@byh3071/vhk 0.5.0 → 0.5.2

package/dist/index.js

@@ -485,8 +485,7 @@ var require_ignore = __commonJS({
 
 // src/index.ts
 import { Command, Help } from "commander";
-import chalk15 from "chalk";
-import inquirer7 from "inquirer";
+import inquirer8 from "inquirer";
 
 // src/lib/nlp-router.ts
 function normalize(input) {
@@ -495,8 +494,8 @@ function normalize(input) {
 var NLP_KEYWORDS = {
   save: ["\uC800\uC7A5", "\uC138\uC774\uBE0C", "\uCEE4\uBC0B", "\uC62C\uB824", "\uC62C\uB9AC\uAE30", "\uD478\uC2DC", "push", "commit"],
   undo: ["\uB418\uB3CC\uB824", "\uB418\uB3CC\uB9AC\uAE30", "\uCDE8\uC18C", "\uC6D0\uB798\uB300\uB85C", "\uB864\uBC31", "\uB9AC\uC14B", "reset", "rollback"],
-  status: ["\uC0C1\uD0DC", "\uD604\uD669", "\uC5B4\uB5BB\uAC8C", "\uC5B4\uB54C", "\uC9C0\uAE08", "\uD655\uC778"],
-  diff: ["\uBCC0\uACBD", "\uBC14\uB010", "\uBB50\uBC14\uB01C", "\uCC28\uC774", "\uB2EC\uB77C\uC9C4", "\uC218\uC815\uB41C"]
+  status: ["\uC0C1\uD0DC", "\uD604\uD669", "\uC5B4\uB5BB\uAC8C", "\uC5B4\uB54C", "\uC9C0\uAE08"],
+  diff: ["\uBCC0\uACBD", "\uBC14\uB010", "\uBB50\uBC14\uB01C", "\uBC14\uB00C\uC5C8", "\uCC28\uC774", "\uB2EC\uB77C\uC9C4", "\uC218\uC815\uB41C"]
 };
 function matchesKeywords(text, command) {
   const keywords = NLP_KEYWORDS[command];
@@ -524,11 +523,29 @@ var RULES = [
     confidence: "high",
     test: (t2) => /프로젝트.*(만들|시작)|폴더.*만들|만들고\s*싶|하네스|초기화/.test(t2) || /^시작$/.test(t2)
   },
+  {
+    command: "secure",
+    explanation: "\uBCF4\uC548 \uC2A4\uCE94 (vhk \uBCF4\uC548)",
+    confidence: "high",
+    test: (t2) => /보안|시크릿|비밀|키\s*유출|secure|scan/.test(t2)
+  },
+  {
+    command: "check",
+    explanation: "\uADDC\uCE59 \uC810\uAC80 (vhk \uC810\uAC80)",
+    confidence: "high",
+    test: (t2) => /규칙.*(점검|위반)|린트|check|위반/.test(t2)
+  },
+  {
+    command: "doctor",
+    explanation: "\uD658\uACBD \uC810\uAC80 (vhk doctor)",
+    confidence: "high",
+    test: (t2) => /뭔가\s*안|안\s*돼|안돼|환경\s*(점검|진단|확인)|진단|doctor|설치.*확인|왜\s*안/.test(t2)
+  },
   {
     command: "diff",
     explanation: "\uBCC0\uACBD\uC0AC\uD56D \uC694\uC57D (vhk diff)",
     confidence: "high",
-    test: (t2) => (matchesKeywords(t2, "diff") || /^diff$/.test(t2) || /변경사항|수정\s*내역|차이\s*보/.test(t2)) && !/저장|커밋|push|푸시|상태|현황|세이브|commit/.test(t2)
+    test: (t2) => (matchesKeywords(t2, "diff") || /^diff$/.test(t2) || /변경사항|수정\s*내역|차이\s*보|뭐\s*바뀌/.test(t2)) && !/저장|커밋|push|푸시|상태|현황|세이브|commit/.test(t2)
   },
   {
     command: "undo",
@@ -540,7 +557,7 @@ var RULES = [
     command: "status",
     explanation: "\uD504\uB85C\uC81D\uD2B8 \uC0C1\uD0DC \uD655\uC778 (vhk \uC0C1\uD0DC)",
     confidence: "high",
-    test: (t2) => matchesKeywords(t2, "status") || /^status$/.test(t2) || /브랜치.*(뭐|어디)|git\s*상태|동기화\s*상태/.test(t2)
+    test: (t2) => (matchesKeywords(t2, "status") || /^status$/.test(t2) || /브랜치.*(뭐|어디)|git\s*상태|동기화\s*상태|프로젝트\s*상태/.test(t2)) && !/보안|시크릿|규칙|점검|린트|환경|진단|doctor|secure|check|스캔|설치/.test(t2)
   },
   {
     command: "save",
@@ -554,30 +571,12 @@ var RULES = [
     confidence: "high",
     test: (t2) => /오늘.*(정리|기록)|한\s*일|세션|회고|recap|정리해/.test(t2)
   },
-  {
-    command: "doctor",
-    explanation: "\uD658\uACBD \uC810\uAC80 (vhk doctor)",
-    confidence: "high",
-    test: (t2) => /뭔가\s*안|안\s*돼|안돼|환경\s*(점검|진단)|진단|doctor|설치.*확인|왜\s*안/.test(t2)
-  },
   {
     command: "gate",
     explanation: "\uC544\uC774\uB514\uC5B4 \uAC80\uC99D (vhk \uAC80\uC99D)",
     confidence: "high",
     test: (t2) => /아이디어|검증|gate|go\/refine|pain\s*point/.test(t2)
   },
-  {
-    command: "secure",
-    explanation: "\uBCF4\uC548 \uC2A4\uCE94 (vhk \uBCF4\uC548 scan)",
-    confidence: "high",
-    test: (t2) => /보안|시크릿|비밀|키\s*유출|secure|scan/.test(t2)
-  },
-  {
-    command: "check",
-    explanation: "\uADDC\uCE59 \uC810\uAC80 (vhk \uC810\uAC80)",
-    confidence: "high",
-    test: (t2) => /규칙.*(점검|위반)|린트|check|위반/.test(t2)
-  },
   {
     command: "sync",
     explanation: "\uADDC\uCE59 \uD30C\uC77C \uB3D9\uAE30\uD654 (vhk \uADDC\uCE59)",
@@ -611,6 +610,69 @@ function extractNotionUrl(input) {
   return m?.[0];
 }
 
+// src/lib/cli-args.ts
+var KNOWN_COMMAND_TOKENS = /* @__PURE__ */ new Set([
+  "gate",
+  "\uAC80\uC99D",
+  "\uC544\uC774\uB514\uC5B4",
+  "init",
+  "\uC2DC\uC791",
+  "\uB9CC\uB4E4\uAE30",
+  "recap",
+  "\uC815\uB9AC",
+  "\uC624\uB298",
+  "sync",
+  "\uB9DE\uCD94\uAE30",
+  "\uADDC\uCE59",
+  "check",
+  "\uC810\uAC80",
+  "\uB9B0\uD2B8",
+  "secure",
+  "\uBCF4\uC548",
+  "scan",
+  "\uC2A4\uCE94",
+  "ship",
+  "\uBC30\uD3EC",
+  "\uB9B4\uB9AC\uC988",
+  "doctor",
+  "\uD658\uACBD",
+  "\uC9C4\uB2E8",
+  "save",
+  "\uC800\uC7A5",
+  "undo",
+  "\uB418\uB3CC\uB9AC\uAE30",
+  "status",
+  "\uC0C1\uD0DC",
+  "\uD604\uD669",
+  "diff",
+  "\uBCC0\uACBD",
+  "\uCC28\uC774",
+  "help"
+]);
+function isOptionToken(token) {
+  return token.startsWith("-");
+}
+function detectNaturalLanguageInput(argv) {
+  const rest = argv.slice(2);
+  if (rest.length === 0) return null;
+  const first = rest[0];
+  if (isOptionToken(first)) return null;
+  const input = rest.join(" ").trim();
+  if (!input) return null;
+  const firstIsKnown = KNOWN_COMMAND_TOKENS.has(first);
+  if (firstIsKnown && rest.length === 1) return null;
+  if (firstIsKnown && rest.slice(1).every(isOptionToken)) return null;
+  if (firstIsKnown && rest.length > 1) {
+    if (routeNaturalLanguage(input)) return input;
+    return null;
+  }
+  return input;
+}
+
+// src/lib/nlp-run.ts
+import chalk16 from "chalk";
+import inquirer7 from "inquirer";
+
 // src/i18n/ko.ts
 var ko = {
   status: {
@@ -642,7 +704,15 @@ var ko = {
     successLocal: "\uB85C\uCEEC \uC800\uC7A5 \uC644\uB8CC!",
     noRemote: "\uC6D0\uACA9 \uC800\uC7A5\uC18C\uAC00 \uC124\uC815\uB418\uC9C0 \uC54A\uC544 push\uB97C \uAC74\uB108\uB6F0\uC5C8\uC2B5\uB2C8\uB2E4.",
     failed: "\uC800\uC7A5 \uC2E4\uD328",
-    done: (n) => `${n}\uAC1C \uD30C\uC77C \uC800\uC7A5 \uC644\uB8CC!`
+    stagedAfterFail: "\uCEE4\uBC0B\uC740 \uC2E4\uD328\uD588\uC9C0\uB9CC \uD30C\uC77C\uC740 \uC2A4\uD14C\uC774\uC9D5\uB418\uC5B4 \uC788\uC2B5\uB2C8\uB2E4. \uD655\uC778: git status / \uCDE8\uC18C: git reset HEAD",
+    securityWarnHeader: "\uC800\uC7A5 \uC804 \uBCF4\uC548 \uD655\uC778:",
+    secretsFound: (n) => `\uCF54\uB4DC\uC5D0\uC11C CRITICAL/HIGH \uC2DC\uD06C\uB9BF \uD328\uD134 ${n}\uAC74 \uAC10\uC9C0`,
+    secretsConfirm: "\uADF8\uB798\uB3C4 \uCEE4\uBC0B\xB7push\uB97C \uC9C4\uD589\uD560\uAE4C\uC694?",
+    cancelled: "\uC800\uC7A5\uC744 \uCDE8\uC18C\uD588\uC2B5\uB2C8\uB2E4.",
+    pushFailed: "push \uC2E4\uD328 (\uB85C\uCEEC \uCEE4\uBC0B\uC740 \uC644\uB8CC\uB428)",
+    commitOkPushFailed: "\uB85C\uCEEC \uCEE4\uBC0B\uC740 \uB410\uC9C0\uB9CC \uC6D0\uACA9 push\uC5D0 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4. git push\uB97C \uC9C1\uC811 \uD655\uC778\uD558\uC138\uC694.",
+    done: (n) => `${n}\uAC1C \uD30C\uC77C \uC800\uC7A5 \uC644\uB8CC!`,
+    doneLocalOnly: (n) => `${n}\uAC1C \uD30C\uC77C \uB85C\uCEEC \uC800\uC7A5\uB428 (push\uB294 \uC2E4\uD328)`
   },
   undo: {
     title: "\uB418\uB3CC\uB9AC\uAE30",
@@ -651,10 +721,14 @@ var ko = {
     recentHeader: "\u{1F4CB} \uCD5C\uADFC \uCEE4\uBC0B:",
     howMany: "\uBA87 \uAC1C\uC758 \uCEE4\uBC0B\uC744 \uB418\uB3CC\uB9B4\uAE4C\uC694?",
     alreadyPushed: "\uC774 \uCEE4\uBC0B\uC740 \uC774\uBBF8 \uC6D0\uACA9\uC5D0 \uC62C\uB77C\uAC14\uC2B5\uB2C8\uB2E4. \uB418\uB3CC\uB9AC\uBA74 \uCDA9\uB3CC\uC774 \uC0DD\uAE38 \uC218 \uC788\uC5B4\uC694.",
+    noUpstreamWarning: "upstream \uBE0C\uB79C\uCE58\uAC00 \uC5C6\uC2B5\uB2C8\uB2E4. \uC774\uBBF8 push\uD55C \uCEE4\uBC0B\uC77C \uC218 \uC788\uC5B4\uC694. \uB418\uB3CC\uB9B0 \uB4A4 force push\uAC00 \uD544\uC694\uD560 \uC218 \uC788\uC2B5\uB2C8\uB2E4.",
     confirmMessage: "\uCD5C\uADFC \uCEE4\uBC0B\uC744 \uB418\uB3CC\uB9AC\uC2DC\uACA0\uC2B5\uB2C8\uAE4C?",
+    confirmRisky: (n) => `\u26A0\uFE0F \uC704\uD5D8: \uCD5C\uADFC ${n}\uAC1C \uCEE4\uBC0B\uC744 soft reset\uD569\uB2C8\uB2E4. \uC6D0\uACA9\uACFC \uC5B4\uAE0B\uB0A0 \uC218 \uC788\uC2B5\uB2C8\uB2E4. \uACC4\uC18D\uD560\uAE4C\uC694?`,
     cancelled: "\uCDE8\uC18C\uB428",
     success: "\uB418\uB3CC\uB9AC\uAE30 \uC644\uB8CC! \uBCC0\uACBD\uC0AC\uD56D\uC740 \uADF8\uB300\uB85C \uB0A8\uC544\uC788\uC2B5\uB2C8\uB2E4.",
     stagedHint: "\uBCC0\uACBD\uC0AC\uD56D\uC740 \uC2A4\uD14C\uC774\uC9D5 \uC601\uC5ED\uC5D0 \uB0A8\uC544 \uC788\uC5B4\uC694.",
+    rootCommit: "\uCCAB \uCEE4\uBC0B\uB9CC \uC788\uC5B4\uC11C \uB354 \uB418\uB3CC\uB9B4 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.",
+    forcePushHint: "\uC6D0\uACA9\uACFC \uB9DE\uCD94\uB824\uBA74: git push --force-with-lease (\uD63C\uC790 \uC791\uC5C5\uD55C \uBE0C\uB79C\uCE58\uC5D0\uC11C\uB9CC, \uD300\uACFC \uD569\uC758 \uD6C4)",
     failed: "\uB418\uB3CC\uB9AC\uAE30 \uC2E4\uD328"
   },
   diff: {
@@ -1016,9 +1090,9 @@ ${ko.gate.verdictTitle}
 
 // src/commands/init.ts
 import inquirer2 from "inquirer";
-import chalk4 from "chalk";
-import fs2 from "fs";
-import path2 from "path";
+import chalk5 from "chalk";
+import fs3 from "fs";
+import path3 from "path";
 
 // src/templates/claude-md.ts
 function CLAUDE_MD_TEMPLATE(name, _stack) {
@@ -1228,27 +1302,113 @@ function COMMANDS_MD_TEMPLATE() {
   ].join("\n");
 }
 
-// src/utils/logger.ts
+// src/lib/check-secure.ts
+var import_ignore = __toESM(require_ignore(), 1);
+import fs from "fs";
+import path from "path";
 import chalk3 from "chalk";
+function loadGitignore(rootDir) {
+  const ig = (0, import_ignore.default)();
+  const gitignorePath = path.join(rootDir, ".gitignore");
+  if (fs.existsSync(gitignorePath)) {
+    const content = fs.readFileSync(gitignorePath, "utf-8");
+    ig.add(content);
+  }
+  return ig;
+}
+function isPathIgnored(ig, relativePath) {
+  const normalized = relativePath.replace(/\\/g, "/");
+  return ig.ignores(normalized);
+}
+function findExposedSensitiveFiles(rootDir, ig = loadGitignore(rootDir), maxDepth = 8) {
+  const exposed = [];
+  function walk(dir, depth) {
+    if (depth > maxDepth) return;
+    let entries;
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.name === "node_modules" || entry.name === ".git") continue;
+      const fullPath = path.join(dir, entry.name);
+      const rel = path.relative(rootDir, fullPath).replace(/\\/g, "/");
+      if (entry.isDirectory()) {
+        if (!isPathIgnored(ig, rel + "/")) walk(fullPath, depth + 1);
+        continue;
+      }
+      if (isSensitiveName(entry.name) && !isPathIgnored(ig, rel)) {
+        exposed.push(rel);
+      }
+    }
+  }
+  walk(rootDir, 0);
+  return exposed;
+}
+function isSensitiveName(name) {
+  const lower = name.toLowerCase();
+  if (lower === ".env" || lower.startsWith(".env.")) return true;
+  if (lower.endsWith(".pem") || lower.endsWith(".key")) return true;
+  if (lower === "credentials.json" || lower === "secrets.json") return true;
+  if (lower.startsWith("id_rsa")) return true;
+  return false;
+}
+function checkProjectSecurity(rootDir = process.cwd()) {
+  const gitignorePath = path.join(rootDir, ".gitignore");
+  const missingGitignore = !fs.existsSync(gitignorePath);
+  const ig = loadGitignore(rootDir);
+  const exposedPaths = findExposedSensitiveFiles(rootDir, ig);
+  const warnings = [];
+  if (missingGitignore) {
+    warnings.push(".gitignore \uD30C\uC77C\uC774 \uC5C6\uC2B5\uB2C8\uB2E4. \uBBFC\uAC10\uD55C \uD30C\uC77C\uC774 \uC2E4\uC218\uB85C \uC62C\uB77C\uAC08 \uC218 \uC788\uC5B4\uC694.");
+  }
+  if (exposedPaths.length > 0) {
+    warnings.push(
+      `ignore\uB418\uC9C0 \uC54A\uC740 \uBBFC\uAC10 \uD30C\uC77C ${exposedPaths.length}\uAC1C: ${exposedPaths.join(", ")}`
+    );
+  }
+  return {
+    ok: !missingGitignore && exposedPaths.length === 0,
+    missingGitignore,
+    exposedPaths,
+    warnings
+  };
+}
+function printSecurityWarnings(rootDir = process.cwd()) {
+  const result = checkProjectSecurity(rootDir);
+  if (result.ok) return true;
+  for (const w of result.warnings) {
+    console.log(chalk3.yellow(`   \u26A0\uFE0F  ${w}`));
+  }
+  return false;
+}
+function filterTrackedPaths(paths, rootDir = process.cwd()) {
+  const ig = loadGitignore(rootDir);
+  return paths.filter((p) => !isPathIgnored(ig, p.replace(/\\/g, "/")));
+}
+
+// src/utils/logger.ts
+import chalk4 from "chalk";
 var log = {
-  success: (msg) => console.log(chalk3.green(`\u2705 ${msg}`)),
-  error: (msg) => console.log(chalk3.red(`\u274C ${msg}`)),
-  warn: (msg) => console.log(chalk3.yellow(`\u26A0\uFE0F ${msg}`)),
-  info: (msg) => console.log(chalk3.blue(`\u2139\uFE0F ${msg}`)),
-  step: (msg) => console.log(chalk3.bold(`
+  success: (msg) => console.log(chalk4.green(`\u2705 ${msg}`)),
+  error: (msg) => console.log(chalk4.red(`\u274C ${msg}`)),
+  warn: (msg) => console.log(chalk4.yellow(`\u26A0\uFE0F ${msg}`)),
+  info: (msg) => console.log(chalk4.blue(`\u2139\uFE0F ${msg}`)),
+  step: (msg) => console.log(chalk4.bold(`
 \u25B8 ${msg}`))
 };
 
 // src/utils/file.ts
-import fs from "fs";
-import path from "path";
+import fs2 from "fs";
+import path2 from "path";
 function writeFile(filePath, content) {
-  const dir = path.dirname(filePath);
-  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(filePath, content, "utf-8");
+  const dir = path2.dirname(filePath);
+  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+  fs2.writeFileSync(filePath, content, "utf-8");
 }
 function fileExists(filePath) {
-  return fs.existsSync(filePath);
+  return fs2.existsSync(filePath);
 }
 
 // src/lib/notion-import.ts
@@ -1440,13 +1600,14 @@ async function collectAnswers(options, defaults = {}) {
 async function init(options = {}) {
   const skipGate = Boolean(options.skipGate || options.fromNotion);
   if (skipGate) {
-    console.log(chalk4.dim(`
+    console.log(chalk5.dim(`
 ${ko.init.skipGate}
 `));
   }
-  console.log(chalk4.bold(`
+  console.log(chalk5.bold(`
 ${ko.init.title}
 `));
+  printSecurityWarnings();
   let prdContent = {};
   const defaults = {};
   if (options.fromNotion) {
@@ -1468,7 +1629,7 @@ ${ko.init.title}
     process.exit(1);
   }
   const stack = STACK_PRESETS[answers.type];
-  console.log(chalk4.dim(`
+  console.log(chalk5.dim(`
 ${ko.init.recommendedStack} ${stack.join(" + ")}
 `));
   if (!options.yes) {
@@ -1487,7 +1648,7 @@ ${ko.init.recommendedStack} ${stack.join(" + ")}
   const files = generateFiles(answers.name, answers.description, stack, prdContent);
   log.step(ko.init.filesGenerating);
   for (const [filePath, content] of Object.entries(files)) {
-    const fullPath = path2.join(cwd, filePath);
+    const fullPath = path3.join(cwd, filePath);
     if (fileExists(fullPath)) {
       const { overwrite } = await inquirer2.prompt([{
         type: "confirm",
@@ -1504,21 +1665,21 @@ ${ko.init.recommendedStack} ${stack.join(" + ")}
     log.success(filePath);
   }
   await writeInitExtras(cwd);
-  console.log(chalk4.bold.green(`
+  console.log(chalk5.bold.green(`
 ${ko.init.done}`));
-  console.log(chalk4.dim(`
+  console.log(chalk5.dim(`
 ${ko.init.nextSteps}`));
   if (options.fromNotion) {
     console.log(`  1. ${ko.init.notionReviewHint}`);
     console.log(`  2. ${ko.init.gitHintLabel}`);
-    console.log(`     ${chalk4.cyan(ko.init.gitHintCommand)}`);
+    console.log(`     ${chalk5.cyan(ko.init.gitHintCommand)}`);
     console.log(`  3. ${ko.init.startDev}
 `);
   } else {
     console.log(`  1. ${ko.init.fillHint}`);
     console.log(`  2. ${ko.init.prdHint}`);
     console.log(`  3. ${ko.init.gitHintLabel}`);
-    console.log(`     ${chalk4.cyan(ko.init.gitHintCommand)}`);
+    console.log(`     ${chalk5.cyan(ko.init.gitHintCommand)}`);
     console.log(`  4. ${ko.init.startDev}
 `);
   }
@@ -1558,7 +1719,7 @@ function generateFiles(name, description, stack, prdContent = {}) {
   };
 }
 var VHK_PACKAGE_SCRIPTS = {
-  save: "git add . && git commit -m",
+  save: "vhk save",
   check: "vhk check",
   scan: "vhk secure scan",
   recap: "vhk recap",
@@ -1566,15 +1727,15 @@ var VHK_PACKAGE_SCRIPTS = {
   doctor: "vhk doctor"
 };
 function enhancePackageScripts(projectDir) {
-  const pkgPath = path2.join(projectDir, "package.json");
-  if (!fs2.existsSync(pkgPath)) return false;
-  const pkg = JSON.parse(fs2.readFileSync(pkgPath, "utf-8"));
+  const pkgPath = path3.join(projectDir, "package.json");
+  if (!fs3.existsSync(pkgPath)) return false;
+  const pkg = JSON.parse(fs3.readFileSync(pkgPath, "utf-8"));
   pkg.scripts = { ...pkg.scripts, ...VHK_PACKAGE_SCRIPTS };
-  fs2.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
+  fs3.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n", "utf-8");
   return true;
 }
 async function writeInitExtras(projectDir) {
-  const commandsPath = path2.join(projectDir, "COMMANDS.md");
+  const commandsPath = path3.join(projectDir, "COMMANDS.md");
   if (fileExists(commandsPath)) {
     const { overwrite } = await inquirer2.prompt([{
       type: "confirm",
@@ -1599,37 +1760,13 @@ async function writeInitExtras(projectDir) {
 
 // src/commands/recap.ts
 import inquirer3 from "inquirer";
-import chalk5 from "chalk";
+import chalk6 from "chalk";
 import fs5 from "fs";
 import path6 from "path";
 
 // src/lib/git.ts
 import path4 from "path";
 import simpleGit from "simple-git";
-
-// src/lib/check-secure.ts
-var import_ignore = __toESM(require_ignore(), 1);
-import fs3 from "fs";
-import path3 from "path";
-function loadGitignore(rootDir) {
-  const ig = (0, import_ignore.default)();
-  const gitignorePath = path3.join(rootDir, ".gitignore");
-  if (fs3.existsSync(gitignorePath)) {
-    const content = fs3.readFileSync(gitignorePath, "utf-8");
-    ig.add(content);
-  }
-  return ig;
-}
-function isPathIgnored(ig, relativePath) {
-  const normalized = relativePath.replace(/\\/g, "/");
-  return ig.ignores(normalized);
-}
-function filterTrackedPaths(paths, rootDir = process.cwd()) {
-  const ig = loadGitignore(rootDir);
-  return paths.filter((p) => !isPathIgnored(ig, p.replace(/\\/g, "/")));
-}
-
-// src/lib/git.ts
 var git = simpleGit();
 function isNoiseRecapPath(filePath) {
   const base = path4.basename(filePath);
@@ -1646,29 +1783,19 @@ function filterRecapFiles(files) {
   const tracked = new Set(filterTrackedPaths(paths));
   return files.filter((f) => tracked.has(f.file) && !isNoiseRecapPath(f.file));
 }
-function fileStatus(workingDir) {
-  if (workingDir === "?") return "new";
-  if (workingDir === "D") return "deleted";
-  if (workingDir === "R") return "renamed";
+function inferFileStatusFromDiff(insertions, deletions) {
+  if (deletions > 0 && insertions === 0) return "deleted";
+  if (insertions > 0 && deletions === 0) return "new";
   return "modified";
 }
-async function getSessionDiff(since) {
-  const sinceDate = since || (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-  const diffSummary = await git.diffSummary([`--since=${sinceDate}`]);
-  const statusResult = await git.status();
-  const statByFile = new Map(
-    diffSummary.files.map((f) => [f.file, f])
-  );
+function buildSessionDiffFromSummary(diffSummary) {
   const files = filterRecapFiles(
-    statusResult.files.map((f) => {
-      const stat = statByFile.get(f.path);
-      return {
-        file: f.path,
-        insertions: stat?.insertions ?? 0,
-        deletions: stat?.deletions ?? 0,
-        status: fileStatus(f.working_dir)
-      };
-    })
+    diffSummary.files.map((f) => ({
+      file: f.file,
+      insertions: f.insertions,
+      deletions: f.deletions,
+      status: inferFileStatusFromDiff(f.insertions, f.deletions)
+    }))
   );
   return {
     filesChanged: files.length,
@@ -1677,6 +1804,11 @@ async function getSessionDiff(since) {
     files
   };
 }
+async function getSessionDiff(since) {
+  const sinceDate = since || (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  const diffSummary = await git.diffSummary([`--since=${sinceDate}`]);
+  return buildSessionDiffFromSummary(diffSummary);
+}
 async function getRecentCommits(count = 10, since) {
   const options = { maxCount: count };
   if (since) options["--since"] = since;
@@ -1787,39 +1919,40 @@ function createAdrFile(cwd, title, context, decision, consequences) {
 
 // src/commands/recap.ts
 async function recap(options = {}) {
-  console.log(chalk5.bold(`
+  console.log(chalk6.bold(`
 ${ko.recap.title}
 `));
   if (!await isGitRepo()) {
-    console.log(chalk5.red(ko.recap.noRepo));
+    console.log(chalk6.red(ko.recap.noRepo));
     return;
   }
-  console.log(chalk5.dim(`${ko.recap.analyzing}
+  printSecurityWarnings();
+  console.log(chalk6.dim(`${ko.recap.analyzing}
 `));
   const since = options.since || (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
   const diff2 = await getSessionDiff(since);
   const commits = await getRecentCommits(10, since);
   if (diff2.filesChanged === 0 && commits.length === 0) {
-    console.log(chalk5.yellow(ko.recap.noChanges));
+    console.log(chalk6.yellow(ko.recap.noChanges));
     return;
   }
-  console.log(chalk5.bold("\u{1F4CA} \uBCC0\uACBD \uC694\uC57D:"));
-  console.log(`  \uD30C\uC77C: ${chalk5.cyan(String(diff2.filesChanged))}\uAC1C \uBCC0\uACBD`);
-  console.log(`  \uCD94\uAC00: ${chalk5.green("+" + diff2.insertions)} / \uC0AD\uC81C: ${chalk5.red("-" + diff2.deletions)}`);
+  console.log(chalk6.bold("\u{1F4CA} \uBCC0\uACBD \uC694\uC57D:"));
+  console.log(`  \uD30C\uC77C: ${chalk6.cyan(String(diff2.filesChanged))}\uAC1C \uBCC0\uACBD`);
+  console.log(`  \uCD94\uAC00: ${chalk6.green("+" + diff2.insertions)} / \uC0AD\uC81C: ${chalk6.red("-" + diff2.deletions)}`);
   if (diff2.files.length > 0) {
-    console.log(chalk5.dim("\n  \uBCC0\uACBD \uD30C\uC77C:"));
+    console.log(chalk6.dim("\n  \uBCC0\uACBD \uD30C\uC77C:"));
     diff2.files.slice(0, 15).forEach((f) => {
-      const icon = f.status === "new" ? chalk5.green("\u{1F195}") : f.status === "deleted" ? chalk5.red("\u{1F5D1}\uFE0F") : chalk5.yellow("\u270F\uFE0F");
+      const icon = f.status === "new" ? chalk6.green("\u{1F195}") : f.status === "deleted" ? chalk6.red("\u{1F5D1}\uFE0F") : chalk6.yellow("\u270F\uFE0F");
       console.log(`  ${icon} ${f.file}`);
     });
     if (diff2.files.length > 15) {
-      console.log(chalk5.dim(`  ... \uC678 ${diff2.files.length - 15}\uAC1C`));
+      console.log(chalk6.dim(`  ... \uC678 ${diff2.files.length - 15}\uAC1C`));
     }
   }
   if (commits.length > 0) {
-    console.log(chalk5.dim("\n  \uCD5C\uADFC \uCEE4\uBC0B:"));
+    console.log(chalk6.dim("\n  \uCD5C\uADFC \uCEE4\uBC0B:"));
     commits.slice(0, 5).forEach((c) => {
-      console.log(chalk5.dim(`  \u2022 ${c.message}`));
+      console.log(chalk6.dim(`  \u2022 ${c.message}`));
     });
   }
   console.log("");
@@ -1887,11 +2020,11 @@ ${ko.recap.title}
   fs5.writeFileSync(filePath, content, "utf-8");
   const adrCandidates = detectAdrCandidates(diff2);
   if (adrCandidates.length > 0) {
-    console.log(chalk5.cyan.bold(`
+    console.log(chalk6.cyan.bold(`
 ${ko.recap.adrDetected} (${adrCandidates.length}\uAC74)`));
     for (const candidate of adrCandidates) {
-      console.log(chalk5.cyan(`  \u2022 ${candidate.title}: ${candidate.context}`));
-      candidate.files.forEach((f) => console.log(chalk5.dim(`    ${f}`)));
+      console.log(chalk6.cyan(`  \u2022 ${candidate.title}: ${candidate.context}`));
+      candidate.files.forEach((f) => console.log(chalk6.dim(`    ${f}`)));
     }
     const { createAdr } = await inquirer3.prompt([{
       type: "confirm",
@@ -1921,17 +2054,17 @@ ${ko.recap.adrDetected} (${adrCandidates.length}\uAC74)`));
           adrAnswers.decision,
           adrAnswers.consequences
         );
-        console.log(chalk5.green(`  \u2705 ADR \uC0DD\uC131: ${path6.relative(process.cwd(), adrPath)}`));
+        console.log(chalk6.green(`  \u2705 ADR \uC0DD\uC131: ${path6.relative(process.cwd(), adrPath)}`));
       }
     }
   }
   const troubleshootingKeywords = /fix|bug|error|crash|hotfix|patch|revert|트러블|에러|버그|수정|핫픽스/i;
   const troubleCommits = commits.filter((c) => troubleshootingKeywords.test(c.message));
   if (troubleCommits.length > 0) {
-    console.log(chalk5.yellow.bold(`
+    console.log(chalk6.yellow.bold(`
 ${ko.recap.troubleDetected} (${troubleCommits.length}\uAC74)`));
     troubleCommits.forEach((c) => {
-      console.log(chalk5.dim(`  \u2022 ${c.message}`));
+      console.log(chalk6.dim(`  \u2022 ${c.message}`));
     });
     const { createTroubleshoot } = await inquirer3.prompt([{
       type: "confirm",
@@ -1982,12 +2115,12 @@ ${ko.recap.troubleDetected} (${troubleCommits.length}\uAC74)`));
         `*Generated by \`vhk recap\` at ${(/* @__PURE__ */ new Date()).toISOString()}*`
       ].join("\n");
       fs5.writeFileSync(tsFilePath, tsContent, "utf-8");
-      console.log(chalk5.green(`  \u2705 \uD2B8\uB7EC\uBE14\uC288\uD305 \uBB38\uC11C \uC0DD\uC131: ${path6.relative(process.cwd(), tsFilePath)}`));
+      console.log(chalk6.green(`  \u2705 \uD2B8\uB7EC\uBE14\uC288\uD305 \uBB38\uC11C \uC0DD\uC131: ${path6.relative(process.cwd(), tsFilePath)}`));
     }
   }
-  console.log(chalk5.green.bold(`
+  console.log(chalk6.green.bold(`
 ${ko.recap.done}`));
-  console.log(chalk5.dim(`  \u{1F4C4} ${path6.relative(process.cwd(), filePath)}`));
+  console.log(chalk6.dim(`  \u{1F4C4} ${path6.relative(process.cwd(), filePath)}`));
   const claudeMdPath = path6.join(process.cwd(), "CLAUDE.md");
   if (fs5.existsSync(claudeMdPath)) {
     const { updateClaude } = await inquirer3.prompt([{
@@ -2007,7 +2140,7 @@ ${ko.recap.done}`));
         `- **\uB2E4\uC74C \uC561\uC158:** ${answers.nextTodo}`
       );
       fs5.writeFileSync(claudeMdPath, claudeContent, "utf-8");
-      console.log(chalk5.green("  \u2705 CLAUDE.md \uC5C5\uB370\uC774\uD2B8 \uC644\uB8CC"));
+      console.log(chalk6.green("  \u2705 CLAUDE.md \uC5C5\uB370\uC774\uD2B8 \uC644\uB8CC"));
     }
   }
   const gitSaveCmd = process.platform === "win32" ? 'git add .; git commit -m "recap: \uC138\uC158 \uAE30\uB85D"' : 'git add . && git commit -m "recap: \uC138\uC158 \uAE30\uB85D"';
@@ -2019,7 +2152,7 @@ ${ko.recap.done}`));
 }
 
 // src/commands/sync.ts
-import chalk6 from "chalk";
+import chalk7 from "chalk";
 import fs6 from "fs";
 import path7 from "path";
 var CURSORRULES_KEYS = ["\uCF54\uB529 \uADDC\uCE59", "\uAE30\uC220 \uC2A4\uD0DD", "\uC544\uD0A4\uD14D\uCC98", "\uB514\uC790\uC778", "Anti-patterns", "\uCEE4\uBC0B"];
@@ -2089,32 +2222,32 @@ function toClaudeMd(sections, existing) {
   return lines.join("\n");
 }
 async function sync() {
-  console.log(chalk6.bold(`
+  console.log(chalk7.bold(`
 ${ko.sync.title}
 `));
   const cwd = process.cwd();
   const rulesPath = path7.join(cwd, "RULES.md");
   if (!fs6.existsSync(rulesPath)) {
-    console.log(chalk6.yellow(ko.sync.noRules));
-    console.log(chalk6.dim("  RULES.md\uB294 \uD504\uB85C\uC81D\uD2B8 \uADDC\uCE59\uC758 Single Source of Truth\uC785\uB2C8\uB2E4."));
-    console.log(chalk6.dim("  \uC0DD\uC131\uD558\uB824\uBA74: vhk init \uC2E4\uD589 \uD6C4 RULES.md\uB97C \uC791\uC131\uD558\uC138\uC694."));
+    console.log(chalk7.yellow(ko.sync.noRules));
+    console.log(chalk7.dim("  RULES.md\uB294 \uD504\uB85C\uC81D\uD2B8 \uADDC\uCE59\uC758 Single Source of Truth\uC785\uB2C8\uB2E4."));
+    console.log(chalk7.dim("  \uC0DD\uC131\uD558\uB824\uBA74: vhk init \uC2E4\uD589 \uD6C4 RULES.md\uB97C \uC791\uC131\uD558\uC138\uC694."));
     console.log("");
-    console.log(chalk6.dim("  RULES.md \uAE30\uBCF8 \uAD6C\uC870:"));
-    console.log(chalk6.dim("  ## \uD504\uB85C\uC81D\uD2B8 \uC815\uCCB4\uC131"));
-    console.log(chalk6.dim("  ## \uAE30\uC220 \uC2A4\uD0DD"));
-    console.log(chalk6.dim("  ## \uCF54\uB529 \uADDC\uCE59"));
-    console.log(chalk6.dim("  ## \uAE30\uB85D \uADDC\uCE59"));
-    console.log(chalk6.dim("  ## \uCEE4\uBC0B \uCEE8\uBCA4\uC158"));
+    console.log(chalk7.dim("  RULES.md \uAE30\uBCF8 \uAD6C\uC870:"));
+    console.log(chalk7.dim("  ## \uD504\uB85C\uC81D\uD2B8 \uC815\uCCB4\uC131"));
+    console.log(chalk7.dim("  ## \uAE30\uC220 \uC2A4\uD0DD"));
+    console.log(chalk7.dim("  ## \uCF54\uB529 \uADDC\uCE59"));
+    console.log(chalk7.dim("  ## \uAE30\uB85D \uADDC\uCE59"));
+    console.log(chalk7.dim("  ## \uCEE4\uBC0B \uCEE8\uBCA4\uC158"));
     return;
   }
   const rulesContent = fs6.readFileSync(rulesPath, "utf-8");
   const sections = parseRulesMd(rulesContent);
-  console.log(chalk6.dim(`  \u{1F4C4} RULES.md \uD30C\uC2F1 \uC644\uB8CC \u2014 ${sections.length}\uAC1C \uC139\uC158`));
+  console.log(chalk7.dim(`  \u{1F4C4} RULES.md \uD30C\uC2F1 \uC644\uB8CC \u2014 ${sections.length}\uAC1C \uC139\uC158`));
   const firstLine = rulesContent.split("\n")[0];
   const projectName = firstLine.replace(/^#\s*/, "").replace(/\s*—.*/, "").trim() || "Project";
   const cursorrulesPath = path7.join(cwd, ".cursorrules");
   fs6.writeFileSync(cursorrulesPath, toCursorrules(sections, projectName), "utf-8");
-  console.log(chalk6.green(`  ${ko.sync.cursorrulesDone}`));
+  console.log(chalk7.green(`  ${ko.sync.cursorrulesDone}`));
   const claudePath = path7.join(cwd, "CLAUDE.md");
   const existingClaude = fs6.existsSync(claudePath) ? fs6.readFileSync(claudePath, "utf-8") : `# \uAE30\uB85D \uADDC\uCE59 (${projectName})
 
@@ -2124,11 +2257,11 @@ ${ko.sync.title}
 - **\uB2E4\uC74C \uC561\uC158:** __FILL__
 - **\uB9C8\uC9C0\uB9C9 \uC5C5\uB370\uC774\uD2B8:** ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}`;
   fs6.writeFileSync(claudePath, toClaudeMd(sections, existingClaude), "utf-8");
-  console.log(chalk6.green(`  ${ko.sync.claudeDone}`));
-  console.log(chalk6.bold.green(`
+  console.log(chalk7.green(`  ${ko.sync.claudeDone}`));
+  console.log(chalk7.bold.green(`
 ${ko.sync.done}`));
-  console.log(chalk6.dim("  RULES.md (\uC6D0\uBCF8) \u2192 .cursorrules + CLAUDE.md (\uC790\uB3D9 \uC0DD\uC131)"));
-  console.log(chalk6.dim("  \uADDC\uCE59 \uBCC0\uACBD\uC740 \uD56D\uC0C1 RULES.md\uC5D0\uC11C\uB9CC \uD558\uC138\uC694."));
+  console.log(chalk7.dim("  RULES.md (\uC6D0\uBCF8) \u2192 .cursorrules + CLAUDE.md (\uC790\uB3D9 \uC0DD\uC131)"));
+  console.log(chalk7.dim("  \uADDC\uCE59 \uBCC0\uACBD\uC740 \uD56D\uC0C1 RULES.md\uC5D0\uC11C\uB9CC \uD558\uC138\uC694."));
   printNextStep({
     message: "\uADDC\uCE59 \uB3D9\uAE30\uD654 \uC644\uB8CC! \uC774\uC81C Cursor\uAC00 \uC0C8 \uADDC\uCE59\uC744 \uB530\uB985\uB2C8\uB2E4.",
     command: "vhk \uC810\uAC80",
@@ -2137,7 +2270,7 @@ ${ko.sync.done}`));
 }
 
 // src/commands/check.ts
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 import path9 from "path";
 import fs8 from "fs";
 
@@ -2196,15 +2329,6 @@ function parseRules(rulesPath) {
         ));
       }
     }
-    if (/반드시|필수|항상|must|always|required/i.test(ruleText)) {
-      rules.push({
-        id: `required-${ruleIndex}`,
-        section: currentSection,
-        type: "custom",
-        description: ruleText,
-        check: () => []
-      });
-    }
   }
   return rules;
 }
@@ -2305,22 +2429,22 @@ function escapeRegex(str) {
 
 // src/commands/check.ts
 async function check() {
-  console.log(chalk7.bold(`
+  console.log(chalk8.bold(`
 ${ko.check.title}
 `));
   const cwd = process.cwd();
   const rulesPath = path9.join(cwd, "RULES.md");
   if (!fs8.existsSync(rulesPath)) {
-    console.log(chalk7.yellow(ko.check.noRules));
-    console.log(chalk7.dim("  vhk init\uC73C\uB85C \uC2DC\uC791\uD558\uAC70\uB098 RULES.md\uB97C \uB9CC\uB4E4\uC5B4 \uBCF4\uC138\uC694."));
+    console.log(chalk8.yellow(ko.check.noRules));
+    console.log(chalk8.dim("  vhk init\uC73C\uB85C \uC2DC\uC791\uD558\uAC70\uB098 RULES.md\uB97C \uB9CC\uB4E4\uC5B4 \uBCF4\uC138\uC694."));
     return;
   }
   const rules = parseRules(rulesPath);
-  console.log(chalk7.dim(`  \u{1F4CF} ${rules.length}\uAC1C \uAC80\uC99D \uAC00\uB2A5\uD55C \uADDC\uCE59 \uAC10\uC9C0
+  console.log(chalk8.dim(`  \u{1F4CF} ${rules.length}\uAC1C \uAC80\uC99D \uAC00\uB2A5\uD55C \uADDC\uCE59 \uAC10\uC9C0
 `));
   if (rules.length === 0) {
-    console.log(chalk7.yellow(ko.check.noAutoRules));
-    console.log(chalk7.dim("  RULES.md\uC5D0 \uD30C\uC77C \uC774\uB984\xB7\uD3F4\uB354 \uADDC\uCE59\uC744 \uC801\uC73C\uBA74 \uC790\uB3D9\uC73C\uB85C \uC810\uAC80\uD574\uC694."));
+    console.log(chalk8.yellow(ko.check.noAutoRules));
+    console.log(chalk8.dim("  RULES.md\uC5D0 \uD30C\uC77C \uC774\uB984\xB7\uD3F4\uB354 \uADDC\uCE59\uC744 \uC801\uC73C\uBA74 \uC790\uB3D9\uC73C\uB85C \uC810\uAC80\uD574\uC694."));
     return;
   }
   const allViolations = [];
@@ -2328,13 +2452,13 @@ ${ko.check.title}
   for (const rule of rules) {
     const violations = rule.check(cwd);
     if (violations.length === 0) {
-      console.log(chalk7.green(`  \u2705 ${rule.id}`) + chalk7.dim(` \u2014 ${rule.description.slice(0, 60)}`));
+      console.log(chalk8.green(`  \u2705 ${rule.id}`) + chalk8.dim(` \u2014 ${rule.description.slice(0, 60)}`));
       passCount++;
     } else {
-      console.log(chalk7.red(`  \u274C ${rule.id}`) + chalk7.dim(` \u2014 ${violations.length}\uAC74 \uC704\uBC18`));
+      console.log(chalk8.red(`  \u274C ${rule.id}`) + chalk8.dim(` \u2014 ${violations.length}\uAC74 \uC704\uBC18`));
       violations.forEach((v) => {
-        const loc = v.file ? chalk7.dim(` (${v.file}${v.line ? ":" + v.line : ""})`) : "";
-        const icon = v.severity === "error" ? chalk7.red("\u2716") : v.severity === "warning" ? chalk7.yellow("\u26A0") : chalk7.blue("\u2139");
+        const loc = v.file ? chalk8.dim(` (${v.file}${v.line ? ":" + v.line : ""})`) : "";
+        const icon = v.severity === "error" ? chalk8.red("\u2716") : v.severity === "warning" ? chalk8.yellow("\u26A0") : chalk8.blue("\u2139");
         console.log(`    ${icon} ${v.message}${loc}`);
       });
       allViolations.push(...violations);
@@ -2344,17 +2468,17 @@ ${ko.check.title}
   const errors = allViolations.filter((v) => v.severity === "error").length;
   const warnings = allViolations.filter((v) => v.severity === "warning").length;
   if (allViolations.length === 0) {
-    console.log(chalk7.green.bold(`${ko.check.allPassed} (${passCount}/${rules.length})`));
+    console.log(chalk8.green.bold(`${ko.check.allPassed} (${passCount}/${rules.length})`));
     printNextStep({
       message: "\uBAA8\uB4E0 \uADDC\uCE59 \uD1B5\uACFC! \uBCF4\uC548 \uC2A4\uCE94\uB3C4 \uD574\uBCFC\uAE4C\uC694?",
       command: "vhk \uBCF4\uC548 scan",
       cursorHint: "\uBCF4\uC548 \uC2A4\uCE94 \uB3CC\uB824\uC918"
     });
   } else {
-    console.log(chalk7.bold(ko.check.summary));
-    console.log(`  \uADDC\uCE59: ${chalk7.cyan(String(rules.length))}\uAC1C | \uD1B5\uACFC: ${chalk7.green(String(passCount))}\uAC1C | \uC704\uBC18: ${chalk7.red(String(allViolations.length))}\uAC74`);
-    if (errors > 0) console.log(`  ${chalk7.red(`\u2716 ${errors}\uAC1C \uC5D0\uB7EC`)}`);
-    if (warnings > 0) console.log(`  ${chalk7.yellow(`\u26A0 ${warnings}\uAC1C \uACBD\uACE0`)}`);
+    console.log(chalk8.bold(ko.check.summary));
+    console.log(`  \uADDC\uCE59: ${chalk8.cyan(String(rules.length))}\uAC1C | \uD1B5\uACFC: ${chalk8.green(String(passCount))}\uAC1C | \uC704\uBC18: ${chalk8.red(String(allViolations.length))}\uAC74`);
+    if (errors > 0) console.log(`  ${chalk8.red(`\u2716 ${errors}\uAC1C \uC5D0\uB7EC`)}`);
+    if (warnings > 0) console.log(`  ${chalk8.yellow(`\u26A0 ${warnings}\uAC1C \uACBD\uACE0`)}`);
     printNextStep({
       message: "\uC704\uBC18 \uD56D\uBAA9\uC744 \uC218\uC815\uD55C \uD6C4 \uB2E4\uC2DC \uC810\uAC80\uD558\uC138\uC694.",
       command: "vhk \uC810\uAC80",
@@ -2367,10 +2491,13 @@ ${ko.check.title}
 }
 
 // src/commands/secure.ts
-import chalk8 from "chalk";
-import fs10 from "fs";
+import chalk9 from "chalk";
+import fs11 from "fs";
 import path11 from "path";
 
+// src/lib/scan-secrets.ts
+import fs10 from "fs";
+
 // src/lib/secret-patterns.ts
 var SECRET_PATTERNS = [
   {
@@ -2395,7 +2522,7 @@ var SECRET_PATTERNS = [
     id: "notion-token",
     name: "Notion Integration Token",
     severity: "critical",
-    pattern: /secret_[A-Za-z0-9]{24,}/
+    pattern: /secret_[A-Za-z0-9]{40,50}/
   },
   {
     id: "github-token",
@@ -2407,7 +2534,7 @@ var SECRET_PATTERNS = [
     id: "openai-key",
     name: "OpenAI API Key",
     severity: "critical",
-    pattern: /sk-[A-Za-z0-9]{20,}/
+    pattern: /\bsk-(?:proj-|ant-api03-|live-)[A-Za-z0-9_-]{16,}\b/
   },
   {
     id: "generic-api-key",
@@ -2509,69 +2636,88 @@ function walkProjectFiles(rootDir, onFile, ig = loadGitignore(rootDir)) {
   walk(rootDir);
 }
 
-// src/commands/secure.ts
-var MAX_FINDINGS = 200;
+// src/lib/scan-secrets.ts
+var MAX_SECRET_FINDINGS = 200;
 var MAX_LINE_CHARS = 4e3;
+function globalPattern(pattern) {
+  const flags = pattern.flags.includes("g") ? pattern.flags : `${pattern.flags}g`;
+  return new RegExp(pattern.source, flags);
+}
+function findSecretsInLine(line, relPath, lineNum) {
+  const found = [];
+  const trimmed = line.trim();
+  if (trimmed.startsWith("//") && trimmed.includes("example")) return found;
+  if (trimmed.startsWith("#") && trimmed.includes("example")) return found;
+  if (line.length > MAX_LINE_CHARS) return found;
+  for (const pattern of SECRET_PATTERNS) {
+    const regex = globalPattern(pattern.pattern);
+    for (const match of line.matchAll(regex)) {
+      found.push({
+        patternId: pattern.id,
+        patternName: pattern.name,
+        severity: pattern.severity,
+        file: relPath,
+        line: lineNum,
+        match: maskSecret(match[0])
+      });
+    }
+  }
+  return found;
+}
+function scanProjectForSecrets(cwd) {
+  const findings = [];
+  let scannedFiles = 0;
+  let truncated = false;
+  walkProjectFiles(cwd, (filePath, relPath) => {
+    scannedFiles++;
+    const content = fs10.readFileSync(filePath, "utf-8");
+    const lines = content.split("\n");
+    lines.forEach((line, idx) => {
+      if (truncated) return;
+      const lineFindings = findSecretsInLine(line, relPath, idx + 1);
+      for (const f of lineFindings) {
+        findings.push(f);
+        if (findings.length >= MAX_SECRET_FINDINGS) {
+          truncated = true;
+          return;
+        }
+      }
+    });
+  });
+  return { findings, scannedFiles, truncated };
+}
+function filterSevereFindings(findings) {
+  return findings.filter((f) => f.severity === "critical" || f.severity === "high");
+}
+
+// src/commands/secure.ts
 async function secure() {
-  console.log(chalk8.bold(`
+  console.log(chalk9.bold(`
 ${ko.secure.title}
 `));
   const cwd = process.cwd();
-  const findings = [];
-  let scannedFiles = 0;
-  let truncated = false;
   const gitignorePath = path11.join(cwd, ".gitignore");
-  const hasGitignore = fs10.existsSync(gitignorePath);
+  const hasGitignore = fs11.existsSync(gitignorePath);
   if (!hasGitignore) {
-    console.log(chalk8.yellow(`  ${ko.secure.noGitignore}`));
-    console.log(chalk8.dim("  .env \uD30C\uC77C\uC774 \uCEE4\uBC0B\uB420 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n"));
+    console.log(chalk9.yellow(`  ${ko.secure.noGitignore}`));
+    console.log(chalk9.dim("  .env \uD30C\uC77C\uC774 \uCEE4\uBC0B\uB420 \uC218 \uC788\uC2B5\uB2C8\uB2E4.\n"));
   } else {
-    const gitignoreContent = fs10.readFileSync(gitignorePath, "utf-8");
+    const gitignoreContent = fs11.readFileSync(gitignorePath, "utf-8");
     if (!gitignoreContent.includes(".env")) {
-      console.log(chalk8.yellow(`  ${ko.secure.noEnvInGitignore}`));
-      console.log(chalk8.dim("  \uCD94\uAC00\uB97C \uAD8C\uC7A5\uD569\uB2C8\uB2E4.\n"));
+      console.log(chalk9.yellow(`  ${ko.secure.noEnvInGitignore}`));
+      console.log(chalk9.dim("  \uCD94\uAC00\uB97C \uAD8C\uC7A5\uD569\uB2C8\uB2E4.\n"));
     }
   }
-  console.log(chalk8.dim(`  ${ko.secure.scanning}
+  console.log(chalk9.dim(`  ${ko.secure.scanning}
 `));
-  walkProjectFiles(cwd, (filePath, relPath) => {
-    scannedFiles++;
-    const content = fs10.readFileSync(filePath, "utf-8");
-    const lines = content.split("\n");
-    for (const pattern of SECRET_PATTERNS) {
-      if (truncated) break;
-      lines.forEach((line, idx) => {
-        if (truncated) return;
-        if (line.length > MAX_LINE_CHARS) return;
-        const trimmed = line.trim();
-        if (trimmed.startsWith("//") && trimmed.includes("example")) return;
-        if (trimmed.startsWith("#") && trimmed.includes("example")) return;
-        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
-        let match;
-        while ((match = regex.exec(line)) !== null) {
-          findings.push({
-            patternId: pattern.id,
-            patternName: pattern.name,
-            severity: pattern.severity,
-            file: relPath,
-            line: idx + 1,
-            match: maskSecret(match[0])
-          });
-          if (findings.length >= MAX_FINDINGS) {
-            truncated = true;
-            return;
-          }
-        }
-      });
-    }
-  });
-  console.log(chalk8.dim(`  \u{1F4C2} ${scannedFiles}\uAC1C \uD30C\uC77C \uC2A4\uCE94 \uC644\uB8CC (lock\xB7node_modules\xB7>${MAX_SCAN_FILE_BYTES / 1024}KB \uC81C\uC678)`));
+  const { findings, scannedFiles, truncated } = scanProjectForSecrets(cwd);
+  console.log(chalk9.dim(`  \u{1F4C2} ${scannedFiles}\uAC1C \uD30C\uC77C \uC2A4\uCE94 \uC644\uB8CC (lock\xB7node_modules\xB7>${MAX_SCAN_FILE_BYTES / 1024}KB \uC81C\uC678)`));
   if (truncated) {
-    console.log(chalk8.yellow(`  \u26A0\uFE0F  \uACB0\uACFC ${MAX_FINDINGS}\uAC74\uC5D0\uC11C \uCD9C\uB825\uC744 \uC81C\uD55C\uD588\uC2B5\uB2C8\uB2E4. lock \uD30C\uC77C \uB4F1\uC740 \uC790\uB3D9 \uC81C\uC678\uB429\uB2C8\uB2E4.`));
+    console.log(chalk9.yellow(`  \u26A0\uFE0F  \uACB0\uACFC ${MAX_SECRET_FINDINGS}\uAC74\uC5D0\uC11C \uCD9C\uB825\uC744 \uC81C\uD55C\uD588\uC2B5\uB2C8\uB2E4. lock \uD30C\uC77C \uB4F1\uC740 \uC790\uB3D9 \uC81C\uC678\uB429\uB2C8\uB2E4.`));
   }
   console.log("");
   if (findings.length === 0) {
-    console.log(chalk8.green.bold(`  ${ko.secure.clean}`));
+    console.log(chalk9.green.bold(`  ${ko.secure.clean}`));
     printNextStep({
       message: "\uBCF4\uC548 \uC774\uC0C1 \uC5C6\uC74C! \uAE68\uB057\uD569\uB2C8\uB2E4.",
       command: "vhk \uC815\uB9AC",
@@ -2583,45 +2729,45 @@ ${ko.secure.title}
   const high = findings.filter((f) => f.severity === "high");
   const medium = findings.filter((f) => f.severity === "medium");
   if (critical.length > 0) {
-    console.log(chalk8.red.bold(`  \u{1F6A8} CRITICAL \u2014 ${critical.length}\uAC74`));
+    console.log(chalk9.red.bold(`  \u{1F6A8} CRITICAL \u2014 ${critical.length}\uAC74`));
     critical.forEach((f) => {
-      console.log(chalk8.red(`    \u2716 ${f.patternName}`));
-      console.log(chalk8.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
+      console.log(chalk9.red(`    \u2716 ${f.patternName}`));
+      console.log(chalk9.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
     });
     console.log("");
   }
   if (high.length > 0) {
-    console.log(chalk8.yellow.bold(`  \u26A0\uFE0F HIGH \u2014 ${high.length}\uAC74`));
+    console.log(chalk9.yellow.bold(`  \u26A0\uFE0F HIGH \u2014 ${high.length}\uAC74`));
     high.forEach((f) => {
-      console.log(chalk8.yellow(`    \u26A0 ${f.patternName}`));
-      console.log(chalk8.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
+      console.log(chalk9.yellow(`    \u26A0 ${f.patternName}`));
+      console.log(chalk9.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
     });
     console.log("");
   }
   if (medium.length > 0) {
-    console.log(chalk8.blue.bold(`  \u2139 MEDIUM \u2014 ${medium.length}\uAC74`));
+    console.log(chalk9.blue.bold(`  \u2139 MEDIUM \u2014 ${medium.length}\uAC74`));
     medium.forEach((f) => {
-      console.log(chalk8.blue(`    \u2139 ${f.patternName}`));
-      console.log(chalk8.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
+      console.log(chalk9.blue(`    \u2139 ${f.patternName}`));
+      console.log(chalk9.dim(`      ${f.file}:${f.line} \u2192 ${f.match}`));
     });
     console.log("");
   }
-  console.log(chalk8.bold(`  ${ko.secure.summary}`));
-  console.log(`  \uCD1D ${chalk8.red(String(findings.length))}\uAC74 \uAC10\uC9C0 | CRITICAL: ${critical.length} | HIGH: ${high.length} | MEDIUM: ${medium.length}`);
+  console.log(chalk9.bold(`  ${ko.secure.summary}`));
+  console.log(`  \uCD1D ${chalk9.red(String(findings.length))}\uAC74 \uAC10\uC9C0 | CRITICAL: ${critical.length} | HIGH: ${high.length} | MEDIUM: ${medium.length}`);
   console.log("");
-  console.log(chalk8.dim("  \u{1F4A1} \uC870\uCE58 \uBC29\uBC95:"));
-  console.log(chalk8.dim("    1. \uD574\uB2F9 \uD30C\uC77C\uC5D0\uC11C \uC2DC\uD06C\uB9BF\uC744 \uC81C\uAC70\uD558\uACE0 \uD658\uACBD\uBCC0\uC218\uB85C \uC774\uB3D9"));
-  console.log(chalk8.dim("    2. git history\uC5D0\uC11C\uB3C4 \uC81C\uAC70: git filter-branch \uB610\uB294 BFG Repo-Cleaner"));
-  console.log(chalk8.dim("    3. \uC720\uCD9C\uB41C \uD0A4\uB294 \uC989\uC2DC \uD3D0\uAE30\uD558\uACE0 \uC7AC\uBC1C\uAE09\n"));
-  if (critical.length > 0) {
+  console.log(chalk9.dim("  \u{1F4A1} \uC870\uCE58 \uBC29\uBC95:"));
+  console.log(chalk9.dim("    1. \uD574\uB2F9 \uD30C\uC77C\uC5D0\uC11C \uC2DC\uD06C\uB9BF\uC744 \uC81C\uAC70\uD558\uACE0 \uD658\uACBD\uBCC0\uC218\uB85C \uC774\uB3D9"));
+  console.log(chalk9.dim("    2. git history\uC5D0\uC11C\uB3C4 \uC81C\uAC70: git filter-branch \uB610\uB294 BFG Repo-Cleaner"));
+  console.log(chalk9.dim("    3. \uC720\uCD9C\uB41C \uD0A4\uB294 \uC989\uC2DC \uD3D0\uAE30\uD558\uACE0 \uC7AC\uBC1C\uAE09\n"));
+  if (critical.length > 0 || high.length > 0) {
     process.exitCode = 1;
   }
 }
 
 // src/commands/doctor.ts
-import chalk9 from "chalk";
+import chalk10 from "chalk";
 import { execSync } from "child_process";
-import fs11 from "fs";
+import fs12 from "fs";
 import path12 from "path";
 import { fileURLToPath } from "url";
 function checkCommand(name, command, hint) {
@@ -2640,8 +2786,8 @@ function getVhkVersion() {
   ];
   for (const pkgPath of candidates) {
     try {
-      if (fs11.existsSync(pkgPath)) {
-        const pkg = JSON.parse(fs11.readFileSync(pkgPath, "utf-8"));
+      if (fs12.existsSync(pkgPath)) {
+        const pkg = JSON.parse(fs12.readFileSync(pkgPath, "utf-8"));
         return pkg.version;
       }
     } catch {
@@ -2651,7 +2797,7 @@ function getVhkVersion() {
   return void 0;
 }
 async function doctor() {
-  console.log(chalk9.bold(`
+  console.log(chalk10.bold(`
 ${ko.doctor.title}
 `));
   const checks = [
@@ -2663,22 +2809,22 @@ ${ko.doctor.title}
   let allOk = true;
   for (const check2 of checks) {
     if (check2.ok) {
-      console.log(chalk9.green(`  \u2705 ${check2.name}`) + chalk9.dim(` \u2014 ${check2.version}`));
+      console.log(chalk10.green(`  \u2705 ${check2.name}`) + chalk10.dim(` \u2014 ${check2.version}`));
     } else {
-      console.log(chalk9.red(`  \u274C ${check2.name} \uC5C6\uC74C`));
-      console.log(chalk9.dim(`     \u2192 ${check2.hint}`));
+      console.log(chalk10.red(`  \u274C ${check2.name} \uC5C6\uC74C`));
+      console.log(chalk10.dim(`     \u2192 ${check2.hint}`));
       allOk = false;
     }
   }
   console.log("");
   const vhkVersion = getVhkVersion();
   if (vhkVersion) {
-    console.log(chalk9.green("  \u2705 VHK") + chalk9.dim(` \u2014 v${vhkVersion}`));
+    console.log(chalk10.green("  \u2705 VHK") + chalk10.dim(` \u2014 v${vhkVersion}`));
   } else {
-    console.log(chalk9.green("  \u2705 VHK") + chalk9.dim(" \u2014 \uC124\uCE58\uB428"));
+    console.log(chalk10.green("  \u2705 VHK") + chalk10.dim(" \u2014 \uC124\uCE58\uB428"));
   }
   console.log("");
-  console.log(chalk9.bold(`  ${ko.doctor.projectFiles}`));
+  console.log(chalk10.bold(`  ${ko.doctor.projectFiles}`));
   const cwd = process.cwd();
   const projectFiles = [
     { name: "RULES.md", hint: "vhk init\uC73C\uB85C \uC0DD\uC131 \uAC00\uB2A5" },
@@ -2688,32 +2834,32 @@ ${ko.doctor.title}
     { name: ".env", hint: ".gitignore\uC5D0 \uD3EC\uD568\uB418\uC5B4 \uC788\uB294\uC9C0 \uD655\uC778" }
   ];
   for (const file of projectFiles) {
-    const exists = fs11.existsSync(path12.join(cwd, file.name));
+    const exists = fs12.existsSync(path12.join(cwd, file.name));
     if (exists) {
-      console.log(chalk9.green(`    \u2705 ${file.name}`));
+      console.log(chalk10.green(`    \u2705 ${file.name}`));
       if (file.name === ".env") {
         const gitignorePath = path12.join(cwd, ".gitignore");
-        if (fs11.existsSync(gitignorePath)) {
-          const gitignore = fs11.readFileSync(gitignorePath, "utf-8");
+        if (fs12.existsSync(gitignorePath)) {
+          const gitignore = fs12.readFileSync(gitignorePath, "utf-8");
           if (!gitignore.includes(".env")) {
-            console.log(chalk9.yellow(`    ${ko.doctor.envNotIgnored}`));
+            console.log(chalk10.yellow(`    ${ko.doctor.envNotIgnored}`));
           }
         }
       }
     } else {
-      console.log(chalk9.dim(`    \u2B1A ${file.name}`) + chalk9.dim(` \u2014 ${file.hint}`));
+      console.log(chalk10.dim(`    \u2B1A ${file.name}`) + chalk10.dim(` \u2014 ${file.hint}`));
     }
   }
   console.log("");
   if (allOk) {
-    console.log(chalk9.green.bold(`  ${ko.doctor.allOk}`));
+    console.log(chalk10.green.bold(`  ${ko.doctor.allOk}`));
     printNextStep({
       message: ko.doctor.nextOkMessage,
       command: "vhk \uC2DC\uC791",
       cursorHint: "\uD504\uB85C\uC81D\uD2B8 \uB9CC\uB4E4\uC5B4\uC918"
     });
   } else {
-    console.log(chalk9.yellow.bold(`  ${ko.doctor.missing} ${ko.doctor.missingHint}`));
+    console.log(chalk10.yellow.bold(`  ${ko.doctor.missing} ${ko.doctor.missingHint}`));
     printNextStep({
       message: ko.doctor.nextRetryMessage,
       command: "vhk doctor",
@@ -2724,9 +2870,9 @@ ${ko.doctor.title}
 }
 
 // src/commands/ship.ts
-import chalk10 from "chalk";
+import chalk11 from "chalk";
 import inquirer4 from "inquirer";
-import fs12 from "fs";
+import fs13 from "fs";
 import path13 from "path";
 var CHECKLIST = [
   { id: "build", questionKey: "checkBuild", hintKey: "hintBuild" },
@@ -2740,29 +2886,29 @@ function sanitizeVersion(version) {
   return version.trim().replace(/^v/i, "").replace(/[^a-zA-Z0-9._-]/g, "-") || "0.0.0";
 }
 async function ship() {
-  console.log(chalk10.bold(`
+  console.log(chalk11.bold(`
 ${ko.ship.title}
 `));
   const cwd = process.cwd();
-  console.log(chalk10.cyan.bold(`  ${ko.ship.checklist}
+  console.log(chalk11.cyan.bold(`  ${ko.ship.checklist}
 `));
   const { passed } = await inquirer4.prompt([{
     type: "checkbox",
     name: "passed",
     message: ko.ship.checkboxPrompt,
     choices: CHECKLIST.map((c) => ({
-      name: `${ko.ship[c.questionKey]} ${chalk10.dim(`(${ko.ship[c.hintKey]})`)}`,
+      name: `${ko.ship[c.questionKey]} ${chalk11.dim(`(${ko.ship[c.hintKey]})`)}`,
       value: c.id
     }))
   }]);
   const allPassed = passed.length === CHECKLIST.length;
   const skipped = CHECKLIST.filter((c) => !passed.includes(c.id));
   if (!allPassed) {
-    console.log(chalk10.yellow(`
+    console.log(chalk11.yellow(`
   ${ko.ship.incompleteHeader}`));
     skipped.forEach((s) => {
-      console.log(chalk10.yellow(`    \u2022 ${ko.ship[s.questionKey]}`));
-      console.log(chalk10.dim(`      \u2192 ${ko.ship[s.hintKey]}`));
+      console.log(chalk11.yellow(`    \u2022 ${ko.ship[s.questionKey]}`));
+      console.log(chalk11.dim(`      \u2192 ${ko.ship[s.hintKey]}`));
     });
     const { proceed } = await inquirer4.prompt([{
       type: "confirm",
@@ -2779,13 +2925,13 @@ ${ko.ship.title}
       return;
     }
   } else {
-    console.log(chalk10.green(`
+    console.log(chalk11.green(`
   ${ko.ship.allPassed}
 `));
   }
-  console.log(chalk10.cyan.bold(`  ${ko.ship.retro}
+  console.log(chalk11.cyan.bold(`  ${ko.ship.retro}
 `));
-  console.log(chalk10.dim(`  ${ko.ship.versionHint}`));
+  console.log(chalk11.dim(`  ${ko.ship.versionHint}`));
   const retro = await inquirer4.prompt([
     { type: "input", name: "version", message: ko.ship.versionPrompt },
     { type: "input", name: "whatWentWell", message: ko.ship.questionWell },
@@ -2794,7 +2940,7 @@ ${ko.ship.title}
     { type: "input", name: "nextVersion", message: ko.ship.questionNext }
   ]);
   const buildLogDir = path13.join(cwd, "docs", "build-log");
-  if (!fs12.existsSync(buildLogDir)) fs12.mkdirSync(buildLogDir, { recursive: true });
+  if (!fs13.existsSync(buildLogDir)) fs13.mkdirSync(buildLogDir, { recursive: true });
   const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
   const versionSlug = sanitizeVersion(retro.version);
   const fileName = `${today}-v${versionSlug}.md`;
@@ -2827,8 +2973,8 @@ ${ko.ship.title}
     "---",
     `*Generated by \`vhk ship\` at ${(/* @__PURE__ */ new Date()).toISOString()}*`
   ].join("\n");
-  fs12.writeFileSync(filePath, content, "utf-8");
-  console.log(chalk10.green(`
+  fs13.writeFileSync(filePath, content, "utf-8");
+  console.log(chalk11.green(`
   ${ko.ship.buildLogDone(path13.relative(cwd, filePath))}`));
   printNextStep({
     message: ko.ship.deployMessage,
@@ -2839,16 +2985,63 @@ ${ko.ship.title}
 }
 
 // src/commands/save.ts
-import { execFileSync, execSync as execSync2 } from "child_process";
-import chalk11 from "chalk";
+import { execFileSync as execFileSync2 } from "child_process";
+import chalk12 from "chalk";
 import ora from "ora";
 import inquirer5 from "inquirer";
-function gitOut(args) {
-  return execFileSync("git", args, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+
+// src/lib/git-porcelain.ts
+function normalizePorcelain(raw) {
+  return raw.replace(/\r\n/g, "\n").trimEnd();
+}
+function parsePorcelainLines(raw) {
+  return normalizePorcelain(raw).split("\n").filter(Boolean);
+}
+
+// src/lib/git-repo.ts
+import { execFileSync } from "child_process";
+function getGitRoot(cwd = process.cwd()) {
+  return execFileSync("git", ["rev-parse", "--show-toplevel"], {
+    encoding: "utf-8",
+    cwd,
+    stdio: ["pipe", "pipe", "pipe"]
+  }).trim();
+}
+function gitOut(args, cwd) {
+  return execFileSync("git", args, {
+    encoding: "utf-8",
+    cwd,
+    stdio: ["pipe", "pipe", "pipe"]
+  });
+}
+function gitRun(args, cwd) {
+  execFileSync("git", args, { stdio: "pipe", cwd });
+}
+function getExecErrorMessage(err) {
+  if (err && typeof err === "object" && "stderr" in err) {
+    const stderr = err.stderr;
+    if (Buffer.isBuffer(stderr)) return stderr.toString("utf-8").trim();
+    if (typeof stderr === "string") return stderr.trim();
+  }
+  return err instanceof Error ? err.message : String(err);
 }
-function gitRun(args) {
-  execFileSync("git", args, { stdio: "pipe" });
+function hasGitRemote(cwd) {
+  try {
+    return gitOut(["remote"], cwd).trim().length > 0;
+  } catch {
+    return false;
+  }
 }
+function countLocalCommits(cwd) {
+  try {
+    const out = gitOut(["rev-list", "--count", "HEAD"], cwd).trim();
+    return parseInt(out, 10) || 0;
+  } catch {
+    return 0;
+  }
+}
+
+// src/commands/save.ts
 function formatDefaultCommitMessage(date = /* @__PURE__ */ new Date()) {
   const y = date.getFullYear();
   const m = String(date.getMonth() + 1).padStart(2, "0");
@@ -2864,24 +3057,49 @@ function statusIcon(code) {
   return "\u{1F4C4}";
 }
 async function save() {
-  console.log(chalk11.bold(`
+  console.log(chalk12.bold(`
 \u{1F4BE} ${t("save.title")}`));
-  console.log(chalk11.gray("\u2500".repeat(40)));
+  console.log(chalk12.gray("\u2500".repeat(40)));
+  let gitRoot;
   try {
-    execSync2("git rev-parse --is-inside-work-tree", { stdio: "pipe" });
+    execFileSync2("git", ["rev-parse", "--is-inside-work-tree"], { stdio: "pipe" });
+    gitRoot = getGitRoot();
   } catch {
-    console.log(chalk11.red(`\u274C ${t("save.notGitRepo")}`));
+    console.log(chalk12.red(`\u274C ${t("save.notGitRepo")}`));
     return;
   }
-  const status2 = gitOut(["status", "--porcelain"]).trim();
-  if (!status2) {
-    console.log(chalk11.yellow(`\u{1F4ED} ${t("save.noChanges")}`));
+  console.log(chalk12.cyan(`
+\u{1F512} ${t("save.securityWarnHeader")}`));
+  printSecurityWarnings(gitRoot);
+  const severe = filterSevereFindings(scanProjectForSecrets(gitRoot).findings);
+  if (severe.length > 0) {
+    console.log(chalk12.red(`
+\u26A0\uFE0F  ${t("save.secretsFound", severe.length)}`));
+    severe.slice(0, 5).forEach((f) => {
+      console.log(chalk12.dim(`   ${f.file}:${f.line} \u2014 ${f.patternName}`));
+    });
+    if (severe.length > 5) {
+      console.log(chalk12.dim(`   ... \uC678 ${severe.length - 5}\uAC74 (vhk \uBCF4\uC548 scan)`));
+    }
+    const { proceed } = await inquirer5.prompt([{
+      type: "confirm",
+      name: "proceed",
+      message: t("save.secretsConfirm"),
+      default: false
+    }]);
+    if (!proceed) {
+      console.log(chalk12.gray(t("save.cancelled")));
+      return;
+    }
+  }
+  const lines = parsePorcelainLines(gitOut(["status", "--porcelain"], gitRoot));
+  if (lines.length === 0) {
+    console.log(chalk12.yellow(`\u{1F4ED} ${t("save.noChanges")}`));
     return;
   }
-  const files = status2.split("\n").filter(Boolean);
-  console.log(chalk11.cyan(`
-\u{1F4CB} ${t("save.filesHeader", files.length)}`));
-  files.forEach((line) => {
+  console.log(chalk12.cyan(`
+\u{1F4CB} ${t("save.filesHeader", lines.length)}`));
+  lines.forEach((line) => {
     const code = line.substring(0, 2);
     const name = line.substring(3);
     console.log(`   ${statusIcon(code)} ${name}`);
@@ -2893,43 +3111,62 @@ async function save() {
     default: formatDefaultCommitMessage()
   }]);
   const spinner = ora(t("save.saving")).start();
+  let didAdd = false;
   try {
-    gitRun(["add", "."]);
-    gitRun(["commit", "-m", message]);
+    gitRun(["add", "."], gitRoot);
+    didAdd = true;
+    gitRun(["commit", "-m", message], gitRoot);
     spinner.text = t("save.pushing");
-    try {
-      gitRun(["push"]);
-      spinner.succeed(t("save.successWithPush"));
-    } catch {
+    if (!hasGitRemote(gitRoot)) {
       spinner.succeed(t("save.successLocal"));
-      console.log(chalk11.yellow(`   \u{1F4A1} ${t("save.noRemote")}`));
+      console.log(chalk12.yellow(`   \u{1F4A1} ${t("save.noRemote")}`));
+    } else {
+      try {
+        gitRun(["push"], gitRoot);
+        spinner.succeed(t("save.successWithPush"));
+      } catch (pushErr) {
+        spinner.fail(t("save.pushFailed"));
+        console.log(chalk12.red(getExecErrorMessage(pushErr)));
+        console.log(chalk12.yellow(`
+\u{1F4A1} ${t("save.commitOkPushFailed")}`));
+        process.exitCode = 1;
+      }
+    }
+    if (process.exitCode !== 1) {
+      console.log(chalk12.green(`
+\u2705 ${t("save.done", lines.length)}`));
+    } else {
+      console.log(chalk12.green(`
+\u2705 ${t("save.doneLocalOnly", lines.length)}`));
     }
-    console.log(chalk11.green(`
-\u2705 ${t("save.done", files.length)}`));
   } catch (err) {
     spinner.fail(t("save.failed"));
-    const msg = err instanceof Error ? err.message : String(err);
-    console.log(chalk11.red(msg));
+    console.log(chalk12.red(getExecErrorMessage(err)));
+    if (didAdd) {
+      try {
+        const staged = gitOut(["diff", "--cached", "--stat"], gitRoot).trim();
+        if (staged) {
+          console.log(chalk12.yellow(`
+\u{1F4A1} ${t("save.stagedAfterFail")}`));
+        }
+      } catch {
+      }
+    }
     process.exitCode = 1;
   }
 }
 
 // src/commands/undo.ts
-import { execFileSync as execFileSync2, execSync as execSync3 } from "child_process";
-import chalk12 from "chalk";
+import { execFileSync as execFileSync3 } from "child_process";
+import chalk13 from "chalk";
 import inquirer6 from "inquirer";
-function gitOut2(args) {
-  return execFileSync2("git", args, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
-}
-function gitRun2(args) {
-  execFileSync2("git", args, { stdio: "pipe" });
-}
 function parseRecentCommits(logOutput) {
   return logOutput.split("\n").map((l) => l.trim()).filter(Boolean);
 }
-function countUnpushedCommits() {
+function countUnpushedCommits(gitRoot) {
+  const cwd = gitRoot ?? process.cwd();
   try {
-    const out = gitOut2(["rev-list", "--count", "@{u}..HEAD"]).trim();
+    const out = gitOut(["rev-list", "--count", "@{u}..HEAD"], cwd).trim();
     return parseInt(out, 10) || 0;
   } catch {
     return -1;
@@ -2939,29 +3176,36 @@ function willUndoPushedCommits(undoCount, unpushedCount) {
   if (unpushedCount < 0) return false;
   return undoCount > unpushedCount;
 }
+function isUndoRisky(undoCount, unpushedCount, hasRemote) {
+  if (willUndoPushedCommits(undoCount, unpushedCount)) return true;
+  if (unpushedCount < 0 && hasRemote) return true;
+  return false;
+}
 async function undo() {
-  console.log(chalk12.bold(`
+  console.log(chalk13.bold(`
 \u23EA ${t("undo.title")}`));
-  console.log(chalk12.gray("\u2500".repeat(40)));
+  console.log(chalk13.gray("\u2500".repeat(40)));
+  let gitRoot;
   try {
-    execSync3("git rev-parse --is-inside-work-tree", { stdio: "pipe" });
+    execFileSync3("git", ["rev-parse", "--is-inside-work-tree"], { stdio: "pipe" });
+    gitRoot = getGitRoot();
   } catch {
-    console.log(chalk12.red(`\u274C ${t("undo.notGitRepo")}`));
+    console.log(chalk13.red(`\u274C ${t("undo.notGitRepo")}`));
     return;
   }
   let logOutput;
   try {
-    logOutput = gitOut2(["log", "--oneline", "-5"]).trim();
+    logOutput = gitOut(["log", "--oneline", "-5"], gitRoot).trim();
   } catch {
-    console.log(chalk12.yellow(`\u{1F4ED} ${t("undo.noCommits")}`));
+    console.log(chalk13.yellow(`\u{1F4ED} ${t("undo.noCommits")}`));
     return;
   }
   const commits = parseRecentCommits(logOutput);
   if (commits.length === 0) {
-    console.log(chalk12.yellow(`\u{1F4ED} ${t("undo.noCommits")}`));
+    console.log(chalk13.yellow(`\u{1F4ED} ${t("undo.noCommits")}`));
     return;
   }
-  console.log(chalk12.cyan(`
+  console.log(chalk13.cyan(`
 ${t("undo.recentHeader")}`));
   commits.forEach((c, i) => {
     console.log(`   ${i === 0 ? "\u{1F449}" : "  "} ${c}`);
@@ -2976,135 +3220,68 @@ ${t("undo.recentHeader")}`));
     max: maxUndo
   }]);
   const undoCount = Math.min(Math.max(1, count || 1), maxUndo);
-  const unpushed = countUnpushedCommits();
-  if (willUndoPushedCommits(undoCount, unpushed)) {
-    console.log(chalk12.red(`
+  const headCount = countLocalCommits(gitRoot);
+  if (undoCount >= headCount) {
+    console.log(chalk13.yellow(`
+\u{1F4ED} ${t("undo.rootCommit")}`));
+    return;
+  }
+  const unpushed = countUnpushedCommits(gitRoot);
+  const remote = hasGitRemote(gitRoot);
+  const risky = isUndoRisky(undoCount, unpushed, remote);
+  if (risky) {
+    if (unpushed < 0) {
+      console.log(chalk13.red(`
+\u26A0\uFE0F  ${t("undo.noUpstreamWarning")}`));
+    } else {
+      console.log(chalk13.red(`
 \u26A0\uFE0F  ${t("undo.alreadyPushed")}`));
+    }
   }
   const { confirm } = await inquirer6.prompt([{
     type: "confirm",
     name: "confirm",
-    message: t("undo.confirmMessage", undoCount),
+    message: risky ? t("undo.confirmRisky", undoCount) : t("undo.confirmMessage"),
     default: false
   }]);
   if (!confirm) {
-    console.log(chalk12.gray(t("undo.cancelled")));
+    console.log(chalk13.gray(t("undo.cancelled")));
     return;
   }
   try {
-    gitRun2(["reset", "--soft", `HEAD~${undoCount}`]);
-    console.log(chalk12.green(`
-\u2705 ${t("undo.success", undoCount)}`));
-    console.log(chalk12.gray(`   \u{1F4A1} ${t("undo.stagedHint")}`));
+    gitRun(["reset", "--soft", `HEAD~${undoCount}`], gitRoot);
+    console.log(chalk13.green(`
+\u2705 ${t("undo.success")}`));
+    console.log(chalk13.gray(`   \u{1F4A1} ${t("undo.stagedHint")}`));
+    if (risky) {
+      console.log(chalk13.yellow(`
+\u{1F4A1} ${t("undo.forcePushHint")}`));
+    }
   } catch (err) {
-    console.log(chalk12.red(`\u274C ${t("undo.failed")}`));
+    console.log(chalk13.red(`\u274C ${t("undo.failed")}`));
     const msg = err instanceof Error ? err.message : String(err);
-    console.log(chalk12.red(msg));
+    console.log(chalk13.red(msg));
     process.exitCode = 1;
   }
 }
 
-// src/commands/diff.ts
-import { execFileSync as execFileSync3, execSync as execSync4 } from "child_process";
-import chalk13 from "chalk";
-function gitOut3(args) {
-  try {
-    return execFileSync3("git", args, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
-  } catch {
-    return "";
-  }
-}
-function parseDiffStat(stat) {
-  const files = [];
-  const lines = stat.split("\n");
-  for (const line of lines) {
-    const match = line.match(/^\s*(.+?)\s*\|\s*(\d+)/);
-    if (!match) continue;
-    const name = match[1].trim();
-    if (name.includes("changed") || name.includes("file")) continue;
-    const plusMatch = line.match(/(\++)/);
-    const minusMatch = line.match(/(\-+)/);
-    files.push({
-      name,
-      additions: plusMatch ? plusMatch[1].length : 0,
-      deletions: minusMatch ? minusMatch[1].length : 0
-    });
-  }
-  return files;
-}
-function summarizeNumstat(numstat) {
-  let totalAdd = 0;
-  let totalDel = 0;
-  let fileCount = 0;
-  for (const line of numstat.split("\n").filter(Boolean)) {
-    const [add, del] = line.split("	");
-    if (add === void 0 || del === void 0) continue;
-    totalAdd += parseInt(add, 10) || 0;
-    totalDel += parseInt(del, 10) || 0;
-    fileCount++;
-  }
-  return { fileCount, totalAdd, totalDel };
-}
-function printFile(f) {
-  const adds = f.additions > 0 ? chalk13.green(`+${f.additions}`) : "";
-  const dels = f.deletions > 0 ? chalk13.red(`-${f.deletions}`) : "";
-  const change = [adds, dels].filter(Boolean).join(" ");
-  console.log(`   ${f.name} ${change}`);
-}
-async function diff() {
-  console.log(chalk13.bold(`
-\u{1F50D} ${t("diff.title")}`));
-  console.log(chalk13.gray("\u2500".repeat(40)));
-  try {
-    execSync4("git rev-parse --is-inside-work-tree", { stdio: "pipe" });
-  } catch {
-    console.log(chalk13.red(`\u274C ${t("diff.notGitRepo")}`));
-    return;
-  }
-  const unstaged = gitOut3(["diff", "--stat"]);
-  const staged = gitOut3(["diff", "--cached", "--stat"]);
-  const untracked = gitOut3(["ls-files", "--others", "--exclude-standard"]);
-  if (!unstaged && !staged && !untracked) {
-    console.log(chalk13.green(`
-\u2705 ${t("diff.noChanges")}`));
-    return;
-  }
-  if (staged) {
-    console.log(chalk13.cyan(`
-${t("diff.stagedHeader")}`));
-    parseDiffStat(staged).forEach((f) => printFile(f));
-  }
-  if (unstaged) {
-    console.log(chalk13.cyan(`
-${t("diff.unstagedHeader")}`));
-    parseDiffStat(unstaged).forEach((f) => printFile(f));
-  }
-  if (untracked) {
-    const files = untracked.split("\n").filter(Boolean);
-    console.log(chalk13.cyan(`
-${t("diff.untrackedHeader", files.length)}`));
-    files.forEach((f) => console.log(`   ${chalk13.green("+")} ${f}`));
-  }
-  const numstat = gitOut3(["diff", "--numstat", "HEAD"]);
-  if (numstat) {
-    const { fileCount, totalAdd, totalDel } = summarizeNumstat(numstat);
-    console.log(chalk13.cyan(`
-${t("diff.summaryHeader")}`));
-    console.log(`   ${t("diff.filesLine", fileCount)}`);
-    console.log(`   \uCD94\uAC00: ${chalk13.green(`+${totalAdd}`)}\uC904`);
-    console.log(`   \uC0AD\uC81C: ${chalk13.red(`-${totalDel}`)}\uC904`);
-  }
-  console.log("");
-}
-
 // src/commands/status.ts
-import { execFileSync as execFileSync4, execSync as execSync5 } from "child_process";
-import fs13 from "fs";
+import { execFileSync as execFileSync4 } from "child_process";
+import fs15 from "fs";
 import path14 from "path";
 import chalk14 from "chalk";
-function gitOut4(args) {
-  return execFileSync4("git", args, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+
+// src/lib/read-json.ts
+import fs14 from "fs";
+function stripBom(text) {
+  return text.charCodeAt(0) === 65279 ? text.slice(1) : text;
+}
+function readJsonFile(filePath) {
+  const raw = stripBom(fs14.readFileSync(filePath, "utf-8"));
+  return JSON.parse(raw);
 }
+
+// src/commands/status.ts
 function countFileChanges(porcelain) {
   const lines = porcelain.split("\n").filter(Boolean);
   let staged = 0;
@@ -3143,9 +3320,9 @@ function parseRecentCommitLines(logOutput) {
 }
 function readProjectPackage(cwd = process.cwd()) {
   const pkgPath = path14.join(cwd, "package.json");
-  if (!fs13.existsSync(pkgPath)) return null;
+  if (!fs15.existsSync(pkgPath)) return null;
   try {
-    const pkg = JSON.parse(fs13.readFileSync(pkgPath, "utf-8"));
+    const pkg = readJsonFile(pkgPath);
     if (!pkg.name && !pkg.version) return null;
     return {
       name: pkg.name ?? "(no name)",
@@ -3155,9 +3332,9 @@ function readProjectPackage(cwd = process.cwd()) {
     return null;
   }
 }
-function getSyncCounts() {
+function getSyncCounts(gitRoot) {
   try {
-    const out = gitOut4(["rev-list", "--left-right", "--count", "HEAD...@{u}"]);
+    const out = gitOut(["rev-list", "--left-right", "--count", "HEAD...@{u}"], gitRoot);
     return parseSyncCounts(out);
   } catch {
     return { ahead: 0, behind: 0, hasUpstream: false };
@@ -3167,24 +3344,26 @@ async function status() {
   console.log(chalk14.bold(`
 \u{1F4CA} ${t("status.title")}`));
   console.log(chalk14.gray("\u2500".repeat(40)));
+  let gitRoot;
   try {
-    execSync5("git rev-parse --is-inside-work-tree", { stdio: "pipe" });
+    execFileSync4("git", ["rev-parse", "--is-inside-work-tree"], { stdio: "pipe" });
+    gitRoot = getGitRoot();
   } catch {
     console.log(chalk14.red(`\u274C ${t("status.notGitRepo")}`));
     return;
   }
   let branch;
   try {
-    branch = gitOut4(["branch", "--show-current"]).trim() || t("status.detached");
+    branch = gitOut(["branch", "--show-current"], gitRoot).trim() || t("status.detached");
   } catch {
     branch = t("status.unknownBranch");
   }
-  const porcelain = gitOut4(["status", "--porcelain"]).trim();
+  const porcelain = normalizePorcelain(gitOut(["status", "--porcelain"], gitRoot));
   const counts = countFileChanges(porcelain);
-  const sync2 = getSyncCounts();
+  const sync2 = getSyncCounts(gitRoot);
   let commits = [];
   try {
-    commits = parseRecentCommitLines(gitOut4(["log", "--oneline", "-3"]).trim());
+    commits = parseRecentCommitLines(gitOut(["log", "--oneline", "-3"], gitRoot).trim());
   } catch {
     commits = [];
   }
@@ -3216,6 +3395,158 @@ async function status() {
   console.log("");
 }
 
+// src/commands/diff.ts
+import { execFileSync as execFileSync5, execSync as execSync2 } from "child_process";
+import chalk15 from "chalk";
+function gitOut2(args) {
+  try {
+    return execFileSync5("git", args, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+  } catch {
+    return "";
+  }
+}
+function parseDiffStat(stat) {
+  const files = [];
+  const lines = stat.split("\n");
+  for (const line of lines) {
+    const match = line.match(/^\s*(.+?)\s*\|\s*(\d+)/);
+    if (!match) continue;
+    const name = match[1].trim();
+    if (name.includes("changed") || name.includes("file")) continue;
+    const plusMatch = line.match(/(\++)/);
+    const minusMatch = line.match(/(\-+)/);
+    files.push({
+      name,
+      additions: plusMatch ? plusMatch[1].length : 0,
+      deletions: minusMatch ? minusMatch[1].length : 0
+    });
+  }
+  return files;
+}
+function summarizeNumstat(numstat) {
+  let totalAdd = 0;
+  let totalDel = 0;
+  let fileCount = 0;
+  for (const line of numstat.split("\n").filter(Boolean)) {
+    const [add, del] = line.split("	");
+    if (add === void 0 || del === void 0) continue;
+    totalAdd += parseInt(add, 10) || 0;
+    totalDel += parseInt(del, 10) || 0;
+    fileCount++;
+  }
+  return { fileCount, totalAdd, totalDel };
+}
+function printFile(f) {
+  const adds = f.additions > 0 ? chalk15.green(`+${f.additions}`) : "";
+  const dels = f.deletions > 0 ? chalk15.red(`-${f.deletions}`) : "";
+  const change = [adds, dels].filter(Boolean).join(" ");
+  console.log(`   ${f.name} ${change}`);
+}
+async function diff() {
+  console.log(chalk15.bold(`
+\u{1F50D} ${t("diff.title")}`));
+  console.log(chalk15.gray("\u2500".repeat(40)));
+  try {
+    execSync2("git rev-parse --is-inside-work-tree", { stdio: "pipe" });
+  } catch {
+    console.log(chalk15.red(`\u274C ${t("diff.notGitRepo")}`));
+    return;
+  }
+  const unstaged = gitOut2(["diff", "--stat"]);
+  const staged = gitOut2(["diff", "--cached", "--stat"]);
+  const untracked = gitOut2(["ls-files", "--others", "--exclude-standard"]);
+  if (!unstaged && !staged && !untracked) {
+    console.log(chalk15.green(`
+\u2705 ${t("diff.noChanges")}`));
+    return;
+  }
+  if (staged) {
+    console.log(chalk15.cyan(`
+${t("diff.stagedHeader")}`));
+    parseDiffStat(staged).forEach((f) => printFile(f));
+  }
+  if (unstaged) {
+    console.log(chalk15.cyan(`
+${t("diff.unstagedHeader")}`));
+    parseDiffStat(unstaged).forEach((f) => printFile(f));
+  }
+  if (untracked) {
+    const files = untracked.split("\n").filter(Boolean);
+    console.log(chalk15.cyan(`
+${t("diff.untrackedHeader", files.length)}`));
+    files.forEach((f) => console.log(`   ${chalk15.green("+")} ${f}`));
+  }
+  const numstat = gitOut2(["diff", "--numstat", "HEAD"]);
+  if (numstat) {
+    const { fileCount, totalAdd, totalDel } = summarizeNumstat(numstat);
+    console.log(chalk15.cyan(`
+${t("diff.summaryHeader")}`));
+    console.log(`   ${t("diff.filesLine", fileCount)}`);
+    console.log(`   \uCD94\uAC00: ${chalk15.green(`+${totalAdd}`)}\uC904`);
+    console.log(`   \uC0AD\uC81C: ${chalk15.red(`-${totalDel}`)}\uC904`);
+  }
+  console.log("");
+}
+
+// src/lib/nlp-run.ts
+async function dispatchNlpRoute(route, input) {
+  switch (route.command) {
+    case "gate":
+      return gate();
+    case "init":
+      return init({
+        skipGate: route.args?.includes("--skip-gate"),
+        fromNotion: route.args?.includes("--from-notion") ? extractNotionUrl(input) : void 0
+      });
+    case "recap":
+      return recap({});
+    case "sync":
+      return sync();
+    case "check":
+      return check();
+    case "secure":
+      return secure();
+    case "ship":
+      return ship();
+    case "doctor":
+      return doctor();
+    case "save":
+      return save();
+    case "undo":
+      return undo();
+    case "status":
+      return status();
+    case "diff":
+      return diff();
+  }
+}
+async function runNaturalLanguageRoute(input) {
+  const route = routeNaturalLanguage(input);
+  if (!route) {
+    console.log(chalk16.yellow(`
+  \u2753 "${input}" \u2014 ${ko.nlp.notMatched}
+`));
+    return;
+  }
+  console.log("");
+  console.log(chalk16.cyan(`  \u{1F4AC} "${input}"`));
+  console.log(chalk16.cyan(`  \u2192 ${route.explanation}`));
+  if (route.confidence === "low") {
+    const { confirm } = await inquirer7.prompt([{
+      type: "confirm",
+      name: "confirm",
+      message: `${route.explanation} \u2014 ${ko.nlp.matched}`,
+      default: true
+    }]);
+    if (!confirm) {
+      console.log(chalk16.dim(`  ${ko.nlp.menuHint}`));
+      return;
+    }
+  }
+  console.log("");
+  await dispatchNlpRoute(route, input);
+}
+
 // src/index.ts
 var program = new Command();
 var defaultHelp = new Help();
@@ -3233,7 +3564,7 @@ var KO_ALIASES = {
   status: "\uC0C1\uD0DC",
   diff: "\uBCC0\uACBD"
 };
-program.name("vhk").description("VHK \u2014 \uBC14\uC774\uBE0C\uCF54\uB529 \uD504\uB85C\uC81D\uD2B8 \uCF54\uCE58 (\uD55C\uAD6D\uC5B4\uB85C \uC548\uB0B4\uD569\uB2C8\uB2E4)").version("0.5.0");
+program.name("vhk").description("VHK \u2014 \uBC14\uC774\uBE0C\uCF54\uB529 \uD504\uB85C\uC81D\uD2B8 \uCF54\uCE58 (\uD55C\uAD6D\uC5B4\uB85C \uC548\uB0B4\uD569\uB2C8\uB2E4)").version("0.5.2");
 program.configureHelp({
   formatHelp(cmd, helper) {
     if (cmd.parent) {
@@ -3259,7 +3590,7 @@ program.command("init").alias("\uC2DC\uC791").alias("\uB9CC\uB4E4\uAE30").descri
 program.command("recap").alias("\uC815\uB9AC").alias("\uC624\uB298").description("\uC624\uB298 \uD55C \uC77C \uC815\uB9AC + ADR/\uD2B8\uB7EC\uBE14\uC288\uD305 \uC790\uB3D9 \uBD84\uB9AC").option("--since <date>", "\uBD84\uC11D \uC2DC\uC791\uC77C (YYYY-MM-DD)").action(recap);
 program.command("sync").alias("\uB9DE\uCD94\uAE30").alias("\uADDC\uCE59").description("RULES.md \u2192 .cursorrules + CLAUDE.md \uB3D9\uAE30\uD654").action(sync);
 program.command("check").alias("\uC810\uAC80").alias("\uB9B0\uD2B8").description("RULES.md \uADDC\uCE59 \uC810\uAC80 \u2014 \uCF54\uB4DC \uC704\uBC18 \uAC80\uC0AC").action(check);
-var secureCmd = program.command("secure").alias("\uBCF4\uC548").description("\uBCF4\uC548 \uB3C4\uAD6C \uBAA8\uC74C");
+var secureCmd = program.command("secure").alias("\uBCF4\uC548").description("\uBCF4\uC548 \uB3C4\uAD6C \uBAA8\uC74C \u2014 scan: \uC2DC\uD06C\uB9BF\xB7\uD0A4 \uC720\uCD9C \uAC80\uC0AC").action(secure);
 secureCmd.command("scan").alias("\uC2A4\uCE94").description("\uC2DC\uD06C\uB9BF/\uD0A4 \uC720\uCD9C \uC2A4\uCE94").action(secure);
 program.command("ship").alias("\uBC30\uD3EC").alias("\uB9B4\uB9AC\uC988").description("\uBC30\uD3EC \uCCB4\uD06C\uB9AC\uC2A4\uD2B8 + \uD68C\uACE0 + \uBE4C\uB4DC \uB85C\uADF8 \uC0DD\uC131").action(ship);
 program.command("doctor").alias("\uD658\uACBD").alias("\uC9C4\uB2E8").description("\uAC1C\uBC1C \uD658\uACBD \uC810\uAC80 \u2014 Node/Git/npm \uC0C1\uD0DC \uD655\uC778").action(doctor);
@@ -3274,62 +3605,14 @@ program.command("status").alias("\uC0C1\uD0DC").description("\uD504\uB85C\uC81D\
 });
 program.command("diff").alias("\uBCC0\uACBD").alias("\uCC28\uC774").description("Git \uBCC0\uACBD\uC0AC\uD56D \uD55C\uAD6D\uC5B4 \uC694\uC57D (staged / unstaged / \uC0C8 \uD30C\uC77C)").action(diff);
 program.on("command:*", async (operands) => {
-  const input = operands.join(" ");
-  const route = routeNaturalLanguage(input);
-  if (route) {
-    console.log("");
-    console.log(chalk15.cyan(`  \u{1F4AC} "${input}"`));
-    console.log(chalk15.cyan(`  \u2192 ${route.explanation}`));
-    if (route.confidence === "low") {
-      const { confirm } = await inquirer7.prompt([{
-        type: "confirm",
-        name: "confirm",
-        message: `${route.explanation} \u2014 ${ko.nlp.matched}`,
-        default: true
-      }]);
-      if (!confirm) {
-        console.log(chalk15.dim(`  ${ko.nlp.menuHint}`));
-        return;
-      }
-    }
-    console.log("");
-    switch (route.command) {
-      case "gate":
-        return gate();
-      case "init":
-        return init({
-          skipGate: route.args?.includes("--skip-gate"),
-          fromNotion: route.args?.includes("--from-notion") ? extractNotionUrl(input) : void 0
-        });
-      case "recap":
-        return recap({});
-      case "sync":
-        return sync();
-      case "check":
-        return check();
-      case "secure":
-        return secure();
-      case "ship":
-        return ship();
-      case "doctor":
-        return doctor();
-      case "save":
-        return save();
-      case "undo":
-        return undo();
-      case "status":
-        return status();
-      case "diff":
-        return diff();
-    }
-  }
-  console.log(chalk15.yellow(`
-  \u2753 "${input}" \u2014 ${ko.nlp.notMatched}
-`));
+  const unknown = operands[0] ?? "";
+  const rest = operands.slice(1);
+  const input = [unknown, ...rest].join(" ").trim();
+  await runNaturalLanguageRoute(input);
 });
 program.action(async () => {
   console.log("\n\u{1F3AF} VHK \u2014 \uBC14\uC774\uBE0C\uCF54\uB529 \uD504\uB85C\uC81D\uD2B8 \uCF54\uCE58\n");
-  const { choice } = await inquirer7.prompt([{
+  const { choice } = await inquirer8.prompt([{
     type: "list",
     name: "choice",
     message: "\uBB58 \uB3C4\uC640\uB4DC\uB9B4\uAE4C\uC694?",
@@ -3375,4 +3658,9 @@ program.action(async () => {
       return diff();
   }
 });
-program.parse();
+var nlInput = detectNaturalLanguageInput(process.argv);
+if (nlInput !== null) {
+  await runNaturalLanguageRoute(nlInput);
+} else {
+  await program.parseAsync(process.argv);
+}