@c-d-cc/reap 0.13.0 → 0.13.3

package/README.ja.md

@@ -28,10 +28,10 @@ REAPはアプリケーションの設計知識 — Genome（アーキテクチ
 - [なぜREAPか？](#なぜreapか)
 - [インストール](#インストール)
 - [クイックスタート](#クイックスタート)
-- [ライフサイクル](#ライフサイクル)
-- [コアコンセプト](#コアコンセプト)
+- [ライフサイクル](#ライフサイクル-)
+- [コアコンセプト](#コアコンセプト-)
 - [分散ワークフロー — 並行開発](#分散ワークフロー--並行開発)
-- [CLIコマンド](#cliコマンド)
+- [CLIコマンド](#cliコマンド-)
 - [エージェント連携](#エージェント連携)
 - [`reap init`後のプロジェクト構造](#reap-init後のプロジェクト構造)
 - [系譜圧縮（Lineage Compression）](#系譜圧縮lineage-compression)
@@ -60,6 +60,8 @@ REAPは**世代ベースの進化モデル**でこれらの問題を解決しま
 
 ## インストール
 
+> **グローバルインストール必須。** REAPはCLIツールであり、グローバルにインストールする必要があります。ローカルプロジェクトレベルのインストール（`npm i @c-d-cc/reap`）はブロックされます。
+
 ```bash
 # npm
 npm install -g @c-d-cc/reap
@@ -240,6 +242,24 @@ REAPはスラッシュコマンドとセッションフックを通じてAIエ
 
 v0.11.0より、28個のスラッシュコマンドが**1行`.md`ラッパー + TypeScriptスクリプト**構造に移行しました。各`.md`ファイルは`reap run <cmd>`を呼び出し、TSスクリプト（`src/cli/commands/run/`）がすべての決定論的ロジックを処理して、AIエージェントにstructured JSONで指示します。一貫性とテスト容易性が大幅に向上しました。
 
+### 署名ベースロック（Signature-Based Locking） [↗](https://reap.cc/docs/advanced)
+
+REAPは暗号学的nonceチェーンを使用してステージの順序を強制します。ステージコマンドが実行されると、スクリプトがワンタイムnonceを生成し、そのハッシュを`current.yml`に保存して、nonceをAIエージェントに返します。`/reap.next`はこのnonceがなければ進行できず、なければ拒否されます。
+
+```
+Stage Command          current.yml              /reap.next
+─────────────          ───────────              ──────────
+nonce生成 ────────────→ hash(nonce)を保存
+AIにnonce返却                              ←── AIがnonceを渡す
+                                               hash(nonce)を検証
+                                               ✓ ステージ前進
+```
+
+これにより以下を防止します：
+- **ステージのスキップ** — 実行されていないステージには有効なnonceが存在しない
+- **トークンの偽造** — ハッシュは一方向であり、ハッシュからnonceを推測することは不可能
+- **古いnonceの再利用** — 各nonceはワンタイムで、現在のステージにバインドされている
+
 ### autoSubagentモード
 
 `/reap.evolve`実行時、自動的にsubagentにGenerationライフサイクル全体を委任できます：

package/README.ko.md

@@ -29,7 +29,7 @@ REAP은 Application의 설계 지식 — Genome(아키텍처, 컨벤션, 제약
 - [설치](#설치)
 - [빠른 시작](#빠른-시작)
 - [생애주기 (Life Cycle)](#생애주기-life-cycle)
-- [핵심 개념](#핵심-개념)
+- [핵심 개념](#핵심-개념-)
 - [분산 워크플로우 — 병렬 개발](#분산-워크플로우--병렬-개발)
 - [CLI 명령어](#cli-명령어)
 - [에이전트 연동](#에이전트-연동)
@@ -60,6 +60,8 @@ REAP은 **세대 기반 진화 모델**로 이 문제들을 해결합니다:
 
 ## 설치
 
+> **글로벌 설치 필수.** REAP은 CLI 도구이며 반드시 글로벌로 설치해야 합니다. 로컬 프로젝트 레벨 설치(`npm i @c-d-cc/reap`)는 차단됩니다.
+
 ```bash
 # npm
 npm install -g @c-d-cc/reap
@@ -240,6 +242,24 @@ REAP은 슬래시 커맨드와 세션 훅을 통해 AI 에이전트와 통합됩
 
 v0.11.0부터 28개 슬래시 커맨드가 **1줄 `.md` wrapper + TypeScript 스크립트** 구조로 전환되었습니다. 각 `.md` 파일은 `reap run <cmd>`를 호출하고, TS 스크립트(`src/cli/commands/run/`)가 모든 결정적 로직을 처리하여 AI에게 structured JSON으로 지시합니다. 일관성과 테스트 용이성이 크게 향상되었습니다.
 
+### 서명 기반 잠금 (Signature-Based Locking) [↗](https://reap.cc/docs/advanced)
+
+REAP은 암호학적 nonce 체인을 사용하여 stage 순서를 강제합니다. stage 커맨드가 실행되면 스크립트가 일회용 nonce를 생성하여 해시를 `current.yml`에 저장하고, nonce를 AI 에이전트에게 반환합니다. `/reap.next`는 이 nonce가 있어야 다음 단계로 진행할 수 있으며, 없으면 진행이 거부됩니다.
+
+```
+Stage Command          current.yml              /reap.next
+─────────────          ───────────              ──────────
+nonce 생성 ──────────→ hash(nonce) 저장
+AI에게 nonce 반환                          ←── AI가 nonce 전달
+                                               hash(nonce) 검증
+                                               ✓ stage 전진
+```
+
+이를 통해 방지하는 것:
+- **Stage 건너뛰기** — 실행되지 않은 stage에는 유효한 nonce가 존재하지 않음
+- **토큰 위조** — 해시는 단방향이므로 해시에서 nonce를 추측할 수 없음
+- **이전 nonce 재사용** — 각 nonce는 일회용이며 현재 stage에 바인딩됨
+
 ### autoSubagent 모드
 
 `/reap.evolve` 실행 시 자동으로 subagent에게 Generation lifecycle 전체를 위임할 수 있습니다:

package/README.md

@@ -28,13 +28,13 @@ REAP captures an application's design knowledge — the Genome (architecture, co
 - [Why REAP?](#why-reap)
 - [Installation](#installation)
 - [Quick Start](#quick-start)
-- [Life Cycle](#life-cycle)
-- [Core Concepts](#core-concepts)
-- [Distributed Workflow for Parallel Development](#distributed-workflow-for-parallel-development)
-- [CLI Commands](#cli-commands)
+- [Life Cycle](#life-cycle-)
+- [Core Concepts](#core-concepts-)
+- [Distributed Workflow](#distributed-workflow-)
+- [CLI Commands](#cli-commands-)
 - [Agent Integration](#agent-integration)
 - [Project Structure](#project-structure-after-reap-init)
-- [Lineage Compression](#lineage-compression)
+- [Lineage Compression](#lineage-compression-)
 - [Evolution Flow](#evolution-flow)
 - [Presets](#presets)
 - [Entry Modes](#entry-modes)
@@ -60,6 +60,8 @@ REAP solves these with a **generation-based evolution model**:
 
 ## Installation
 
+> **Global installation required.** REAP is a CLI tool and must be installed globally. Local project-level installation (`npm i @c-d-cc/reap`) is blocked.
+
 ```bash
 # npm
 npm install -g @c-d-cc/reap
@@ -239,6 +241,24 @@ REAP integrates with AI agents through slash commands and session hooks. Current
 
 Since v0.11.0, all 28 slash commands follow a **1-line `.md` wrapper + TypeScript script** pattern. Each `.md` file simply calls `reap run <cmd>`, and the TS script (`src/cli/commands/run/`) handles all deterministic logic — returning structured JSON instructions for the AI agent. This ensures consistency and testability.
 
+### Signature-Based Locking [↗](https://reap.cc/docs/advanced)
+
+REAP uses a cryptographic nonce chain to enforce stage ordering. When a stage command runs, the script generates a one-time nonce, stores its hash in `current.yml`, and returns the nonce to the AI agent. `/reap.next` requires this nonce to advance — without it, progression is rejected.
+
+```
+Stage Command          current.yml              /reap.next
+─────────────          ───────────              ──────────
+generate nonce ──────→ store hash(nonce)
+return nonce to AI                         ←── AI passes nonce
+                                               verify hash(nonce)
+                                               ✓ advance stage
+```
+
+This prevents:
+- **Skipping stages** — no valid nonce exists for stages that were not executed
+- **Forging tokens** — the hash is one-way; guessing the nonce from the hash is infeasible
+- **Replaying old nonces** — each nonce is single-use and bound to the current stage
+
 ### autoSubagent Mode
 
 When `/reap.evolve` is run, REAP can automatically delegate the entire generation lifecycle to a subagent. This is controlled by:

package/README.zh-CN.md

@@ -28,10 +28,10 @@ REAP记录应用程序的设计知识 — Genome（架构、约定、约束）
 - [为什么选择REAP？](#为什么选择reap)
 - [安装](#安装)
 - [快速开始](#快速开始)
-- [生命周期](#生命周期)
-- [核心概念](#核心概念)
+- [生命周期](#生命周期-)
+- [核心概念](#核心概念-)
 - [分布式工作流 — 并行开发](#分布式工作流--并行开发)
-- [CLI命令](#cli命令)
+- [CLI命令](#cli命令-)
 - [代理集成](#代理集成)
 - [`reap init`后的项目结构](#reap-init后的项目结构)
 - [谱系压缩（Lineage Compression）](#谱系压缩lineage-compression)
@@ -60,6 +60,8 @@ REAP通过**基于世代的进化模型**解决这些问题：
 
 ## 安装
 
+> **必须全局安装。** REAP是CLI工具，必须全局安装。本地项目级安装（`npm i @c-d-cc/reap`）将被阻止。
+
 ```bash
 # npm
 npm install -g @c-d-cc/reap
@@ -240,6 +242,24 @@ REAP通过斜杠命令和会话钩子与AI代理集成。当前支持的代理
 
 从v0.11.0开始，28个斜杠命令全部采用**1行`.md` wrapper + TypeScript脚本**模式。每个`.md`文件仅调用`reap run <cmd>`，TS脚本（`src/cli/commands/run/`）处理所有确定性逻辑，以structured JSON形式指示AI代理。大幅提升了一致性和可测试性。
 
+### 签名锁定（Signature-Based Locking） [↗](https://reap.cc/docs/advanced)
+
+REAP使用加密nonce链来强制执行阶段顺序。当阶段命令运行时，脚本生成一次性nonce，将其哈希存储在`current.yml`中，并将nonce返回给AI代理。`/reap.next`需要此nonce才能推进 — 没有它，推进将被拒绝。
+
+```
+Stage Command          current.yml              /reap.next
+─────────────          ───────────              ──────────
+生成nonce ────────────→ 存储hash(nonce)
+将nonce返回给AI                            ←── AI传递nonce
+                                               验证hash(nonce)
+                                               ✓ 阶段推进
+```
+
+这可以防止：
+- **跳过阶段** — 未执行的阶段不存在有效的nonce
+- **伪造令牌** — 哈希是单向的，从哈希推测nonce是不可行的
+- **重放旧nonce** — 每个nonce是一次性的，绑定到当前阶段
+
 ### autoSubagent模式
 
 执行`/reap.evolve`时，可自动将整个Generation生命周期委托给subagent：

package/dist/cli.js

@@ -13619,7 +13619,7 @@ async function runCommand(command, phase, argv = []) {
     try {
       const config = await ConfigManager.read(paths);
       if (config.autoIssueReport) {
-        const version = "0.13.0";
+        const version = "0.13.3";
         const errMsg = err instanceof Error ? err.message : String(err);
         const title = `[auto] reap run ${command}: ${errMsg.slice(0, 80)}`;
         const body = [
@@ -14205,7 +14205,7 @@ async function initProject(projectRoot, projectName, entryMode, preset, onProgre
   }
   const detectedLanguage = await AgentRegistry.readLanguage();
   const config = {
-    version: "0.13.0",
+    version: "0.13.3",
     project: projectName,
     entryMode,
     strict: false,
@@ -14804,7 +14804,7 @@ async function updateProject(projectRoot, dryRun = false) {
       result.skipped.push(`.claude/commands/ (${reapCmdFiles.length} unchanged)`);
     }
     await migrateLegacyFiles(paths, dryRun, result);
-    const currentVersion = "0.13.0";
+    const currentVersion = "0.13.3";
     const migrationResult = await MigrationRunner.run(paths, currentVersion, dryRun);
     for (const m of migrationResult.migrated) {
       result.updated.push(`[migration] ${m}`);
@@ -15002,7 +15002,7 @@ init_fs();
 init_version();
 init_config();
 import { join as join26 } from "path";
-program.name("reap").description("REAP — Recursive Evolutionary Autonomous Pipeline").version("0.13.0");
+program.name("reap").description("REAP — Recursive Evolutionary Autonomous Pipeline").version("0.13.3");
 program.command("init").description("Initialize a new REAP project (Genesis)").argument("[project-name]", "Project name (defaults to current directory name)").option("-m, --mode <mode>", "Entry mode: greenfield, migration, adoption", "greenfield").option("-p, --preset <preset>", "Bootstrap with a genome preset (e.g., bun-hono-react)").action(async (projectName, options) => {
   try {
     const cwd = process.cwd();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@c-d-cc/reap",
-  "version": "0.13.0",
+  "version": "0.13.3",
   "description": "Recursive Evolutionary Autonomous Pipeline — AI and humans evolve software across generations",
   "type": "module",
   "license": "MIT",
@@ -24,14 +24,17 @@
   },
   "files": [
     "dist/",
-    "scripts/postinstall.cjs"
+    "scripts/postinstall.cjs",
+    "scripts/preinstall.cjs"
   ],
+  "preferGlobal": true,
   "engines": {
     "node": ">=18"
   },
   "scripts": {
     "dev": "bun run src/cli/index.ts",
     "build": "node scripts/build.js",
+    "preinstall": "node scripts/preinstall.cjs",
     "postinstall": "node scripts/postinstall.cjs",
     "prepublishOnly": "npm run build",
     "test": "bun test"

package/scripts/postinstall.cjs

@@ -10,6 +10,14 @@ const { join, dirname } = require("path");
 const { homedir } = require("os");
 
 try {
+  // Warn if installed locally instead of globally
+  const isGlobal = process.env.npm_config_global === "true"
+    || (process.env.npm_config_prefix && !process.env.npm_config_prefix.includes("node_modules"));
+  if (!isGlobal) {
+    console.warn("\n  ⚠ @c-d-cc/reap is a CLI tool and should be installed globally:");
+    console.warn("    npm install -g @c-d-cc/reap\n");
+  }
+
   // Resolve commands source: dist/templates/commands/ relative to this script
   const commandsSource = join(dirname(__dirname), "dist", "templates", "commands");
   if (!existsSync(commandsSource)) {

package/scripts/preinstall.cjs

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * preinstall — block local (non-global) installation.
+ * REAP is a CLI tool and must be installed globally.
+ * Skipped in CI and development environments.
+ */
+const isCi = process.env.CI === "true" || process.env.GITHUB_ACTIONS === "true";
+const isDev = process.env.npm_command === "install" && process.cwd().includes("reap");
+if (!isCi && !isDev && process.env.npm_config_global !== "true") {
+  console.error("\n  ✗ @c-d-cc/reap is a CLI tool. Install globally:\n    npm install -g @c-d-cc/reap\n");
+  process.exit(1);
+}