@chrono-meta/fh-gate 1.1.0 → 1.2.0

package/plugins/fh-meta/skills/source-grounding-audit/SKILL.md

@@ -0,0 +1,230 @@
+---
+name: source-grounding-audit
+description: Extracts proper nouns, numerical values, and branching conditions from artifacts (TCs, analysis reports, design documents), back-traces them to declared source files, and marks as Phantom (false) if not found in source. If steel-quench attacks output patterns (self-declarations, cushion language), source-grounding-audit attacks input tracing (where did this come from?). Triggered by "phantom detection", "source back-trace", "source audit", "verify source", "TC evidence tracing", "where did this come from", "grounding audit", "source grounding audit", "phantom claim", "false claim detection".
+user-invocable: true
+allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
+model: sonnet
+---
+
+# source-grounding-audit — Input Tracing Grounding Audit
+
+> Just because an artifact looks plausible doesn't mean it's grounded in source. plausible ≠ grounded.
+
+When AI generates artifacts without reading the source, those artifacts look like domain knowledge but are actually **Phantom Claims** coming from LLM weights. This skill back-traces each claim in the artifact to the declared source to explicitly mark Phantoms.
+
+## Role Separation from steel-quench
+
+| Dimension | steel-quench | source-grounding-audit |
+|---|---|---|
+| **Attack target** | Output patterns (self-declarations, cushion language, reason for existence) | Input tracing (is the claim in the source?) |
+| **Core question** | "Is this structure flawed?" | "Where did this content come from?" |
+| **Activation timing** | All-angle quench just before completion | Immediately after source-based artifact generation or at point of suspicion |
+| **Primary attack vector** | Bus factor, self-reference, platform obsolescence | Phantom Claim, source not read, fabricated branching conditions |
+| **Representative pattern** | "Declaration only, no evidence" | "Number in TC that doesn't exist in source" |
+
+**Can be used together**: steel-quench Wave 1 real-code-based attack + source-grounding-audit Phantom marking can be run sequentially in the same session. But do not mix the roles of the two skills.
+
+---
+
+## Trigger Phrases
+
+| Phrase | Situation |
+|---|---|
+| "phantom detection", "phantom claim", "false claim detection" | Full artifact Phantom scan (primary trigger) |
+| "source back-trace", "source audit" | Analysis report, design document verification |
+| "verify source", "where did this come from" | Suspecting origin of a specific claim |
+| "TC evidence tracing", "TC source verification" | Post-TC-generation source consistency check |
+| "grounding audit", "source grounding audit" | Full artifact Phantom scan |
+| "verify evidence files" | Analysis report, design document verification |
+| `/source-grounding-audit` | Explicit call |
+
+---
+
+## Core Concept — Phantom Claim
+
+**Phantom Claim**: A claim that appears in the artifact but cannot be found in the declared source files.
+
+3 paths through which Phantoms are produced:
+
+| Path | Description | Risk |
+|---|---|:---:|
+| **Source not read** | AI generates artifact using domain knowledge without Read-ing source | S |
+| **Partial reading** | Source partially read, rest filled in with inference | A |
+| **Reconstruction contamination** | Source was read but LLM modified values/conditions during paraphrase | A |
+
+---
+
+## Execution Steps
+
+### Step 0. Confirm Audit Target
+
+If not provided by user, explicitly confirm: artifact file path, declared source files, and audit scope. Source not declared = S-grade blocker registered immediately.
+
+> **Detail**: See `SKILL_detail.md §Step0-Detail` — confirmation output format and simplification guard — read when audit target or source list is ambiguous.
+
+---
+
+### Step 0.5. Claim Distribution Profile
+
+> **Schema**: `knowledge/shared/harness-core/tpa_schema.md` — `phantom_risk` derivation rule, gate trigger conditions, §Gate Routing Table.
+
+Runs after Step 0 (target + source confirmed). Skip if user specifies scope explicitly.
+
+Scan artifact quickly to classify claim distribution:
+
+| Dimension | Signal → Audit depth shift |
+|---|---|
+| `claim_density` | > 10 claims → full Step 1-4 audit; ≤ 3 claims → light (S+A only) |
+| `artifact_type` | SKILL.md/design-doc → prioritize Branch/State-transition claims; code → prioritize Proper-noun/API claims |
+| `risk_level` | external publish / arXiv citations → all claim types, max depth |
+| `source_count` | 0 declared sources → S-grade blocker immediately (skip to Step 3 prescription) |
+| `quantitative_density` | > 3 numerical claims → focus numerical+range types first |
+
+Scope recommendation output:
+```
+Claim types to prioritize: [list]
+Audit depth: [full | prioritized | light]
+Immediate blockers detected: [yes/no — 0 sources = immediate S-grade]
+```
+
+**0-source behavioral rule**: When artifact has 0 declared sources, skip Steps 1-2 entirely and go directly to Step 3 with S-grade blocker: "Source not declared — all claims unverifiable."
+
+---
+
+### Step 1. Claim Extraction (Artifact Scan)
+
+Extract claims from the artifact that require source back-tracing. Claim types: Proper nouns (highest), Numerical/range values (highest), Branching conditions (highest), State transitions (high), Preconditions (high), Actors (medium). Exclude generic test methodology descriptions and generic UI patterns.
+
+> **Detail**: See `SKILL_detail.md §Step1-Detail` — full claim types table with examples, exclude list, and Step 1 output format template — read when deciding which claims to include or format the extraction results.
+
+---
+
+### Step 2. Source Read + Back-Trace
+
+Back-trace each claim to the declared source files using Read + Grep directly — no inference judgment. Partial match is not treated as match.
+
+Back-tracing classification:
+
+| Classification | Criteria | Marking |
+|---|---|:---:|
+| **Grounded** | Claim directly confirmed in source | ✅ |
+| **Partial** | Similar content in source but not exact match — needs re-confirmation | ⚠️ |
+| **Phantom** | Cannot be found in source | ❌ |
+| **Source-Missing** | Source itself cannot be Read or was not declared | 🔴 |
+
+> **Detail**: See `SKILL_detail.md §Step2-Detail` — back-tracing execution procedure, classification decision rules, and Step 2 output format template — read when handling edge cases or formatting results.
+
+---
+
+### Step 3. Phantom Classification + Prescription
+
+Classify Phantom and Partial claims by severity and provide prescriptions.
+
+**Severity classification criteria**:
+
+| Severity | Criteria | Examples |
+|:---:|---|---|
+| **S** (Immediate blocker) | If this claim is wrong, TC could Pass-judge incorrect behavior | Monetary boundary values, branching conditions, status values |
+| **A** (Must fix) | If this claim is wrong, TC cannot execute or runs wrong path | API endpoint names, field names, preconditions |
+| **B** (Improvement recommended) | If this claim is wrong, TC can execute but intent may differ | Descriptive text, non-critical names |
+
+Prescriptions: (1) Source Re-read — precisely re-read the relevant source section and fix; (2) Request source specification — when source doesn't exist or wasn't declared; (3) Delete/rewrite — delete claims without source grounding and rewrite from source.
+
+> **Detail**: See `SKILL_detail.md §Step3-Detail` — prescription procedures and Step 3 output format template — read when writing the classification table or applying a prescription.
+
+**S-grade Immediate Human Gate** — if 1+ S-grade Phantoms found, pause before Step 4/5 and surface:
+
+```
+⚠️  source-grounding-audit: N S-grade Phantom(s) found:
+  - [claim 1 — one-line summary, location]
+  - [claim 2 — one-line summary, location]
+
+Options:
+  (a) Continue — AI proceeds to Step 4 pattern diagnosis + Step 5 re-audit
+  (b) Human review first — inspect Phantoms directly, then proceed
+  (c) Abort — fix sources manually and re-run audit
+
+Waiting for input. (Default: a)
+```
+
+Rationale: S-grade Phantoms that enter Step 5 re-audit without human review risk LLM reconstruction contamination — the same pattern that originally produced the Phantoms can "verify" its own fixes. Human review at this threshold breaks the loop.
+
+---
+
+### Step 4. Source Not-Read Pattern Detection (Meta Diagnosis)
+
+Analyze Phantom distribution to diagnose structural problems in the artifact generation process. Reveal "why were these Phantoms produced", not just "this TC is wrong".
+
+**Pattern detection criteria**:
+
+| Pattern | Detection Condition | Meaning |
+|---|---|---|
+| **Source not read** | 3+ Phantoms and no or partial source Read history | AI generated using domain knowledge without reading source |
+| **Partial reading contamination** | Partial items exceed 30% of total | AI read source partially and filled rest with inference |
+| **Reconstruction modification** | Source value exists but unit/format/range modified in TC | LLM paraphrase process contamination |
+| **Source declaration absent** | Source file not specified when generating artifact | Process design stage problem |
+
+**Simplification guard**: If 0 Phantoms, skip Step 4 entirely. Replace with one line: "Source grounding adequate."
+
+> **Detail**: See `SKILL_detail.md §Step4-Detail` — Step 4 output format template — read when writing the pattern diagnosis section.
+
+---
+
+### Step 5. Post-Fix Re-audit (Optional)
+
+Re-run back-trace for S-grade blocker claims after fixes are complete. Activate when 1+ S-grade blockers exist and fix is immediately possible.
+
+**Done When (re-audit)**: Back-trace results for fixed claims all show Grounded (✅) status.
+
+---
+
+## Completion Declaration Format
+
+> **Template**: See `SKILL_detail.md §Report-Template` — full completion declaration format — read when producing the final audit summary.
+
+---
+
+## Connected Skills
+
+| Situation | Connected Skill |
+|---|---|
+| Simultaneously verify output patterns (self-declarations, cushion language) | `/steel-quench` Wave 1 "real-use verification" angle |
+| Re-verify Phantom patterns from external user perspective | `/sim-conductor Area A` |
+| Source not-read is a harness structure problem | `/harness-doctor` |
+| Phantom pattern is a candidate for new rule items | `fh-meta:persona-innovator` |
+| Redesign the artifact generation prompt itself | `/meta-prompt-builder` |
+
+---
+
+## External User Environment Adaptation
+
+This skill can be used independently without the full meta-harness structure.
+
+**How to declare source files**: When generating artifacts, specify "source: [file path list]", or provide source files when invoking this skill.
+
+**External environment fallback**:
+- If no `tracks/_meta/` → skip persistence step
+- If no project-specific rules (like PFD) → output Phantom pattern summary only
+
+---
+
+## Done When
+
+```
+Step 1 claim extraction complete
++ Step 2 all claims back-traced (using Read tool — no inference judgment)
++ Step 3 Phantom severity classification + prescription output
++ Step 4 process pattern diagnosis complete (skip if 0 Phantoms)
++ "source-grounding-audit Complete" declaration output
+```
+
+Verdict: PASS (0 Phantom claims) | CONDITIONAL_PASS (LOW-severity Phantoms only, prescriptions noted) | FAIL (1+ HIGH/MEDIUM Phantom — broken path, phantom file, or stale external link) | ESCALATE (scope unclear or claim extraction impossible)
+
+---
+
+## Operating Notes
+
+- **Never back-trace by inference**: Judging "this value is probably in the source" treats it as Partial not Phantom. Always directly confirm with Read + Grep.
+- **Partial is not Grounded**: Processing similar-value-in-source as Grounded misses the reconstruction modification pattern.
+- **Source not declared itself is S-grade**: If source is not declared when making an artifact, no claim can subsequently be verified. Recommend mandating source declaration in the process design stage.
+- **Recommended to use with steel-quench**: steel-quench quenches structural flaws, source-grounding-audit ensures source consistency. The two skills are orthogonal and artifact quality assurance is strengthened when used together.

package/plugins/fh-meta/skills/source-grounding-audit/SKILL_detail.md

@@ -0,0 +1,182 @@
+# source-grounding-audit — Execution Detail
+
+On-demand reference. Load the section indicated by the pointer in SKILL.md.
+
+---
+
+## §Step0-Detail
+
+**Step 0 — Audit Target Confirmation**
+
+If not provided by user, explicitly confirm all three items:
+
+1. **Artifact file**: Path to audit target file (TC file, analysis report, design document, etc.)
+2. **Declared source files**: List of source file paths that should be the basis for artifact generation
+3. **When source not declared**: Source not declared itself is registered as an S-grade blocker
+
+Output format:
+
+```
+Audit target:
+  Artifact: {file path}
+  Declared source: {file path list or "not declared"}
+  Audit scope: {full / specific section / specific claim type}
+```
+
+**Simplification guard**: If source is clear and audit scope is single section, skip Step 0 output and go straight to Step 1.
+
+---
+
+## §Step1-Detail
+
+**Step 1 — Claim Extraction Full Reference**
+
+**Claim types to extract**:
+
+| Type | Examples | Priority |
+|---|---|:---:|
+| **Proper nouns** | API endpoint names, field names, status values, screen names | Highest |
+| **Numerical/range values** | Amounts, time, ratios, counts, thresholds | Highest |
+| **Branching conditions** | if/else branches, exception cases, error codes | Highest |
+| **State transitions** | Conditions for A state → B state, allowed/forbidden combinations | High |
+| **Preconditions** | "only when ~", "when ~ is active" | High |
+| **Actors** | System, user, external API role distinctions | Medium |
+
+**Exclude from extraction** (no source back-tracing needed):
+- General test methodology descriptions ("using boundary value analysis")
+- Generic UI patterns ("click button then verify result")
+
+**Step 1 output format**:
+
+```
+## Step 1 — Claim Extraction Results
+
+| # | Claim | Type | Location (artifact file:line) |
+|:---:|---|:---:|---|
+| 1 | [claim content] | Proper noun/Numerical/Branch | [filename:line N] |
+...
+
+Total {N} extracted (Proper nouns N / Numerical N / Branch N / State transition N / Precondition N / Actor N)
+```
+
+---
+
+## §Step2-Detail
+
+**Step 2 — Source Read + Back-Trace Execution Detail**
+
+**Back-tracing principles**:
+- Read source files directly with the Read tool — do not judge from memory or inference
+- Use Grep to confirm exact value, keyword, or pattern match
+- **Partial match is not treated as match** — e.g., if source has "5 minutes" and TC has "300 seconds", treat as requiring separate confirmation
+
+**Classification decision rules**:
+
+| Classification | Criteria | Marking |
+|---|---|:---:|
+| **Grounded** | Claim directly confirmed in source | ✅ |
+| **Partial** | Similar content in source but not exact match — needs re-confirmation | ⚠️ |
+| **Phantom** | Cannot be found in source | ❌ |
+| **Source-Missing** | Source itself cannot be Read or was not declared | 🔴 |
+
+**Step 2 output format**:
+
+```
+## Step 2 — Source Back-Trace Results
+
+| # | Claim | Back-Trace Result | Source Evidence (file:line) | Notes |
+|:---:|---|:---:|---|---|
+| 1 | [claim] | ✅/⚠️/❌/🔴 | [filename:line N or "none"] | [modifications, etc.] |
+...
+
+Grounded: N / Partial: N / Phantom: N / Source-Missing: N
+```
+
+---
+
+## §Step3-Detail
+
+**Step 3 — Prescription Procedures + Output Format**
+
+**3 Prescriptions — detailed execution**:
+
+1. **Source Re-read**: Precisely Read the relevant section of that source file again → fix the claim. Use Read with line-range targeting if the source is large.
+2. **Request source specification**: When source doesn't exist or wasn't declared → ask user to specify source file. Do not proceed until source is provided for S-grade items.
+3. **Delete/rewrite**: TCs/claims without source grounding should be deleted and rewritten based on source. Rewrite must start from source Read, not from the existing artifact text.
+
+**Step 3 output format**:
+
+```
+## Step 3 — Phantom Classification + Prescription
+
+### S-grade Immediate Blockers
+
+| # | Claim (Phantom) | Prescription | Evidence |
+|:---:|---|---|---|
+| 1 | [claim] | Source Re-read / Request source specification / Delete rewrite | [source file specified or reason for absence] |
+
+### A-grade Must Fix
+
+| # | Claim (Phantom/Partial) | Prescription | Notes |
+|:---:|---|---|---|
+...
+
+### B-grade Improvement Recommended
+
+| # | Claim (Partial) | Prescription | Notes |
+|:---:|---|---|---|
+...
+
+S-grade: N / A-grade: N / B-grade: N
+```
+
+---
+
+## §Step4-Detail
+
+**Step 4 — Pattern Diagnosis Output Format**
+
+```
+## Step 4 — Source Not-Read Pattern Diagnosis
+
+Detected pattern: {pattern name or "none"}
+Evidence: {Phantom/Partial distribution analysis}
+
+Process prescription:
+- [specific process improvement suggestions]
+```
+
+---
+
+## §Report-Template
+
+**Completion Declaration Format**
+
+```
+## source-grounding-audit Complete
+
+Audit scope: {artifact file} / source {N files}
+{N} total claims audited
+
+Result summary:
+  ✅ Grounded: N
+  ⚠️ Partial: N (fix recommended)
+  ❌ Phantom: N (S: N / A: N / B: N)
+  🔴 Source-Missing: N
+
+Process pattern: {detected pattern or "none"}
+
+Next actions:
+  - S-grade Phantom → immediately Source Re-read then fix
+  - Source not-read pattern detected → add source Read prerequisite to artifact generation process
+  - 3+ Phantoms → recommend using with steel-quench Wave 1 "real-use verification" angle
+  - Repeated pattern detected → persist to tracks/_meta/ + propose as rule candidate
+```
+
+---
+
+## §Evidence
+
+**Evidence Record**
+
+- **Verified in practice**: TC generation without reading source files → steel-quench passes → source-grounding-audit back-trace detects numerous Phantoms (notifications vs. push notifications, version names vs. non-enrolled, bottom sheet vs. screen navigation). **Procedure**: Read sources in order then regenerate → replace with source-based TCs. **Recurrence prevention**: Source gate implementation — FileNotFoundError if required source files absent. steel-quench misses this because: outputs look logically sound so pattern attacks cannot identify Phantoms — only source back-tracing can detect them.

package/plugins/fh-meta/skills/steel-quench/SKILL.md

@@ -0,0 +1,226 @@
+---
+name: steel-quench
+description: >-
+  A meta-skill that concretizes a designer's anxiety into AI-driven all-angle challenger attacks (via fh-commons:quench-challenger) and shakes off flaws through defensive rounds. Systematically surfaces root weaknesses of near-complete projects wave by wave, guaranteeing near-human-review quality without direct human deep inspection. Wave 4 (Meta-Aware Adversary) is an advanced mode where the challenger uses its own AI nature — hallucination, context collapse, prompt injection, tool lock-in — as attack vectors. Built-in fh-commons:quench-challenger agent outputs harness structure 6-axis attack+prescription pairs; after convergence, fh-meta:persona-innovator auto-extracts new patterns. Triggered by: "quench this", "devil's judgment", "all-angle review", "end-to-end verification", "steel quench", "deep pre-completion inspection", "shake out design anxiety", "attack from the root".
+user-invocable: true
+allowed-tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob", "WebSearch", "Agent"]
+model: opus
+---
+
+# steel-quench — All-Angle Verification Meta-Skill
+
+> Heating steel and plunging it into water brings internal defects to the surface. quench-challenger attacks → defense → repeat = systematic surfacing and elimination of design flaws.
+
+A designer's anxiety is most dangerous when vague. steel-quench breaks that anxiety into concrete attack angles, defends against them, and closes with residual risks explicitly stated.
+
+> **Scope boundary**: steel-quench stress-tests a **near-complete artifact** (post-build). For pre-build design decisions → `deliberation`. For completed-asset validation → `sim-conductor`.
+
+## Trigger Phrases
+
+| Phrase | Situation |
+|---|---|
+| "quench this", "run quench" | All-angle verification just before completion |
+| "devil's judgment" | Focused challenger attack on specific design decision |
+| "all-angle review", "end-to-end verification" | Full project scope verification |
+| "shake out design anxiety", "deep pre-completion inspection" | Concretize vague anxiety |
+| "attack from the root" | Re-verify from reason for existence |
+| "diagnose with counterexample", "use this bad case as reference" | Phase 0 calibration |
+| `/steel-quench` | Explicit call |
+
+---
+
+## Wave Structure
+
+| Wave | Role | Termination |
+|---|---|---|
+| **Phase 0** (optional) | Counterexample calibration — extract patterns from external bad cases, merge into Wave 1 | No external case → skip |
+| **Wave 1** | Challenger attack (quench-challenger) — surface critical flaws, no defense | — |
+| **Wave 2** | Defense — defend or state as residual risk | — |
+| **Wave 3+** | Convergence — repeat until zero new S-grade | Zero new S-grade |
+| **Wave 4** (optional) | Meta-Aware Adversary — AI uses its own nature as attack vector | Zero new S-grade + AI-specific criteria |
+| **Wave-P3** (reserved) | Domain gate integration slot | Future use |
+| **Wave 5** (optional) | Multi-Team Adversarial Panel — external CLIs or cross-session Claude | Zero new S-grade cross-team |
+
+---
+
+## Step 0.3 — Artifact Vulnerability Profile
+
+> **Schema**: `knowledge/shared/harness-core/tpa_schema.md` — canonical artifact_type/risk_level/phantom_risk derivation, gate routing, meta-harness broadcast multiplier.
+
+Runs when steel-quench is invoked without a specific wave restriction.
+Skip if user specifies exact waves (e.g. "run Wave 1 and Wave 4 only").
+
+Read target artifact → classify vulnerability surface:
+
+| Dimension | Signal → Wave weight shift |
+|---|---|
+| `artifact_type` | SKILL.md/design-doc → Wave 2 (structural defense) weight↑ · bash/code → Wave 1 (real-code) weight↑ · external publish imminent → Wave 5 (cross-team) weight↑ |
+| `phantom_risk` | citations/arXiv/DOIs/http URLs present → Wave 3 (source-grounding) weight↑ |
+| `claim_density` | 3+ benefit claims → Wave 1 U3 (evidence grounding) angle weight↑ |
+| `novelty` | first-of-its-kind pattern → Wave 4 (convergence) weight↑ |
+| `scope` | internal-only doc → Wave 5 (external CLI) weight=0 (skip) |
+
+Wave selection output:
+```
+Run:  [list of selected waves with rationale]
+Skip: [list of skipped waves with reason]
+External CLIs available: [yes/no → Wave 5 available]
+```
+
+**Degraded coverage rule**: if a high-weight wave or capability is skipped (user choice, unavailable tool, or scope=internal), flag explicitly in the output header — do not silently proceed.
+
+---
+
+## Step 0.4 — Specialized Reviewer Discovery
+
+For the target artifact, scan installed agents for a domain-specific adversarial reviewer:
+
+1. Check `.claude/agents/` for a reviewer matching `artifact_type`
+2. Built-in fallback: `fh-commons:quench-challenger` (general-purpose adversarial review)
+3. GAP for high-risk artifact: query `/plugin-recommender "adversarial reviewer for [artifact_type]"` → user: install / skip / use fallback
+
+**Runtime adapter note**: In Claude Code, invoke the fallback as an isolated `Agent(subagent_type="fh-commons:quench-challenger")`. In Codex-primary or other non-Claude runtimes, use the FH adapter instead:
+
+```bash
+FH_BACKEND=codex npx --package @chrono-meta/fh-gate fh-run \
+  --agent fh-commons:quench-challenger \
+  --file {target-artifact}
+```
+
+Treat the adapter output as the isolated challenger result for Wave 1. This preserves the same workflow without depending on Claude Code's Agent tool.
+
+**Wave 5 activation rule**: Wave 5 (external CLI team) is only activated when `scope` is not internal-only AND external CLIs are available AND risk_level is high or user explicitly requests it.
+
+> **Detail**: See `SKILL_detail.md §ArtifactProfile` — worked examples (SKILL.md, bash script, README, design doc with citations) showing wave selection and rationale — read when classifying an unfamiliar artifact type.
+
+---
+
+## Wave 1 — 5 Mandatory Attack Angles
+
+**Execution principles**: Attacks must be based on real code/files/configs — abstract criticism prohibited.
+Assign severity: **S** (immediate blocker) / **A** (required before deployment) / **B** (improvement recommended).
+Call **fh-commons:quench-challenger** in isolation first (6-axis structural attack); apply 5 angles in parallel.
+
+Isolation can be achieved by Claude Code `Agent(...)` or by `fh-run --agent fh-commons:quench-challenger` under Codex. Do not run the challenger inline in the same reasoning pass when the attack result gates the defense.
+
+| # | Attack Angle | Core Question |
+|:---:|---|---|
+| 1 | **Reason for existence** | "Why this structure? Is there no simpler alternative?" |
+| 2 | **Real-use verification** | "Does what's written in the docs actually match the real code?" |
+| 3 | **Bus factor** | "Single-person dependency — can it operate if that person is absent?" |
+| 4 | **Platform obsolescence** | "Does this structure survive when the external ecosystem expands or changes?" |
+| 5 | **Self-referential structure** | "Is there a closed circuit that evaluates itself by its own criteria?" |
+
+**S-grade Immediate Human Gate**: If Wave 1 contains 1+ S-grade blocker → pause, surface options (a) proceed to Wave 2 / (b) human review first / (c) abort. Do not silently enter Wave 2 with unreviewed S-grade items.
+
+> **Detail**: See `SKILL_detail.md §Wave1` — Wave 1 output format, optional numeric score, quench-challenger invocation.
+
+---
+
+## Wave 2 — Defense Principles
+
+**3 Defense Principles**: (1) Reinforce with external cases via WebSearch — "unique to us" or "structural pattern"?
+(2) Cover with experience — other project cases defend bus factor. (3) Prioritize immediate implementation over logical construction.
+
+**Classification**: Immediate implementation (this session) / Long-term improvement (residual risk card) / Structural acceptance (declare with rationale).
+
+**"Brain in a Vat + Sandboxed Adversary"**: Challenger attacks only static code (isolated). Defender brings living system evidence. This asymmetry makes Wave 2 structurally superior to Wave 1.
+
+> **Detail**: See `SKILL_detail.md §Wave2` — Wave 2 output format, full Brain-in-Vat principle.
+
+---
+
+## Wave 4 — Meta-Aware Adversary (5 Attack Angles)
+
+The challenger (quench-challenger in Wave 4 mode) knows it's running in an isolated sub-agent sandbox and uses that knowledge as a weapon.
+
+| # | Attack Angle | Core Question |
+|:---:|---|---|
+| W4-1 | **AI dependency single point of failure** | "If Claude API goes down, does harness core function go to zero?" |
+| W4-2 | **Context Collapse** | "When initial instructions are lost to context compression, does harness go silent?" |
+| W4-3 | **Prompt Injection exposure** | "Can external data overwrite harness internal rules?" |
+| W4-4 | **Hallucination cumulative contamination** | "Do Wave defense arguments rely on LLM inference rather than actual measurement?" |
+| W4-5 | **Tool Dependency Lock-in** | "If a specific MCP/plugin/tool is removed, does harness functionality collapse?" |
+
+Wave 4 convergence = Wave 3 criteria + 3 AI-specific vectors actually reviewed + hallucination defense based on original file references.
+
+> **Detail**: See `SKILL_detail.md §Wave4` — Wave 4 output format, defense principles, convergence criteria, activation declaration format.
+
+---
+
+## Cross-Project Common Patterns (initial seed)
+
+| # | Pattern Name | Description | Response Direction |
+|:---:|---|---|---|
+| P1 | **Single-person bus factor** | System paralysis when core operator absent | Document, automate, formalize delegation |
+| P2 | **Doc-code mismatch** | Documented behavior differs from actual code | Re-sync to real code as ground truth |
+| P3 | **Self-referential diagnosis** | Creator validates — internal viewpoint closed circuit | Connect external persona or sim-conductor |
+| P4 | **No real-use verification** | Theoretically designed but never executed | Mandate 1 cold-start simulation |
+| P5 | **Platform obsolescence unplanned** | No response to external ecosystem changes | Quarterly frontier diagnosis |
+| P6 | **AI dependency single point of failure** | Claude API/MCP removal causes collapse | Document graceful degradation + fallback |
+| P7 | **Hallucination-contaminated defense** | Defense relies on LLM inference, not measurement | Mandate citing original file/commit/value |
+| P8 | **Context Collapse unguarded** | Key instructions lost to compression → harness silent | Review CLAUDE.md compact repeated insertion |
+
+Add new rows as new patterns are discovered.
+
+---
+
+## Done When
+
+```
+Wave convergence criteria met: zero new S-grade blockers
++ Residual risk card output (A-grade · B-grade items)
++ "steel-quench Complete" declaration output
+```
+
+Verdict: PASS (zero S-grade, convergence reached) | CONDITIONAL_PASS (A/B-grade remain) | FAIL (S-grade persist) | ESCALATE (structural ambiguity requiring human judgment)
+
+---
+
+## Convergence Criteria + Downstream Chaining
+
+### Convergence Criteria
+1. **Zero new S-grade blockers** → terminate
+2. A-grade or higher complex improvements → skill-ize with `/meta-prompt-builder`
+3. Full Wave results → recommend persisting to `tracks/_meta/steel_quench_YYYY_MM_DD_{slug}.md`
+
+### Connected Skills
+
+| Situation | Connected Skill | Mandatory? |
+|---|---|:---:|
+| Delegate improvements as prompts | `/meta-prompt-builder` | optional |
+| **External publish: re-validate from external user perspective** | **`/sim-conductor Area A`** | **mandatory** |
+| Re-validate structural decision | `/verify-bidirectional` | optional |
+| Attack angle is a harness structure problem | `/harness-doctor` | optional |
+| After Wave convergence, propose new pattern rules | `fh-meta:persona-innovator` | optional |
+| Wave 1 structure-specific attack (6-axis) | `fh-commons:quench-challenger` | priority |
+| Back-trace whether claims exist in source files | `/source-grounding-audit` | **mandatory** when `phantom_risk=true` OR `scope=external` (see tpa_schema.md §Gate Routing Table) |
+
+**steel-quench → sim-conductor gate**: After Wave convergence in external-publish context, `/sim-conductor Area A` is the mandatory next step.
+
+### Required Pre-External-Deployment Sequence
+
+```
+steel-quench convergence (zero new S-grade)
+        ↓  pass residual risk list
+sim-conductor Area A (external user perspective)
+        ↓  new items found that steel-quench missed?
+        ├── yes → additional steel-quench Wave round
+        └── no  → deployment approved
+```
+
+> **Detail**: See `SKILL_detail.md §Wave5` — Wave 5 Multi-Team Panel (team formation bash, parallel dispatch, cross-team synthesis) — read when activating `--sidecar` flag. See `SKILL_detail.md §Structural-Defense` for meta-harness defense layering explanation.
+
+---
+
+## Operating Notes
+
+- **Do not defend in Wave 1.** Mixing attack and defense modes dulls the attack's edge.
+- **Attacks without real code are invalid.** Abstract criticism is not included in Wave 1 results.
+- **quench-challenger first.** Call fh-commons:quench-challenger in isolation in Wave 1 if available.
+- **Always check self-referential pattern (P3).** Cross-validate Wave results with external criteria.
+- **Attack surface limit**: steel-quench attacks output content patterns. Phantom Claim detection → `source-grounding-audit`.
+
+## Failure Fallback
+
+On Claude API / MCP failure → refer to [`references/fallback-guide.md`](../../references/fallback-guide.md).