peaks-cli 1.0.14 → 1.0.16

package/dist/src/cli/commands/project-commands.js

@@ -22,6 +22,11 @@ export function registerProjectCommands(program, io) {
                 process.exitCode = 1;
                 return;
             }
+            if (dashboard.skillPresence.active && !dashboard.skillPresence.fresh) {
+                printResult(io, fail('project.dashboard', 'PROJECT_DASHBOARD_STALE_SKILL_PRESENCE', `Active Peaks skill presence ${dashboard.skillPresence.skill ?? '<unknown>'} is stale (set ${dashboard.skillPresence.setAt ?? '<unknown>'})`, dashboard, ['Run `peaks skill presence:clear` if the role has ended, or `peaks skill presence:set <skill>` to refresh it']), options.json);
+                process.exitCode = 1;
+                return;
+            }
             if (!dashboard.doctor.ok) {
                 printResult(io, fail('project.dashboard', 'PROJECT_DASHBOARD_DOCTOR_FAILED', `Doctor reports ${dashboard.doctor.failed} failed check(s) (${dashboard.doctor.passed} passed)`, dashboard, ['Run `peaks doctor --json` and resolve the failing checks before re-running the dashboard']), options.json);
                 process.exitCode = 1;

package/dist/src/cli/commands/request-commands.js

@@ -2,7 +2,7 @@ import { InvalidArgumentError } from 'commander';
 import { allowedStatesForRole, createRequestArtifact, listRequestArtifacts, showRequestArtifact, transitionRequestArtifact } from '../../services/artifacts/request-artifact-service.js';
 import { fail, ok } from '../../shared/result.js';
 import { addJsonOption, getErrorMessage, printResult } from '../cli-helpers.js';
-const VALID_ROLES = ['prd', 'ui', 'rd', 'qa'];
+const VALID_ROLES = ['prd', 'ui', 'rd', 'qa', 'sc'];
 function parseRole(value) {
     if (!VALID_ROLES.includes(value)) {
         throw new InvalidArgumentError(`must be one of ${VALID_ROLES.join(', ')}`);

package/dist/src/cli/commands/workflow-commands.js

@@ -2,6 +2,7 @@ import { createRdSwarmPlan } from '../../services/rd/rd-service.js';
 import { createTechPlan, getTechStatus } from '../../services/tech/tech-service.js';
 import { createWorkflowRouterPlan, isSoloMode, isWorkflowMode } from '../../services/workflow/workflow-router-service.js';
 import { createAutonomousWorkflowPlan } from '../../services/workflow/workflow-autonomous-service.js';
+import { writeAutonomousResumeArtifacts } from '../../services/workflow/autonomous-resume-writer.js';
 import { createRecommendationPlan } from '../../services/recommendations/recommendation-service.js';
 import { createRefactorDryRun } from '../../services/refactor/refactor-service.js';
 import { ensureWorkspaceConfigForCurrentPath, getCurrentWorkspaceConfig, readConfig } from '../../services/config/config-service.js';
@@ -196,6 +197,31 @@ function runSwarmPlan(io, options) {
         process.exitCode = 1;
     }
 }
+async function runAutonomousResumeInit(io, options) {
+    try {
+        if (!options.project || !options.project.trim()) {
+            throw new Error('Project path must be non-empty');
+        }
+        const result = await writeAutonomousResumeArtifacts({
+            changeId: options.changeId,
+            goal: options.goal,
+            artifactWorkspacePath: options.project,
+            apply: options.apply === true
+        });
+        const data = {
+            applied: result.applied,
+            files: result.files.map((file) => file.path)
+        };
+        const nextActions = result.applied
+            ? ['Run peaks workflow autonomous --change-id ' + options.changeId + ' --goal "<goal>" --json to verify resumePlan.status']
+            : ['Re-run with --apply to write the resume scaffold to disk'];
+        printResult(io, ok('autonomous-resume.init', data, [], nextActions), options.json);
+    }
+    catch (error) {
+        printResult(io, fail('autonomous-resume.init', 'AUTONOMOUS_RESUME_INIT_FAILED', getErrorMessage(error), {}, ['Use a safe change id, a non-empty goal, and a writable project path']), options.json);
+        process.exitCode = 1;
+    }
+}
 function addTechPlanOptions(command) {
     return addJsonOption(command
         .description('Generate a technical dry-run graph')
@@ -232,6 +258,14 @@ function addSwarmPlanOptions(command, includeSkill) {
     }
     return addJsonOption(configured);
 }
+function addAutonomousResumeInitOptions(command) {
+    return addJsonOption(command
+        .description('Write the autonomous resume artifact scaffold for a change-id')
+        .requiredOption('--change-id <id>', 'change identifier')
+        .requiredOption('--goal <goal>', 'planning goal')
+        .requiredOption('--project <path>', 'artifact workspace path to write under')
+        .option('--apply', 'write the artifacts to disk (default is dry-run preview)'));
+}
 export function registerWorkflowCommands(program, io) {
     const refactor = program.command('refactor').description('Plan a Peaks refactor run without modifying code');
     addJsonOption(refactor
@@ -261,6 +295,10 @@ export function registerWorkflowCommands(program, io) {
     addWorkflowRouteOptions(program.command('route'), 'Plan a workflow routing dry-run summary').action((options) => runWorkflowRoute(io, options));
     addWorkflowRouteOptions(workflow.command('autonomous'), 'Plan an autonomous workflow handoff summary').action((options) => runAutonomousWorkflow(io, options));
     addWorkflowRouteOptions(program.command('autonomous'), 'Plan an autonomous workflow handoff summary').action((options) => runAutonomousWorkflow(io, options));
+    const autonomousResume = workflow.command('autonomous-resume').description('Manage autonomous workflow resume artifacts');
+    addAutonomousResumeInitOptions(autonomousResume.command('init')).action((options) => runAutonomousResumeInit(io, options));
+    const autonomousResumeAlias = program.command('autonomous-resume').description('Manage autonomous workflow resume artifacts');
+    addAutonomousResumeInitOptions(autonomousResumeAlias.command('init')).action((options) => runAutonomousResumeInit(io, options));
     const swarm = program.command('swarm').description('Plan RD swarm dry-run graphs');
     addSwarmPlanOptions(swarm.command('plan'), true).action((options) => runSwarmPlan(io, options));
     addSwarmPlanOptions(program.command('swarm-plan'), false).action((options) => runSwarmPlan(io, options));

package/dist/src/services/artifacts/request-artifact-service.d.ts

@@ -1,4 +1,4 @@
-export type RequestArtifactRole = 'prd' | 'ui' | 'rd' | 'qa';
+export type RequestArtifactRole = 'prd' | 'ui' | 'rd' | 'qa' | 'sc';
 export type CreateRequestArtifactOptions = {
     role: RequestArtifactRole;
     requestId: string;
@@ -40,7 +40,7 @@ export type ShowRequestArtifactResult = RequestArtifactSummary & {
 };
 export declare function listRequestArtifacts(options: ListRequestArtifactsOptions): Promise<RequestArtifactSummary[]>;
 export declare function showRequestArtifact(options: ShowRequestArtifactOptions): Promise<ShowRequestArtifactResult | null>;
-export type RequestArtifactState = 'draft' | 'confirmed-by-user' | 'direction-locked' | 'spec-locked' | 'implemented' | 'qa-handoff' | 'running' | 'verdict-issued' | 'handed-off' | 'blocked';
+export type RequestArtifactState = 'draft' | 'confirmed-by-user' | 'direction-locked' | 'spec-locked' | 'implemented' | 'qa-handoff' | 'running' | 'verdict-issued' | 'impact-recorded' | 'boundary-recorded' | 'handed-off' | 'blocked';
 export declare function allowedStatesForRole(role: RequestArtifactRole): ReadonlyArray<RequestArtifactState>;
 export type TransitionRequestArtifactOptions = {
     role: RequestArtifactRole;

package/dist/src/services/artifacts/request-artifact-service.js

@@ -2,7 +2,7 @@ import { mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
 import { isDirectory, listDirectories, pathExists } from '../../shared/fs.js';
 const REQUEST_ID_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
-const VALID_ROLES = new Set(['prd', 'ui', 'rd', 'qa']);
+const VALID_ROLES = new Set(['prd', 'ui', 'rd', 'qa', 'sc']);
 function defaultClock() {
     return new Date().toISOString();
 }
@@ -215,6 +215,58 @@ function renderQaTemplate(requestId, sessionId, timestamp) {
 
 ## Status
 
+- created: ${timestamp}
+- last update: ${timestamp}
+- state: draft
+`;
+}
+function renderScTemplate(requestId, sessionId, timestamp) {
+    return `# SC Request ${requestId}
+
+- session: ${sessionId}
+- linked-prd: .peaks/${sessionId}/prd/requests/${requestId}.md
+- linked-rd:  .peaks/${sessionId}/rd/requests/${requestId}.md
+- linked-qa:  .peaks/${sessionId}/qa/requests/${requestId}.md
+- linked-ui:  .peaks/${sessionId}/ui/requests/${requestId}.md  (when UI involved)
+- type: feature | bug | refactor | clarification
+
+## Change impact
+
+- modules / files / routes / data models touched
+- blast radius: local | cross-cutting | release-critical
+- rollback strategy
+
+## Commit boundaries
+
+- one commit per OpenSpec heading (when openspec/ exists)
+- otherwise: list of slice ids → commit message + scope
+
+## Artifact retention
+
+- prd artifact: ...
+- rd artifact: ...
+- qa artifact: ...
+- ui artifact: ... (when UI involved)
+- coverage evidence: ...
+- code review evidence: ...
+
+## Sync / authorization
+
+- artifact workspace path: .peaks/${sessionId}/
+- memory sync authorized: yes | no
+- artifact sync authorized: yes | no
+- rationale if not authorized: keep local
+
+## Rollback points
+
+- commits / tags / branches that can revert each boundary
+
+## Handoff
+
+- to peaks-txt: .peaks/${sessionId}/txt/skill-usage-lessons.md (when reusable lesson exists)
+
+## Status
+
 - created: ${timestamp}
 - last update: ${timestamp}
 - state: draft
@@ -230,11 +282,13 @@ function renderTemplate(role, requestId, sessionId, timestamp) {
             return renderRdTemplate(requestId, sessionId, timestamp);
         case 'qa':
             return renderQaTemplate(requestId, sessionId, timestamp);
+        case 'sc':
+            return renderScTemplate(requestId, sessionId, timestamp);
     }
 }
 export async function createRequestArtifact(options) {
     if (!VALID_ROLES.has(options.role)) {
-        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, or qa)`);
+        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, qa, or sc)`);
     }
     if (!REQUEST_ID_PATTERN.test(options.requestId)) {
         throw new Error(`Invalid request id: ${options.requestId} (expected letters, digits, dots, underscores, or dashes)`);
@@ -313,7 +367,7 @@ export async function listRequestArtifacts(options) {
 }
 export async function showRequestArtifact(options) {
     if (!VALID_ROLES.has(options.role)) {
-        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, or qa)`);
+        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, qa, or sc)`);
     }
     if (!REQUEST_ID_PATTERN.test(options.requestId)) {
         throw new Error(`Invalid request id: ${options.requestId} (expected letters, digits, dots, underscores, or dashes)`);
@@ -347,7 +401,8 @@ const ALLOWED_STATES_PER_ROLE = {
     prd: ['draft', 'confirmed-by-user', 'handed-off', 'blocked'],
     ui: ['draft', 'direction-locked', 'handed-off', 'blocked'],
     rd: ['draft', 'spec-locked', 'implemented', 'qa-handoff', 'handed-off', 'blocked'],
-    qa: ['draft', 'running', 'verdict-issued', 'blocked']
+    qa: ['draft', 'running', 'verdict-issued', 'blocked'],
+    sc: ['draft', 'impact-recorded', 'boundary-recorded', 'handed-off', 'blocked']
 };
 export function allowedStatesForRole(role) {
     return ALLOWED_STATES_PER_ROLE[role];
@@ -391,7 +446,7 @@ function updateStatusBlock(markdown, newState, timestamp, reason) {
 }
 export async function transitionRequestArtifact(options) {
     if (!VALID_ROLES.has(options.role)) {
-        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, or qa)`);
+        throw new Error(`Invalid role: ${String(options.role)} (expected prd, ui, rd, qa, or sc)`);
     }
     if (!REQUEST_ID_PATTERN.test(options.requestId)) {
         throw new Error(`Invalid request id: ${options.requestId} (expected letters, digits, dots, underscores, or dashes)`);

package/dist/src/services/config/config-safety.d.ts

@@ -0,0 +1,14 @@
+export declare function getUserConfigPath(): string;
+export declare function isInsidePath(childPath: string, parentPath: string): boolean;
+export declare function findProjectRoot(startPath: string): string | null;
+export declare function resolveProjectRootForConfig(startPath: string): string;
+export declare function getProjectConfigPath(projectRoot: string | null): string | null;
+export declare function getProjectBootstrapConfigPath(projectRoot: string): string;
+export declare function validateProjectBootstrapConfigPathForWrite(projectRoot: string, configPath: string): void;
+export declare function validateUserConfigPathForWrite(configPath: string): void;
+export declare function validateArtifactWorkspaceRoot(artifactRoot: string, workspaceRoot: string): void;
+export declare function validateArtifactWorkspaceMarkerPath(artifactRoot: string, peaksPath: string, markerPath: string): void;
+export declare function readConfigFileSafely(configPath: string, errorMessage: string): string;
+export declare function writeConfigFileSafely(configPath: string, content: string, validateBeforeWrite: () => void, errorMessage: string): void;
+export declare function writeProjectConfigFile(projectRoot: string, configPath: string, content: string): void;
+export declare function writeUserConfigFile(configPath: string, content: string): void;

package/dist/src/services/config/config-safety.js

@@ -0,0 +1,275 @@
+import { closeSync, constants, existsSync, fchmodSync, fstatSync, lstatSync, mkdirSync, openSync, readFileSync, realpathSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import { randomUUID } from 'node:crypto';
+import { dirname, isAbsolute, relative, resolve } from 'node:path';
+import { homedir } from 'node:os';
+export function getUserConfigPath() {
+    return resolve(homedir(), '.peaks', 'config.json');
+}
+export function isInsidePath(childPath, parentPath) {
+    const relativePath = relative(parentPath, childPath);
+    return relativePath === '' || (!relativePath.startsWith('..') && !isAbsolute(relativePath));
+}
+function isSafeProjectConfigMarker(projectRoot) {
+    const peaksPath = resolve(projectRoot, '.peaks');
+    const markerPath = resolve(peaksPath, 'config.json');
+    try {
+        const projectRootReal = realpathSync(projectRoot);
+        const peaksStats = lstatSync(peaksPath);
+        const peaksReal = realpathSync(peaksPath);
+        const markerStats = lstatSync(markerPath);
+        if (!peaksStats.isDirectory() || peaksStats.isSymbolicLink())
+            return false;
+        if (!markerStats.isFile() || markerStats.isSymbolicLink() || markerStats.nlink !== 1)
+            return false;
+        const markerReal = realpathSync(markerPath);
+        if (!isInsidePath(peaksReal, projectRootReal))
+            return false;
+        if (!isInsidePath(markerReal, projectRootReal))
+            return false;
+        return isInsidePath(markerReal, peaksReal);
+    }
+    catch {
+        return false;
+    }
+}
+function normalizeBoundaryPath(path) {
+    const resolved = resolve(path);
+    let realPath = resolved;
+    try {
+        realPath = existsSync(resolved) ? realpathSync.native(resolved) : resolved;
+    }
+    catch {
+        realPath = resolved;
+    }
+    return process.platform === 'win32' || process.platform === 'darwin' ? realPath.toLowerCase() : realPath;
+}
+function getHomeBoundaryPaths() {
+    return new Set([homedir(), process.env.HOME, process.env.USERPROFILE].filter((path) => typeof path === 'string' && path.length > 0).map(normalizeBoundaryPath));
+}
+export function findProjectRoot(startPath) {
+    const homeBoundaryPaths = getHomeBoundaryPaths();
+    let current = resolve(startPath);
+    let parent = dirname(current);
+    while (current !== parent && !homeBoundaryPaths.has(normalizeBoundaryPath(current))) {
+        if (existsSync(resolve(current, '.peaks', 'config.json')) && isSafeProjectConfigMarker(current)) {
+            return current;
+        }
+        parent = current;
+        current = dirname(parent);
+    }
+    return null;
+}
+export function resolveProjectRootForConfig(startPath) {
+    const start = resolve(startPath);
+    const homeBoundaryPaths = getHomeBoundaryPaths();
+    let current = start;
+    let parent = dirname(current);
+    while (current !== parent && !homeBoundaryPaths.has(normalizeBoundaryPath(current))) {
+        if (existsSync(resolve(current, '.peaks', 'config.json')) && isSafeProjectConfigMarker(current)) {
+            return current;
+        }
+        if (existsSync(resolve(current, 'package.json')) || existsSync(resolve(current, '.git'))) {
+            return current;
+        }
+        parent = current;
+        current = dirname(parent);
+    }
+    return start;
+}
+export function getProjectConfigPath(projectRoot) {
+    if (!projectRoot)
+        return null;
+    if (!isSafeProjectConfigMarker(projectRoot))
+        return null;
+    return resolve(projectRoot, '.peaks', 'config.json');
+}
+export function getProjectBootstrapConfigPath(projectRoot) {
+    const projectRootPath = resolve(projectRoot);
+    const peaksPath = resolve(projectRootPath, '.peaks');
+    const configPath = resolve(peaksPath, 'config.json');
+    if (!isInsidePath(configPath, projectRootPath)) {
+        throw new Error('Project config path must stay inside the project root');
+    }
+    if (!existsSync(peaksPath)) {
+        mkdirSync(peaksPath, { recursive: true });
+    }
+    validateProjectBootstrapConfigPath(projectRootPath, peaksPath, configPath);
+    return configPath;
+}
+function validateProjectBootstrapConfigPath(projectRootPath, peaksPath, configPath) {
+    const projectRootReal = realpathSync(projectRootPath);
+    const peaksStats = lstatSync(peaksPath);
+    const peaksReal = realpathSync(peaksPath);
+    if (!peaksStats.isDirectory() || peaksStats.isSymbolicLink() || peaksReal !== resolve(projectRootReal, '.peaks')) {
+        throw new Error('Project config path must stay inside the project root');
+    }
+    try {
+        const markerStats = lstatSync(configPath);
+        if (!markerStats.isFile() || markerStats.isSymbolicLink()) {
+            throw new Error('Project config path must stay inside the project root');
+        }
+        if (markerStats.nlink !== 1) {
+            throw new Error('Config path must not be hardlinked');
+        }
+        const markerReal = realpathSync(configPath);
+        if (!isInsidePath(markerReal, projectRootReal) || !isInsidePath(markerReal, peaksReal)) {
+            throw new Error('Project config path must stay inside the project root');
+        }
+    }
+    catch (error) {
+        if (error.code !== 'ENOENT') {
+            throw error;
+        }
+    }
+}
+export function validateProjectBootstrapConfigPathForWrite(projectRoot, configPath) {
+    const projectRootPath = resolve(projectRoot);
+    validateProjectBootstrapConfigPath(projectRootPath, resolve(projectRootPath, '.peaks'), configPath);
+}
+export function validateUserConfigPathForWrite(configPath) {
+    const userRoot = resolve(homedir());
+    const peaksPath = resolve(userRoot, '.peaks');
+    const userRootReal = realpathSync(userRoot);
+    const peaksStats = lstatSync(peaksPath);
+    const peaksReal = realpathSync(peaksPath);
+    if (!peaksStats.isDirectory() || peaksStats.isSymbolicLink() || peaksReal !== resolve(userRootReal, '.peaks')) {
+        throw new Error('User config path must stay inside the user root');
+    }
+    try {
+        const markerStats = lstatSync(configPath);
+        if (!markerStats.isFile() || markerStats.isSymbolicLink()) {
+            throw new Error('User config path must stay inside the user root');
+        }
+        if (markerStats.nlink !== 1) {
+            throw new Error('Config path must not be hardlinked');
+        }
+        const markerReal = realpathSync(configPath);
+        if (!isInsidePath(markerReal, userRootReal) || !isInsidePath(markerReal, peaksReal)) {
+            throw new Error('User config path must stay inside the user root');
+        }
+    }
+    catch (error) {
+        if (error.code !== 'ENOENT') {
+            throw error;
+        }
+    }
+}
+export function validateArtifactWorkspaceRoot(artifactRoot, workspaceRoot) {
+    const artifactStats = lstatSync(artifactRoot);
+    if (!artifactStats.isDirectory() || artifactStats.isSymbolicLink()) {
+        throw new Error('Artifact workspace marker must stay inside the artifact workspace');
+    }
+    const artifactRootReal = realpathSync(artifactRoot);
+    const workspaceRootReal = realpathSync(workspaceRoot);
+    if (isInsidePath(artifactRootReal, workspaceRootReal)) {
+        throw new Error('Artifact workspace must stay outside the project root');
+    }
+}
+export function validateArtifactWorkspaceMarkerPath(artifactRoot, peaksPath, markerPath) {
+    const artifactStats = lstatSync(artifactRoot);
+    if (!artifactStats.isDirectory() || artifactStats.isSymbolicLink()) {
+        throw new Error('Artifact workspace marker must stay inside the artifact workspace');
+    }
+    const artifactRootReal = realpathSync(artifactRoot);
+    const peaksStats = lstatSync(peaksPath);
+    const peaksReal = realpathSync(peaksPath);
+    if (!peaksStats.isDirectory() || peaksStats.isSymbolicLink() || peaksReal !== resolve(artifactRootReal, '.peaks')) {
+        throw new Error('Artifact workspace marker must stay inside the artifact workspace');
+    }
+    try {
+        const markerStats = lstatSync(markerPath);
+        if (!markerStats.isFile() || markerStats.isSymbolicLink()) {
+            throw new Error('Artifact workspace marker must stay inside the artifact workspace');
+        }
+        if (markerStats.nlink !== 1) {
+            throw new Error('Config path must not be hardlinked');
+        }
+        const markerReal = realpathSync(markerPath);
+        if (!isInsidePath(markerReal, artifactRootReal) || !isInsidePath(markerReal, peaksReal)) {
+            throw new Error('Artifact workspace marker must stay inside the artifact workspace');
+        }
+    }
+    catch (error) {
+        if (error.code !== 'ENOENT') {
+            throw error;
+        }
+    }
+}
+function validateOpenConfigFile(fd, tempPath, errorMessage) {
+    const fdStats = fstatSync(fd);
+    const pathStats = lstatSync(tempPath);
+    if (!fdStats.isFile() || !pathStats.isFile() || fdStats.dev !== pathStats.dev || fdStats.ino !== pathStats.ino) {
+        throw new Error(errorMessage);
+    }
+    if (fdStats.nlink !== 1 || pathStats.nlink !== 1) {
+        throw new Error('Config path must not be hardlinked');
+    }
+}
+function getSafeTempOpenFlags() {
+    const baseFlags = constants.O_WRONLY | constants.O_CREAT | constants.O_EXCL;
+    return typeof constants.O_NOFOLLOW === 'number' ? baseFlags | constants.O_NOFOLLOW : baseFlags;
+}
+function getSafeReadOpenFlags() {
+    return typeof constants.O_NOFOLLOW === 'number' ? constants.O_RDONLY | constants.O_NOFOLLOW : constants.O_RDONLY;
+}
+export function readConfigFileSafely(configPath, errorMessage) {
+    const fd = openSync(configPath, getSafeReadOpenFlags());
+    try {
+        validateOpenConfigFile(fd, configPath, errorMessage);
+        return readFileSync(fd, 'utf-8');
+    }
+    finally {
+        closeSync(fd);
+    }
+}
+export function writeConfigFileSafely(configPath, content, validateBeforeWrite, errorMessage) {
+    validateBeforeWrite();
+    const tempPath = `${configPath}.${process.pid}.${randomUUID()}.tmp`;
+    let fd = openSync(tempPath, getSafeTempOpenFlags(), 0o600);
+    let renamed = false;
+    let closeError;
+    try {
+        validateOpenConfigFile(fd, tempPath, errorMessage);
+        fchmodSync(fd, 0o600);
+        writeFileSync(fd, content, 'utf-8');
+        const writeFd = fd;
+        fd = null;
+        closeSync(writeFd);
+        validateBeforeWrite();
+        const readFd = openSync(tempPath, getSafeReadOpenFlags());
+        try {
+            validateOpenConfigFile(readFd, tempPath, errorMessage);
+        }
+        finally {
+            closeSync(readFd);
+        }
+        renameSync(tempPath, configPath);
+        renamed = true;
+    }
+    finally {
+        if (fd !== null) {
+            try {
+                closeSync(fd);
+            }
+            catch (error) {
+                closeError = error;
+            }
+        }
+        try {
+            if (!renamed && existsSync(tempPath)) {
+                unlinkSync(tempPath);
+            }
+        }
+        finally {
+            if (closeError) {
+                throw closeError;
+            }
+        }
+    }
+}
+export function writeProjectConfigFile(projectRoot, configPath, content) {
+    writeConfigFileSafely(configPath, content, () => validateProjectBootstrapConfigPathForWrite(projectRoot, configPath), 'Project config path must stay inside the project root');
+}
+export function writeUserConfigFile(configPath, content) {
+    writeConfigFileSafely(configPath, content, () => validateUserConfigPathForWrite(configPath), 'User config path must stay inside the user root');
+}

package/dist/src/services/config/config-service.d.ts

@@ -1,5 +1,5 @@
 import type { ConfigGetOptions, ConfigLayer, ConfigSetOptions, MiniMaxProviderConfig, PeaksConfig, TokenRef, WorkspaceConfig } from './config-types.js';
-export declare function resolveProjectRootForConfig(startPath: string): string;
+export { resolveProjectRootForConfig } from './config-safety.js';
 export declare function isConfigLayer(value: string): value is ConfigLayer;
 export declare function isSensitiveConfigPath(path: string): boolean;
 export declare function containsSensitiveConfigValue(value: unknown): boolean;