@luanpdd/kit-mcp 1.13.0 → 1.14.0

package/kit/file-manifest.json

@@ -1,74 +1,124 @@
 {
-  "version": "1.4.0",
-  "timestamp": "2026-05-05T05:44:24.485Z",
+  "version": "1.13.0",
+  "timestamp": "2026-05-09T10:48:54.396Z",
   "files": {
-    "agents/advisor-researcher.md": "63ce6018f06ff91aa15ec2720772e3cc86a7ea35df81ea70b688b484fb1ae5cf",
-    "agents/assumptions-analyzer.md": "e5a3ccd540d0cb9570de5c0feb87c6a7ab023e456f278cad73ed476a06db5c5d",
-    "agents/codebase-mapper.md": "39aacc0aa8f47090fd51b9c1067d981da5d6db9d021b6e1cedad665ccb383cc8",
-    "agents/debugger.md": "0de712c2db2460a791caef93c95235457b2da52bb11f7626142e73c1f34b6104",
+    "agents/advisor-researcher.md": "d97659db09bdd7859a48343dbf133748182eda77d2db87388cb248d586168a1e",
+    "agents/ai-mutation-tester.md": "e19aea6a305011f8cc2da92c099d54236846d119025cab7f11aa9a1e4a7f79bd",
+    "agents/assumptions-analyzer.md": "2854fc24d163a4b7b362e511f4346d852d3d3d293cecc0b3329c22efa1c2a1cb",
+    "agents/burn-rate-forecaster.md": "f49a95f41605c0534cfe644610199a13be29b1663829776d5f84bcb0ceda35f9",
+    "agents/cascading-failures-auditor.md": "c4a3cda5c4aac5d79f533b543243e20c421d734376cd7d7c41904e90f5f8209b",
+    "agents/codebase-mapper.md": "a72b64ce4cf40614cf219b8656520ba3a38ae9878be47c415ebd70db817d9b6a",
+    "agents/debugger.md": "dc9871fce0aba27a20fa875df37b0ef1de4a79792e1ce1bd6df8a0d4a8ab63a8",
     "agents/example-reviewer.md": "39640853182b94db6016993d8e5f9692bfd425b5cae34d3222ae64a515bb60ac",
-    "agents/executor.md": "4c839dd43e162c4d11a9b71418a5b2e4ad8a75aa7edae4c45a3406e471a26dab",
-    "agents/integration-checker.md": "09b9d9f2ae90ac4e78e17cad2214d3e2d0f528d6fd6b1f93ce8e55dbde7fe657",
-    "agents/nyquist-auditor.md": "824bb174e26008c00726c3dda61ac383605c6162786c0ee35e71a4510871b1c5",
-    "agents/phase-researcher.md": "e284595e8963e7a75ddf1d0042d158369de2f82e1c97020504982448016cd4bb",
-    "agents/plan-checker.md": "21080be2713c4953a61f20456bfb38518cc1383944469f3acc4540e2ef1f86d2",
-    "agents/planner.md": "119ceab982a40791e6b3918b79115c6d60a2173724b4db9f1791dbc0a535aa0c",
-    "agents/project-researcher.md": "034f1d14f6b96da75a1b1d63a97dbe1045ed5bc2097cf86cf19a2a6e4e23b9ed",
-    "agents/research-synthesizer.md": "0085d2eaed83d068a5e62d155346b1ebff26080b8d264fd90644bb8ab64ecadc",
-    "agents/roadmapper.md": "b43389ee951e84bea39893523fa060abcb50e1b1f676f87c17c47cd14c205c22",
-    "agents/schema-checker.md": "5f2c8ca2b1988992803433df2e1f140c22166892a1fb89b67d77ac1c7a1f2c8b",
-    "agents/ui-auditor.md": "3122bb74be30b2bfde07f6e241d4efd4001aaf9aa590c166fddea3db16924848",
-    "agents/ui-checker.md": "8ebfb508a162a01731a4fecf18f03ba00b7336ca1662393d4843cee12a72c34b",
-    "agents/ui-researcher.md": "444d8ce32dfd55fd1c305dceb90130214776030a2834a3fee280118cad543432",
-    "agents/user-profiler.md": "588c53ac8dc5d8be2fcec5db310c4b8779e744af0aac3a44a1dbbad92c96db66",
-    "agents/verifier.md": "7d4811ef74f1e05198dfec12363064f27d270652021b530aeaadb3a5e0c8320e",
+    "agents/executor.md": "ef8af96163c3f19a446b1917a6fdb4097f0417ef30640c23ed7b22fda1edbbf9",
+    "agents/golden-signals-instrumenter.md": "72d4b8b8906e55efe4b162e5590ad95764fcb0dd1593687b02e50f259a0856e5",
+    "agents/incident-investigator.md": "0dcfa74f50f86d35f2219a6f30ac82114bc5bca56c7260d2fcedb4111b97c12c",
+    "agents/integration-checker.md": "a1d780d93124a2a0f34fa6fa38d338221db45644c997c21eafe29bd2c7d9b7ac",
+    "agents/legacy-characterizer.md": "e7e033227fb965f501955d7b842a6f5a5360625a90ad2d20e6e3316d7e0a1f65",
+    "agents/load-shedding-instrumenter.md": "65bbcbc9b637c637cdabc11e82314d1f3f082db0ec3612a72c9d2ca284082df0",
+    "agents/nyquist-auditor.md": "86aa561c0dd3fda6312db9e26609ceb486c4c15ebf8d4910f6edab17428372f2",
+    "agents/observability-coverage-auditor.md": "3e5cba68b8a03340067c8b08b39b3444fda916286a92b1bc5ffb0dc81f7d6cb7",
+    "agents/observability-instrumenter.md": "a2cd327e6fcdfab5ff9fb3d4e710e2c185e6c1894305195d00c7132ebf5e9d21",
+    "agents/omm-auditor.md": "4fde55e0712ad9598f876339deef88ad861e5746e4e5e88fa960710474286ca7",
+    "agents/payload-capture-instrumenter.md": "eabcc2af247c8af8332176c6cae7aedb2a570f8c00ec204d0bf02e16c59940fd",
+    "agents/phase-researcher.md": "9a29843684c657fb021506ed52b6b469d00584f3524114d6fe88400fe5d61a47",
+    "agents/plan-checker.md": "d38512ff8dafb6bb7b96181bb40cefecb13a1aa97b22bfbe4d69462c9fc104e0",
+    "agents/planner.md": "72f79def69ba102e62966a967e10a28c89aa81d0cfe8904f4b6a85b1ea5d9d88",
+    "agents/postmortem-writer.md": "6b993df5d51fcce513b640824e4f985e1fb381987fdd755d4b17e1580c224a8a",
+    "agents/project-researcher.md": "6a79b16edf7d08dff66549516fb6711e236ed54b03b5f94bf3d55003edec4605",
+    "agents/prr-conductor.md": "90243b9c8dd3dc07a2e97c80409547b897266e4c1d7f0cff8ed061e68dc7e5f9",
+    "agents/refactor-safety-auditor.md": "43d761876cd0392d31e2e566733b1c865e2a3c465c137d0b9d17b4e3473f68b0",
+    "agents/release-pipeline-auditor.md": "98a0a98994499eb00740046b89ebdd5e4ce51185e454f4be31bd1208041d4bd3",
+    "agents/research-synthesizer.md": "4d6a7ceb3ce74e42f989e09e866e110c9010460cc80ec866b3e3ecf8ad9725c9",
+    "agents/roadmapper.md": "5b913c351aa78c4b5ef791505788598ecb9af5df9442a57ea18127f022edbe0a",
+    "agents/schema-checker.md": "065398b08fc023516b1798b3c00ed8e135a74b5bbef7fc2a2cc4086ef9085d03",
+    "agents/seam-finder.md": "9061e2a45f1e4b909af963e3296ac8a632f2dc69e843f8ba19315c09f72d14fb",
+    "agents/shotgun-surgery-detector.md": "8a3090032e23f63f7493102ce8a53ad7de50819ebd8a9000c1ee01fbaa69a8d3",
+    "agents/slo-engineer.md": "0542da827fb684e670592ab85d4e5b48e49e90e80e421b872cb322f900e63f5b",
+    "agents/storytelling-analyst.md": "c7c32c1b24343aadd5dbf50a256875775253d72f855f1b97279325a5f594336b",
+    "agents/supabase-architect.md": "3251fd2cfd26022a3608408984ebd31ed7b822129c0bd4f2c73f19d23b60be30",
+    "agents/supabase-auth-bootstrapper.md": "8843d64a14a77d560544800810e3b310f8c3df9fe6b206f884ed36e8506f378d",
+    "agents/supabase-edge-fn-writer.md": "022a81c86337b429a038c6b9e0a7a8d91eb9c6025934f051b744c1424318806c",
+    "agents/supabase-migration-writer.md": "15802438cfe22f45ae8f254a45af7ff3febacd77e99e64cdb61a2440117546e6",
+    "agents/supabase-realtime-implementer.md": "0d97073ccfa38535a33d513a8cf1f6fa537c1d8c16c4f4f7a0115e7219b059c6",
+    "agents/supabase-rls-writer.md": "86602a130e3ce046739ea42e43e51c918a11625b8c8f1c590551c9221136fc1c",
+    "agents/supabase-storage-implementer.md": "b22c05fb8ccb8d416e8d24754e403c994dfe62231164a77f8ebfe0194b68d432",
+    "agents/toil-auditor.md": "aa69bf8d6c1d2bbf674fbe456c0948dd2f9d641643a7b813e71b7a8aaaf4908b",
+    "agents/ui-auditor.md": "5b0aa08c028283e44361ea0c2e513daeffe5d6346e73f32c9f657150527380b4",
+    "agents/ui-checker.md": "0fa1ec709b40a3bc4eeabad82dc51cb7e925244614e289a4c65f5e615977d8f5",
+    "agents/ui-researcher.md": "1246d063322f718d4f342c3376b98f5f5532dfcd9686e3b1feb4d504ae4496e3",
+    "agents/user-profiler.md": "32449e1effbeaa4fa63a4fb42ee01f9104c4ff300531879a5debe61604122794",
+    "agents/verifier.md": "d171f69f4b26ab21fa6e8127f700f51eb9e773445e3ed59bfe2226910fc02db6",
+    "COMANDOS.md": "12877b7893a76dbfe87751603c23880e025b6062e796251014923f11f06fcf29",
     "commands/adicionar-backlog.md": "0f9e06be029e7bde58cdcdce38e9ecb217b339c6df38fe8fbab48e640e4359c8",
     "commands/adicionar-fase.md": "9fad5b16912e229870a91001b647190e6a089dcf694948bd2e0f9f7cd85ac29d",
     "commands/adicionar-tarefa.md": "49bf391a75a72b4bfb5b7f28dc85d32a303261e8468f365bb25efb3d545f5675",
     "commands/adicionar-testes.md": "5f196dbde95d2434f908cfb51cc044a545470a7661b37d80e9f1f38e34ad7aa3",
     "commands/ajuda.md": "c564e7eb370b103bce862384eb71be72f6f44877ddf6931362c85ed6bf887dcf",
     "commands/atualizar.md": "9b021e7eb7a1eaf0bedc6ff722356ccda65fae7e03c16ead2b18bb91853075b2",
-    "commands/auditar-marco.md": "4260f00672b860806e84432fbb5894e8c9fe12881c616f887ec3189ee41d1b36",
+    "commands/auditar-cascading.md": "4ab5b6d9e80d8c0f802a835df3df1359ffccdca8b0d9ff4743971388f95bbcc4",
+    "commands/auditar-marco.md": "31b0ffbcc2f17862cda7a05acb4b9ebfeb14c8e0ca34bdcb741355b7831b98ed",
+    "commands/auditar-observabilidade-cobertura.md": "53f85cb70492f583acc095a70e20d15e5447990955327bd43d96091723ee7c53",
+    "commands/auditar-observabilidade.md": "167543a04e41f4dae70209c4af5d8a6d94ae56939132229b5681b8fb37322a1c",
+    "commands/auditar-refactor.md": "c20fc1e1796702e1f7dea7f5abfefdac8645a115568a4a57df035b54105415e0",
+    "commands/auditar-release.md": "c9c3c46f0b8e3f7fb17ca57c6f8e7d40542318c9b1557c74532bc561d1ce62ac",
+    "commands/auditar-toil.md": "ee4c80ad8f01f97e930387b3df749cee159fd9e1ccac2c05d4d33a6df5d9cb15",
     "commands/auditar-uat.md": "78166757f397bfe2a58419546257970f2a1c25c78f0e5bcbc9718109a14d576c",
     "commands/autonomo.md": "c89d7b0d3bb5808e66b724c46c0e6132d4578d9182ff49bc0efa2223da835c4a",
     "commands/branch-pr.md": "347a11aed1b822111f8cdbfe1d628c61c9dbc347fa6ac4f182fa6cd89dc75c15",
-    "commands/concluir-marco.md": "a2252f84755dd85ce10ad85f772036d9a8120d3269a5126af5dc75aafaf26ccd",
+    "commands/burn-rate-status.md": "d5316301d4ac576bf57dbd24a56b1c2063610819520af3f75026499c6525c438",
+    "commands/capturar-payloads.md": "507d009d9fb28fe12d18c3d3a599fbb23605254564e5753b056e0f32fb92f20b",
+    "commands/caracterizar-prompt.md": "996b923d6c807d94be77d14dbfec3fdabf98d3bf111f6928932421b724847fb3",
+    "commands/caracterizar.md": "994ce4136ba44b74890874f3274c26bcdc9f4feb5f4852cb0288687142ab1403",
+    "commands/concluir-marco.md": "39c9d292e6e9e8195a47e0088ee8c43851322d82b7dc6b4af19e3ad1466477eb",
     "commands/configuracoes.md": "adf76d992a0d85dc0d0ead0d1ff1fe0c42fe1d08fb544744554c145028f53875",
     "commands/definir-perfil.md": "ebb168c109012651051dc8240034750349b6878525ff3095efbf5939546d1eea",
-    "commands/depurar.md": "3363c6e296644013f10cebb240e94982f6bd133687db9af60c4be80e948dc897",
-    "commands/discutir-fase.md": "52f9bac3b678a533e755f80f8accb6181a2ce19696d0e8ee6b662ee2ee9fe050",
+    "commands/definir-slo.md": "2f891393b6b46bffd28264d6cc340baf74297c7cd58be137d67c92313e942480",
+    "commands/depurar.md": "adfcd7f7b29c009740d476a487cd229082c271447c4fe57c6befab16dd7144f6",
+    "commands/detectar-duplicacao.md": "b236106af0c6dff02b60426e79f2c899d433b66610abbce9dea321493fd8237d",
+    "commands/discutir-fase.md": "0f426c72a1dc4d0391135de304db9f73ab44d407a0a6847162753f1c5cd2970a",
+    "commands/encontrar-seams.md": "11e6c17139976deae22d183ae83a9f33247af3c2f5a551c9457ded41c477dae7",
     "commands/entrar-discord.md": "3f587ecf8b1cba032581fd6d4370d9363a20c1145d30241f3e0be2b1771a139c",
     "commands/estatisticas.md": "6caaa4056298cabfe903f1971db00ef872dcf0c8d6f4c2a2d5565990cf8f6664",
     "commands/example-greeting.md": "5e6ccdbded49991850b3e2cf2bf7bf473a73aa45c05ce637061fdf8e15d0fd21",
     "commands/executar-fase.md": "ae189eee59e14b9dff729f5bd5caeaf46c2a59b2a10fa0fd947dc6484e41feed",
-    "commands/expresso.md": "51bf1122f72a0a5961977167ad957cd441a0d55b8d25fc8b3e20cc912f4d80d9",
+    "commands/expresso.md": "15ef1e57a83d982cab6a78189e6a96368bb8c740789ccd018a4a6a4f4f82cf77",
     "commands/fase-ui.md": "ab3950a3c1733ed4bfb891367144f859094facc8c5b1bc3ef708d621a9480049",
-    "commands/fazer.md": "6da30b30eb69cce0aaaafde7bd8b8e2b8ba764b488bf2471a3d22d9cb9ca594e",
+    "commands/fazer.md": "0ab3afa437b95ea36fac58b46951237c5a67c972e48495f4b88266c386089109",
     "commands/fio.md": "da2b4230e018840e66dc633cebf45e43e353d5ea3102116b71bc3560d5ef798c",
     "commands/fluxos-trabalho.md": "807d0af5b68ab2af94ec3db8e5d70841f6cfc0f821a2b6f130836887dea560ec",
-    "commands/forense.md": "8b5e97edb0e6f79860cae83c81ac1618db0d6c27bffd8ffed9f60f155cdd0fc3",
+    "commands/forense.md": "c8d0c76a54a08c4645cd6693dfe3e012aed0f13f9b0a3509e2e01d7d5515a2b7",
     "commands/gerenciador.md": "3aa02fcbcdaad376e1c8077237d2393432f441880bd06c3fbecc0f4a2f4a6bd1",
+    "commands/golden-signals.md": "91782048215162822b04e87ff898bff25233edaa0a78843193e9176a2c4a8b37",
     "commands/inserir-fase.md": "23dd3443237a1ddaf3aabba5d08d8200da73de944f6bee1c217fd266d778cdd4",
+    "commands/instrumentar-fase.md": "4391db97e11eb5d8808b10b7b9e9ea1d754ebd413e1543fa3885cb1968899980",
+    "commands/investigar-producao.md": "25da1f5f95e19327d40c9d299aa4e4a7627ee79dd95ceafa6245a1942f1dc16b",
+    "commands/legacy.md": "6d549b168ebdd12fce7bf6a65c834d273799a2c43759f4407fdf9606ebd0fa9e",
     "commands/limpeza.md": "3d68e6d9b7169697c097421bcc51d25f289b065cbde441f91804e09016e6c711",
     "commands/listar-hipoteses-fase.md": "ae5cbac9a65290017625e0aa910de9b372f27b4d7d4c3021da232b1df0f515d4",
     "commands/listar-workspaces.md": "e41cb3b66a845f19534fdf8d5c91ae9f7e5c2c315a51a600c086c7a04b9de73f",
+    "commands/load-shedding.md": "cf51027e9a19b65aaf0e8f2f299bedb8a623fc82bc142f348583ca21e1ab2e73",
     "commands/mapear-codebase.md": "f2e5aa848582b84f5444130235b9577b96e99b3f01652a72aabbff14e71f1ee5",
     "commands/nota.md": "6bb3f3fbc9450b7da52d40b8ef73eb14acd52ec02e24ea0e9ab959ed3877a709",
     "commands/novo-marco.md": "79f9a0290059627c5a152764cf51f21715e28c80aadade578faeba07305cdaa4",
     "commands/novo-projeto.md": "acef0b0a55a21add529ac7d7c0f831d98ccf8611f5f4363df9d1a3f02d70e665",
     "commands/novo-workspace.md": "be21420b05ddd716109b34fa0ef1be65d21a5ced09cc5b665a83aa1aabc71c75",
+    "commands/observabilidade.md": "d7fbb6d930da711496f9f1786a04e76b924fbeeb94828dbd6463f23f6a703ec0",
     "commands/pausar-trabalho.md": "db940126985c8cd0cbb5a449c3e4394cb738a3f657836a76231e19b52c00a656",
     "commands/perfil-usuario.md": "b809efa169f94a712987cdf430bad2ba29a94d5302e86118030d700162b31c3d",
     "commands/pesquisar-fase.md": "6d77b002ab60634e1a523ab3751cf101b5f1b898df77e88d75cd6076d8aa748a",
-    "commands/planejar-fase.md": "603ccbd831cf1e20549ecf86686869e5031878a7af183c5128225f996b089950",
+    "commands/planejar-fase.md": "20396bbc60baa30f48a197147184fc4c13a02b5d67ae4c879f65fd71f560fe1c",
     "commands/planejar-lacunas.md": "63d5cc584508968baec6ff4e570be1756554defd4196519fbbb0da51db7eb385",
     "commands/plantar-ideia.md": "ee766e5b7feadc08224b2eea0abf6d4730e41bbeac79257a284f6c0bfa6d3764",
+    "commands/postmortem.md": "c0f1ae7530e7abc1b29e43ec3764382eb8a83642878b78cedda27a0a3f41dda5",
     "commands/progresso.md": "c69f48daa69f897ae2d695b20d6b994983e7272b049302cc5a85ea92d8321c1f",
-    "commands/proximo.md": "f7d3dcd7d8d951eb5d8aeba56d124f5001fa27867bd674fdd11e9029f8f27186",
+    "commands/proximo.md": "3bd3f1c1d5a338ce96694b10ec29c52778163e1ede823de38cd821202c1c0845",
+    "commands/prr.md": "cfa599c1e75dcf54d7bc26cedf5aa2530998dc28889ecbe8b07d81f0cbbd07aa",
     "commands/publicar-rapido.md": "e666c754618789530099efd99245739fbeafa9661c01d6d6ed999f83789a04dd",
     "commands/publicar.md": "64f94fb0c5e2310dbcba23544f742349e175c8de482aa357426c11ca5bbb5dc8",
-    "commands/rapido.md": "01041b0bda4eb1c5034f7c4732f01ba95cf440ca08f029daf0055b354741fede",
+    "commands/rapido.md": "6a670562102036d24db7a2b9b6531f4b9544d204a43eaecd393a13633f837748",
     "commands/reaplicar-patches.md": "607c2e8d18296c34f082ad53da58cf486ab4d48d3187eb54c0c121ad822fe69e",
+    "commands/refactor-seguro.md": "c59893c876c60cc437ab287a7983f35e48ce9e233d6f1761a5af98ea04820b2f",
     "commands/relatorio-sessao.md": "fe4613a3fbae8d532fdbad60b25108631c6fde5a3016bc5c5e05b22ed7d48084",
     "commands/remover-fase.md": "ebc88099c0e2b735f5ae3ab2c4855c0415bcc1ebb084caf73047b38e5fbe9185",
     "commands/remover-workspace.md": "9384515fd3151930d9af34ef436277270911384944d6a457470b13ed08d9ca24",
@@ -77,13 +127,16 @@
     "commands/revisar-backlog.md": "c4b789918d6a07561c7440d09bf605be36011e25e1e52308dc04392f6cf666c6",
     "commands/revisar-ui.md": "83deb6af8cd1cde8be7e6498a39246dd5fbbc33121498b435eda22ee5fb01630",
     "commands/revisar.md": "201f8880c8e0878061db721765876d045e8d0f2c61641da83830ed60d3c87022",
+    "commands/risk-budget.md": "57602c0424479d882b2a84d4d0640b963a02dafc33994f87c8cd59898c7206b7",
     "commands/saude.md": "47895ec1a520f14e63f497606e510c56009deadd90a07872f873fdd96e9bebea",
     "commands/setup-notion.md": "e73212cbb255140226f0e927b141de254a0806a0554906d6334f9471766db677",
+    "commands/sre.md": "eb4701d8d5fd98671ef562eddc4f021fce6ca5474cd840bb06df5b81f4741c2d",
+    "commands/storytelling.md": "84b3344392e4562d9b92da86be70cf4d4804ca75fbdfcb11265511be801f390e",
+    "commands/supabase.md": "bda09c62f1c1d1ce5c339f0f4421347abffb86591c1af49880a1f2ac437a2c6b",
     "commands/sync-main.md": "36449f97ec346ac29477578bc3650c9d364240dd69e81a6a227aff8f1a8f79c1",
     "commands/validar-fase.md": "313bb45e12fb02b0ae34dc66ddae1571ffe45a101ccfad9d64655f0c18bf6db2",
     "commands/verificar-tarefas.md": "5d314b9a1c2f75d7f23fd718714bc1d1ad5c543d63e7305aa3c393299857c09a",
-    "commands/verificar-trabalho.md": "c7cfce9636c6e684b2ac2695ecef3d2fbfe5ed574f75906bc4e552bbd28ec59e",
-    "framework/VERSION": "539402d2694f8bdccbced843d22a2efdea47865e66833e92d06d2bfedee9ce02",
+    "commands/verificar-trabalho.md": "1f1add39268276545d60372cfd83979a5f6543750059def940999affdc26fbbb",
     "framework/bin/lib/commands.cjs": "963229089f099e20fa1dd5f1499ae3b12642d97eb33b5ab544ef2c38943286e2",
     "framework/bin/lib/config.cjs": "080c684b09f70ab08c2b14162f128846808f4de0997466b3007e1d3615fcafff",
     "framework/bin/lib/core.cjs": "da9c0bdc282fc3f4c93c52976a163ff1d1ca2b9b9908b104fbb2d26e41b24b45",
@@ -110,6 +163,7 @@
     "framework/references/git-planning-commit.md": "7288eb79d4f13c0580008e05ef8d3fba32317631e56ca7e2da53d1c23dd448c0",
     "framework/references/model-profile-resolution.md": "20597ae1bc054a71d804e480280f91b993a685993e37a82c44fc9b0892223fe4",
     "framework/references/model-profiles.md": "dfeec83dc58abc25c2a095c8a36c728b49fb8aa261478d5b6716df89bb182366",
+    "framework/references/output-style.md": "c8deb936571362d28e9e6a87aef0ae2f14c13d0bee05ff79f76ad507b1c26b40",
     "framework/references/phase-argument-parsing.md": "3e7e4f0f0aff64f540215e49ed8a43f6f89518c5348d4fa2ee7c47cfd0534553",
     "framework/references/planning-config.md": "600b11141bbe01311a7fa1d98d7763790319a5ea42629b56b6dec36c6583f5ee",
     "framework/references/questioning.md": "571019dbfbfb06223fe05fbd9846bdb7d02547bf838ffcd3efdbad72bb517f72",
@@ -118,10 +172,6 @@
     "framework/references/user-profiling.md": "d259e269fce088e3b22dbaee0cc9e8958adefd0b83b5a289dde6bf5fa5d6523f",
     "framework/references/verification-patterns.md": "bd4f11f96c402b85ab646f7c90c960f7f934c3ab6712ac1d4e9881b62fa79ebb",
     "framework/references/workstream-flag.md": "5b92615c6972e8a2d3ae2874511118e058b1773a0f9914f39b00d9d39c08785d",
-    "framework/templates/DEBUG.md": "0fb768753ca0bcf4f92edbe2467127ff6f3494356204dfa50b98a83c6fe312aa",
-    "framework/templates/UAT.md": "4dd49b87e7b6388864250222935c63757b626965cba8670e3ce4dd718fe77506",
-    "framework/templates/UI-SPEC.md": "67ba1e6a0229cc39b57ad9448b178b2030b51eab957474d38fb752711d423178",
-    "framework/templates/VALIDATION.md": "1a23b46fb0ebb9a7ebfe3374cb2943a3f107558d36e73980354a0a9d1b98f446",
     "framework/templates/claude-md.md": "01b9233701857c8864fae0fe2649c6474d17a3a37889a1ab9082ff19f8f21b67",
     "framework/templates/codebase/architecture.md": "04270ad3658101a6e1199a582de6c8283ff3f668c05b72c58a379985e2656530",
     "framework/templates/codebase/concerns.md": "11c9b006ec01d015326f0376abc4b4e6dc9745a513a50b0b346e93b050a6b8e9",
@@ -135,6 +185,7 @@
     "framework/templates/continue-here.md": "98542845ed545c7348b33a3e41d887ea3ae0c7e73ca5cae132b75ec4b81eb41f",
     "framework/templates/copilot-instructions.md": "c01ae3d4c5519eb02f1edc1eb8a6a260c09577c0283fcf27de25eebac84ad716",
     "framework/templates/debug-subagent-prompt.md": "08b553607bf59f2c58756b24e19f3b2ab75f18a5003b189456b1f3630d3ebd6c",
+    "framework/templates/DEBUG.md": "0fb768753ca0bcf4f92edbe2467127ff6f3494356204dfa50b98a83c6fe312aa",
     "framework/templates/dev-preferences.md": "7d58e518c9a403f96710b8b6b4b833ac21d7b03fd8e164e8f3d88b95c4692b39",
     "framework/templates/discovery.md": "5cb283c838781b4043becf6dfa532fff6ac4c2970c769b80ebb5685429cc593b",
     "framework/templates/discussion-log.md": "72576f1a09bbc93562d0fcab1a729dde8aa2a566c23692c4c9e3ff9316e1c926",
@@ -157,9 +208,13 @@
     "framework/templates/summary-minimal.md": "3f11855b489f6786991436fff63f547f6e1d1c61253a55674828d3e4cb187f5a",
     "framework/templates/summary-standard.md": "66c8c95aad2b23f5282654cffe836399f2b3044382dacdef8c89cceba67f8e34",
     "framework/templates/summary.md": "9b533592f5d3de45a65e5229c67cf5bd8f6f5aee847c1bebfbb08e5cdf05d9ff",
+    "framework/templates/UAT.md": "4dd49b87e7b6388864250222935c63757b626965cba8670e3ce4dd718fe77506",
+    "framework/templates/UI-SPEC.md": "67ba1e6a0229cc39b57ad9448b178b2030b51eab957474d38fb752711d423178",
     "framework/templates/user-profile.md": "80c41b335b93ac78d4cc1e142a537ff86685966808662f1c1154805f790235d6",
     "framework/templates/user-setup.md": "9287c2091ce51b6857de431dfab0ee4c97f0bb1ead46e2881118b3f8aaca18f4",
+    "framework/templates/VALIDATION.md": "1a23b46fb0ebb9a7ebfe3374cb2943a3f107558d36e73980354a0a9d1b98f446",
     "framework/templates/verification-report.md": "8ab09647540a2168e55efd9b284faf165ef59e063a553add14e311557b28f30f",
+    "framework/VERSION": "539402d2694f8bdccbced843d22a2efdea47865e66833e92d06d2bfedee9ce02",
     "framework/workflows/add-phase.md": "280542375ceb4aa191e7fd3ff4fe159f95330c5462aead89b486cc4371ae9fb3",
     "framework/workflows/add-tests.md": "b1e46277e98d209d89ee33dbdfdb572d75951e7f20fa9495da769f8a9cad5b70",
     "framework/workflows/add-todo.md": "be4cc5c425f42184d87a7cb705799318f5a272a162873cec0eac14b48fe5b6a5",
@@ -172,14 +227,14 @@
     "framework/workflows/diagnose-issues.md": "fc52ab55a0acb60862f1709f71f008e25474ea66b0a29bffdf28972aa67f1d6f",
     "framework/workflows/discovery-phase.md": "62dd0b2472b7bb3b50b00ec96d56da7372579de275a56f4ae2c99be716b6c13e",
     "framework/workflows/discuss-phase-assumptions.md": "d23591bfa49b0993f3366f6a8fb399df0d01358ec62a372cd121352cb7dedab0",
-    "framework/workflows/discuss-phase.md": "4e9cce107141186d722c1422cfb46e5eb8671b68d997ed2bd164ca80569bca74",
+    "framework/workflows/discuss-phase.md": "decc9c46240277fbbac9ff05c23d84d76c0129621940276927e177451cec025f",
     "framework/workflows/do.md": "088ca2c867519609462c74d1574072028863dac9e39ab93084fdbf57fa47cec0",
     "framework/workflows/execute-phase.md": "c4fe9c75273f5e851fa51133cffce3069e56ccb47e2df87daa4171ee3f4b6b4c",
     "framework/workflows/execute-plan.md": "72c64a78ca12d55d2fa825f58c46d6867095940e5dd2d423c5167f4321464f85",
     "framework/workflows/fast.md": "d5d71ec22e223636dd82d201967d0519664a96a61a6f8d475ded067f83f599da",
     "framework/workflows/forensics.md": "8998c4a674abccf6f143e39a6535868b4196aa06305c049328d1df308362dc3e",
     "framework/workflows/health.md": "0dd758e0a5237ac2cf3a17dfd18199c78e5bcfff97d560e5bc3ab8da30ada426",
-    "framework/workflows/help.md": "63b60c21ea32c6d0228884f69cb6d6a72ef874fe474eeee34499bae1272a4256",
+    "framework/workflows/help.md": "e25b55c5be13bd12a0172e4dca4bc925358dee66ccafccb8505c9df68eb1da5d",
     "framework/workflows/insert-phase.md": "a19cb900f330f6e7c7c92c0778db1f625f6606e7a2337bbd1cf9bd3e8e485a37",
     "framework/workflows/list-phase-assumptions.md": "f3a901667e7aa3c6d0830b172613cf287323bc893a0af02aa3f35d50434a7e1f",
     "framework/workflows/list-workspaces.md": "ead82fddbf1d95e7bc6e0dce02933b96eb25c95116c952adc20537af83314188",
@@ -187,14 +242,14 @@
     "framework/workflows/map-codebase.md": "3829dc3272a9a50236ef83ec445e2ed4d16fd2f43dbf4cd0c1ecbd1959d01e15",
     "framework/workflows/milestone-summary.md": "66945a6408ae1b817ec0eac70ccc0b2fceaf1ea6c5e13038e700634922c18618",
     "framework/workflows/new-milestone.md": "ed0b9df2de4e6c33832a696f6b8115623348d6ce9396ee6445718e4458d1d774",
-    "framework/workflows/new-project.md": "a1e13dd283bf3a1efdedaad2eb095cf41c619bfef391451447fcc87ee251ab74",
+    "framework/workflows/new-project.md": "777d9c24bf92db70689be5be114e4662fcdefc419229b007b6c4c68352a45467",
     "framework/workflows/new-workspace.md": "cfa092028c7c9c8e976cac8f3043f8d63ca79a292e229113821f7aa279c796ad",
     "framework/workflows/next.md": "39fc5560b841868755a1ead52347d226b58f49b6d66120e6545f866faffcec11",
     "framework/workflows/node-repair.md": "4c378c7d2cfb8906ae8b6b6e96fc58ff8e64ac6a2b4a0c71d7805537d003bd27",
     "framework/workflows/note.md": "c1f6fd674c49a2317cf35a00f65b35cddae5799054f43aea763e1785e3dbf70b",
     "framework/workflows/pause-work.md": "f8bb39c7ff3b829c805f2669c93f34bc16a04e6521646858f8aac33fb7cb5c99",
     "framework/workflows/plan-milestone-gaps.md": "6a730d8d894dfd3c6c22107852573103d661247a36d9822f561332c78ef0c120",
-    "framework/workflows/plan-phase.md": "36cad37b03338475848454502a4864dcae0faadf9c233a96889ddd70ddd49590",
+    "framework/workflows/plan-phase.md": "383bd4487c10ab03ac3e6f9f6cbb208dbbb0c9cc83b345afbf70b5c67a06b3e7",
     "framework/workflows/plant-seed.md": "4e24701ae713697d896ce8e0dc1d742e8ca1b5e5bc9298bb8fe66b68684ef8c6",
     "framework/workflows/pr-branch.md": "141bd554ca9d402c1f81fe83f4083a4537ce158bb05ba8383a853359d946b534",
     "framework/workflows/profile-user.md": "9f8f7e3830d48ceee537e5af8475580ccd8acb1bc44def72007ee358e9a689d5",
@@ -216,12 +271,63 @@
     "framework/workflows/validate-phase.md": "0908d762ee79a8ab4e7c5356932974e184efd1344780c12ade74cfbba9b615ed",
     "framework/workflows/verify-phase.md": "36583bc1944f315ecf82f256e8ac15038f04bfac3bb6a3ba8cb860be72066887",
     "framework/workflows/verify-work.md": "bc22a9d10c6d700caf3858c23292313d124c6155a14ee832e2c4f0dd61b1d3a5",
-    "hooks/check-update.js": "723ba16afaa6817b3da5e4859c8625e5c360f7b2c5fb9c07d2d2afe1ed465ba4",
-    "hooks/context-monitor.js": "b6e1ede5b0574a818ea09bb4f0211507dea7f2dbae7103fdb4955cbec3b633d1",
-    "hooks/post-apply-migration.js": "eb80b0abae3d4f48c29d514e26d6c34c2065273550ae6f5b9eb7cae24041fb72",
-    "hooks/prompt-guard.js": "e8ba8c23312bac1cb2468025831e401a86b48c6cc0bd8eec991542b67473b97b",
-    "hooks/statusline.js": "3e83e84e0be401ce6dcc41ed7919f8ffd949337a88e6d28f426f0de8c1e81bd4",
-    "hooks/workflow-guard.js": "86a07dc30e1984eae54d02b0a752a0a34ef9d3d15327acd1ea464273044afcea",
-    "skills/example-skill/SKILL.md": "8a888ffea8f03aca0d2692b61f103a178052e1c5670b13ddeb6c0b8f54dd4e4d"
+    "hooks/check-update.js": "c4f35a55455d17c0eb8976760d3198bd62c2bf67e0589018a343697393ae6545",
+    "hooks/context-monitor.js": "294bc2ad2308a898e15437ca2992215c7605a489af06dec74eef3e71fa7ba90f",
+    "hooks/post-apply-migration.js": "cd67f24ca9ba0a064087b9abeacee094ae24baad0cdc06f776d7a2f8ccad9685",
+    "hooks/prompt-guard.js": "5aa2b8ddb028e976d34fe54c3d258b0b3fa5d0f449cc3cee85f1d52f76d91c59",
+    "hooks/sidecar-tool-publisher.js": "b8357ae80e82bfc875acb6c616cf82a943a2d77cf2ceba2f23a50b7d1f335f2d",
+    "hooks/statusline.js": "5860cc06bc8424a95d12adb1fa68391c6e3705d7fe83720e18fd0e853675e37a",
+    "hooks/workflow-guard.js": "05460574aedc9881f0b0314fedee4719f5a1dfdf9755189fcfb5e9c681944e97",
+    "README.md": "3d5c18da9178a728a13f7f80b60ff565aa9274329103e72fdc6337327bd4cf67",
+    "settings.json": "4e6514cc18c2710f33038b9654d2df2ba5f47e7ce5adceef4b0c338fe1a73e4e",
+    "skills/_shared-legacy/glossary.md": "7dabc31ddd3b2b597f76d1a55ef51b0bd59315aaef59245873c224c4fd21c86d",
+    "skills/_shared-observability/glossary.md": "ec3892c226af03299c0875e36fd0170cc9f801b02df52a2e0ec5c7468229912a",
+    "skills/_shared-sre/glossary.md": "55a052c7d2292622150ed1cbb5aa0d675c332287b00ee4e3dd84900f9cf0ec84",
+    "skills/_shared-supabase/glossary.md": "2ebb4e09d9eda88a4f388f406f5cdb36fafa26a3ce6fb33d5c1976bcfac19327",
+    "skills/ai-prompt-characterization/SKILL.md": "1a8114296c754e2018b1c1fd428c364f8de4485fedd5df78d3afcb33c3fef1a4",
+    "skills/blameless-postmortems/SKILL.md": "55c386c055c869474b6164c0b871a882369a5e57ddf7de8eddcd881ceba70dfa",
+    "skills/burn-rate-alerting/SKILL.md": "19cbd991efbb3b5d9ab6c53ada448b2624e6ab3f87ac500c0787bc4c8f2988e3",
+    "skills/cascading-failures/SKILL.md": "d308982fea601e8b9fa3ae9ec4bb7052475b57b039323f7398a956199f5edcd4",
+    "skills/core-analysis-loop/SKILL.md": "298f27d1706abe0e64fa7dfa925eba3255328dccd03b24589be1e80d6d673dd3",
+    "skills/distributed-tracing/SKILL.md": "7747bbd0563b28cba11b11064012c0b7a696ac04bd65c64debb42987781b26ff",
+    "skills/eliminating-toil/SKILL.md": "451c7dfc5dd5af925f0b38657553ddbc1cc95923b3a572ac79d18201acb136cd",
+    "skills/event-based-slos/SKILL.md": "6bf107d86cc409ab24773e16f26b4eca6e228dfd2db027de7b384e88a05bd50e",
+    "skills/example-skill/SKILL.md": "8a888ffea8f03aca0d2692b61f103a178052e1c5670b13ddeb6c0b8f54dd4e4d",
+    "skills/four-golden-signals/SKILL.md": "c83bac06bb676a3a7ee24c11d9d5d72388ae8bfd21ad9e7face24c5fcebd7b60",
+    "skills/hermetic-builds/SKILL.md": "56c7c5c4121a51e895d28a6bdfb6373580625b600f3b96516ba41434a4035026",
+    "skills/legacy-api-only-applications/SKILL.md": "7390c2dcde6eccb9ec6c66d54fe31c811ff25feac47ab61b0816bd4e156cea67",
+    "skills/legacy-characterization-tests/SKILL.md": "1580b5d27cb8f4a388d83718aceb3b2527f60c63a4c10b00e5a705d50667a7ce",
+    "skills/legacy-effect-analysis/SKILL.md": "d7613aeca4e789ca6f8a34046eedbd981731bf79e1fba926a4a97ad1be92d1ab",
+    "skills/legacy-extract-class/SKILL.md": "5c0392979f4e2c68cbe894a334ef7feee0ff1642363e18085ca4575b33feae8d",
+    "skills/legacy-monster-methods/SKILL.md": "e57c272627d22e63c763e442ffa69eb52a8b7421aaffeb426acfb9759d92e5a0",
+    "skills/legacy-programming-by-difference/SKILL.md": "42069c8124f1a704600d2f6eb01162ca00798a960bf26f7d79d13cfa5894ccfe",
+    "skills/legacy-seams-and-test-harness/SKILL.md": "5b43d123ea032e488a854bcf68083695b14b9150b01009b83e149e36a36c321b",
+    "skills/legacy-shotgun-surgery/SKILL.md": "3b0c7c143a498ad0b7b177be046a7c94532a99afa4acb59ca5f08cc3e5db8f54",
+    "skills/legacy-sprout-wrap-techniques/SKILL.md": "26c39659b0bc2ea83f1b5879ed94f9782a608c12bba15c4507bfa4a79e1b899e",
+    "skills/legacy-storytelling-naked-crc/SKILL.md": "100cef2fc06b27b10f74e0ec26faaf0a04c7cb52b25f0f322368ed2c266697bf",
+    "skills/llm-as-dependency/SKILL.md": "3c0ea7c7a923d14f62ba1d231b7c1b1fd2f09f4622e3601111a70e68f384a6f7",
+    "skills/load-shedding-graceful-degradation/SKILL.md": "b261e4ff756e4aea689ccfd3c4dc721df22c6ae91b08a029db2b7a9f2a172b6f",
+    "skills/observability-driven-development/SKILL.md": "9abaec925bbb59391597d92164c43b432eef32884ce3b4623f419f421322fa83",
+    "skills/observability-maturity-model/SKILL.md": "49bccaa9e122651fbbe5457f7fef96114f9b3e8626faf6e3a8cc6ded66c7da10",
+    "skills/opentelemetry-standard/SKILL.md": "891099b62991c74598f1e1c51889475cd69ca624f92bd0e7931b2613e4f90f01",
+    "skills/pre-refactor-characterization/SKILL.md": "9124f9ca0636a75474ea3f6d851e587be2f75505b3a835af0a4aaa0855bd20d3",
+    "skills/production-readiness-review/SKILL.md": "2a9731265163c9fe7ba4fd05ceaf164ee4d1188b0d147ddff3b13bd9d3058c04",
+    "skills/release-engineering/SKILL.md": "01e69f50d2bb207d348552a01d0d69b6159b47573fe7e31aec53f6df52c3d057",
+    "skills/retry-strategies/SKILL.md": "017a38146787592cde5c009bc06c8f483ca2b609a018d0b526972ddf5e46f52a",
+    "skills/sre-risk-management/SKILL.md": "6e56a30b081abffbf9ce97e86b9c376361d6af765fe5475970f1646351c54e39",
+    "skills/structured-events/SKILL.md": "a693c8a19709066ea60860a01ba54731406d7daf41ed51adea9c29a2de131fac",
+    "skills/supabase-auth-ssr/SKILL.md": "941d80ad88b4cbeccadf852d82f64f0167bce204005f72b32bc2aaf81a460af6",
+    "skills/supabase-cron-queues/SKILL.md": "e7abbb57de2f49a3feefe8d160b4bc1c3e00629fa824755872d7b6cb84eba5d0",
+    "skills/supabase-database-functions/SKILL.md": "9eaf17a5b75f3e8c398211f032a939fa4f7517c0453e977d84bf364f39cf550d",
+    "skills/supabase-declarative-schema/SKILL.md": "8a78cae2d74287002c02bafdfb8218a9ac20b7d75047c269c702d9b8e3d22476",
+    "skills/supabase-edge-functions/SKILL.md": "bf195e3fbce2bd94cb782ce15ecc60260217ac40d9ac5cbc787362de6629f960",
+    "skills/supabase-migrations/SKILL.md": "bd502f715d816187b45ae34e400c47ea548fe0f6c077813ce99f2d451ac3db7c",
+    "skills/supabase-pgvector-rag/SKILL.md": "cd50663c5b19d08d9bc17bc9b4444f7fc2f6910f5c52502e7c50b1578ebe7e70",
+    "skills/supabase-postgres-style/SKILL.md": "4e48bd0a9ed46bea7c3be97ef749e5c148369ceca08ef3dc8d813d8a03a48703",
+    "skills/supabase-realtime/SKILL.md": "ca2584a59742b30f5351fad23f4a1957218ca730ce3af990affe79f03854f460",
+    "skills/supabase-rls-policies/SKILL.md": "b8cab2e5813a00fea6aa19a59be94dfa536d675067c2e87c94576e97d472d16e",
+    "skills/supabase-storage/SKILL.md": "f7360aa9149e55f68fa794a91c18994329e4f304cc263f90f0607e43053e9da8",
+    "skills/telemetry-pipelines/SKILL.md": "7623244afdf8e6b0b865e572c8e8537c73255914a4562a95f99f22be7448f80e",
+    "skills/telemetry-sampling/SKILL.md": "d448f9022ba0f53a9f692189d2515e45fc3e9de52256bd0715b4c1374c8cc203"
   }
 }

package/kit/hooks/sidecar-tool-publisher.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-// hook-version: 1.6.1
+// hook-version: 1.14.0
 // kit-mcp · Sidecar Tool Publisher (PostToolUse)
 //
 // Publishes every Claude Code tool invocation to the kit-mcp sidecar so the
@@ -52,12 +52,13 @@ process.stdin.on('end', () => {
     // kit-mcp-ui-*.lock files in tmpdir and pick one that healthz-responds.
     // This makes the hook resilient to projectRoot mismatch (case, separators,
     // trailing slash, parent-of-project edits, etc).
-    let port = readSidecarPort(projectRoot);
-    if (!port) port = scanAnyRunningSidecar();
-    if (!port) {
+    let sidecar = readSidecarLock(projectRoot);
+    if (!sidecar) sidecar = scanAnyRunningSidecar();
+    if (!sidecar) {
       debugLog({ phase: 'no_sidecar', projectRoot });
       process.exit(0);
     }
+    const { port, token } = sidecar;
 
     const payload = {
       tool: toolName,
@@ -74,29 +75,34 @@ process.stdin.on('end', () => {
       payload,
     };
 
-    publish(port, event).then(() => process.exit(0));
+    publish(port, token, event).then(() => process.exit(0));
   } catch (err) {
     process.stderr.write(`[sidecar-tool-publisher] ${err.message}\n`);
     process.exit(0);
   }
 });
 
-function readSidecarPort(projectRoot) {
+function readSidecarLock(projectRoot) {
   // Mirror src/ui/lockfile.js#lockPathFor (sha1(projectRoot).slice(0,16))
   try {
     const hash = crypto.createHash('sha1').update(projectRoot).digest('hex').slice(0, 16);
     const lockPath = path.join(os.tmpdir(), `kit-mcp-ui-${hash}.lock`);
     const raw = fs.readFileSync(lockPath, 'utf8');
     const lock = JSON.parse(raw);
-    return typeof lock.port === 'number' ? lock.port : null;
+    if (typeof lock.port !== 'number') return null;
+    return {
+      port: lock.port,
+      // SEC-14-02 (kit-mcp v1.14+): null for sidecars from v1.13 and earlier.
+      token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+    };
   } catch {
     return null;
   }
 }
 
-// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first valid port.
-// Used as a fallback when projectRoot doesn't match any known lockfile (case
-// variants, separator differences, parent-dir edits, etc).
+// Scan os.tmpdir() for any kit-mcp-ui-*.lock and return the first { port, token }
+// of a live sidecar. Used as a fallback when projectRoot doesn't match any
+// known lockfile (case variants, separator differences, parent-dir edits, etc).
 function scanAnyRunningSidecar() {
   try {
     const dir = os.tmpdir();
@@ -107,8 +113,16 @@ function scanAnyRunningSidecar() {
         const raw = fs.readFileSync(path.join(dir, name), 'utf8');
         const lock = JSON.parse(raw);
         if (typeof lock.port === 'number' && typeof lock.pid === 'number') {
-          // Best-effort liveness check.
-          try { process.kill(lock.pid, 0); return lock.port; } catch { /* dead */ }
+          try {
+            process.kill(lock.pid, 0);
+            // SEC-14-02: return token from same lockfile so cross-project
+            // publishing can authenticate. If token missing (older sidecar),
+            // returns null → publish degrades to 401 silent-fail.
+            return {
+              port: lock.port,
+              token: typeof lock.token === 'string' && /^[0-9a-f]{64}$/.test(lock.token) ? lock.token : null,
+            };
+          } catch { /* dead */ }
         }
       } catch { /* skip unreadable */ }
     }
@@ -158,7 +172,7 @@ function detectIde() {
   return 'unknown';
 }
 
-function publish(port, event) {
+function publish(port, token, event) {
   return new Promise((resolve) => {
     const body = JSON.stringify(event);
     const req = http.request({
@@ -173,9 +187,17 @@ function publish(port, event) {
         'content-length': Buffer.byteLength(body, 'utf8'),
         origin: `http://127.0.0.1:${port}`,
         connection: 'close',
+        // SEC-14-02: token is null for sidecars from v1.13 and earlier; in that
+        // case we omit the header and the server returns 401, which the hook
+        // silent-fails on (matching pre-existing soft-fail discipline). A
+        // shipped hook v1.14 talking to a still-running sidecar v1.13 just
+        // loses the event — acceptable trade-off.
+        ...(token ? { authorization: `Bearer ${token}` } : {}),
       },
     }, (res) => {
-      // Drain response body to ensure server has fully processed before resolve
+      // Drain response body to ensure server has fully processed before resolve.
+      // v1.12.1 fix: await BOTH 'end' and 'close' to avoid premature exit before
+      // sidecar publishes via SSE. Preserve that pattern here.
       res.resume();
       res.on('end', resolve);
       res.on('close', resolve);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@luanpdd/kit-mcp",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "description": "Generic infrastructure to ship YOUR personal kit of agents/commands/skills as an MCP server, with cross-IDE sync (Claude Code, Cursor, Codex, Gemini, Windsurf, Antigravity, Copilot, Trae).",
   "type": "module",
   "bin": {

package/src/cli/index.js

@@ -429,7 +429,7 @@ ui.command('stop')
     const lock = readLock(projectRoot);
     if (!lock) return out({ ok: false, reason: 'no_sidecar' }, () => `${icons.warn} no sidecar running for this project\n`);
     try {
-      await postShutdown(lock.port);
+      await postShutdown(lock.port, lock.token);
       out({ ok: true, port: lock.port }, () => `${icons.check} sidecar at port ${lock.port} stopped\n`);
     } catch (err) {
       fail(`could not stop sidecar at port ${lock.port}: ${err.message}`);
@@ -640,15 +640,24 @@ async function runDoctorChecks(projectRoot) {
 }
 
 // Helpers for kit ui (live in cli/ — stdout/console allowed here)
-async function postShutdown(port) {
+// SEC-14-02: /shutdown now requires Authorization Bearer <token>. Caller must
+// pass the per-process token read from the lockfile (lock.token from readLock).
+async function postShutdown(port, token) {
   return new Promise((resolve, reject) => {
+    const headers = {
+      host: `127.0.0.1:${port}`,
+      origin: `http://127.0.0.1:${port}`,
+      'content-length': 0,
+      connection: 'close',
+    };
+    if (token) headers.authorization = `Bearer ${token}`;
     const req = http.request({
       method: 'POST',
       host: '127.0.0.1',
       port,
       path: '/shutdown',
       agent: false,
-      headers: { host: `127.0.0.1:${port}`, origin: `http://127.0.0.1:${port}`, 'content-length': 0, connection: 'close' },
+      headers,
     }, (res) => {
       res.resume();
       res.on('end', () => res.statusCode < 400 ? resolve() : reject(new Error(`http_${res.statusCode}`)));

package/src/core/error-redaction.js

@@ -0,0 +1,76 @@
+// SEC-14-06 — central redaction helpers shared by mcp-server, reflect, and replays.
+//
+// Pure module: no I/O, no globals other than the constant regex set.
+//
+// Why a single choke point: the threat model is "leakage of API keys, Bearer
+// tokens, and absolute filesystem paths through MCP error envelopes / persisted
+// replays". Scattering redaction across each call site invites drift. One file,
+// one regex set, three import sites — and a single grep proves coverage.
+//
+// Order rationale (PATTERNS array):
+//   1. sk-ant-* before sk-* — Anthropic prefix is more specific. (In practice
+//      the openai pattern's [A-Za-z0-9] character class would NOT swallow
+//      "sk-ant-" because of the dash, but ordering keeps intent legible.)
+//   2. x-api-key header before Bearer — both are distinct shapes; order is
+//      arbitrary but stable.
+//   3. Path patterns last — broadest character class, matched after specific
+//      secrets so a secret that contains slash-like characters has been
+//      stripped already.
+//
+// Non-false-positive contract (verified by test/unit/error-redaction.test.js):
+//   - "Compare A:B" stays unchanged          (no `\` or `/` after `:`)
+//   - "Modal: hello"  stays unchanged        (no `\` or `/` after `:`)
+//   - "Visit https://example.com/path" stays (lowercase scheme, no Drive: pattern)
+//   - "Bearer x"      stays unchanged        (1 char, below 20 minimum)
+//   - "sk-foo"        stays unchanged        (3 chars after sk-, below 20 minimum)
+//   - "see /etc/passwd" stays unchanged      (etc not in {home,Users,root} allowlist)
+//
+// Idempotency: redactSecrets(redactSecrets(x)) === redactSecrets(x). The
+// substitution strings ('[REDACTED:*]', '[PATH]', etc.) contain no characters
+// that match any of the patterns themselves.
+
+const PATTERNS = [
+  { re: /sk-ant-[A-Za-z0-9_\-]{20,}/g,        sub: '[REDACTED:anthropic_key]' },
+  { re: /sk-[A-Za-z0-9]{20,}/g,                sub: '[REDACTED:openai_key]' },
+  { re: /x-api-key\s*:\s*[^\s,;'"]+/gi,        sub: 'x-api-key: [REDACTED]' },
+  { re: /Bearer\s+[A-Za-z0-9._\-]{20,}/gi,     sub: 'Bearer [REDACTED]' },
+  { re: /[A-Z]:[\\\/][^\s'"`<>]+/g,            sub: '[PATH]' },
+  { re: /\/(home|Users|root)\/[^\s'"`<>]+/g,   sub: '[PATH]' },
+];
+
+/**
+ * Strip secrets and absolute filesystem paths from a string. Defensive: coerces
+ * non-string inputs via String(value); null/undefined return ''.
+ *
+ * @param {unknown} text
+ * @returns {string}
+ */
+export function redactSecrets(text) {
+  if (text == null) return '';
+  let s = String(text);
+  for (const { re, sub } of PATTERNS) {
+    s = s.replace(re, sub);
+  }
+  return s;
+}
+
+/**
+ * Build the public MCP error envelope for an arbitrary thrown value. The
+ * server-side stderr keeps the full trace for operator debugging; the
+ * JSON-RPC client receives only `{error, code}` — no trace field is emitted.
+ *
+ * Preserves err.code when present (Phase 83.03 added `EMANIFESTMISMATCH`;
+ * downstream callers can keep dispatching on that code).
+ *
+ * @param {unknown} err
+ * @returns {{ error: string, code: string }}
+ */
+export function sanitizeMcpError(err) {
+  const msg = err && typeof err === 'object' && 'message' in err
+    ? err.message
+    : err;
+  return {
+    error: redactSecrets(msg ?? 'unknown error'),
+    code:  (err && typeof err === 'object' && err.code) ? err.code : 'MCP_INTERNAL_ERROR',
+  };
+}

package/src/core/gate-runner.js

@@ -132,9 +132,17 @@ function extractCodeBlocks(text) {
 // --- exec ---
 
 async function execScript(script, cwd) {
-  // Write to a temp file and run with bash. We don't try to inline -c because
-  // the scripts can be multiline and contain quoting we'd have to escape.
-  const tmp = path.join(os.tmpdir(), `kit-gate-${Date.now()}-${Math.random().toString(36).slice(2)}.sh`);
+  // SEC-14-04: use mkdtemp for crypto-safe random directory naming, write the
+  // script INSIDE it, then cleanup recursive. Predictable timestamp+rand-suffix
+  // filenames are unsafe in multi-user /tmp — attacker can pre-create a symlink
+  // at the predicted path before fs.writeFile, and `spawn(bash, [tmp])` would
+  // execute the symlink target. mkdtemp uses the OS-level mkdtemp(3) syscall
+  // (POSIX) / equivalent (Windows) which atomically creates a directory with
+  // a random suffix and returns the actual path. The new dir gets 0700 from
+  // process umask on POSIX (umask 022 → 0700; default Node runtime). Even if
+  // umask is permissive, the script file inside is written with mode 0o700.
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'kit-gate-'));
+  const tmp = path.join(dir, 'gate.sh');
   await fs.writeFile(tmp, script, { encoding: 'utf8', mode: 0o700 });
   try {
     const child = spawn('bash', [tmp], { cwd, env: process.env });
@@ -151,7 +159,11 @@ async function execScript(script, cwd) {
       stderr: Buffer.concat(stderrOut).toString('utf8'),
     };
   } finally {
-    await fs.unlink(tmp).catch(() => {});
+    // Recursive cleanup — even if spawn errored above, the dir gets removed.
+    // force:true swallows ENOENT (e.g. if script self-deleted). recursive:true
+    // walks the dir; even if the gate body wrote temp files inside cwd, cwd is
+    // separate from `dir` so we won't blast user files.
+    await fs.rm(dir, { recursive: true, force: true }).catch(() => {});
   }
 }