tlc-claude-code 2.2.1 → 2.4.0

package/.claude/agents/builder.md

@@ -122,6 +122,23 @@ src/modules/{entity}/
 - No credentials — use environment variables.
 - No magic numbers or strings — use named constants or enums.
 
+### Configuration
+- All `process.env` access MUST be in a config module — never in services or controllers.
+- Validate all required env vars at startup with a schema (Zod/Joi).
+- No silent empty-string fallbacks for secrets or connection strings.
+
+### Security
+- Every data-access endpoint MUST check resource ownership, not just authentication.
+- Never return secrets (API keys, tokens, passwords) in API responses or HTML.
+- Hash OTPs, reset tokens, and session secrets before storing — never plaintext.
+- Escape all dynamic values in HTML output — no raw interpolation.
+- No inline HTML string builders for new pages — use a proper frontend or templating engine.
+- Tests MUST prove that user A cannot read/modify user B's data.
+
+### Dependency Injection
+- Never manually instantiate services/providers with `new` — use DI.
+- Register all providers in the DI container.
+
 ### File and Folder Limits
 - Files: warn at 500 lines, error at 1000 lines.
 - Folders: warn at 8 files, error at 15 files.

package/.claude/commands/tlc/audit.md

@@ -52,6 +52,11 @@ Run `auditProject(projectPath)` which executes:
 | **Missing Return Types** | Exported functions without explicit return type | warning |
 | **Missing Parameter Types** | Function parameters without type annotations | error |
 | **Weak tsconfig** | `strict: true` not enabled in tsconfig.json | warning |
+| **Direct `process.env`** | `process.env.` usage outside config module files | error |
+| **Unescaped HTML** | Template literals containing HTML tags with `${` interpolation | error |
+| **Secrets in Responses** | Response objects containing fields named `apiKey`, `secret`, `token`, `password` | error |
+| **Manual Instantiation** | `new .*Provider(` or `new .*Service(` in application code | warning |
+| **Missing Ownership Check** | Controller methods with `@Param('id')` but no ownership/authorization guard | warning |
 
 ### Step 3: Generate Report
 
@@ -109,6 +114,13 @@ Status: FAILED (18 issues found)
   JSDoc Coverage:       8 issues (42% of exports undocumented)
   Import Style:         PASSED
 
+  SECURITY & CONFIG
+  Direct process.env:   3 issues (outside config module)
+  Unescaped HTML:       2 issues
+  Secrets in Responses: 1 issue
+  Manual Instantiation: 1 issue
+  Missing Ownership:    2 issues
+
 Report saved to: .planning/AUDIT-REPORT.md
 
 Fix automatically? Run /tlc:cleanup

package/.claude/commands/tlc/autofix.md

@@ -2,6 +2,37 @@
 
 Run tests, analyze failures, and automatically apply fixes for common error patterns.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'autofix', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## What This Does
 
 1. Runs test suite and captures failures

package/.claude/commands/tlc/build.md

@@ -2,6 +2,37 @@
 
 Write failing tests, then implement to make them pass.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'build', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## Engineering Standards
 
 **Code like a senior engineer with 15+ years experience.** Every line should reflect:
@@ -344,11 +375,45 @@ Task(resume="AGENT_ID", prompt="Continue from where you left off. Fix any errors
 - When user asks "check on agents"
 - After each agent completes
 
-**After all agents complete:**
-1. Run full test suite
+**Before spawning agents (integration branch):**
+
+Create an integration branch so all worktrees merge into one place, producing a single clean PR:
+
+```javascript
+const { createIntegrationBranch } = require('./server/lib/orchestration/worktree-manager');
+const { branch } = createIntegrationBranch(phaseNumber, { exec, baseBranch: 'main' });
+// branch = 'phase/42'
+```
+
+All worktrees branch off `phase/{N}`, not `main`. This means each worktree's diff is small and relative to the integration branch, not the entire main history.
+
+**After all agents complete — sequential merge-back:**
+
+```javascript
+const { mergeAllWorktrees, listWorktrees } = require('./server/lib/orchestration/worktree-manager');
+
+// Filter to only THIS phase's worktrees — don't merge unrelated work
+const allWorktrees = listWorktrees({ exec });
+const worktrees = allWorktrees.filter(wt => wt.name.startsWith(`phase-${phaseNumber}-`));
+const result = mergeAllWorktrees(worktrees, `phase/${phaseNumber}`, { exec });
+
+// result.merged = ['task-1', 'task-3', 'task-4']  — successfully merged
+// result.conflicts = ['task-2']                    — needs manual resolution
+```
+
+`mergeAllWorktrees` does the following automatically:
+1. **Analyzes file overlap** — worktrees touching disjoint files merge first
+2. **Merges one at a time** into `phase/{N}`
+3. **Rebases remaining worktrees** onto the updated `phase/{N}` after each merge
+4. **Skips conflicting worktrees** — preserves them for manual resolution, continues with others
+5. **Cleans up** merged worktrees (removes worktree dir + branch)
+
+After merge-back:
+1. Run full test suite on the integration branch
 2. Verify all tasks pass
-3. Report results
-4. Continue to Step 8 (verification)
+3. If conflicts exist, report them with file lists
+4. If clean, the integration branch is ready for a single PR to main
+5. Continue to Step 8 (verification)
 
 ### Step 1c: Sync and Claim (Multi-User, Sequential Only)
 
@@ -712,11 +777,17 @@ git diff --name-status main...HEAD
 1. **Test Coverage** - Every implementation file has a test file
 2. **TDD Compliance** - Commits show test-first pattern (score ≥ 50%)
 3. **Security Scan** - No hardcoded secrets, eval(), innerHTML, etc.
-4. **File Size** - No file exceeds 1000 lines (warning at 500+)
-5. **Folder Size** - No folder exceeds 15 files (warning at 8+)
-6. **Strict Typing** - No `any` types in new/changed files
-7. **Return Types** - All exported functions have explicit return types
-8. **Module Structure** - Files grouped by domain entity, not by type
+4. **Authorization** - Every data-access endpoint has ownership checks, not just auth guards
+5. **Secrets Exposure** - No API keys, tokens, or passwords returned in responses/HTML
+6. **Config Hygiene** - No `process.env` outside config module; config validated at startup
+7. **Output Encoding** - No unescaped `${...}` interpolation in HTML template strings
+8. **Sensitive Data** - OTPs, reset tokens, session secrets are hashed before storage
+9. **DI Compliance** - No manual `new Service()` / `new Provider()` in application code
+10. **File Size** - No file exceeds 1000 lines (warning at 500+)
+11. **Folder Size** - No folder exceeds 15 files (warning at 8+)
+12. **Strict Typing** - No `any` types in new/changed files
+13. **Return Types** - All exported functions have explicit return types
+14. **Module Structure** - Files grouped by domain entity, not by type
 
 **Review output:**
 
@@ -727,8 +798,11 @@ git diff --name-status main...HEAD
 Test Coverage: ✅ 5/5 files covered
 TDD Score: 75% ✅
 Security: ✅ No issues
+Authorization: ✅ All endpoints have ownership checks
+Secrets Exposure: ✅ No secrets in responses
+Config Hygiene: ✅ No process.env outside config
+Output Encoding: ✅ All HTML output escaped
 File Sizes: ✅ All under 1000 lines
-Folder Sizes: ✅ All under 15 files
 Strict Typing: ✅ No `any` found
 Return Types: ✅ All exports typed
 
@@ -899,10 +973,10 @@ Found: 2-PLAN.md (4 tasks)
 🚀 Overdrive Mode Available (Opus 4.6)
 
 Phase 2 has 4 independent tasks:
-  - Task 1: Create API routes         [sonnet] (standard)
-  - Task 2: Add input validation      [sonnet] (standard)
-  - Task 3: Write error handlers      [sonnet] (standard)
-  - Task 4: Add rate limiting config  [haiku]  (light)
+  - Task 1: Create API routes         [opus]
+  - Task 2: Add input validation      [opus]
+  - Task 3: Write error handlers      [opus]
+  - Task 4: Add rate limiting config  [opus]
 
 Recommended: 4 agents (one per task)
 
@@ -916,17 +990,17 @@ User: 1
 Claude: 🚀 Launching Overdrive Mode (Opus 4.6)
 
 Spawning 4 agents...
-[Agent 1] Task 1: Create API routes        [sonnet] - STARTED
-[Agent 2] Task 2: Add input validation     [sonnet] - STARTED
-[Agent 3] Task 3: Write error handlers     [sonnet] - STARTED
-[Agent 4] Task 4: Add rate limiting config [haiku]  - STARTED
+[Agent 1] Task 1: Create API routes        [opus] - STARTED
+[Agent 2] Task 2: Add input validation     [opus] - STARTED
+[Agent 3] Task 3: Write error handlers     [opus] - STARTED
+[Agent 4] Task 4: Add rate limiting config [opus] - STARTED
 
 ... agents working in background ...
 
-[Agent 4] ✅ Task 4 complete (1 commit)   [haiku - fast]
-[Agent 2] ✅ Task 2 complete (3 commits)  [sonnet]
-[Agent 1] ✅ Task 1 complete (4 commits)  [sonnet]
-[Agent 3] ✅ Task 3 complete (2 commits)  [sonnet]
+[Agent 4] ✅ Task 4 complete (1 commit)   [opus]
+[Agent 2] ✅ Task 2 complete (3 commits)  [opus]
+[Agent 1] ✅ Task 1 complete (4 commits)  [opus]
+[Agent 3] ✅ Task 3 complete (2 commits)  [opus]
 
 All agents complete. Running full test suite...
 ✅ 24 tests passing
@@ -957,7 +1031,7 @@ Phase 2 complete. Ready for /tlc:verify 2
 - Merge conflicts → Agents working on same files (rare if tasks are truly independent)
 - One agent failed → Other agents continue; resume failed agent or fix manually
 - Want sequential instead → Use `--sequential` flag: `/tlc:build 2 --sequential`
-- Cost too high → Use `--model haiku` to force all agents to haiku
+- Cost too high → Use `--agents 2` to limit parallelism
 - Agent running too long → Use `--max-turns 30` to limit execution
 
 ## Flags
@@ -966,7 +1040,7 @@ Phase 2 complete. Ready for /tlc:verify 2
 |------|-------------|
 | `--sequential` | Force sequential execution even if tasks are independent |
 | `--agents N` | Limit parallel agents to N (default: one per independent task) |
-| `--model MODEL` | Force all agents to use a specific model (opus, sonnet, haiku) |
+| `--model opus` | Force all agents to opus (default — all tiers use opus) |
 | `--max-turns N` | Limit each agent's execution to N turns (default: 50) |
 | `--providers claude,codex` | Force specific providers (default: auto-detect from router state) |
 | `--no-tmux` | Skip tmux panes, run worktree agents in background |

package/.claude/commands/tlc/coverage.md

@@ -2,6 +2,37 @@
 
 Scan existing code, identify what's untested, and offer to write retrospective tests.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'coverage', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## When to Use
 
 - After `/tlc:init` to add tests to existing code

package/.claude/commands/tlc/discuss.md

@@ -2,6 +2,37 @@
 
 Capture implementation preferences before planning.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'discuss', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## What This Does
 
 Gathers your preferences for HOW a phase should be built through adaptive questioning. Saves decisions to guide planning and test writing.

package/.claude/commands/tlc/docs.md

@@ -2,6 +2,37 @@
 
 Automatically maintain your project's documentation, screenshots, and wiki.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'docs', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## Usage
 
 ```bash

package/.claude/commands/tlc/edge-cases.md

@@ -2,6 +2,37 @@
 
 Analyze code and generate comprehensive edge case tests to improve test coverage.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'edge-cases', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## What This Does
 
 1. Analyzes target file/function

package/.claude/commands/tlc/guard.md

@@ -89,6 +89,15 @@ For a phase that's been (partially) built, verify TLC compliance:
 - [ ] No hardcoded secrets, URLs, or credentials (check for patterns)
 - [ ] No skipped tests (`.skip`, `xit`, `xdescribe`)
 
+**Security & Config (CODING-STANDARDS §6, §21, §22):**
+- [ ] Every data-access endpoint has ownership check (not just auth — verify user owns the resource)
+- [ ] No secrets (API keys, tokens, passwords) returned in API responses or rendered in HTML
+- [ ] No `process.env` in services/controllers — all config through validated config module
+- [ ] No unescaped `${...}` interpolation in HTML template strings
+- [ ] OTPs, reset tokens, session secrets are hashed before storage (not plaintext)
+- [ ] No `new ServiceClass()` / `new ProviderClass()` — use DI container
+- [ ] Tests prove user A cannot read/modify user B's data (ownership test)
+
 **Process:**
 - [ ] Phase plan exists and tasks are checked off
 - [ ] Implementation matches what was planned (no scope creep)

package/.claude/commands/tlc/init.md

@@ -207,7 +207,18 @@ Start writing tests now, or save backlog for later?
 
 **If "Start now":** Begin writing tests for the first critical path item using Red-Green-Refactor (but code already exists, so focus on capturing current behavior).
 
-### 9. Create CLAUDE.md
+### 9. Inject Standards (CLAUDE.md + CODING-STANDARDS.md)
+
+**First, inject both standards files using the standards-injector module:**
+
+```javascript
+const { injectStandards } = require('./lib/standards/standards-injector');
+const results = await injectStandards(projectPath);
+// Creates CLAUDE.md and CODING-STANDARDS.md from templates if missing
+// Appends TLC section to existing CLAUDE.md if present
+```
+
+**If the module is not available** (e.g., TLC server not installed locally), create `CLAUDE.md` manually and copy `CODING-STANDARDS.md` from the TLC templates directory.
 
 Create `CLAUDE.md` to enforce TLC workflow over Claude's default behaviors:
 

package/.claude/commands/tlc/plan.md

@@ -2,6 +2,37 @@
 
 Research and create implementation plans with clear tasks.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'plan', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## Architectural Standards
 
 **Plan like a principal engineer designing for scale:**

package/.claude/commands/tlc/quick.md

@@ -2,6 +2,37 @@
 
 For ad-hoc tasks that don't need full phase planning, but still deserve tests.
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'quick', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## Engineering Standards
 
 Even quick tasks follow senior engineer standards:

package/.claude/commands/tlc/review.md

@@ -2,6 +2,37 @@
 
 Review changes on current branch before pushing. **Runs in a loop until clean.**
 
+## Routing
+
+This command supports multi-model routing via `~/.tlc/config.json`.
+
+**Before executing this command:**
+
+1. Read routing config:
+   ```bash
+   node -e "
+     const { resolveRouting } = require('./server/lib/task-router-config');
+     const flagModel = (process.argv.find(a => a.startsWith("--model")) || "").replace("--model=", "").replace("--model ", "") || null;
+     const r = resolveRouting({ command: 'review', flagModel, projectDir: process.cwd(), homeDir: process.env.HOME });
+     console.log(JSON.stringify(r));
+   " 2>/dev/null
+   ```
+
+2. If `models[0]` is NOT `claude` (i.e., routed to external model):
+   - Read PROJECT.md, current phase PLAN.md, CODING-STANDARDS.md
+   - Package the agent prompt below with project context using `prompt-packager`
+   - Dispatch to the target CLI using `cli-dispatcher`
+   - Display the CLI output and stop — do NOT execute the agent prompt below
+
+3. If `models[0]` IS `claude` (or no routing config exists):
+   - Execute the agent prompt below as normal (current behavior)
+
+4. If `strategy` is `parallel`:
+   - Execute inline (Claude) AND dispatch to CLI models simultaneously
+   - Collect and merge results
+
+**Override:** Pass `--model <name>` to route this specific run to a different model.
+
 ## What This Does
 
 1. Compares current branch to main/master
@@ -116,6 +147,8 @@ git log --oneline --name-status main..HEAD
 
 Scan diff for common security issues:
 
+**Pattern-Based Checks:**
+
 | Pattern | Issue | Severity |
 |---------|-------|----------|
 | `password = "..."` | Hardcoded password | HIGH |
@@ -126,6 +159,17 @@ Scan diff for common security issues:
 | `exec("..." + var)` | Command injection | HIGH |
 | `SELECT...WHERE...+` | SQL injection | HIGH |
 
+**Semantic Security Checks (read the code, not just grep):**
+
+| Check | What to Look For | Severity |
+|-------|-----------------|----------|
+| **Ownership/IDOR** | Controller methods that take an ID param (`req.params.id`, `@Param('id')`) and query data without checking the requesting user owns the resource. Every data-access endpoint MUST verify ownership, not just authentication. | HIGH |
+| **Secrets in responses** | Response objects, DTOs, or `res.json()`/`res.send()` calls that include fields like `apiKey`, `secret`, `token`, `password`, `webhookSecret`. Secrets are write-only — never return them. | HIGH |
+| **Direct `process.env`** | `process.env.` usage in service, controller, or middleware files. All env access MUST go through a validated config module. Grep: `process\.env\.` in non-config files. | MEDIUM |
+| **Unescaped HTML** | Template literals that build HTML with `${...}` interpolation of variables (e.g., `` `<h1>${user.name}</h1>` ``). All dynamic values in HTML MUST be escaped. | HIGH |
+| **Plaintext sensitive data** | OTP codes, reset tokens, or session secrets stored without hashing. Look for database inserts/updates of these values without a hash step. | HIGH |
+| **Manual instantiation** | `new SomeProvider(...)` or `new SomeService(...)` in application code instead of using DI. | MEDIUM |
+
 **Fail if:** Any HIGH severity issues found.
 
 ### Step 5b: Coding Standards Check
@@ -311,6 +355,12 @@ After Steps 2-6 complete, if ANY issues were found:
 | `any` type | Replace with proper interface | If domain type unclear |
 | File >1000 lines | Split into sub-modules | If split strategy unclear |
 | Security vulnerability | Patch it | If fix might break behavior |
+| Missing ownership check | Add guard/check | If ownership model unclear |
+| Secrets in response | Remove or mask fields | If field is needed by client |
+| Direct `process.env` | Move to config module | If config module doesn't exist yet |
+| Unescaped HTML | Add escapeHtml() | If templating engine preferred |
+| Plaintext sensitive data | Add hash step | - |
+| Manual `new Service()` | Convert to DI | If DI container not set up |
 | Codex-flagged bug | Apply suggestion | If suggestion conflicts with Claude |
 | Merge conflict | - | Always human |
 

package/.claude/hooks/tlc-session-init.sh

@@ -10,6 +10,17 @@ fi
 
 echo "TLC project detected. All work goes through /tlc commands. Run /tlc for current status and next action."
 
+# ─── TLC Update Notification ─────────────────────────────
+UPDATE_FILE="$HOME/.tlc/.update-available"
+if [ -f "$UPDATE_FILE" ]; then
+  CURRENT=$(grep '^current=' "$UPDATE_FILE" | cut -d= -f2)
+  LATEST=$(grep '^latest=' "$UPDATE_FILE" | cut -d= -f2)
+  CMD=$(grep '^command=' "$UPDATE_FILE" | cut -d= -f2-)
+  if [ -n "$CURRENT" ] && [ -n "$LATEST" ]; then
+    echo "TLC update available: ${CURRENT} → ${LATEST}. Run: ${CMD}"
+  fi
+fi
+
 PROJECT_DIR="${CLAUDE_PROJECT_DIR:-$(pwd)}"
 
 # ─── TLC Server ───────────────────────────────────────────
@@ -53,9 +64,9 @@ fi
 
 if [ "$STALE" = true ]; then
   # Probe each provider
-  CLAUDE_PATH=$(which claude 2>/dev/null || echo "")
-  CODEX_PATH=$(which codex 2>/dev/null || echo "")
-  GEMINI_PATH=$(which gemini 2>/dev/null || echo "")
+  CLAUDE_PATH=$(command -v claude 2>/dev/null || echo "")
+  CODEX_PATH=$(command -v codex 2>/dev/null || echo "")
+  GEMINI_PATH=$(command -v gemini 2>/dev/null || echo "")
 
   CLAUDE_OK="false"
   CODEX_OK="false"