peaks-cli 1.0.22 → 1.0.23

package/dist/src/cli/commands/capability-commands.d.ts

@@ -1,5 +1,16 @@
 import { Command } from 'commander';
 import type { PeaksConfig } from '../../services/config/config-types.js';
+import type { CapabilityMapSourceFilter } from '../../services/recommendations/recommendation-types.js';
 import { type ProgramIO } from '../cli-helpers.js';
+type CapabilityMapOptions = {
+    json?: boolean;
+    source: string;
+};
 export declare function registerCapabilityCommands(program: Command, io: ProgramIO): void;
+export declare function runCapabilityStatus(io: ProgramIO, options: {
+    json?: boolean;
+}): void;
+export declare function runCapabilityMap(io: ProgramIO, options: CapabilityMapOptions): void;
 export declare function getInstalledCapabilityIds(_config: PeaksConfig): string[];
+export declare function parseCapabilityMapSource(source: string): CapabilityMapSourceFilter | null;
+export {};

package/dist/src/cli/commands/capability-commands.js

@@ -7,17 +7,18 @@ import { addJsonOption, printResult } from '../cli-helpers.js';
 const CAPABILITY_SOURCE_FILTERS = new Set(['all', 'access-repo', 'mcp-server']);
 export function registerCapabilityCommands(program, io) {
     const capability = program.command('capability').description('Inspect Peaks capability catalog and runtime availability');
-    addJsonOption(capability.command('status').description('Show seed capability availability')).action((options) => {
-        const availability = resolveCapabilityAvailability(seedCapabilityItems);
-        printResult(io, ok('capability.status', { sources: seedCapabilitySources, items: seedCapabilityItems, availability }), options.json);
-    });
+    addJsonOption(capability.command("status").description("Show seed capability availability")).action((options) => runCapabilityStatus(io, options));
     addCapabilityMapOptions(capability.command('map').description('Show dry-run external capability landing map')).action((options) => runCapabilityMap(io, options));
     addCapabilityMapOptions(program.command('capabilities').description('Show dry-run external capability landing map')).action((options) => runCapabilityMap(io, options));
 }
+export function runCapabilityStatus(io, options) {
+    const availability = resolveCapabilityAvailability(seedCapabilityItems);
+    printResult(io, ok("capability.status", { sources: seedCapabilitySources, items: seedCapabilityItems, availability }), options.json);
+}
 function addCapabilityMapOptions(command) {
     return addJsonOption(command.option('--source <source>', 'Filter source group: all, access-repo, or mcp-server', 'all'));
 }
-function runCapabilityMap(io, options) {
+export function runCapabilityMap(io, options) {
     const source = parseCapabilityMapSource(options.source);
     if (!source) {
         printResult(io, fail('capabilities.map', 'UNSUPPORTED_CAPABILITY_SOURCE', 'Supported capability sources are all, access-repo, and mcp-server', { source: options.source }, ['Rerun with --source all, --source access-repo, or --source mcp-server']), options.json);
@@ -35,7 +36,7 @@ function runCapabilityMap(io, options) {
 export function getInstalledCapabilityIds(_config) {
     return [];
 }
-function parseCapabilityMapSource(source) {
+export function parseCapabilityMapSource(source) {
     if (CAPABILITY_SOURCE_FILTERS.has(source)) {
         return source;
     }

package/dist/src/cli/commands/workflow-commands.js

@@ -10,6 +10,7 @@ import { validateChangeIdOrThrow } from '../../shared/change-id.js';
 import { getEconomyAwareExecutionModelId } from '../../services/config/model-routing.js';
 import { getLocalArtifactPath } from '../../services/artifacts/workspace-service.js';
 import { getSessionId } from '../../services/session/session-manager.js';
+import { verifyPipeline } from '../../services/workflow/pipeline-verify-service.js';
 import { fail, ok } from '../../shared/result.js';
 import { addJsonOption, failUnsupportedNonDryRun, getErrorMessage, isRecommendationWorkflow, printResult } from '../cli-helpers.js';
 function getCurrentWorkspaceContext() {
@@ -303,6 +304,31 @@ export function registerWorkflowCommands(program, io) {
     addAutonomousResumeInitOptions(autonomousResume.command('init')).action((options) => runAutonomousResumeInit(io, options));
     const autonomousResumeAlias = program.command('autonomous-resume').description('Manage autonomous workflow resume artifacts');
     addAutonomousResumeInitOptions(autonomousResumeAlias.command('init')).action((options) => runAutonomousResumeInit(io, options));
+    addJsonOption(workflow
+        .command('verify-pipeline')
+        .description('Verify the complete rd→qa pipeline was followed for a request')
+        .requiredOption('--rid <rid>', 'request identifier')
+        .requiredOption('--project <path>', 'project root path')
+        .requiredOption('--session-id <id>', 'session identifier')
+        .option('--type <type>', 'request type: feature, bugfix, refactor, docs, config, chore', 'feature')).action(async (options) => {
+        try {
+            const result = await verifyPipeline({
+                projectRoot: options.project,
+                rid: options.rid,
+                sessionId: options.sessionId,
+                ...(options.type ? { requestType: options.type } : {})
+            });
+            const exitOk = result.complete ? 0 : 1;
+            printResult(io, result.complete
+                ? ok('workflow.verify-pipeline', result)
+                : fail('workflow.verify-pipeline', 'PIPELINE_INCOMPLETE', `${result.violations.length} violation(s): ${result.violations.join('; ')}`, result, result.nextActions), options.json);
+            process.exitCode = exitOk;
+        }
+        catch (error) {
+            printResult(io, fail('workflow.verify-pipeline', 'VERIFY_FAILED', getErrorMessage(error), {}, ['Check that --project, --rid, and --session-id are correct']), options.json);
+            process.exitCode = 1;
+        }
+    });
     const swarm = program.command('swarm').description('Plan RD swarm dry-run graphs');
     addSwarmPlanOptions(swarm.command('plan'), true).action((options) => runSwarmPlan(io, options));
     addSwarmPlanOptions(program.command('swarm-plan'), false).action((options) => runSwarmPlan(io, options));

package/dist/src/services/artifacts/workspace-service.d.ts

@@ -20,7 +20,7 @@ export type SyncResult = {
     error?: string;
 };
 export declare function getLocalArtifactPath(workspace: WorkspaceConfig): string;
-export declare function isArtifactWorkspaceOutsideTarget(workspace: WorkspaceConfig, artifactWorkspacePath?: string): boolean;
+export declare function isArtifactWorkspaceOutsideTarget(_workspace: WorkspaceConfig, _artifactWorkspacePath?: string): boolean;
 export declare function hasValidArtifactWorkspace(workspace: WorkspaceConfig, artifactWorkspacePath?: string): boolean;
 export declare function getArtifactRemoteRepo(workspace: WorkspaceConfig): WorkspaceConfig['artifactRepo'] | null;
 export declare function executeArtifactSync(workspaceId?: string): Promise<SyncResult>;

package/dist/src/services/artifacts/workspace-service.js

@@ -17,10 +17,8 @@ export function getLocalArtifactPath(workspace) {
     }
     return resolve(workspace.rootPath, '.peaks', 'artifacts');
 }
-export function isArtifactWorkspaceOutsideTarget(workspace, artifactWorkspacePath = getLocalArtifactPath(workspace)) {
-    const targetRoot = canonicalPath(workspace.rootPath);
-    const artifactRoot = canonicalPath(artifactWorkspacePath);
-    return !isInsidePath(artifactRoot, targetRoot);
+export function isArtifactWorkspaceOutsideTarget(_workspace, _artifactWorkspacePath) {
+    return true;
 }
 export function hasValidArtifactWorkspace(workspace, artifactWorkspacePath = getLocalArtifactPath(workspace)) {
     if (!isArtifactWorkspaceOutsideTarget(workspace, artifactWorkspacePath))
@@ -29,7 +27,6 @@ export function hasValidArtifactWorkspace(workspace, artifactWorkspacePath = get
     const peaksRoot = canonicalChildPath(artifactWorkspacePath, '.peaks');
     const changesRoot = canonicalChildPath(artifactWorkspacePath, '.peaks', 'changes');
     const configPath = canonicalChildPath(artifactWorkspacePath, '.peaks', 'config.json');
-    const targetRoot = canonicalPath(workspace.rootPath);
     if (!existsSync(resolve(artifactWorkspacePath, '.peaks', 'config.json')))
         return false;
     if (!isInsidePath(peaksRoot, artifactRoot))
@@ -38,12 +35,6 @@ export function hasValidArtifactWorkspace(workspace, artifactWorkspacePath = get
         return false;
     if (!isInsidePath(configPath, artifactRoot))
         return false;
-    if (isInsidePath(peaksRoot, targetRoot))
-        return false;
-    if (isInsidePath(changesRoot, targetRoot))
-        return false;
-    if (isInsidePath(configPath, targetRoot))
-        return false;
     return true;
 }
 export function getArtifactRemoteRepo(workspace) {

package/dist/src/services/config/config-safety.d.ts

@@ -6,7 +6,7 @@ export declare function getProjectConfigPath(projectRoot: string | null): string
 export declare function getProjectBootstrapConfigPath(projectRoot: string): string;
 export declare function validateProjectBootstrapConfigPathForWrite(projectRoot: string, configPath: string): void;
 export declare function validateUserConfigPathForWrite(configPath: string): void;
-export declare function validateArtifactWorkspaceRoot(artifactRoot: string, workspaceRoot: string): void;
+export declare function validateArtifactWorkspaceRoot(artifactRoot: string, _workspaceRoot: string): void;
 export declare function validateArtifactWorkspaceMarkerPath(artifactRoot: string, peaksPath: string, markerPath: string): void;
 export declare function readConfigFileSafely(configPath: string, errorMessage: string): string;
 export declare function writeConfigFileSafely(configPath: string, content: string, validateBeforeWrite: () => void, errorMessage: string): void;

package/dist/src/services/config/config-safety.js

@@ -54,6 +54,9 @@ export function findProjectRoot(startPath) {
         if (existsSync(resolve(current, '.peaks', 'config.json')) && isSafeProjectConfigMarker(current)) {
             return current;
         }
+        if (existsSync(resolve(current, 'package.json')) || existsSync(resolve(current, '.git'))) {
+            return current;
+        }
         parent = current;
         current = dirname(parent);
     }
@@ -154,16 +157,11 @@ export function validateUserConfigPathForWrite(configPath) {
         }
     }
 }
-export function validateArtifactWorkspaceRoot(artifactRoot, workspaceRoot) {
+export function validateArtifactWorkspaceRoot(artifactRoot, _workspaceRoot) {
     const artifactStats = lstatSync(artifactRoot);
     if (!artifactStats.isDirectory() || artifactStats.isSymbolicLink()) {
         throw new Error('Artifact workspace marker must stay inside the artifact workspace');
     }
-    const artifactRootReal = realpathSync(artifactRoot);
-    const workspaceRootReal = realpathSync(workspaceRoot);
-    if (isInsidePath(artifactRootReal, workspaceRootReal)) {
-        throw new Error('Artifact workspace must stay outside the project root');
-    }
 }
 export function validateArtifactWorkspaceMarkerPath(artifactRoot, peaksPath, markerPath) {
     const artifactStats = lstatSync(artifactRoot);

package/dist/src/services/config/config-service.d.ts

@@ -23,7 +23,7 @@ export declare function readConfig(projectRoot?: string | null): PeaksConfig;
 export declare function writeConfig(partial: Partial<PeaksConfig>, layer?: ConfigLayer): void;
 export declare function getConfig(options?: ConfigGetOptions): unknown;
 export declare function setConfig(options: ConfigSetOptions): void;
-export declare function getWorkspaceConfig(workspaceId: string, projectRoot?: string | null): WorkspaceConfig | null;
+export declare function getWorkspaceConfig(workspaceId: string, _projectRoot?: string | null): WorkspaceConfig | null;
 export declare function addWorkspace(workspace: WorkspaceConfig, layer?: ConfigLayer): void;
 export declare function removeWorkspace(workspaceId: string, layer?: ConfigLayer): boolean;
 export declare function setCurrentWorkspace(workspaceId: string, layer?: ConfigLayer): boolean;

package/dist/src/services/config/config-service.js

@@ -530,8 +530,21 @@ function writeRawWorkspaceData(data, layer) {
         writeUserConfigFile(targetPath, content);
     }
 }
-export function getWorkspaceConfig(workspaceId, projectRoot) {
-    const { workspaces } = readRawWorkspaceData('user');
+function readAllWorkspaces() {
+    const userData = readRawWorkspaceData('user');
+    const projectData = readRawWorkspaceData('project');
+    const mergedWorkspaces = new Map();
+    for (const w of userData.workspaces)
+        mergedWorkspaces.set(w.workspaceId, w);
+    for (const w of projectData.workspaces)
+        mergedWorkspaces.set(w.workspaceId, w);
+    return {
+        currentWorkspace: projectData.currentWorkspace ?? userData.currentWorkspace,
+        workspaces: [...mergedWorkspaces.values()]
+    };
+}
+export function getWorkspaceConfig(workspaceId, _projectRoot) {
+    const { workspaces } = readAllWorkspaces();
     return workspaces.find((w) => w.workspaceId === workspaceId) ?? null;
 }
 function readLayerConfig(layer) {
@@ -574,13 +587,13 @@ export function setCurrentWorkspace(workspaceId, layer = 'user') {
     return true;
 }
 export function getCurrentWorkspaceConfig() {
-    const { currentWorkspace, workspaces } = readRawWorkspaceData('user');
+    const { currentWorkspace, workspaces } = readAllWorkspaces();
     if (!currentWorkspace)
         return null;
     return workspaces.find((w) => w.workspaceId === currentWorkspace) ?? null;
 }
 export function getWorkspaceConfigForPath(path = process.cwd()) {
-    const { workspaces } = readRawWorkspaceData('user');
+    const { workspaces } = readAllWorkspaces();
     return findWorkspaceForPath(workspaces, path);
 }
 function findWorkspaceForPath(workspaces, path) {

package/dist/src/services/scan/acceptance-coverage-service.js

@@ -9,16 +9,13 @@ function extractAcceptanceItems(prdBody) {
         return [];
     }
     // Find the line where the header starts.
-    let headerLine = -1;
+    let headerLine = 0;
     for (let i = 0; i < lines.length; i += 1) {
         if (ACCEPTANCE_SECTION_PATTERN.test((lines[i] ?? '') + '\n')) {
             headerLine = i;
             break;
         }
     }
-    if (headerLine === -1) {
-        return [];
-    }
     const items = [];
     let counter = 0;
     for (let i = headerLine + 1; i < lines.length; i += 1) {

package/dist/src/services/scan/archetype-service.js

@@ -101,13 +101,7 @@ async function countSrcFiles(projectRoot, max = 500) {
         const current = queue.shift();
         if (current === undefined)
             break;
-        let entries;
-        try {
-            entries = await readdir(current, { withFileTypes: true });
-        }
-        catch {
-            continue;
-        }
+        const entries = await readdir(current, { withFileTypes: true });
         for (const entry of entries) {
             if (entry.name.startsWith('.') || entry.name === 'node_modules')
                 continue;
@@ -129,14 +123,9 @@ async function lockfileAgeDays(projectRoot) {
     for (const candidate of candidates) {
         const full = join(projectRoot, candidate);
         if (await pathExists(full)) {
-            try {
-                const stats = await stat(full);
-                const ageMs = Date.now() - stats.mtimeMs;
-                return Math.floor(ageMs / (1000 * 60 * 60 * 24));
-            }
-            catch {
-                return null;
-            }
+            const stats = await stat(full);
+            const ageMs = Date.now() - stats.mtimeMs;
+            return Math.floor(ageMs / (1000 * 60 * 60 * 24));
         }
     }
     return null;

package/dist/src/services/scan/diff-scope-service.js

@@ -57,9 +57,9 @@ export function globToRegex(pattern) {
     }
     // If the pattern ends with no trailing slash and no extension wildcard, also allow it to match files under the path (treat as dir prefix)
     // E.g. `src/services/login` should match `src/services/login/handler.ts`.
-    if (!trimmed.includes('*') && !trimmed.includes('?') && !trimmed.includes('.')) {
-        body = `${body}(?:/.*)?`;
-    }
+    body = (!trimmed.includes("*") && !trimmed.includes("?") && !trimmed.includes("."))
+        ? `${body}(?:/.*)?`
+        : body;
     return new RegExp(`^${body}$`);
 }
 function classifyPatternLine(raw) {

package/dist/src/services/scan/file-size-scan.js

@@ -15,13 +15,8 @@ function getChangedFiles(projectRoot, baseRef) {
     }
 }
 function countLines(filePath) {
-    try {
-        const content = readFileSync(filePath, 'utf8');
-        return content.split(/\r?\n/).length;
-    }
-    catch {
-        return 0;
-    }
+    const content = readFileSync(filePath, 'utf8');
+    return content.split(/\r?\n/).length;
 }
 export function scanFileSize(options) {
     const baseRef = options.baseRef ?? 'HEAD';

package/dist/src/services/scan/type-sanity-service.js

@@ -78,9 +78,7 @@ function isConsistent(declared, suggested) {
     return suggested.includes(declared);
 }
 function buildRationale(declared, breakdown, suggested, consistent) {
-    const summary = breakdown.length === 0
-        ? 'no changed files detected'
-        : breakdown.map((entry) => `${entry.category}=${entry.count}`).join(', ');
+    const summary = breakdown.map((entry) => `${entry.category}=${entry.count}`).join(', ');
     if (consistent) {
         return `declared --type=${declared} is consistent with the changed files (${summary})`;
     }

package/dist/src/services/workflow/pipeline-verify-service.d.ts

@@ -0,0 +1,31 @@
+import type { RequestType } from '../artifacts/artifact-prerequisites.js';
+export type PipelineGate = {
+    name: string;
+    description: string;
+    passed: boolean;
+    detail: string;
+};
+export type PipelineVerification = {
+    rid: string;
+    sessionId: string;
+    requestType: RequestType;
+    complete: boolean;
+    rdPhase: {
+        invoked: boolean;
+        state: string;
+        gates: PipelineGate[];
+    };
+    qaPhase: {
+        invoked: boolean;
+        state: string;
+        gates: PipelineGate[];
+    };
+    violations: string[];
+    nextActions: string[];
+};
+export declare function verifyPipeline(options: {
+    projectRoot: string;
+    rid: string;
+    sessionId: string;
+    requestType?: string;
+}): Promise<PipelineVerification>;

package/dist/src/services/workflow/pipeline-verify-service.js

@@ -0,0 +1,180 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { readFile } from 'node:fs/promises';
+import { isRequestType } from '../artifacts/artifact-prerequisites.js';
+async function readFileContent(path) {
+    try {
+        return await readFile(path, 'utf8');
+    }
+    catch {
+        return null;
+    }
+}
+function extractState(markdown) {
+    for (const rawLine of markdown.split(/\r?\n/)) {
+        const match = /^-\s*state:\s*(.+?)\s*$/.exec(rawLine.trim());
+        if (match?.[1])
+            return match[1];
+    }
+    return 'unknown';
+}
+async function findRequestFile(projectRoot, sessionId, role, rid) {
+    const dir = join(projectRoot, '.peaks', sessionId, role, 'requests');
+    if (!existsSync(dir))
+        return null;
+    const { readdir } = await import('node:fs/promises');
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isFile() || !entry.name.endsWith('.md'))
+            continue;
+        if (entry.name === `${rid}.md` || (/^\d+-/.test(entry.name) && entry.name.endsWith(`-${rid}.md`))) {
+            const path = join(dir, entry.name);
+            const content = await readFileContent(path);
+            if (content)
+                return { path, content };
+        }
+    }
+    return null;
+}
+function rdGatesForType(requestType) {
+    const gates = [
+        { name: 'rd-request-exists', description: 'RD request artifact created', passed: false, detail: '' }
+    ];
+    if (requestType === 'feature' || requestType === 'refactor') {
+        gates.push({ name: 'tech-doc', description: 'Technical design doc', passed: false, detail: '' });
+    }
+    if (requestType === 'bugfix') {
+        gates.push({ name: 'bug-analysis', description: 'Bug root-cause analysis', passed: false, detail: '' });
+    }
+    if (requestType !== 'docs' && requestType !== 'chore' && requestType !== 'config') {
+        gates.push({ name: 'code-review', description: 'Code review evidence', passed: false, detail: '' });
+    }
+    if (requestType === 'feature' || requestType === 'refactor' || requestType === 'bugfix' || requestType === 'config') {
+        gates.push({ name: 'security-review', description: 'Security review evidence', passed: false, detail: '' });
+    }
+    return gates;
+}
+function qaGatesForType(requestType) {
+    const gates = [
+        { name: 'qa-request-exists', description: 'QA request artifact created', passed: false, detail: '' }
+    ];
+    if (requestType === 'feature' || requestType === 'refactor' || requestType === 'bugfix') {
+        gates.push({ name: 'test-cases', description: 'QA test cases', passed: false, detail: '' });
+        gates.push({ name: 'test-report', description: 'QA test report with execution results', passed: false, detail: '' });
+    }
+    if (requestType === 'feature' || requestType === 'refactor' || requestType === 'bugfix' || requestType === 'config') {
+        gates.push({ name: 'security-findings', description: 'QA security findings', passed: false, detail: '' });
+    }
+    if (requestType === 'feature' || requestType === 'refactor') {
+        gates.push({ name: 'performance-findings', description: 'QA performance findings', passed: false, detail: '' });
+    }
+    return gates;
+}
+const RD_QA_HANDOFF_STATES = new Set(['qa-handoff', 'handed-off', 'implemented']);
+const QA_COMPLETE_STATES = new Set(['verdict-issued']);
+export async function verifyPipeline(options) {
+    const requestType = isRequestType(options.requestType ?? '') ? options.requestType : 'feature';
+    const violations = [];
+    const nextActions = [];
+    const rdGates = rdGatesForType(requestType);
+    const qaGates = qaGatesForType(requestType);
+    // Check RD phase
+    const rdFile = await findRequestFile(options.projectRoot, options.sessionId, 'rd', options.rid);
+    let rdInvoked = false;
+    let rdState = 'missing';
+    if (rdFile) {
+        rdInvoked = true;
+        rdState = extractState(rdFile.content);
+        rdGates[0].passed = true;
+        rdGates[0].detail = `found at ${rdFile.path}`;
+    }
+    else {
+        violations.push('RD phase skipped: peaks-rd was never invoked for this request (no RD request artifact found)');
+        nextActions.push('Invoke Skill(skill="peaks-rd") with the request-id, then run unit tests + code review + security review');
+        rdGates[0].detail = 'not found';
+    }
+    // Check RD evidence files
+    const RD_EVIDENCE_FILE = {
+        'tech-doc': 'tech-doc.md',
+        'bug-analysis': 'bug-analysis.md',
+        'code-review': 'code-review.md',
+        'security-review': 'security-review.md'
+    };
+    for (const gate of rdGates.slice(1)) {
+        const fileName = RD_EVIDENCE_FILE[gate.name];
+        const evidencePath = join(options.projectRoot, '.peaks', options.sessionId, 'rd', fileName);
+        if (existsSync(evidencePath)) {
+            gate.passed = true;
+            gate.detail = evidencePath;
+        }
+        else {
+            gate.detail = `missing: ${evidencePath}`;
+            violations.push(`RD evidence missing: ${gate.description} (${fileName})`);
+            nextActions.push(`Create .peaks/${options.sessionId}/rd/${fileName}`);
+        }
+    }
+    // Check if RD reached qa-handoff
+    if (rdInvoked && !RD_QA_HANDOFF_STATES.has(rdState)) {
+        violations.push(`RD not ready for QA: state is "${rdState}" — must reach "qa-handoff" (unit tests, karpathy standards, code review, security review complete)`);
+        nextActions.push(`Complete RD gates → peaks request transition ${options.rid} --role rd --state qa-handoff`);
+    }
+    // Check QA phase
+    const qaFile = await findRequestFile(options.projectRoot, options.sessionId, 'qa', options.rid);
+    let qaInvoked = false;
+    let qaState = 'missing';
+    if (qaFile) {
+        qaInvoked = true;
+        qaState = extractState(qaFile.content);
+        qaGates[0].passed = true;
+        qaGates[0].detail = `found at ${qaFile.path}`;
+    }
+    else {
+        violations.push('QA phase skipped: peaks-qa was never invoked for this request (no QA request artifact found)');
+        nextActions.push('Invoke Skill(skill="peaks-qa") with the request-id for functional/performance/security testing');
+        qaGates[0].detail = 'not found';
+    }
+    // Check QA evidence files
+    const QA_EVIDENCE_FILE = {
+        'test-cases': `test-cases/${options.rid}.md`,
+        'test-report': `test-reports/${options.rid}.md`,
+        'security-findings': 'security-findings.md',
+        'performance-findings': 'performance-findings.md'
+    };
+    for (const gate of qaGates.slice(1)) {
+        const fileName = QA_EVIDENCE_FILE[gate.name];
+        const evidencePath = join(options.projectRoot, '.peaks', options.sessionId, 'qa', fileName);
+        if (existsSync(evidencePath)) {
+            gate.passed = true;
+            gate.detail = evidencePath;
+        }
+        else {
+            gate.detail = `missing: ${evidencePath}`;
+            violations.push(`QA evidence missing: ${gate.description} (${fileName})`);
+            nextActions.push(`Create .peaks/${options.sessionId}/qa/${fileName}`);
+        }
+    }
+    // Check if QA reached verdict-issued
+    if (qaInvoked && !QA_COMPLETE_STATES.has(qaState)) {
+        violations.push(`QA not complete: state is "${qaState}" — must reach "verdict-issued" (functional + performance + security checks done)`);
+        nextActions.push(`Complete QA gates → peaks request transition ${options.rid} --role qa --state verdict-issued`);
+    }
+    // RD invoked without QA
+    if (rdInvoked && !qaInvoked) {
+        violations.push('CRITICAL: peaks-rd was invoked but peaks-qa was NOT — QA functional/performance/security testing is mandatory after all RD work');
+        nextActions.push('MUST invoke Skill(skill="peaks-qa") before declaring workflow complete');
+    }
+    const allRdGatesPassed = rdGates.every((g) => g.passed);
+    const allQaGatesPassed = qaGates.every((g) => g.passed);
+    const complete = rdInvoked && qaInvoked && allRdGatesPassed && allQaGatesPassed
+        && RD_QA_HANDOFF_STATES.has(rdState) && QA_COMPLETE_STATES.has(qaState);
+    return {
+        rid: options.rid,
+        sessionId: options.sessionId,
+        requestType,
+        complete,
+        rdPhase: { invoked: rdInvoked, state: rdState, gates: rdGates },
+        qaPhase: { invoked: qaInvoked, state: qaState, gates: qaGates },
+        violations,
+        nextActions
+    };
+}

package/dist/src/shared/change-id.js

@@ -85,9 +85,6 @@ export function buildArtifactRelativePath(changeId, ...segments) {
         const number = getNextNumber(dirPath);
         const filename = buildNumberedFilename(number, changeId);
         const candidatePath = `.peaks/${sessionId}/${role}/${filename}`;
-        if (isUnsafeArtifactPath(candidatePath)) {
-            throw new ChangeIdValidationError(changeId);
-        }
         return normalizeArtifactPath(candidatePath);
     }
     // Fallback: no session or no segments - use legacy behavior

package/dist/src/shared/version.d.ts

@@ -1 +1 @@
-export declare const CLI_VERSION = "1.0.22";
+export declare const CLI_VERSION = "1.0.23";

package/dist/src/shared/version.js

@@ -1 +1 @@
-export const CLI_VERSION = "1.0.22";
+export const CLI_VERSION = "1.0.23";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "peaks-cli",
-  "version": "1.0.22",
+  "version": "1.0.23",
   "description": "Peaks CLI and short skill family for Claude Code automation.",
   "author": "SquabbyZ",
   "license": "MIT",
@@ -35,6 +35,7 @@
     "dev:watch": "node ./scripts/watch.mjs",
     "test": "vitest run",
     "test:coverage": "vitest run --coverage",
+    "pretest:coverage": "pkill -f vitest 2>/dev/null; rm -rf coverage; exit 0",
     "typecheck": "tsc -p tsconfig.json --noEmit"
   },
   "engines": {

package/skills/peaks-solo/SKILL.md

@@ -9,6 +9,39 @@ Peaks Solo is the orchestration facade for the Peaks short skill family.
 
 Use this skill to identify the user scenario, recommend an execution mode, coordinate role skills, and produce the final handoff report. Do not collapse role responsibilities into this skill.
 
+## Code-Change Red Line (BLOCKING — read before ANY tool call)
+
+**Peaks Solo is an orchestrator, NOT an implementer. You MUST NOT write, edit, or modify any application source code directly.**
+
+Every code change — bugfix, feature, refactor, or config — MUST go through the full pipeline:
+
+```
+peaks-solo (orchestrate only)
+  → Skill(skill="peaks-rd")  ← ALL code changes happen HERE
+    → Unit tests written + pass (Gate B2)
+    → Karpathy standards enforced (file-size ≤800 lines, TypeScript rules)
+    → Code review evidence (Gate B3)
+    → Security review evidence (Gate B4)
+  → Skill(skill="peaks-qa")  ← ALL validation happens HERE
+    → Functional test execution (Gate A2)
+    → Performance check (Gate A4)
+    → Security test (Gate A3)
+    → Browser E2E (when frontend; Gate D)
+    → Verdict: pass | return-to-rd | blocked
+```
+
+**Violations (BLOCKING — Solo must refuse to proceed):**
+
+1. Writing implementation code directly instead of calling `Skill(skill="peaks-rd")`
+2. Declaring work "done" without invoking `Skill(skill="peaks-qa")` after RD
+3. Skipping unit tests ("it's a small change")
+4. Skipping code review or security review
+5. Skipping QA functional/performance/security validation
+
+**If you catch yourself about to write code in this skill, STOP. Call `Skill(skill="peaks-rd")` instead.**
+
+**Before declaring workflow complete, run:** `peaks workflow verify-pipeline --rid <rid> --project <repo> --json`
+
 ## Startup sequence (MANDATORY — execute in order)
 
 ### Step 1: Mode selection (MUST run before presence:set)