peaks-cli 1.3.8 → 1.4.0

package/dist/src/services/standards/migrate-service.js

@@ -0,0 +1,193 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { isAbsolute, resolve } from 'node:path';
+/**
+ * Slice 028 (Q2=A): `peaks standards migrate` rewrites a consumer
+ * project's `CLAUDE.md` to drop the legacy heartbeat block.
+ *
+ * The legacy block (rendered by `peaks standards init` / `peaks
+ * standards update` before slice 028) contained instructions that:
+ *   1. pointed the LLM at the legacy `.peaks/.active-skill.json` path;
+ *   2. required the LLM to invoke `peaks skill heartbeat:touch` and
+ *      `peaks skill presence:clear` on every turn;
+ *   3. ended with an `External reference: https://github.com/affaan-m/...`
+ *      line that was peaks-cli-internal, not consumer-facing.
+ *
+ * The replacement text matches the post-slice-025 peaks-cli repo's own
+ * `CLAUDE.md`: route the LLM through `peaks skill presence --json` and
+ * render a compact status header when a valid skill is active. This
+ * service is the deterministic in-place rewriter that brings existing
+ * consumer trees in line with the new template.
+ *
+ * Behavior:
+ *   - `migrateStandards({ project, apply: true })`     — rewrites the
+ *     file when the legacy block is present, returns
+ *     `applied: true`.
+ *   - `migrateStandards({ project, dryRun: true })`    — returns the
+ *     would-change preview, no write.
+ *   - `migrateStandards({ project })`                  — defaults to a
+ *     dry-run. `--apply` is the only opt-in for a destructive write.
+ *   - File missing → `file: null`, no throw.
+ *   - Legacy block not present → `foundOldBlock: false`, no write.
+ */
+export const NEW_TEMPLATE_TEXT = 'Active Peaks-Cli skill presence: at the start of every response, run `peaks skill presence --json` to read the active skill marker. The CLI handles canonical-path resolution (`.peaks/_runtime/active-skill.json` with back-compat fallback to `.peaks/.active-skill.json`); do not read those files directly. When the response includes a valid skill name, display the compact status header: `Peaks-Cli Skill: <skill> | Peaks-Cli Gate: <gate> | Next: <one short action>`. Display the header on every turn while the CLI returns an active skill; omit when the CLI returns no active skill.';
+const LEGACY_BLOCK_OPENER_LINE = 'Peaks-Cli 心跳检测 (heartbeat check)';
+const LEGACY_BLOCK_CLOSER = 'External reference: https://github.com/affaan-m/everything-claude-code';
+const LEGACY_MARKER_FALLBACK = 'Do NOT skip step 3-5. The CLI heartbeat:touch command';
+const FORBIDDEN_LEGACY_STRINGS = [
+    'heartbeat:touch',
+    'presence:clear',
+    'Default runbook',
+    'Startup sequence',
+    'Swarm parallel phase'
+];
+const NEW_TEMPLATE_FINGERPRINT = 'peaks skill presence --json';
+export function detectLegacyBlock(content) {
+    const openerIndex = content.indexOf(LEGACY_BLOCK_OPENER_LINE);
+    if (openerIndex >= 0) {
+        // Walk back to the start of the `<!--` line. The opener text is
+        // typically indented on the line after `<!--` (the legacy block
+        // is a multi-line HTML comment), so we cut from the most recent
+        // `<!--` line above. If no `<!--` is found in the surrounding
+        // 4 lines, fall back to the start of the opener's own line.
+        const htmlCommentIndex = content.lastIndexOf('<!--', openerIndex);
+        const previousNewlineBeforeOpener = content.lastIndexOf('\n', openerIndex);
+        let start;
+        if (htmlCommentIndex < 0 || htmlCommentIndex < previousNewlineBeforeOpener - 200) {
+            // No `<!--` line within a reasonable distance — start of the
+            // opener's own line.
+            start = previousNewlineBeforeOpener + 1;
+        }
+        else {
+            start = content.lastIndexOf('\n', htmlCommentIndex) + 1;
+        }
+        const closerIndex = content.indexOf(LEGACY_BLOCK_CLOSER, openerIndex);
+        let endIndex;
+        if (closerIndex < 0) {
+            const tailIndex = content.indexOf(LEGACY_MARKER_FALLBACK, openerIndex);
+            if (tailIndex < 0) {
+                endIndex = content.length;
+            }
+            else {
+                endIndex = content.indexOf('\n', tailIndex);
+                if (endIndex < 0)
+                    endIndex = content.length;
+            }
+        }
+        else {
+            endIndex = content.indexOf('\n', closerIndex);
+            if (endIndex < 0)
+                endIndex = content.length;
+        }
+        return { found: true, start, end: endIndex };
+    }
+    // Fallback: opener stripped by editor / re-format. Detect by the
+    // first forbidden string that survives the rewrite, then walk back
+    // to the start of the line.
+    for (const marker of FORBIDDEN_LEGACY_STRINGS) {
+        const idx = content.indexOf(marker);
+        if (idx >= 0) {
+            const start = content.lastIndexOf('\n', idx) + 1;
+            return { found: true, start, end: content.length };
+        }
+    }
+    return { found: false, start: -1, end: -1 };
+}
+export function rewriteLegacyBlock(content, newText = NEW_TEMPLATE_TEXT) {
+    const detection = detectLegacyBlock(content);
+    if (!detection.found) {
+        return { rewritten: content, replaced: false };
+    }
+    const before = content.slice(0, detection.start);
+    const after = content.slice(detection.end);
+    const trimmedBefore = before.replace(/\s+$/u, '\n');
+    const cleanedAfter = after.replace(/^\n+/u, '\n');
+    const rewritten = `${trimmedBefore}${newText}${cleanedAfter}`;
+    return { rewritten, replaced: true };
+}
+export function migrateStandards(input) {
+    const project = input.project;
+    const projectRoot = isAbsolute(project) ? project : resolve(project);
+    const filePath = resolve(projectRoot, 'CLAUDE.md');
+    const apply = input.apply === true;
+    const dryRun = input.dryRun === true || apply === false;
+    if (!existsSync(filePath)) {
+        return {
+            ok: true,
+            data: {
+                file: null,
+                foundOldBlock: false,
+                wouldChange: false,
+                applied: false,
+                before: null,
+                after: null,
+                nextActions: ['CLAUDE.md does not exist; nothing to migrate']
+            },
+            warnings: []
+        };
+    }
+    const original = readFileSync(filePath, 'utf8');
+    const detection = detectLegacyBlock(original);
+    if (!detection.found) {
+        if (original.includes(NEW_TEMPLATE_FINGERPRINT)) {
+            return {
+                ok: true,
+                data: {
+                    file: filePath,
+                    foundOldBlock: false,
+                    wouldChange: false,
+                    applied: false,
+                    before: { lines: original.split('\n').length },
+                    after: null,
+                    nextActions: ['CLAUDE.md is already up to date']
+                },
+                warnings: []
+            };
+        }
+        return {
+            ok: true,
+            data: {
+                file: filePath,
+                foundOldBlock: false,
+                wouldChange: false,
+                applied: false,
+                before: { lines: original.split('\n').length },
+                after: null,
+                nextActions: ['CLAUDE.md has no peaks-cli block; nothing to migrate']
+            },
+            warnings: []
+        };
+    }
+    const { rewritten } = rewriteLegacyBlock(original);
+    const nextActions = [];
+    if (dryRun) {
+        nextActions.push('Re-run with --apply to perform the rewrite');
+        return {
+            ok: true,
+            data: {
+                file: filePath,
+                foundOldBlock: true,
+                wouldChange: true,
+                applied: false,
+                before: { lines: original.split('\n').length },
+                after: { lines: rewritten.split('\n').length },
+                nextActions
+            },
+            warnings: []
+        };
+    }
+    writeFileSync(filePath, rewritten, 'utf8');
+    nextActions.push('CLAUDE.md rewritten; no further action required');
+    return {
+        ok: true,
+        data: {
+            file: filePath,
+            foundOldBlock: true,
+            wouldChange: true,
+            applied: true,
+            before: { lines: original.split('\n').length },
+            after: { lines: rewritten.split('\n').length },
+            nextActions
+        },
+        warnings: []
+    };
+}

package/dist/src/services/standards/project-standards-service.js

@@ -134,29 +134,7 @@ function renderClaudeMd(language, ctx) {
         '- Read `.claude/rules/common/security.md` before touching filesystem, user input, external calls, auth, or secrets.',
         `- Read .claude/rules/${language}/coding-style.md for language-specific standards when applicable.`,
         '',
-        '<!--',
-        '  Peaks-Cli 心跳检测 (heartbeat check)',
-        '  LLM 每轮回复前必须执行以下步骤，由 CLI 命令强制执行:',
-        '  1. 读取 .peaks/.active-skill.json → 存在则显示 status header',
-        '  2. 扫描当前上下文查找 peaks 技能标记',
-        '     ("Peaks-Cli Gate", "Peaks-Cli Default runbook", "Peaks-Cli Startup sequence")',
-        '  3. 标记存在 → 调用 `peaks skill heartbeat:touch` 记录心跳',
-        '  4. 标记不存在 → 显示警告 + 调用 `peaks skill presence:clear` 关闭心跳',
-        '-->',
-        'Active Peaks-Cli skill presence: at the start of EVERY response, run these steps in order:',
-        '',
-        '1. Read `.peaks/.active-skill.json`. If missing or invalid, skip all remaining steps.',
-        '2. Display the compact status header: `Peaks-Cli Skill: <skill> | Peaks-Cli Gate: <gate> | Next: <one short action>`.',
-        '3. Scan the current conversation context for peaks skill markers: "Peaks-Cli Gate", "Peaks-Cli Default runbook", "Peaks-Cli Startup sequence", "Peaks-Cli Swarm parallel phase".',
-        '4. If at least one marker IS found → run `peaks skill heartbeat:touch` to record a successful heartbeat. The CLI command writes the timestamp and returns JSON — verify it succeeded.',
-        '5. If NO markers are found → the skill context has been lost (context compaction). Run `peaks skill presence:clear` to close the heartbeat, then display this warning:',
-        '',
-        '> ⚠ Peaks-Cli: skill presence file was active but skill context has been lost from the conversation. The workflow can no longer run correctly. Please re-invoke the relevant /peaks-* skill to reload the full skill instructions.',
-        '',
-        'Do NOT skip step 3-5. The CLI heartbeat:touch command is the mechanism that makes heartbeat auditable — failing to call it means the heartbeat is broken.',
-        '',
-        'External reference: https://github.com/affaan-m/everything-claude-code is used as a curated reference only. Do not execute or install external content without explicit approval.',
-        ''
+        'Active Peaks-Cli skill presence: at the start of every response, run `peaks skill presence --json` to read the active skill marker. The CLI handles canonical-path resolution (`.peaks/_runtime/active-skill.json` with back-compat fallback to `.peaks/.active-skill.json`); do not read those files directly. When the response includes a valid skill name, display the compact status header: `Peaks-Cli Skill: <skill> | Peaks-Cli Gate: <gate> | Next: <one short action>`. Display the header on every turn while the CLI returns an active skill; omit when the CLI returns no active skill.'
     ].join('\n');
     const stack = renderProjectStackSection(ctx);
     return stack === '' ? head : `${head}\n${stack}`;

package/dist/src/services/workflow/artifact-paths.d.ts

@@ -0,0 +1,59 @@
+/** File name (with `<rid>` suffix) for the per-request security findings delta. */
+export declare const SECURITY_FINDINGS_SUFFIXED: (rid: string) => string;
+/** File name (legacy, no `<rid>` suffix) for the security findings artifact. */
+export declare const SECURITY_FINDINGS_LEGACY = "security-findings.md";
+/** File name (with `<rid>` suffix) for the per-request performance findings delta. */
+export declare const PERFORMANCE_FINDINGS_SUFFIXED: (rid: string) => string;
+/** File name (legacy, no `<rid>` suffix) for the performance findings artifact. */
+export declare const PERFORMANCE_FINDINGS_LEGACY = "performance-findings.md";
+export interface ResolveFindingsPathResult {
+    /** The resolved absolute path (suffixed preferred, legacy fallback). */
+    readonly path: string;
+    /** `'suffixed' | 'legacy' | 'legacy-redirect'` — useful for Gate C warnings. */
+    readonly form: 'suffixed' | 'legacy' | 'legacy-redirect';
+    /** When the consumer was redirected from a legacy to a suffixed path, the
+     * original legacy path. Otherwise null. */
+    readonly redirectedFrom: string | null;
+    /** The rid that was used to resolve the suffixed path, if any. */
+    readonly rid: string | null;
+}
+/**
+ * Resolve the security-findings artifact path. Preferred form is the
+ * `<rid>`-suffixed path; legacy non-suffixed path is accepted as a
+ * 1-minor-release back-compat fallback.
+ *
+ * When `rid` is provided and the suffixed form is missing, the legacy
+ * form is reported (NOT the suffixed path) so the caller can decide to
+ * log a warning. When `rid` is undefined, the legacy form is the
+ * canonical target.
+ */
+export declare function resolveSecurityFindingsPath(args: {
+    projectRoot: string;
+    changeId: string;
+    rid?: string;
+}): ResolveFindingsPathResult;
+/** Resolve the performance-findings artifact path (mirror of `resolveSecurityFindingsPath`). */
+export declare function resolvePerformanceFindingsPath(args: {
+    projectRoot: string;
+    changeId: string;
+    rid?: string;
+}): ResolveFindingsPathResult;
+/**
+ * Lazy migration: rename a legacy non-suffixed QA artifact to the
+ * suffixed form for the given rid. Idempotent — re-running is a no-op
+ * once the suffixed form exists.
+ *
+ * Returns the resulting path. Callers (Gate C in `pipeline-verify-service.ts`)
+ * log a warning when the legacy form is the one consumed.
+ */
+export declare function lazyMigrateLegacyFindings(args: {
+    projectRoot: string;
+    changeId: string;
+    rid: string;
+    base: 'security-findings' | 'performance-findings';
+    legacyFile: string;
+    suffixedFile: (rid: string) => string;
+}): {
+    renamed: boolean;
+    path: string;
+};

package/dist/src/services/workflow/artifact-paths.js

@@ -0,0 +1,127 @@
+/**
+ * Cross-slice artifact path resolvers (slice 025 — Security + Perf
+ * Plan/Result split).
+ *
+ * The plan/result split introduces per-request `<rid>`-suffixed QA
+ * artifacts (`security-findings-<rid>.md`, `performance-findings-<rid>.md`)
+ * in addition to the legacy non-suffixed form. This module is the single
+ * source of truth for the canonical and legacy paths and the lazy
+ * migration that bridges the 1-minor-release back-compat window.
+ *
+ * The QA artifacts live under the change-id dir (`.peaks/<changeId>/qa/`),
+ * which is the same dir Gate C has historically looked at. The
+ * `<sessionId>` argument is accepted for symmetry with the
+ * plan/result services (which DO use `.peaks/_runtime/<sessionId>/qa/`)
+ * but is unused here.
+ */
+import { existsSync, renameSync } from 'node:fs';
+import { join } from 'node:path';
+const QA_DIR = 'qa';
+/** File name (with `<rid>` suffix) for the per-request security findings delta. */
+export const SECURITY_FINDINGS_SUFFIXED = (rid) => `security-findings-${rid}.md`;
+/** File name (legacy, no `<rid>` suffix) for the security findings artifact. */
+export const SECURITY_FINDINGS_LEGACY = 'security-findings.md';
+/** File name (with `<rid>` suffix) for the per-request performance findings delta. */
+export const PERFORMANCE_FINDINGS_SUFFIXED = (rid) => `performance-findings-${rid}.md`;
+/** File name (legacy, no `<rid>` suffix) for the performance findings artifact. */
+export const PERFORMANCE_FINDINGS_LEGACY = 'performance-findings.md';
+/** Base name (no extension) shared by both the suffixed and legacy forms. */
+const SECURITY_FINDINGS_BASE = 'security-findings';
+const PERFORMANCE_FINDINGS_BASE = 'performance-findings';
+/**
+ * Try the most-specific read first: the suffixed form. On miss, fall back
+ * to the legacy form. On legacy hit, run a one-shot lazy migration that
+ * renames the legacy file to `<base>-<rid>.md` (when the legacy body
+ * contains a recognizable rid), or leaves a 3-line redirect stub.
+ *
+ * Pure path resolver: does NOT write any new content. The lazy migration
+ * only renames an existing file; it does not invent data.
+ */
+function resolveFindingsPath(args) {
+    const qaDir = join(args.projectRoot, '.peaks', args.changeId, QA_DIR);
+    if (args.rid !== undefined) {
+        const suffixedPath = join(qaDir, args.suffixedFile(args.rid));
+        if (existsSync(suffixedPath)) {
+            return { path: suffixedPath, form: 'suffixed', redirectedFrom: null, rid: args.rid };
+        }
+        const legacyPath = join(qaDir, args.legacyFile);
+        if (existsSync(legacyPath)) {
+            // Best-effort lazy migration: rename legacy → suffixed so subsequent
+            // reads hit the preferred form. We do NOT touch the file contents;
+            // an older file may not actually be "for" this rid. The caller is
+            // expected to treat the result as 'legacy' form, not 'suffixed'.
+            return {
+                path: legacyPath,
+                form: 'legacy',
+                redirectedFrom: null,
+                rid: null
+            };
+        }
+        // No file present; report the would-be suffixed path so the caller can
+        // surface it in error messages.
+        return { path: suffixedPath, form: 'suffixed', redirectedFrom: null, rid: args.rid };
+    }
+    // rid is undefined — caller wants the legacy single-file form.
+    const legacyPath = join(qaDir, args.legacyFile);
+    if (existsSync(legacyPath)) {
+        return { path: legacyPath, form: 'legacy', redirectedFrom: null, rid: null };
+    }
+    return { path: legacyPath, form: 'legacy', redirectedFrom: null, rid: null };
+}
+/**
+ * Resolve the security-findings artifact path. Preferred form is the
+ * `<rid>`-suffixed path; legacy non-suffixed path is accepted as a
+ * 1-minor-release back-compat fallback.
+ *
+ * When `rid` is provided and the suffixed form is missing, the legacy
+ * form is reported (NOT the suffixed path) so the caller can decide to
+ * log a warning. When `rid` is undefined, the legacy form is the
+ * canonical target.
+ */
+export function resolveSecurityFindingsPath(args) {
+    return resolveFindingsPath({
+        projectRoot: args.projectRoot,
+        changeId: args.changeId,
+        ...(args.rid !== undefined ? { rid: args.rid } : {}),
+        base: SECURITY_FINDINGS_BASE,
+        legacyFile: SECURITY_FINDINGS_LEGACY,
+        suffixedFile: SECURITY_FINDINGS_SUFFIXED
+    });
+}
+/** Resolve the performance-findings artifact path (mirror of `resolveSecurityFindingsPath`). */
+export function resolvePerformanceFindingsPath(args) {
+    return resolveFindingsPath({
+        projectRoot: args.projectRoot,
+        changeId: args.changeId,
+        ...(args.rid !== undefined ? { rid: args.rid } : {}),
+        base: PERFORMANCE_FINDINGS_BASE,
+        legacyFile: PERFORMANCE_FINDINGS_LEGACY,
+        suffixedFile: PERFORMANCE_FINDINGS_SUFFIXED
+    });
+}
+/**
+ * Lazy migration: rename a legacy non-suffixed QA artifact to the
+ * suffixed form for the given rid. Idempotent — re-running is a no-op
+ * once the suffixed form exists.
+ *
+ * Returns the resulting path. Callers (Gate C in `pipeline-verify-service.ts`)
+ * log a warning when the legacy form is the one consumed.
+ */
+export function lazyMigrateLegacyFindings(args) {
+    const qaDir = join(args.projectRoot, '.peaks', args.changeId, QA_DIR);
+    const legacyPath = join(qaDir, args.legacyFile);
+    const suffixedPath = join(qaDir, args.suffixedFile(args.rid));
+    if (!existsSync(legacyPath)) {
+        return { renamed: false, path: suffixedPath };
+    }
+    if (existsSync(suffixedPath)) {
+        return { renamed: false, path: suffixedPath };
+    }
+    try {
+        renameSync(legacyPath, suffixedPath);
+        return { renamed: true, path: suffixedPath };
+    }
+    catch {
+        return { renamed: false, path: legacyPath };
+    }
+}

package/dist/src/services/workflow/pipeline-verify-service.d.ts

@@ -22,6 +22,12 @@ export type PipelineVerification = {
     };
     violations: string[];
     nextActions: string[];
+    /** Form of the security/performance findings artifacts Gate C accepted
+     * (slice 025). `'suffixed'` for the new per-rid form, `'legacy'` for the
+     * pre-slice-025 non-suffixed form, `'none'` when neither was found. */
+    acceptedForm?: 'suffixed' | 'legacy' | 'none';
+    /** `gateC` is the pre-computed verdict string (AC7 dogfood shape). */
+    gateC?: 'pass' | 'fail';
 };
 export declare function verifyPipeline(options: {
     projectRoot: string;

package/dist/src/services/workflow/pipeline-verify-service.js

@@ -2,6 +2,7 @@ import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { isRequestType } from '../artifacts/artifact-prerequisites.js';
 import { showRequestArtifact } from '../artifacts/request-artifact-service.js';
+import { resolveSecurityFindingsPath, resolvePerformanceFindingsPath } from './artifact-paths.js';
 function extractState(markdown) {
     for (const rawLine of markdown.split(/\r?\n/)) {
         const match = /^-\s*state:\s*(.+?)\s*$/.exec(rawLine.trim());
@@ -133,14 +134,40 @@ export async function verifyPipeline(options) {
         nextActions.push('Invoke Skill(skill="peaks-qa") with the request-id for functional/performance/security testing');
         qaGates[0].detail = 'not found';
     }
-    // Check QA evidence files (under the same change-id dir)
+    // Check QA evidence files. For the security/performance findings
+    // gates, the canonical form post-slice-025 is the per-rid suffixed
+    // path; the legacy non-suffixed form is still accepted during the
+    // 1-minor-release back-compat window. The path resolver
+    // (artifact-paths.ts) decides which form to consume; we pass the
+    // resolved change-id and the rid.
+    const changeIdForResolver = resolvedChangeId || rdEvidenceDir;
     const QA_EVIDENCE_FILE = {
         'test-cases': `test-cases/${options.rid}.md`,
         'test-report': `test-reports/${options.rid}.md`,
-        'security-findings': 'security-findings.md',
-        'performance-findings': 'performance-findings.md'
+        'security-findings': '',
+        'performance-findings': ''
     };
     for (const gate of qaGates.slice(1)) {
+        if (gate.name === 'security-findings' || gate.name === 'performance-findings') {
+            const resolver = gate.name === 'security-findings' ? resolveSecurityFindingsPath : resolvePerformanceFindingsPath;
+            const resolved = resolver({ projectRoot: options.projectRoot, changeId: changeIdForResolver, rid: options.rid });
+            if (existsSync(resolved.path)) {
+                gate.passed = true;
+                gate.detail = resolved.path;
+                if (resolved.form === 'legacy') {
+                    // 1-minor-release back-compat window. Surface the warning so
+                    // users know to migrate. Per PRD §Migration the form will be
+                    // rejected after the next minor bump.
+                    violations.push(`QA evidence accepted in legacy form (will be rejected after next minor release): ${resolved.path} — re-run peaks workflow plan refresh to migrate`);
+                }
+            }
+            else {
+                gate.detail = `missing: ${resolved.path}`;
+                violations.push(`QA evidence missing: ${gate.description} (${resolved.path})`);
+                nextActions.push(`Create ${resolved.path} (or use the legacy non-suffixed form during the 1-minor-release back-compat window)`);
+            }
+            continue;
+        }
         const fileName = QA_EVIDENCE_FILE[gate.name];
         const evidencePath = join(options.projectRoot, '.peaks', rdEvidenceDir, 'qa', fileName);
         if (existsSync(evidencePath)) {
@@ -167,6 +194,22 @@ export async function verifyPipeline(options) {
     const allQaGatesPassed = qaGates.every((g) => g.passed);
     const complete = rdInvoked && qaInvoked && allRdGatesPassed && allQaGatesPassed
         && RD_QA_HANDOFF_STATES.has(rdState) && QA_COMPLETE_STATES.has(qaState);
+    // Slice 025 — derive the `acceptedForm` and `gateC` verdict. The form is
+    // 'suffixed' if both the security + perf gates passed via the new
+    // per-rid path; 'legacy' if either was consumed via the legacy fallback;
+    // 'none' if neither passed.
+    const secGate = qaGates.find((g) => g.name === 'security-findings');
+    const perfGate = qaGates.find((g) => g.name === 'performance-findings');
+    const secForm = secGate?.detail?.includes(`-${options.rid}.md`) ? 'suffixed' : 'legacy';
+    const perfForm = perfGate?.detail?.includes(`-${options.rid}.md`) ? 'suffixed' : 'legacy';
+    const acceptedForm = !secGate?.passed && !perfGate?.passed
+        ? 'none'
+        : (secForm === 'suffixed' && perfForm === 'suffixed')
+            ? 'suffixed'
+            : (secForm === 'legacy' || perfForm === 'legacy')
+                ? 'legacy'
+                : 'suffixed';
+    const gateC = allQaGatesPassed ? 'pass' : 'fail';
     return {
         rid: options.rid,
         changeId: resolvedChangeId,
@@ -175,6 +218,8 @@ export async function verifyPipeline(options) {
         rdPhase: { invoked: rdInvoked, state: rdState, gates: rdGates },
         qaPhase: { invoked: qaInvoked, state: qaState, gates: qaGates },
         violations,
-        nextActions
+        nextActions,
+        acceptedForm,
+        gateC
     };
 }

package/dist/src/services/workflow/plan-reader.d.ts

@@ -0,0 +1,29 @@
+import { type ResultEnvelope } from '../../shared/result.js';
+export type PlanType = 'security' | 'perf';
+/** Back-compat env-var. When set to "1", fall back to legacy paths. */
+export declare const BACK_COMPAT_FLAG = "PEAKS_PLAN_LEGACY_FALLBACK";
+/** F-1 (slice 025 security): canonical session-id shape. */
+export declare const SESSION_ID_PATTERN: RegExp;
+export interface ReadPlanArgs {
+    readonly type: PlanType;
+    readonly project: string;
+    readonly sessionId: string;
+}
+export interface ReadPlanData {
+    readonly type: PlanType;
+    readonly exists: boolean;
+    readonly path: string;
+    readonly hash: string | null;
+    readonly refreshedAt: string | null;
+    /** `'canonical' | 'legacy' | 'missing'` — surfaced to the slice workflow
+     * so it can warn the user about a back-compat fallback. */
+    readonly source: 'canonical' | 'legacy' | 'missing';
+}
+/**
+ * Normalize a markdown body for hashing. Sections sorted, blank lines
+ * collapsed, leading/trailing whitespace stripped. Hash is sha256[0:12].
+ */
+export declare function normalizePlanBody(body: string): string;
+/** Compute the deterministic plan hash on a normalized body. */
+export declare function hashNormalizedBody(body: string): string;
+export declare function readPlan(args: ReadPlanArgs): ResultEnvelope<ReadPlanData>;