@hegemonart/get-design-done 1.14.5 → 1.14.7

package/reference/shared-preamble.md

@@ -1,6 +1,10 @@
 # GSD Agent Shared Preamble
 
-> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is load-bearing for Anthropic's 5-minute prompt cache (see `reference/model-tiers.md` and phase 10.1 decision D-08 Layer A): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies — always import.**
+> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is load-bearing for Anthropic's 5-minute prompt cache (see `reference/model-tiers.md` and Phase 10.1 decision D-08 Layer A): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies — always import.**
+>
+> **As of Phase 14.5 this file is an aggregator.** The framework-invariant subsections (Required Reading Discipline, Writes Protocol, Deviation Handling, Completion Markers, Context-Exhaustion & Budget awareness) live in `reference/meta-rules.md` (tier L0) so the L2 heuristics/anti-patterns/checklists churn never invalidates the L0 prefix.
+
+@reference/meta-rules.md
 
 ## Framework Identity
 
@@ -8,61 +12,6 @@ You are a GSD agent operating under the `get-design-done` plugin contract (see `
 
 You are one step in a pipeline. You do not own the pipeline. The orchestrator decides what runs next based on your output.
 
-## Required Reading Discipline
-
-When the orchestrator's prompt contains a `<required_reading>` block, you MUST read every file it lists with the `Read` tool before taking any other action. Paths prefixed with `@` are file paths — pass them directly to `Read`. Skipping required reading is a hard violation: you will produce stale output that the downstream verifier catches, wasting a full spawn cycle.
-
-## Writes Protocol
-
-Only write files declared in your frontmatter `writes:` list. Agents with `reads-only: true` must never call `Write` or `Edit` on any file. If the task appears to require writing outside your declared scope, stop and return a `<blocker>` in STATE.md rather than expanding your write surface.
-
-If your agent runs in a phase that enforces atomic commits (most do), commit only files in your declared `writes:` list. Use the repo commit convention: `docs(phase-N-P): short imperative description` for documentation-class changes, `feat(phase-N-P): ...` for new capability, `fix(phase-N-P): ...` for bug fixes. Phase and plan numbers come from `.design/STATE.md` `phase:` and the invoking plan's frontmatter.
-
-## Deviation Handling
-
-If an expected file is missing, a required reading entry fails to load, or the prompt references an artifact that contradicts STATE.md, **stop** before taking any destructive action. Return a structured blocker to STATE.md and terminate your response with your completion marker:
-
-```markdown
-<blocker>
-type: missing-artifact | stale-state | contract-violation
-detail: <one sentence>
-suggested-fix: <one sentence or leave blank>
-</blocker>
-
-## {STAGE} COMPLETE
-```
-
-Valid completion markers per agent class (from `agents/README.md` §Completion Markers):
-- Research agent → `## RESEARCH COMPLETE`
-- Planning agent → `## PLANNING COMPLETE`
-- Execution agent → `## EXECUTION COMPLETE`
-- Verification agent → `## VERIFICATION COMPLETE`
-- Stage-specific agents → the stage name: `## SCAN COMPLETE`, `## DISCOVER COMPLETE`, `## PLAN COMPLETE`, `## DESIGN COMPLETE`, `## VERIFY COMPLETE`.
-
-The orchestrator detects failure by reading STATE.md for a `<blocker>`, not by the absence of a marker. Always emit the marker.
-
-## Context-Exhaustion Hook Awareness
-
-A PostToolUse hook at `hooks/context-exhaustion.js` watches your tool output for the string `<context-exhaustion>` in your response. If you determine you cannot finish the task in the remaining context, emit:
-
-```xml
-<context-exhaustion>
-reason: <one-sentence cause — e.g., "required_reading totals 47KB exceeding remaining context">
-resume-hint: <one-sentence instruction for a resumption spawn>
-</context-exhaustion>
-```
-
-…before your completion marker. The hook captures this into STATE.md so the orchestrator can re-spawn you with a narrower scope. Do not guess when you're near exhaustion — only emit when a concrete obstacle (file too large to read, required diff too wide) forced the call.
-
-## Budget-Enforcer Hook Awareness (Phase 10.1)
-
-A PreToolUse hook at `hooks/budget-enforcer.js` intercepts every `Task` spawn (including the one that invoked you). The hook may:
-- **Short-circuit** your spawn with a cached result from `.design/cache-manifest.json` (transparent — you never run).
-- **Downgrade** your tier to Haiku at the 80% per-task cap soft-threshold, silently (`auto_downgrade_on_cap: true` in `.design/budget.json`, D-03).
-- **Hard-block** your spawn at the 100% per-task or per-phase cap with an actionable error (D-02).
-
-Implication for you as the agent: **do not assume a specific model tier is live.** Your output must be correct whether you run on Haiku, Sonnet, or Opus. If a task genuinely requires reasoning density beyond Haiku, the `size_budget` + `default-tier` combination should have been set at authoring time so the router routes it correctly — the remedy is a frontmatter update (a Phase 11 reflector proposal), not a mid-run assumption.
-
 ## Ordering Convention (D-17)
 
 Your agent body is structured in this exact order so the cache prefix stays stable:
@@ -79,4 +28,4 @@ The `/gdd:warm-cache` command (ships in Plan 10.1-02) pre-warms this identical p
 
 ---
 
-*Imported by: every file under `agents/*.md` (except `agents/README.md`). Maintained as part of Phase 10.1 (OPT-07). Edits to this file affect every agent simultaneously — verify across the full agent suite before committing.*
+*Imported by: every file under `agents/*.md` (except `agents/README.md`). Maintained as part of Phase 10.1 (OPT-07) and Phase 14.5 (L0/L2 split). Edits to this file affect every agent simultaneously — verify across the full agent suite before committing.*

package/scripts/build-intel.cjs

@@ -435,6 +435,26 @@ async function main() {
 
   console.log(`  discovered ${allFiles.length} files, ${changed.length} changed`);
 
+  // Phase 14.5: validate reference registry round-trip whenever any reference/*
+  // changed (or on --force). Fail the build on dangling/missing/duplicate.
+  const referenceChanged = FORCE || changed.some(f => f.startsWith('reference/'));
+  if (referenceChanged) {
+    try {
+      const { validateRegistry } = require(path.join(__dirname, 'lib', 'reference-registry.cjs'));
+      const v = validateRegistry({ cwd: ROOT });
+      if (!v.ok) {
+        console.error('build-intel: reference registry validation failed:');
+        if (v.missingInRegistry.length) console.error('  missing in registry:', v.missingInRegistry);
+        if (v.danglingInRegistry.length) console.error('  dangling entries:', v.danglingInRegistry);
+        if (v.duplicates.length) console.error('  duplicate entries:', v.duplicates);
+        process.exit(1);
+      }
+      console.log('  reference registry: ok');
+    } catch (err) {
+      if (err && err.code !== 'MODULE_NOT_FOUND') throw err;
+    }
+  }
+
   // Always rebuild files slice when any file changed
   const filesSlice = buildFilesSlice(allFiles);
   writeSlice('files.json', filesSlice);

package/scripts/injection-patterns.cjs

@@ -3,15 +3,56 @@
 // hooks/gdd-read-injection-scanner.js (runtime hook) and
 // scripts/run-injection-scanner-ci.cjs (CI scanner).
 // Add new patterns here; both consumers pick them up automatically.
+//
+// Phase 14.5 adds three new families: invisible-Unicode obfuscation,
+// HTML-comment instruction hijacks, and secret-exfil trigger patterns.
+
+// Zero-width + word-joiner + BOM + bidi overrides. Used for detection
+// AND as a normalization stripper for hooks that run scan after NFKC.
+const _CONTEXT_INVISIBLE_CHARS = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E]/;
 
 const INJECTION_PATTERNS = [
+  // ── classic prompt-injection verbs ──────────────────────────────────
   { name: 'ignore previous',         re: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
   { name: 'disregard previous',      re: /disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'forget previous',         re: /forget\s+(the\s+|all\s+)?(previous|prior|above)/i },
   { name: 'you are now a different', re: /you\s+are\s+now\s+a\s+different/i },
   { name: 'system: you are',         re: /system\s*:\s*you\s+are/i },
   { name: 'role tag injection',      re: /<\s*\/?\s*(system|assistant|human)\s*>/i },
   { name: '[INST] fragment',         re: /\[INST\]/i },
   { name: '### instruction fragment',re: /###\s*instruction/i },
+
+  // ── invisible-Unicode obfuscation (14.5 new family) ─────────────────
+  { name: 'invisible-unicode chars', re: _CONTEXT_INVISIBLE_CHARS },
+  { name: 'bidi-override instruction', re: /[\u202A-\u202E][^\n]*(ignore|disregard|forget|system\s*:)/i },
+
+  // ── HTML-comment / hidden-element instruction hijack (14.5 new) ─────
+  { name: 'html-comment system',      re: /<!--\s*system\s*:/i },
+  { name: 'html-comment assistant',   re: /<!--\s*assistant\s*:/i },
+  { name: 'html-comment ignore',      re: /<!--\s*(ignore|disregard|forget)\b/i },
+  { name: 'hidden div system',        re: /<div\s+[^>]*style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'hidden span system',       re: /<span\s+[^>]*style\s*=\s*["'][^"']*visibility\s*:\s*hidden[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'zero-font-size trick',     re: /style\s*=\s*["'][^"']*font-size\s*:\s*0[^"']*["'][^>]*>\s*(ignore|system|disregard)/i },
+
+  // ── secret-exfil trigger patterns (14.5 new) ─────────────────────────
+  { name: 'curl-with-api-key-env',    re: /curl\s+[^|\n]*\$\{?[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET|PASSWORD|AUTH)\}?/ },
+  { name: 'cat-dotenv',               re: /\bcat\s+\.env(\.[a-z]+)?\b/ },
+  { name: 'printenv-leak',            re: /\bprintenv\b[^\n]{0,80}\|\s*(curl|wget|nc|ssh)/ },
+  { name: 'tar-home-netcat',          re: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/ },
+  { name: 'env-dot-leak',             re: /process\.env\.[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)\s*[^;,\n]*(fetch|axios|XMLHttpRequest|http\.request)/ },
+  { name: 'ssh-key-cat',              re: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b/ },
 ];
 
-module.exports = { INJECTION_PATTERNS };
+/**
+ * Apply patterns to content and return matched pattern names (deduped).
+ */
+function scan(content) {
+  if (typeof content !== 'string' || !content) return [];
+  const hits = [];
+  for (const { name, re } of INJECTION_PATTERNS) {
+    if (re.test(content)) hits.push(name);
+  }
+  return hits;
+}
+
+module.exports = { INJECTION_PATTERNS, _CONTEXT_INVISIBLE_CHARS, scan };

package/scripts/lib/blast-radius.cjs

@@ -0,0 +1,97 @@
+'use strict';
+/**
+ * scripts/lib/blast-radius.cjs — per-task blast-radius preflight.
+ *
+ * Exports:
+ *   estimate({touchedPaths, diffStats, config?}) →
+ *     { files, lines, exceeds, overBy, limit: {files, lines} }
+ *   estimateMCPCalls({toolCalls, config?}) →
+ *     { count, exceeds, overBy, limit }
+ *   formatDiffSummary({touchedPaths, diffStats, result}) → string
+ *   loadConfig(cwd?) → { max_files_per_task, max_lines_per_task, max_mcp_calls_per_task }
+ *
+ * Config precedence: .design/config.json.blast_radius.{max_files_per_task, max_lines_per_task, max_mcp_calls_per_task}
+ * then .design/config.json top-level same keys, then built-in defaults.
+ *
+ * Zero-value limits DISABLE that dimension.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const DEFAULTS = {
+  max_files_per_task: 10,
+  max_lines_per_task: 400,
+  max_mcp_calls_per_task: 30,
+};
+
+function loadConfig(cwd) {
+  const configPath = path.join(cwd || process.cwd(), '.design', 'config.json');
+  let cfg = {};
+  try { cfg = JSON.parse(fs.readFileSync(configPath, 'utf8')); } catch { cfg = {}; }
+  const br = (cfg && typeof cfg === 'object' && cfg.blast_radius) || {};
+  return {
+    max_files_per_task: numberOr(br.max_files_per_task, cfg.max_files_per_task, DEFAULTS.max_files_per_task),
+    max_lines_per_task: numberOr(br.max_lines_per_task, cfg.max_lines_per_task, DEFAULTS.max_lines_per_task),
+    max_mcp_calls_per_task: numberOr(br.max_mcp_calls_per_task, cfg.max_mcp_calls_per_task, DEFAULTS.max_mcp_calls_per_task),
+  };
+}
+
+function numberOr(...candidates) {
+  for (const v of candidates) {
+    if (typeof v === 'number' && Number.isFinite(v) && v >= 0) return v;
+  }
+  return undefined;
+}
+
+function estimate({ touchedPaths = [], diffStats = {}, config } = {}) {
+  const cfg = config || loadConfig();
+  const files = new Set((touchedPaths || []).filter(Boolean)).size;
+  const lines = (diffStats.insertions || 0) + (diffStats.deletions || 0);
+  const fileLimit = cfg.max_files_per_task;
+  const lineLimit = cfg.max_lines_per_task;
+  const fileExceeds = fileLimit > 0 && files > fileLimit;
+  const lineExceeds = lineLimit > 0 && lines > lineLimit;
+  return {
+    files,
+    lines,
+    exceeds: fileExceeds || lineExceeds,
+    overBy: {
+      files: fileExceeds ? files - fileLimit : 0,
+      lines: lineExceeds ? lines - lineLimit : 0,
+    },
+    limit: { files: fileLimit, lines: lineLimit },
+  };
+}
+
+function estimateMCPCalls({ toolCalls = [], config } = {}) {
+  const cfg = config || loadConfig();
+  const count = Array.isArray(toolCalls) ? toolCalls.length : 0;
+  const limit = cfg.max_mcp_calls_per_task;
+  const exceeds = limit > 0 && count > limit;
+  return {
+    count,
+    exceeds,
+    overBy: exceeds ? count - limit : 0,
+    limit,
+  };
+}
+
+function formatDiffSummary({ touchedPaths = [], diffStats = {}, result }) {
+  const r = result || estimate({ touchedPaths, diffStats });
+  const lines = [];
+  lines.push('## Blast-Radius Preflight — Over Limit');
+  lines.push('');
+  lines.push(`Files touched: ${r.files} (limit ${r.limit.files || 'disabled'})`);
+  lines.push(`Lines changed: ${r.lines} (limit ${r.limit.lines || 'disabled'})`);
+  if (r.overBy.files) lines.push(`Over by: +${r.overBy.files} files`);
+  if (r.overBy.lines) lines.push(`Over by: +${r.overBy.lines} lines`);
+  lines.push('');
+  lines.push('Touched paths:');
+  for (const p of touchedPaths) lines.push(`  - ${p}`);
+  lines.push('');
+  lines.push('To proceed: split the task into ≤-limit chunks, or raise the ceiling in `.design/config.json.blast_radius.{max_files_per_task,max_lines_per_task}`.');
+  return lines.join('\n');
+}
+
+module.exports = { estimate, estimateMCPCalls, formatDiffSummary, loadConfig, DEFAULTS };

package/scripts/lib/dangerous-patterns.cjs

@@ -0,0 +1,118 @@
+'use strict';
+/**
+ * scripts/lib/dangerous-patterns.cjs — canonical dangerous-shell pattern list
+ * + Unicode NFKC + ANSI-strip + zero-width/bidi normalization used by
+ * hooks/gdd-bash-guard.js and any downstream audit tooling.
+ *
+ * Contract: exports
+ *   - normalize(s): string  — NFKC + ANSI strip + zero-width/bidi strip
+ *   - patterns: Array<{name, regex, description, severity}>
+ *   - match(command): { matched: boolean, pattern?, description?, severity? }
+ *
+ * Severity levels: 'critical' (system-destroying), 'high' (data-destroying / credential),
+ * 'medium' (destructive but scoped).
+ */
+
+const ANSI_RE = /\x1b\[[0-9;]*[A-Za-z]/g;
+const INVISIBLE_RE = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E]/g;
+
+function normalize(s) {
+  if (typeof s !== 'string') return '';
+  return s.normalize('NFKC').replace(ANSI_RE, '').replace(INVISIBLE_RE, '');
+}
+
+// Hex-decode helper so obfuscated `\x72\x6d` attacks land in the same pattern space.
+function hexDecodedVariant(s) {
+  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
+}
+
+// Ordered: critical first so the first match is always the worst.
+const patterns = [
+  // ── filesystem destruction ────────────────────────────────────────────
+  { name: 'rm-rf-root',             regex: /\brm\s+-[rRfF]+\s+\/(\s|$)/, description: 'rm -rf / — root filesystem deletion', severity: 'critical' },
+  { name: 'rm-rf-no-preserve-root', regex: /\brm\s+-[rRfF]+\s+(--no-preserve-root)/, description: 'rm -rf with --no-preserve-root', severity: 'critical' },
+  { name: 'rm-rf-home',             regex: /\brm\s+-[rRfF]+\s+(~|\/home(\s|\/|$))/, description: 'rm -rf of home directory', severity: 'critical' },
+  { name: 'rm-rf-etc',              regex: /\brm\s+-[rRfF]+\s+\/etc(\s|\/|$)/, description: 'rm -rf of /etc', severity: 'critical' },
+  { name: 'rm-rf-wildcard-root',    regex: /\brm\s+-[rRfF]+\s+\/\*/, description: 'rm -rf /*', severity: 'critical' },
+  { name: 'rm-rf-usr',              regex: /\brm\s+-[rRfF]+\s+\/usr(\s|\/|$)/, description: 'rm -rf /usr', severity: 'critical' },
+  { name: 'rm-rf-var',              regex: /\brm\s+-[rRfF]+\s+\/var(\s|\/|$)/, description: 'rm -rf /var', severity: 'critical' },
+  { name: 'fork-bomb',              regex: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/, description: 'classic :(){ :|:& };: fork bomb', severity: 'critical' },
+
+  // ── disk / device mutation ───────────────────────────────────────────
+  { name: 'dd-zero-to-device',      regex: /\bdd\s+if=\/dev\/(zero|random|urandom)\s+of=\/dev\/(sd|hd|nvme)/, description: 'dd overwrite of block device', severity: 'critical' },
+  { name: 'mkfs-device',            regex: /\bmkfs(\.[a-z0-9]+)?\s+\/dev\//, description: 'mkfs on a block device', severity: 'critical' },
+  { name: 'redirect-to-device',     regex: />\s*\/dev\/(sd|hd|nvme)[a-z]\d*/, description: 'shell redirect overwrites a block device', severity: 'critical' },
+
+  // ── permission escalation ────────────────────────────────────────────
+  { name: 'chmod-777',              regex: /\bchmod\s+(-[A-Za-z]+\s+)?777\b/, description: 'chmod 777 — world-writable permissions', severity: 'high' },
+  { name: 'chmod-recursive-world',  regex: /\bchmod\s+-R\s+[0-7]*[0-7]7[0-7]\b/, description: 'chmod -R with world-writable bits', severity: 'high' },
+  { name: 'chown-root-recursive',   regex: /\bchown\s+-R\s+root(:root)?\s+\//, description: 'chown -R root on absolute path', severity: 'high' },
+
+  // ── pipe to shell ─────────────────────────────────────────────────────
+  { name: 'curl-pipe-sh',           regex: /\bcurl\s[^|;&\n]*\|\s*(sh|bash|zsh|sudo\s+sh|sudo\s+bash)\b/i, description: 'curl … | sh  (remote-code execution)', severity: 'critical' },
+  { name: 'wget-pipe-sh',           regex: /\bwget\b[^|;&\n]*\|\s*(sh|bash|zsh|sudo\s+sh|sudo\s+bash)\b/i, description: 'wget … | sh  (remote-code execution)', severity: 'critical' },
+  { name: 'fetch-pipe-sh',          regex: /\bfetch\s[^|;&\n]*\|\s*(sh|bash)\b/i, description: 'fetch … | sh', severity: 'critical' },
+  { name: 'eval-curl',              regex: /\beval\s*"?\s*\$\s*\(\s*(curl|wget)/i, description: 'eval $(curl|wget …) — remote-code execution via eval', severity: 'critical' },
+
+  // ── git destruction ─────────────────────────────────────────────────
+  { name: 'git-reset-hard-HEAD',    regex: /\bgit\s+reset\s+--hard\s*(HEAD)?(\s|$)/, description: 'git reset --hard (unscoped) — discards uncommitted work', severity: 'high' },
+  { name: 'git-clean-fd',           regex: /\bgit\s+clean\s+-[a-z]*[fF][a-z]*[dD][a-z]*\b/, description: 'git clean -fd — untracked file wipe', severity: 'high' },
+  { name: 'git-push-force-main',    regex: /\bgit\s+push\s+(--force|-f)(\s+\S+)?\s+(main|master|trunk)/i, description: 'git push --force to a protected branch', severity: 'high' },
+  { name: 'git-branch-delete-main', regex: /\bgit\s+branch\s+-D\s+(main|master|trunk)\b/i, description: 'git branch -D on the main branch', severity: 'high' },
+  { name: 'git-filter-repo',        regex: /\bgit\s+filter-(branch|repo)\s+/, description: 'git history rewrite', severity: 'high' },
+  { name: 'git-checkout-all',       regex: /\bgit\s+checkout\s+\.\s*$/, description: 'git checkout . — overwrites all uncommitted edits', severity: 'medium' },
+
+  // ── system mutation / config ────────────────────────────────────────
+  { name: 'sed-inplace-etc',        regex: /\bsed\s+-i\s+[^\n]*\/etc\//, description: 'sed -i on /etc/* config', severity: 'high' },
+  { name: 'shutdown-now',           regex: /\b(shutdown|halt|poweroff|reboot)\s+(-[a-z]\s+)*(now|0|\+0)\b/, description: 'shutdown/halt/reboot now', severity: 'high' },
+  { name: 'init-0-6',               regex: /\binit\s+[06]\b/, description: 'init 0/6 — system halt or reboot', severity: 'high' },
+
+  // ── process nuking ────────────────────────────────────────────────
+  { name: 'kill-all-pgrep',         regex: /\bkill\s+-9\s+\$\(\s*pgrep/, description: 'kill -9 $(pgrep …) — broad process kill', severity: 'medium' },
+  { name: 'killall-9',              regex: /\bkillall\s+-9\b/, description: 'killall -9', severity: 'medium' },
+  { name: 'pkill-9-dotall',         regex: /\bpkill\s+-9\s+-f\s+['"]?\.\*['"]?/, description: 'pkill -9 -f .* — process kill everything', severity: 'high' },
+
+  // ── credential exfil ────────────────────────────────────────────────
+  { name: 'env-to-curl',            regex: /\b(cat\s+)?\.env(\.[a-z]+)?\s*\|\s*curl/i, description: 'exfil .env via curl', severity: 'critical' },
+  { name: 'ssh-key-to-curl',        regex: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b[^\n]*\|\s*(curl|nc|ssh)/, description: 'ssh private-key exfiltration', severity: 'critical' },
+  { name: 'printenv-to-curl',       regex: /\bprintenv\b[^\n]*\|\s*(curl|wget|nc)/, description: 'printenv | curl — environment exfiltration', severity: 'critical' },
+  { name: 'tar-home-to-netcat',     regex: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/, description: 'tar ~ | nc|ssh — home-directory exfil', severity: 'critical' },
+  { name: 'aws-credentials-read',   regex: /\bcat\s+~\/\.aws\/credentials\b/, description: 'reading AWS credentials file', severity: 'high' },
+
+  // ── shell mutation / obfuscation ────────────────────────────────────
+  { name: 'bash-decode-base64',     regex: /\becho\s+[A-Za-z0-9+\/=]{40,}\s*\|\s*base64\s+-d\s*\|\s*(sh|bash)/, description: 'base64 decode | shell — obfuscated exec', severity: 'critical' },
+  { name: 'exec-python-c',          regex: /\bpython[23]?\s+-c\s+["']import\s+os[^"']*os\.(system|popen|exec)\b/i, description: 'python -c inline os.system shell-out', severity: 'high' },
+  { name: 'bash-c-remote',          regex: /\bbash\s+-c\s+["'][^"']*(curl|wget)\s+[^"']*\|/, description: 'bash -c with embedded curl|wget pipe', severity: 'critical' },
+
+  // ── path traversal ────────────────────────────────────────────────
+  { name: 'path-traversal-deep',    regex: /(\.\.\/){5,}/, description: '5+ chained ../../../../../ traversal', severity: 'medium' },
+
+  // ── npm / package registry abuse ────────────────────────────────────
+  { name: 'npm-install-remote-tgz', regex: /\bnpm\s+(install|i)\s+https?:\/\/[^\s]+\.tgz/, description: 'npm install from an arbitrary HTTP tarball URL', severity: 'high' },
+  { name: 'npm-publish-force',      regex: /\bnpm\s+publish\s+(--force|-f)\b/, description: 'npm publish --force (bypasses version checks)', severity: 'medium' },
+  { name: 'npm-run-in-quotes-eval', regex: /\bnpm\s+run\s+\S+\s+--\s+--?eval=/, description: 'npm run … --eval= (code injection through script runner)', severity: 'medium' },
+
+  // ── docker / container escape ───────────────────────────────────────
+  { name: 'docker-run-privileged',  regex: /\bdocker\s+run\b[^\n]*--privileged\b[^\n]*(--|[^\n]*(-v|--volume)\s+\/:\/host|\/var\/run\/docker\.sock)/, description: 'docker run --privileged mounting host fs / docker socket', severity: 'critical' },
+  { name: 'docker-socket-mount',    regex: /-v\s+\/var\/run\/docker\.sock:\/var\/run\/docker\.sock/, description: 'host docker socket mount (escape vector)', severity: 'high' },
+
+  // ── firewall / networking flip ──────────────────────────────────────
+  { name: 'iptables-flush',         regex: /\biptables\s+-F(\s|$)/, description: 'iptables -F — flush all firewall rules', severity: 'high' },
+  { name: 'ufw-disable',            regex: /\bufw\s+disable\b/, description: 'ufw disable — firewall off', severity: 'high' },
+
+  // ── sudo bypass ────────────────────────────────────────────────────
+  { name: 'sudo-nopasswd-write',    regex: /\becho\s+[^\n]*NOPASSWD[^\n]*\|\s*sudo\s+tee\s+\/etc\/sudoers/, description: 'sudo NOPASSWD injection via tee', severity: 'critical' },
+];
+
+function match(command) {
+  const normalized = normalize(command);
+  const hexVariant = hexDecodedVariant(normalized);
+  for (const p of patterns) {
+    if (p.regex.test(normalized) || p.regex.test(hexVariant)) {
+      return { matched: true, pattern: p.name, description: p.description, severity: p.severity };
+    }
+  }
+  return { matched: false };
+}
+
+module.exports = { normalize, patterns, match, _INVISIBLE_RE: INVISIBLE_RE, _ANSI_RE: ANSI_RE };

package/scripts/lib/glob-match.cjs

@@ -0,0 +1,57 @@
+'use strict';
+/**
+ * scripts/lib/glob-match.cjs — tiny dependency-free glob matcher.
+ * Supports: **, *, ?, and literal segments. Not a full minimatch implementation,
+ * but covers the patterns used in reference/protected-paths.default.json.
+ */
+
+function globToRegex(glob) {
+  // Normalize separators
+  const g = glob.replace(/\\/g, '/');
+  let re = '^';
+  let i = 0;
+  while (i < g.length) {
+    const c = g[i];
+    if (c === '*' && g[i + 1] === '*') {
+      // `**` — match zero or more of ANY characters (including path separators).
+      // Consume a trailing `/` so `reference/**/foo` becomes `reference/.*foo`
+      // and also matches `reference/foo` (the empty-match case).
+      let j = i + 2;
+      if (g[j] === '/') j++;
+      re += '.*';
+      i = j;
+      continue;
+    }
+    if (c === '*') {
+      // single-segment wildcard
+      re += '[^/]*';
+      i++;
+      continue;
+    }
+    if (c === '?') {
+      re += '[^/]';
+      i++;
+      continue;
+    }
+    if ('.+^$(){}[]|\\'.includes(c)) {
+      re += '\\' + c;
+      i++;
+      continue;
+    }
+    re += c;
+    i++;
+  }
+  re += '$';
+  return new RegExp(re);
+}
+
+function matches(filepath, globList) {
+  const norm = String(filepath).replace(/\\/g, '/').replace(/^\.\//, '');
+  for (const g of globList) {
+    const re = globToRegex(g);
+    if (re.test(norm)) return { matched: true, pattern: g };
+  }
+  return { matched: false };
+}
+
+module.exports = { matches, globToRegex };

package/scripts/lib/reference-registry.cjs

@@ -0,0 +1,101 @@
+'use strict';
+/**
+ * scripts/lib/reference-registry.cjs — typed index over reference/*.md.
+ *
+ * Exports:
+ *   list({type}) → Entry[]            (filter by type; omit to return all)
+ *   find(name)   → Entry | null       (exact-name lookup)
+ *   validateRegistry({cwd})           → { ok, missingInRegistry, danglingInRegistry, duplicates }
+ *   loadRegistry({cwd}) → Registry    (read-through; caches at module scope)
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const REPO_ROOT = path.resolve(__dirname, '..', '..');
+const DEFAULT_REGISTRY_PATH = path.join(REPO_ROOT, 'reference', 'registry.json');
+
+let _cache = null;
+let _cachePath = null;
+
+function loadRegistry({ cwd } = {}) {
+  const p = cwd ? path.join(cwd, 'reference', 'registry.json') : DEFAULT_REGISTRY_PATH;
+  if (_cache && _cachePath === p) return _cache;
+  _cachePath = p;
+  _cache = JSON.parse(fs.readFileSync(p, 'utf8'));
+  return _cache;
+}
+
+function list({ type, cwd } = {}) {
+  const reg = loadRegistry({ cwd });
+  if (!type) return reg.entries.slice();
+  return reg.entries.filter(e => e.type === type);
+}
+
+function find(name, { cwd } = {}) {
+  const reg = loadRegistry({ cwd });
+  return reg.entries.find(e => e.name === name) || null;
+}
+
+/**
+ * Walk reference/*.md + reference/*.json (excluding schemas/**, data/**) and
+ * compare to the registry. Returns:
+ *   - missingInRegistry : files on disk not referenced by any entry
+ *   - danglingInRegistry: entries whose paths do not exist on disk
+ *   - duplicates         : entries sharing the same `name` OR the same `path`
+ */
+function validateRegistry({ cwd } = {}) {
+  const root = cwd || REPO_ROOT;
+  const refDir = path.join(root, 'reference');
+  const reg = (() => {
+    try { return JSON.parse(fs.readFileSync(path.join(refDir, 'registry.json'), 'utf8')); }
+    catch { return { entries: [] }; }
+  })();
+
+  const onDisk = new Set();
+  for (const leaf of walk(refDir)) {
+    const rel = path.relative(root, leaf).replace(/\\/g, '/');
+    // Exclude registry itself, all .schema.json files (non-registerable),
+    // schemas tree, data tree, and non-md/non-json files.
+    if (rel === 'reference/registry.json') continue;
+    if (rel.endsWith('.schema.json')) continue;
+    if (rel.startsWith('reference/schemas/')) continue;
+    if (rel.startsWith('reference/data/')) continue;
+    if (!/\.(md|json)$/.test(rel)) continue;
+    onDisk.add(rel);
+  }
+
+  const registryPaths = new Set(reg.entries.map(e => e.path));
+  const missingInRegistry = [...onDisk].filter(p => !registryPaths.has(p)).sort();
+  const danglingInRegistry = reg.entries
+    .filter(e => !fs.existsSync(path.join(root, e.path)))
+    .map(e => ({ name: e.name, path: e.path }));
+
+  const nameCount = {}, pathCount = {};
+  for (const e of reg.entries) {
+    nameCount[e.name] = (nameCount[e.name] || 0) + 1;
+    pathCount[e.path] = (pathCount[e.path] || 0) + 1;
+  }
+  const duplicates = [];
+  for (const [k, v] of Object.entries(nameCount)) if (v > 1) duplicates.push({ kind: 'name', key: k, count: v });
+  for (const [k, v] of Object.entries(pathCount)) if (v > 1) duplicates.push({ kind: 'path', key: k, count: v });
+
+  return {
+    ok: missingInRegistry.length === 0 && danglingInRegistry.length === 0 && duplicates.length === 0,
+    missingInRegistry,
+    danglingInRegistry,
+    duplicates,
+  };
+}
+
+function* walk(dir) {
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+  for (const e of entries) {
+    const full = path.join(dir, e.name);
+    if (e.isDirectory()) yield* walk(full);
+    else if (e.isFile()) yield full;
+  }
+}
+
+module.exports = { list, find, validateRegistry, loadRegistry };

package/skills/pause/SKILL.md

@@ -5,6 +5,9 @@ argument-hint: "[context note]"
 tools: Read, Write, AskUserQuestion
 ---
 
+@reference/retrieval-contract.md
+@reference/cycle-handoff-preamble.md
+
 # /gdd:pause
 
 Captures enough state that a killed or stopped session can resume cleanly via `/gdd:resume`.

package/skills/progress/SKILL.md

@@ -5,6 +5,8 @@ argument-hint: "[--forensic]"
 tools: Read, Bash, Grep, Glob
 ---
 
+@reference/retrieval-contract.md
+
 # /gdd:progress
 
 **Role:** Show current position in the pipeline and recommend the next action. With `--forensic`, run a 6-check integrity audit.

package/skills/reflect/SKILL.md

@@ -5,6 +5,8 @@ argument-hint: "[--dry-run] [--cycle <slug>]"
 tools: Read, Write, Task
 ---
 
+@reference/retrieval-contract.md
+
 # /gdd:reflect
 
 Run `design-reflector` on demand against the current (or specified) cycle. Produces `.design/reflections/<cycle-slug>.md` with numbered improvement proposals. Every proposal requires explicit user review — nothing is auto-applied.

package/skills/resume/SKILL.md

@@ -5,6 +5,9 @@ argument-hint: ""
 tools: Read, Write, Bash, Glob
 ---
 
+@reference/retrieval-contract.md
+@reference/cycle-handoff-preamble.md
+
 # /gdd:resume
 
 Inverse of `/gdd:pause`. Reads the handoff file, prints a clear "you were here" summary, and routes to the next command.