peaks-cli 2.0.2 → 2.0.3

package/.claude-plugin/marketplace.json

@@ -1,13 +1,13 @@
 {
   "metadata": {
     "pluginRoot": ".",
-    "version": "2.0.2"
+    "version": "2.0.3"
   },
   "plugins": [
     {
       "name": "peaks-cli",
       "description": "Cross-AI-IDE workflow-gating CLI + 11-skill family. Turns LLM improvisation into auditable engineering process. Skills cover PRD / R&D / UI / QA / change-control / context / SOP definition / orchestration. Soft-fail gates block irreversible actions mid-conversation (even under --dangerously-skip-permissions).",
-      "version": "2.0.2",
+      "version": "2.0.3",
       "author": {
         "name": "SquabbyZ"
       },

package/CHANGELOG.md

@@ -7,6 +7,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [2.0.3] — 2026-06-13
+
+### Fixed
+
+- **`@alibaba-group/open-code-review` reverted to `optionalDependency`**
+  (was promoted to a hard `dependency` in 2.0.1 and carried through
+  2.0.2). The ocr npm package's `postinstall` downloads a Go binary
+  via HTTPS, which fails in restricted/proxied environments and was
+  aborting the whole `npm i -g peaks-cli` flow. The 5-state detector
+  (`ready` / `package-missing` / `binary-missing` / `config-missing` /
+  `detection-failed`) and the soft-fail policy are unchanged — peaks-cli
+  never blocks on ocr being installed; it just no longer forces the
+  install. Users who want the second-opinion review run
+  `npm i -g @alibaba-group/open-code-review` explicitly. Under pnpm
+  they also need `pnpm approve-builds @alibaba-group/open-code-review`
+  for the binary download to run. Source-of-truth refactor (ocr config
+  under `peaksConfig.ocr.llm`) from 2.0.1 is unchanged.
+
+---
+
 ## [2.0.0] — 2026-06-12
 
 ### 🎯 Headline
@@ -29,6 +49,15 @@ alongside the LLM-only review. Soft-fails so missing ocr never blocks
 a slice. New CLI: `peaks code-review detect-ocr` / `run-ocr`. See
 `skills/peaks-rd/references/ocr-integration.md` for the contract.
 
+> **Note:** This `optionalDependency` classification was briefly
+> promoted to a hard `dependency` in 2.0.1 (alongside the source-of-truth
+> refactor) because the user feedback was "peaks-cli should not leave
+> install to the user". 2.0.3 reverts just the classification — the
+> source-of-truth refactor stays — because the ocr postinstall
+> downloads a Go binary via HTTPS, which fails in restricted/proxied
+> environments and was aborting `npm i -g peaks-cli`. See the 2.0.3
+> entry above for the full rationale.
+
 ### Breaking Changes
 
 - **`.claude/rules/` is no longer the source of truth for project standards.**
@@ -71,6 +100,14 @@ config surface.
   to download the platform binary still soft-fail at runtime
   (`binary-missing` state) — the install-time failure risk is the
   trade-off.
+
+  > **Reverted in 2.0.3.** The install-time failure risk turned out
+  > to bite too many real-world installs (corporate proxies, region
+  > firewalls, sandboxed dev environments all abort the whole
+  > `npm i -g peaks-cli`). 2.0.3 puts ocr back under
+  > `optionalDependencies`; everything else in this section
+  > (env-var injection, `config-template` CLI, `missingKeys`,
+  > source-of-truth under `peaksConfig.ocr.llm`) is unchanged.
 - **`detectOcr` / `runOcrReview` no longer read `~/.opencodereview/config.json`.**
   The source of truth is `peaksConfig.ocr.llm` (parsed by
   `getOcrLlmConfig()` in `config-service.ts`). Missing fields surface

package/dist/src/cli/commands/code-review-commands.js

@@ -5,7 +5,7 @@ import { fail, ok } from '../../shared/result.js';
 export function registerCodeReviewCommands(program, io) {
     const codeReview = program
         .command('code-review')
-        .description('Code-review primitives for peaks-rd Gate B3. Wraps the soft-optional `@alibaba-group/open-code-review` (ocr) tool when it is installed + configured; peaks-rd uses the structured JSON output as a second-opinion review alongside its own LLM review. ocr ships as a peaks-cli dependency (not optional). LLM endpoint config lives under `peaksConfig.ocr.llm` in the user config — run `peaks code-review config-template` to see the JSON snippet to paste.');
+        .description('Code-review primitives for peaks-rd Gate B3. Wraps the soft-optional `@alibaba-group/open-code-review` (ocr) tool when it is installed + configured; peaks-rd uses the structured JSON output as a second-opinion review alongside its own LLM review. ocr is an optional dependency of peaks-cli 2.0.3+ (was briefly promoted to a hard dependency in 2.0.1/2.0.2 — reverted because its postinstall downloads a Go binary via HTTPS and would otherwise abort `npm i -g peaks-cli` in restricted environments). LLM endpoint config lives under `peaksConfig.ocr.llm` in the user config — run `peaks code-review config-template` to see the JSON snippet to paste.');
     addJsonOption(codeReview
         .command('detect-ocr')
         .description('Read-only probe: returns the ocr install + config state as a JSON envelope (5 reasons: ready / package-missing / binary-missing / config-missing / detection-failed). peaks-rd calls this first to decide whether to invoke `run-ocr`. Reads the LLM endpoint from `peaksConfig.ocr.llm` (not from ~/.opencodereview/config.json).')

package/dist/src/services/code-review/ocr-service.js

@@ -36,12 +36,17 @@
  * To see the JSON template to paste, run:
  *   `peaks code-review config-template`
  *
- * The ocr package is declared in package.json:dependencies (was
- * previously optionalDependencies) so `npm i -g peaks-cli@2.0.x`
- * pulls it automatically (npm runs the ocr postinstall by default,
- * which downloads the Go binary). pnpm-based installs need
- * `pnpm approve-builds @alibaba-group/open-code-review`. Either
- * way, peaks-cli detects the install state and reports it.
+ * The ocr package is declared in package.json:optionalDependencies
+ * (was promoted to `dependencies` in 2.0.1 and reverted in 2.0.3 —
+ * the ocr postinstall downloads a Go binary via HTTPS, which fails
+ * in restricted/proxied environments and would otherwise abort the
+ * whole `npm i -g peaks-cli` flow). Peaks-cli ships with ocr *not*
+ * installed; if the user wants it, they run
+ *   `npm i -g @alibaba-group/open-code-review`
+ * and peaks-cli's 5-state detector (below) reports whether the
+ * binary is actually usable. pnpm-based installs additionally need
+ * `pnpm approve-builds @alibaba-group/open-code-review` for the
+ * binary download to run. Either way, peaks-cli never blocks on it.
  */
 import { spawnSync } from 'node:child_process';
 import { existsSync } from 'node:fs';
@@ -50,7 +55,7 @@ import { fileURLToPath } from 'node:url';
 import { dirname } from 'node:path';
 const OCR_DETECT_TIMEOUT_MS = 5000;
 const OCR_REVIEW_TIMEOUT_MS = 180000;
-const OCR_INSTALL_HINT = 'Install: `npm i -g @alibaba-group/open-code-review` (it is a hard dependency of peaks-cli 2.0.x and ships in the regular `npm install` flow). Then add your LLM endpoint to ~/.peaks/config.json — run `peaks code-review config-template` for the JSON snippet to paste.';
+const OCR_INSTALL_HINT = 'Install: `npm i -g @alibaba-group/open-code-review` (peaks-cli 2.0.3 ships with ocr as an optional dependency — its postinstall downloads a Go binary via HTTPS, which fails in some restricted/proxied environments; that\'s why peaks-cli does not auto-install it). Then add your LLM endpoint to ~/.peaks/config.json — run `peaks code-review config-template` for the JSON snippet to paste. Under pnpm you also need `pnpm approve-builds @alibaba-group/open-code-review` to allow the binary download.';
 const OCR_CONFIG_TEMPLATE = JSON.stringify({
     ocr: {
         llm: {

package/dist/src/shared/version.d.ts

@@ -1 +1 @@
-export declare const CLI_VERSION = "2.0.2";
+export declare const CLI_VERSION = "2.0.3";

package/dist/src/shared/version.js

@@ -1 +1 @@
-export const CLI_VERSION = "2.0.2";
+export const CLI_VERSION = "2.0.3";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "peaks-cli",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "Cross-AI-IDE workflow-gating CLI + skill family (Claude Code shipped, Trae in progress; Codex / Cursor / Qoder / Tongyi Lingma on the roadmap).",
   "author": "SquabbyZ",
   "license": "MIT",
@@ -59,12 +59,14 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@alibaba-group/open-code-review": "1.3.1",
     "@colbymchenry/codegraph": "0.7.10",
     "commander": "^12.1.0",
     "fzf": "^0.5.2",
     "headroom-ai": "0.22.4"
   },
+  "optionalDependencies": {
+    "@alibaba-group/open-code-review": "1.3.1"
+  },
   "devDependencies": {
     "@types/node": "^22.10.2",
     "@vitest/coverage-v8": "^2.1.8",

package/skills/peaks-rd/references/ocr-integration.md

@@ -2,11 +2,16 @@
 
 > Soft-optional second-opinion code review for peaks-rd Gate B3.
 > Mirrors the ECC 64-agents pattern (spec §7.2): peaks-cli ships
-> `@alibaba-group/open-code-review` as a **required dependency** and
-> reads the LLM endpoint config from `peaksConfig.ocr.llm` in the
-> user's `~/.peaks/config.json` (single source of truth, user-managed).
-> When present + configured, the wrapper turns the output into
-> structured `code-review.md` evidence.
+> `@alibaba-group/open-code-review` as an **`optionalDependency`**
+> (was promoted to `dependencies` in 2.0.1 and reverted in 2.0.3
+> because its postinstall downloads a Go binary via HTTPS and would
+> otherwise abort `npm i -g peaks-cli` in restricted/proxied
+> environments). The LLM endpoint config still lives under
+> `peaksConfig.ocr.llm` in the user's `~/.peaks/config.json` (single
+> source of truth, user-managed). When the user installs + configures
+> ocr, the wrapper turns its output into structured `code-review.md`
+> evidence; when missing, peaks-rd proceeds LLM-only and the slice
+> ships without the second opinion.
 
 ## What ocr is
 
@@ -34,9 +39,19 @@ ships without the second opinion.
 
 ## Install
 
-`@alibaba-group/open-code-review` is a **required `dependency`** of
-peaks-cli 2.0.1+. `npm i -g peaks-cli` pulls it automatically and
-downloads the platform binary in the postinstall step. Verify with:
+`@alibaba-group/open-code-review` is an **`optionalDependency`** of
+peaks-cli 2.0.3+ (was a required `dependency` in 2.0.1/2.0.2; reverted
+because the postinstall downloads a Go binary via HTTPS, which fails in
+restricted/proxied environments and would otherwise abort
+`npm i -g peaks-cli`). peaks-cli does NOT auto-install it. To enable
+the second-opinion review:
+
+```bash
+npm i -g @alibaba-group/open-code-review
+```
+
+(Under pnpm you also need `pnpm approve-builds @alibaba-group/open-code-review`
+so the binary download script can run.) Verify with:
 
 ```bash
 peaks code-review detect-ocr --json
@@ -47,7 +62,7 @@ Five possible states:
 | state | Meaning | Recovery |
 |---|---|---|
 | `ready` | Installed + binary downloaded + peaks-cli's `peaksConfig.ocr.llm` valid | Nothing — `run-ocr` will work. |
-| `package-missing` | npm dep not installed (corrupt node_modules, or user removed it) | `npm i -g @alibaba-group/open-code-review` (peaks-cli 2.0.1+ does this automatically; this state is rare) |
+| `package-missing` | npm dep not installed (peaks-cli 2.0.3+ ships with ocr as an `optionalDependency`, so the common cause is the user has not installed it yet, or it was removed from node_modules) | `npm i -g @alibaba-group/open-code-review` (peaks-cli no longer auto-installs it; under pnpm also run `pnpm approve-builds @alibaba-group/open-code-review`) |
 | `binary-missing` | npm dep present but Go binary did not download | `pnpm approve-builds @alibaba-group/open-code-review`, OR run `node node_modules/@alibaba-group/open-code-review/scripts/install.js`, OR manually fetch from https://github.com/alibaba/open-code-review/releases and place the binary at the path shown in `nextActions[2]`. |
 | `config-missing` | binary present but `peaksConfig.ocr.llm` is empty or partial | See "Configure" below. |
 | `detection-failed` | Unexpected error during detection | Inspect stderr; re-run probe. |