@hegemonart/get-design-done 1.14.4 → 1.14.7

package/reference/meta-rules.md

@@ -0,0 +1,66 @@
+# Meta-Rules (L0)
+
+These rules are framework-invariant across the GDD pipeline. They do not change between cycles, phases, or tasks. Every agent imports `reference/shared-preamble.md`, which aggregates `reference/meta-rules.md` first.
+
+**Tier: L0** (frozen prefix; stabilizes the Anthropic 5-min prompt-cache prefix across agent spawns — the churning L2 body below does NOT invalidate this).
+
+---
+
+## Required Reading Discipline
+
+When the orchestrator's prompt contains a `<required_reading>` block, you MUST read every file it lists with the `Read` tool before taking any other action. Paths prefixed with `@` are file paths — pass them directly to `Read`. Skipping required reading is a hard violation: you will produce stale output that the downstream verifier catches, wasting a full spawn cycle.
+
+## Writes Protocol
+
+Only write files declared in your frontmatter `writes:` list. Agents with `reads-only: true` must never call `Write` or `Edit` on any file. If the task appears to require writing outside your declared scope, stop and return a `<blocker>` in STATE.md rather than expanding your write surface.
+
+If your agent runs in a phase that enforces atomic commits (most do), commit only files in your declared `writes:` list. Use the repo commit convention: `docs(phase-N-P): short imperative description` for documentation-class changes, `feat(phase-N-P): ...` for new capability, `fix(phase-N-P): ...` for bug fixes. Phase and plan numbers come from `.design/STATE.md` `phase:` and the invoking plan's frontmatter.
+
+## Deviation Handling
+
+If an expected file is missing, a required reading entry fails to load, or the prompt references an artifact that contradicts STATE.md, **stop** before taking any destructive action. Return a structured blocker to STATE.md and terminate your response with your completion marker:
+
+```markdown
+<blocker>
+type: missing-artifact | stale-state | contract-violation
+detail: <one sentence>
+suggested-fix: <one sentence or leave blank>
+</blocker>
+
+## {STAGE} COMPLETE
+```
+
+## Completion Markers
+
+Valid completion markers per agent class (from `agents/README.md` §Completion Markers):
+- Research agent → `## RESEARCH COMPLETE`
+- Planning agent → `## PLANNING COMPLETE`
+- Execution agent → `## EXECUTION COMPLETE`
+- Verification agent → `## VERIFICATION COMPLETE`
+- Stage-specific agents → the stage name: `## SCAN COMPLETE`, `## DISCOVER COMPLETE`, `## PLAN COMPLETE`, `## DESIGN COMPLETE`, `## VERIFY COMPLETE`.
+
+The orchestrator detects failure by reading STATE.md for a `<blocker>`, not by the absence of a marker. Always emit the marker.
+
+## Context-Exhaustion & Budget Awareness
+
+A PostToolUse hook at `hooks/context-exhaustion.js` watches your tool output for the string `<context-exhaustion>` in your response. If you determine you cannot finish the task in the remaining context, emit:
+
+```xml
+<context-exhaustion>
+reason: <one-sentence cause — e.g., "required_reading totals 47KB exceeding remaining context">
+resume-hint: <one-sentence instruction for a resumption spawn>
+</context-exhaustion>
+```
+
+…before your completion marker. The hook captures this into STATE.md so the orchestrator can re-spawn you with a narrower scope. Do not guess when you're near exhaustion — only emit when a concrete obstacle (file too large to read, required diff too wide) forced the call.
+
+A PreToolUse hook at `hooks/budget-enforcer.js` intercepts every `Task` spawn (including the one that invoked you). The hook may:
+- **Short-circuit** your spawn with a cached result from `.design/cache-manifest.json` (transparent — you never run).
+- **Downgrade** your tier to Haiku at the 80% per-task cap soft-threshold, silently (`auto_downgrade_on_cap: true` in `.design/budget.json`, D-03).
+- **Hard-block** your spawn at the 100% per-task or per-phase cap with an actionable error (D-02).
+
+Implication for you as the agent: **do not assume a specific model tier is live.** Your output must be correct whether you run on Haiku, Sonnet, or Opus. If a task genuinely requires reasoning density beyond Haiku, the `size_budget` + `default-tier` combination should have been set at authoring time so the router routes it correctly — the remedy is a frontmatter update (a Phase 11 reflector proposal), not a mid-run assumption.
+
+---
+
+*Framework-invariant meta-rules. Aggregated by `reference/shared-preamble.md`.*

package/reference/protected-paths.default.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "./schemas/protected-paths.schema.json",
+  "version": 1,
+  "description": "Paths the plugin refuses to Edit/Write or mutate via Bash without an explicit user override. User additions in .design/config.json.protected_paths MERGE into this list — they can extend but cannot reduce the default set.",
+  "protected_paths": [
+    "reference/**",
+    ".design/archive/**",
+    ".design/config.json",
+    ".design/telemetry/**",
+    "skills/**",
+    "commands/**",
+    "hooks/**",
+    ".git/**",
+    ".claude/settings.json",
+    ".claude-plugin/plugin.json",
+    ".claude-plugin/marketplace.json"
+  ]
+}

package/reference/registry.json

@@ -0,0 +1,34 @@
+{
+  "$schema": "./schemas/registry.schema.json",
+  "version": 1,
+  "generated_at": "2026-04-24T00:00:00.000Z",
+  "entries": [
+    { "name": "shared-preamble",         "path": "reference/shared-preamble.md",         "type": "preamble",        "tier": "L0", "description": "L0 aggregator — imports meta-rules first and exposes Framework Identity + Ordering Convention + Pre-Warming" },
+    { "name": "meta-rules",              "path": "reference/meta-rules.md",              "type": "meta-rules",      "tier": "L0", "description": "Framework-invariant rules: Required Reading Discipline, Writes Protocol, Deviation Handling, Completion Markers, Context-Exhaustion & Budget awareness" },
+    { "name": "cycle-handoff-preamble",  "path": "reference/cycle-handoff-preamble.md",  "type": "preamble",                       "description": "Framing prose for archived cycle material — read as reference, not as current request" },
+    { "name": "retrieval-contract",      "path": "reference/retrieval-contract.md",      "type": "preamble",                       "description": "3-layer search → metadata → full-doc protocol with per-row token-cost labels" },
+    { "name": "heuristics",              "path": "reference/heuristics.md",              "type": "heuristic",       "tier": "L2", "description": "NNG heuristics + GDD-specific rubrics used by auditor / verifier" },
+    { "name": "anti-patterns",           "path": "reference/anti-patterns.md",           "type": "heuristic",       "tier": "L2", "description": "Catalog of design anti-patterns surfaced during audit" },
+    { "name": "checklists",              "path": "reference/checklists.md",              "type": "heuristic",       "tier": "L2", "description": "Per-category gate checklists" },
+    { "name": "accessibility",           "path": "reference/accessibility.md",           "type": "heuristic",                     "description": "WCAG + focus + keyboard-nav heuristics referenced by a11y-mapper" },
+    { "name": "debugger-philosophy",     "path": "reference/debugger-philosophy.md",     "type": "heuristic",                     "description": "Philosophy guide for systematic-debugging agents" },
+    { "name": "parallelism-rules",       "path": "reference/parallelism-rules.md",       "type": "heuristic",                     "description": "Rules for serial/parallel agent dispatch and Touches conflict detection" },
+    { "name": "priority-matrix",         "path": "reference/priority-matrix.md",         "type": "heuristic",                     "description": "Severity × Effort priority-score formula used by gap prioritizers" },
+    { "name": "project-skills-guide",    "path": "reference/project-skills-guide.md",    "type": "heuristic",                     "description": "Guide for authoring project-skill artifacts (sketch/spike wrap-ups)" },
+    { "name": "audit-scoring",           "path": "reference/audit-scoring.md",           "type": "output-contract",                "description": "6-pillar + 7-category audit score rubric and output schema" },
+    { "name": "review-format",           "path": "reference/review-format.md",           "type": "output-contract",                "description": "Format of code-review output documents" },
+    { "name": "authority-feeds",         "path": "reference/authority-feeds.md",         "type": "authority-feed",                 "description": "Whitelist of design-authority feed sources for the watcher" },
+    { "name": "motion",                  "path": "reference/motion.md",                  "type": "motion",                         "description": "Motion vocabulary seed (extended in Phase 18)" },
+    { "name": "typography",              "path": "reference/typography.md",              "type": "heuristic",                     "description": "Typography-system heuristics used by visual-hierarchy-mapper" },
+    { "name": "ai-native-tool-interface","path": "reference/ai-native-tool-interface.md","type": "surfaces",                       "description": "AI-native tool interface contract used across connections" },
+    { "name": "intel-schema",            "path": "reference/intel-schema.md",            "type": "schema",                         "description": "Schema documentation for .design/intel/ files" },
+    { "name": "config-schema",           "path": "reference/config-schema.md",           "type": "schema",                         "description": "Schema documentation for .design/config.json" },
+    { "name": "DEPRECATIONS",            "path": "reference/DEPRECATIONS.md",            "type": "schema",                         "description": "Deprecation records and redirect mappings" },
+    { "name": "STATE-TEMPLATE",          "path": "reference/STATE-TEMPLATE.md",          "type": "schema",                         "description": "Template for .design/STATE.md scaffolded by /gdd:scan" },
+    { "name": "model-prices",            "path": "reference/model-prices.md",            "type": "data",                           "description": "Anthropic model pricing table used by the telemetry aggregator" },
+    { "name": "model-tiers",             "path": "reference/model-tiers.md",             "type": "data",                           "description": "Per-agent default tier map and rationale" },
+    { "name": "figma-sandbox",           "path": "reference/figma-sandbox.md",           "type": "defaults",                       "description": "Four Figma plugin-sandbox pitfalls encoded as hard rules" },
+    { "name": "mcp-budget.default",      "path": "reference/mcp-budget.default.json",    "type": "defaults",                       "description": "Default MCP per-task budget (calls + consecutive-timeout thresholds)" },
+    { "name": "protected-paths.default", "path": "reference/protected-paths.default.json","type": "defaults",                       "description": "Default glob list the plugin refuses to Edit/Write/mutate-via-Bash without override" }
+  ]
+}

package/reference/registry.schema.json

@@ -0,0 +1,52 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/hegemonart/get-design-done/reference/schemas/registry.schema.json",
+  "title": "Reference Registry",
+  "description": "Typed index of every reference/*.md (and reference/*.json default) in the plugin. Enables agents to query by type instead of grep-hunting import strings. Round-trip enforced: every reference/*.md must appear in entries[], every entry must resolve to an existing file.",
+  "type": "object",
+  "required": ["version", "generated_at", "entries"],
+  "properties": {
+    "$schema": { "type": "string" },
+    "version": { "const": 1 },
+    "generated_at": { "type": "string", "format": "date-time" },
+    "entries": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["name", "path", "type"],
+        "properties": {
+          "name": { "type": "string", "minLength": 1, "pattern": "^[a-z0-9][a-z0-9-._]*$" },
+          "path": { "type": "string", "minLength": 1 },
+          "type": {
+            "type": "string",
+            "enum": [
+              "easing",
+              "taxonomy",
+              "preamble",
+              "output-contract",
+              "heuristic",
+              "schema",
+              "defaults",
+              "surfaces",
+              "motion",
+              "influences",
+              "meta-rules",
+              "data",
+              "authority-feed",
+              "principles",
+              "emotional-design",
+              "experience",
+              "palette",
+              "style-vocabulary"
+            ]
+          },
+          "tier": { "enum": ["L0", "L1", "L2"] },
+          "description": { "type": "string" },
+          "registered_at": { "type": "string", "format": "date-time" }
+        },
+        "additionalProperties": false
+      }
+    }
+  },
+  "additionalProperties": false
+}

package/reference/retrieval-contract.md

@@ -0,0 +1,30 @@
+# Retrieval Contract — 3-Layer Search
+
+When an agent or skill needs information from `.design/` artifacts or the `reference/` library, apply this protocol in order. Token economy matters — ladder from cheapest to most expensive.
+
+## Layer 1 — Search (~50–100 tokens per hit)
+
+Open `reference/registry.json` or the intel index at `.design/intel/`. Read one row per candidate: `{name, path, type, tier, description}`. This is enough to decide whether to descend further.
+
+- `list({type})` — everything tagged with a given type (e.g., `"heuristic"`, `"motion"`, `"preamble"`).
+- `find(name)` — direct lookup for a specific reference file by short name.
+
+## Layer 2 — Metadata (~200–300 tokens per hit)
+
+Open the candidate file's frontmatter + first 20 lines + heading outline. Decide if the full body is on the critical path.
+
+## Layer 3 — Full document (~500–1000+ tokens)
+
+Read the file with the `Read` tool. Only do this when layers 1 and 2 confirmed the doc is load-bearing for the current task.
+
+## Token economy
+
+A `/gdd:recall "term"` query that returns 5 Layer-1 hits ≈ 400 tokens. Opening all 5 full docs blind ≈ 4000 tokens. **Always ladder.** Skipping to Layer 3 is the #1 cause of context exhaustion in long pipeline runs.
+
+## FTS5 backend (Phase 19.5)
+
+Layer 1 becomes `scripts/lib/design-search.cjs` — same protocol, same output shape, but backed by `.design/search.db` instead of grep. Agents do not need to change anything; the backend swap is transparent.
+
+---
+
+*Imported by every skill that reads `.design/` artifacts: `/gdd:progress`, `/gdd:resume`, `/gdd:reflect`, `/gdd:pause`, `/gdd:recall` (Phase 19.5+), `/gdd:timeline` (Phase 19.5+). Tier: preamble. Phase: 14.5.*

package/reference/schemas/mcp-budget.schema.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/hegemonart/get-design-done/reference/schemas/mcp-budget.schema.json",
+  "title": "MCP Budget",
+  "description": "Thresholds for the MCP circuit-breaker hook. Applies to use_figma / use_paper / use_pencil and any tracked_tools entry the user extends.",
+  "type": "object",
+  "required": ["version", "max_calls_per_task", "max_consecutive_timeouts"],
+  "properties": {
+    "$schema": { "type": "string" },
+    "version": { "const": 1 },
+    "description": { "type": "string" },
+    "max_calls_per_task": { "type": "integer", "minimum": 0, "maximum": 10000 },
+    "max_consecutive_timeouts": { "type": "integer", "minimum": 0, "maximum": 1000 },
+    "reset_on_success": { "type": "boolean" },
+    "tracked_tools": {
+      "type": "array",
+      "items": { "type": "string", "minLength": 1 }
+    }
+  },
+  "additionalProperties": false
+}

package/reference/schemas/protected-paths.schema.json

@@ -0,0 +1,19 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/hegemonart/get-design-done/reference/schemas/protected-paths.schema.json",
+  "title": "Protected Paths",
+  "description": "Glob list describing paths the plugin refuses to Edit/Write or mutate via destructive Bash. User additions MERGE with this default list; users cannot reduce the default set.",
+  "type": "object",
+  "required": ["version", "protected_paths"],
+  "properties": {
+    "$schema": { "type": "string" },
+    "version": { "const": 1 },
+    "description": { "type": "string" },
+    "protected_paths": {
+      "type": "array",
+      "minItems": 1,
+      "items": { "type": "string", "minLength": 1 }
+    }
+  },
+  "additionalProperties": false
+}

package/reference/shared-preamble.md

@@ -1,6 +1,10 @@
 # GSD Agent Shared Preamble
 
-> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is load-bearing for Anthropic's 5-minute prompt cache (see `reference/model-tiers.md` and phase 10.1 decision D-08 Layer A): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies — always import.**
+> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is load-bearing for Anthropic's 5-minute prompt cache (see `reference/model-tiers.md` and Phase 10.1 decision D-08 Layer A): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies — always import.**
+>
+> **As of Phase 14.5 this file is an aggregator.** The framework-invariant subsections (Required Reading Discipline, Writes Protocol, Deviation Handling, Completion Markers, Context-Exhaustion & Budget awareness) live in `reference/meta-rules.md` (tier L0) so the L2 heuristics/anti-patterns/checklists churn never invalidates the L0 prefix.
+
+@reference/meta-rules.md
 
 ## Framework Identity
 
@@ -8,61 +12,6 @@ You are a GSD agent operating under the `get-design-done` plugin contract (see `
 
 You are one step in a pipeline. You do not own the pipeline. The orchestrator decides what runs next based on your output.
 
-## Required Reading Discipline
-
-When the orchestrator's prompt contains a `<required_reading>` block, you MUST read every file it lists with the `Read` tool before taking any other action. Paths prefixed with `@` are file paths — pass them directly to `Read`. Skipping required reading is a hard violation: you will produce stale output that the downstream verifier catches, wasting a full spawn cycle.
-
-## Writes Protocol
-
-Only write files declared in your frontmatter `writes:` list. Agents with `reads-only: true` must never call `Write` or `Edit` on any file. If the task appears to require writing outside your declared scope, stop and return a `<blocker>` in STATE.md rather than expanding your write surface.
-
-If your agent runs in a phase that enforces atomic commits (most do), commit only files in your declared `writes:` list. Use the repo commit convention: `docs(phase-N-P): short imperative description` for documentation-class changes, `feat(phase-N-P): ...` for new capability, `fix(phase-N-P): ...` for bug fixes. Phase and plan numbers come from `.design/STATE.md` `phase:` and the invoking plan's frontmatter.
-
-## Deviation Handling
-
-If an expected file is missing, a required reading entry fails to load, or the prompt references an artifact that contradicts STATE.md, **stop** before taking any destructive action. Return a structured blocker to STATE.md and terminate your response with your completion marker:
-
-```markdown
-<blocker>
-type: missing-artifact | stale-state | contract-violation
-detail: <one sentence>
-suggested-fix: <one sentence or leave blank>
-</blocker>
-
-## {STAGE} COMPLETE
-```
-
-Valid completion markers per agent class (from `agents/README.md` §Completion Markers):
-- Research agent → `## RESEARCH COMPLETE`
-- Planning agent → `## PLANNING COMPLETE`
-- Execution agent → `## EXECUTION COMPLETE`
-- Verification agent → `## VERIFICATION COMPLETE`
-- Stage-specific agents → the stage name: `## SCAN COMPLETE`, `## DISCOVER COMPLETE`, `## PLAN COMPLETE`, `## DESIGN COMPLETE`, `## VERIFY COMPLETE`.
-
-The orchestrator detects failure by reading STATE.md for a `<blocker>`, not by the absence of a marker. Always emit the marker.
-
-## Context-Exhaustion Hook Awareness
-
-A PostToolUse hook at `hooks/context-exhaustion.js` watches your tool output for the string `<context-exhaustion>` in your response. If you determine you cannot finish the task in the remaining context, emit:
-
-```xml
-<context-exhaustion>
-reason: <one-sentence cause — e.g., "required_reading totals 47KB exceeding remaining context">
-resume-hint: <one-sentence instruction for a resumption spawn>
-</context-exhaustion>
-```
-
-…before your completion marker. The hook captures this into STATE.md so the orchestrator can re-spawn you with a narrower scope. Do not guess when you're near exhaustion — only emit when a concrete obstacle (file too large to read, required diff too wide) forced the call.
-
-## Budget-Enforcer Hook Awareness (Phase 10.1)
-
-A PreToolUse hook at `hooks/budget-enforcer.js` intercepts every `Task` spawn (including the one that invoked you). The hook may:
-- **Short-circuit** your spawn with a cached result from `.design/cache-manifest.json` (transparent — you never run).
-- **Downgrade** your tier to Haiku at the 80% per-task cap soft-threshold, silently (`auto_downgrade_on_cap: true` in `.design/budget.json`, D-03).
-- **Hard-block** your spawn at the 100% per-task or per-phase cap with an actionable error (D-02).
-
-Implication for you as the agent: **do not assume a specific model tier is live.** Your output must be correct whether you run on Haiku, Sonnet, or Opus. If a task genuinely requires reasoning density beyond Haiku, the `size_budget` + `default-tier` combination should have been set at authoring time so the router routes it correctly — the remedy is a frontmatter update (a Phase 11 reflector proposal), not a mid-run assumption.
-
 ## Ordering Convention (D-17)
 
 Your agent body is structured in this exact order so the cache prefix stays stable:
@@ -79,4 +28,4 @@ The `/gdd:warm-cache` command (ships in Plan 10.1-02) pre-warms this identical p
 
 ---
 
-*Imported by: every file under `agents/*.md` (except `agents/README.md`). Maintained as part of Phase 10.1 (OPT-07). Edits to this file affect every agent simultaneously — verify across the full agent suite before committing.*
+*Imported by: every file under `agents/*.md` (except `agents/README.md`). Maintained as part of Phase 10.1 (OPT-07) and Phase 14.5 (L0/L2 split). Edits to this file affect every agent simultaneously — verify across the full agent suite before committing.*

package/scripts/aggregate-agent-metrics.js

@@ -76,6 +76,10 @@ function readTelemetryRows() {
 function aggregate(rows) {
   const byAgent = new Map();
   for (const r of rows) {
+    // Blocked rows represent a spawn that was denied at the hook — the agent
+    // never actually ran, so it must not contribute to spawn counts, cost, or
+    // token totals. Skip them here (mirror of the filter in aggregateByPhase).
+    if (r.block_reason) continue;
     const agent = r.agent || 'unknown';
     if (!byAgent.has(agent)) {
       byAgent.set(agent, {
@@ -129,6 +133,11 @@ function writeAtomic(filePath, content) {
 function aggregateByPhase(rows) {
   const byPhase = {};
   for (const r of rows) {
+    // Blocked rows represent spawns that were denied by the hook — the agent
+    // never ran, so their est_cost_usd must not inflate cumulative phase spend.
+    // Counting them would make future hard-block and soft-threshold checks
+    // stricter than intended on every repeat cap hit.
+    if (r.block_reason) continue;
     const phase = r.phase || 'unknown';
     byPhase[phase] = (byPhase[phase] || 0) + Number(r.est_cost_usd || 0);
   }

package/scripts/build-intel.cjs

@@ -435,6 +435,26 @@ async function main() {
 
   console.log(`  discovered ${allFiles.length} files, ${changed.length} changed`);
 
+  // Phase 14.5: validate reference registry round-trip whenever any reference/*
+  // changed (or on --force). Fail the build on dangling/missing/duplicate.
+  const referenceChanged = FORCE || changed.some(f => f.startsWith('reference/'));
+  if (referenceChanged) {
+    try {
+      const { validateRegistry } = require(path.join(__dirname, 'lib', 'reference-registry.cjs'));
+      const v = validateRegistry({ cwd: ROOT });
+      if (!v.ok) {
+        console.error('build-intel: reference registry validation failed:');
+        if (v.missingInRegistry.length) console.error('  missing in registry:', v.missingInRegistry);
+        if (v.danglingInRegistry.length) console.error('  dangling entries:', v.danglingInRegistry);
+        if (v.duplicates.length) console.error('  duplicate entries:', v.duplicates);
+        process.exit(1);
+      }
+      console.log('  reference registry: ok');
+    } catch (err) {
+      if (err && err.code !== 'MODULE_NOT_FOUND') throw err;
+    }
+  }
+
   // Always rebuild files slice when any file changed
   const filesSlice = buildFilesSlice(allFiles);
   writeSlice('files.json', filesSlice);

package/scripts/injection-patterns.cjs

@@ -3,15 +3,56 @@
 // hooks/gdd-read-injection-scanner.js (runtime hook) and
 // scripts/run-injection-scanner-ci.cjs (CI scanner).
 // Add new patterns here; both consumers pick them up automatically.
+//
+// Phase 14.5 adds three new families: invisible-Unicode obfuscation,
+// HTML-comment instruction hijacks, and secret-exfil trigger patterns.
+
+// Zero-width + word-joiner + BOM + bidi overrides. Used for detection
+// AND as a normalization stripper for hooks that run scan after NFKC.
+const _CONTEXT_INVISIBLE_CHARS = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E]/;
 
 const INJECTION_PATTERNS = [
+  // ── classic prompt-injection verbs ──────────────────────────────────
   { name: 'ignore previous',         re: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
   { name: 'disregard previous',      re: /disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'forget previous',         re: /forget\s+(the\s+|all\s+)?(previous|prior|above)/i },
   { name: 'you are now a different', re: /you\s+are\s+now\s+a\s+different/i },
   { name: 'system: you are',         re: /system\s*:\s*you\s+are/i },
   { name: 'role tag injection',      re: /<\s*\/?\s*(system|assistant|human)\s*>/i },
   { name: '[INST] fragment',         re: /\[INST\]/i },
   { name: '### instruction fragment',re: /###\s*instruction/i },
+
+  // ── invisible-Unicode obfuscation (14.5 new family) ─────────────────
+  { name: 'invisible-unicode chars', re: _CONTEXT_INVISIBLE_CHARS },
+  { name: 'bidi-override instruction', re: /[\u202A-\u202E][^\n]*(ignore|disregard|forget|system\s*:)/i },
+
+  // ── HTML-comment / hidden-element instruction hijack (14.5 new) ─────
+  { name: 'html-comment system',      re: /<!--\s*system\s*:/i },
+  { name: 'html-comment assistant',   re: /<!--\s*assistant\s*:/i },
+  { name: 'html-comment ignore',      re: /<!--\s*(ignore|disregard|forget)\b/i },
+  { name: 'hidden div system',        re: /<div\s+[^>]*style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'hidden span system',       re: /<span\s+[^>]*style\s*=\s*["'][^"']*visibility\s*:\s*hidden[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'zero-font-size trick',     re: /style\s*=\s*["'][^"']*font-size\s*:\s*0[^"']*["'][^>]*>\s*(ignore|system|disregard)/i },
+
+  // ── secret-exfil trigger patterns (14.5 new) ─────────────────────────
+  { name: 'curl-with-api-key-env',    re: /curl\s+[^|\n]*\$\{?[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET|PASSWORD|AUTH)\}?/ },
+  { name: 'cat-dotenv',               re: /\bcat\s+\.env(\.[a-z]+)?\b/ },
+  { name: 'printenv-leak',            re: /\bprintenv\b[^\n]{0,80}\|\s*(curl|wget|nc|ssh)/ },
+  { name: 'tar-home-netcat',          re: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/ },
+  { name: 'env-dot-leak',             re: /process\.env\.[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)\s*[^;,\n]*(fetch|axios|XMLHttpRequest|http\.request)/ },
+  { name: 'ssh-key-cat',              re: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b/ },
 ];
 
-module.exports = { INJECTION_PATTERNS };
+/**
+ * Apply patterns to content and return matched pattern names (deduped).
+ */
+function scan(content) {
+  if (typeof content !== 'string' || !content) return [];
+  const hits = [];
+  for (const { name, re } of INJECTION_PATTERNS) {
+    if (re.test(content)) hits.push(name);
+  }
+  return hits;
+}
+
+module.exports = { INJECTION_PATTERNS, _CONTEXT_INVISIBLE_CHARS, scan };

package/scripts/lib/blast-radius.cjs

@@ -0,0 +1,97 @@
+'use strict';
+/**
+ * scripts/lib/blast-radius.cjs — per-task blast-radius preflight.
+ *
+ * Exports:
+ *   estimate({touchedPaths, diffStats, config?}) →
+ *     { files, lines, exceeds, overBy, limit: {files, lines} }
+ *   estimateMCPCalls({toolCalls, config?}) →
+ *     { count, exceeds, overBy, limit }
+ *   formatDiffSummary({touchedPaths, diffStats, result}) → string
+ *   loadConfig(cwd?) → { max_files_per_task, max_lines_per_task, max_mcp_calls_per_task }
+ *
+ * Config precedence: .design/config.json.blast_radius.{max_files_per_task, max_lines_per_task, max_mcp_calls_per_task}
+ * then .design/config.json top-level same keys, then built-in defaults.
+ *
+ * Zero-value limits DISABLE that dimension.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const DEFAULTS = {
+  max_files_per_task: 10,
+  max_lines_per_task: 400,
+  max_mcp_calls_per_task: 30,
+};
+
+function loadConfig(cwd) {
+  const configPath = path.join(cwd || process.cwd(), '.design', 'config.json');
+  let cfg = {};
+  try { cfg = JSON.parse(fs.readFileSync(configPath, 'utf8')); } catch { cfg = {}; }
+  const br = (cfg && typeof cfg === 'object' && cfg.blast_radius) || {};
+  return {
+    max_files_per_task: numberOr(br.max_files_per_task, cfg.max_files_per_task, DEFAULTS.max_files_per_task),
+    max_lines_per_task: numberOr(br.max_lines_per_task, cfg.max_lines_per_task, DEFAULTS.max_lines_per_task),
+    max_mcp_calls_per_task: numberOr(br.max_mcp_calls_per_task, cfg.max_mcp_calls_per_task, DEFAULTS.max_mcp_calls_per_task),
+  };
+}
+
+function numberOr(...candidates) {
+  for (const v of candidates) {
+    if (typeof v === 'number' && Number.isFinite(v) && v >= 0) return v;
+  }
+  return undefined;
+}
+
+function estimate({ touchedPaths = [], diffStats = {}, config } = {}) {
+  const cfg = config || loadConfig();
+  const files = new Set((touchedPaths || []).filter(Boolean)).size;
+  const lines = (diffStats.insertions || 0) + (diffStats.deletions || 0);
+  const fileLimit = cfg.max_files_per_task;
+  const lineLimit = cfg.max_lines_per_task;
+  const fileExceeds = fileLimit > 0 && files > fileLimit;
+  const lineExceeds = lineLimit > 0 && lines > lineLimit;
+  return {
+    files,
+    lines,
+    exceeds: fileExceeds || lineExceeds,
+    overBy: {
+      files: fileExceeds ? files - fileLimit : 0,
+      lines: lineExceeds ? lines - lineLimit : 0,
+    },
+    limit: { files: fileLimit, lines: lineLimit },
+  };
+}
+
+function estimateMCPCalls({ toolCalls = [], config } = {}) {
+  const cfg = config || loadConfig();
+  const count = Array.isArray(toolCalls) ? toolCalls.length : 0;
+  const limit = cfg.max_mcp_calls_per_task;
+  const exceeds = limit > 0 && count > limit;
+  return {
+    count,
+    exceeds,
+    overBy: exceeds ? count - limit : 0,
+    limit,
+  };
+}
+
+function formatDiffSummary({ touchedPaths = [], diffStats = {}, result }) {
+  const r = result || estimate({ touchedPaths, diffStats });
+  const lines = [];
+  lines.push('## Blast-Radius Preflight — Over Limit');
+  lines.push('');
+  lines.push(`Files touched: ${r.files} (limit ${r.limit.files || 'disabled'})`);
+  lines.push(`Lines changed: ${r.lines} (limit ${r.limit.lines || 'disabled'})`);
+  if (r.overBy.files) lines.push(`Over by: +${r.overBy.files} files`);
+  if (r.overBy.lines) lines.push(`Over by: +${r.overBy.lines} lines`);
+  lines.push('');
+  lines.push('Touched paths:');
+  for (const p of touchedPaths) lines.push(`  - ${p}`);
+  lines.push('');
+  lines.push('To proceed: split the task into ≤-limit chunks, or raise the ceiling in `.design/config.json.blast_radius.{max_files_per_task,max_lines_per_task}`.');
+  return lines.join('\n');
+}
+
+module.exports = { estimate, estimateMCPCalls, formatDiffSummary, loadConfig, DEFAULTS };