@ps-neko/nekowork 0.1.0-alpha.1 → 0.1.0-alpha.2

package/CLAUDE.md

@@ -8,7 +8,7 @@
 
 ## 자동 갱신 영역
 
-<!-- HARNESS:START version=0.1.0-alpha.1 -->
+<!-- HARNESS:START version=0.1.0-alpha.2 -->
 <!-- 이 영역은 scripts/sync-claude-md.js 가 자동 갱신한다. 직접 편집 금지. -->
 
 ## 카탈로그 요약

package/README.md

@@ -20,10 +20,14 @@ NEKOWORK is not meant to become a large agent pack. Skills, hooks, profiles, and
 
 NEKOWORK intentionally keeps the catalog selective. Every agent, skill, hook, profile, module, and pack must preserve the verification loop.
 
-**Public alpha evidence:** 7 packs · 9 profiles · 36 components · 5 harness targets · 6 case-study flows · 245 tests · 0 moderate+ npm audit issues
+**Public alpha evidence:** 7 packs / 9 profiles / 36 components / 5 harness targets / 6 case-study flows / 245 tests / 0 moderate+ npm audit issues / fresh `npx @alpha` smoke
 
 NEKOWORK does not automatically commit, push, publish, deploy, or apply diffs. `apply` is explicit and requires verified ship-ready evidence.
 
+**One-minute demo:** [terminal transcript](docs/DEMO.md#one-minute-terminal-transcript) / [full report example](docs/DEMO-REPORT.md) / [alpha feedback](https://github.com/Ps-Neko/NEKOWORK/issues/new?template=alpha-feedback.yml) / [roadmap](docs/ROADMAP.md)
+
+![NEKOWORK one-minute terminal demo](docs/assets/demo-terminal.svg)
+
 ## Example Report
 
 `report` is the main trust surface. It turns session evidence into a readable `REPORT.md`:
@@ -70,11 +74,11 @@ NEKOWORK is for teams that want AI-assisted development without making the agent
 
 ## Status
 
-- Current repository version: `0.1.0-alpha.1` alpha candidate
+- Current repository version: `0.1.0-alpha.2`
 - Current package name: `@ps-neko/nekowork`
-- npm publishing: `@ps-neko/nekowork@alpha` is currently `0.1.0-alpha.0`; `0.1.0-alpha.1` publish is prepared and awaiting owner OTP/web auth
+- Current npm alpha: `@ps-neko/nekowork@0.1.0-alpha.2`
 - Supported install path today: npm alpha, clone, submodule, or local repository integration
-- Dist-tag note: `alpha` is published; `latest` also points at the first alpha because it is the only published version
+- Dist-tag note: use `@alpha` until a stable release; `latest` still points at the first alpha line
 - Default mode: mock providers, no API keys, no provider CLI calls
 
 Current local verification:
@@ -83,6 +87,7 @@ Current local verification:
 - `npm test`: 245 tests pass
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
+- `npx -y @ps-neko/nekowork@alpha doctor --quick`: pass with warnings only
 
 ## Case-study Evidence
 
@@ -333,7 +338,7 @@ npm run security:hardening
 npm pack --dry-run --json
 ```
 
-`npm pack --dry-run --json` currently produces a package named like `ps-neko-nekowork-0.1.0-alpha.1.tgz`. It does not publish.
+`npm pack --dry-run --json` currently produces a package named like `ps-neko-nekowork-0.1.0-alpha.2.tgz`. It does not publish.
 
 ## Documentation
 
@@ -341,6 +346,7 @@ npm pack --dry-run --json
 - [docs/WHY-NEKOWORK.md](docs/WHY-NEKOWORK.md) - comparison and product positioning
 - [docs/CATALOG-PACKS.md](docs/CATALOG-PACKS.md) - curated catalog, official packs, and case-study evidence
 - [docs/PUBLISH-ALPHA.md](docs/PUBLISH-ALPHA.md) - public npm alpha release plan
+- [docs/ROADMAP.md](docs/ROADMAP.md) - small alpha roadmap and non-goals
 - [docs/INTERNAL-PROVIDER.md](docs/INTERNAL-PROVIDER.md) - private command adapter protocol
 - [docs/DEMO.md](docs/DEMO.md) - sample command output and generated files
 - [docs/DEMO-REPORT.md](docs/DEMO-REPORT.md) - readable session report UX

package/agent.yaml

@@ -1,7 +1,7 @@
 spec_version: gitagent/0.1.0
 name: nekowork
 runtime_name: harness
-version: 0.1.0-alpha.1
+version: 0.1.0-alpha.2
 description: "NEKOWORK HARNESS - Local-first multi-AI development verification runtime"
 license: MIT
 homepage: https://github.com/Ps-Neko/NEKOWORK

package/docs/ARCHITECTURE.md

@@ -202,8 +202,8 @@ Builders project the catalog into tool-specific files:
 
 ## Release State
 
-The current release line is `0.1.0-alpha.1`:
+The current release line is `0.1.0-alpha.2`:
 
 - Repository and GitHub tarball release are available.
 - Public npm alpha is published as `@ps-neko/nekowork@alpha`.
-- Clone, submodule, and local checkout integration remain the supported install paths until the package is published.
+- Clone, submodule, and local checkout integration remain supported for repository-pinned workflows.

package/docs/AUDIT.md

@@ -1,23 +1,24 @@
 # Audit
 
-Status date: 2026-05-07
+Status date: 2026-05-08
 
-This audit summarizes the current NEKOWORK state after preparing the `0.1.0-alpha.1` alpha candidate. It replaces the older week-by-week scratch audit, which contained stale planning notes and encoding damage.
+This audit summarizes the current NEKOWORK state after publishing the `0.1.0-alpha.2` public alpha. It replaces the older week-by-week scratch audit, which contained stale planning notes and encoding damage.
 
 ## Current Status
 
 | Area | Status | Notes |
 |---|---|---|
-| Package metadata | OK | `@ps-neko/nekowork@0.1.0-alpha.1`, `agent.yaml` uses `name: nekowork`, `runtime_name: harness` |
-| npm publish | WARN | `@ps-neko/nekowork@0.1.0-alpha.0` is published; `0.1.0-alpha.1` publish is prepared but requires owner OTP/web auth |
+| Package metadata | OK | `@ps-neko/nekowork@0.1.0-alpha.2`, `agent.yaml` uses `name: nekowork`, `runtime_name: harness` |
+| npm publish | OK | `@ps-neko/nekowork@alpha` points at `0.1.0-alpha.2` |
 | Source install | OK | Clone, local checkout, and submodule workflows are documented |
-| Public npm alpha | OK | `docs/PUBLISH-ALPHA.md` records the first alpha publish and the pending `0.1.0-alpha.1` publish attempt |
+| Public npm alpha | OK | `docs/PUBLISH-ALPHA.md` records the first alpha publish and the `0.1.0-alpha.2` alpha update |
 | CLI doctor | OK | `doctor`, `doctor --quick`, and `doctor --gemini-smoke` are available |
 | Provider auth | OK | Local delegated CLI auth is the default path |
 | Internal provider adapter | OK | `HARNESS_PROVIDER_OVERRIDE=internal` can call an explicit JSON command adapter without weakening gates |
 | Catalog | OK | 7 official packs, 11 agents, 10 skills, 5 hooks, 7 modules, 36 components, 9 profiles |
 | Multi-harness output | OK | Claude, Codex, Cursor, Gemini, and OpenCode builders are present |
 | Quick demo | OK | `npm run demo:quick` verifies the shortest no-API `doctor -> run -> report -> gate status` path |
+| Fresh npm alpha smoke | OK | CI runs `npx -y @ps-neko/nekowork@alpha doctor --quick --json` from a disposable directory |
 | Report UX | OK | `report` writes inspect-only `REPORT.md` and `report-summary.json` from session evidence |
 | External demo | OK | `npm run demo:external` verifies a disposable target project flow |
 | Third-party case studies | OK | `docs/case-studies/` records real public repository runs for npm package, auth boundary, and Python protocol targets |
@@ -29,7 +30,7 @@ This audit summarizes the current NEKOWORK state after preparing the `0.1.0-alph
 | Persistent wakeup | OK | `wait` resumes supported active sessions and blocks on `HUMAN_GATE` |
 | Generated docs | OK | CODEMAP output is stable ASCII and reproducible |
 | Tests | OK | Unit, integration, and e2e suites pass locally and in CI |
-| Release | WARN | `v0.1.0-alpha.0` prerelease exists; `v0.1.0-alpha.1` should be tagged after npm publish succeeds |
+| Release | OK | `v0.1.0-alpha.2` is tagged and published as a GitHub prerelease |
 
 ## Verification Gates
 
@@ -62,8 +63,9 @@ Current local result for this working tree:
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
 - `npm publish --dry-run --access public --tag alpha`: pass
-- `npm publish --access public --tag alpha`: `0.1.0-alpha.1` blocked by npm `EOTP` pending owner OTP/web auth
-- `npx -y @ps-neko/nekowork@alpha doctor --quick`: previously passed for `0.1.0-alpha.0` with WARN summary from Gemini auth not checked
+- `npm publish --access public --tag alpha`: `0.1.0-alpha.2` published
+- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.2`; `latest` remains `0.1.0-alpha.0`
+- `npx -y @ps-neko/nekowork@alpha doctor --quick`: passed for `0.1.0-alpha.2` with WARN summary from non-git project root and Gemini auth not checked
 
 ## Completed Work
 
@@ -91,14 +93,13 @@ Current local result for this working tree:
 - Official packs expose curated install shapes without creating a second safety model.
 - Checked-in example fixtures now cover financial UI, CI hardening, and quality lifecycle evidence flows.
 - Third-party case studies record NEKOWORK runs against `sindresorhus/is-plain-obj`, `jshttp/basic-auth`, and `python-hyper/h11`.
-- Public npm alpha `0.1.0-alpha.0` is published and smoke-tested through `npx`; `0.1.0-alpha.1` is prepared for owner-authenticated publish.
+- Public npm alpha `0.1.0-alpha.2` is published under the `alpha` dist-tag.
 
 ## Remaining Optional Work
 
 | Item | Priority | Reason |
 |---|---|---|
-| Publish `0.1.0-alpha.1` | High | Package is prepared and dry-run passes, but npm requires owner OTP/web auth |
-| Stable `latest` promotion | Medium | `alpha` is correct; npm also points `latest` at the only published version and rejected removal with `E400`, so move it to a stable version later |
+| Stable `latest` promotion | Medium | `alpha` is correct; npm keeps `latest` on the first alpha line for now, so move it to a stable version later |
 | More third-party case studies | Low | Three public repo case studies exist; more frameworks can still improve adoption evidence later |
 | More skill catalog expansion | Low | Catalog expansion should stay selective to preserve progressive disclosure |
 
@@ -116,7 +117,6 @@ Current external readiness, excluding broader adoption evidence: **9.1 / 10**.
 
 Main deductions:
 
-- `latest` currently points at the alpha because it is the only published version; docs still recommend `@alpha` until a stable release exists.
-- `0.1.0-alpha.1` publish requires owner OTP/web auth.
+- `latest` currently remains on the first alpha; docs still recommend `@alpha` until a stable release exists.
 - Three independent real-world external project case studies exist so far.
 - Advanced surfaces exist but are intentionally secondary to the public decomposed workflow and install flow.

package/docs/CHANGELOG.md

@@ -4,6 +4,21 @@
 
 ## [Unreleased]
 
+No unreleased changes yet.
+
+## [0.1.0-alpha.2] - 2026-05-08
+
+### Added
+- Add GitHub issue templates for alpha feedback and reproducible bug reports.
+- Add CI coverage for a fresh `npx @ps-neko/nekowork@alpha doctor --quick` smoke against the published alpha package.
+- Add an alpha.2 roadmap focused on release smoke evidence, demo assets, and external feedback.
+- Add a static terminal SVG for the one-minute README demo.
+
+### Changed
+- Make the published alpha smoke workflow compare against the registry's current `@alpha` version instead of a hard-coded alpha string.
+
+## [0.1.0-alpha.1] - 2026-05-07
+
 ### Added
 - Add `report` to write inspect-only `REPORT.md` and `report-summary.json` from session evidence.
 - Add official catalog packs as install aliases over safety-checked profiles.
@@ -15,7 +30,7 @@
 - Add a third-party `python-hyper/h11` Python protocol case study.
 - Add an opt-in internal provider command adapter.
 - Add the focused `acceptance-coverage` quality evidence skill.
-- Prepare public alpha `@ps-neko/nekowork@0.1.0-alpha.1` with the updated adapter, case study, and catalog evidence; actual npm publish requires owner OTP/web auth.
+- Publish public alpha `@ps-neko/nekowork@0.1.0-alpha.1` with the updated adapter, case study, catalog evidence, report sample, and demo transcript.
 - Add `npm run demo:external` to create a disposable target project and verify repository-based porting end to end.
 - Add `docs/EXAMPLE-PROJECT.md` and e2e coverage for the external project demo.
 - Add product principles and core invariants for the Claude work -> Codex verification -> Human Gate runtime.

package/docs/DEMO.md

@@ -25,6 +25,8 @@ Demo completed: verdict=approve_with_fixes, ship_ready=false, applied=false
 
 This transcript is the README-friendly demo path. It uses mock providers, so it is safe to run on a fresh checkout without Claude, Codex, Gemini, or API keys.
 
+![NEKOWORK one-minute terminal demo](assets/demo-terminal.svg)
+
 ```text
 $ npx -y @ps-neko/nekowork@alpha doctor --quick
 NEKOWORK doctor
@@ -141,7 +143,7 @@ project root : C:\path\to\harness
 
 STATUS  CHECK                   MESSAGE
 PASS    node                    Node 24.x
-PASS    package metadata        @ps-neko/nekowork@0.1.0-alpha.1; public alpha publish candidate
+PASS    package metadata        @ps-neko/nekowork@0.1.0-alpha.2; public alpha package
 PASS    git worktree            project root is inside a git worktree
 WARN    gemini cli              installed, auth status is not checked non-interactively
 

package/docs/EXAMPLE-PROJECT.md

@@ -87,6 +87,6 @@ demo-target/
 
 ## What This Does Not Prove
 
-- Public npm installation. The package metadata is ready, but publish execution still requires npm owner auth.
+- Public npm installation. This demo intentionally exercises the source-checkout path; run the npm install smoke separately for package resolution.
 - Live provider execution. Run live provider smoke checks separately after local CLI login.
 - A production rollout. Pin a release tag or submodule commit before using the tool in a shared workflow.

package/docs/PORTING.md

@@ -1,6 +1,6 @@
 # Porting NEKOWORK Into Another Project
 
-NEKOWORK `0.1.0-alpha.1` is the current repository candidate. The published `@ps-neko/nekowork@alpha` package remains `0.1.0-alpha.0` until owner-authenticated npm publish completes. Use a submodule or local checkout for repository-pinned workflows and examples.
+NEKOWORK `0.1.0-alpha.2` is the current repository version and the published `@ps-neko/nekowork@alpha` package. Use a submodule or local checkout for repository-pinned workflows and examples.
 
 ## Local Demo First
 

package/docs/PUBLISH-ALPHA.md

@@ -1,25 +1,40 @@
 # Public Alpha Publish Record
 
-NEKOWORK `0.0.3` stays a private/local alpha. The first npm release is the public alpha `0.1.0-alpha.0`; the current repository candidate is `0.1.0-alpha.1`.
+NEKOWORK `0.0.3` stays a private/local alpha. The first npm release is the public alpha `0.1.0-alpha.0`; the current public alpha is `0.1.0-alpha.2`.
 
 Do not publish from the `0.0.3` line.
 
-The repository metadata has been advanced to `0.1.0-alpha.1` with `private: false`. The `0.1.0-alpha.0` publish succeeded on 2026-05-07. The `0.1.0-alpha.1` publish dry-run passes, but actual publish requires owner OTP/web auth.
+The repository metadata has been advanced to `0.1.0-alpha.2` with `private: false`. The `0.1.0-alpha.0` publish succeeded on 2026-05-07. The `0.1.0-alpha.1` publish also succeeded on 2026-05-07. The `0.1.0-alpha.2` publish succeeded on 2026-05-08 and moved the `alpha` dist-tag forward.
+
+The matching Git tag and GitHub prerelease are published as `v0.1.0-alpha.2`:
+
+```text
+https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.2
+```
 
 ## Registry State
 
-Checked on 2026-05-07:
+Checked on 2026-05-08:
 
 ```text
 npm view @ps-neko/nekowork version --json
 -> 0.1.0-alpha.0
 ```
 
+The default version output follows `latest`, which is not the documented alpha install path.
+
+The current alpha install path points at the release line:
+
+```text
+npm view @ps-neko/nekowork@alpha version --json
+-> 0.1.0-alpha.2
+```
+
 Dist-tags:
 
 ```text
 npm view @ps-neko/nekowork dist-tags --json
--> { "alpha": "0.1.0-alpha.0", "latest": "0.1.0-alpha.0" }
+-> { "alpha": "0.1.0-alpha.2", "latest": "0.1.0-alpha.0" }
 ```
 
 The publish package shape has been checked:
@@ -29,43 +44,57 @@ npm publish --dry-run --access public --tag alpha
 -> pass
 ```
 
-The first alpha publish succeeded, and a duplicate publish attempt is correctly blocked:
+The first alpha publish succeeded, and duplicate publish attempts are correctly blocked:
 
 ```text
 npm publish --access public --tag alpha
 -> E403 previously published versions: 0.1.0-alpha.0
 ```
 
-The current alpha update is prepared with the same `alpha` dist-tag, but actual publish is blocked until owner OTP/web auth is completed:
+The alpha update was published with the same `alpha` dist-tag:
+
+```text
+npm publish --access public --tag alpha
+-> published 0.1.0-alpha.1
+```
+
+The second alpha update was also published with the same `alpha` dist-tag:
 
 ```text
 npm publish --access public --tag alpha
--> EOTP one-time password / web authentication required
+-> published 0.1.0-alpha.2
+```
+
+After publish:
+
+```text
+npm view @ps-neko/nekowork@0.1.0-alpha.2 version --json
+-> 0.1.0-alpha.2
 ```
 
 `npx` smoke passed:
 
 ```text
 npx -y @ps-neko/nekowork@alpha doctor --quick
--> WARN summary, 6 pass, 1 warn, 0 fail
+-> WARN summary, 5 pass, 2 warn, 0 fail
 ```
 
-The registry keeps `latest` on the first alpha. Attempts to remove it after 2FA returned `E400 Bad Request`:
+The registry keeps `latest` on the first alpha line. Attempts to remove it after 2FA returned `E400 Bad Request`:
 
 ```text
 npm dist-tag rm @ps-neko/nekowork latest
 -> E400 Bad Request
 ```
 
-Treat `latest` as an unavoidable first-alpha registry pointer for now. Do not promote it in docs as the stable path. When the first stable package is ready, publish or retag that stable version as `latest`.
+Treat `latest` as an unavoidable alpha-line registry pointer for now. Do not promote it in docs as the stable path. When the first stable package is ready, publish or retag that stable version as `latest`.
 
 ## Release Shape
 
-Prepared first public package:
+Published public alpha package:
 
 ```text
 name: @ps-neko/nekowork
-version: 0.1.0-alpha.1
+version: 0.1.0-alpha.2
 dist-tag: alpha
 bin: harness
 ```
@@ -80,10 +109,29 @@ Before publishing, explicitly confirm:
 - npm 2FA readiness
 - package name `@ps-neko/nekowork`
 - binary name `harness`
-- public alpha version `0.1.0-alpha.1`
+- public alpha version `0.1.0-alpha.2`
 - `private` removed or set to `false`
 - publish tag is `alpha`, not `latest`
 
+## Next Alpha Publish Checklist
+
+Use this checklist for `0.1.0-alpha.3` or any later alpha. Do not run it until the owner explicitly approves the publish.
+
+1. Confirm the candidate scope in [RELEASE-READINESS.md](RELEASE-READINESS.md).
+2. Move the intended changelog entries from `Unreleased` to the new version heading.
+3. Bump `package.json` to the approved alpha version.
+4. Run the required gates below.
+5. Inspect `npm pack --dry-run --json` and confirm issue templates, docs, examples, scripts, and assets are intentional.
+6. Confirm `npm whoami` is the owner account.
+7. Publish with `npm publish --access public --tag alpha`.
+8. Verify `npm view @ps-neko/nekowork@alpha version --json` returns the new version.
+9. Smoke test from a fresh directory with `npx -y @ps-neko/nekowork@alpha doctor --quick`.
+10. Create and push `v<version>`.
+11. Create a GitHub prerelease for `v<version>`.
+12. Update release docs from candidate/pending language to published language.
+
+Keep `latest` out of the public install path until a stable release exists.
+
 ## Required Gates
 
 Run:

package/docs/QUICKSTART.md

@@ -328,13 +328,13 @@ Remove-Item Env:GOOGLE_API_KEY -ErrorAction SilentlyContinue
 The public alpha is published as `@ps-neko/nekowork@alpha`:
 
 ```bash
-npm i --save-dev @ps-neko/nekowork
+npm i --save-dev @ps-neko/nekowork@alpha
 ```
 
 or:
 
 ```bash
-npm i -g @ps-neko/nekowork
+npm i -g @ps-neko/nekowork@alpha
 ```
 
 For alpha pinning, prefer:

package/docs/RELEASE-READINESS.md

@@ -1,24 +1,47 @@
 # Release Readiness
 
-Status date: 2026-05-07
+Status date: 2026-05-08
 
-NEKOWORK / HARNESS is release-ready for local use, repository-based installation, and public npm alpha installation. The repository is prepared for `0.1.0-alpha.1`; npm publish requires owner OTP/web auth.
+NEKOWORK / HARNESS is release-ready for local use, repository-based installation, and public npm alpha installation. The repository and npm alpha are both at `0.1.0-alpha.2`.
 
 ## Decision
 
 - Decision: do not publish 0.0.3 to npm.
-- Public alpha: `0.1.0-alpha.0`, published with `--tag alpha`.
+- Public alpha: `0.1.0-alpha.2`, published with `--tag alpha`.
 - `package.json` is set to `private: false` for the public alpha.
 - The canonical repo is `Ps-Neko/NEKOWORK`.
-- Current release track is `0.1.0-alpha.1` prepared; npm `@alpha` remains `0.1.0-alpha.0` until owner-authenticated publish completes.
+- Current release track is `0.1.0-alpha.2`; npm `@alpha` points at this version.
+- GitHub prerelease: `v0.1.0-alpha.2`.
 - Required local provider auth is delegated CLI auth, not long-lived API keys.
 - Core workflow invariant is Claude work -> Codex verification -> Human Gate.
 - Risk classifier, acceptance criteria artifacts, and profile safety validation are part of the release gate.
 - Remaining optional work is stable promotion and broader adoption evidence.
-- Public package metadata is published as `@ps-neko/nekowork@alpha`; `0.1.0-alpha.1` dry-run passes but actual publish is blocked by npm `EOTP` pending owner auth.
-- Dist-tag note: `latest` also points at the first alpha because it is the only published version; `npm dist-tag rm ... latest` returned `E400`.
+- Public package metadata is published as `@ps-neko/nekowork@alpha`.
+- Dist-tag note: `latest` remains on the first alpha line; use `@alpha` until a stable release exists.
 - See [PUBLISH-ALPHA.md](PUBLISH-ALPHA.md) for the public alpha checklist.
 
+GitHub Release:
+
+- https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.2
+
+## 0.1.0-alpha.2 Release Scope
+
+The `0.1.0-alpha.2` release scope is documentation, evidence, and feedback-loop hardening only:
+
+- fresh `npx @ps-neko/nekowork@alpha doctor --quick --json` smoke coverage in CI
+- static one-minute terminal demo SVG in README and `docs/DEMO.md`
+- alpha feedback and bug report issue forms
+- README evidence links for report, demo, feedback, and roadmap
+- no catalog expansion unless a new surface directly strengthens verification evidence
+
+Release exit criteria:
+
+- required gates below pass locally
+- `published-alpha-smoke` passes in GitHub Actions
+- `npm pack --dry-run --json` contains only intended files
+- changelog `0.1.0-alpha.2` entries match the release contents
+- `latest` remains documented as non-stable; install examples continue to use `@alpha`
+
 ## Required Gates
 
 Run these before a release tag or public package decision:
@@ -51,8 +74,10 @@ Current local verification after the decomposed workflow expansion:
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
 - `npm publish --dry-run --access public --tag alpha`: pass
-- `npm publish --access public --tag alpha`: `0.1.0-alpha.1` blocked by npm `EOTP` pending owner OTP/web auth
-- `npx -y @ps-neko/nekowork@alpha doctor --quick`: previously passed for `0.1.0-alpha.0` with WARN summary from Gemini auth not checked
+- `npm publish --access public --tag alpha`: `0.1.0-alpha.2` published
+- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.2`; `latest` remains `0.1.0-alpha.0`
+- `npx -y @ps-neko/nekowork@alpha doctor --quick`: passed for `0.1.0-alpha.2` with WARN summary from non-git project root and Gemini auth not checked
+- GitHub Actions `published-alpha-smoke`: validates the fresh `npx @alpha` path against the published package
 
 ## Install Smoke
 
@@ -131,11 +156,11 @@ Expected target outputs:
 
 ## Public npm Checklist
 
-Already completed for the first public alpha. Repeat the owner-authenticated publish step for `0.1.0-alpha.1`:
+Already completed for `0.1.0-alpha.2`. Repeat this checklist for the next public alpha:
 
 1. Confirm the npm package name is still `@ps-neko/nekowork`.
 2. Confirm the `harness` binary is still intentional.
-3. Confirm the public alpha version is `0.1.0-alpha.1`.
+3. Bump `package.json` to the next public alpha version only when publish is approved.
 4. Run the required gates above.
 5. Inspect `npm pack --dry-run --json` and confirm only intended files are included.
 6. Confirm npm account access and 2FA readiness with `npm whoami`.

package/docs/ROADMAP.md

@@ -0,0 +1,41 @@
+# Roadmap
+
+Status date: 2026-05-08
+
+This roadmap is intentionally small. NEKOWORK should improve the evidence surface before expanding the agent catalog.
+
+## 0.1.0-alpha.2
+
+Status: released.
+
+Goal: make the published package and first-run story easier to trust from the outside.
+
+Planned scope:
+
+- Keep fresh `npx @ps-neko/nekowork@alpha doctor --quick` smoke coverage in CI.
+- Keep the generated terminal SVG for the one-minute demo path.
+- Keep README focused on evidence, report output, Human Gate, and explicit apply.
+- Keep the external feedback path for alpha users to paste `doctor --quick --json` and `REPORT.md` summaries.
+- Preserve the current catalog size unless a new agent, skill, hook, or pack directly strengthens verification evidence.
+
+## 0.1.0-alpha.3 Candidate
+
+Goal: gather external feedback and keep the release path boring.
+
+Candidate scope:
+
+- Keep `@alpha` smoke evidence green across local and GitHub Actions gates.
+- Add one more third-party case study only if it demonstrates a new risk class.
+- Improve feedback triage docs once alpha users file real reports.
+- Avoid provider/API-key-first setup changes unless they preserve delegated local auth as the default.
+
+Non-goals:
+
+- No stable `latest` promotion.
+- No automatic commit, push, publish, deploy, or apply.
+- No bulk import of external agent packs.
+- No API-key-first provider setup.
+
+## Stable Release Track
+
+Promote a stable release only after the alpha install path has repeated smoke evidence, external feedback, and no known moderate+ audit issues. Until then, docs should keep recommending `@alpha`.

package/docs/RUNBOOK.md

@@ -92,7 +92,7 @@ Do not run this checklist unless public publish is explicitly approved.
 5. Confirm npm identity with `npm whoami`.
 6. Confirm account 2FA readiness.
 7. Confirm `private: false`.
-8. Confirm the public alpha version, for example `0.1.0-alpha.1`.
+8. Confirm the public alpha version, for example `0.1.0-alpha.2`.
 9. Run `npm publish --access public --tag alpha`.
 10. Update README, Quickstart, Changelog, and release notes from "future npm path" to "published npm path".
 

package/docs/SETUP.md

@@ -2,7 +2,7 @@
 
 Start with [QUICKSTART.md](QUICKSTART.md) if this is your first run. This page is the deeper contributor setup guide.
 
-NEKOWORK `0.1.0-alpha.1` is the current repository candidate. The published `@ps-neko/nekowork@alpha` package remains `0.1.0-alpha.0` until owner-authenticated npm publish completes. Use a source checkout, submodule, or local repository integration when you need examples, tests, or repository-pinned workflows.
+NEKOWORK `0.1.0-alpha.2` is the current repository version and the published `@ps-neko/nekowork@alpha` package. Use a source checkout, submodule, or local repository integration when you need examples, tests, or repository-pinned workflows.
 
 ## Requirements
 

package/docs/assets/demo-terminal.svg

@@ -0,0 +1,41 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="960" height="610" viewBox="0 0 960 610" role="img" aria-labelledby="title desc">
+  <title id="title">NEKOWORK one-minute terminal demo</title>
+  <desc id="desc">Terminal transcript showing npx alpha doctor, quick demo, and report output.</desc>
+  <defs>
+    <linearGradient id="frame" x1="0" y1="0" x2="1" y2="1">
+      <stop offset="0" stop-color="#101820"/>
+      <stop offset="1" stop-color="#18252f"/>
+    </linearGradient>
+    <filter id="shadow" x="-10%" y="-10%" width="120%" height="130%">
+      <feDropShadow dx="0" dy="18" stdDeviation="18" flood-color="#091018" flood-opacity="0.28"/>
+    </filter>
+  </defs>
+  <rect width="960" height="610" rx="0" fill="#eef2f5"/>
+  <g filter="url(#shadow)">
+    <rect x="40" y="36" width="880" height="538" rx="8" fill="url(#frame)"/>
+    <rect x="40" y="36" width="880" height="42" rx="8" fill="#24313b"/>
+    <rect x="40" y="69" width="880" height="9" fill="#24313b"/>
+    <circle cx="66" cy="57" r="6" fill="#ef6a5f"/>
+    <circle cx="86" cy="57" r="6" fill="#f4bd4f"/>
+    <circle cx="106" cy="57" r="6" fill="#61c554"/>
+    <text x="480" y="62" text-anchor="middle" font-family="Consolas, Menlo, monospace" font-size="13" fill="#c8d2dc">NEKOWORK alpha smoke</text>
+  </g>
+  <g font-family="Consolas, Menlo, monospace" font-size="18">
+    <text x="72" y="114" fill="#7ee787">$ npx -y @ps-neko/nekowork@alpha doctor --quick</text>
+    <text x="72" y="147" fill="#d7e3ec">NEKOWORK doctor</text>
+    <text x="72" y="179" fill="#8fb3c8">STATUS  CHECK              MESSAGE</text>
+    <text x="72" y="211" fill="#9be9a8">PASS    node               Node 22+</text>
+    <text x="72" y="243" fill="#9be9a8">PASS    package metadata   @ps-neko/nekowork@0.1.0-alpha.2</text>
+    <text x="72" y="275" fill="#9be9a8">PASS    api key env        no delegated-provider API key overrides</text>
+    <text x="72" y="307" fill="#ffd166">WARN    gemini cli         auth status is not checked non-interactively</text>
+    <text x="72" y="339" fill="#d7e3ec">summary: WARN (5 pass, 2 warn, 0 fail)</text>
+
+    <text x="72" y="387" fill="#7ee787">$ npm run demo:quick -- --cleanup</text>
+    <text x="72" y="419" fill="#d7e3ec">NEKOWORK quick run demo</text>
+    <text x="72" y="451" fill="#9be9a8">doctor OK  /  run workflow OK  /  report OK  /  gate status OK</text>
+    <text x="72" y="483" fill="#d7e3ec">Demo completed: verdict=approve_with_fixes, ship_ready=false, applied=false</text>
+
+    <text x="72" y="531" fill="#7ee787">$ node scripts/cli.js report --session quick-demo --stdout</text>
+    <text x="72" y="563" fill="#d7e3ec">Status: no_ship  /  Human gate: clear  /  Evidence: work, verify, ship</text>
+  </g>
+</svg>

package/docs/workflows-stash/harness-validate.yml

@@ -1,7 +1,5 @@
 name: harness-validate
 
-# 매 push / PR 마다 매니페스트·카탈로그·테스트 빠른 검증. 5분 이내 완료 목표.
-
 on:
   push:
   pull_request:
@@ -10,18 +8,51 @@ permissions:
   contents: read
 
 jobs:
+  published-alpha-smoke:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+
+      - name: Fresh npx alpha doctor smoke
+        shell: bash
+        run: |
+          set -euo pipefail
+          workdir="$RUNNER_TEMP/nekowork-alpha-smoke"
+          mkdir -p "$workdir"
+          cd "$workdir"
+          npx -y @ps-neko/nekowork@alpha doctor --quick --json > doctor.json
+          node <<'NODE'
+          const { execSync } = require('node:child_process');
+          const fs = require('node:fs');
+          const report = JSON.parse(fs.readFileSync('doctor.json', 'utf8'));
+          const expectedVersion = JSON.parse(execSync('npm view @ps-neko/nekowork@alpha version --json', { encoding: 'utf8' }));
+          const metadata = report.checks.find((check) => check.name === 'package metadata');
+          if (report.summary.fail !== 0) {
+            throw new Error(`doctor reported ${report.summary.fail} failure(s)`);
+          }
+          if (!metadata || !metadata.message.includes(`@ps-neko/nekowork@${expectedVersion}`)) {
+            throw new Error(`unexpected package metadata: ${metadata?.message || '<missing>'}`);
+          }
+          console.log(`published alpha smoke: ${metadata.message}`);
+          NODE
+
   validate:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v5
+
       - uses: actions/setup-node@v6
         with:
           node-version: '22'
-          cache: 'npm'
+          cache: npm
+
       - run: npm ci --no-audit --no-fund
 
-      - name: 매니페스트·카탈로그 검증
+      - name: Validate manifests and catalog
         run: |
           node scripts/install-plan.js --profile core --verbose
           node scripts/install-plan.js --profile developer
@@ -31,14 +62,16 @@ jobs:
           node scripts/ci/catalog.js
           node scripts/ci/check-markers.js
 
-      - name: 단위 테스트
-        run: |
-          npm test
+      - name: Security hardening gate
+        run: npm run security:hardening
+
+      - name: Unit and integration tests
+        run: npm test
 
-      - name: 의존성 감사
+      - name: Dependency audit
         run: npm audit --audit-level=moderate
 
-      - name: 빌드 산출물
+      - name: Build projections
         run: |
           node scripts/build-claude.js
           node scripts/build-codex.js

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ps-neko/nekowork",
-  "version": "0.1.0-alpha.1",
+  "version": "0.1.0-alpha.2",
   "description": "Local-first AI development harness for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "claude",

package/scripts/doctor.js

@@ -130,7 +130,7 @@ function checkPackageMetadata(root) {
       return pass('package metadata', `${pkg.name}@${pkg.version}; private publish disabled`);
     }
     if (pkg.private === false && isPublicAlphaVersion(pkg.version)) {
-      return pass('package metadata', `${pkg.name}@${pkg.version}; public alpha publish candidate`);
+      return pass('package metadata', `${pkg.name}@${pkg.version}; public alpha package`);
     }
     return warn('package metadata', `${pkg.name}@${pkg.version}; publish guard is not explicit`);
   } catch (error) {