peaks-cli 1.3.1 → 1.3.3

package/dist/src/cli/commands/sub-agent-dispatch-guard.d.ts

@@ -0,0 +1,55 @@
+/**
+ * `peaks sub-agent-dispatch-guard` — G9.5 / RL-30 strict hook-only atom.
+ *
+ * This is the **second-layer** gate (PreToolUse hook) for the G9 forced
+ * compression threshold. It re-validates the prompt size against the
+ * threshold table in `src/services/context/threshold.ts` and returns
+ * `{allow: true/false, reason, suggest}` JSON to the LLM platform.
+ *
+ * **NO `--force` flag is exposed at this layer** (RL-30 strict). The
+ * hook is the strictest layer in the G9 chain. If the CLI is bypassed
+ * (e.g. a user manually invokes the dispatch CLI with `--force` to
+ * override the 80% threshold), the hook catches it and returns
+ * `{allow: false}` regardless.
+ *
+ * This atom is **hidden from `peaks --help`** per dev-preference
+ * "skill-first / CLI-auxiliary" + PB-2 byte-stable. It is registered
+ * via the LLM platform's PreToolUse hook chain (e.g. Claude Code's
+ * `settings.json` `PreToolUse` array) and is not a user-facing command.
+ *
+ * The `peaks hooks install` command reads `IdeAdapter.promptSizeAware`
+ * to decide whether to register this hook for a given IDE.
+ */
+import { Command } from 'commander';
+import { type ContextGuardDecision } from '../../services/context/context-guard.js';
+export declare const HOOK_GUARD_RESULT_TYPE: "peaks-hook-guard/v1";
+export interface HookGuardResult {
+    readonly schema: typeof HOOK_GUARD_RESULT_TYPE;
+    readonly allow: boolean;
+    readonly code: ContextGuardDecision['code'];
+    readonly reason: string;
+    readonly suggest: string | null;
+    readonly tier: ContextGuardDecision['evaluation']['tier'];
+    readonly ratio: number;
+    readonly bytesUsed: number;
+    readonly capacityBytes: number;
+    readonly warnings: readonly string[];
+}
+/**
+ * Build the hook-guard result for a given prompt size. Pure function;
+ * no IO. The CLI atom (registered below) calls this and prints JSON.
+ *
+ * Even if the caller passes `force = true` in the input (it shouldn't —
+ * the hook CLI doesn't expose that flag), this function ignores it
+ * and treats the prompt as if no override were available. This is the
+ * RL-30 strict semantics.
+ */
+export declare function evaluateHookGuard(promptSize: number): HookGuardResult;
+/**
+ * Register the `peaks sub-agent-dispatch-guard` command. Intentionally
+ * NOT registered in the main `peaks --help` quickstart (dev-preference
+ * PB-2 byte-stable). The caller (the `peaks hooks install` flow) calls
+ * this directly via the imported function; the CLI registration in
+ * `src/cli/index.ts` uses a hidden command (no `description`, no help).
+ */
+export declare function registerSubAgentDispatchGuard(program: Command): void;

package/dist/src/cli/commands/sub-agent-dispatch-guard.js

@@ -0,0 +1,57 @@
+import { evaluatePromptSize } from '../../services/context/context-guard.js';
+export const HOOK_GUARD_RESULT_TYPE = 'peaks-hook-guard/v1';
+/**
+ * Build the hook-guard result for a given prompt size. Pure function;
+ * no IO. The CLI atom (registered below) calls this and prints JSON.
+ *
+ * Even if the caller passes `force = true` in the input (it shouldn't —
+ * the hook CLI doesn't expose that flag), this function ignores it
+ * and treats the prompt as if no override were available. This is the
+ * RL-30 strict semantics.
+ */
+export function evaluateHookGuard(promptSize) {
+    // Intentionally pass `force: false` always. The hook layer is strict.
+    const decision = evaluatePromptSize(promptSize, { force: false });
+    return {
+        schema: HOOK_GUARD_RESULT_TYPE,
+        allow: decision.allow,
+        code: decision.code,
+        reason: decision.allow
+            ? `prompt size ${promptSize} bytes within threshold (tier=${decision.evaluation.tier})`
+            : `prompt size ${promptSize} bytes exceeds threshold (tier=${decision.evaluation.tier}, ratio=${decision.evaluation.ratio.toFixed(3)})`,
+        suggest: decision.suggest,
+        tier: decision.evaluation.tier,
+        ratio: decision.evaluation.ratio,
+        bytesUsed: decision.evaluation.bytesUsed,
+        capacityBytes: decision.evaluation.capacityBytes,
+        warnings: decision.warnings
+    };
+}
+/**
+ * Register the `peaks sub-agent-dispatch-guard` command. Intentionally
+ * NOT registered in the main `peaks --help` quickstart (dev-preference
+ * PB-2 byte-stable). The caller (the `peaks hooks install` flow) calls
+ * this directly via the imported function; the CLI registration in
+ * `src/cli/index.ts` uses a hidden command (no `description`, no help).
+ */
+export function registerSubAgentDispatchGuard(program) {
+    program
+        .command('sub-agent-dispatch-guard')
+        .description('INTERNAL: PreToolUse hook guard (G9.5 / RL-30 strict)')
+        .requiredOption('--prompt <text>', 'the prompt to validate (size in bytes is what gets checked)')
+        .option('--prompt-length <bytes>', 'DOGFOOD ONLY: synthesize a prompt of this size (overrides --prompt content for size only)')
+        .action((options) => {
+        let prompt = options.prompt;
+        if (typeof options.promptLength === 'string' && options.promptLength.length > 0) {
+            const len = Number.parseInt(options.promptLength, 10);
+            if (Number.isInteger(len) && len > 0) {
+                prompt = 'x'.repeat(len);
+            }
+        }
+        const promptSize = Buffer.byteLength(prompt, 'utf8');
+        const result = evaluateHookGuard(promptSize);
+        // Always exit 0 — the LLM platform reads `allow` from JSON.
+        // The decision is encoded in `allow` / `code`, not the exit code.
+        process.stdout.write(JSON.stringify(result, null, 2) + '\n');
+    });
+}

package/dist/src/cli/commands/workspace-commands.js

@@ -89,7 +89,7 @@ export function registerWorkspaceCommands(program, io) {
     const workspace = program.command('workspace').description('Manage the Peaks per-session artifact workspace (.peaks/<session-id>/)');
     addJsonOption(workspace
         .command('init')
-        .description('Create the .peaks/<session-id>/ directory structure (prd, ui, rd, qa, sc, txt, system) and bind the session as the project current one. Pass --session-id to use a specific id, or omit it to auto-generate one (and adopt an existing binding if present). On the first call for a project, also handles the one-time "install peaks hooks" decision (sticky-marker stored in .peaks/.peaks-init-hooks-decision.json).')
+        .description('Create the .peaks/_runtime/<session-id>/ directory with ONLY the session.json metadata file (slice 006: role subdirs prd/ui/rd/qa/sc/txt and the system/ subdir are created lazily by writers, not pre-created at init). When --change-id is given, also creates the .peaks/<change-id>/ dir. Pass --session-id to use a specific id, or omit it to auto-generate one (and adopt an existing binding if present). On the first call for a project, also handles the one-time "install peaks hooks" decision (sticky-marker stored in .peaks/.peaks-init-hooks-decision.json).')
         .requiredOption('--project <path>', 'target project root')
         .option('--session-id <id>', 'optional session id in YYYY-MM-DD-<kebab-slug> format. When omitted, the CLI is the single source of truth: an existing binding is reused, otherwise a fresh id is auto-generated.')
         .option('--allow-session-rebind', 'overwrite an existing session binding when the requested session id differs from the project current one', false)
@@ -199,14 +199,24 @@ export function registerWorkspaceCommands(program, io) {
     });
     addJsonOption(workspace
         .command('reconcile')
-        .description('Scan .peaks/2026-MM-DD-session-*/ directories and re-point .peaks/_runtime/session.json ' +
-        'to the canonical session (4-tier heuristic: active-skill binding -> latest session.json mtime -> ' +
-        'latest any-file mtime -> dir-name sort). Also migrates any legacy .peaks/.session.json / ' +
-        '.peaks/.active-skill.json / .peaks/sop-state/ into .peaks/_runtime/ (idempotent; no-op on a ' +
-        'tree that is already on the new layout). By default the command is a dry-run: it reports empty / abandoned ' +
-        `session dirs older than ${DEFAULT_RECONCILE_AGE_DAYS} days as deletion candidates but does not delete them. ` +
-        'Pass --apply to actually remove the listed candidate dirs (destructive). ' +
-        'Override the age threshold with --older-than <days>.')
+        .description('Scan .peaks/2026-MM-DD-session-*/ directories and consolidate the runtime state. ' +
+        'By default (no --apply) the command performs four actions:\n' +
+        '  1. Migrates legacy runtime files into .peaks/_runtime/: ' +
+        '.peaks/.session.json -> .peaks/_runtime/session.json, ' +
+        '.peaks/.active-skill.json -> .peaks/_runtime/active-skill.json, ' +
+        '.peaks/sop-state/ -> .peaks/_runtime/sop-state/ ' +
+        '(idempotent; no-op if already on the new layout).\n' +
+        '  2. Re-points .peaks/_runtime/session.json to the canonical session ' +
+        'using a 4-tier heuristic: active-skill binding -> latest session.json mtime -> ' +
+        'latest any-file mtime -> dir-name sort.\n' +
+        '  3. (slice 006) Syncs the single change/<sid>/ live marker under ' +
+        '.peaks/_runtime/change/. The marker is an empty directory; every other ' +
+        'entry under change/ is removed. Also cleans up the F3-introduced ' +
+        '.peaks/_runtime/<sid>/system/ subdir (no-op if already absent).\n' +
+        '  4. REPORTS (but does not delete) session dirs older than --older-than <days> ' +
+        `(default ${DEFAULT_RECONCILE_AGE_DAYS}) as deletion candidates; this is the only step that is dry-run by default.\n` +
+        'Pass --apply to additionally REMOVE the listed candidate dirs (destructive). ' +
+        'Migration (1), repoint (2), and marker sync (3) always run regardless of --apply.')
         .requiredOption('--project <path>', 'target project root')
         .option('--apply', 'actually delete the deletion candidates (destructive); without it, dry-run only', false)
         .option('--older-than <days>', `age threshold in days for deletion candidates (default: ${DEFAULT_RECONCILE_AGE_DAYS})`, (value) => Number.parseFloat(value))).action((options) => {
@@ -242,6 +252,21 @@ export function registerWorkspaceCommands(program, io) {
             if (!apply && result.wouldDelete.length > 0) {
                 nextActions.push(`Re-run with --apply to delete ${result.wouldDelete.length} candidate dir(s).`);
             }
+            if (result.changeMarker.created !== null) {
+                nextActions.push(`Synced change/<${result.changeMarker.created}>/ live marker.`);
+            }
+            else if (result.canonicalSessionId !== null) {
+                nextActions.push(`change/<${result.canonicalSessionId}>/ live marker already in place.`);
+            }
+            if (result.changeMarker.removed.length > 0) {
+                nextActions.push(`Removed ${result.changeMarker.removed.length} stale change/<oldSid>/ marker(s).`);
+            }
+            if (result.systemCleaned.length > 0) {
+                nextActions.push(`Removed ${result.systemCleaned.length} F3 system/ subdir(s).`);
+            }
+            if (result.subAgentStateMigrated > 0) {
+                nextActions.push(`Migrated ${result.subAgentStateMigrated} legacy sub-agent state file(s) into .peaks/_sub_agents/.`);
+            }
             printResult(io, ok('workspace.reconcile', result, warnings, nextActions), options.json);
             if (result.errors.length > 0) {
                 process.exitCode = 1;
@@ -262,18 +287,24 @@ export function registerWorkspaceCommands(program, io) {
         'response. By default the command is a dry-run: it reports the planned moves + conflicts ' +
         'and the session dirs that WOULD be deleted. Pass --apply to actually `git mv` the files ' +
         'and `rm -rf` the emptied session dirs. Idempotent: re-running on an already-migrated tree ' +
-        'is a no-op (all files report conflicts with identical content).')
+        'is a no-op (all files report conflicts with identical content).' +
+        '\n\nSlice 003 (--to-runtime): moves every top-level `.peaks/<sid>/` to `.peaks/_runtime/<sid>/` ' +
+        'for projects still on the pre-runtime-layer layout. Idempotent: re-running on a tree ' +
+        'that is already canonical is a no-op. F15 carve-out: top-level `rd/project-scan.md` is ' +
+        'never overwritten when the runtime copy already exists with different content.')
         .requiredOption('--project <path>', 'target project root')
-        .option('--apply', 'actually `git mv` the files and delete the emptied session dirs (destructive); without it, dry-run only', false)).action(async (options) => {
+        .option('--apply', 'actually `git mv` the files and delete the emptied session dirs (destructive); without it, dry-run only', false)
+        .option('--to-runtime', 'slice 003: also consolidate every top-level .peaks/<sid>/ dir into .peaks/_runtime/<sid>/. Idempotent; conflicts are logged but never overwrite.', false)).action(async (options) => {
         try {
             const projectRoot = resolveCanonicalProjectRoot(options.project);
             const apply = options.apply === true;
-            const result = await migrateWorkspace({ projectRoot, apply });
+            const toRuntime = options.toRuntime === true;
+            const result = await migrateWorkspace({ projectRoot, apply, toRuntime });
             const warnings = [];
-            if (result.sessions.length === 0) {
+            if (result.sessions.length === 0 && (result.toRuntimePlans?.length ?? 0) === 0) {
                 warnings.push('No legacy session directories found under .peaks/. Nothing to migrate.');
             }
-            else if (result.wouldMove.length === 0) {
+            else if (result.wouldMove.length === 0 && (result.toRuntimePlans?.length ?? 0) === 0) {
                 warnings.push('Legacy session dirs found but no reviewable content to migrate (all files were cross-cutting or transient).');
             }
             const nextActions = [];
@@ -283,6 +314,31 @@ export function registerWorkspaceCommands(program, io) {
             if (result.conflicts.length > 0) {
                 nextActions.push(`${result.conflicts.length} file(s) already exist at the target path; review before --apply (or re-run after a partial migrate).`);
             }
+            if (toRuntime) {
+                const plans = result.toRuntimePlans ?? [];
+                if (apply) {
+                    if ((result.toRuntimeMoved?.length ?? 0) > 0) {
+                        nextActions.push(`Moved ${result.toRuntimeMoved?.length} top-level session dir(s) to .peaks/_runtime/ (slice 003 --to-runtime).`);
+                    }
+                    if ((result.toRuntimeConflicts?.length ?? 0) > 0) {
+                        nextActions.push(`${result.toRuntimeConflicts?.length} --to-runtime conflict(s) — see response. ${plans.filter((p) => p.action === 'f15-conflict-project-scan').length} are F15 carve-outs (deferred to a separate slice).`);
+                    }
+                }
+                else {
+                    const wouldMoveCount = plans.filter((p) => p.action === 'moved').length;
+                    const wouldSkipCount = plans.filter((p) => p.action === 'skipped-already-canonical').length;
+                    if (wouldMoveCount > 0) {
+                        nextActions.push(`Re-run with --apply to move ${wouldMoveCount} top-level session dir(s) to .peaks/_runtime/; ${wouldSkipCount} already canonical.`);
+                    }
+                    else if (wouldSkipCount > 0) {
+                        nextActions.push(`All ${wouldSkipCount} top-level session dir(s) are already canonical — no moves needed.`);
+                    }
+                    const f15Count = plans.filter((p) => p.action === 'f15-conflict-project-scan').length;
+                    if (f15Count > 0) {
+                        nextActions.push(`${f15Count} F15 carve-out conflict(s) (rd/project-scan.md differs from runtime copy) — see response.`);
+                    }
+                }
+            }
             if (apply) {
                 if (result.moved.length > 0) {
                     nextActions.push(`Migrated ${result.moved.length} file(s) into .peaks/retrospective/.`);

package/dist/src/cli/program.js

@@ -17,7 +17,10 @@ import { registerScanCommands } from './commands/scan-commands.js';
 import { registerShadcnCommands } from './commands/shadcn-commands.js';
 import { registerSliceCommands } from './commands/slice-commands.js';
 import { registerSopCommands } from './commands/sop-commands.js';
+import { registerSubAgentCommands } from './commands/sub-agent-commands.js';
+import { registerSubAgentDispatchGuard } from './commands/sub-agent-dispatch-guard.js';
 import { registerGateCommands } from './commands/gate-commands.js';
+import { registerHookHandleCommand } from './commands/hook-handle.js';
 import { registerHooksCommands } from './commands/hooks-commands.js';
 import { registerStatusLineCommands } from './commands/statusline-commands.js';
 import { registerUnderstandCommands } from './commands/understand-commands.js';
@@ -92,7 +95,13 @@ Run peaks (no arguments) for a quickstart. You likely want one of:
     registerShadcnCommands(program, io);
     registerSliceCommands(program, io);
     registerSopCommands(program, io);
+    registerSubAgentCommands(program, io);
+    // Slice #010 G9.5: register the hook-only internal atom. Hidden from
+    // `peaks --help` (no description text); used by `peaks hooks install`
+    // to wire the PreToolUse hook chain.
+    registerSubAgentDispatchGuard(program);
     registerGateCommands(program, io);
+    registerHookHandleCommand(program, io);
     registerHooksCommands(program, io);
     registerStatusLineCommands(program, io);
     registerUnderstandCommands(program, io);

package/dist/src/hooks/pre-tool-use-sub-agent.d.ts

@@ -0,0 +1,28 @@
+import { type HookGuardResult } from '../cli/commands/sub-agent-dispatch-guard.js';
+/**
+ * Read the prompt size from the LLM platform's hook stdin. Different
+ * LLMs send different payload shapes; we accept the most common:
+ *   - Claude Code: `{"tool_name": "Bash", "tool_input": {"command": "..."}}`
+ *   - Trae: `{"tool_name": "terminal", "tool_input": {"command": "..."}}`
+ *
+ * The hook reads the `command` (or `prompt`) field and computes the
+ * byte length. If neither field is present, returns 0 (always passes).
+ */
+export declare function readPromptSizeFromHookStdin(stdin: unknown): number;
+/**
+ * Execute the hook guard via spawnSync. Returns the parsed result or
+ * a fallback (allow: true) on subprocess failure.
+ *
+ * Prefer the in-process `evaluateHookGuard` (no subprocess) when the
+ * hook is called from a TypeScript context. Use `runHookGuardSubprocess`
+ * only when the hook needs to be invoked from a non-TypeScript caller
+ * (e.g. a shell script that wraps the peaks CLI).
+ */
+export declare function runHookGuardSubprocess(prompt: string): HookGuardResult;
+/**
+ * Main entry point for the hook. Reads the LLM platform's stdin,
+ * computes the prompt size, and returns the guard result. Used by
+ * the LLM platform's hook JSON to decide whether to allow the tool
+ * call.
+ */
+export declare function runHookGuard(stdin: unknown): HookGuardResult;

package/dist/src/hooks/pre-tool-use-sub-agent.js

@@ -0,0 +1,105 @@
+/**
+ * G9.5 PreToolUse hook execution body.
+ *
+ * Wraps `peaks sub-agent-dispatch-guard` for LLM platform integration.
+ * The hook reads the prompt size from the LLM platform's hook stdin
+ * (Claude Code / Trae / etc.), invokes the guard CLI, and returns
+ * `{allow: true/false, reason, suggest}` JSON to the LLM platform.
+ *
+ * The hook is registered via `peaks hooks install` in the LLM
+ * platform's `settings.json` `PreToolUse` array. Only IDEs with
+ * `IdeAdapter.promptSizeAware: true` get the hook installed.
+ *
+ * The hook layer is the **strictest** layer in the G9 chain (RL-30).
+ * The CLI 兜底 layer (`peaks sub-agent dispatch --force`) can override
+ * the 80% threshold; the hook layer CANNOT.
+ */
+import { spawnSync } from 'node:child_process';
+import { evaluateHookGuard } from '../cli/commands/sub-agent-dispatch-guard.js';
+/**
+ * Read the prompt size from the LLM platform's hook stdin. Different
+ * LLMs send different payload shapes; we accept the most common:
+ *   - Claude Code: `{"tool_name": "Bash", "tool_input": {"command": "..."}}`
+ *   - Trae: `{"tool_name": "terminal", "tool_input": {"command": "..."}}`
+ *
+ * The hook reads the `command` (or `prompt`) field and computes the
+ * byte length. If neither field is present, returns 0 (always passes).
+ */
+export function readPromptSizeFromHookStdin(stdin) {
+    if (stdin === null || typeof stdin !== 'object') {
+        return 0;
+    }
+    const obj = stdin;
+    const toolInput = obj.tool_input;
+    if (toolInput === null || typeof toolInput !== 'object') {
+        return 0;
+    }
+    const ti = toolInput;
+    const candidates = ['command', 'prompt', 'text', 'input'];
+    for (const key of candidates) {
+        const v = ti[key];
+        if (typeof v === 'string') {
+            return Buffer.byteLength(v, 'utf8');
+        }
+    }
+    return 0;
+}
+/**
+ * Execute the hook guard via spawnSync. Returns the parsed result or
+ * a fallback (allow: true) on subprocess failure.
+ *
+ * Prefer the in-process `evaluateHookGuard` (no subprocess) when the
+ * hook is called from a TypeScript context. Use `runHookGuardSubprocess`
+ * only when the hook needs to be invoked from a non-TypeScript caller
+ * (e.g. a shell script that wraps the peaks CLI).
+ */
+export function runHookGuardSubprocess(prompt) {
+    const result = spawnSync('node', [
+        process.argv[1] ?? 'peaks',
+        'sub-agent-dispatch-guard',
+        '--prompt', prompt,
+        '--json'
+    ], { encoding: 'utf8' });
+    if (result.status !== 0) {
+        // Fallback: allow (don't block the dispatch on a guard subprocess failure).
+        return {
+            schema: 'peaks-hook-guard/v1',
+            allow: true,
+            code: 'OK',
+            reason: `guard subprocess failed (status ${result.status}); falling through`,
+            suggest: null,
+            tier: 'ok',
+            ratio: 0,
+            bytesUsed: 0,
+            capacityBytes: 0,
+            warnings: ['HOOK_GUARD_SUBPROCESS_FAILED']
+        };
+    }
+    try {
+        return JSON.parse(result.stdout);
+    }
+    catch {
+        return {
+            schema: 'peaks-hook-guard/v1',
+            allow: true,
+            code: 'OK',
+            reason: 'guard subprocess produced unparseable JSON; falling through',
+            suggest: null,
+            tier: 'ok',
+            ratio: 0,
+            bytesUsed: 0,
+            capacityBytes: 0,
+            warnings: ['HOOK_GUARD_SUBPROCESS_INVALID_JSON']
+        };
+    }
+}
+/**
+ * Main entry point for the hook. Reads the LLM platform's stdin,
+ * computes the prompt size, and returns the guard result. Used by
+ * the LLM platform's hook JSON to decide whether to allow the tool
+ * call.
+ */
+export function runHookGuard(stdin) {
+    const promptSize = readPromptSizeFromHookStdin(stdin);
+    return evaluateHookGuard(promptSize);
+}

package/dist/src/services/artifacts/artifact-prerequisites.d.ts

@@ -37,6 +37,18 @@ export type CheckPrerequisitesOptions = {
      * on-disk path now agree on the same top-level dir.
      */
     changeId: string;
+    /**
+     * Session binding (the developer's local session that wrote the
+     * request artifact). Read from the file body's `- session:` line.
+     * Optional, but when present the gate falls back to
+     * `.peaks/_runtime/<sid>/<role>/` and then `.peaks/<sid>/<role>/`
+     * for prerequisite artifacts that don't exist at the per-change-id
+     * path. This mirrors the F1/F2 back-compat pattern (read new path
+     * first, then legacy) and keeps the gate working for users whose
+     * QA / tech-doc / initiated artifacts still live under the session
+     * dir rather than under the change-id dir.
+     */
+    sessionId?: string;
     role: RequestArtifactRole;
     newState: RequestArtifactState;
     requestId: string;

package/dist/src/services/artifacts/artifact-prerequisites.js

@@ -162,17 +162,25 @@ export async function checkPrerequisites(options) {
     if (requirements.length === 0) {
         return { ok: true, missing: [] };
     }
-    // As of slice 2026-06-05-change-id-as-unit-of-work, the prerequisite
-    // gate resolves paths under `.peaks/<changeId>/<role>/...` where the
-    // changeId is the file's durable scope (the top-level dir the file
-    // lives in), NOT the body's `- session:` line. The body and the path
-    // can now disagree (e.g. a request written in one session but read
-    // across sessions), and the gate follows the on-disk location.
-    const changeRoot = join(options.projectRoot, '.peaks', options.changeId);
+    // Slice 006 simplifies the resolution to a 2-tier fallback. The
+    // per-change-id scope (`.peaks/<changeId>/<role>/`) is gone — new
+    // artifacts go to the session dir directly. The 2 tiers are:
+    //   1. `.peaks/_runtime/<sid>/<role>/...` (post-F3 canonical
+    //      session home; primary).
+    //   2. `.peaks/<sid>/<role>/...` (pre-F3 legacy session home;
+    //      back-compat).
+    // The changeId is preserved in the artifact body's frontmatter for
+    // human navigation; it is no longer a filesystem path key.
+    const canonicalSessionRoot = options.sessionId !== undefined
+        ? join(options.projectRoot, '.peaks', '_runtime', options.sessionId)
+        : null;
+    const legacySessionRoot = options.sessionId !== undefined
+        ? join(options.projectRoot, '.peaks', options.sessionId)
+        : null;
     const missing = [];
     for (const prerequisite of requirements) {
         const relative = resolvePrerequisitePath(prerequisite, options.requestId);
-        const absolute = await resolvePrerequisiteAbsolutePath(changeRoot, prerequisite, options.requestId);
+        const absolute = await resolvePrerequisiteAbsolutePathWithFallback(canonicalSessionRoot, legacySessionRoot, prerequisite, options.requestId);
         if (absolute === null) {
             missing.push({ path: relative, description: prerequisite.description });
             continue;
@@ -202,3 +210,26 @@ export async function checkPrerequisites(options) {
     }
     return { ok: missing.length === 0, missing };
 }
+/**
+ * Resolve a prerequisite to an on-disk path, with a 2-tier fallback
+ * (slice 006 — the per-change-id tier was dropped because per-change-id
+ * dirs are no longer created):
+ *   1. `<canonicalSessionRoot>/<relative>` (post-F3 canonical session
+ *      home, when `canonicalSessionRoot` is provided).
+ *   2. `<legacySessionRoot>/<relative>` (pre-F3 legacy session home,
+ *      when `legacySessionRoot` is provided).
+ * Tolerates the numbered filename prefix that `request init` writes
+ * (e.g. `001-<rid>.md`) at every tier. Returns the matched absolute
+ * path, or null when nothing matches.
+ */
+async function resolvePrerequisiteAbsolutePathWithFallback(canonicalSessionRoot, legacySessionRoot, prerequisite, requestId) {
+    const roots = [canonicalSessionRoot, legacySessionRoot];
+    for (const root of roots) {
+        if (root === null)
+            continue;
+        const found = await resolvePrerequisiteAbsolutePath(root, prerequisite, requestId);
+        if (found !== null)
+            return found;
+    }
+    return null;
+}