peaks-cli 1.4.1 → 2.0.0

package/dist/src/services/audit/enforcers/login-gate.js

@@ -0,0 +1,40 @@
+/**
+ * login-gate enforcer (L2.2 P1) — verifies destructive / auth-required
+ * paths require explicit user confirmation.
+ *
+ * Two red lines:
+ *   - rl-login-gate-001: destructive paths (uninstall, drop, force-push) must
+ *     require user confirmation
+ *   - rl-login-gate-002: protected paths (auth-required) must check session
+ *
+ * This is a static-check enforcer: the actual runtime gate is in
+ * `peaks mode-enforcement` (the requireUserConfirmation function). The
+ * catalog entry points to this file; the audit flags it as cli-backed
+ * when the integration is wired (L2.2 ships the wiring).
+ */
+const DESTRUCTIVE_PATH_PATTERNS = [
+    /uninstall/i,
+    /\bdrop\b/i,
+    /force-push/i,
+    /--force\b/,
+    /--hard\b/,
+    /rm\s+-rf?\b/,
+];
+const PROTECTED_PATH_PATTERNS = [
+    /auth/i,
+    /login/i,
+    /session/i,
+];
+export function checkLoginGate(input) {
+    for (const pattern of DESTRUCTIVE_PATH_PATTERNS) {
+        if (pattern.test(input.command)) {
+            return { destructive: true, protected: false, matchedPattern: pattern.source };
+        }
+    }
+    for (const pattern of PROTECTED_PATH_PATTERNS) {
+        if (pattern.test(input.command)) {
+            return { destructive: false, protected: true, matchedPattern: pattern.source };
+        }
+    }
+    return { destructive: false, protected: false, matchedPattern: null };
+}

package/dist/src/services/audit/enforcers/mock-placement.d.ts

@@ -0,0 +1,25 @@
+/**
+ * mock-placement enforcer — scans changed files for inline mock-data
+ * patterns and fails the slice check if any changed file under `src/` or
+ * `skills/` contains `mockData: { ... }`, `fixtures = { ... }`, or a
+ * multi-line `const fooMock = { ... }` literal.
+ *
+ * Per L2 redesign §5.4. Mocks belong in `tests/fixtures/`, not inline.
+ * Per `references/mock-data-placement.md` from peaks-rd: framework-aware
+ * mock placement. peaks-cli has no UI framework, but the rule still
+ * applies for non-fixture files.
+ */
+export interface MockPlacementCheckInput {
+    readonly filePath: string;
+    readonly content: string;
+}
+export interface MockPlacementViolation {
+    readonly filePath: string;
+    readonly pattern: string;
+    readonly snippet: string;
+}
+export declare function hasInlineMock(content: string): MockPlacementViolation | null;
+export declare function findMockViolations(changedFiles: readonly {
+    filePath: string;
+    content: string;
+}[]): readonly MockPlacementViolation[];

package/dist/src/services/audit/enforcers/mock-placement.js

@@ -0,0 +1,48 @@
+/**
+ * mock-placement enforcer — scans changed files for inline mock-data
+ * patterns and fails the slice check if any changed file under `src/` or
+ * `skills/` contains `mockData: { ... }`, `fixtures = { ... }`, or a
+ * multi-line `const fooMock = { ... }` literal.
+ *
+ * Per L2 redesign §5.4. Mocks belong in `tests/fixtures/`, not inline.
+ * Per `references/mock-data-placement.md` from peaks-rd: framework-aware
+ * mock placement. peaks-cli has no UI framework, but the rule still
+ * applies for non-fixture files.
+ */
+const MOCK_PATTERNS = [
+    /\bmockData\s*[:=]\s*\{/,
+    /\bfixtures?\s*=\s*\{/,
+    /const\s+\w*[Mm]ock\w*\s*=\s*\{[\s\S]{20,}/,
+];
+export function hasInlineMock(content) {
+    for (const pattern of MOCK_PATTERNS) {
+        const match = pattern.exec(content);
+        if (match) {
+            return {
+                filePath: '',
+                pattern: pattern.source,
+                snippet: match[0].slice(0, 80),
+            };
+        }
+    }
+    return null;
+}
+export function findMockViolations(changedFiles) {
+    const violations = [];
+    for (const { filePath, content } of changedFiles) {
+        // Mocks are allowed in tests/fixtures/. The slice check is invoked
+        // with the diff-vs-scope output, which already filters out
+        // test/fixture paths; this guard is a safety net.
+        if (filePath.includes('tests/fixtures/'))
+            continue;
+        if (filePath.includes('__fixtures__'))
+            continue;
+        if (!filePath.startsWith('src/') && !filePath.startsWith('skills/'))
+            continue;
+        const violation = hasInlineMock(content);
+        if (violation) {
+            violations.push({ ...violation, filePath });
+        }
+    }
+    return violations;
+}

package/dist/src/services/audit/enforcers/no-root-pollution.d.ts

@@ -0,0 +1,21 @@
+/**
+ * no-root-pollution enforcer — PreToolUse Write/Edit guard.
+ *
+ * Per L2 redesign §5.4. Deny writes to <project>/root for files NOT in
+ * the documented allowlist. The allowlist is hand-maintained for v1; a
+ * follow-up slice can expose it via `peaks standards`.
+ *
+ * Trust red line: this hook MUST fail-open on registry / FS errors. The
+ * LLM is never bricked by a peaks bug.
+ */
+export interface RootWriteCheckInput {
+    readonly projectRoot: string;
+    readonly filePath: string;
+}
+export interface RootWriteCheckResult {
+    readonly isRoot: boolean;
+    readonly allowed: boolean;
+    readonly topSegment: string;
+    readonly denyReason: string;
+}
+export declare function isRootWrite(input: RootWriteCheckInput): RootWriteCheckResult;

package/dist/src/services/audit/enforcers/no-root-pollution.js

@@ -0,0 +1,56 @@
+/**
+ * no-root-pollution enforcer — PreToolUse Write/Edit guard.
+ *
+ * Per L2 redesign §5.4. Deny writes to <project>/root for files NOT in
+ * the documented allowlist. The allowlist is hand-maintained for v1; a
+ * follow-up slice can expose it via `peaks standards`.
+ *
+ * Trust red line: this hook MUST fail-open on registry / FS errors. The
+ * LLM is never bricked by a peaks bug.
+ */
+import { resolve } from 'node:path';
+const ROOT_FILE_ALLOWLIST = new Set([
+    // Top-level docs
+    'README.md', 'README-en.md', 'LICENSE', 'LICENSE.md', 'NOTICE', 'CONTRIBUTING.md',
+    'CHANGELOG.md', 'AUTHORS', 'CONTRIBUTORS',
+    // Build / package manifests
+    'package.json', 'pnpm-lock.yaml', 'pnpm-workspace.yaml', 'tsconfig.json',
+    'tsconfig.*.json', 'vitest.config.ts', 'vite.config.ts', '.npmrc', '.nvmrc',
+    // VCS / editor
+    '.gitignore', '.gitattributes', '.editorconfig', '.gitkeep',
+    // Project-local config dirs (peaks-cli convention)
+    'openspec', '.peaks', '.claude', '.peaksrc',
+    // Source dirs (writes into them are normal)
+    'src', 'tests', 'bin', 'scripts', 'schemas', 'output-styles', 'docs',
+    // Skills are allowed at root
+    'skills',
+    // Generated / ignored
+    'dist', 'node_modules', 'coverage', '.nyc_output',
+]);
+export function isRootWrite(input) {
+    const projectRoot = resolve(input.projectRoot);
+    const filePath = resolve(input.filePath);
+    const rel = filePath.startsWith(projectRoot)
+        ? filePath.slice(projectRoot.length).replace(/^[\\/]+/, '')
+        : filePath;
+    const topSegment = rel.split(/[\\/]/)[0] ?? '';
+    // If file is NOT at root (e.g. src/foo/bar.ts), the top segment is "src"
+    // which is in the allowlist. This handler only flags FILES AT THE ROOT
+    // (top-level), so check whether the file is exactly at root depth.
+    const segments = rel.split(/[\\/]/).filter(Boolean);
+    const isAtRoot = segments.length === 1;
+    if (!isAtRoot) {
+        return { isRoot: false, allowed: true, topSegment, denyReason: '' };
+    }
+    if (ROOT_FILE_ALLOWLIST.has(topSegment)) {
+        return { isRoot: true, allowed: true, topSegment, denyReason: '' };
+    }
+    return {
+        isRoot: true,
+        allowed: false,
+        topSegment,
+        denyReason: `no-root-pollution: file "${rel}" is not in the root allowlist. ` +
+            `Move it under docs/, tests/, skills/, or another documented directory, ` +
+            `or add it to ROOT_FILE_ALLOWLIST in src/services/audit/enforcers/no-root-pollution.ts.`,
+    };
+}

package/dist/src/services/audit/enforcers/pre-rd-scan.d.ts

@@ -0,0 +1,22 @@
+/**
+ * pre-rd-scan enforcer (L2.2 P1) — verifies the project has been scanned
+ * before the rd implementation phase begins.
+ *
+ * Two red lines:
+ *   - rl-pre-rd-scan-001: peaks scan archetype must have been run
+ *   - rl-pre-rd-scan-002: peaks standards preflight must have been run
+ *
+ * Detected by checking for the project-scan.md and standards reports in
+ * the session dir. Both are produced by the pre-RD workflow.
+ */
+export interface PreRdScanInput {
+    readonly projectRoot: string;
+    readonly sessionId: string;
+}
+export interface PreRdScanResult {
+    readonly archetypeScanned: boolean;
+    readonly archetypeReportPath: string;
+    readonly standardsPreflightDone: boolean;
+    readonly standardsReportPath: string;
+}
+export declare function checkPreRdScan(input: PreRdScanInput): PreRdScanResult;

package/dist/src/services/audit/enforcers/pre-rd-scan.js

@@ -0,0 +1,23 @@
+/**
+ * pre-rd-scan enforcer (L2.2 P1) — verifies the project has been scanned
+ * before the rd implementation phase begins.
+ *
+ * Two red lines:
+ *   - rl-pre-rd-scan-001: peaks scan archetype must have been run
+ *   - rl-pre-rd-scan-002: peaks standards preflight must have been run
+ *
+ * Detected by checking for the project-scan.md and standards reports in
+ * the session dir. Both are produced by the pre-RD workflow.
+ */
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+export function checkPreRdScan(input) {
+    const archetypeReportPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'rd/project-scan.md');
+    const standardsReportPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'standards-preflight.json');
+    return {
+        archetypeScanned: existsSync(archetypeReportPath),
+        archetypeReportPath,
+        standardsPreflightDone: existsSync(standardsReportPath),
+        standardsReportPath,
+    };
+}

package/dist/src/services/audit/enforcers/prototype-fidelity.d.ts

@@ -0,0 +1,25 @@
+/**
+ * prototype-fidelity enforcer (L2.2 P1) — verifies a prototype is
+ * functional (not a stub).
+ *
+ * Two red lines:
+ *   - rl-prototype-fidelity-001: prototype files must not contain TODO/FIXME/XXX
+ *   - rl-prototype-fidelity-002: prototype must have at least 1 passing test
+ *
+ * (L2.2 ships the source-level check; deeper test-running integration is
+ * deferred to a follow-up slice.)
+ */
+export interface PrototypeFidelityInput {
+    readonly projectRoot: string;
+    readonly filePaths: readonly string[];
+}
+export interface PrototypeFidelityResult {
+    readonly stubMarkers: readonly {
+        filePath: string;
+        pattern: string;
+        snippet: string;
+    }[];
+    readonly testFiles: readonly string[];
+}
+export declare function findStubMarkers(input: PrototypeFidelityInput): PrototypeFidelityResult;
+export declare function findTestFiles(projectRoot: string, sourceDir: string): readonly string[];

package/dist/src/services/audit/enforcers/prototype-fidelity.js

@@ -0,0 +1,75 @@
+/**
+ * prototype-fidelity enforcer (L2.2 P1) — verifies a prototype is
+ * functional (not a stub).
+ *
+ * Two red lines:
+ *   - rl-prototype-fidelity-001: prototype files must not contain TODO/FIXME/XXX
+ *   - rl-prototype-fidelity-002: prototype must have at least 1 passing test
+ *
+ * (L2.2 ships the source-level check; deeper test-running integration is
+ * deferred to a follow-up slice.)
+ */
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+const STUB_MARKER_PATTERNS = [
+    /\bTODO\b/,
+    /\bFIXME\b/,
+    /\bXXX\b/,
+    /\bHACK\b/,
+    /\bstub\b\s*[:=]/i,
+    /\bnot implemented\b/i,
+];
+export function findStubMarkers(input) {
+    const markers = [];
+    for (const filePath of input.filePaths) {
+        const abs = join(input.projectRoot, filePath);
+        let content;
+        try {
+            content = readFileSync(abs, 'utf8');
+        }
+        catch {
+            continue;
+        }
+        for (const pattern of STUB_MARKER_PATTERNS) {
+            const match = pattern.exec(content);
+            if (match !== null) {
+                markers.push({ filePath, pattern: pattern.source, snippet: match[0] });
+            }
+        }
+    }
+    return { stubMarkers: markers, testFiles: [] };
+}
+export function findTestFiles(projectRoot, sourceDir) {
+    const testsDir = join(projectRoot, sourceDir.replace(/^src\//, 'tests/'));
+    if (!existsSync(testsDir))
+        return [];
+    try {
+        const stat = statSync(testsDir);
+        if (!stat.isDirectory())
+            return [];
+    }
+    catch {
+        return [];
+    }
+    const result = [];
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const full = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                walk(full);
+            }
+            else if (entry.isFile() && /\.(test|spec)\.ts$/.test(entry.name)) {
+                result.push(full);
+            }
+        }
+    };
+    walk(testsDir);
+    return result;
+}

package/dist/src/services/audit/enforcers/resume-detection.d.ts

@@ -0,0 +1,21 @@
+/**
+ * resume-detection enforcer (L2.2 P1) — verifies a slice can be resumed
+ * before the LLM continues work on it.
+ *
+ * Two red lines:
+ *   - rl-resume-detection-001: session-binding file must exist
+ *   - rl-resume-detection-002: existing rd request state must be in
+ *     {spec-locked, implemented, qa-handoff} (resumable states)
+ */
+export interface ResumeDetectionInput {
+    readonly projectRoot: string;
+    readonly sessionId: string;
+}
+export interface ResumeDetectionResult {
+    readonly sessionBindingExists: boolean;
+    readonly sessionBindingPath: string;
+    readonly requestState: string | null;
+    readonly requestStatePath: string;
+    readonly canResume: boolean;
+}
+export declare function checkResume(input: ResumeDetectionInput): ResumeDetectionResult;

package/dist/src/services/audit/enforcers/resume-detection.js

@@ -0,0 +1,52 @@
+/**
+ * resume-detection enforcer (L2.2 P1) — verifies a slice can be resumed
+ * before the LLM continues work on it.
+ *
+ * Two red lines:
+ *   - rl-resume-detection-001: session-binding file must exist
+ *   - rl-resume-detection-002: existing rd request state must be in
+ *     {spec-locked, implemented, qa-handoff} (resumable states)
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+const RESUMABLE_STATES = new Set(['spec-locked', 'implemented', 'qa-handoff']);
+export function checkResume(input) {
+    const sessionBindingPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'session.json');
+    const sessionBindingExists = existsSync(sessionBindingPath);
+    // The rd request artifact lives under .peaks/_runtime/<sid>/rd/requests/<rid>.md
+    // (canonical session layout per `src-services-session-canonical-workspace-resolver.md`).
+    // We look at the most-recent rd request to detect state. The full request-artifact
+    // service is the authoritative source; this is a lightweight check for the audit
+    // scanner.
+    const rdDir = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'rd/requests');
+    let requestState = null;
+    let requestStatePath = '';
+    if (existsSync(rdDir)) {
+        try {
+            const files = require('node:fs').readdirSync(rdDir);
+            for (const file of files) {
+                if (!file.endsWith('.md'))
+                    continue;
+                const path = join(rdDir, file);
+                const content = readFileSync(path, 'utf8');
+                const match = /state:\s*([a-z0-9-]+)/i.exec(content);
+                if (match !== null) {
+                    requestState = match[1] ?? null;
+                    requestStatePath = path;
+                    break;
+                }
+            }
+        }
+        catch {
+            // ignore read errors
+        }
+    }
+    const canResume = sessionBindingExists && requestState !== null && RESUMABLE_STATES.has(requestState);
+    return {
+        sessionBindingExists,
+        sessionBindingPath,
+        requestState,
+        requestStatePath,
+        canResume,
+    };
+}

package/dist/src/services/audit/enforcers/solo-code-ban.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Solo-code-ban enforcer — PreToolUse Bash guard.
+ *
+ * Per L2 redesign §5.4. Deny `git commit` or `git apply` invocations from
+ * a peaks-* skill. The Solo Code-Change Red Line says peaks-solo / peaks-rd
+ * are orchestrators, not implementers; the actual `git commit` step must
+ * go through `peaks request transition`, which itself enforces spec-locked
+ * + tech-doc-presence.
+ *
+ * Trust red line (per `gate-enforcement-hook.md`): if the registry or
+ * manifest read fails, the hook must fail-OPEN (warn + allow). The LLM is
+ * never bricked by a peaks bug.
+ */
+export interface SoloCodeBanInput {
+    readonly skill: string;
+    readonly command: string;
+}
+export interface SoloCodeBanResult {
+    readonly denied: boolean;
+    readonly reason: string;
+}
+export declare function isSoloCodeCommit(skill: string, command: string): boolean;
+export declare function evaluateSoloCodeBan(input: SoloCodeBanInput): SoloCodeBanResult;

package/dist/src/services/audit/enforcers/solo-code-ban.js

@@ -0,0 +1,27 @@
+/**
+ * Solo-code-ban enforcer — PreToolUse Bash guard.
+ *
+ * Per L2 redesign §5.4. Deny `git commit` or `git apply` invocations from
+ * a peaks-* skill. The Solo Code-Change Red Line says peaks-solo / peaks-rd
+ * are orchestrators, not implementers; the actual `git commit` step must
+ * go through `peaks request transition`, which itself enforces spec-locked
+ * + tech-doc-presence.
+ *
+ * Trust red line (per `gate-enforcement-hook.md`): if the registry or
+ * manifest read fails, the hook must fail-OPEN (warn + allow). The LLM is
+ * never bricked by a peaks bug.
+ */
+const COMMIT_APPLY_PATTERN = /^\s*git\s+(commit|apply)\b/;
+const DENY_REASON = 'Solo Code-Change Red Line: peaks-* skills must go through peaks-solo / peaks-rd. ' +
+    'Use `peaks request transition` instead of `git commit` / `git apply` directly.';
+export function isSoloCodeCommit(skill, command) {
+    if (!skill.startsWith('peaks-'))
+        return false;
+    return COMMIT_APPLY_PATTERN.test(command);
+}
+export function evaluateSoloCodeBan(input) {
+    if (isSoloCodeCommit(input.skill, input.command)) {
+        return { denied: true, reason: DENY_REASON };
+    }
+    return { denied: false, reason: '' };
+}

package/dist/src/services/audit/enforcers/sub-agent-sid.d.ts

@@ -0,0 +1,25 @@
+/**
+ * sub-agent-sid enforcer — dogfood of Slice 0.5 sid-naming-guard.
+ *
+ * Per L2 redesign §5.4, "sub-agent-sid" is one of the 5 P0 red lines.
+ * Slice 0.5 (Task 7) shipped `isValidSessionId` in
+ * `src/services/workspace/sid-naming-guard.ts`. This enforcer exposes the
+ * same check to the red-line audit framework, so any invalid sid under
+ * `.peaks/_sub_agents/` shows up as a backable red line in the audit.
+ */
+export interface SubAgentSidCheckResult {
+    readonly invalid: readonly string[];
+    readonly valid: readonly string[];
+    readonly scanned: boolean;
+}
+/**
+ * Find sids under `.peaks/_sub_agents/<sid>/` that fail `isValidSessionId`.
+ * Bare forms (sid-3, unknown-sid) and date-mismatched sids all fail.
+ */
+export declare function findInvalidSubAgentSids(projectRoot: string): SubAgentSidCheckResult;
+/**
+ * Same check, for `.peaks/_runtime/<sid>/`. Slice 0.5's clean-service
+ * already handles the sub-agents dir; the audit framework also wants to
+ * know about invalid runtime sids (which would be a different failure mode).
+ */
+export declare function findInvalidRuntimeSids(projectRoot: string): SubAgentSidCheckResult;

package/dist/src/services/audit/enforcers/sub-agent-sid.js

@@ -0,0 +1,63 @@
+/**
+ * sub-agent-sid enforcer — dogfood of Slice 0.5 sid-naming-guard.
+ *
+ * Per L2 redesign §5.4, "sub-agent-sid" is one of the 5 P0 red lines.
+ * Slice 0.5 (Task 7) shipped `isValidSessionId` in
+ * `src/services/workspace/sid-naming-guard.ts`. This enforcer exposes the
+ * same check to the red-line audit framework, so any invalid sid under
+ * `.peaks/_sub_agents/` shows up as a backable red line in the audit.
+ */
+import { existsSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { isValidSessionId } from '../../workspace/sid-naming-guard.js';
+const SUB_AGENTS_DIR = '.peaks/_sub_agents';
+const RUNTIME_DIR = '.peaks/_runtime';
+/**
+ * Find sids under `.peaks/_sub_agents/<sid>/` that fail `isValidSessionId`.
+ * Bare forms (sid-3, unknown-sid) and date-mismatched sids all fail.
+ */
+export function findInvalidSubAgentSids(projectRoot) {
+    const subAgentsRoot = join(projectRoot, SUB_AGENTS_DIR);
+    if (!existsSync(subAgentsRoot)) {
+        return { invalid: [], valid: [], scanned: false };
+    }
+    const entries = readdirSync(subAgentsRoot, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => e.name);
+    const invalid = [];
+    const valid = [];
+    for (const name of entries) {
+        if (isValidSessionId(name)) {
+            valid.push(name);
+        }
+        else {
+            invalid.push(name);
+        }
+    }
+    return { invalid, valid, scanned: true };
+}
+/**
+ * Same check, for `.peaks/_runtime/<sid>/`. Slice 0.5's clean-service
+ * already handles the sub-agents dir; the audit framework also wants to
+ * know about invalid runtime sids (which would be a different failure mode).
+ */
+export function findInvalidRuntimeSids(projectRoot) {
+    const runtimeRoot = join(projectRoot, RUNTIME_DIR);
+    if (!existsSync(runtimeRoot)) {
+        return { invalid: [], valid: [], scanned: false };
+    }
+    const entries = readdirSync(runtimeRoot, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => e.name);
+    const invalid = [];
+    const valid = [];
+    for (const name of entries) {
+        if (isValidSessionId(name)) {
+            valid.push(name);
+        }
+        else {
+            invalid.push(name);
+        }
+    }
+    return { invalid, valid, scanned: true };
+}

package/dist/src/services/audit/enforcers/tech-doc-presence.d.ts

@@ -0,0 +1,28 @@
+/**
+ * tech-doc-presence enforcer — refuses `peaks request transition <rid>
+ * spec-locked` if the slice's tech-doc.md is missing.
+ *
+ * Per L2 redesign §5.4. The tech-doc is the BLOCKING artifact for the
+ * spec-locked transition. This enforcer is called from
+ * `request-transition-service.ts` BEFORE the state machine runs.
+ *
+ * The session id is resolved from the current working directory using
+ * the canonical workspace resolver (per
+ * `src-services-session-canonical-workspace-resolver.md` memory).
+ */
+export interface TechDocPresenceInput {
+    readonly projectRoot: string;
+    readonly sessionId: string;
+}
+export interface TechDocPresenceResult {
+    readonly exists: boolean;
+    readonly path: string;
+    readonly isEmpty: boolean;
+}
+export declare function checkTechDocPresence(input: TechDocPresenceInput): TechDocPresenceResult;
+/**
+ * Hard-coded error message used by `request-transition-service.ts` when
+ * the spec-locked transition is refused.
+ */
+export declare const TECH_DOC_MISSING_MESSAGE: string;
+export declare const TECH_DOC_MISSING_CODE = "TECH_DOC_MISSING";

package/dist/src/services/audit/enforcers/tech-doc-presence.js

@@ -0,0 +1,35 @@
+/**
+ * tech-doc-presence enforcer — refuses `peaks request transition <rid>
+ * spec-locked` if the slice's tech-doc.md is missing.
+ *
+ * Per L2 redesign §5.4. The tech-doc is the BLOCKING artifact for the
+ * spec-locked transition. This enforcer is called from
+ * `request-transition-service.ts` BEFORE the state machine runs.
+ *
+ * The session id is resolved from the current working directory using
+ * the canonical workspace resolver (per
+ * `src-services-session-canonical-workspace-resolver.md` memory).
+ */
+import { existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+export function checkTechDocPresence(input) {
+    const docPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'rd/tech-doc.md');
+    if (!existsSync(docPath)) {
+        return { exists: false, path: docPath, isEmpty: false };
+    }
+    let stat;
+    try {
+        stat = statSync(docPath);
+    }
+    catch {
+        return { exists: false, path: docPath, isEmpty: false };
+    }
+    return { exists: true, path: docPath, isEmpty: stat.size === 0 };
+}
+/**
+ * Hard-coded error message used by `request-transition-service.ts` when
+ * the spec-locked transition is refused.
+ */
+export const TECH_DOC_MISSING_MESSAGE = 'spec-locked transition requires `rd/tech-doc.md` to exist and be non-empty. ' +
+    'Run `peaks-rd` to produce the tech-doc first, then retry the transition.';
+export const TECH_DOC_MISSING_CODE = 'TECH_DOC_MISSING';

package/dist/src/services/audit/red-line-catalog-p2-a.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Red-line catalog — P2-a entries (Slice #6 L2.3).
+ *
+ * These 25 entries close the lint-style gap left by L2.1 (P0) and
+ * L2.2 (P1). Per spec §5.4, P2-a targets 25-40 lint-style red-lines
+ * for SKILL.md, references/, and openspec/. They are small,
+ * pattern-based, and reference the existing CLI surface (no new
+ * runtime dependencies).
+ *
+ * Enforcer functions live in `enforcers/lint-style-*.ts` and are
+ * wired into the audit framework via the same `enforcerRef`
+ * discovery path as the P0 / P1 entries.
+ */
+import type { RedLineCatalogEntry } from './red-line-catalog.js';
+/**
+ * The 25 P2-a entries, in stable display order. Appending to a single
+ * readonly array keeps the catalog growable: future slices (L2.4, L3.x)
+ * can spread this list into RED_LINE_CATALOG and add their own without
+ * touching this file.
+ */
+export declare const RED_LINE_CATALOG_P2_A: readonly RedLineCatalogEntry[];