peaks-cli 1.3.9 → 1.4.0

package/dist/src/services/workflow/artifact-paths.d.ts

@@ -0,0 +1,59 @@
+/** File name (with `<rid>` suffix) for the per-request security findings delta. */
+export declare const SECURITY_FINDINGS_SUFFIXED: (rid: string) => string;
+/** File name (legacy, no `<rid>` suffix) for the security findings artifact. */
+export declare const SECURITY_FINDINGS_LEGACY = "security-findings.md";
+/** File name (with `<rid>` suffix) for the per-request performance findings delta. */
+export declare const PERFORMANCE_FINDINGS_SUFFIXED: (rid: string) => string;
+/** File name (legacy, no `<rid>` suffix) for the performance findings artifact. */
+export declare const PERFORMANCE_FINDINGS_LEGACY = "performance-findings.md";
+export interface ResolveFindingsPathResult {
+    /** The resolved absolute path (suffixed preferred, legacy fallback). */
+    readonly path: string;
+    /** `'suffixed' | 'legacy' | 'legacy-redirect'` — useful for Gate C warnings. */
+    readonly form: 'suffixed' | 'legacy' | 'legacy-redirect';
+    /** When the consumer was redirected from a legacy to a suffixed path, the
+     * original legacy path. Otherwise null. */
+    readonly redirectedFrom: string | null;
+    /** The rid that was used to resolve the suffixed path, if any. */
+    readonly rid: string | null;
+}
+/**
+ * Resolve the security-findings artifact path. Preferred form is the
+ * `<rid>`-suffixed path; legacy non-suffixed path is accepted as a
+ * 1-minor-release back-compat fallback.
+ *
+ * When `rid` is provided and the suffixed form is missing, the legacy
+ * form is reported (NOT the suffixed path) so the caller can decide to
+ * log a warning. When `rid` is undefined, the legacy form is the
+ * canonical target.
+ */
+export declare function resolveSecurityFindingsPath(args: {
+    projectRoot: string;
+    changeId: string;
+    rid?: string;
+}): ResolveFindingsPathResult;
+/** Resolve the performance-findings artifact path (mirror of `resolveSecurityFindingsPath`). */
+export declare function resolvePerformanceFindingsPath(args: {
+    projectRoot: string;
+    changeId: string;
+    rid?: string;
+}): ResolveFindingsPathResult;
+/**
+ * Lazy migration: rename a legacy non-suffixed QA artifact to the
+ * suffixed form for the given rid. Idempotent — re-running is a no-op
+ * once the suffixed form exists.
+ *
+ * Returns the resulting path. Callers (Gate C in `pipeline-verify-service.ts`)
+ * log a warning when the legacy form is the one consumed.
+ */
+export declare function lazyMigrateLegacyFindings(args: {
+    projectRoot: string;
+    changeId: string;
+    rid: string;
+    base: 'security-findings' | 'performance-findings';
+    legacyFile: string;
+    suffixedFile: (rid: string) => string;
+}): {
+    renamed: boolean;
+    path: string;
+};

package/dist/src/services/workflow/artifact-paths.js

@@ -0,0 +1,127 @@
+/**
+ * Cross-slice artifact path resolvers (slice 025 — Security + Perf
+ * Plan/Result split).
+ *
+ * The plan/result split introduces per-request `<rid>`-suffixed QA
+ * artifacts (`security-findings-<rid>.md`, `performance-findings-<rid>.md`)
+ * in addition to the legacy non-suffixed form. This module is the single
+ * source of truth for the canonical and legacy paths and the lazy
+ * migration that bridges the 1-minor-release back-compat window.
+ *
+ * The QA artifacts live under the change-id dir (`.peaks/<changeId>/qa/`),
+ * which is the same dir Gate C has historically looked at. The
+ * `<sessionId>` argument is accepted for symmetry with the
+ * plan/result services (which DO use `.peaks/_runtime/<sessionId>/qa/`)
+ * but is unused here.
+ */
+import { existsSync, renameSync } from 'node:fs';
+import { join } from 'node:path';
+const QA_DIR = 'qa';
+/** File name (with `<rid>` suffix) for the per-request security findings delta. */
+export const SECURITY_FINDINGS_SUFFIXED = (rid) => `security-findings-${rid}.md`;
+/** File name (legacy, no `<rid>` suffix) for the security findings artifact. */
+export const SECURITY_FINDINGS_LEGACY = 'security-findings.md';
+/** File name (with `<rid>` suffix) for the per-request performance findings delta. */
+export const PERFORMANCE_FINDINGS_SUFFIXED = (rid) => `performance-findings-${rid}.md`;
+/** File name (legacy, no `<rid>` suffix) for the performance findings artifact. */
+export const PERFORMANCE_FINDINGS_LEGACY = 'performance-findings.md';
+/** Base name (no extension) shared by both the suffixed and legacy forms. */
+const SECURITY_FINDINGS_BASE = 'security-findings';
+const PERFORMANCE_FINDINGS_BASE = 'performance-findings';
+/**
+ * Try the most-specific read first: the suffixed form. On miss, fall back
+ * to the legacy form. On legacy hit, run a one-shot lazy migration that
+ * renames the legacy file to `<base>-<rid>.md` (when the legacy body
+ * contains a recognizable rid), or leaves a 3-line redirect stub.
+ *
+ * Pure path resolver: does NOT write any new content. The lazy migration
+ * only renames an existing file; it does not invent data.
+ */
+function resolveFindingsPath(args) {
+    const qaDir = join(args.projectRoot, '.peaks', args.changeId, QA_DIR);
+    if (args.rid !== undefined) {
+        const suffixedPath = join(qaDir, args.suffixedFile(args.rid));
+        if (existsSync(suffixedPath)) {
+            return { path: suffixedPath, form: 'suffixed', redirectedFrom: null, rid: args.rid };
+        }
+        const legacyPath = join(qaDir, args.legacyFile);
+        if (existsSync(legacyPath)) {
+            // Best-effort lazy migration: rename legacy → suffixed so subsequent
+            // reads hit the preferred form. We do NOT touch the file contents;
+            // an older file may not actually be "for" this rid. The caller is
+            // expected to treat the result as 'legacy' form, not 'suffixed'.
+            return {
+                path: legacyPath,
+                form: 'legacy',
+                redirectedFrom: null,
+                rid: null
+            };
+        }
+        // No file present; report the would-be suffixed path so the caller can
+        // surface it in error messages.
+        return { path: suffixedPath, form: 'suffixed', redirectedFrom: null, rid: args.rid };
+    }
+    // rid is undefined — caller wants the legacy single-file form.
+    const legacyPath = join(qaDir, args.legacyFile);
+    if (existsSync(legacyPath)) {
+        return { path: legacyPath, form: 'legacy', redirectedFrom: null, rid: null };
+    }
+    return { path: legacyPath, form: 'legacy', redirectedFrom: null, rid: null };
+}
+/**
+ * Resolve the security-findings artifact path. Preferred form is the
+ * `<rid>`-suffixed path; legacy non-suffixed path is accepted as a
+ * 1-minor-release back-compat fallback.
+ *
+ * When `rid` is provided and the suffixed form is missing, the legacy
+ * form is reported (NOT the suffixed path) so the caller can decide to
+ * log a warning. When `rid` is undefined, the legacy form is the
+ * canonical target.
+ */
+export function resolveSecurityFindingsPath(args) {
+    return resolveFindingsPath({
+        projectRoot: args.projectRoot,
+        changeId: args.changeId,
+        ...(args.rid !== undefined ? { rid: args.rid } : {}),
+        base: SECURITY_FINDINGS_BASE,
+        legacyFile: SECURITY_FINDINGS_LEGACY,
+        suffixedFile: SECURITY_FINDINGS_SUFFIXED
+    });
+}
+/** Resolve the performance-findings artifact path (mirror of `resolveSecurityFindingsPath`). */
+export function resolvePerformanceFindingsPath(args) {
+    return resolveFindingsPath({
+        projectRoot: args.projectRoot,
+        changeId: args.changeId,
+        ...(args.rid !== undefined ? { rid: args.rid } : {}),
+        base: PERFORMANCE_FINDINGS_BASE,
+        legacyFile: PERFORMANCE_FINDINGS_LEGACY,
+        suffixedFile: PERFORMANCE_FINDINGS_SUFFIXED
+    });
+}
+/**
+ * Lazy migration: rename a legacy non-suffixed QA artifact to the
+ * suffixed form for the given rid. Idempotent — re-running is a no-op
+ * once the suffixed form exists.
+ *
+ * Returns the resulting path. Callers (Gate C in `pipeline-verify-service.ts`)
+ * log a warning when the legacy form is the one consumed.
+ */
+export function lazyMigrateLegacyFindings(args) {
+    const qaDir = join(args.projectRoot, '.peaks', args.changeId, QA_DIR);
+    const legacyPath = join(qaDir, args.legacyFile);
+    const suffixedPath = join(qaDir, args.suffixedFile(args.rid));
+    if (!existsSync(legacyPath)) {
+        return { renamed: false, path: suffixedPath };
+    }
+    if (existsSync(suffixedPath)) {
+        return { renamed: false, path: suffixedPath };
+    }
+    try {
+        renameSync(legacyPath, suffixedPath);
+        return { renamed: true, path: suffixedPath };
+    }
+    catch {
+        return { renamed: false, path: legacyPath };
+    }
+}

package/dist/src/services/workflow/pipeline-verify-service.d.ts

@@ -22,6 +22,12 @@ export type PipelineVerification = {
     };
     violations: string[];
     nextActions: string[];
+    /** Form of the security/performance findings artifacts Gate C accepted
+     * (slice 025). `'suffixed'` for the new per-rid form, `'legacy'` for the
+     * pre-slice-025 non-suffixed form, `'none'` when neither was found. */
+    acceptedForm?: 'suffixed' | 'legacy' | 'none';
+    /** `gateC` is the pre-computed verdict string (AC7 dogfood shape). */
+    gateC?: 'pass' | 'fail';
 };
 export declare function verifyPipeline(options: {
     projectRoot: string;

package/dist/src/services/workflow/pipeline-verify-service.js

@@ -2,6 +2,7 @@ import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { isRequestType } from '../artifacts/artifact-prerequisites.js';
 import { showRequestArtifact } from '../artifacts/request-artifact-service.js';
+import { resolveSecurityFindingsPath, resolvePerformanceFindingsPath } from './artifact-paths.js';
 function extractState(markdown) {
     for (const rawLine of markdown.split(/\r?\n/)) {
         const match = /^-\s*state:\s*(.+?)\s*$/.exec(rawLine.trim());
@@ -133,14 +134,40 @@ export async function verifyPipeline(options) {
         nextActions.push('Invoke Skill(skill="peaks-qa") with the request-id for functional/performance/security testing');
         qaGates[0].detail = 'not found';
     }
-    // Check QA evidence files (under the same change-id dir)
+    // Check QA evidence files. For the security/performance findings
+    // gates, the canonical form post-slice-025 is the per-rid suffixed
+    // path; the legacy non-suffixed form is still accepted during the
+    // 1-minor-release back-compat window. The path resolver
+    // (artifact-paths.ts) decides which form to consume; we pass the
+    // resolved change-id and the rid.
+    const changeIdForResolver = resolvedChangeId || rdEvidenceDir;
     const QA_EVIDENCE_FILE = {
         'test-cases': `test-cases/${options.rid}.md`,
         'test-report': `test-reports/${options.rid}.md`,
-        'security-findings': 'security-findings.md',
-        'performance-findings': 'performance-findings.md'
+        'security-findings': '',
+        'performance-findings': ''
     };
     for (const gate of qaGates.slice(1)) {
+        if (gate.name === 'security-findings' || gate.name === 'performance-findings') {
+            const resolver = gate.name === 'security-findings' ? resolveSecurityFindingsPath : resolvePerformanceFindingsPath;
+            const resolved = resolver({ projectRoot: options.projectRoot, changeId: changeIdForResolver, rid: options.rid });
+            if (existsSync(resolved.path)) {
+                gate.passed = true;
+                gate.detail = resolved.path;
+                if (resolved.form === 'legacy') {
+                    // 1-minor-release back-compat window. Surface the warning so
+                    // users know to migrate. Per PRD §Migration the form will be
+                    // rejected after the next minor bump.
+                    violations.push(`QA evidence accepted in legacy form (will be rejected after next minor release): ${resolved.path} — re-run peaks workflow plan refresh to migrate`);
+                }
+            }
+            else {
+                gate.detail = `missing: ${resolved.path}`;
+                violations.push(`QA evidence missing: ${gate.description} (${resolved.path})`);
+                nextActions.push(`Create ${resolved.path} (or use the legacy non-suffixed form during the 1-minor-release back-compat window)`);
+            }
+            continue;
+        }
         const fileName = QA_EVIDENCE_FILE[gate.name];
         const evidencePath = join(options.projectRoot, '.peaks', rdEvidenceDir, 'qa', fileName);
         if (existsSync(evidencePath)) {
@@ -167,6 +194,22 @@ export async function verifyPipeline(options) {
     const allQaGatesPassed = qaGates.every((g) => g.passed);
     const complete = rdInvoked && qaInvoked && allRdGatesPassed && allQaGatesPassed
         && RD_QA_HANDOFF_STATES.has(rdState) && QA_COMPLETE_STATES.has(qaState);
+    // Slice 025 — derive the `acceptedForm` and `gateC` verdict. The form is
+    // 'suffixed' if both the security + perf gates passed via the new
+    // per-rid path; 'legacy' if either was consumed via the legacy fallback;
+    // 'none' if neither passed.
+    const secGate = qaGates.find((g) => g.name === 'security-findings');
+    const perfGate = qaGates.find((g) => g.name === 'performance-findings');
+    const secForm = secGate?.detail?.includes(`-${options.rid}.md`) ? 'suffixed' : 'legacy';
+    const perfForm = perfGate?.detail?.includes(`-${options.rid}.md`) ? 'suffixed' : 'legacy';
+    const acceptedForm = !secGate?.passed && !perfGate?.passed
+        ? 'none'
+        : (secForm === 'suffixed' && perfForm === 'suffixed')
+            ? 'suffixed'
+            : (secForm === 'legacy' || perfForm === 'legacy')
+                ? 'legacy'
+                : 'suffixed';
+    const gateC = allQaGatesPassed ? 'pass' : 'fail';
     return {
         rid: options.rid,
         changeId: resolvedChangeId,
@@ -175,6 +218,8 @@ export async function verifyPipeline(options) {
         rdPhase: { invoked: rdInvoked, state: rdState, gates: rdGates },
         qaPhase: { invoked: qaInvoked, state: qaState, gates: qaGates },
         violations,
-        nextActions
+        nextActions,
+        acceptedForm,
+        gateC
     };
 }

package/dist/src/services/workflow/plan-reader.d.ts

@@ -0,0 +1,29 @@
+import { type ResultEnvelope } from '../../shared/result.js';
+export type PlanType = 'security' | 'perf';
+/** Back-compat env-var. When set to "1", fall back to legacy paths. */
+export declare const BACK_COMPAT_FLAG = "PEAKS_PLAN_LEGACY_FALLBACK";
+/** F-1 (slice 025 security): canonical session-id shape. */
+export declare const SESSION_ID_PATTERN: RegExp;
+export interface ReadPlanArgs {
+    readonly type: PlanType;
+    readonly project: string;
+    readonly sessionId: string;
+}
+export interface ReadPlanData {
+    readonly type: PlanType;
+    readonly exists: boolean;
+    readonly path: string;
+    readonly hash: string | null;
+    readonly refreshedAt: string | null;
+    /** `'canonical' | 'legacy' | 'missing'` — surfaced to the slice workflow
+     * so it can warn the user about a back-compat fallback. */
+    readonly source: 'canonical' | 'legacy' | 'missing';
+}
+/**
+ * Normalize a markdown body for hashing. Sections sorted, blank lines
+ * collapsed, leading/trailing whitespace stripped. Hash is sha256[0:12].
+ */
+export declare function normalizePlanBody(body: string): string;
+/** Compute the deterministic plan hash on a normalized body. */
+export declare function hashNormalizedBody(body: string): string;
+export declare function readPlan(args: ReadPlanArgs): ResultEnvelope<ReadPlanData>;

package/dist/src/services/workflow/plan-reader.js

@@ -0,0 +1,158 @@
+/**
+ * `peaks workflow plan read` — slice 025 (Security + Perf Plan/Result split).
+ *
+ * Returns the envelope `{ exists, path, hash, refreshedAt }` for the
+ * session-scoped security-test-plan or perf-baseline plan. The hash is
+ * computed on the **normalized** body (sections sorted, blank lines
+ * collapsed) so it is independent of cosmetic re-ordering; mtime is
+ * surfaced as ISO-8601.
+ *
+ * Back-compat: when the BACK_COMPAT_FLAG env var is "1" and the
+ * legacy path (`.peaks/<planFile>` at the project root) exists but
+ * the canonical session path does not, the reader falls back to the
+ * legacy path and reports `source: "legacy"`.
+ */
+import { createHash } from 'node:crypto';
+import { existsSync, readFileSync, realpathSync, statSync } from 'node:fs';
+import { join, sep } from 'node:path';
+import { fail, ok } from '../../shared/result.js';
+import { getSessionDir } from '../session/getSessionDir.js';
+/** Back-compat env-var. When set to "1", fall back to legacy paths. */
+export const BACK_COMPAT_FLAG = 'PEAKS_PLAN_LEGACY_FALLBACK';
+/** F-1 (slice 025 security): canonical session-id shape. */
+export const SESSION_ID_PATTERN = /^\d{4}-\d{2}-\d{2}-[a-z][a-z0-9-]*[a-z0-9]$/;
+const PLAN_FILE = {
+    security: 'security-test-plan.md',
+    perf: 'perf-baseline.md'
+};
+/**
+ * Normalize a markdown body for hashing. Sections sorted, blank lines
+ * collapsed, leading/trailing whitespace stripped. Hash is sha256[0:12].
+ */
+export function normalizePlanBody(body) {
+    const lines = body
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0);
+    return lines.sort().join('\n');
+}
+/** Compute the deterministic plan hash on a normalized body. */
+export function hashNormalizedBody(body) {
+    const normalized = normalizePlanBody(body);
+    return createHash('sha256').update(normalized, 'utf8').digest('hex').slice(0, 12);
+}
+function canonicalPath(args) {
+    return join(getSessionDir(args.projectRoot, args.sessionId), 'qa', PLAN_FILE[args.type]);
+}
+function legacyPath(args) {
+    return join(args.projectRoot, '.peaks', PLAN_FILE[args.type]);
+}
+/** Build the data envelope for a path that exists. */
+function buildData(args) {
+    const stats = statSync(args.path);
+    return {
+        type: args.type,
+        exists: true,
+        path: args.path,
+        hash: hashNormalizedBody(readFileSync(args.path, 'utf8')),
+        refreshedAt: stats.mtime.toISOString(),
+        source: args.source
+    };
+}
+/**
+ * F-2 (slice 025 security): resolve symlinks and confirm the real path
+ * still lives under the expected base directory. A canonical path
+ * may itself be a symlink (or a directory in the path chain may be),
+ * which would let a malicious or accidental symlink escape the
+ * `.peaks/_runtime/<sessionId>/` containment. We reject anything
+ * whose real path falls outside the expected base.
+ *
+ * The caller passes the expected base:
+ *   - session dir for canonical reads (`.peaks/_runtime/<sid>/qa/...`)
+ *   - project root for legacy back-compat reads (`.peaks/<planFile>`)
+ */
+function assertContained(args) {
+    let real;
+    try {
+        real = realpathSync(args.path);
+    }
+    catch {
+        // If realpath fails (e.g. broken symlink), treat as escape — never
+        // return "ok" without a verified real path.
+        return {
+            ok: false,
+            code: 'SYMLINK_ESCAPE',
+            message: `resolved path escapes base directory: cannot resolve ${args.path}`
+        };
+    }
+    const expectedPrefix = join(args.expectedBase, sep);
+    if (!real.startsWith(expectedPrefix)) {
+        return {
+            ok: false,
+            code: 'SYMLINK_ESCAPE',
+            message: `resolved path escapes base directory: ${real} is not under ${expectedPrefix}`
+        };
+    }
+    return { ok: true, real };
+}
+export function readPlan(args) {
+    // F-1 (slice 025 security): reject path-traversal payloads before any
+    // filesystem call. The CLI also validates, but the service is the
+    // authoritative gate — every caller (CLI, skill, integration test)
+    // benefits from the same rejection shape.
+    if (!SESSION_ID_PATTERN.test(args.sessionId)) {
+        return fail('workflow.plan.read', 'INVALID_SESSION_ID', 'session id must match YYYY-MM-DD-slug pattern', {
+            type: args.type,
+            exists: false,
+            path: '',
+            hash: null,
+            refreshedAt: null,
+            source: 'missing'
+        });
+    }
+    const canonical = canonicalPath({ projectRoot: args.project, sessionId: args.sessionId, type: args.type });
+    if (existsSync(canonical)) {
+        const guard = assertContained({
+            expectedBase: getSessionDir(args.project, args.sessionId),
+            path: canonical
+        });
+        if (!guard.ok) {
+            return fail('workflow.plan.read', guard.code, guard.message, {
+                type: args.type,
+                exists: false,
+                path: canonical,
+                hash: null,
+                refreshedAt: null,
+                source: 'missing'
+            });
+        }
+        return ok('workflow.plan.read', buildData({ type: args.type, path: canonical, source: 'canonical' }));
+    }
+    const legacy = legacyPath({ projectRoot: args.project, type: args.type });
+    const backCompatEnabled = process.env[BACK_COMPAT_FLAG] === '1';
+    if (backCompatEnabled && existsSync(legacy)) {
+        const guard = assertContained({
+            expectedBase: args.project,
+            path: legacy
+        });
+        if (!guard.ok) {
+            return fail('workflow.plan.read', guard.code, guard.message, {
+                type: args.type,
+                exists: false,
+                path: legacy,
+                hash: null,
+                refreshedAt: null,
+                source: 'missing'
+            });
+        }
+        return ok('workflow.plan.read', buildData({ type: args.type, path: legacy, source: 'legacy' }));
+    }
+    return ok('workflow.plan.read', {
+        type: args.type,
+        exists: false,
+        path: canonical,
+        hash: null,
+        refreshedAt: null,
+        source: 'missing'
+    });
+}

package/dist/src/services/workflow/plan-refresher.d.ts

@@ -0,0 +1,32 @@
+import { type ResultEnvelope } from '../../shared/result.js';
+import { normalizePlanBody, type PlanType } from './plan-reader.js';
+export interface RefreshPlanArgs {
+    readonly type: PlanType;
+    readonly project: string;
+    readonly sessionId: string;
+    /** When true, write the plan to disk. When false, return the would-be body + hash only. */
+    readonly apply: boolean;
+}
+export interface RefreshPlanData {
+    readonly type: PlanType;
+    readonly writtenFiles: string[];
+    /** When `apply=false`, the would-be write targets. */
+    readonly wouldWrite: string[];
+    readonly hash: string;
+    readonly refreshedAt: string;
+    readonly dryRun: boolean;
+    /** The deterministic body (post-normalization). Always surfaced so tests
+     * can assert byte-equality across runs. */
+    readonly bodyPreview: string;
+}
+/** Build the security-test-plan body deterministically. */
+export declare function buildSecurityPlanBody(projectRoot: string): string;
+/** Build the perf-baseline body deterministically. */
+export declare function buildPerfPlanBody(projectRoot: string): string;
+export declare function refreshPlan(args: RefreshPlanArgs): ResultEnvelope<RefreshPlanData>;
+export { normalizePlanBody };
+export declare function renderPlanBody(args: {
+    type: PlanType;
+    project: string;
+}): string;
+export declare function hashBody(body: string): string;