feat: enhance Figma integration with full API property coverage (#251)

* feat: expose --max-cost CLI flag with cost threshold warnings

Wire the existing maxCost infrastructure to a new --max-cost CLI option.
When no budget is set, warn users at $2/$5/$10 thresholds to encourage
setting a limit. This is opt-in only — no default limit that could break
existing long-running loops.

Closes #211

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add Figma-specific agent prompts in context builder

When sourceType is 'figma', inject domain-specific guidelines into the
agent preamble: auto-layout to flexbox/grid mapping, color token
extraction with @theme inline, typography fidelity, constraint
conversion, responsive breakpoints, and placeholder images.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: auto-inject Figma design tokens and cap spec size

When fetching from Figma in default 'spec' mode, also fetch design
tokens (CSS variables) and prepend them to the spec. The agent gets
ready-to-use tokens for @theme inline instead of parsing the raw tree.

Also pass all Figma CLI options through to fetchFromSource (previously
only label/status/limit/issue were passed).

Cap in-prompt spec at 15KB to reduce token waste — full spec remains
on disk in specs/ directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: show model name and cost in loop header and separator

Display the model name (e.g. '3-sonnet') and cumulative cost in the
loop header subtitle line, and add the full model name to the iteration
separator. Users can now see what model is running and how much it costs
at a glance.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add context-builder and task-executor tests

Add 42 new tests covering:
- buildIterationContext: preamble content, Tailwind v4 guidance,
  iteration-aware trimming (full/abbreviated/minimal), plan rules,
  design quality guidelines, validation feedback, iteration log
- compressValidationFeedback: truncation, section headers, ANSI stripping
- buildTrimmedPlanContext: task info, subtasks, completion counts
- buildCommitMessage: conventional commit detection (feat/fix/docs/
  refactor/test/chore), prefix stripping (bracket and colon formats)
- buildPrBody: task URL, description truncation, execution details

Export buildCommitMessage and buildPrBody for testability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: enhance Figma integration with full API property coverage

Add ~20 missing Figma REST API properties to types, parsers, and agent
guidelines for significantly improved design-to-code fidelity.

Layout: layoutSizingHorizontal/Vertical (FIXED/HUG/FILL), layoutWrap,
layoutPositioning (absolute children), counterAxisSpacing, layoutAlign,
min/maxWidth/Height, clipsContent, scrollBehavior, overflowDirection.

Visual: individualStrokeWeights (per-side borders), strokeDashes,
rotation, isMask, imageTransform→object-position, image filters→CSS
filter(), hero section detection, icon SVG export.

Typography: fontStyle, textTruncation + maxLines with CSS line-clamp
hints, hyperlink detection.

Effects: progressive blur detection, backdrop-filter hints.

New parsers: font-checker (Google Fonts validation), image-collector,
icon-collector (VECTOR/INSTANCE node detection + SVG export).

Agent guidelines updated with sizing, wrap, absolute positioning,
overflow, sticky/fixed, borders, rotation, and image filter rules.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add universal design-to-code rules for z-index, image priority, and sequential patterns

- Text/content elements always get higher z-index than visual layers (universal stacking rule)
- Classify image semantic importance: person images are CRITICAL priority, never hidden at any breakpoint
- Detect sequential/numbered patterns (01, 02, 03) in sibling elements, preserve exact design order
- Add Universal Stacking & Layout Rules section to generated implementation plans
- Add image-optimizer utility and plan-generator for Figma integration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: prevent division-by-zero in imageTransformToObjectPosition

Replace magic 0.99 threshold with epsilon-based comparison
(1e-4) to eliminate the gap where values in [0.99, 1.0) could
cause division by near-zero or inconsistent behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sanitize Figma asset filenames and validate CDN URLs

Add sanitizeAssetFilename(), isValidFigmaCdnUrl(), and
sanitizeSvgContent() utilities. Apply to all four Figma
asset download locations in run.ts to prevent path traversal,
SSRF, and SVG XSS attacks.

Addresses GitHub Advanced Security review comments.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden security sanitization and eliminate TOCTOU races

- Rewrite sanitizeSvgContent with iterative stripping for nested/malformed tags
- Add PNG magic byte validation (isValidPngBuffer) for all image downloads
- Remove existsSync checks before mkdirSync (TOCTOU race conditions)
- Remove unused existsSync import from source.ts
- Update pnpm-lock.yaml for sharp optional dependency

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve remaining CodeQL security alerts

- Rewrite sanitizeSvgContent with substring-based parser instead of
  regex to satisfy CodeQL js/bad-tag-filter and
  js/incomplete-multi-character-sanitization rules
- Fix TOCTOU race in readCache using fd-based stat+read (openSync/fstatSync)
- Fix TOCTOU race in image-optimizer using readFileSync buffer instead
  of separate statSync + sharp(filePath) calls

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: rubenmarcus

docs/blog/2026-02-01-figma-to-code-one-command.md

@@ -22,7 +22,7 @@ $ ralph-starter run --from figma \
   --project "https://figma.com/file/ABC123/Dashboard" \
   --figma-mode components \
   --figma-framework react \
-  --loops 5 --test --commit
+  --max-iterations 5 --test --commit
 
 🔄 Loop 1/5
   → Fetching from Figma API... 12 frames, 34 components found
@@ -83,14 +83,28 @@ Setup is dead simple, just a personal access token from Figma:
 ralph-starter config set figma.token figd_xxxxx
 ```
 
+:::tip Figma Plan Matters
+The free/starter plan limits you to **6 API requests per month** -- that is barely one fetch. For real development, you need a **Professional plan with a Dev seat** ($12/month), which gives you 10+ requests per minute. Responses are cached locally so repeated runs are free.
+:::
+
 The reason this works at all is [the loop](/blog/my-first-ralph-loop). The agent does not just generate code and stop. It generates, runs tests, sees what broke, fixes it, runs again. By loop 3 or 4 you have components that actually render and pass lint. Same [Ralph Wiggum technique](/blog/ralph-wiggum-technique) I use for everything else -- just pointed at a design file instead of a GitHub issue. I did not even plan it this way. It just... worked.
 
 Want to try it with your own Figma file?
 
 ```bash
 npx ralph-starter init
 ralph-starter config set figma.token figd_your_token_here
-ralph-starter run --from figma --project "your-figma-url" --figma-mode components --figma-framework react --loops 5
+ralph-starter run --from figma --project "your-figma-url" --figma-mode components --figma-framework react --max-iterations 5
+```
+
+You can also pick your model with `--model`. Sonnet is fast and cheap for UI work, Opus is better for complex state logic:
+
+```bash
+# Fast + cheap (recommended for most Figma workflows)
+ralph-starter run --from figma --project "your-figma-url" --figma-mode components --model claude-sonnet-4-5-20250929 --max-iterations 5
+
+# Maximum quality
+ralph-starter run --from figma --project "your-figma-url" --figma-mode components --model claude-opus-4-6 --max-iterations 3
 ```
 
 ## References

docs/docs/sources/figma.md

@@ -199,6 +199,7 @@ Create a custom mapping file to control how Figma content maps to your component
 | `--figma-target` | Target directory (content mode) | Path (e.g., `src/pages`) |
 | `--figma-preview` | Preview without applying (content mode) | Flag |
 | `--figma-mapping` | Custom mapping file (content mode) | File path (e.g., `mapping.json`) |
+| `--model` | AI model for the coding agent | Model ID (e.g., `claude-sonnet-4-5-20250929`) |
 
 ## Figma URL Formats
 
@@ -247,6 +248,30 @@ ralph-starter integrations fetch figma "ABC123" --figma-mode assets
 # Run the generated curl commands to download
 ```
 
+### Choose Your Model
+
+Use `--model` to pick which AI model implements the design. Sonnet is fast and cost-effective for most UI work; Opus produces more nuanced implementations for complex layouts:
+
+```bash
+# Fast iteration with Sonnet (recommended for most Figma workflows)
+ralph-starter run --from figma \
+  --project "https://figma.com/file/ABC123/Dashboard" \
+  --figma-mode components \
+  --model claude-sonnet-4-5-20250929 \
+  --max-iterations 5
+
+# Maximum quality with Opus
+ralph-starter run --from figma \
+  --project "https://figma.com/file/ABC123/Dashboard" \
+  --figma-mode components \
+  --model claude-opus-4-6 \
+  --max-iterations 3
+```
+
+:::tip Model Selection for Figma
+**Sonnet** is the sweet spot for Figma-to-code. It handles component structure, layout, and styling accurately at ~5x lower cost and faster iteration speed. Use **Opus** when you need complex state logic or intricate responsive behavior alongside the UI.
+:::
+
 ## Test Connection
 
 Verify your authentication:
@@ -255,8 +280,72 @@ Verify your authentication:
 ralph-starter integrations test figma
 ```
 
+## Rate Limits & Caching
+
+### Figma API Rate Limits
+
+Figma enforces rate limits based on your **plan tier** and **seat type**. This matters because it determines how many API requests you can make per minute (or per month).
+
+| Seat Type | Starter | Professional | Enterprise |
+|-----------|---------|-------------|------------|
+| Collab/Viewer (low) | 6/month | 5/min | 10/min |
+| Dev/Full (high) | 10/min | 15-50/min | 20-100/min |
+
+:::warning Free & Starter Plans
+On the **Starter plan with a Collab/Viewer seat** (`limit-type=low`), you get only **6 requests per month**. Each `ralph-starter run --from figma` uses 2-4 API calls, so you can exhaust your budget in 1-2 runs. Upgrade to a **Professional plan with a Dev seat** ($12/month) for 10+ requests per minute.
+:::
+
+### Community Files
+
+When you access a **community file** (duplicated from the Figma Community), the **file owner's plan** determines your rate limits -- not your own plan. If the original author is on a free/starter plan, you'll be limited to 6 requests per month regardless of your plan.
+
+**Fix:** Duplicate the file to your own workspace. This makes you the owner and applies your plan's limits.
+
+### Response Caching
+
+ralph-starter automatically caches Figma API responses in `~/.ralph/figma-cache/` with a 1-hour TTL. This means:
+
+- **First run** fetches from the API and populates the cache
+- **Subsequent runs** (within 1 hour) use the cache with zero API calls
+- **Rate limited (429)?** Falls back to stale cache if available
+
+This is especially useful for iterative development -- fetch once, then run the coding loop as many times as you want without touching the API.
+
+To clear the cache and force a fresh fetch:
+
+```bash
+rm -rf ~/.ralph/figma-cache/
+```
+
+### Debugging API Issues
+
+Use the `RALPH_DEBUG` environment variable to see every API request, response status, and rate limit headers:
+
+```bash
+RALPH_DEBUG=1 ralph-starter run --from figma --project "your-figma-url"
+```
+
+This shows:
+- Each API endpoint being called
+- HTTP status codes and retry-after values
+- Plan tier (`x-figma-plan-tier`) and limit type (`x-figma-rate-limit-type`)
+- Cache hits and stale cache fallbacks
+
 ## Troubleshooting
 
+### "Figma API blocked for ~N day(s)"
+
+This means CloudFront (Figma's CDN) has blocked your IP after too many rate-limited requests. The `retry-after` header shows days, not minutes.
+
+**Solutions (pick one):**
+1. **Upgrade your Figma plan** to Professional with a Dev seat ($12/month) -- gives you 10+ req/min instead of 6/month
+2. **Use a VPN** to get a fresh IP, fetch once to populate the cache, then disconnect
+3. **Wait** for the block to expire (shown in the error message)
+
+### "Figma API rate limit hit"
+
+A transient rate limit (not a CDN block). ralph-starter will automatically retry once after respecting the `retry-after` header. If it fails again, wait 1-2 minutes and try again.
+
 ### "Invalid Figma token"
 
 Your token may have expired or been revoked. Create a new token in Figma settings.
@@ -278,3 +367,4 @@ Assets are detected by name patterns. Rename your icon frames to include "icon",
 - **Variables API** requires Figma Enterprise plan (falls back to styles)
 - **Image export URLs** expire after 30 days
 - **Large files** may be slow; use `--figma-nodes` to target specific frames
+- **Starter plan (Collab seat)** limited to 6 API requests/month -- use caching or upgrade to Professional

package.json

@@ -81,6 +81,9 @@
     "yaml": "^2.7.0",
     "zod": "^4.3.6"
   },
+  "optionalDependencies": {
+    "sharp": "^0.33.0"
+  },
   "devDependencies": {
     "@biomejs/biome": "^2.3.13",
     "@commitlint/cli": "^20.3.1",