peaks-cli 1.0.2 → 1.0.4

package/dist/src/cli/commands/config-commands.js

@@ -144,7 +144,8 @@ function registerWorkspaceCommands(config, io) {
         const artifactRepo = parseArtifactRepoInput(io, options, options.json);
         if (artifactRepo === null)
             return;
-        const workspace = { workspaceId: options.id, name: options.name, rootPath: options.path, installedCapabilityIds: [] };
+        const artifactStorage = artifactRepo ? { mode: 'local-with-remote-sync', remote: artifactRepo } : { mode: 'local' };
+        const workspace = { workspaceId: options.id, name: options.name, rootPath: options.path, installedCapabilityIds: [], artifactStorage };
         const configLayer = layer ?? 'user';
         if (artifactRepo) {
             addWorkspace({ ...workspace, artifactRepo }, configLayer);
@@ -152,7 +153,7 @@ function registerWorkspaceCommands(config, io) {
         else {
             addWorkspace(workspace, configLayer);
         }
-        printResult(io, ok('config.workspace.add', { workspaceId: options.id, name: options.name, rootPath: options.path, artifactRepo }), options.json);
+        printResult(io, ok('config.workspace.add', { workspaceId: options.id, name: options.name, rootPath: options.path, artifactRepo, artifactStorage }), options.json);
     });
     addJsonOption(configWorkspace.command('remove').description('Remove a workspace').requiredOption('--id <id>', 'workspace identifier').option('--layer <layer>', 'user or project')).action((options) => {
         const layer = parseConfigLayer(options.layer);

package/dist/src/cli/commands/sc-commands.js

@@ -31,7 +31,7 @@ function registerSCArtifactCommands(sc, io) {
     addJsonOption(sc.command('validate').description('Validate artifact retention for a slice').requiredOption('--slice-id <id>', 'slice identifier')).action((options) => {
         printResult(io, ok('sc.validate', validateArtifactRetention(options.sliceId)), options.json);
     });
-    addJsonOption(sc.command('boundary').description('Record commit boundary for a slice').requiredOption('--slice-id <id>', 'slice identifier').option('--artifact <path>', 'artifact path', multipleOption).option('--code <file>', 'code file path', multipleOption)).action((options) => {
+    addJsonOption(sc.command('boundary').description('Record retention boundary for a slice').requiredOption('--slice-id <id>', 'slice identifier').option('--artifact <path>', 'artifact path', multipleOption).option('--code <file>', 'code file path', multipleOption)).action((options) => {
         printResult(io, ok('sc.boundary', recordCommitBoundary({ sliceId: options.sliceId, ...(options.artifact ? { artifacts: options.artifact } : {}), ...(options.code ? { codeFiles: options.code } : {}) })), options.json);
     });
 }

package/dist/src/cli/commands/workflow-commands.js

@@ -5,6 +5,7 @@ import { createAutonomousWorkflowPlan } from '../../services/workflow/workflow-a
 import { createRecommendationPlan } from '../../services/recommendations/recommendation-service.js';
 import { createRefactorDryRun } from '../../services/refactor/refactor-service.js';
 import { getCurrentWorkspaceConfig, readConfig } from '../../services/config/config-service.js';
+import { validateChangeIdOrThrow } from '../../shared/change-id.js';
 import { getEconomyAwareExecutionModelId } from '../../services/config/model-routing.js';
 import { getLocalArtifactPath } from '../../services/artifacts/workspace-service.js';
 import { fail, ok } from '../../shared/result.js';
@@ -24,6 +25,12 @@ function parseMaxWorkers(io, command, value, asJson) {
     }
     return maxWorkers;
 }
+function validatePlanningInput(changeId, goal) {
+    validateChangeIdOrThrow(changeId);
+    if (!goal.trim()) {
+        throw new Error('Goal must be non-empty');
+    }
+}
 function parseSoloMode(io, command, mode, soloMode, asJson) {
     if (mode !== 'solo' && soloMode) {
         printResult(io, fail(command, 'SOLO_MODE_REQUIRES_SOLO_WORKFLOW', '--solo-mode can only be used with --mode solo', {}, ['Remove --solo-mode or use --mode solo']), asJson);
@@ -46,6 +53,7 @@ function runTechPlan(io, options) {
         return;
     }
     try {
+        validatePlanningInput(options.changeId, options.goal);
         const workspaceContext = getWorkspaceContext();
         const plan = createTechPlan({
             changeId: options.changeId,
@@ -88,6 +96,7 @@ function runWorkflowRoute(io, options) {
     if (soloMode === null)
         return;
     try {
+        validatePlanningInput(options.changeId, options.goal);
         const workspaceContext = getWorkspaceContext();
         const plan = createWorkflowRouterPlan({
             changeId: options.changeId,
@@ -123,6 +132,7 @@ function runAutonomousWorkflow(io, options) {
     if (soloMode === null)
         return;
     try {
+        validatePlanningInput(options.changeId, options.goal);
         const workspaceContext = getWorkspaceContext();
         const plan = createAutonomousWorkflowPlan({
             changeId: options.changeId,
@@ -155,6 +165,7 @@ function runSwarmPlan(io, options) {
     if (maxWorkers === null)
         return;
     try {
+        validatePlanningInput(options.changeId, options.goal);
         const workspaceContext = getWorkspaceContext();
         const config = readConfig();
         const plan = createRdSwarmPlan({
@@ -246,12 +257,12 @@ export function registerWorkflowCommands(program, io) {
         .command('recommend')
         .description('Create a dry-run recommendation plan for a workflow')
         .requiredOption('--workflow <workflow>', 'workflow: code-refactor, product-refactor, or frontend-design')
-        .option('--language <language>', 'human presentation language', 'en')).action((options) => {
+        .option('--language <language>', 'human presentation language')).action((options) => {
         if (!isRecommendationWorkflow(options.workflow)) {
             printResult(io, fail('recommend', 'UNSUPPORTED_RECOMMENDATION_WORKFLOW', `Unsupported recommendation workflow ${options.workflow}`, {}, ['Use --workflow code-refactor, product-refactor, or frontend-design']), options.json);
             process.exitCode = 1;
             return;
         }
-        printResult(io, ok('recommend', createRecommendationPlan({ workflow: options.workflow, language: options.language })), options.json);
+        printResult(io, ok('recommend', createRecommendationPlan({ workflow: options.workflow, language: options.language ?? readConfig().language })), options.json);
     });
 }

package/dist/src/services/artifacts/artifact-service.js

@@ -3,7 +3,7 @@ import { execFileSync } from 'node:child_process';
 import { homedir } from 'node:os';
 import { resolve } from 'node:path';
 import { getCurrentWorkspaceConfig } from '../config/config-service.js';
-import { getLocalArtifactPath } from './workspace-service.js';
+import { getArtifactRemoteRepo, getLocalArtifactPath } from './workspace-service.js';
 function getRemoteUrl(artifactRepo) {
     if (!artifactRepo)
         return null;
@@ -46,7 +46,7 @@ export function createArtifactInitPlan(options) {
 }
 export function createGuidedArtifactSetup() {
     const workspace = getCurrentWorkspaceConfig();
-    const artifactRepo = workspace?.artifactRepo ?? null;
+    const artifactRepo = workspace ? getArtifactRemoteRepo(workspace) : null;
     const validationResult = {
         workspaceExists: workspace !== null,
         gitAvailable: hasGit(),
@@ -65,7 +65,7 @@ export function createGuidedArtifactSetup() {
         localPath,
         remoteUrl,
         validationResult,
-        nextStep: workspace ? (artifactRepo ? 'validate' : 'configure') : 'configure',
+        nextStep: workspace ? (artifactRepo ? 'validate' : 'complete') : 'configure',
         guidance: [
             'Step 1: Detect current workspace and environment',
             `  - Workspace: ${workspace?.workspaceId ?? 'not configured'}`,
@@ -74,6 +74,7 @@ export function createGuidedArtifactSetup() {
             `  - SSH key for code push: ${validationResult.sshKeyAvailable ? 'available' : 'not found'}`,
             '',
             'Step 2: Configure artifact repository',
+            '  - Optional for local-only storage',
             '  - Run: peaks artifacts init --provider github --name <repo> --dry-run',
             '  - Or add to workspace: peaks config workspace add --id <id> --provider github --repo-owner <owner> --repo-name <name>',
             '',
@@ -82,7 +83,7 @@ export function createGuidedArtifactSetup() {
             '  - Run: peaks artifacts workspace',
             '',
             'Step 4: Complete',
-            '  - Artifact sync is ready when workspace has artifactRepo configured'
+            artifactRepo ? '  - Artifact sync is ready when workspace has remote artifact storage configured' : '  - Local artifact storage is ready'
         ]
     };
 }

package/dist/src/services/artifacts/workspace-service.d.ts

@@ -22,6 +22,7 @@ export type SyncResult = {
 export declare function getLocalArtifactPath(workspace: WorkspaceConfig): string;
 export declare function isArtifactWorkspaceOutsideTarget(workspace: WorkspaceConfig, artifactWorkspacePath?: string): boolean;
 export declare function hasValidArtifactWorkspace(workspace: WorkspaceConfig, artifactWorkspacePath?: string): boolean;
+export declare function getArtifactRemoteRepo(workspace: WorkspaceConfig): WorkspaceConfig['artifactRepo'] | null;
 export declare function executeArtifactSync(workspaceId?: string): Promise<SyncResult>;
 export declare function getArtifactWorkspaceStatus(workspaceId?: string): ArtifactWorkspaceStatus;
 export declare function planArtifactSync(workspaceId?: string, dryRun?: boolean): {

package/dist/src/services/artifacts/workspace-service.js

@@ -1,6 +1,7 @@
 import { existsSync } from 'node:fs';
 import { Buffer } from 'node:buffer';
-import { basename, dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { resolve } from 'node:path';
 import { isInsidePath, stablePath } from '../../shared/path-utils.js';
 import { readConfig, getCurrentWorkspaceConfig } from '../config/config-service.js';
 import { pathExists } from '../../shared/fs.js';
@@ -12,8 +13,10 @@ function canonicalChildPath(parentPath, ...segments) {
     return stablePath(resolve(parentPath, ...segments));
 }
 export function getLocalArtifactPath(workspace) {
-    const rootPath = resolve(workspace.rootPath);
-    return resolve(dirname(rootPath), `${basename(rootPath)}.peaks-artifacts`);
+    if (workspace.artifactStorage?.localPath) {
+        return resolve(workspace.artifactStorage.localPath);
+    }
+    return resolve(homedir(), '.peaks', 'workspaces', workspace.workspaceId, 'artifacts');
 }
 export function isArtifactWorkspaceOutsideTarget(workspace, artifactWorkspacePath = getLocalArtifactPath(workspace)) {
     const targetRoot = canonicalPath(workspace.rootPath);
@@ -44,6 +47,15 @@ export function hasValidArtifactWorkspace(workspace, artifactWorkspacePath = get
         return false;
     return true;
 }
+export function getArtifactRemoteRepo(workspace) {
+    if (workspace.artifactStorage?.mode === 'local-with-remote-sync') {
+        return workspace.artifactStorage.remote;
+    }
+    if (workspace.artifactStorage?.mode === 'local') {
+        return null;
+    }
+    return workspace.artifactRepo ?? null;
+}
 function getPublicRemoteUrl(artifactRepo) {
     if (!artifactRepo)
         return null;
@@ -78,7 +90,7 @@ export async function executeArtifactSync(workspaceId) {
     const workspace = workspaceId
         ? readConfig().workspaces.find((w) => w.workspaceId === workspaceId) ?? null
         : getCurrentWorkspaceConfig();
-    if (!workspace || !workspace.artifactRepo) {
+    if (!workspace) {
         return {
             workspaceId: workspaceId ?? 'unknown',
             success: false,
@@ -86,7 +98,7 @@ export async function executeArtifactSync(workspaceId) {
             remoteUrl: null,
             commands: [],
             output: [],
-            error: 'No artifact repository configured for this workspace'
+            error: 'Workspace not found'
         };
     }
     const localPath = getLocalArtifactPath(workspace);
@@ -101,8 +113,19 @@ export async function executeArtifactSync(workspaceId) {
             error: 'Artifact workspace must be outside the target repository'
         };
     }
-    const remoteUrl = getPublicRemoteUrl(workspace.artifactRepo);
-    const gitAuthEnv = getGitAuthEnv(workspace.artifactRepo);
+    const artifactRepo = getArtifactRemoteRepo(workspace);
+    if (!artifactRepo) {
+        return {
+            workspaceId: workspace.workspaceId,
+            success: true,
+            localPath,
+            remoteUrl: null,
+            commands: [],
+            output: ['Local artifact storage is configured']
+        };
+    }
+    const remoteUrl = getPublicRemoteUrl(artifactRepo);
+    const gitAuthEnv = getGitAuthEnv(artifactRepo);
     if (!remoteUrl) {
         return {
             workspaceId: workspace.workspaceId,
@@ -183,9 +206,9 @@ export function getArtifactWorkspaceStatus(workspaceId) {
     }
     const localPath = getLocalArtifactPath(workspace);
     const hasLocalDir = existsSync(localPath);
-    const hasArtifactRepo = !!workspace.artifactRepo;
+    const artifactRepo = getArtifactRemoteRepo(workspace);
     const hasSafeBoundary = isArtifactWorkspaceOutsideTarget(workspace, localPath);
-    const syncStatus = !hasArtifactRepo || !hasSafeBoundary
+    const syncStatus = !hasSafeBoundary
         ? 'unknown'
         : !hasLocalDir
             ? 'pending'
@@ -193,23 +216,23 @@ export function getArtifactWorkspaceStatus(workspaceId) {
     return {
         workspaceId: workspace.workspaceId,
         localPath,
-        configured: hasArtifactRepo && hasSafeBoundary,
+        configured: hasSafeBoundary,
         syncStatus,
         lastSync: null,
         hasLocalChanges: false,
-        artifactRepo: workspace.artifactRepo ?? null,
+        artifactRepo,
         nextActions: !hasSafeBoundary
             ? ['Configure artifact workspace outside the target repository.']
-            : hasArtifactRepo
+            : artifactRepo
                 ? [`Run peaks artifacts sync --workspace ${workspace.workspaceId} --dry-run`]
-                : [`Configure artifact repo: peaks config workspace add --id ${workspace.workspaceId} --provider github --repo-owner <owner> --repo-name <name>`]
+                : [`Local artifact storage ready at ${localPath}`]
     };
 }
 export function planArtifactSync(workspaceId, dryRun = true) {
     const workspace = workspaceId
         ? readConfig().workspaces.find((w) => w.workspaceId === workspaceId) ?? null
         : getCurrentWorkspaceConfig();
-    if (!workspace || !workspace.artifactRepo) {
+    if (!workspace) {
         return {
             workspaceId: workspaceId ?? 'unknown',
             dryRun,
@@ -228,21 +251,26 @@ export function planArtifactSync(workspaceId, dryRun = true) {
             plannedCommands: ['Artifact workspace must be outside the target repository']
         };
     }
-    const remoteUrl = workspace.artifactRepo.provider === 'github'
-        ? `https://github.com/${workspace.artifactRepo.owner}/${workspace.artifactRepo.name}.git`
-        : `https://gitlab.com/${workspace.artifactRepo.owner}/${workspace.artifactRepo.name}.git`;
-    const plannedCommands = dryRun
-        ? [
-            `# Sync plan for workspace ${workspace.workspaceId}`,
-            `# Local: ${localPath}`,
-            `# Remote: ${remoteUrl}`,
-            '# peaks artifacts sync --workspace ' + workspace.workspaceId,
-            '# (dry-run only — no changes made)'
-        ]
+    const artifactRepo = getArtifactRemoteRepo(workspace);
+    const remoteUrl = getPublicRemoteUrl(artifactRepo);
+    const plannedCommands = artifactRepo
+        ? dryRun
+            ? [
+                `# Sync plan for workspace ${workspace.workspaceId}`,
+                `# Local: ${localPath}`,
+                `# Remote: ${remoteUrl}`,
+                '# peaks artifacts sync --workspace ' + workspace.workspaceId,
+                '# (dry-run only — no changes made)'
+            ]
+            : [
+                `# Sync execution for workspace ${workspace.workspaceId}`,
+                `# Confirm: will sync ${localPath} with ${remoteUrl}`,
+                '# Exit 1 if not confirmed'
+            ]
         : [
-            `# Sync execution for workspace ${workspace.workspaceId}`,
-            `# Confirm: will sync ${localPath} with ${remoteUrl}`,
-            '# Exit 1 if not confirmed'
+            `# Local artifact storage for workspace ${workspace.workspaceId}`,
+            `# Local: ${localPath}`,
+            '# No remote repository is configured or required'
         ];
     return {
         workspaceId: workspace.workspaceId,

package/dist/src/services/config/config-service.d.ts

@@ -1,4 +1,5 @@
 import type { ConfigGetOptions, ConfigLayer, ConfigSetOptions, MiniMaxProviderConfig, PeaksConfig, TokenRef, WorkspaceConfig } from './config-types.js';
+export declare function resolveProjectRootForConfig(startPath: string): string;
 export declare function isConfigLayer(value: string): value is ConfigLayer;
 export declare function isSensitiveConfigPath(path: string): boolean;
 export declare function containsSensitiveConfigValue(value: unknown): boolean;
@@ -17,6 +18,7 @@ export type MiniMaxProviderStatus = {
 export declare function getMiniMaxProviderConfig(): MiniMaxProviderConfig;
 export declare function getMiniMaxProviderStatus(): MiniMaxProviderStatus;
 export declare function setMiniMaxProviderConfig(input: MiniMaxProviderConfig): MiniMaxProviderStatus;
+export declare function bootstrapProjectLanguageConfig(projectRoot: string, language: string): void;
 export declare function readConfig(projectRoot?: string | null): PeaksConfig;
 export declare function writeConfig(partial: Partial<PeaksConfig>, layer?: ConfigLayer): void;
 export declare function getConfig(options?: ConfigGetOptions): unknown;

package/dist/src/services/config/config-service.js

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from 'node:fs';
+import { existsSync, lstatSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from 'node:fs';
 import { dirname, isAbsolute, relative, resolve } from 'node:path';
 import { homedir } from 'node:os';
 import { DEFAULT_CONFIG } from './config-types.js';
@@ -38,6 +38,23 @@ function findProjectRoot(startPath) {
     }
     return null;
 }
+export function resolveProjectRootForConfig(startPath) {
+    const start = resolve(startPath);
+    const homePath = resolve(homedir());
+    let current = start;
+    let parent = dirname(current);
+    while (current !== parent && current !== homePath) {
+        if (existsSync(resolve(current, '.peaks', 'config.json')) && isSafeProjectConfigMarker(current)) {
+            return current;
+        }
+        if (existsSync(resolve(current, 'package.json')) || existsSync(resolve(current, '.git'))) {
+            return current;
+        }
+        parent = current;
+        current = dirname(parent);
+    }
+    return start;
+}
 function getProjectConfigPath(projectRoot) {
     if (!projectRoot)
         return null;
@@ -45,6 +62,46 @@ function getProjectConfigPath(projectRoot) {
         return null;
     return resolve(projectRoot, '.peaks', 'config.json');
 }
+function getProjectBootstrapConfigPath(projectRoot) {
+    const projectRootPath = resolve(projectRoot);
+    const peaksPath = resolve(projectRootPath, '.peaks');
+    const configPath = resolve(peaksPath, 'config.json');
+    if (!isInsidePath(configPath, projectRootPath)) {
+        throw new Error('Project config path must stay inside the project root');
+    }
+    if (!existsSync(peaksPath)) {
+        mkdirSync(peaksPath, { recursive: true });
+    }
+    validateProjectBootstrapConfigPath(projectRootPath, peaksPath, configPath);
+    return configPath;
+}
+function validateProjectBootstrapConfigPath(projectRootPath, peaksPath, configPath) {
+    const projectRootReal = realpathSync(projectRootPath);
+    const peaksStats = lstatSync(peaksPath);
+    const peaksReal = realpathSync(peaksPath);
+    if (!peaksStats.isDirectory() || peaksStats.isSymbolicLink() || peaksReal !== resolve(projectRootReal, '.peaks')) {
+        throw new Error('Project config path must stay inside the project root');
+    }
+    try {
+        const markerStats = lstatSync(configPath);
+        if (!markerStats.isFile() || markerStats.isSymbolicLink()) {
+            throw new Error('Project config path must stay inside the project root');
+        }
+        const markerReal = realpathSync(configPath);
+        if (!isInsidePath(markerReal, projectRootReal) || !isInsidePath(markerReal, peaksReal)) {
+            throw new Error('Project config path must stay inside the project root');
+        }
+    }
+    catch (error) {
+        if (error.code !== 'ENOENT') {
+            throw error;
+        }
+    }
+}
+function validateProjectBootstrapConfigPathForWrite(projectRoot, configPath) {
+    const projectRootPath = resolve(projectRoot);
+    validateProjectBootstrapConfigPath(projectRootPath, resolve(projectRootPath, '.peaks'), configPath);
+}
 function readJsonFile(path) {
     if (!path || !existsSync(path))
         return null;
@@ -55,6 +112,16 @@ function readJsonFile(path) {
         return null;
     }
 }
+function readExistingJsonFile(path, errorMessage) {
+    if (!existsSync(path))
+        return null;
+    try {
+        return JSON.parse(readFileSync(path, 'utf-8'));
+    }
+    catch {
+        throw new Error(errorMessage);
+    }
+}
 function ensureDir(dirPath) {
     if (!existsSync(dirPath)) {
         mkdirSync(dirPath, { recursive: true });
@@ -97,9 +164,9 @@ function setNestedValue(obj, path, value) {
     const last = parts[parts.length - 1];
     current[last] = value;
 }
-function removeProjectProviderSecrets(config) {
-    const { providers, ...safeConfig } = config;
-    return safeConfig;
+function removeProjectSensitiveConfig(config) {
+    const { providers, proxy, tokens, ...safeConfig } = config;
+    return Object.fromEntries(Object.entries(safeConfig).filter(([key, value]) => !isSecretKey(key) && !containsSensitiveConfigValue(value)));
 }
 export function isConfigLayer(value) {
     return value === 'user' || value === 'project';
@@ -214,18 +281,48 @@ function validateProxyConfig(partial) {
 function isRecord(value) {
     return value !== null && typeof value === 'object' && !Array.isArray(value);
 }
+function isSafeConfigSegment(value) {
+    return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(value) && !value.includes('..') && !value.endsWith('.');
+}
+function toArtifactRemoteRepoConfig(value) {
+    if (!isRecord(value) || (value.provider !== 'github' && value.provider !== 'gitlab') || typeof value.owner !== 'string' || typeof value.name !== 'string') {
+        return null;
+    }
+    if (!isSafeConfigSegment(value.owner) || !isSafeConfigSegment(value.name)) {
+        return null;
+    }
+    return { provider: value.provider, owner: value.owner, name: value.name };
+}
+function toArtifactStorageConfig(value) {
+    if (!isRecord(value))
+        return null;
+    const localPath = typeof value.localPath === 'string' ? { localPath: value.localPath } : {};
+    if (value.mode === 'local') {
+        return { mode: 'local', ...localPath };
+    }
+    const remote = toArtifactRemoteRepoConfig(value.remote);
+    if (value.mode === 'local-with-remote-sync' && remote) {
+        return { mode: 'local-with-remote-sync', ...localPath, remote };
+    }
+    return null;
+}
 function toWorkspaceConfig(value) {
     if (!isRecord(value))
         return null;
     const { workspaceId, name, rootPath, installedCapabilityIds } = value;
-    if (typeof workspaceId !== 'string' || typeof name !== 'string' || typeof rootPath !== 'string' || !Array.isArray(installedCapabilityIds) || !installedCapabilityIds.every((id) => typeof id === 'string')) {
+    if (typeof workspaceId !== 'string' || !isSafeConfigSegment(workspaceId) || typeof name !== 'string' || typeof rootPath !== 'string' || !Array.isArray(installedCapabilityIds) || !installedCapabilityIds.every((id) => typeof id === 'string')) {
         return null;
     }
-    let artifactRepo;
-    if (isRecord(value.artifactRepo) && (value.artifactRepo.provider === 'github' || value.artifactRepo.provider === 'gitlab') && typeof value.artifactRepo.owner === 'string' && typeof value.artifactRepo.name === 'string') {
-        artifactRepo = { provider: value.artifactRepo.provider, owner: value.artifactRepo.owner, name: value.artifactRepo.name };
-    }
-    return artifactRepo ? { workspaceId, name, rootPath, installedCapabilityIds, artifactRepo } : { workspaceId, name, rootPath, installedCapabilityIds };
+    const artifactRepo = toArtifactRemoteRepoConfig(value.artifactRepo);
+    const artifactStorage = toArtifactStorageConfig(value.artifactStorage);
+    return {
+        workspaceId,
+        name,
+        rootPath,
+        installedCapabilityIds,
+        ...(artifactRepo ? { artifactRepo } : {}),
+        ...(artifactStorage ? { artifactStorage } : {})
+    };
 }
 function toWorkspaceConfigs(value) {
     return Array.isArray(value) ? value.map(toWorkspaceConfig).filter((workspace) => workspace !== null) : [];
@@ -355,6 +452,19 @@ export function setMiniMaxProviderConfig(input) {
     writeConfig({ providers }, 'user');
     return createMiniMaxProviderStatus(providers.minimax ?? {});
 }
+function inferHumanLanguage(value) {
+    const normalized = value.trim();
+    if (!normalized) {
+        throw new Error('Language must be non-empty');
+    }
+    if (/^zh(?:-|$)/i.test(normalized) || /[㐀-鿿]/u.test(normalized)) {
+        return 'zh-CN';
+    }
+    if (/^en(?:-|$)/i.test(normalized)) {
+        return 'en';
+    }
+    return 'en';
+}
 function toPeaksConfig(value) {
     if (!isRecord(value))
         return {};
@@ -372,12 +482,22 @@ function toPeaksConfig(value) {
         ...(proxy ? { proxy } : {})
     };
 }
+export function bootstrapProjectLanguageConfig(projectRoot, language) {
+    const inferredLanguage = inferHumanLanguage(language);
+    const projectPath = getProjectBootstrapConfigPath(projectRoot);
+    const existing = readExistingJsonFile(projectPath, 'Project config must contain valid JSON') ?? {};
+    if (typeof existing.language === 'string' && existing.language.trim().length > 0) {
+        return;
+    }
+    validateProjectBootstrapConfigPathForWrite(projectRoot, projectPath);
+    writeFileSync(projectPath, JSON.stringify({ ...existing, language: inferredLanguage }, null, 2), 'utf-8');
+}
 export function readConfig(projectRoot) {
     const detectedRoot = projectRoot ?? findProjectRoot(process.cwd());
     const userPath = getUserConfigPath();
     const projectPath = getProjectConfigPath(detectedRoot);
     const userConfig = toPeaksConfig(readJsonFile(userPath));
-    const projectConfig = removeProjectProviderSecrets(toPeaksConfig(readJsonFile(projectPath)));
+    const projectConfig = removeProjectSensitiveConfig(toPeaksConfig(readJsonFile(projectPath)));
     const { proxy: projectProxy, ...projectConfigWithoutProxy } = projectConfig;
     return {
         ...DEFAULT_CONFIG,
@@ -413,7 +533,7 @@ export function writeConfig(partial, layer = 'user') {
 export function getConfig(options = {}) {
     const projectRoot = findProjectRoot(process.cwd());
     const userConfig = readJsonFile(getUserConfigPath()) ?? {};
-    const projectConfig = removeProjectProviderSecrets(readJsonFile(getProjectConfigPath(projectRoot)) ?? {});
+    const projectConfig = removeProjectSensitiveConfig(readJsonFile(getProjectConfigPath(projectRoot)) ?? {});
     const { proxy: projectProxy, ...projectConfigWithoutProxy } = projectConfig;
     const source = options.layer === 'user' ? userConfig : options.layer === 'project' ? projectConfig : { ...userConfig, ...projectConfigWithoutProxy };
     const config = isRecord(source) ? { ...source, ...(source.tokens !== undefined ? { tokens: toTokenConfig(source.tokens) } : {}) } : source;
@@ -465,6 +585,9 @@ function readLayerConfig(layer) {
         : { currentWorkspace: null, workspaces: [] };
 }
 export function addWorkspace(workspace, layer = 'user') {
+    if (!isSafeConfigSegment(workspace.workspaceId)) {
+        throw new Error('Workspace id must only contain letters, numbers, dots, underscores, or hyphens and must not contain path traversal');
+    }
     const config = readLayerConfig(layer);
     const workspaces = config.workspaces;
     const existing = workspaces.findIndex((w) => w.workspaceId === workspace.workspaceId);
@@ -474,6 +597,8 @@ export function addWorkspace(workspace, layer = 'user') {
     writeConfig({ workspaces: updatedWorkspaces }, layer);
 }
 export function removeWorkspace(workspaceId, layer = 'user') {
+    if (!isSafeConfigSegment(workspaceId))
+        return false;
     const config = readLayerConfig(layer);
     const workspaces = config.workspaces;
     const idx = workspaces.findIndex((w) => w.workspaceId === workspaceId);
@@ -485,6 +610,8 @@ export function removeWorkspace(workspaceId, layer = 'user') {
     return true;
 }
 export function setCurrentWorkspace(workspaceId, layer = 'user') {
+    if (!isSafeConfigSegment(workspaceId))
+        return false;
     const config = readLayerConfig(layer);
     const workspaces = config.workspaces;
     const exists = workspaces.some((w) => w.workspaceId === workspaceId);

package/dist/src/services/config/config-types.d.ts

@@ -27,15 +27,26 @@ export type ModelProviderConfig = {
 export type ProxyConfig = {
     httpProxy?: string;
 };
+export type ArtifactProvider = 'github' | 'gitlab';
+export type ArtifactRemoteRepoConfig = {
+    provider: ArtifactProvider;
+    owner: string;
+    name: string;
+};
+export type ArtifactStorageConfig = {
+    mode: 'local';
+    localPath?: string;
+} | {
+    mode: 'local-with-remote-sync';
+    localPath?: string;
+    remote: ArtifactRemoteRepoConfig;
+};
 export type WorkspaceConfig = {
     workspaceId: string;
     name: string;
     rootPath: string;
-    artifactRepo?: {
-        provider: 'github' | 'gitlab';
-        owner: string;
-        name: string;
-    };
+    artifactRepo?: ArtifactRemoteRepoConfig;
+    artifactStorage?: ArtifactStorageConfig;
     installedCapabilityIds: string[];
 };
 export type PeaksConfig = {