peaks-cli 1.4.2 → 2.0.1

package/dist/src/services/audit/enforcers/prototype-fidelity.js

@@ -0,0 +1,75 @@
+/**
+ * prototype-fidelity enforcer (L2.2 P1) — verifies a prototype is
+ * functional (not a stub).
+ *
+ * Two red lines:
+ *   - rl-prototype-fidelity-001: prototype files must not contain TODO/FIXME/XXX
+ *   - rl-prototype-fidelity-002: prototype must have at least 1 passing test
+ *
+ * (L2.2 ships the source-level check; deeper test-running integration is
+ * deferred to a follow-up slice.)
+ */
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+const STUB_MARKER_PATTERNS = [
+    /\bTODO\b/,
+    /\bFIXME\b/,
+    /\bXXX\b/,
+    /\bHACK\b/,
+    /\bstub\b\s*[:=]/i,
+    /\bnot implemented\b/i,
+];
+export function findStubMarkers(input) {
+    const markers = [];
+    for (const filePath of input.filePaths) {
+        const abs = join(input.projectRoot, filePath);
+        let content;
+        try {
+            content = readFileSync(abs, 'utf8');
+        }
+        catch {
+            continue;
+        }
+        for (const pattern of STUB_MARKER_PATTERNS) {
+            const match = pattern.exec(content);
+            if (match !== null) {
+                markers.push({ filePath, pattern: pattern.source, snippet: match[0] });
+            }
+        }
+    }
+    return { stubMarkers: markers, testFiles: [] };
+}
+export function findTestFiles(projectRoot, sourceDir) {
+    const testsDir = join(projectRoot, sourceDir.replace(/^src\//, 'tests/'));
+    if (!existsSync(testsDir))
+        return [];
+    try {
+        const stat = statSync(testsDir);
+        if (!stat.isDirectory())
+            return [];
+    }
+    catch {
+        return [];
+    }
+    const result = [];
+    const walk = (dir) => {
+        let entries;
+        try {
+            entries = readdirSync(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            const full = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                walk(full);
+            }
+            else if (entry.isFile() && /\.(test|spec)\.ts$/.test(entry.name)) {
+                result.push(full);
+            }
+        }
+    };
+    walk(testsDir);
+    return result;
+}

package/dist/src/services/audit/enforcers/resume-detection.d.ts

@@ -0,0 +1,21 @@
+/**
+ * resume-detection enforcer (L2.2 P1) — verifies a slice can be resumed
+ * before the LLM continues work on it.
+ *
+ * Two red lines:
+ *   - rl-resume-detection-001: session-binding file must exist
+ *   - rl-resume-detection-002: existing rd request state must be in
+ *     {spec-locked, implemented, qa-handoff} (resumable states)
+ */
+export interface ResumeDetectionInput {
+    readonly projectRoot: string;
+    readonly sessionId: string;
+}
+export interface ResumeDetectionResult {
+    readonly sessionBindingExists: boolean;
+    readonly sessionBindingPath: string;
+    readonly requestState: string | null;
+    readonly requestStatePath: string;
+    readonly canResume: boolean;
+}
+export declare function checkResume(input: ResumeDetectionInput): ResumeDetectionResult;

package/dist/src/services/audit/enforcers/resume-detection.js

@@ -0,0 +1,52 @@
+/**
+ * resume-detection enforcer (L2.2 P1) — verifies a slice can be resumed
+ * before the LLM continues work on it.
+ *
+ * Two red lines:
+ *   - rl-resume-detection-001: session-binding file must exist
+ *   - rl-resume-detection-002: existing rd request state must be in
+ *     {spec-locked, implemented, qa-handoff} (resumable states)
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+const RESUMABLE_STATES = new Set(['spec-locked', 'implemented', 'qa-handoff']);
+export function checkResume(input) {
+    const sessionBindingPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'session.json');
+    const sessionBindingExists = existsSync(sessionBindingPath);
+    // The rd request artifact lives under .peaks/_runtime/<sid>/rd/requests/<rid>.md
+    // (canonical session layout per `src-services-session-canonical-workspace-resolver.md`).
+    // We look at the most-recent rd request to detect state. The full request-artifact
+    // service is the authoritative source; this is a lightweight check for the audit
+    // scanner.
+    const rdDir = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'rd/requests');
+    let requestState = null;
+    let requestStatePath = '';
+    if (existsSync(rdDir)) {
+        try {
+            const files = require('node:fs').readdirSync(rdDir);
+            for (const file of files) {
+                if (!file.endsWith('.md'))
+                    continue;
+                const path = join(rdDir, file);
+                const content = readFileSync(path, 'utf8');
+                const match = /state:\s*([a-z0-9-]+)/i.exec(content);
+                if (match !== null) {
+                    requestState = match[1] ?? null;
+                    requestStatePath = path;
+                    break;
+                }
+            }
+        }
+        catch {
+            // ignore read errors
+        }
+    }
+    const canResume = sessionBindingExists && requestState !== null && RESUMABLE_STATES.has(requestState);
+    return {
+        sessionBindingExists,
+        sessionBindingPath,
+        requestState,
+        requestStatePath,
+        canResume,
+    };
+}

package/dist/src/services/audit/enforcers/solo-code-ban.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Solo-code-ban enforcer — PreToolUse Bash guard.
+ *
+ * Per L2 redesign §5.4. Deny `git commit` or `git apply` invocations from
+ * a peaks-* skill. The Solo Code-Change Red Line says peaks-solo / peaks-rd
+ * are orchestrators, not implementers; the actual `git commit` step must
+ * go through `peaks request transition`, which itself enforces spec-locked
+ * + tech-doc-presence.
+ *
+ * Trust red line (per `gate-enforcement-hook.md`): if the registry or
+ * manifest read fails, the hook must fail-OPEN (warn + allow). The LLM is
+ * never bricked by a peaks bug.
+ */
+export interface SoloCodeBanInput {
+    readonly skill: string;
+    readonly command: string;
+}
+export interface SoloCodeBanResult {
+    readonly denied: boolean;
+    readonly reason: string;
+}
+export declare function isSoloCodeCommit(skill: string, command: string): boolean;
+export declare function evaluateSoloCodeBan(input: SoloCodeBanInput): SoloCodeBanResult;

package/dist/src/services/audit/enforcers/solo-code-ban.js

@@ -0,0 +1,27 @@
+/**
+ * Solo-code-ban enforcer — PreToolUse Bash guard.
+ *
+ * Per L2 redesign §5.4. Deny `git commit` or `git apply` invocations from
+ * a peaks-* skill. The Solo Code-Change Red Line says peaks-solo / peaks-rd
+ * are orchestrators, not implementers; the actual `git commit` step must
+ * go through `peaks request transition`, which itself enforces spec-locked
+ * + tech-doc-presence.
+ *
+ * Trust red line (per `gate-enforcement-hook.md`): if the registry or
+ * manifest read fails, the hook must fail-OPEN (warn + allow). The LLM is
+ * never bricked by a peaks bug.
+ */
+const COMMIT_APPLY_PATTERN = /^\s*git\s+(commit|apply)\b/;
+const DENY_REASON = 'Solo Code-Change Red Line: peaks-* skills must go through peaks-solo / peaks-rd. ' +
+    'Use `peaks request transition` instead of `git commit` / `git apply` directly.';
+export function isSoloCodeCommit(skill, command) {
+    if (!skill.startsWith('peaks-'))
+        return false;
+    return COMMIT_APPLY_PATTERN.test(command);
+}
+export function evaluateSoloCodeBan(input) {
+    if (isSoloCodeCommit(input.skill, input.command)) {
+        return { denied: true, reason: DENY_REASON };
+    }
+    return { denied: false, reason: '' };
+}

package/dist/src/services/audit/enforcers/sub-agent-sid.d.ts

@@ -0,0 +1,25 @@
+/**
+ * sub-agent-sid enforcer — dogfood of Slice 0.5 sid-naming-guard.
+ *
+ * Per L2 redesign §5.4, "sub-agent-sid" is one of the 5 P0 red lines.
+ * Slice 0.5 (Task 7) shipped `isValidSessionId` in
+ * `src/services/workspace/sid-naming-guard.ts`. This enforcer exposes the
+ * same check to the red-line audit framework, so any invalid sid under
+ * `.peaks/_sub_agents/` shows up as a backable red line in the audit.
+ */
+export interface SubAgentSidCheckResult {
+    readonly invalid: readonly string[];
+    readonly valid: readonly string[];
+    readonly scanned: boolean;
+}
+/**
+ * Find sids under `.peaks/_sub_agents/<sid>/` that fail `isValidSessionId`.
+ * Bare forms (sid-3, unknown-sid) and date-mismatched sids all fail.
+ */
+export declare function findInvalidSubAgentSids(projectRoot: string): SubAgentSidCheckResult;
+/**
+ * Same check, for `.peaks/_runtime/<sid>/`. Slice 0.5's clean-service
+ * already handles the sub-agents dir; the audit framework also wants to
+ * know about invalid runtime sids (which would be a different failure mode).
+ */
+export declare function findInvalidRuntimeSids(projectRoot: string): SubAgentSidCheckResult;

package/dist/src/services/audit/enforcers/sub-agent-sid.js

@@ -0,0 +1,63 @@
+/**
+ * sub-agent-sid enforcer — dogfood of Slice 0.5 sid-naming-guard.
+ *
+ * Per L2 redesign §5.4, "sub-agent-sid" is one of the 5 P0 red lines.
+ * Slice 0.5 (Task 7) shipped `isValidSessionId` in
+ * `src/services/workspace/sid-naming-guard.ts`. This enforcer exposes the
+ * same check to the red-line audit framework, so any invalid sid under
+ * `.peaks/_sub_agents/` shows up as a backable red line in the audit.
+ */
+import { existsSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { isValidSessionId } from '../../workspace/sid-naming-guard.js';
+const SUB_AGENTS_DIR = '.peaks/_sub_agents';
+const RUNTIME_DIR = '.peaks/_runtime';
+/**
+ * Find sids under `.peaks/_sub_agents/<sid>/` that fail `isValidSessionId`.
+ * Bare forms (sid-3, unknown-sid) and date-mismatched sids all fail.
+ */
+export function findInvalidSubAgentSids(projectRoot) {
+    const subAgentsRoot = join(projectRoot, SUB_AGENTS_DIR);
+    if (!existsSync(subAgentsRoot)) {
+        return { invalid: [], valid: [], scanned: false };
+    }
+    const entries = readdirSync(subAgentsRoot, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => e.name);
+    const invalid = [];
+    const valid = [];
+    for (const name of entries) {
+        if (isValidSessionId(name)) {
+            valid.push(name);
+        }
+        else {
+            invalid.push(name);
+        }
+    }
+    return { invalid, valid, scanned: true };
+}
+/**
+ * Same check, for `.peaks/_runtime/<sid>/`. Slice 0.5's clean-service
+ * already handles the sub-agents dir; the audit framework also wants to
+ * know about invalid runtime sids (which would be a different failure mode).
+ */
+export function findInvalidRuntimeSids(projectRoot) {
+    const runtimeRoot = join(projectRoot, RUNTIME_DIR);
+    if (!existsSync(runtimeRoot)) {
+        return { invalid: [], valid: [], scanned: false };
+    }
+    const entries = readdirSync(runtimeRoot, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => e.name);
+    const invalid = [];
+    const valid = [];
+    for (const name of entries) {
+        if (isValidSessionId(name)) {
+            valid.push(name);
+        }
+        else {
+            invalid.push(name);
+        }
+    }
+    return { invalid, valid, scanned: true };
+}

package/dist/src/services/audit/enforcers/tech-doc-presence.d.ts

@@ -0,0 +1,28 @@
+/**
+ * tech-doc-presence enforcer — refuses `peaks request transition <rid>
+ * spec-locked` if the slice's tech-doc.md is missing.
+ *
+ * Per L2 redesign §5.4. The tech-doc is the BLOCKING artifact for the
+ * spec-locked transition. This enforcer is called from
+ * `request-transition-service.ts` BEFORE the state machine runs.
+ *
+ * The session id is resolved from the current working directory using
+ * the canonical workspace resolver (per
+ * `src-services-session-canonical-workspace-resolver.md` memory).
+ */
+export interface TechDocPresenceInput {
+    readonly projectRoot: string;
+    readonly sessionId: string;
+}
+export interface TechDocPresenceResult {
+    readonly exists: boolean;
+    readonly path: string;
+    readonly isEmpty: boolean;
+}
+export declare function checkTechDocPresence(input: TechDocPresenceInput): TechDocPresenceResult;
+/**
+ * Hard-coded error message used by `request-transition-service.ts` when
+ * the spec-locked transition is refused.
+ */
+export declare const TECH_DOC_MISSING_MESSAGE: string;
+export declare const TECH_DOC_MISSING_CODE = "TECH_DOC_MISSING";

package/dist/src/services/audit/enforcers/tech-doc-presence.js

@@ -0,0 +1,35 @@
+/**
+ * tech-doc-presence enforcer — refuses `peaks request transition <rid>
+ * spec-locked` if the slice's tech-doc.md is missing.
+ *
+ * Per L2 redesign §5.4. The tech-doc is the BLOCKING artifact for the
+ * spec-locked transition. This enforcer is called from
+ * `request-transition-service.ts` BEFORE the state machine runs.
+ *
+ * The session id is resolved from the current working directory using
+ * the canonical workspace resolver (per
+ * `src-services-session-canonical-workspace-resolver.md` memory).
+ */
+import { existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+export function checkTechDocPresence(input) {
+    const docPath = join(input.projectRoot, '.peaks/_runtime', input.sessionId, 'rd/tech-doc.md');
+    if (!existsSync(docPath)) {
+        return { exists: false, path: docPath, isEmpty: false };
+    }
+    let stat;
+    try {
+        stat = statSync(docPath);
+    }
+    catch {
+        return { exists: false, path: docPath, isEmpty: false };
+    }
+    return { exists: true, path: docPath, isEmpty: stat.size === 0 };
+}
+/**
+ * Hard-coded error message used by `request-transition-service.ts` when
+ * the spec-locked transition is refused.
+ */
+export const TECH_DOC_MISSING_MESSAGE = 'spec-locked transition requires `rd/tech-doc.md` to exist and be non-empty. ' +
+    'Run `peaks-rd` to produce the tech-doc first, then retry the transition.';
+export const TECH_DOC_MISSING_CODE = 'TECH_DOC_MISSING';

package/dist/src/services/audit/red-line-catalog-p2-a.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Red-line catalog — P2-a entries (Slice #6 L2.3).
+ *
+ * These 25 entries close the lint-style gap left by L2.1 (P0) and
+ * L2.2 (P1). Per spec §5.4, P2-a targets 25-40 lint-style red-lines
+ * for SKILL.md, references/, and openspec/. They are small,
+ * pattern-based, and reference the existing CLI surface (no new
+ * runtime dependencies).
+ *
+ * Enforcer functions live in `enforcers/lint-style-*.ts` and are
+ * wired into the audit framework via the same `enforcerRef`
+ * discovery path as the P0 / P1 entries.
+ */
+import type { RedLineCatalogEntry } from './red-line-catalog.js';
+/**
+ * The 25 P2-a entries, in stable display order. Appending to a single
+ * readonly array keeps the catalog growable: future slices (L2.4, L3.x)
+ * can spread this list into RED_LINE_CATALOG and add their own without
+ * touching this file.
+ */
+export declare const RED_LINE_CATALOG_P2_A: readonly RedLineCatalogEntry[];

package/dist/src/services/audit/red-line-catalog-p2-a.js

@@ -0,0 +1,233 @@
+/** Theme A — Section structure (5 enforcers). The section-shape and
+ *  frontmatter-shape enforcers both live in lint-style.ts (a single
+ *  file groups the small per-skill pattern scans). */
+const SECTION_HARD_CONTRACTS = {
+    id: 'rl-section-hard-contracts-001',
+    rule: 'Section structure: Hard contracts for browser/IO surface',
+    markers: ['MANDATORY', 'BLOCKING'],
+    phrases: ['hard contract', 'hard contracts for browser', 'must be read before'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const SECTION_MANDATORY_ARTIFACT = {
+    id: 'rl-section-mandatory-artifact-001',
+    rule: 'Section structure: Mandatory per-request artifact',
+    markers: ['MANDATORY', 'BLOCKING'],
+    phrases: ['mandatory per-request artifact', 'mandatory per-slice', 'mandatory .peaks/'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const SECTION_DEFAULT_RUNBOOK = {
+    id: 'rl-section-default-runbook-001',
+    rule: 'Section structure: Default runbook pointer',
+    markers: ['MANDATORY'],
+    phrases: ['default runbook', 'runbook is in the references', 'full runbook', '## Default runbook'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const SECTION_GATE_INDEX = {
+    id: 'rl-section-gate-index-001',
+    rule: 'Section structure: Gate index',
+    markers: ['MANDATORY'],
+    phrases: ['gate index', 'rd gate index', 'qa gate index', 'cli-backed gates'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const SECTION_NAMING_AXIOM = {
+    id: 'rl-section-naming-axiom-001',
+    rule: 'Section structure: Two-axis naming axiom',
+    markers: ['MANDATORY'],
+    phrases: ['two-axis naming', 'change-id', 'session-id', 'two orthogonal axes'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+/** Theme A wireframe — the "ASCII wireframe" hint from spec §5.4
+ *  line 647. The section-order enforcer in lint-style.ts checks
+ *  that the canonical sections appear in the documented order. */
+const SECTION_ORDER_WIREFRAME = {
+    id: 'rl-section-order-wireframe-001',
+    rule: 'Section structure: ASCII wireframe — sections in canonical order',
+    markers: ['MANDATORY'],
+    phrases: ['wireframe', 'section order', 'canonical order', 'ascii wireframe'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+/** Theme B — Frontmatter shape (3 enforcers). Grouped with Theme A
+ *  in lint-style.ts; the loadStrategy check is a helper
+ *  `lintReferenceLoadStrategy` that takes the references dir. */
+const FRONTMATTER_PARSEABLE = {
+    id: 'rl-frontmatter-skills-md-001',
+    rule: 'Frontmatter shape: skills_md parseable frontmatter',
+    markers: ['MANDATORY'],
+    phrases: ['frontmatter', 'parseable', 'name: peaks-', 'description:'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const FRONTMATTER_REFERENCES_LOAD_STRATEGY = {
+    id: 'rl-frontmatter-references-load-strategy-001',
+    rule: 'Frontmatter shape: references loadStrategy declared',
+    markers: ['MANDATORY'],
+    phrases: ['loadstrategy', 'load-strategy', 'always | on-demand'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+const FRONTMATTER_APPLICABLE_TASK_LEVELS = {
+    id: 'rl-frontmatter-applicable-task-levels-001',
+    rule: 'Frontmatter shape: skill applicable task levels',
+    markers: ['MANDATORY'],
+    phrases: ['applicabletasklevels', 'task levels invoke', 'applies to'],
+    enforcerRef: 'src/services/audit/enforcers/lint-style.ts',
+};
+/** Theme C — Output style (3 enforcers) */
+const OUTPUT_STYLE_STATUS_HEADER = {
+    id: 'rl-output-style-status-header-001',
+    rule: 'Output style: Peaks-Cli status header on every response',
+    markers: ['MANDATORY'],
+    phrases: ['peaks-cli skill:', 'peaks-cli gate:', 'peaks-cli next:', 'status header'],
+    enforcerRef: 'src/services/audit/enforcers/lint-output-style.ts',
+};
+const OUTPUT_STYLE_NO_FLUFF = {
+    id: 'rl-output-style-no-fluff-001',
+    rule: 'Output style: no greeting / persona fluff in SKILL.md',
+    markers: ['MUST NOT'],
+    phrases: ['你好,', '你好!', 'hello, i am', 'i am a', '作为一个', '我是'],
+    enforcerRef: 'src/services/audit/enforcers/lint-output-style.ts',
+};
+const OUTPUT_STYLE_NO_CLOSING_PROMPT = {
+    id: 'rl-output-style-no-closing-prompt-001',
+    rule: 'Output style: no closing-prompt flattery',
+    markers: ['MUST NOT'],
+    phrases: ['let me know if', '如有任何需要', '如有需要', 'feel free to ask', 'do not hesitate'],
+    enforcerRef: 'src/services/audit/enforcers/lint-output-style.ts',
+};
+/** Theme D — CLI-back gaps (4 enforcers) */
+const CLI_BACK_MANDATORY_TEXT = {
+    id: 'rl-cli-back-mandatory-text-001',
+    rule: 'CLI-back: MANDATORY text has peaks * enforcer in the surrounding ±2 lines',
+    markers: ['MANDATORY'],
+    phrases: ['mandatory', 'mandatory peaks', 'cli-enforced-by', 'enforced by peaks'],
+    enforcerRef: 'src/services/audit/enforcers/lint-cli-back.ts',
+};
+const CLI_BACK_NO_ORPHAN_BLOCKING = {
+    id: 'rl-cli-back-no-orphan-blocking-001',
+    rule: 'CLI-back: no orphan BLOCKING marker without a peaks * enforcer',
+    markers: ['BLOCKING'],
+    phrases: ['blocking', 'blocking peaks', 'blocking gate'],
+    enforcerRef: 'src/services/audit/enforcers/lint-cli-back.ts',
+};
+const CLI_BACK_NO_ORPHAN_MUST_NOT = {
+    id: 'rl-cli-back-no-orphan-must-not-001',
+    rule: 'CLI-back: no orphan MUST NOT marker without a peaks * enforcer',
+    markers: ['MUST NOT'],
+    phrases: ['must not', 'must not peaks', 'must not be'],
+    enforcerRef: 'src/services/audit/enforcers/lint-cli-back.ts',
+};
+const CLI_BACK_PROSE_ONLY_THRESHOLD = {
+    id: 'rl-cli-back-prose-only-threshold-001',
+    rule: 'CLI-back: prose-only ratio must stay ≤ 5%',
+    markers: ['MANDATORY'],
+    phrases: ['prose-only', 'prose only', 'prose-only ratio', 'prose-only threshold'],
+    enforcerRef: 'src/services/audit/enforcers/lint-cli-back.ts',
+};
+/** Theme E — Reference integrity (4 enforcers) */
+const REF_PATH_RESOLVES = {
+    id: 'rl-ref-path-resolves-001',
+    rule: 'Reference integrity: every references/<file>.md link resolves',
+    markers: ['MANDATORY'],
+    phrases: ['see references/', 'see `references/', 'see the references file', '→ see'],
+    enforcerRef: 'src/services/audit/enforcers/lint-reference-integrity.ts',
+};
+const REF_NO_BROKEN_MKDIR = {
+    id: 'rl-ref-no-broken-mkdir-001',
+    rule: 'Reference integrity: no `mkdir -p` outside the project root',
+    markers: ['MUST NOT'],
+    phrases: ['mkdir -p', 'mkdir -p /', 'mkdir outside', 'mkdir the'],
+    enforcerRef: 'src/services/audit/enforcers/lint-reference-integrity.ts',
+};
+const REF_NO_PWD_SYMLINK_JUMPS = {
+    id: 'rl-ref-no-pwd-symlink-jumps-001',
+    rule: 'Reference integrity: no `cd ..` chain jumping outside the project',
+    markers: ['MUST NOT'],
+    phrases: ['cd ..', 'cd ../..', 'cd ../../..', 'cd outside the project'],
+    enforcerRef: 'src/services/audit/enforcers/lint-reference-integrity.ts',
+};
+const REF_NO_RELATIVE_ARCHIVE_PATHS = {
+    id: 'rl-ref-no-relative-archive-paths-001',
+    rule: 'Reference integrity: no `cp`/`mv`/`ln` to absolute /tmp paths',
+    markers: ['MUST NOT'],
+    phrases: ['cp /tmp', 'mv /tmp', 'ln /tmp', 'cp -r /tmp', 'do not use /tmp'],
+    enforcerRef: 'src/services/audit/enforcers/lint-reference-integrity.ts',
+};
+/** Theme F — Workflow-bound shape (4 enforcers) */
+const OPENSPEC_PROPOSAL_HAS_AC_BULLETS = {
+    id: 'rl-openspec-proposal-has-acceptance-bullets-001',
+    rule: 'Workflow: openspec proposal has non-empty Acceptance Criteria bullets',
+    markers: ['MANDATORY'],
+    phrases: ['acceptance criteria', 'a1 —', 'a2 —', '## acceptance criteria'],
+    enforcerRef: 'src/services/audit/enforcers/lint-workflow-shape.ts',
+};
+const OPENSPEC_PROPOSAL_HAS_SPEC_CHANGES = {
+    id: 'rl-openspec-proposal-has-spec-changes-001',
+    rule: 'Workflow: openspec proposal has Spec reference (canonical) link',
+    markers: ['MANDATORY'],
+    phrases: ['spec reference (canonical)', 'spec reference', 'see the spec'],
+    enforcerRef: 'src/services/audit/enforcers/lint-workflow-shape.ts',
+};
+const TECH_DOC_PRESENCE_PRE_RD = {
+    id: 'rl-tech-doc-presence-pre-rd-001',
+    rule: 'Workflow: rd/tech-doc.md has Red-line scope + Implementation evidence',
+    markers: ['MANDATORY'],
+    phrases: ['red-line scope', 'implementation evidence', '## red-line scope', '## implementation evidence'],
+    enforcerRef: 'src/services/audit/enforcers/lint-workflow-shape.ts',
+};
+const PEAKS_DOCTOR_SKILL_ACKNOWLEDGED = {
+    id: 'rl-peaks-doctor-skill-acknowledged-001',
+    rule: 'Workflow: skill that writes a request artifact acknowledges peaks doctor',
+    markers: ['MANDATORY'],
+    phrases: ['peaks doctor', 'peaks-doctor', 'doctor scan', 'doctor route'],
+    enforcerRef: 'src/services/audit/enforcers/lint-workflow-shape.ts',
+};
+/** Theme G — Catalog governance (2 enforcers). The catalog-size
+ *  enforcer was already planned; the prose-only-ratio enforcer is
+ *  the partner check that flags when the catalog has too many
+ *  prose-only entries (i.e. when CLI-back coverage is regressing). */
+const CATALOG_TOTAL_LE_45 = {
+    id: 'rl-catalog-total-001',
+    rule: 'Catalog governance: catalog size must grow to ≥ 40 (L2.3 P2-a target)',
+    markers: ['MANDATORY'],
+    phrases: ['total red lines', 'totalredlines', 'catalog size', 'catalog grows'],
+    enforcerRef: 'src/services/audit/enforcers/lint-catalog-governance.ts',
+};
+const CATALOG_PROSE_ONLY_RATIO = {
+    id: 'rl-catalog-prose-only-ratio-001',
+    rule: 'Catalog governance: prose-only ratio must stay ≤ 5% (per §10.2 L2 acceptance)',
+    markers: ['MANDATORY'],
+    phrases: ['prose-only ratio', 'prose-only threshold', 'prose-only ≤ 5%', 'prose-only < 10%'],
+    enforcerRef: 'src/services/audit/enforcers/lint-catalog-governance.ts',
+};
+/**
+ * The 25 P2-a entries, in stable display order. Appending to a single
+ * readonly array keeps the catalog growable: future slices (L2.4, L3.x)
+ * can spread this list into RED_LINE_CATALOG and add their own without
+ * touching this file.
+ */
+export const RED_LINE_CATALOG_P2_A = [
+    SECTION_HARD_CONTRACTS,
+    SECTION_MANDATORY_ARTIFACT,
+    SECTION_DEFAULT_RUNBOOK,
+    SECTION_GATE_INDEX,
+    SECTION_NAMING_AXIOM,
+    SECTION_ORDER_WIREFRAME,
+    FRONTMATTER_PARSEABLE,
+    FRONTMATTER_REFERENCES_LOAD_STRATEGY,
+    FRONTMATTER_APPLICABLE_TASK_LEVELS,
+    OUTPUT_STYLE_STATUS_HEADER,
+    OUTPUT_STYLE_NO_FLUFF,
+    OUTPUT_STYLE_NO_CLOSING_PROMPT,
+    CLI_BACK_MANDATORY_TEXT,
+    CLI_BACK_NO_ORPHAN_BLOCKING,
+    CLI_BACK_NO_ORPHAN_MUST_NOT,
+    CLI_BACK_PROSE_ONLY_THRESHOLD,
+    REF_PATH_RESOLVES,
+    REF_NO_BROKEN_MKDIR,
+    REF_NO_PWD_SYMLINK_JUMPS,
+    REF_NO_RELATIVE_ARCHIVE_PATHS,
+    OPENSPEC_PROPOSAL_HAS_AC_BULLETS,
+    OPENSPEC_PROPOSAL_HAS_SPEC_CHANGES,
+    TECH_DOC_PRESENCE_PRE_RD,
+    PEAKS_DOCTOR_SKILL_ACKNOWLEDGED,
+    CATALOG_TOTAL_LE_45,
+    CATALOG_PROSE_ONLY_RATIO,
+];

package/dist/src/services/audit/red-line-catalog-p2-b.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Red-line catalog — P2-b entries (Slice #7 L2.4).
+ *
+ * These 25 entries close the references/*.md + audit-regression
+ * gap left by L2.1 (P0), L2.2 (P1), and L2.3 (P2-a). Per spec
+ * §5.4, P2-b targets 25-40 lint-style red-lines for
+ * references/*.md and the audit regression stage.
+ *
+ * Enforcer functions live in:
+ *   - enforcers/lint-reference-shape.ts (Themes H-K, M-P)
+ *   - enforcers/lint-audit-regression.ts (Theme L)
+ */
+import type { RedLineCatalogEntry } from './red-line-catalog.js';
+/**
+ * The 25 P2-b entries, in stable display order. Spread into
+ * RED_LINE_CATALOG (after P2-a's block) so future slices can
+ * append without touching this file.
+ */
+export declare const RED_LINE_CATALOG_P2_B: readonly RedLineCatalogEntry[];