peaks-cli 1.0.2 → 1.0.4

package/dist/src/services/rd/rd-service.js

@@ -98,7 +98,9 @@ function readArtifactFile(rootPath, artifactWorkspacePath, artifact) {
     try {
         const artifactWorkspaceRealPath = stableRealPath(artifactWorkspacePath);
         const rootRealPath = stableRealPath(rootPath);
-        if (!isInsidePath(rootRealPath, artifactWorkspaceRealPath)) {
+        const rdRootPath = resolve(rootPath, '..');
+        const sessionRootPath = resolve(rdRootPath, '..');
+        if (lstatSync(sessionRootPath).isSymbolicLink() || lstatSync(rdRootPath).isSymbolicLink() || lstatSync(rootPath).isSymbolicLink() || !isInsidePath(rootRealPath, artifactWorkspaceRealPath)) {
             return null;
         }
         const artifactStat = lstatSync(artifactPath);
@@ -138,7 +140,7 @@ function getConcreteTargetAreas(request, artifactWorkspacePath, hasApprovedTechA
     if (!artifactWorkspacePath || !hasApprovedTechArtifacts || !hasPlannerArtifactWorkspace(request, artifactWorkspacePath)) {
         return [];
     }
-    const architectureRoot = join(artifactWorkspacePath, '.peaks', 'changes', request.changeId, 'architecture');
+    const architectureRoot = join(artifactWorkspacePath, '.peaks', request.changeId, 'rd', 'architecture');
     const candidates = TECH_REQUIRED_ARTIFACTS.flatMap((artifact) => {
         if (artifact === 'tech-approval-record.md') {
             return [];
@@ -155,7 +157,7 @@ function buildPlan(request) {
     const executionModelId = request.executionModelId?.trim() || getConfiguredExecutionModelId(undefined);
     const { workerTarget, blockedReasons } = resolveWorkerTarget(request.maxWorkers);
     const artifactWorkspacePath = resolveArtifactWorkspacePath(request);
-    const artifactRoot = buildArtifactRelativePath(request.changeId, 'swarm');
+    const artifactRoot = buildArtifactRelativePath(request.changeId, 'rd', 'swarm');
     const techStatus = getTechStatus({
         changeId: request.changeId,
         ...(artifactWorkspacePath ? { artifactWorkspacePath } : {}),
@@ -174,10 +176,10 @@ function buildPlan(request) {
             conflictGroups: [],
             artifactRoot,
             outputs: {
-                taskGraph: buildArtifactRelativePath(request.changeId, 'swarm', 'task-graph.json'),
+                taskGraph: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'task-graph.json'),
                 waveManifests: [],
                 workerBriefs: [],
-                reducerReport: buildArtifactRelativePath(request.changeId, 'swarm', 'reducer-report.md'),
+                reducerReport: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'reducer-report.md'),
             },
             gateStatus: {
                 techApprovalRequired: requiresTechApproval,
@@ -199,10 +201,10 @@ function buildPlan(request) {
             conflictGroups: [],
             artifactRoot,
             outputs: {
-                taskGraph: buildArtifactRelativePath(request.changeId, 'swarm', 'task-graph.json'),
+                taskGraph: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'task-graph.json'),
                 waveManifests: [],
                 workerBriefs: [],
-                reducerReport: buildArtifactRelativePath(request.changeId, 'swarm', 'reducer-report.md'),
+                reducerReport: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'reducer-report.md'),
             },
             gateStatus: {
                 techApprovalRequired: true,
@@ -223,10 +225,10 @@ function buildPlan(request) {
             conflictGroups: [],
             artifactRoot,
             outputs: {
-                taskGraph: buildArtifactRelativePath(request.changeId, 'swarm', 'task-graph.json'),
+                taskGraph: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'task-graph.json'),
                 waveManifests: [],
                 workerBriefs: [],
-                reducerReport: buildArtifactRelativePath(request.changeId, 'swarm', 'reducer-report.md'),
+                reducerReport: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'reducer-report.md'),
             },
             gateStatus: {
                 techApprovalRequired: requiresTechApproval,
@@ -263,7 +265,7 @@ function buildPlan(request) {
     };
     const tasks = taskIds.map((taskId, index) => {
         const wave = index < 8 ? 'discovery' : index < 16 ? 'planning' : index < taskIds.length - 8 ? 'implementation candidates' : index < taskIds.length - 5 ? 'unit-test execution' : index < taskIds.length - 1 ? 'quality gates' : 'reducer';
-        const briefPath = buildArtifactRelativePath(request.changeId, 'swarm', 'workers', taskId, 'brief.md');
+        const briefPath = buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'workers', taskId, 'brief.md');
         const implementationIndex = index - 16;
         const targetArea = wave === 'implementation candidates' && hasConcreteTargetAreas(concreteTargetAreas)
             ? selectConcreteTargetArea(concreteTargetAreas, implementationIndex)
@@ -294,7 +296,7 @@ function buildPlan(request) {
     });
     const conflictGroups = waves.map((wave) => ({
         groupId: `group-${wave.name.replace(/\s+/g, '-')}`,
-        ownedPaths: wave.taskIds.map((taskId) => buildArtifactRelativePath(request.changeId, 'swarm', 'workers', taskId, 'brief.md')),
+        ownedPaths: wave.taskIds.map((taskId) => buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'workers', taskId, 'brief.md')),
         parallelismPolicy: wave.taskIds.length > 1 ? 'parallel' : 'sequential',
         reason: `${wave.name} work is isolated by worker output path`,
     }));
@@ -308,10 +310,10 @@ function buildPlan(request) {
         conflictGroups,
         artifactRoot,
         outputs: {
-            taskGraph: buildArtifactRelativePath(request.changeId, 'swarm', 'task-graph.json'),
-            waveManifests: waves.map((wave, index) => buildArtifactRelativePath(request.changeId, 'swarm', 'waves', `wave-${index + 1}-${wave.name}.json`)),
+            taskGraph: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'task-graph.json'),
+            waveManifests: waves.map((wave, index) => buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'waves', `wave-${index + 1}-${wave.name}.json`)),
             workerBriefs: tasks.map((task) => task.outputs[0]),
-            reducerReport: buildArtifactRelativePath(request.changeId, 'swarm', 'reducer-report.md'),
+            reducerReport: buildArtifactRelativePath(request.changeId, 'rd', 'swarm', 'reducer-report.md'),
         },
         gateStatus: {
             techApprovalRequired: requiresTechApproval,

package/dist/src/services/refactor/refactor-service.js

@@ -12,7 +12,8 @@ export function createRefactorDryRun(mode) {
             'Generate strict verifiable spec before each slice',
             'Require peaks-prd and peaks-qa artifacts even for direct peaks-rd refactor',
             'Require 100% acceptance for each slice',
-            'Commit code and intermediate artifacts before the next slice'
+            'Retain code changes and intermediate artifacts in local .peaks/<session-id>/ storage before the next slice',
+            'Commit or sync artifacts only after explicit authorization'
         ],
         requiredArtifacts: [
             'project-scan.md',
@@ -20,13 +21,15 @@ export function createRefactorDryRun(mode) {
             'feature-slice-map.md',
             'slice-spec.md',
             'acceptance-spec.md',
+            'code-review-report.md',
+            'security-review-report.md',
+            'post-check-dry-run.md',
             'validation-report.md',
-            'artifact-retention-report.md',
-            'commit-required.md'
+            'retention-boundary.md'
         ],
         nextActions: [
             'Run doctor checks',
-            'Initialize or link the remote artifact repository',
+            'Create or discover local .peaks/<session-id>/ artifact workspace',
             'Generate the first refactor slice spec before implementation'
         ]
     };

package/dist/src/services/sc/sc-service.d.ts

@@ -26,7 +26,8 @@ export type ArtifactRetentionReport = {
     coverageArtifacts: string[];
     reviewArtifacts: string[];
     codeChanges: string[];
-    commitStatus: 'committed' | 'pending' | 'rolled-back';
+    retentionStatus: 'local-ready' | 'pending' | 'explicitly-committed' | 'rolled-back';
+    commitHash: string | null;
     rollbackPoint: string | null;
 };
 export type ChangeTraceabilityStatus = {

package/dist/src/services/sc/sc-service.js

@@ -1,20 +1,25 @@
 import { existsSync, lstatSync, readFileSync, realpathSync } from 'node:fs';
 import { execFileSync } from 'node:child_process';
 import { basename, relative, resolve } from 'node:path';
+import { isInsidePath } from '../../shared/path-utils.js';
 import { getCurrentWorkspaceConfig } from '../config/config-service.js';
-import { getArtifactWorkspaceStatus, getLocalArtifactPath } from '../artifacts/workspace-service.js';
+import { getArtifactRemoteRepo, getArtifactWorkspaceStatus, getLocalArtifactPath } from '../artifacts/workspace-service.js';
 const REQUIRED_ARTIFACTS = [
-    { name: 'artifact-retention-report.md', path: ['qa', 'artifact-retention-report.md'] },
+    { name: 'retention-boundary.md', path: ['sc', 'retention-boundary.md'] },
     { name: 'change-impact.json', path: ['sc', 'change-impact.json'] },
-    { name: 'commit-boundary.md', path: ['checkpoints', 'commit-boundary.md'] },
-    { name: 'coverage-report.md', path: ['qa', 'coverage-report.md'] }
+    { name: 'coverage-report.md', path: ['rd', 'coverage-report.md'] }
 ];
 const RETENTION_REQUIREMENTS = [
-    ['product', 'prd.md'],
-    ['architecture', 'slice-spec.md'],
+    ['prd', 'refactor-goal.md'],
+    ['rd', 'slice-spec.md'],
+    ['rd', 'coverage-report.md'],
+    ['rd', 'code-review-report.md'],
+    ['rd', 'security-review-report.md'],
+    ['rd', 'post-check-dry-run.md'],
     ['qa', 'validation-report.md'],
-    ['qa', 'coverage-report.md'],
-    ['review', 'code-review.md']
+    ['sc', 'change-impact.json'],
+    ['sc', 'retention-boundary.md'],
+    ['txt', 'context-capsule.md']
 ];
 const SLICE_ID_PATTERN = /^(?!\.{1,2}$)[A-Za-z0-9._-]+$/;
 function getPeaksPath(workspaceRoot) {
@@ -27,12 +32,16 @@ function resolveCurrentChangeId(peaksPath) {
     try {
         const stat = lstatSync(currentChangePath);
         if (stat.isSymbolicLink()) {
-            return basename(realpathSync(currentChangePath));
+            const targetPath = realpathSync(currentChangePath);
+            if (!isInsidePath(targetPath, realpathSync(peaksPath)))
+                return null;
+            const targetId = basename(targetPath);
+            return SLICE_ID_PATTERN.test(targetId) ? targetId : null;
         }
         const raw = readFileSync(currentChangePath, 'utf-8').trim();
-        if (!raw)
+        if (!raw || !SLICE_ID_PATTERN.test(raw))
             return null;
-        return basename(raw);
+        return raw;
     }
     catch {
         return null;
@@ -63,24 +72,42 @@ function mapSyncState(syncStatus) {
         return 'pending';
     return 'failed';
 }
-function getCurrentArtifactDir(workspaceRoot) {
-    const peaksPath = getPeaksPath(workspaceRoot);
+function getCurrentArtifactDir(artifactWorkspacePath) {
+    const peaksPath = getPeaksPath(artifactWorkspacePath);
     const changeId = resolveCurrentChangeId(peaksPath);
-    const effectiveChangeId = changeId ?? 'unknown-change';
+    const effectiveChangeId = changeId ?? 'unknown-session';
     return {
         peaksPath,
         changeId,
-        changeDir: resolve(peaksPath, 'changes', effectiveChangeId)
+        changeDir: resolve(peaksPath, effectiveChangeId)
     };
 }
-function getRetentionChangeDir(workspaceRoot, sliceId) {
-    const peaksPath = getPeaksPath(workspaceRoot);
+function getRetentionChangeDir(artifactWorkspacePath, sliceId) {
+    const peaksPath = getPeaksPath(artifactWorkspacePath);
     return {
         peaksPath,
         changeId: sliceId,
-        changeDir: resolve(peaksPath, 'changes', sliceId)
+        changeDir: resolve(peaksPath, sliceId)
     };
 }
+function isRetainedArtifactFile(filePath, artifactWorkspacePath, changesRoot, changeDir) {
+    if (!existsSync(filePath))
+        return false;
+    try {
+        const artifactWorkspaceRealPath = realpathSync(artifactWorkspacePath);
+        const changesRootRealPath = realpathSync(changesRoot);
+        const changeDirRealPath = realpathSync(changeDir);
+        const fileRealPath = realpathSync(filePath);
+        return !lstatSync(changesRoot).isSymbolicLink()
+            && !lstatSync(changeDir).isSymbolicLink()
+            && isInsidePath(changesRootRealPath, artifactWorkspaceRealPath)
+            && isInsidePath(changeDirRealPath, changesRootRealPath)
+            && isInsidePath(fileRealPath, changeDirRealPath);
+    }
+    catch {
+        return false;
+    }
+}
 export function getChangeTraceabilityStatus() {
     const workspace = getCurrentWorkspaceConfig();
     const artifactStatus = getArtifactWorkspaceStatus(workspace?.workspaceId);
@@ -92,31 +119,30 @@ export function getChangeTraceabilityStatus() {
             localArtifactPath: '.peaks-artifacts',
             requiredArtifacts: REQUIRED_ARTIFACTS.map((artifact) => ({
                 name: artifact.name,
-                path: resolve('.peaks', 'changes', '<change-id>', ...artifact.path),
+                path: resolve('.peaks', '<session-id>', ...artifact.path),
                 exists: false
             })),
             nextActions: ['Add a workspace: peaks config workspace add --id <id> --name <name> --path <path>']
         };
     }
-    const { peaksPath, changeId, changeDir } = getCurrentArtifactDir(workspace.rootPath);
-    const hasArtifactRepo = Boolean(workspace.artifactRepo);
+    const artifactWorkspacePath = getLocalArtifactPath(workspace);
+    const { peaksPath, changeId, changeDir } = getCurrentArtifactDir(artifactWorkspacePath);
+    const artifactRepo = getArtifactRemoteRepo(workspace);
+    const hasArtifactRepo = Boolean(artifactRepo);
+    const changesRoot = peaksPath;
     const requiredArtifacts = REQUIRED_ARTIFACTS.map((artifact) => {
         const artifactPath = resolve(changeDir, ...artifact.path);
         return {
             name: artifact.name,
-            path: resolve(peaksPath, 'changes', changeId ?? '<change-id>', ...artifact.path),
-            exists: existsSync(artifactPath)
+            path: resolve(peaksPath, changeId ?? '<session-id>', ...artifact.path),
+            exists: isRetainedArtifactFile(artifactPath, artifactWorkspacePath, changesRoot, changeDir)
         };
     });
     const nextActions = [];
     if (!changeId) {
         nextActions.push('Set the current change in .peaks/current-change');
     }
-    if (!hasArtifactRepo) {
-        nextActions.push('Configure artifact repo: peaks config workspace add --id <id> --provider github --repo-owner <owner> --repo-name <name>');
-        nextActions.push('Then run: peaks artifacts init --provider github --name <repo> --dry-run');
-    }
-    else if (artifactStatus.syncStatus === 'pending') {
+    if (hasArtifactRepo && artifactStatus.syncStatus === 'pending') {
         nextActions.push(`Run peaks artifacts sync --workspace ${workspace.workspaceId} --dry-run`);
     }
     return {
@@ -130,7 +156,7 @@ export function getChangeTraceabilityStatus() {
 }
 export function createChangeImpact(options) {
     const workspace = getCurrentWorkspaceConfig();
-    const artifactRepo = workspace?.artifactRepo ?? null;
+    const artifactRepo = workspace ? getArtifactRemoteRepo(workspace) : null;
     return {
         changeId: options.changeId,
         sourceArtifacts: options.sourceArtifacts ?? [],
@@ -161,7 +187,8 @@ export function createArtifactRetentionReport(options) {
         coverageArtifacts: options.coverageArtifacts ?? [],
         reviewArtifacts: options.reviewArtifacts ?? [],
         codeChanges: options.codeChanges ?? [],
-        commitStatus: 'pending',
+        retentionStatus: 'pending',
+        commitHash: null,
         rollbackPoint: null
     };
 }
@@ -192,13 +219,15 @@ export function validateArtifactRetention(sliceId) {
         return {
             valid: false,
             missingArtifacts: ['Invalid slice id'],
-            warnings: ['Slice id must stay inside .peaks/changes and only contain letters, numbers, dots, underscores, or hyphens']
+            warnings: ['Slice id must stay inside .peaks/<session-id> and only contain letters, numbers, dots, underscores, or hyphens']
         };
     }
-    const { changeDir } = getRetentionChangeDir(workspace.rootPath, sliceId);
+    const artifactWorkspacePath = getLocalArtifactPath(workspace);
+    const { peaksPath, changeDir } = getRetentionChangeDir(artifactWorkspacePath, sliceId);
+    const changesRoot = peaksPath;
     const missingArtifacts = RETENTION_REQUIREMENTS
         .map(([folder, file]) => resolve(changeDir, folder, file))
-        .filter((filePath) => !existsSync(filePath))
+        .filter((filePath) => !isRetainedArtifactFile(filePath, artifactWorkspacePath, changesRoot, changeDir))
         .map((filePath) => relative(changeDir, filePath).replace(/\\/g, '/'));
     return {
         valid: missingArtifacts.length === 0,
@@ -212,12 +241,12 @@ export function getScHelpText() {
         'peaks sc impact --change-id <id>         Generate change impact artifact',
         'peaks sc retention --slice-id <id>        Create artifact retention report',
         'peaks sc validate --slice-id <id>         Validate artifact retention',
-        'peaks sc boundary --slice-id <id>         Record commit boundary for slice',
+        'peaks sc boundary --slice-id <id>         Record retention boundary for slice',
         '',
         'Change traceability workflow integration:',
         '  1. Run peaks sc status to check current state',
         '  2. After slice completion, run peaks sc retention --slice-id <id>',
-        '  3. Artifact sync is automatic when artifact repo is configured',
-        '  4. Commit boundary is recorded when code is committed'
+        '  3. Keep artifacts local in .peaks/<session-id>/ by default',
+        '  4. Commit or sync artifacts only after explicit authorization'
     ];
 }

package/dist/src/services/tech/tech-service.js

@@ -1,4 +1,4 @@
-import { existsSync, lstatSync, readFileSync } from 'node:fs';
+import { closeSync, existsSync, fstatSync, lstatSync, openSync, readSync, statSync } from 'node:fs';
 import { join, resolve } from 'node:path';
 import { isInsidePath, stableRealPath } from '../../shared/path-utils.js';
 import { buildArtifactRelativePath, validateChangeIdOrThrow } from '../../shared/change-id.js';
@@ -28,7 +28,7 @@ function assertNonEmptyGoal(goal) {
     }
 }
 function architectureRoot(changeId) {
-    return buildArtifactRelativePath(changeId, 'architecture');
+    return buildArtifactRelativePath(changeId, 'rd', 'architecture');
 }
 function hasPlannerArtifactWorkspace(artifactWorkspacePath, workspace) {
     return !!workspace && hasValidArtifactWorkspace(workspace, artifactWorkspacePath);
@@ -38,12 +38,59 @@ function isEscapedArchitectureRoot(rootPath, artifactWorkspacePath) {
         return false;
     }
     try {
-        return !isInsidePath(stableRealPath(rootPath), stableRealPath(artifactWorkspacePath));
+        const rdRootPath = resolve(rootPath, '..');
+        const sessionRootPath = resolve(rdRootPath, '..');
+        return lstatSync(sessionRootPath).isSymbolicLink()
+            || lstatSync(rdRootPath).isSymbolicLink()
+            || lstatSync(rootPath).isSymbolicLink()
+            || !isInsidePath(stableRealPath(rootPath), stableRealPath(artifactWorkspacePath));
     }
     catch {
         return true;
     }
 }
+const MAX_TECH_ARTIFACT_BYTES = 256_000;
+function readTechArtifactFile(rootPath, artifact) {
+    const artifactPath = resolve(rootPath, artifact);
+    try {
+        const rootRealPath = stableRealPath(rootPath);
+        const artifactStat = lstatSync(artifactPath);
+        if (artifactStat.isSymbolicLink() || !artifactStat.isFile() || artifactStat.size > MAX_TECH_ARTIFACT_BYTES) {
+            return null;
+        }
+        if (!isInsidePath(stableRealPath(artifactPath), rootRealPath)) {
+            return null;
+        }
+        const fd = openSync(artifactPath, 'r');
+        try {
+            const openedStat = fstatSync(fd);
+            const currentStat = statSync(artifactPath);
+            if (!openedStat.isFile() || openedStat.size > MAX_TECH_ARTIFACT_BYTES || openedStat.dev !== artifactStat.dev || openedStat.ino !== artifactStat.ino || openedStat.dev !== currentStat.dev || openedStat.ino !== currentStat.ino) {
+                return null;
+            }
+            const buffer = Buffer.alloc(openedStat.size);
+            let offset = 0;
+            while (offset < openedStat.size) {
+                const bytesRead = readSync(fd, buffer, offset, openedStat.size - offset, offset);
+                if (bytesRead === 0) {
+                    return null;
+                }
+                offset += bytesRead;
+            }
+            const finalStat = fstatSync(fd);
+            if (finalStat.dev !== openedStat.dev || finalStat.ino !== openedStat.ino) {
+                return null;
+            }
+            return buffer.toString('utf8');
+        }
+        finally {
+            closeSync(fd);
+        }
+    }
+    catch {
+        return null;
+    }
+}
 function isValidArtifactFile(rootPath, artifact) {
     const artifactPath = resolve(rootPath, artifact);
     try {
@@ -61,7 +108,7 @@ function isValidArtifactFile(rootPath, artifact) {
     }
 }
 function waveManifestPath(changeId, index, wave) {
-    return buildArtifactRelativePath(changeId, 'architecture', 'waves', `wave-${index + 1}-${wave}.json`);
+    return buildArtifactRelativePath(changeId, 'rd', 'architecture', 'waves', `wave-${index + 1}-${wave}.json`);
 }
 function taskPurpose(taskId, goal) {
     return `${taskId.replace(/^tech-/, '').replace(/-/g, ' ')} for ${goal}`;
@@ -82,7 +129,7 @@ function createTechGraph(request) {
                 : wave.name === 'review'
                     ? [...documentTaskIds]
                     : [...reviewTaskIds];
-        const briefPath = buildArtifactRelativePath(request.changeId, 'architecture', 'workers', taskId, 'brief.md');
+        const briefPath = buildArtifactRelativePath(request.changeId, 'rd', 'architecture', 'workers', taskId, 'brief.md');
         return {
             taskId,
             wave: wave.name,
@@ -104,10 +151,10 @@ function createTechGraph(request) {
         waves,
         tasks,
         outputs: {
-            taskGraph: buildArtifactRelativePath(request.changeId, 'architecture', 'tech-task-graph.json'),
+            taskGraph: buildArtifactRelativePath(request.changeId, 'rd', 'architecture', 'tech-task-graph.json'),
             waveManifests: waves.map((wave, index) => waveManifestPath(request.changeId, index, wave.name)),
-            reviewChecklist: buildArtifactRelativePath(request.changeId, 'architecture', 'tech-review-checklist.md'),
-            approvalTemplate: buildArtifactRelativePath(request.changeId, 'architecture', 'tech-approval-record.template.md'),
+            reviewChecklist: buildArtifactRelativePath(request.changeId, 'rd', 'architecture', 'tech-review-checklist.md'),
+            approvalTemplate: buildArtifactRelativePath(request.changeId, 'rd', 'architecture', 'tech-approval-record.template.md'),
         },
         blockedReasons: [],
         nextActions: [],
@@ -156,8 +203,8 @@ export function getTechStatus(options) {
             nextActions: [...WORKSPACE_UNAVAILABLE_NEXT_ACTIONS],
         };
     }
-    const rootPath = resolve(options.artifactWorkspacePath, '.peaks', 'changes', options.changeId, 'architecture');
-    const approvalRecord = buildArtifactRelativePath(options.changeId, 'architecture', 'tech-approval-record.md');
+    const rootPath = resolve(options.artifactWorkspacePath, '.peaks', options.changeId, 'rd', 'architecture');
+    const approvalRecord = buildArtifactRelativePath(options.changeId, 'rd', 'architecture', 'tech-approval-record.md');
     if (isEscapedArchitectureRoot(rootPath, options.artifactWorkspacePath)) {
         return {
             changeId: options.changeId,
@@ -195,11 +242,8 @@ export function getTechStatus(options) {
             nextActions: ['Run peaks tech plan --dry-run, then persist and review the required tech artifacts.'],
         };
     }
-    let approvalContent;
-    try {
-        approvalContent = readFileSync(join(rootPath, 'tech-approval-record.md'), 'utf8');
-    }
-    catch {
+    const approvalContent = readTechArtifactFile(rootPath, 'tech-approval-record.md');
+    if (approvalContent === null) {
         return {
             changeId: options.changeId,
             status: 'blocked',

package/dist/src/services/workflow/workflow-autonomous-service.js

@@ -216,10 +216,10 @@ function createGoalCommand(goalPackage) {
 function getResumeRequiredArtifacts(changeId) {
     return [
         buildArtifactRelativePath(changeId, 'prd', 'autonomous-goal-package.json'),
-        buildArtifactRelativePath(changeId, 'swarm', 'autonomous-rd-plan.json'),
-        buildArtifactRelativePath(changeId, 'swarm', 'checkpoints', 'checkpoint-1.json'),
-        buildArtifactRelativePath(changeId, 'swarm', 'evidence', 'validation-report.md'),
-        buildArtifactRelativePath(changeId, 'swarm', 'resume-instructions.md')
+        buildArtifactRelativePath(changeId, 'rd', 'swarm', 'autonomous-rd-plan.json'),
+        buildArtifactRelativePath(changeId, 'rd', 'swarm', 'checkpoints', 'checkpoint-1.json'),
+        buildArtifactRelativePath(changeId, 'rd', 'swarm', 'evidence', 'validation-report.md'),
+        buildArtifactRelativePath(changeId, 'rd', 'swarm', 'resume-instructions.md')
     ];
 }
 function isObjectRecord(value) {
@@ -249,8 +249,31 @@ function readResumeArtifact(artifactWorkspacePath, artifact) {
         if (artifactStat.isSymbolicLink() || !artifactStat.isFile() || artifactStat.size > MAX_RESUME_ARTIFACT_BYTES) {
             return null;
         }
+        const pathSegments = artifact.replace(/\\/g, '/').split('/');
+        if (pathSegments.length < 4 || pathSegments[0] !== '.peaks') {
+            return null;
+        }
+        const sessionRootPath = resolve(artifactWorkspacePath, '.peaks', pathSegments[1]);
+        const roleRootPath = resolve(sessionRootPath, pathSegments[2]);
+        if (lstatSync(sessionRootPath).isSymbolicLink() || lstatSync(roleRootPath).isSymbolicLink()) {
+            return null;
+        }
+        let allowedRootRealPath;
+        if (pathSegments[2] === 'rd') {
+            const swarmRootPath = resolve(roleRootPath, 'swarm');
+            if (pathSegments[3] !== 'swarm' || lstatSync(swarmRootPath).isSymbolicLink()) {
+                return null;
+            }
+            allowedRootRealPath = realpathSync(swarmRootPath);
+        }
+        else if (pathSegments[2] === 'prd') {
+            allowedRootRealPath = realpathSync(roleRootPath);
+        }
+        else {
+            return null;
+        }
         const artifactRealPath = realpathSync(artifactPath);
-        if (!isInsidePath(artifactRealPath, artifactWorkspaceRealPath)) {
+        if (!isInsidePath(allowedRootRealPath, artifactWorkspaceRealPath) || !isInsidePath(artifactRealPath, allowedRootRealPath)) {
             return null;
         }
         const fd = openSync(artifactPath, 'r');
@@ -385,7 +408,7 @@ function isSafeEvidenceRef(ref) {
     return ref.toLowerCase() !== 'validation-report.md' && /^[A-Za-z0-9][A-Za-z0-9._-]*\.md$/.test(ref) && !ref.includes('..');
 }
 function evidenceRefsExist(artifactWorkspacePath, changeId, refs) {
-    return refs.every((ref) => isSafeEvidenceRef(ref) && readResumeArtifact(artifactWorkspacePath, buildArtifactRelativePath(changeId, 'swarm', 'evidence', ref)) !== null);
+    return refs.every((ref) => isSafeEvidenceRef(ref) && readResumeArtifact(artifactWorkspacePath, buildArtifactRelativePath(changeId, 'rd', 'swarm', 'evidence', ref)) !== null);
 }
 function hasMatchingEvidenceRefs(artifactWorkspacePath, changeId, validationReportContent, checkpointContent) {
     const expectedRefs = getCheckpointValidationRefs(checkpointContent);
@@ -425,8 +448,8 @@ function getResumeArtifactsStatus(artifactWorkspacePath, requiredArtifacts, chan
             hasInvalidArtifact = true;
         }
     }
-    const checkpointContent = artifactContents.get(buildArtifactRelativePath(changeId, 'swarm', 'checkpoints', 'checkpoint-1.json'));
-    const validationReportContent = artifactContents.get(buildArtifactRelativePath(changeId, 'swarm', 'evidence', 'validation-report.md'));
+    const checkpointContent = artifactContents.get(buildArtifactRelativePath(changeId, 'rd', 'swarm', 'checkpoints', 'checkpoint-1.json'));
+    const validationReportContent = artifactContents.get(buildArtifactRelativePath(changeId, 'rd', 'swarm', 'evidence', 'validation-report.md'));
     if (!checkpointContent || !validationReportContent || !hasMatchingEvidenceRefs(artifactWorkspacePath, changeId, validationReportContent, checkpointContent)) {
         hasInvalidArtifact = true;
     }

package/dist/src/shared/change-id.js

@@ -61,7 +61,7 @@ export function isUnsafeArtifactPath(path) {
 export function buildArtifactRelativePath(changeId, ...segments) {
     validateChangeIdOrThrow(changeId);
     const joined = segments.map((segment) => normalizeForwardSlashes(segment)).join('/');
-    const candidatePath = `.peaks/changes/${changeId}/${joined}`;
+    const candidatePath = `.peaks/${changeId}/${joined}`;
     if (isUnsafeArtifactPath(joined) || isUnsafeArtifactPath(candidatePath)) {
         throw new ChangeIdValidationError(changeId);
     }

package/dist/src/shared/version.d.ts

@@ -1 +1 @@
-export declare const CLI_VERSION = "1.0.2";
+export declare const CLI_VERSION = "1.0.4";

package/dist/src/shared/version.js

@@ -1 +1 @@
-export const CLI_VERSION = "1.0.2";
+export const CLI_VERSION = "1.0.4";