_DIR/ralph.log"
+        fi
+        return
+    fi
+
     echo -e "${color}[$timestamp] [$level] $message${NC}" >&2
     if [[ -n "$LOG_DIR" ]]; then
         echo "[$timestamp] [$level] $message" >> "$LOG_DIR/ralph.log"
@@ -444,6 +452,58 @@ detect_story_changes() {
     done <<< "$after_snapshot"
 }
 
+# ─── Sprint State Progress Polling ─────────────────────────────────────────
+
+# Previous state tracking for change detection
+PREV_STORY=""
+PREV_PHASE=""
+PREV_AC_PROGRESS=""
+PREV_LAST_ACTION=""
+
+# Poll sprint-state.json for progress changes during background execution.
+# Prints structured update lines when progress fields change.
+poll_sprint_state_progress() {
+    local state_file="sprint-state.json"
+    [[ -f "$state_file" ]] || return 0
+
+    # Single jq call to extract all fields (avoids 4 process spawns per poll cycle)
+    local raw
+    raw=$(jq -r '[.run.currentStory // "", .run.currentPhase // "", .run.lastAction // "", .run.acProgress // ""] | join("\t")' "$state_file" 2>/dev/null) || return 0
+    [[ -n "$raw" ]] || return 0
+
+    local cur_story cur_phase cur_action cur_ac
+    IFS=$'\t' read -r cur_story cur_phase cur_action cur_ac <<< "$raw"
+
+    # Nothing to report if no story is active
+    [[ -z "$cur_story" ]] && return 0
+
+    # Detect changes and print structured updates
+    if [[ "$cur_story" != "$PREV_STORY" || "$cur_phase" != "$PREV_PHASE" ]]; then
+        if [[ -n "$cur_action" && "$cur_action" != "null" ]]; then
+            log_status "INFO" "Story ${cur_story}: ${cur_phase} (${cur_action})"
+        else
+            log_status "INFO" "Story ${cur_story}: ${cur_phase}"
+        fi
+    elif [[ "$cur_ac" != "$PREV_AC_PROGRESS" && -n "$cur_ac" && "$cur_ac" != "null" ]]; then
+        log_status "INFO" "Story ${cur_story}: verify (AC ${cur_ac})"
+    elif [[ "$cur_action" != "$PREV_LAST_ACTION" && -n "$cur_action" && "$cur_action" != "null" ]]; then
+        log_status "INFO" "Story ${cur_story}: ${cur_phase} (${cur_action})"
+    fi
+
+    PREV_STORY="$cur_story"
+    PREV_PHASE="$cur_phase"
+    PREV_AC_PROGRESS="$cur_ac"
+    PREV_LAST_ACTION="$cur_action"
+}
+
+# Reset polling state between iterations
+reset_poll_state() {
+    PREV_STORY=""
+    PREV_PHASE=""
+    PREV_AC_PROGRESS=""
+    PREV_LAST_ACTION=""
+}
+
 # ─── Progress Summary ───────────────────────────────────────────────────────
 
 print_progress_summary() {
@@ -463,7 +523,51 @@ print_progress_summary() {
         elapsed_fmt="${elapsed}s"
     fi
 
-    log_status "INFO" "Progress: ${completed}/${total} done, ${remaining} remaining (iterations: ${loop_count}, elapsed: ${elapsed_fmt})"
+    # Read cost and failed stories from sprint-state.json (single jq call)
+    local cost=""
+    local cost_fmt=""
+    local failed_stories=""
+    if [[ -f "sprint-state.json" ]]; then
+        local state_data
+        state_data=$(jq -r '(.run.cost // 0 | tostring) + "\n" + ((.run.failed // []) | join("\n"))' "sprint-state.json" 2>/dev/null) || state_data=""
+        if [[ -n "$state_data" ]]; then
+            cost=$(head -1 <<< "$state_data")
+            failed_stories=$(tail -n +2 <<< "$state_data")
+            if [[ -n "$cost" && "$cost" != "0" && "$cost" != "null" ]]; then
+                cost_fmt=", cost: \$${cost}"
+            fi
+        fi
+    fi
+
+    log_status "INFO" "Progress: ${completed}/${total} done, ${remaining} remaining (iterations: ${loop_count}, elapsed: ${elapsed_fmt}${cost_fmt})"
+
+    # Show completed stories with ✓
+    if [[ -f "$SPRINT_STATUS_FILE" ]]; then
+        while IFS=: read -r key value; do
+            key=$(echo "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+            value=$(echo "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+            [[ -z "$key" || "$key" == \#* ]] && continue
+            if [[ "$key" =~ ^[0-9]+-[0-9]+- && "$value" == "done" ]]; then
+                log_status "SUCCESS" "  ✓ ${key}"
+            fi
+        done < "$SPRINT_STATUS_FILE"
+    fi
+
+    # Show failed stories with ✗ from sprint-state.json
+    if [[ -n "$failed_stories" ]]; then
+        while IFS= read -r fkey; do
+            [[ -z "$fkey" ]] && continue
+            log_status "ERROR" "  ✗ ${fkey}"
+        done <<< "$failed_stories"
+    fi
+
+    # Show flagged/blocked stories with ✕
+    if [[ -f "$FLAGGED_STORIES_FILE" ]]; then
+        while IFS= read -r bkey; do
+            [[ -z "$bkey" ]] && continue
+            log_status "WARN" "  ✕ ${bkey} (blocked)"
+        done < "$FLAGGED_STORIES_FILE"
+    fi
 
     # Show the next story in line (first non-done, non-flagged)
     if [[ -f "$SPRINT_STATUS_FILE" ]]; then
@@ -541,7 +645,7 @@ load_platform_driver() {
         CLAUDE_ALLOWED_TOOLS=$(IFS=','; echo "${VALID_TOOL_PATTERNS[*]}")
     fi
 
-    log_status "INFO" "Platform driver: $(driver_display_name) ($(driver_cli_binary))"
+    log_status "DEBUG" "Platform driver: $(driver_display_name) ($(driver_cli_binary))"
 }
 
 # ─── Execution ───────────────────────────────────────────────────────────────
@@ -588,8 +692,12 @@ execute_iteration() {
     local deadline=$(( $(date +%s) + timeout_seconds ))
     echo "$deadline" > "ralph/.iteration_deadline"
 
-    # DEBUG: log the command being run
-    log_status "DEBUG" "Command: ${CLAUDE_CMD_ARGS[*]}"
+    # DEBUG: log command (truncate prompt content to avoid dumping entire prompt to terminal)
+    local cmd_summary="${CLAUDE_CMD_ARGS[*]}"
+    if [[ ${#cmd_summary} -gt 200 ]]; then
+        cmd_summary="${cmd_summary:0:200}... (truncated)"
+    fi
+    log_status "DEBUG" "Command: $cmd_summary"
     log_status "DEBUG" "Output file: $output_file"
     log_status "DEBUG" "LIVE_OUTPUT=$LIVE_OUTPUT, timeout=${timeout_seconds}s"
 
@@ -620,11 +728,13 @@ execute_iteration() {
 
         log_status "DEBUG" "Background PID: $claude_pid"
 
+        reset_poll_state
         while kill -0 $claude_pid 2>/dev/null; do
             progress_counter=$((progress_counter + 1))
             if [[ -f "$output_file" && -s "$output_file" ]]; then
                 cp "$output_file" "$LIVE_LOG_FILE" 2>/dev/null
             fi
+            poll_sprint_state_progress
             sleep 10
         done
 
@@ -788,6 +898,41 @@ The loop:
 HELPEOF
 }
 
+# ─── Sprint Summary ──────────────────────────────────────────────────────────
+
+# Print a compact sprint summary at startup
+print_sprint_summary() {
+    local counts
+    counts=$(get_task_counts)
+    local total=${counts%% *}
+    local completed=${counts##* }
+    local remaining=$((total - completed))
+
+    # Find next story
+    local next_story=""
+    local next_status=""
+    if [[ -f "$SPRINT_STATUS_FILE" ]]; then
+        while IFS=: read -r key value; do
+            key=$(echo "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+            value=$(echo "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+            [[ -z "$key" || "$key" == \#* ]] && continue
+            if [[ "$key" =~ ^[0-9]+-[0-9]+- && "$value" != "done" ]]; then
+                if ! is_story_flagged "$key"; then
+                    next_story="$key"
+                    next_status="$value"
+                    break
+                fi
+            fi
+        done < "$SPRINT_STATUS_FILE"
+    fi
+
+    if [[ -n "$next_story" ]]; then
+        log_status "INFO" "Sprint: ${completed}/${total} done, ${remaining} remaining — next: ${next_story} (${next_status})"
+    else
+        log_status "INFO" "Sprint: ${completed}/${total} done, ${remaining} remaining"
+    fi
+}
+
 # ─── Main ────────────────────────────────────────────────────────────────────
 
 main() {
@@ -876,15 +1021,17 @@ main() {
     # .story_retries and .flagged_stories are file-based — they persist automatically
 
     log_status "SUCCESS" "Ralph loop starting"
-    log_status "INFO" "Plugin: $PLUGIN_DIR"
-    log_status "INFO" "Max iterations: $MAX_ITERATIONS | Timeout: $((LOOP_TIMEOUT_SECONDS / 3600))h"
-    log_status "INFO" "Prompt: $PROMPT_FILE"
-    log_status "INFO" "Sprint status: $SPRINT_STATUS_FILE"
-    log_status "INFO" "Max story retries: $MAX_STORY_RETRIES"
+    log_status "DEBUG" "Plugin: $PLUGIN_DIR"
+    log_status "DEBUG" "Max iterations: $MAX_ITERATIONS | Timeout: $((LOOP_TIMEOUT_SECONDS / 3600))h"
+    log_status "DEBUG" "Prompt: $PROMPT_FILE"
+    log_status "DEBUG" "Sprint status: $SPRINT_STATUS_FILE"
+    log_status "DEBUG" "Max story retries: $MAX_STORY_RETRIES"
 
     # Record loop start time for timeout
     loop_start_time=$(date +%s)
 
+    print_sprint_summary
+
     local consecutive_failures=0
     local max_consecutive_failures=3