@hegemonart/get-design-done 1.57.1 → 1.57.2

package/reference/runtime-models.md

@@ -1,6 +1,16 @@
 # Runtime Models - Per-Runtime Tier→Model Adapter Map
 
-**Phase 26 source-of-truth (D-01).** Single canonical map from canonical Anthropic tier names (`opus|sonnet|haiku`) and runtime-neutral reasoning-class aliases (`high|medium|low`, D-10) to concrete model identifiers for each of the 14 runtimes the multi-runtime installer ships to (Phase 24 D-02).
+Single canonical map from Anthropic tier names (`opus|sonnet|haiku`) and runtime-neutral reasoning-class aliases (`high|medium|low`) to concrete model identifiers for each of the 14 runtimes the multi-runtime installer ships to.
+
+> ## ⚠️ Verification status
+>
+> 4 of 14 runtime entries below are **verified** against their author docs (claude, codex, gemini, qwen).
+>
+> 10 entries are **unverified** placeholder fills (Anthropic-default mapping where the runtime is BYOK / multi-provider; or single-tier marker when only one model is exposed). Their `source_url` is prefixed with `<TODO: confirm at …>`. Treat these tier names as best-effort; the resolved model may differ for users whose runtime config diverges from the published default.
+>
+> Unverified: kilo, copilot, cursor, windsurf, antigravity, augment, trae, codebuddy, cline, opencode.
+>
+> The schema (`reference/schemas/runtime-models.schema.json`) explicitly accepts the placeholder marker so the file ships shape-valid; the unverified-ness is a content gap, not a structural defect.
 
 This file is parsed by `scripts/lib/install/parse-runtime-models.cjs` and consumed by:
 

package/reference/shared-preamble.md

@@ -2,18 +2,17 @@
 name: shared-preamble
 type: preamble
 version: 2.0.0
-phase: 28.5
 tags: [shared, preamble, principles, design-quality, agent-import, cache-prefix, extracted]
-last_updated: 2026-05-18
+last_updated: 2026-06-03
 ---
 
-# GSD Agent Shared Preamble
+# GDD Agent Shared Preamble
 
-> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is essential for Anthropic's 5-minute prompt cache (see `./model-tiers.md` and Phase 10.1 decision D-08 Layer A): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies - always import.**
+> **This file is imported via `@reference/shared-preamble.md` as the first line of every agent body in `agents/*.md`. Its placement is essential for Anthropic's 5-minute prompt cache (see `./model-tiers.md`): because every agent opens with the identical preamble prefix, the second and subsequent agent spawns in a session pay `cached_input_per_1m` rates rather than full `input_per_1m` rates for these bytes. Do not inline this content into agent bodies - always import.**
 >
-> **As of Phase 14.5 this file is an aggregator.** The framework-invariant subsections (Required Reading Discipline, Writes Protocol, Deviation Handling, Completion Markers, Context-Exhaustion & Budget awareness) live in `./meta-rules.md` (tier L0) so the L2 heuristics/anti-patterns/checklists churn never invalidates the L0 prefix.
+> **This file is an aggregator.** The framework-invariant subsections (Required Reading Discipline, Writes Protocol, Deviation Handling, Completion Markers, Context-Exhaustion & Budget awareness) live in `./meta-rules.md` (tier L0) so the L2 heuristics/anti-patterns/checklists churn never invalidates the L0 prefix.
 >
-> **As of Phase 28.5 this file also serves the design-family skills.** Sections below the agent-preamble block (## Design Quality Pillars, ## Token-First Reasoning, ## Output Contract Reminders, ## Connection Handshake Summary) are the canonical home for principle-recitation that previously inlined across `skills/audit`, `skills/style`, `skills/darkmode`, `skills/compare`, `skills/figma-write`, `skills/connections`, `skills/benchmark`. Skills cross-link here instead of restating these lists.
+> **This file also serves the design-family skills.** Sections below the agent-preamble block (## Design Quality Pillars, ## Token-First Reasoning, ## Output Contract Reminders, ## Connection Handshake Summary) are the canonical home for principle-recitation that previously inlined across `skills/audit`, `skills/style`, `skills/darkmode`, `skills/compare`, `skills/figma-write`, `skills/connections`, `skills/benchmark`. Skills cross-link here instead of restating these lists.
 
 @reference/meta-rules.md
 
@@ -21,16 +20,16 @@ last_updated: 2026-05-18
 
 Two distinct consumers, one canonical home:
 
-1. **Agents** (`agents/*.md`) import this file via `@reference/shared-preamble.md` to inherit the GSD framework identity + L0 invariants (cache-stable prefix). Agents do not "read" the design-family sections below; those are passive content the cache covers for free.
-2. **Skills** (`skills/<name>/SKILL.md`) cross-link to specific sections (`./shared-preamble.md#design-quality-pillars`, etc.) instead of restating recurring principle lists inline. This is the D-10 extract-then-link discipline from Phase 28.5: principle text lives in one place; skills point at it.
+1. **Agents** (`agents/*.md`) import this file via `@reference/shared-preamble.md` to inherit the GDD framework identity + L0 invariants (cache-stable prefix). Agents do not "read" the design-family sections below; those are passive content the cache covers for free.
+2. **Skills** (`skills/<name>/SKILL.md`) cross-link to specific sections (`./shared-preamble.md#design-quality-pillars`, etc.) instead of restating recurring principle lists inline. This is the extract-then-link discipline: principle text lives in one place; skills point at it.
 
 ## Framework Identity
 
-You are a GSD agent operating under the `get-design-done` plugin contract (see `agents/README.md` for the full authoring contract). You are spawned by a pipeline stage (or by another agent) via the Claude Code `Task` tool with a fully self-contained prompt. You have **zero session memory** - everything you need is in the prompt string and the files listed inside its `<required_reading>` block.
+You are a GDD agent operating under the `get-design-done` plugin contract (see `agents/README.md` for the full authoring contract). You are spawned by a pipeline stage (or by another agent) via the Claude Code `Task` tool with a fully self-contained prompt. You have **zero session memory** - everything you need is in the prompt string and the files listed inside its `<required_reading>` block.
 
 You are one step in a pipeline. You do not own the pipeline. The orchestrator decides what runs next based on your output.
 
-## Ordering Convention (D-17)
+## Ordering Convention
 
 Your agent body is structured in this exact order so the cache prefix stays stable:
 
@@ -42,9 +41,9 @@ Do not reorder. Do not inline this preamble. Do not splice dynamic content ahead
 
 ## Pre-Warming
 
-The `/gdd:warm-cache` command (ships in Plan 10.1-02) pre-warms this identical prefix in the Anthropic cache before a design sprint, so the first real agent spawn of the sprint is already a cache hit on the shared-preamble bytes. You do not need to do anything special to participate - just keep the import directive at the top of your body.
+The `/gdd:warm-cache` command pre-warms this identical prefix in the Anthropic cache before a design sprint, so the first real agent spawn of the sprint is already a cache hit on the shared-preamble bytes. You do not need to do anything special to participate - just keep the import directive at the top of your body.
 
-## Design Philosophy Layer (Phase 19.6)
+## Design Philosophy Layer
 
 The framework is anchored to three design philosophy references that agents may read during brief, audit, and verify stages:
 
@@ -106,8 +105,8 @@ Probe pattern (used by `skills/darkmode`, `skills/compare`, `skills/figma-write`
 2. **Live tool call** - invoke a metadata endpoint (e.g., `preview_list`, `get_metadata`). Success → `available`. Error → `unavailable`.
 3. **Write to STATE.md `<connections>`** - three-value schema (`available | unavailable | not_configured`). Never add new values.
 
-For full per-connection probe scripts (figma, refero, preview, etc.) see the individual `connections/<name>.md` files. For the onboarding wizard flow, see `./connections-onboarding.md` (Phase 28.5 extract).
+For full per-connection probe scripts (figma, refero, preview, etc.) see the individual `connections/<name>.md` files. For the onboarding wizard flow, see `./connections-onboarding.md`.
 
 ---
 
-*Imported by: every file under `agents/*.md` (except `agents/README.md`). Cross-linked by: design-family skills under `skills/{audit,style,darkmode,compare,figma-write,connections,benchmark}/SKILL.md`. Maintained as part of Phase 10.1 (OPT-07), Phase 14.5 (L0/L2 split), and Phase 28.5 (Bucket 2 design-family rework - D-10). Edits to this file affect every agent simultaneously - verify across the full agent suite before committing.*
+*Imported by: every file under `agents/*.md` (except `agents/README.md`). Cross-linked by: design-family skills under `skills/{audit,style,darkmode,compare,figma-write,connections,benchmark}/SKILL.md`. Edits to this file affect every agent simultaneously - verify across the full agent suite before committing.*

package/reference/skill-graph.md

@@ -9,7 +9,7 @@ is a `composes_with` edge (the source calls the target as sub-orchestration); a
 a `next_skills` edge (a pipeline hint for what runs next). Stage grouping is best-effort and
 inferred from the skill name; skills with no stage keyword fall under Utility.
 
-Skills: 94. Composition edges: 0 composes_with, 6 next_skills.
+Skills: 96. Composition edges: 21 composes_with, 6 next_skills.
 
 ```mermaid
 flowchart TD
@@ -91,10 +91,12 @@ flowchart TD
     n_note["note"]
     n_openrouter_status["openrouter-status"]
     n_override["override"]
+    n_paper_write["paper-write"]
     n_pause["pause"]
     n_peer_cli_add["peer-cli-add"]
     n_peer_cli_customize["peer-cli-customize"]
     n_peers["peers"]
+    n_pencil_write["pencil-write"]
     n_pin["pin"]
     n_plant_seed["plant-seed"]
     n_pr_branch["pr-branch"]
@@ -122,10 +124,31 @@ flowchart TD
     n_zoom_out["zoom-out"]
   end
 
+  n_apply_reflections --> n_audit
+  n_brief --> n_explore
   n_brief -.-> n_explore
+  n_compare --> n_verify
+  n_complete_cycle --> n_audit
+  n_darkmode --> n_audit
+  n_design --> n_figma_write
+  n_design --> n_paper_write
+  n_design --> n_pencil_write
   n_design -.-> n_verify
+  n_discover --> n_explore
+  n_discuss --> n_list_assumptions
+  n_explore --> n_discuss
+  n_explore --> n_list_assumptions
+  n_explore --> n_sketch
   n_explore -.-> n_plan
+  n_new_cycle --> n_brief
+  n_new_project --> n_brief
   n_new_project -.-> n_brief
   n_plan -.-> n_design
+  n_scan --> n_explore
+  n_ship --> n_pr_branch
+  n_sketch --> n_sketch_wrap_up
+  n_spike --> n_spike_wrap_up
+  n_verify --> n_audit
+  n_verify --> n_debug
   n_verify -.-> n_ship
 ```

package/scripts/bootstrap.cjs

@@ -0,0 +1,373 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Pure-Node port of scripts/bootstrap.sh.
+ *
+ * Original: scripts/bootstrap.sh — get-design-done SessionStart bootstrap.
+ * Auto-provisions companion resources that get-design-done references but
+ * which are not Claude Code plugins (so they cannot be listed in `dependencies`).
+ *
+ * Idempotency: a marker file under ${CLAUDE_PLUGIN_DATA}/bootstrap-manifest.txt
+ * is compared byte-for-byte to the bundled scripts/bootstrap-manifest.txt.
+ * If they match, the script no-ops — only first install (or a manifest bump)
+ * triggers the network/IO work.
+ *
+ * Behavior preserved from the .sh:
+ *   - Env-var fallbacks: CLAUDE_PLUGIN_DATA → ~/.claude/plugins/data/get-design-done,
+ *     CLAUDE_PLUGIN_ROOT → resolved relative to this script (../).
+ *   - Windows backslash normalization for both env vars (\ → /).
+ *   - mkdir -p of PLUGIN_DATA, ~/.claude/libs, ~/.claude/skills.
+ *   - Clone (--depth 1 --quiet) or `git -C <target> pull --quiet --ff-only`
+ *     for VoltAgent/awesome-design-md. We DO shell out to the `git` CLI
+ *     (that's a real dep, not bash) via spawnSync — the rule against
+ *     spawnSync is specifically against spawnSync('bash', …).
+ *   - Soft-notice (stderr only) if ~/.claude/skills/emil-design-eng is absent.
+ *   - Ensures cwd/.design/budget.json with the literal default JSON from the .sh
+ *     (written atomically via .tmp + rename).
+ *   - Ensures cwd/.design/telemetry/.
+ *   - Copies manifest → marker on success.
+ *   - Silent-on-failure: every error path collapses to exit 0. Only logs go to
+ *     stderr with the `[get-design-done bootstrap]` prefix.
+ *
+ * Sourcing-guard pattern: helpers are exported on module.exports; main() only
+ * runs when this file is the entry point (require.main === module). Tests can
+ * require() this module and exercise helpers without triggering the network
+ * clone or the cwd/.design/ side effects.
+ *
+ * Module.exports.run({argv, env, cwd}) accepts optional injection for tests.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+const os = require('node:os');
+const { spawnSync } = require('node:child_process');
+
+const LOG_PREFIX = '[get-design-done bootstrap]';
+
+/**
+ * Stderr logger matching the .sh `log()` function.
+ * @param {string} msg
+ */
+function log(msg) {
+  // The .sh used: printf '[get-design-done bootstrap] %s\n' "$*" >&2
+  process.stderr.write(`${LOG_PREFIX} ${msg}\n`);
+}
+
+/**
+ * Normalize Windows backslashes to forward slashes, mirroring the bash
+ * `${VAR//\\//}` parameter expansion used in the .sh.
+ * @param {string|undefined|null} p
+ * @returns {string}
+ */
+function normalizeSlashes(p) {
+  if (p === undefined || p === null) return '';
+  return String(p).replace(/\\/g, '/');
+}
+
+/**
+ * Default for CLAUDE_PLUGIN_DATA — matches the .sh fallback exactly.
+ * Returns forward-slash form so the bash-style normalization is a no-op
+ * here; the env-var path still gets normalized in resolveContext.
+ * @param {string} home
+ */
+function defaultPluginData(home) {
+  return normalizeSlashes(path.join(home, '.claude', 'plugins', 'data', 'get-design-done'));
+}
+
+/**
+ * Default for CLAUDE_PLUGIN_ROOT — matches the .sh fallback:
+ *   `cd "$(dirname "$0")/.." && pwd`
+ * In Node terms: the parent of __dirname.
+ */
+function defaultPluginRoot() {
+  return normalizeSlashes(path.resolve(__dirname, '..'));
+}
+
+/**
+ * Resolve the full set of paths/flags the script needs.
+ * Pure — no IO. Exposed for tests.
+ * @param {{env?: NodeJS.ProcessEnv, home?: string}} [opts]
+ */
+function resolveContext(opts = {}) {
+  const env = opts.env || process.env;
+  const home = opts.home || os.homedir();
+
+  const pluginDataRaw = env.CLAUDE_PLUGIN_DATA || defaultPluginData(home);
+  const pluginData = normalizeSlashes(pluginDataRaw);
+
+  const pluginRootRaw = env.CLAUDE_PLUGIN_ROOT || defaultPluginRoot();
+  const pluginRoot = normalizeSlashes(pluginRootRaw);
+
+  const manifest = `${pluginRoot}/scripts/bootstrap-manifest.txt`;
+  const marker = `${pluginData}/bootstrap-manifest.txt`;
+
+  return {
+    home,
+    pluginData,
+    pluginRoot,
+    manifest,
+    marker,
+    libsDir: path.join(home, '.claude', 'libs'),
+    skillsDir: path.join(home, '.claude', 'skills'),
+    awesomeRepoTarget: path.join(home, '.claude', 'libs', 'awesome-design-md'),
+    emilSkillTarget: path.join(home, '.claude', 'skills', 'emil-design-eng'),
+  };
+}
+
+/**
+ * Best-effort `mkdir -p`. Swallows EEXIST; logs and swallows everything else.
+ * @param {string} dir
+ */
+function ensureDir(dir) {
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+  } catch (err) {
+    if (err && err.code !== 'EEXIST') {
+      log(`mkdir failed for ${dir} (${err.code || err.message}) — continuing`);
+    }
+  }
+}
+
+/**
+ * Byte-for-byte comparison of two files. Returns true only if both exist and
+ * have identical contents. Any error path → false (we'd rather re-run than
+ * skip).
+ * @param {string} a
+ * @param {string} b
+ */
+function filesEqual(a, b) {
+  try {
+    if (!fs.existsSync(a) || !fs.existsSync(b)) return false;
+    const bufA = fs.readFileSync(a);
+    const bufB = fs.readFileSync(b);
+    if (bufA.length !== bufB.length) return false;
+    return bufA.equals(bufB);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Match the .sh `clone_or_update`:
+ *   - target/.git exists  → `git -C target pull --quiet --ff-only`, log on fail
+ *   - target exists, no .git → log+skip
+ *   - target absent → `git clone --quiet --depth 1 <url> <target>`, log on fail
+ *
+ * We invoke the `git` CLI directly via spawnSync. spawnSync('git', …) is fine —
+ * the prohibition is on spawnSync('bash', …).
+ *
+ * @param {string} repoUrl
+ * @param {string} target
+ */
+function cloneOrUpdate(repoUrl, target) {
+  let isGitCheckout = false;
+  let targetExists = false;
+  try {
+    targetExists = fs.existsSync(target);
+    if (targetExists) {
+      isGitCheckout = fs.existsSync(path.join(target, '.git'));
+    }
+  } catch {
+    // fall through — treat as absent
+  }
+
+  if (isGitCheckout) {
+    log(`updating ${target}`);
+    const r = spawnSync('git', ['-C', target, 'pull', '--quiet', '--ff-only'], {
+      stdio: ['ignore', 'ignore', 'ignore'],
+      windowsHide: true,
+    });
+    if (r.error || r.status !== 0) {
+      log(`pull failed for ${target} (continuing)`);
+    }
+    return;
+  }
+
+  if (targetExists) {
+    log(`${target} exists and is not a git checkout — skipping`);
+    return;
+  }
+
+  // Defense in depth: refuse repoUrl / target arguments that look like git
+  // CLI flags (e.g. --upload-pack=evil). Even though both args originate
+  // from compile-time constants in resolveContext(), a future refactor
+  // could let env-derived values reach this point — fail closed.
+  if (typeof repoUrl !== 'string' || repoUrl.startsWith('-') ||
+      typeof target !== 'string' || target.startsWith('-')) {
+    log(`refusing suspicious clone args for ${repoUrl} -> ${target}`);
+    return;
+  }
+
+  log(`cloning ${repoUrl} -> ${target}`);
+  // Use `--` to terminate option parsing so a malicious URL that looks
+  // like a flag is treated as a positional arg by git.
+  const r = spawnSync('git', ['clone', '--quiet', '--depth', '1', '--', repoUrl, target], {
+    stdio: ['ignore', 'ignore', 'ignore'],
+    windowsHide: true,
+  });
+  if (r.error || r.status !== 0) {
+    log(`clone failed for ${repoUrl}`);
+  }
+}
+
+/**
+ * Default budget.json content — copied verbatim from the heredoc in the .sh
+ * (BUDGET_EOF block, lines 60–69). Trailing newline preserved to match
+ * `cat > file <<'EOF'` output.
+ */
+const DEFAULT_BUDGET_JSON = `{
+  "per_task_cap_usd": 2.00,
+  "per_phase_cap_usd": 20.00,
+  "tier_overrides": {},
+  "auto_downgrade_on_cap": true,
+  "cache_ttl_seconds": 3600,
+  "enforcement_mode": "enforce"
+}
+`;
+
+/**
+ * Atomic write: write to <dest>.tmp then rename. Silent on failure.
+ * @param {string} dest
+ * @param {string} content
+ */
+function atomicWrite(dest, content) {
+  const tmp = `${dest}.tmp`;
+  try {
+    fs.writeFileSync(tmp, content);
+    fs.renameSync(tmp, dest);
+    return true;
+  } catch (err) {
+    log(`write failed for ${dest} (${err && (err.code || err.message)}) — continuing`);
+    // Best-effort cleanup of the .tmp; ignore any error.
+    try { fs.unlinkSync(tmp); } catch {}
+    return false;
+  }
+}
+
+/**
+ * Ensure cwd/.design/budget.json (with defaults) and cwd/.design/telemetry/.
+ * Mirrors lines 56–73 of the .sh.
+ * @param {string} cwd
+ */
+function ensureDesignDir(cwd) {
+  const designDir = path.join(cwd, '.design');
+  ensureDir(designDir);
+
+  const budgetPath = path.join(designDir, 'budget.json');
+  let budgetExists = false;
+  try {
+    budgetExists = fs.existsSync(budgetPath);
+  } catch {
+    budgetExists = false;
+  }
+  if (!budgetExists) {
+    atomicWrite(budgetPath, DEFAULT_BUDGET_JSON);
+  }
+
+  ensureDir(path.join(designDir, 'telemetry'));
+}
+
+/**
+ * Best-effort `cp manifest marker`. The .sh wraps this in `if [[ -f MANIFEST ]]`.
+ * @param {string} manifest
+ * @param {string} marker
+ */
+function copyManifestToMarker(manifest, marker) {
+  try {
+    if (!fs.existsSync(manifest)) return;
+  } catch {
+    return;
+  }
+  try {
+    const data = fs.readFileSync(manifest);
+    // Write atomically so a partial copy doesn't leave a half-written marker
+    // that would later equal-compare false but trigger weird states.
+    const tmp = `${marker}.tmp`;
+    fs.writeFileSync(tmp, data);
+    fs.renameSync(tmp, marker);
+  } catch (err) {
+    log(`copy manifest→marker failed (${err && (err.code || err.message)}) — continuing`);
+  }
+}
+
+/**
+ * Main entry — equivalent to executing bootstrap.sh top-to-bottom.
+ * Always returns 0 (silent-on-failure policy from the .sh: `set -u` + final
+ * `exit 0`; no `set -e`, every IO action is guarded). Optional opts allow
+ * tests to inject env/cwd/home without mutating process state.
+ *
+ * @param {{env?: NodeJS.ProcessEnv, cwd?: string, home?: string}} [opts]
+ * @returns {number} exit code (always 0)
+ */
+function run(opts = {}) {
+  const ctx = resolveContext({ env: opts.env, home: opts.home });
+  const cwd = opts.cwd || process.cwd();
+
+  // mkdir -p "${PLUGIN_DATA}" "${HOME}/.claude/libs" "${HOME}/.claude/skills"
+  ensureDir(ctx.pluginData);
+  ensureDir(ctx.libsDir);
+  ensureDir(ctx.skillsDir);
+
+  // Early-exit: bundled manifest matches last-run marker.
+  if (filesEqual(ctx.manifest, ctx.marker)) {
+    return 0;
+  }
+
+  // Required library: VoltAgent/awesome-design-md.
+  cloneOrUpdate(
+    'https://github.com/VoltAgent/awesome-design-md.git',
+    ctx.awesomeRepoTarget
+  );
+
+  // Soft notice for companion skills we cannot auto-install.
+  try {
+    if (!fs.existsSync(ctx.emilSkillTarget)) {
+      log('optional: emil-design-eng skill not found in ~/.claude/skills. See get-design-done README for install options.');
+    }
+  } catch {
+    // ignore — emil notice is purely advisory
+  }
+
+  // Phase 10.1: .design/budget.json + .design/telemetry/ (D-12).
+  ensureDesignDir(cwd);
+
+  // Record success so we don't re-run until the bundled manifest changes.
+  copyManifestToMarker(ctx.manifest, ctx.marker);
+
+  return 0;
+}
+
+module.exports = {
+  run,
+  // Helpers exported so test/suite/* can exercise them in isolation
+  // (sourcing-guard equivalent).
+  log,
+  normalizeSlashes,
+  defaultPluginData,
+  defaultPluginRoot,
+  resolveContext,
+  ensureDir,
+  filesEqual,
+  cloneOrUpdate,
+  atomicWrite,
+  ensureDesignDir,
+  copyManifestToMarker,
+  DEFAULT_BUDGET_JSON,
+  LOG_PREFIX,
+};
+
+// Run main() only when invoked as the entry point.
+if (require.main === module) {
+  // Match the .sh: always exit 0 unless a programmer error blows up.
+  // run() never throws; if it ever did, we'd still rather no-op silently
+  // than crash a SessionStart hook.
+  try {
+    process.exit(run());
+  } catch (err) {
+    // Last-resort guard. Surface to stderr (the hook is fire-and-forget)
+    // then exit 0 to match silent-on-failure.
+    try { log(`unhandled error: ${err && (err.stack || err.message || String(err))} — exiting 0`); } catch {}
+    process.exit(0);
+  }
+}

package/scripts/injection-patterns.cjs

@@ -0,0 +1,58 @@
+'use strict';
+// Shared prompt-injection patterns — single source of truth for both
+// hooks/gdd-read-injection-scanner.js (runtime hook) and
+// scripts/run-injection-scanner-ci.cjs (CI scanner).
+// Add new patterns here; both consumers pick them up automatically.
+//
+// Phase 14.5 adds three new families: invisible-Unicode obfuscation,
+// HTML-comment instruction hijacks, and secret-exfil trigger patterns.
+
+// Zero-width + word-joiner + BOM + bidi overrides. Used for detection
+// AND as a normalization stripper for hooks that run scan after NFKC.
+const _CONTEXT_INVISIBLE_CHARS = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E]/;
+
+const INJECTION_PATTERNS = [
+  // ── classic prompt-injection verbs ──────────────────────────────────
+  { name: 'ignore previous',         re: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'disregard previous',      re: /disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'forget previous',         re: /forget\s+(the\s+|all\s+)?(previous|prior|above)/i },
+  { name: 'you are now a different', re: /you\s+are\s+now\s+a\s+different/i },
+  { name: 'system: you are',         re: /system\s*:\s*you\s+are/i },
+  { name: 'role tag injection',      re: /<\s*\/?\s*(system|assistant|human)\s*>/i },
+  { name: '[INST] fragment',         re: /\[INST\]/i },
+  { name: '### instruction fragment',re: /###\s*instruction/i },
+
+  // ── invisible-Unicode obfuscation (14.5 new family) ─────────────────
+  { name: 'invisible-unicode chars', re: _CONTEXT_INVISIBLE_CHARS },
+  { name: 'bidi-override instruction', re: /[\u202A-\u202E][^\n]*(ignore|disregard|forget|system\s*:)/i },
+
+  // ── HTML-comment / hidden-element instruction hijack (14.5 new) ─────
+  { name: 'html-comment system',      re: /<!--\s*system\s*:/i },
+  { name: 'html-comment assistant',   re: /<!--\s*assistant\s*:/i },
+  { name: 'html-comment ignore',      re: /<!--\s*(ignore|disregard|forget)\b/i },
+  { name: 'hidden div system',        re: /<div\s+[^>]*style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'hidden span system',       re: /<span\s+[^>]*style\s*=\s*["'][^"']*visibility\s*:\s*hidden[^"']*["'][^>]*>\s*(system|ignore|disregard)/i },
+  { name: 'zero-font-size trick',     re: /style\s*=\s*["'][^"']*font-size\s*:\s*0[^"']*["'][^>]*>\s*(ignore|system|disregard)/i },
+
+  // ── secret-exfil trigger patterns (14.5 new) ─────────────────────────
+  { name: 'curl-with-api-key-env',    re: /curl\s+[^|\n]*\$\{?[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET|PASSWORD|AUTH)\}?/ },
+  { name: 'cat-dotenv',               re: /\bcat\s+\.env(\.[a-z]+)?\b/ },
+  { name: 'printenv-leak',            re: /\bprintenv\b[^\n]{0,80}\|\s*(curl|wget|nc|ssh)/ },
+  { name: 'tar-home-netcat',          re: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/ },
+  { name: 'env-dot-leak',             re: /process\.env\.[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)\s*[^;,\n]*(fetch|axios|XMLHttpRequest|http\.request)/ },
+  { name: 'ssh-key-cat',              re: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b/ },
+];
+
+/**
+ * Apply patterns to content and return matched pattern names (deduped).
+ */
+function scan(content) {
+  if (typeof content !== 'string' || !content) return [];
+  const hits = [];
+  for (const { name, re } of INJECTION_PATTERNS) {
+    if (re.test(content)) hits.push(name);
+  }
+  return hits;
+}
+
+module.exports = { INJECTION_PATTERNS, _CONTEXT_INVISIBLE_CHARS, scan };