totopo 3.5.1 → 3.6.0

package/README.md

@@ -194,10 +194,10 @@ totopo keeps all three CLIs on their latest published versions, checking for upd
 For convenience, every Claude session opens with a status line at the bottom of the terminal:
 
 ```
-174k / 1M (17%) · Opus 4.7 high · Claude Code v2.1.132 · ▓░░░░░░░░░ (12% used, resets in 3 hr 35 min)
+174k (17%) · Opus 4.7 (1M context) xhigh · 5h limit ▓░░░░░░░░░ (resets in 2h 15m) · Claude Code v2.1.132
 ```
 
-Four segments: current context usage (count / window / percentage), model and reasoning effort, the installed Claude Code CLI version with a freshness hint that escalates as the install ages, and a 10-block gauge of the 5-hour rate-limit window with current usage and time-to-reset (subscriber accounts only). The line stays on a calm grey baseline and only escalates to yellow or red when something genuinely warrants attention. Ask Claude `/totopo-statusline` to customize or restore the default.
+Four segments: current context usage (count and percentage), the model display name as provided by Claude Code followed by reasoning effort in purple, a 10-block gauge of the 5-hour rate-limit window with a relative countdown to reset (subscriber accounts only), and the installed Claude Code CLI version with a freshness hint that escalates as the install ages. The line stays on a calm grey baseline and only escalates to yellow or red when something genuinely warrants attention. Ask Claude `/totopo-statusline` to customize or restore the default.
 
 ### Persistent Agent Memory
 

package/dist/commands/dev.js

@@ -9,7 +9,7 @@ import { join, relative } from "node:path";
 import { cancel, confirm, isCancel, log, outro, select } from "@clack/prompts";
 import { buildAgentContextDocs, buildAgentMountArgs, injectAgentContext } from "../lib/agent-context.js";
 import { CONTAINER_STARTUP, CONTAINER_WORKSPACE, GIT_MODE, LABEL_GIT_MODE, LABEL_MANAGED, LABEL_PROFILE, LABEL_RUNTIME_ENV, LABEL_SHADOWS, PROFILE, RUNTIME_ENV, } from "../lib/constants.js";
-import { buildDockerfile, buildImageWithTempfile } from "../lib/dockerfile-builder.js";
+import { buildDockerfile, buildImageWithTempfile, computeBuildHash } from "../lib/dockerfile-builder.js";
 import { isImageStale } from "../lib/migrate-to-latest.js";
 import { buildPnpmStoreMountArgs } from "../lib/pnpm-store.js";
 import { buildShadowMountArgs, ensureShadowsInSync, expandShadowPatterns } from "../lib/shadows.js";
@@ -299,7 +299,9 @@ export async function run(packageDir, ctx, options) {
     };
     startContainer(containerOpts);
     // --- Stale image check - prompt user to rebuild if image is outdated ------------------------------------------------------------------
-    let stale = isImageStale(containerName);
+    const dockerfileContent = buildDockerfile(join(templatesDir, "Dockerfile"), profileHook);
+    const expectedBuildHash = computeBuildHash(dockerfileContent, templatesDir);
+    let stale = isImageStale(containerName, expectedBuildHash);
     if (stale) {
         log.warn("totopo's latest release includes an updated container image.\n  Please rebuild to update — this will not affect agent memory, settings, or your data.");
         const rebuild = await confirm({

package/dist/lib/constants.js

@@ -38,6 +38,7 @@ export const LABEL_SHADOWS = "totopo.shadows";
 export const LABEL_PROFILE = "totopo.profile";
 export const LABEL_RUNTIME_ENV = "totopo.runtime-env";
 export const LABEL_GIT_MODE = "totopo.git-mode";
+export const LABEL_BUILD_HASH = "totopo.build-hash";
 // Built-in profile names (must match keys in buildDefaultTotopoYaml in totopo-yaml.ts)
 export const PROFILE = {
     default: "default",
@@ -52,10 +53,12 @@ import { GIT_MODE, GIT_WRAPPER_PATH, GIT_WRAPPER_SOURCE } from "../../templates/
 export { GIT_MODE, GIT_WRAPPER_PATH, GIT_WRAPPER_SOURCE };
 export const GIT_MODES = Object.values(GIT_MODE);
 // Runtime env vars injected into every container via docker run -e.
-// DISABLE_AUTOUPDATER suppresses Claude Code's in-process auto-updater, which always fails inside
-// the container (devuser can't write to the root-owned global npm prefix). totopo's startup script
-// already keeps Claude on the latest version - see templates/startup.mjs.
+// Each flag suppresses a Claude Code feature that is inapplicable or disruptive inside the container.
 export const RUNTIME_ENV = {
     CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY: "1",
-    DISABLE_AUTOUPDATER: "1",
+    DISABLE_AUTOUPDATER: "1", // In-process updater fails (root-owned prefix); startup.mjs handles updates
+    DISABLE_ERROR_REPORTING: "1", // Container errors include sandbox paths not useful to Anthropic
+    DISABLE_INSTALLATION_CHECKS: "1", // npm install is by design; native installer is not applicable
+    DISABLE_TELEMETRY: "1", // Container sessions should not phone home
+    DISABLE_UPGRADE_COMMAND: "1", // /upgrade is wrong path inside container; totopo manages CLI version
 };

package/dist/lib/dockerfile-builder.js

@@ -3,11 +3,11 @@
 // Combines base template + profile hook + USER instruction at build time
 // =========================================================================================================================================
 import { spawnSync } from "node:child_process";
-import { randomBytes } from "node:crypto";
-import { readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { createHash, randomBytes } from "node:crypto";
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { CONTAINER_HOME, CONTAINER_NAME_PREFIX, CONTAINER_STARTUP, CONTAINER_USER, LABEL_MANAGED } from "./constants.js";
+import { CONTAINER_HOME, CONTAINER_NAME_PREFIX, CONTAINER_STARTUP, CONTAINER_USER, LABEL_BUILD_HASH, LABEL_MANAGED } from "./constants.js";
 // --- User shell config appended after USER instruction -----------------------------------------------------------------------------------
 const USER_SHELL_CONFIG = `
 # ---------------------------------------------------------------------------
@@ -42,6 +42,40 @@ export function buildDockerfile(baseTemplatePath, profileHook) {
     content += USER_SHELL_CONFIG;
     return content;
 }
+// --- Build hash for image staleness detection --------------------------------------------------------------------------------------------
+// Filenames (relative to the templates dir) of every artifact that the Dockerfile bakes into the image
+// via COPY. Edits to any of these change the build hash and trigger a rebuild prompt at session start.
+// Kept in sync with templates/Dockerfile by the bidirectional test in tests/dockerfile-builder.test.ts.
+export const BAKED_TEMPLATE_FILES = [
+    "claude-statusline.sh",
+    "git-readonly-wrapper.mjs",
+    "npmrc",
+    "runtime-constants.mjs",
+    "startup-git-mode.mjs",
+    "startup.mjs",
+];
+/**
+ * Fingerprint everything the package contributes to the image: the assembled Dockerfile content
+ * plus every file in BAKED_TEMPLATE_FILES, hashed in deterministic order.
+ *
+ * Tolerates missing files in buildContextDir. In production (real package install) all baked files
+ * exist, so the existsSync branch never fires. In tests that build minimal images from a temp
+ * contextDir, missing files naturally produce a different hash than production - exactly the
+ * contract the staleness tests rely on.
+ */
+export function computeBuildHash(dockerfileContent, buildContextDir) {
+    const h = createHash("sha256");
+    h.update("dockerfile:\n");
+    h.update(dockerfileContent);
+    for (const name of [...BAKED_TEMPLATE_FILES].sort()) {
+        h.update(`\nfile:${name}\n`);
+        const path = join(buildContextDir, name);
+        if (existsSync(path)) {
+            h.update(readFileSync(path));
+        }
+    }
+    return h.digest("hex");
+}
 // --- Build image with temp file ----------------------------------------------------------------------------------------------------------
 /**
  * Write Dockerfile content to a temp file, run docker build, then clean up.
@@ -51,7 +85,18 @@ export function buildImageWithTempfile(dockerfileContent, buildContextDir, image
     const tmpFile = join(tmpdir(), `${CONTAINER_NAME_PREFIX}Dockerfile-${randomBytes(8).toString("hex")}`);
     try {
         writeFileSync(tmpFile, dockerfileContent);
-        const buildArgs = ["build", "--label", `${LABEL_MANAGED}=true`, "-f", tmpFile, "-t", imageName];
+        const buildHash = computeBuildHash(dockerfileContent, buildContextDir);
+        const buildArgs = [
+            "build",
+            "--label",
+            `${LABEL_MANAGED}=true`,
+            "--label",
+            `${LABEL_BUILD_HASH}=${buildHash}`,
+            "-f",
+            tmpFile,
+            "-t",
+            imageName,
+        ];
         if (noCache)
             buildArgs.push("--no-cache");
         buildArgs.push(buildContextDir);

package/dist/lib/migrate-to-latest.js

@@ -22,13 +22,12 @@
 // All migrations are idempotent - each checks if needed and skips if not.
 // =========================================================================================================================================
 import { spawnSync } from "node:child_process";
-import { createHash } from "node:crypto";
 import { cpSync, existsSync, mkdirSync, readdirSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { confirm, isCancel, log, note } from "@clack/prompts";
 import { load as loadYaml } from "js-yaml";
-import { AGENTS_DIR, CLAUDE_STATUSLINE_PATH, CONTAINER_STARTUP, GIT_MODE, GIT_WRAPPER_SOURCE, LOCK_FILE, PACKAGE_ROOT, PROFILE, SHADOWS_DIR, TOTOPO_DIR, TOTOPO_YAML, WORKSPACES_DIR, } from "./constants.js";
+import { AGENTS_DIR, GIT_MODE, LABEL_BUILD_HASH, LOCK_FILE, PROFILE, SHADOWS_DIR, TOTOPO_DIR, TOTOPO_YAML, WORKSPACES_DIR, } from "./constants.js";
 import { safeRmSync } from "./safe-rm.js";
 import { buildDefaultTotopoYaml, readTotopoYaml, slugifyForWorkspaceId, validateWorkspaceId, writeTotopoYaml, } from "./totopo-yaml.js";
 import { findTotopoYamlDir, getWorkspacesBaseDir, initWorkspaceDir, LOCK_KEYS } from "./workspace-identity.js";
@@ -504,54 +503,34 @@ export async function runMigration(cwd, skipAnyConfirmations = true) {
 }
 // =========================================================================================================================================
 // Image staleness detection
-// Called at session start to detect outdated container images that need rebuilding.
-// Add new conditions here when the base image changes in future releases.
+//
+// Called at session start; returns true if the running container's image is older than the current
+// package and needs a rebuild prompt.
+//
+// Mechanism: at build time, dockerfile-builder.ts stamps every image with a totopo.build-hash label
+// that fingerprints the assembled Dockerfile + every baked template file. At session start we
+// recompute the expected hash from current package sources and compare. Any change to
+// templates/Dockerfile, the active profile hook, or any baked template file produces a different
+// hash -> rebuild prompt fires.
+//
+// When shipping a new bake-time artifact:
+//   - Editing an existing template file or the Dockerfile -> auto-detected. No action.
+//   - Adding a NEW templated COPY -> add the filename to BAKED_TEMPLATE_FILES in
+//     dockerfile-builder.ts. The unit test in tests/dockerfile-builder.test.ts will fail until
+//     you do.
+//
+// Cosmetic Dockerfile edits (comment-only, whitespace) DO trigger a rebuild for users on prior
+// images. This is intentional: the Dockerfile and template files are rarely edited, so any change
+// is treated as meaningful. The release skill warns when a release contains diffs to these files
+// that look cosmetic, so the author can decide whether the rebuild cost is worth it.
 // =========================================================================================================================================
-/** Check if a running container's image is stale (missing expected files/features). */
-export function isImageStale(containerName) {
-    // v3.2.0: startup.mjs replaced post-start.mjs + update-ai-clis.mjs
-    const startupCheck = spawnSync("docker", ["exec", containerName, "test", "-f", CONTAINER_STARTUP], { stdio: "pipe" });
-    if (startupCheck.status !== 0)
-        return true;
-    // v3.3.0: file added to the base image for artifact inspection
-    const fileCheck = spawnSync("docker", ["exec", containerName, "test", "-x", "/usr/bin/file"], { stdio: "pipe" });
-    if (fileCheck.status !== 0)
-        return true;
-    // v3.3.0: bubblewrap added for Codex sandboxing prerequisites
-    const bubblewrapCheck = spawnSync("docker", ["exec", containerName, "test", "-x", "/usr/bin/bwrap"], { stdio: "pipe" });
-    if (bubblewrapCheck.status !== 0)
-        return true;
-    // v3.4.0: git read-only wrapper baked in for strict git mode
-    const wrapperCheck = spawnSync("docker", ["exec", containerName, "test", "-x", GIT_WRAPPER_SOURCE], {
-        stdio: "pipe",
-    });
-    if (wrapperCheck.status !== 0)
-        return true;
-    // v3.4.0: runtime-constants module imported by startup-git-mode.mjs
-    const constantsCheck = spawnSync("docker", ["exec", containerName, "test", "-f", "/home/devuser/runtime-constants.mjs"], {
+/** Returns true if the container's stamped totopo.build-hash label does not match the expected hash. */
+export function isImageStale(containerName, expectedBuildHash) {
+    const result = spawnSync("docker", ["inspect", "--format", `{{ index .Config.Labels "${LABEL_BUILD_HASH}" }}`, containerName], {
+        encoding: "utf8",
         stdio: "pipe",
     });
-    if (constantsCheck.status !== 0)
-        return true;
-    // v3.5.1: explicit pnpm store-dir baked into ~/.npmrc to prevent pnpm's volume-check
-    // relocation, which would otherwise create .pnpm-store at the repo root.
-    const npmrcCheck = spawnSync("docker", ["exec", containerName, "grep", "-q", "^store-dir=", "/home/devuser/.npmrc"], { stdio: "pipe" });
-    if (npmrcCheck.status !== 0)
+    if (result.status !== 0)
         return true;
-    // SHA-256 of the host claude-statusline.sh vs the file inside the container - any refinement to
-    // the shipped script triggers an automatic rebuild prompt on next session.
-    const hostScriptPath = join(PACKAGE_ROOT, "templates", "claude-statusline.sh");
-    if (existsSync(hostScriptPath)) {
-        const expectedHash = createHash("sha256").update(readFileSync(hostScriptPath)).digest("hex");
-        const sumResult = spawnSync("docker", ["exec", containerName, "sha256sum", CLAUDE_STATUSLINE_PATH], {
-            encoding: "utf8",
-            stdio: "pipe",
-        });
-        if (sumResult.status !== 0)
-            return true;
-        const actualHash = sumResult.stdout.trim().split(/\s+/)[0] ?? "";
-        if (actualHash !== expectedHash)
-            return true;
-    }
-    return false;
+    return result.stdout.trim() !== expectedBuildHash;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "totopo",
-  "version": "3.5.1",
+  "version": "3.6.0",
   "description": "Run AI coding agents safely in your local codebase",
   "type": "module",
   "bin": {

package/templates/Dockerfile

@@ -87,16 +87,16 @@ RUN groupadd --gid 1001 devuser && \
     useradd --uid 1001 --gid devuser --shell /bin/bash --create-home devuser && \
     mkdir -p /home/devuser/.local/state /home/devuser/.local/share /home/devuser/.local/share/pnpm /home/devuser/.local/bin && \
     date -u +"%Y-%m-%dT%H:%M:%S.000Z" > /home/devuser/.ai-cli-updated && \
-    printf 'store-dir=/home/devuser/.local/share/pnpm/store\npackage-import-method=copy\n' > /home/devuser/.npmrc && \
     chown -R devuser:devuser /home/devuser
 
 # ---------------------------------------------------------------------------
 # Layer 9 — Bake startup script + git mode helper + shared constants into image
 # ---------------------------------------------------------------------------
+COPY npmrc /home/devuser/.npmrc
 COPY startup.mjs /home/devuser/startup.mjs
 COPY startup-git-mode.mjs /home/devuser/startup-git-mode.mjs
 COPY runtime-constants.mjs /home/devuser/runtime-constants.mjs
-RUN chown devuser:devuser /home/devuser/startup.mjs /home/devuser/startup-git-mode.mjs /home/devuser/runtime-constants.mjs
+RUN chown devuser:devuser /home/devuser/.npmrc /home/devuser/startup.mjs /home/devuser/startup-git-mode.mjs /home/devuser/runtime-constants.mjs
 
 # ---------------------------------------------------------------------------
 # Layer 10 — Bake git read-only wrapper into image

package/templates/claude-statusline.sh

@@ -5,10 +5,10 @@
 # Referenced from ~/.claude/settings.json -> statusLine.command
 #
 # Render pattern (4 segments separated by mid-dot):
-#   1. <tokens>k / <ctx> (<pct>%)
-#   2. <model> <effort>
-#   3. Claude Code v<version> (<age>[, hint])
-#   4. <bar> (<rate>% used, resets in <hr> hr <min> min)
+#   1. <tokens>k (<pct>%)
+#   2. <model_full> <effort>
+#   3. <bar> (resets in <Xh Ym>)
+#   4. Claude Code v<version> (<age>[, hint])
 #
 # Designed to degrade gracefully: every field uses jq's // fallback, and any field that goes
 # missing in a future Claude Code release is silently skipped rather than failing the script.
@@ -24,9 +24,7 @@
 parsed=$(jq -r '
     .model.display_name // "",
     ((.context_window.used_percentage // 0) | round),
-    (((.context_window.current_usage.input_tokens // 0)
-      + (.context_window.current_usage.cache_creation_input_tokens // 0)
-      + (.context_window.current_usage.cache_read_input_tokens // 0)) | floor),
+    (.context_window.total_input_tokens // 0),
     .effort.level // "",
     (.rate_limits.five_hour.used_percentage | if . == null then "" else round end),
     (.rate_limits.five_hour.resets_at // "")
@@ -43,30 +41,24 @@ parsed=$(jq -r '
 $parsed
 EOF
 
-# Split "Opus 4.7 (1M context)" into model "Opus 4.7" + ctx_size "1M" via POSIX parameter expansion.
-ctx_size=""
-model_display="$model_full"
-case "$model_full" in
-  *"("*")"*)
-    inside=${model_full#*\(}
-    inside=${inside%%\)*}
-    ctx_size=${inside% context}
-    model_display=${model_full%% \(*}
-    ;;
-esac
+# Capture "now" once for both the rate-limit countdown and the Claude Code freshness check.
+# Status line runs on every prompt render, so avoid spawning `date` twice.
+now_epoch=$(date +%s)
 
 # Colors
 GREEN='\033[32m'
 YELLOW='\033[33m'
 RED='\033[31m'
 BLUE='\033[34m'
+PURPLE='\033[38;5;177m'
 GREY='\033[90m'
 GREY_LIGHT='\033[38;5;245m'
 RESET='\033[0m'
 
-# Normalize tokens & pct (may arrive empty when current_usage is null).
-[ -z "$used_tokens" ] && used_tokens=0
-[ -z "$used_pct" ] && used_pct=0
+# Normalize tokens & pct to integers (may arrive empty, non-numeric, or fractional when
+# current_usage is null or the JSON schema changes in a future Claude Code release).
+case "$used_tokens" in ''|*[!0-9]*) used_tokens=0 ;; esac
+case "$used_pct"    in ''|*[!0-9]*) used_pct=0    ;; esac
 
 # Token color by absolute count: <100k green, 100k-500k yellow, >500k red.
 if [ "$used_tokens" -lt 100000 ]; then
@@ -114,47 +106,35 @@ awk_out=$(awk -v t="$used_tokens" -v r="$rate_pct" 'BEGIN {
 $awk_out
 EOF
 
-# Bar color by rate-limit usage: <50% light grey, <80% yellow, >=80% red.
-# Light grey at the calm baseline keeps the line quiet until usage actually warrants attention.
+# Bar color by rate-limit usage: <50% light grey (calm baseline), 50-79% yellow, >=80% red.
+# Light grey keeps the line quiet until usage actually warrants attention.
 bar_color="$GREY_LIGHT"
-if [ -n "$rate_pct" ]; then
-  if [ "$rate_pct" -lt 50 ]; then
-    bar_color="$GREY_LIGHT"
-  elif [ "$rate_pct" -lt 80 ]; then
+if [ -n "$rate_pct" ] && [ "$rate_pct" -ge 50 ]; then
+  if [ "$rate_pct" -lt 80 ]; then
     bar_color="$YELLOW"
   else
     bar_color="$RED"
   fi
 fi
 
-# Time until the rate-limit window resets, formatted as "X hr Y min" / "Y min" / "X day Y hr".
+# Relative countdown until the rate-limit window resets (e.g. "2h 15m", "43m").
+# Uses a delta from now so the display is correct regardless of container timezone.
 # Skipped silently when resets_at is missing or non-numeric (forward compat with future schemas).
 reset_label=""
 case "$rate_resets_at" in
   '' | *[!0-9]*) ;;
   *)
-    now=$(date +%s)
-    secs=$((rate_resets_at - now))
-    [ "$secs" -lt 60 ] && secs=60
-    total_min=$(((secs + 30) / 60))
-    if [ "$total_min" -lt 60 ]; then
-      reset_label="${total_min} min"
-    elif [ "$total_min" -lt 1440 ]; then
-      hr=$((total_min / 60))
-      min=$((total_min % 60))
-      if [ "$min" -eq 0 ]; then
-        reset_label="${hr} hr"
+    delta=$(( rate_resets_at - now_epoch ))
+    if [ "$delta" -gt 0 ]; then
+      delta_h=$(( delta / 3600 ))
+      delta_m=$(( (delta % 3600) / 60 ))
+      if [ "$delta_h" -gt 0 ]; then
+        reset_label="${delta_h}h ${delta_m}m"
       else
-        reset_label="${hr} hr ${min} min"
+        reset_label="${delta_m}m"
       fi
     else
-      day=$((total_min / 1440))
-      hr=$(((total_min % 1440) / 60))
-      if [ "$hr" -eq 0 ]; then
-        reset_label="${day} day"
-      else
-        reset_label="${day} day ${hr} hr"
-      fi
+      reset_label="now"
     fi
     ;;
 esac
@@ -177,8 +157,7 @@ if [ -r "$cc_ts_file" ]; then
   if [ -n "$cc_iso" ]; then
     cc_secs=$(date -d "$cc_iso" +%s 2>/dev/null)
     if [ -n "$cc_secs" ]; then
-      cc_now=$(date +%s)
-      cc_age_days=$(( (cc_now - cc_secs) / 86400 ))
+      cc_age_days=$(( (now_epoch - cc_secs) / 86400 ))
       [ "$cc_age_days" -lt 0 ] && cc_age_days=0
     fi
   fi
@@ -216,28 +195,29 @@ fi
 SEP=" ${GREY}·${RESET} "
 
 # Segment 1: tokens (always rendered; used_tokens defaults to 0).
-ctx_seg="${tokens_color}${tokens_label}${RESET}"
-[ -n "$ctx_size" ] && ctx_seg="${ctx_seg} ${GREY}/ ${ctx_size}${RESET}"
-ctx_seg="${ctx_seg} ${GREY}(${used_pct}%)${RESET}"
+ctx_seg="${tokens_color}${tokens_label}${RESET} ${GREY}(${used_pct}%)${RESET}"
 
-# Segment 2: model + effort (rendered only when model name is present; effort shares model color).
+# Segment 2: model display name + effort (rendered only when model name is present).
+# model_full is rendered as-is (e.g. "Opus 4.7 (1M context)") -- future-proof and requires no parsing.
+# Effort renders unparenthesized in purple to avoid double-parens when the model name itself
+# already contains a parenthetical (e.g. "Opus 4.7 (1M context)") -- the color shift is the cue.
 model_seg=""
-if [ -n "$model_display" ]; then
-  model_seg="${BLUE}${model_display}${RESET}"
-  [ -n "$effort" ] && model_seg="${model_seg} ${BLUE}${effort}${RESET}"
+if [ -n "$model_full" ]; then
+  model_seg="${BLUE}${model_full}${RESET}"
+  [ -n "$effort" ] && model_seg="${model_seg} ${PURPLE}${effort}${RESET}"
 fi
 
-# Segment 3: cc_seg (computed above; may be empty).
-
-# Segment 4: rate-limit gauge (rendered only when rate-limit data is present).
+# Segment 3: rate-limit gauge (rendered only when rate-limit data is present).
 quota_seg=""
 if [ -n "$bar" ] && [ -n "$reset_label" ]; then
-  quota_seg="${bar_color}${bar}${RESET} ${GREY}(${rate_pct}% used, resets in ${reset_label})${RESET}"
+  quota_seg="${GREY}5h limit${RESET} ${bar_color}${bar}${RESET} ${GREY}(resets in ${reset_label})${RESET}"
 fi
 
-# Join non-empty segments with SEP, in order: tokens -> model -> claude-code -> gauge.
+# Segment 4: cc_seg (computed above; may be empty).
+
+# Join non-empty segments with SEP, in order: tokens -> model -> gauge -> claude-code.
 out=""
-for seg in "$ctx_seg" "$model_seg" "$cc_seg" "$quota_seg"; do
+for seg in "$ctx_seg" "$model_seg" "$quota_seg" "$cc_seg"; do
   [ -z "$seg" ] && continue
   if [ -z "$out" ]; then
     out="$seg"

package/templates/git-readonly-wrapper.mjs

@@ -130,6 +130,11 @@ const CONFIG_WRITE_FLAGS = new Set([
 // Flags that take their next arg as a value -- skip the value when counting tokens.
 // --file/-f/--blob = scope; --type = value coercion; --default = fallback for --get.
 const CONFIG_TWO_ARG_FLAGS = new Set(["--file", "-f", "--blob", "--type", "--default"]);
+// Keys whose write form is allowed in strict mode. Narrow by design: each entry must be
+// safe (cannot escalate to remote ops or weaken protocol.allow). core.hooksPath unblocks
+// `pnpm install` for repos whose prepare script points git at a tracked hooks directory.
+// Compared lowercased: git treats section/variable names case-insensitively.
+const CONFIG_WRITE_ALLOWLIST = new Set(["core.hookspath"]);
 
 // -- remote: block these subactions, allow the rest (default = list) ----------
 const REMOTE_MUTATING_ACTIONS = new Set(["add", "remove", "rm", "rename", "set-url", "prune", "update", "set-head", "set-branches"]);
@@ -213,9 +218,10 @@ export function classify(argv) {
         }
         // Otherwise count non-flag tokens after the subcommand:
         //   `config <key>`           -> 1 token  -> read
-        //   `config <key> <value>`   -> 2 tokens -> write
+        //   `config <key> <value>`   -> 2 tokens -> write (allowed only if key is in allowlist)
         // Scope flags (--system, --global, ...) are flags and don't count.
         let nonFlagCount = 0;
+        let firstKey = null;
         for (let i = 0; i < rest.length; i++) {
             const a = rest[i];
             if (a.startsWith("-")) {
@@ -223,7 +229,11 @@ export function classify(argv) {
                 continue;
             }
             nonFlagCount++;
-            if (nonFlagCount >= 2) return blocked("config (write)");
+            if (nonFlagCount === 1) firstKey = a;
+            if (nonFlagCount >= 2) {
+                if (firstKey !== null && CONFIG_WRITE_ALLOWLIST.has(firstKey.toLowerCase())) return { allow: true };
+                return blocked("config (write)");
+            }
         }
         return { allow: true };
     }

package/templates/npmrc

@@ -0,0 +1,2 @@
+store-dir=/home/devuser/.local/share/pnpm/store
+package-import-method=copy

package/templates/skills/totopo-statusline/SKILL.md

@@ -27,13 +27,13 @@ Tell the user which state they are in, and the exact command path if custom.
 Four segments, left to right, separated by a mid-dot:
 
 ```
-174k / 1M (17%) · Opus 4.7 high · Claude Code v2.1.132 · ▓░░░░░░░░░ (12% used, resets in 3 hr 35 min)
+174k (17%) · Opus 4.7 (1M context) high · 5h limit ▓░░░░░░░░░ (resets in 2h 15m) · Claude Code v2.1.132
 ```
 
-1. **Tokens** - current context-window usage (count / window size / percentage).
-2. **Model** - name and reasoning effort.
-3. **Claude Code** - installed CLI version, with a freshness hint shown only once the install starts to age.
-4. **Rate-limit gauge** - share of the 5-hour window used and time until it resets. Hidden on free accounts and before the first API response.
+1. **Tokens** - current context-window usage (count and percentage).
+2. **Model** - display name as provided by Claude Code (rendered as-is), followed by reasoning effort in purple (no parentheses, since the model name itself may already contain a parenthetical).
+3. **Rate-limit gauge** - bar showing share of the 5-hour window used, plus a relative countdown until it resets. Hidden on free accounts and before the first API response.
+4. **Claude Code** - installed CLI version, with a freshness hint shown only once the install starts to age.
 
 Most of the line stays calm; individual segments turn **yellow** or **red** when something deserves attention - typically a nudge to *clear or compact the context*, *update the harness by opening a new totopo session*, or *watch the rate-limit window*.
 
@@ -106,4 +106,4 @@ If the user wants something completely different:
 
 - Always preserve other fields in `settings.json` when editing. The file may contain unrelated user settings.
 - If `settings.json` does not exist or is unparseable, create it fresh as `{ "statusLine": { ... } }`.
-- The format Claude Code passes via stdin includes `workspace.current_dir`, `model.display_name`, `context_window.used_percentage`, and `context_window.current_usage.{input_tokens, cache_creation_input_tokens, cache_read_input_tokens}`. Use these as the data sources for any custom script.
+- Any statusline changes must use only the fields documented in the official Claude Code statusline reference: https://code.claude.com/docs/en/statusline#available-data -- consult that page for the full list of available JSON fields, their types, nullability, and conditional presence.