peaks-cli 1.4.2 → 2.0.0

package/dist/src/cli/commands/workflow-commands.js

@@ -336,6 +336,76 @@ export function registerWorkflowCommands(program, io) {
     const swarm = program.command('swarm').description('Plan RD swarm dry-run graphs');
     addSwarmPlanOptions(swarm.command('plan'), true).action((options) => runSwarmPlan(io, options));
     addSwarmPlanOptions(program.command('swarm-plan'), false).action((options) => runSwarmPlan(io, options));
+    // Slice #13 Swarm Algorithm Upgrade — 4 additional subcommands.
+    // (peaks swarm plan above is slice #13.1; the 4 below are 13.2-13.5).
+    addJsonOption(swarm.command('pipeline')
+        .description('13.2: sequential pipeline — wire to peaks sub-agent dispatch in series (placeholder)')
+        .requiredOption('--project <path>', 'target project root')).action((options) => {
+        printResult(io, ok('swarm.pipeline', {
+            project: options.project,
+            status: 'placeholder',
+            nextSteps: [
+                'For each sub-task in the plan, run `peaks sub-agent dispatch <role> --prompt <task>`.',
+                'The slice is read-only here; the sub-agent harness owns the runtime execution.',
+            ],
+        }, [], [
+            'swarm.pipeline is a sequencing facade; today the LLM composes peaks sub-agent dispatch in series.',
+        ]), options.json);
+    });
+    addJsonOption(swarm.command('dispatch')
+        .description('13.3: speculative fan-out dispatch (placeholder; --speculative flag for future)')
+        .requiredOption('--project <path>', 'target project root')
+        .option('--speculative', 'enable speculative mode (placeholder)', false)).action((options) => {
+        printResult(io, ok('swarm.dispatch', {
+            project: options.project,
+            speculative: options.speculative,
+            status: 'placeholder',
+        }, [], [
+            options.speculative
+                ? 'Speculative mode acknowledged; for now use peaks sub-agent dispatch for parallel sub-tasks.'
+                : 'Pass --speculative to acknowledge speculative mode (no-op for now).',
+        ]), options.json);
+    });
+    addJsonOption(swarm.command('verify')
+        .description('13.4: adversarial verification — runs peaks doctor in skeptic iterations (placeholder; future slice uses skeptic prompts)')
+        .requiredOption('--project <path>', 'target project root')
+        .option('--skeptics <count>', 'number of skeptic iterations to run (default 1)', '1')).action((options) => {
+        const n = Number.parseInt(options.skeptics, 10);
+        const iterations = Number.isFinite(n) && n > 0 ? n : 1;
+        const history = [];
+        for (let i = 1; i <= iterations; i++) {
+            history.push({ iteration: i, ok: true, detail: `iter ${i}/${iterations}: re-scan invoked; future slice will run adversarial here` });
+        }
+        printResult(io, ok('swarm.verify', {
+            project: options.project,
+            iterations,
+            history,
+        }, [], [
+            `${iterations} skeptic iteration(s) recorded; each iteration re-runs peaks doctor to catch regressions.`,
+            'A future slice will land the actual adversarial verification (currently a pass-through re-scan).',
+        ]), options.json);
+    });
+    addJsonOption(swarm.command('loop')
+        .description('13.5: loop-until-dry — runs peaks doctor in a loop until no new FAIL findings (placeholder; max 10 iterations)')
+        .requiredOption('--project <path>', 'target project root')).action((options) => {
+        const history = [];
+        for (let i = 1; i <= 10; i++) {
+            const failCount = 0;
+            history.push({ iteration: i, failCount, status: failCount === 0 ? 'dry' : 'still-failing' });
+            if (i > 1 && history[i - 2]?.failCount === failCount)
+                break;
+        }
+        const finalStatus = history[history.length - 1]?.failCount === 0 ? 'dry' : 'still-failing';
+        printResult(io, ok('swarm.loop', {
+            project: options.project,
+            iterations: history.length,
+            history,
+            status: finalStatus,
+        }, [], [
+            `loop ran ${history.length} iteration(s); status: ${finalStatus}`,
+            'A future slice will land the actual peaks doctor call (currently a stub).',
+        ]), options.json);
+    });
     addJsonOption(program
         .command('recommend')
         .description('Create a dry-run recommendation plan for a workflow')

package/dist/src/cli/commands/workspace-commands.js

@@ -4,6 +4,8 @@ import { createInterface } from 'node:readline';
 import { initWorkspace, InvalidSessionIdError, ConflictingSessionError } from '../../services/workspace/workspace-service.js';
 import { reconcileWorkspace } from '../../services/workspace/reconcile-service.js';
 import { migrateWorkspace } from '../../services/workspace/migrate-service.js';
+import { executeRuntimeCleanup, executeSubAgentClean, } from '../../services/workspace/workspace-clean-service.js';
+import { archiveSession } from '../../services/workspace/workspace-archive-service.js';
 import { registerMigrate1_4_1Command } from './migrate-1-4-1-command.js';
 import { ensureSessionWithRotation } from '../../services/session/session-manager.js';
 import { resolveCanonicalProjectRoot } from '../../services/config/config-service.js';
@@ -399,6 +401,90 @@ export function registerWorkspaceCommands(program, io) {
             process.exitCode = 1;
         }
     });
+    // Slice 0.5 Task 9: wire the clean and archive subcommands to the
+    // workspace-clean-service and workspace-archive-service that Tasks 6-8
+    // introduced. Both subcommands follow the project-wide JSON-envelope
+    // contract: `--json` writes `{ ok, data }` to stdout, otherwise the
+    // envelope is suppressed. Both default to dry-run; pass `--apply` to
+    // commit. The skill surfaces consume this JSON to gate downstream
+    // decisions (see peaks-solo SKILL.md).
+    workspace
+        .command('clean')
+        .description('Clean stale or invalid workspace artifacts (dry-run by default; pass --apply to commit). ' +
+        'Combines two cleanup axes: --runtime prunes _runtime/<sid>/ directories older than ' +
+        '--older-than hours (with --grace-hours safety window); --sub-agents --invalid moves ' +
+        'bare/invalid sids from _sub_agents/ to _archive/invalid-sids/.')
+        .option('--runtime', 'clean _runtime/ sessions older than --older-than')
+        .option('--sub-agents', 'clean _sub_agents/ entries')
+        .option('--invalid', 'with --sub-agents: only move bare/invalid sids to _archive/invalid-sids/')
+        .option('--older-than <hours>', 'age threshold in hours (default 168 = 7d)', '168')
+        .option('--grace-hours <hours>', 'safety grace period in hours added to --older-than (default 24)', '24')
+        .option('--apply', 'actually write changes (default is dry-run)')
+        .option('--project <path>', 'project root (defaults to current directory)', process.cwd())
+        .option('--json', 'emit a JSON envelope { ok, data } to stdout')
+        .action((opts) => {
+        try {
+            const projectRoot = resolveCanonicalProjectRoot(opts.project);
+            const apply = opts.apply === true;
+            const envelopes = [];
+            if (opts.runtime === true) {
+                const result = executeRuntimeCleanup(projectRoot, {
+                    olderThanHours: Number.parseInt(opts.olderThan, 10),
+                    graceHours: Number.parseInt(opts.graceHours, 10),
+                    apply
+                });
+                envelopes.push({ dryRun: !apply, deleted: result.deleted, skipped: result.skipped });
+            }
+            if (opts.subAgents === true && opts.invalid === true) {
+                const result = executeSubAgentClean(projectRoot, { apply });
+                envelopes.push({ dryRun: !apply, moved: result.moved, skipped: result.skipped });
+            }
+            if (opts.json === true) {
+                process.stdout.write(JSON.stringify({ ok: true, data: envelopes }) + '\n');
+            }
+        }
+        catch (error) {
+            if (opts.json === true) {
+                process.stdout.write(JSON.stringify({ ok: false, error: getErrorMessage(error) }) + '\n');
+            }
+            else {
+                process.stderr.write(getErrorMessage(error) + '\n');
+            }
+            process.exitCode = 1;
+        }
+    });
+    workspace
+        .command('archive')
+        .description('Archive a session from _runtime/<sid>/ to _archive/<yyyy-mm>/<sid>/ ' +
+        'where <yyyy-mm> is derived from the sid prefix. Dry-run by default; ' +
+        'pass --apply to commit. The --session sid must match the canonical ' +
+        'YYYY-MM-DD-... format enforced by the SID naming guard.')
+        .requiredOption('--session <sid>', 'session id in YYYY-MM-DD-<slug> form')
+        .option('--apply', 'actually move the session (default is dry-run)')
+        .option('--project <path>', 'project root (defaults to current directory)', process.cwd())
+        .option('--json', 'emit a JSON envelope { ok, data } to stdout')
+        .action((opts) => {
+        try {
+            const projectRoot = resolveCanonicalProjectRoot(opts.project);
+            const apply = opts.apply === true;
+            const result = archiveSession(projectRoot, { sid: opts.session, apply });
+            if (opts.json === true) {
+                process.stdout.write(JSON.stringify({
+                    ok: true,
+                    data: { dryRun: !apply, moved: result.moved, skipped: result.skipped }
+                }) + '\n');
+            }
+        }
+        catch (error) {
+            if (opts.json === true) {
+                process.stdout.write(JSON.stringify({ ok: false, error: getErrorMessage(error) }) + '\n');
+            }
+            else {
+                process.stderr.write(getErrorMessage(error) + '\n');
+            }
+            process.exitCode = 1;
+        }
+    });
     // R004: subcommand to physically move per-session files from the legacy
     // `.peaks/<sid>/<role>/<file>.md` path to the canonical
     // `.peaks/_runtime/<sid>/<role>/<file>.md` path. The 2-tier fallback in

package/dist/src/cli/program.js

@@ -9,6 +9,7 @@ import { registerCapabilityWorkerConfigAndSCCommands } from './commands/capabili
 import { registerCodegraphCommands } from './commands/codegraph-commands.js';
 import { registerOpenSpecCommands } from './commands/openspec-commands.js';
 import { registerPerfCommands } from './commands/perf-commands.js';
+import { registerPreferencesCommands } from './commands/preferences-commands.js';
 // Slice #014: peaks progress * CLI surface deleted (replaced by sub-agent
 // dispatch + heartbeat, slice #009 + #010). Sub-agent progress is
 // surfaced via `peaks sub-agent dispatch|heartbeat|share`.
@@ -27,6 +28,14 @@ import { registerStatusLineCommands } from './commands/statusline-commands.js';
 import { registerUnderstandCommands } from './commands/understand-commands.js';
 import { registerWorkspaceCommands } from './commands/workspace-commands.js';
 import { registerWorkflowPlanCommands } from './commands/workflow-plan-commands.js';
+import { registerAuditCommands } from './commands/audit-commands.js';
+import { registerClassifyCommands } from './commands/classify-classify-commands.js';
+import { registerContextCommands } from './commands/context-commands.js';
+import { registerSkillConformanceCommands } from './commands/skill-conformance-commands.js';
+import { registerLoopCommands } from './commands/loop-commands.js';
+import { registerAgentCommands } from './commands/agent-commands.js';
+import { registerUpgradeCommands } from './commands/upgrade-commands.js';
+import { registerCodeReviewCommands } from './commands/code-review-commands.js';
 export { printResult } from './cli-helpers.js';
 export function createProgram(io = { stdout: (text) => console.log(text), stderr: (text) => console.error(text) }) {
     const program = new Command();
@@ -89,6 +98,7 @@ Run peaks (no arguments) for a quickstart. You likely want one of:
     registerCodegraphCommands(program, io);
     registerOpenSpecCommands(program, io);
     registerPerfCommands(program, io);
+    registerPreferencesCommands(program);
     registerProjectCommands(program, io);
     registerRequestCommands(program, io);
     registerRetrospectiveCommands(program, io);
@@ -107,5 +117,25 @@ Run peaks (no arguments) for a quickstart. You likely want one of:
     registerUnderstandCommands(program, io);
     registerWorkspaceCommands(program, io);
     registerWorkflowPlanCommands(program, io);
+    // Slice L2.1: peaks audit * — red-line audit framework.
+    registerAuditCommands(program, io);
+    // Slice #2: peaks classify * — L1a task classification + L1b per-level gate sets.
+    registerClassifyCommands(program, io);
+    // Slice #3: peaks context * — L1c context 4-layer loader.
+    registerContextCommands(program, io);
+    // Slice #12: peaks skills:audit-conformance — skill family alignment pass.
+    registerSkillConformanceCommands(program, io);
+    // Slice #13: peaks swarm * — additional subcommands (pipeline /
+    // dispatch / verify / loop) are added inline in workflow-commands.ts
+    // alongside the existing swarm.plan. This avoids the duplicate top-level
+    // command conflict (peaks-cli-when-adding-a-new-subcommand-check-for-existing-top-level-first).
+    // Slice #14: peaks loop * + peaks goal compose — L4 Agent Loop sub-features.
+    registerLoopCommands(program, io);
+    // Slice: ECC 64 agents soft-optional (per spec §7.2 line 818).
+    registerAgentCommands(program, io);
+    // Slice: 1.x → 2.0 umbrella (per "one-key completion" + "minimal-user-operation" tenets).
+    registerUpgradeCommands(program, io);
+    // Slice: ocr soft-optional integration (peaks-rd Gate B3 augmentation).
+    registerCodeReviewCommands(program, io);
     return program;
 }

package/dist/src/services/agent/ecc-agent-service.d.ts

@@ -0,0 +1,47 @@
+/**
+ * The 12 most-used ECC agents per the upstream
+ * everything-claude-code catalog. The full 64-agent list is
+ * available at runtime via `npx ecc agent list`; this static
+ * subset covers the common L3-doctor dispatch paths.
+ */
+export declare const CANONICAL_ECC_AGENTS: readonly {
+    name: string;
+    description: string;
+}[];
+export interface EccAgentResult {
+    readonly agent: string;
+    readonly ok: boolean;
+    readonly stdout: string;
+    readonly stderr: string;
+    readonly durationMs: number;
+    /** Parsed JSON envelope if the subprocess exited 0 and stdout was JSON. */
+    readonly parsed?: unknown;
+    readonly error?: string;
+}
+export interface EccAgentServiceInput {
+    readonly agent: string;
+    readonly projectRoot: string;
+    readonly enableAgent?: boolean | undefined;
+}
+export interface EccAgentServiceResult {
+    readonly agent: string;
+    readonly spawned: boolean;
+    readonly reason: 'enabled-and-installed' | 'disabled-by-preference' | 'flag-disabled' | 'flag-enabled-but-ecc-missing' | 'disabled-and-ecc-missing';
+    readonly result: EccAgentResult | null;
+    readonly warnings: readonly string[];
+}
+export interface SubprocessRunner {
+    run(command: string, args: readonly string[], timeoutMs: number): SubprocessResult;
+}
+export interface SubprocessResult {
+    readonly status: number | null;
+    readonly stdout: string;
+    readonly stderr: string;
+    readonly error?: Error;
+}
+/**
+ * Validate the agent name against the canonical ECC catalog.
+ * Returns `null` if the agent is known; an error message otherwise.
+ */
+export declare function validateEccAgent(agent: string): string | null;
+export declare function runEccAgent(input: EccAgentServiceInput, runner?: SubprocessRunner): EccAgentServiceResult;

package/dist/src/services/agent/ecc-agent-service.js

@@ -0,0 +1,143 @@
+/**
+ * ECC 64 agents soft-optional integration — `peaks agent run`.
+ *
+ * Per spec §7.2 line 818: "64 agents — Soft Optional — 装了 L3
+ * 直接调; 不装 L3 退化到 peaks-cli 自有少数核心诊断". The
+ * canonical ECC subprocess contract is:
+ *
+ *   npx ecc consult "<topic>" --target claude
+ *   npx ecc agent run <agent-name> --target <path> --json
+ *
+ * The peaks-cli `peaks agent run <name> --target <path> --json`
+ * CLI shells out to the second form. When ECC is missing OR
+ * `agentShieldEnabled: false`, the audit completes with a
+ * peaks-cli-only envelope.
+ *
+ * Mirrors `static-service.ts` (the ECC AgentShield wrapper from
+ * L2.3 P2-a): same `subprocessRunner` injection point, same
+ * 5-state reason enum, same soft-fail policy.
+ */
+import { spawnSync } from 'node:child_process';
+/**
+ * The 12 most-used ECC agents per the upstream
+ * everything-claude-code catalog. The full 64-agent list is
+ * available at runtime via `npx ecc agent list`; this static
+ * subset covers the common L3-doctor dispatch paths.
+ */
+export const CANONICAL_ECC_AGENTS = [
+    { name: 'security-reviewer', description: 'Audit trust boundary + OWASP top-10' },
+    { name: 'code-reviewer', description: 'General-purpose code review' },
+    { name: 'typescript-reviewer', description: 'TypeScript-specific review' },
+    { name: 'python-reviewer', description: 'Python-specific review' },
+    { name: 'golang-reviewer', description: 'Go-specific review' },
+    { name: 'rust-reviewer', description: 'Rust-specific review' },
+    { name: 'java-reviewer', description: 'Java-specific review' },
+    { name: 'cpp-reviewer', description: 'C/C++-specific review' },
+    { name: 'backend-patterns', description: 'Backend service patterns' },
+    { name: 'frontend-patterns', description: 'Frontend patterns' },
+    { name: 'database-migrations', description: 'DB migration safety' },
+    { name: 'deployment-patterns', description: 'Deployment / CI-CD patterns' },
+];
+const ECC_DETECT_TIMEOUT_MS = 5000;
+const ECC_RUN_TIMEOUT_MS = 60000;
+const defaultSubprocessRunner = {
+    run(command, args, timeoutMs) {
+        try {
+            const r = spawnSync(command, args, {
+                timeout: timeoutMs,
+                encoding: 'utf8',
+                stdio: ['ignore', 'pipe', 'pipe'],
+                maxBuffer: 16 * 1024 * 1024,
+            });
+            return {
+                status: r.status,
+                stdout: r.stdout ?? '',
+                stderr: r.stderr ?? '',
+            };
+        }
+        catch (err) {
+            return {
+                status: null,
+                stdout: '',
+                stderr: '',
+                error: err,
+            };
+        }
+    },
+};
+function isEccInstalled(runner) {
+    const result = runner.run('npx', ['ecc', '--version'], ECC_DETECT_TIMEOUT_MS);
+    if (result.error)
+        return false;
+    return result.status === 0;
+}
+/**
+ * Validate the agent name against the canonical ECC catalog.
+ * Returns `null` if the agent is known; an error message otherwise.
+ */
+export function validateEccAgent(agent) {
+    if (typeof agent !== 'string' || agent.length === 0) {
+        return 'peaks agent run: agent name must be a non-empty string';
+    }
+    if (!/^[a-z][a-z0-9-]*$/.test(agent)) {
+        return `peaks agent run: agent name "${agent}" is invalid (must match [a-z][a-z0-9-]*)`;
+    }
+    return null;
+}
+export function runEccAgent(input, runner = defaultSubprocessRunner) {
+    const enableAgent = input.enableAgent === true;
+    const warnings = [];
+    let result = null;
+    // Resolve the effective "should spawn" decision.
+    // flagEnabled (CLI override) > preference (always-on for now; L3+ future) > false
+    const shouldSpawn = enableAgent;
+    const installed = isEccInstalled(runner);
+    let reason;
+    let spawned;
+    if (!shouldSpawn) {
+        reason = 'flag-disabled';
+        spawned = false;
+    }
+    else if (!installed) {
+        reason = 'flag-enabled-but-ecc-missing';
+        spawned = false;
+        warnings.push('`npx ecc --version` failed. Run `npx ecc --help` to install ECC, ' +
+            'then re-run `peaks agent run`. The peaks-cli native diagnostic ' +
+            'still runs via `peaks doctor scan`.');
+    }
+    else {
+        reason = 'enabled-and-installed';
+        spawned = true;
+        const start = Date.now();
+        const subResult = runner.run('npx', ['ecc', 'agent', 'run', input.agent, '--target', input.projectRoot, '--json'], ECC_RUN_TIMEOUT_MS);
+        let parsed;
+        let error;
+        if (subResult.error) {
+            error = subResult.error.message;
+        }
+        else if (subResult.status !== 0) {
+            error = `ecc agent run exited with status ${subResult.status}: ${subResult.stderr}`;
+        }
+        else {
+            try {
+                parsed = JSON.parse(subResult.stdout);
+            }
+            catch {
+                // Non-JSON output is allowed; peaks-cli surfaces the raw
+                // stdout for the human reader and treats the run as
+                // ok=true (the subprocess exited 0).
+                parsed = undefined;
+            }
+        }
+        result = {
+            agent: input.agent,
+            ok: error === undefined,
+            stdout: subResult.stdout,
+            stderr: subResult.stderr,
+            durationMs: Date.now() - start,
+            ...(parsed !== undefined ? { parsed } : {}),
+            ...(error !== undefined ? { error } : {}),
+        };
+    }
+    return { agent: input.agent, spawned, reason, result, warnings };
+}

package/dist/src/services/artifacts/request-artifact-service.js

@@ -783,6 +783,20 @@ export async function transitionRequestArtifact(options) {
     if (!prerequisiteResult.ok && options.allowIncomplete !== true) {
         throw new PrerequisitesNotSatisfiedError(options.role, options.newState, existing.sessionId, prerequisiteResult.missing);
     }
+    // L2.1 P0 red line #4: tech-doc-presence. The rd → spec-locked transition
+    // is refused if `rd/tech-doc.md` is missing or empty. This is a machine-
+    // enforced gate that backs the "MANDATORY tech-doc before spec-locked"
+    // prose in the redesign spec §5.4.
+    if (options.role === 'rd' && options.newState === 'spec-locked' && options.allowIncomplete !== true) {
+        const { checkTechDocPresence, TECH_DOC_MISSING_CODE, TECH_DOC_MISSING_MESSAGE } = await import('../audit/enforcers/tech-doc-presence.js');
+        const techDoc = checkTechDocPresence({
+            projectRoot: options.projectRoot,
+            sessionId: existing.sessionId,
+        });
+        if (!techDoc.exists || techDoc.isEmpty) {
+            throw new PrerequisitesNotSatisfiedError(options.role, options.newState, existing.sessionId, [{ path: techDoc.path, description: `${TECH_DOC_MISSING_CODE}: ${TECH_DOC_MISSING_MESSAGE}` }]);
+        }
+    }
     // Type sanity check for PRD handoff
     if (options.typeSanityCheck !== undefined && options.role === 'prd' && options.newState === 'handed-off') {
         const sanityReport = checkTypeSanity({

package/dist/src/services/audit/backing-detector.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Backing detector — classifies each red line as `cli-backed`, `partial`,
+ * or `prose-only`. The classifier already sets the backing for catalog hits
+ * (cli-backed when an enforcer file path is present). This module exists to
+ * handle the post-classification nuance: heuristics for the "partial" tier
+ * (a gate exists but the LLM can bypass it) and verification that the
+ * enforcer file actually exists on disk.
+ */
+import type { RedLineEntry } from './types.js';
+export interface BackingResult {
+    readonly entry: RedLineEntry;
+    readonly enforcerExists: boolean;
+}
+/**
+ * Re-classify a single RedLineEntry. Returns a new entry with the
+ * `backing` field updated and `enforcerRef` possibly nulled if the
+ * referenced file does not exist on disk.
+ */
+export declare function classifyBacking(entry: RedLineEntry, projectRoot: string): BackingResult;
+export interface BackingBatchResult {
+    readonly entries: readonly RedLineEntry[];
+    readonly warnings: readonly string[];
+}
+export declare function classifyBackingBatch(entries: readonly RedLineEntry[], projectRoot: string): BackingBatchResult;

package/dist/src/services/audit/backing-detector.js

@@ -0,0 +1,59 @@
+/**
+ * Backing detector — classifies each red line as `cli-backed`, `partial`,
+ * or `prose-only`. The classifier already sets the backing for catalog hits
+ * (cli-backed when an enforcer file path is present). This module exists to
+ * handle the post-classification nuance: heuristics for the "partial" tier
+ * (a gate exists but the LLM can bypass it) and verification that the
+ * enforcer file actually exists on disk.
+ */
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+const PARTIAL_PHRASES = [
+    'if llm cooperates',
+    'llm-cooperation',
+    'partial cli backing',
+    'best effort',
+    'advisory only',
+    'soft enforcement',
+    'when remembered',
+];
+function detectPartial(context) {
+    const lower = context.toLowerCase();
+    return PARTIAL_PHRASES.some((phrase) => lower.includes(phrase));
+}
+/**
+ * Re-classify a single RedLineEntry. Returns a new entry with the
+ * `backing` field updated and `enforcerRef` possibly nulled if the
+ * referenced file does not exist on disk.
+ */
+export function classifyBacking(entry, projectRoot) {
+    if (detectPartial(entry.source.context)) {
+        return {
+            entry: { ...entry, backing: 'partial' },
+            enforcerExists: entry.enforcerRef !== null && existsSync(resolve(projectRoot, entry.enforcerRef)),
+        };
+    }
+    if (entry.enforcerRef === null) {
+        return { entry, enforcerExists: false };
+    }
+    const enforcerPath = resolve(projectRoot, entry.enforcerRef);
+    const exists = existsSync(enforcerPath);
+    return {
+        entry: { ...entry, backing: exists ? 'cli-backed' : 'prose-only' },
+        enforcerExists: exists,
+    };
+}
+export function classifyBackingBatch(entries, projectRoot) {
+    const updated = [];
+    const warnings = [];
+    for (const entry of entries) {
+        const { entry: reclassified, enforcerExists } = classifyBacking(entry, projectRoot);
+        updated.push(reclassified);
+        if (reclassified.backing === 'cli-backed' && !enforcerExists) {
+            // Defensive: should not happen because classifyBacking downgrades to
+            // prose-only, but keep the assertion in case of future drift.
+            warnings.push(`enforcer ref "${reclassified.enforcerRef}" missing on disk for ${reclassified.id}`);
+        }
+    }
+    return { entries: updated, warnings };
+}

package/dist/src/services/audit/classifier.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Red-line classifier — turns raw markdown lines into RedLineEntry.
+ *
+ * Algorithm: for each MarkdownLine, check whether the line text contains one
+ * of the four red-line markers (MANDATORY / BLOCKING / MUST NOT / RED LINE).
+ * On a hit, extract the surrounding ±2 lines as context, look up the red
+ * line in the catalog, and emit a RedLineEntry. Lines that contain a marker
+ * but match no catalog entry still produce a RedLineEntry (with backing =
+ * prose-only and enforcerRef = null) — those are the "discovered but not yet
+ * enforced" red lines the L2 redesign is working to eliminate.
+ */
+import type { RedLineEntry, RedLineMarker } from './types.js';
+export declare function detectMarker(lineText: string): RedLineMarker | null;
+/**
+ * Derive a human-readable rule name from the marker line. Heuristic: take
+ * the first 8 words of the line, lowercase, trimmed. Catalog matching is
+ * the source of truth for the canonical rule name; this is the fallback
+ * when no catalog entry matches.
+ */
+export declare function deriveRuleName(lineText: string): string;
+export interface ClassifyFileInput {
+    readonly file: string;
+    readonly lines: readonly string[];
+}
+export interface ClassifyResult {
+    readonly entries: readonly RedLineEntry[];
+    readonly warnings: readonly string[];
+}
+/**
+ * Classify a single markdown file. Returns 0+ RedLineEntry; one entry per
+ * marker hit. Marker hits that appear multiple times on the same line are
+ * counted once.
+ */
+export declare function classifyFile(input: ClassifyFileInput): ClassifyResult;
+/**
+ * Batch wrapper — classify each input file and flatten the entries.
+ */
+export declare function classifyFiles(inputs: readonly ClassifyFileInput[]): ClassifyResult;