@ps-neko/nekowork 0.1.0-alpha.3 → 0.1.0-alpha.5

package/CLAUDE.md

@@ -8,7 +8,7 @@
 
 ## 자동 갱신 영역
 
-<!-- HARNESS:START version=0.1.0-alpha.3 -->
+<!-- HARNESS:START version=0.1.0-alpha.5 -->
 <!-- 이 영역은 scripts/sync-claude-md.js 가 자동 갱신한다. 직접 편집 금지. -->
 
 ## 카탈로그 요약

package/README.md

@@ -30,10 +30,12 @@ NEKOWORK is intentionally not a 100-agent pack. Every agent, skill, hook, profil
 3. produce auditable evidence,
 4. respect Human Gate.
 
-**Public alpha evidence:** 7 packs / 9 profiles / 36 components / 5 harness targets / 7 case-study flows / 251 tests / 0 moderate+ npm audit issues / fresh `npx @alpha` smoke
+**Public alpha evidence:** 7 packs / 9 profiles / 36 components / 5 harness targets / 7 case-study flows / 253 tests / 0 moderate+ npm audit issues / fresh `npx @alpha` smoke
 
 NEKOWORK does not automatically commit, push, publish, deploy, or apply diffs. `apply` is explicit and requires verified ship-ready evidence.
 
+**Latest alpha evidence:** [CI badge](https://github.com/Ps-Neko/NEKOWORK/actions/workflows/harness-validate.yml) / [npm package](https://www.npmjs.com/package/@ps-neko/nekowork) / [smoke transcript](docs/DEMO.md#one-minute-terminal-transcript) / [report artifact](docs/DEMO-REPORT.md)
+
 **One-minute demo:** [terminal transcript](docs/DEMO.md#one-minute-terminal-transcript) / [full report example](docs/DEMO-REPORT.md) / [alpha feedback](https://github.com/Ps-Neko/NEKOWORK/issues/new?template=alpha-feedback.yml) / [roadmap](docs/ROADMAP.md)
 
 ![NEKOWORK one-minute terminal demo](docs/assets/demo-terminal.svg)
@@ -57,10 +59,11 @@ node scripts/cli.js gate status --session first-run
 
 The simple path maps to the full evidence loop: `check = doctor --quick`, and `run = work -> verify -> ship`.
 
-To add generated harness surfaces to another local repository from a source checkout:
+To add generated harness surfaces to another local repository:
 
 ```bash
-node /path/to/harness/scripts/cli.js init --profile developer --project-root /path/to/my-project
+cd /path/to/my-project
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root .
 ```
 
 ## Example Report
@@ -106,6 +109,22 @@ Decision:
 
 Human Gate is the point where NEKOWORK stops being an autopilot and becomes an approval system.
 
+## Apply Preview
+
+Before `apply`, NEKOWORK expects the human to inspect the evidence surface:
+
+```text
+Session: first-work
+Diff source: captured live-work diff
+Files changed: 3
+Verifier verdict: approve
+Human gate: clear
+Ship ready: true
+Apply command: node scripts/cli.js apply --session first-work
+```
+
+`apply` still does not commit, push, publish, deploy, or create a PR. It only applies the verified `SHIP_READY` diff when gates are clear and the target worktree is clean.
+
 ## Compared With Agent Packs
 
 | Tool pattern | Optimizes for | NEKOWORK optimizes for |
@@ -125,6 +144,8 @@ Human Gate is the point where NEKOWORK stops being an autopilot and becomes an a
 | Run autonomous multi-agent execution | OMC |
 | Verify AI changes, require human approval, then apply explicitly | NEKOWORK |
 
+Use Superpowers, Everything Claude Code, GStack, or OMC to produce stronger AI work when they fit your workflow. Use NEKOWORK to verify, gate, report, and apply that work safely.
+
 ## Three Paths
 
 Most users should start with the Beginner path. The other paths are for explicit phase control or legacy compatibility.
@@ -139,9 +160,11 @@ NEKOWORK is for teams that want AI-assisted development without making the agent
 
 ## Status
 
-- Current repository version: `0.1.0-alpha.3`
+- Current repository version: `0.1.0-alpha.5`
 - Current package name: `@ps-neko/nekowork`
-- Current npm alpha: `@ps-neko/nekowork@0.1.0-alpha.3`
+- Published CLI name: `harness`; repository candidate also exposes `nekowork`
+- Current npm alpha: `@ps-neko/nekowork@0.1.0-alpha.4`
+- Next repository candidate: `0.1.0-alpha.5`; publish attempted, but npm rejected the current account with `E404` permission/not-found
 - Supported install path today: npm alpha, clone, submodule, or local repository integration
 - Dist-tag note: use `@alpha` until a stable release; `latest` still points at the first alpha line
 - Default mode: mock providers, no API keys, no provider CLI calls
@@ -149,7 +172,7 @@ NEKOWORK is for teams that want AI-assisted development without making the agent
 Current local verification:
 
 - `npm run lint`: pass
-- `npm test`: 251 tests pass
+- `npm test`: 253 tests pass
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
 - `npx -y @ps-neko/nekowork@alpha check`: pass with warnings only
@@ -178,21 +201,11 @@ Current local verification:
 | `release` | ship/no-ship evidence | pre-release checks |
 | `enterprise` | full catalog with all gates | high-control teams |
 
-## Quick Start
-
-Requirements:
+## Quick Start Details
 
-- Node.js 22+
-- npm
-- git
+Requirements: Node.js 22+, npm, and git.
 
-Fastest no-API demo:
-
-```bash
-npx -y @ps-neko/nekowork@alpha check
-```
-
-Repository demo:
+For a repository-pinned local demo:
 
 ```bash
 git clone https://github.com/Ps-Neko/NEKOWORK.git harness
@@ -203,40 +216,13 @@ npm run demo:quick -- --cleanup
 
 This creates a disposable target project and runs `doctor -> run -> report -> gate status`. It uses mock providers and does not call Claude, Codex, Gemini, or paid APIs.
 
-Recommended path for most users:
+To initialize another local repository with the published alpha:
 
 ```bash
-git clone https://github.com/Ps-Neko/NEKOWORK.git harness
-cd harness
-npm ci
-node scripts/cli.js check
-node scripts/cli.js run "implement, verify, and prepare ship readiness" --session first-run
-node scripts/cli.js report --session first-run
-node scripts/cli.js gate status --session first-run
+cd /path/to/my-project
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root .
 ```
 
-`run` executes `work -> verify -> ship`. `report` turns the session evidence into a readable `REPORT.md`. It does not apply by default. `apply` is always explicit and requires a verified `SHIP_READY` live-work diff.
-
-To initialize another local repository from this checkout:
-
-```bash
-node /path/to/harness/scripts/cli.js init --profile developer --project-root /path/to/my-project
-```
-
-Advanced path:
-
-```text
-ask -> plan -> team -> work -> verify -> gate -> ship -> report -> apply
-```
-
-Legacy compatibility smoke:
-
-```bash
-node scripts/cli.js review "check the project setup" --no-ship --session first-smoke
-```
-
-The default review path uses mock providers, so it does not need API keys or provider CLIs.
-
 For the fuller first-run guide, see [docs/QUICKSTART.md](docs/QUICKSTART.md).
 
 For the trust and recovery model, see [Safety Guarantees](docs/SAFETY-GUARANTEES.md), [Failure Modes](docs/FAILURE-MODES.md), [Trust Model](docs/TRUST-MODEL.md), and [Why Not Autopilot](docs/WHY-NOT-AUTOPILOT.md).
@@ -249,7 +235,7 @@ npm run demo:external
 
 To inspect small case-study targets, see [examples/trading-dashboard-mock](examples/trading-dashboard-mock), [examples/github-actions-hardening](examples/github-actions-hardening), [examples/quality-lifecycle-smoke](examples/quality-lifecycle-smoke), and [docs/case-studies](docs/case-studies). They demonstrate financial UI, CI workflow, quality lifecycle, npm package, auth parser, Python protocol library, and environment configuration flows while still preserving Codex verification, Human Gate policy, and explicit apply control.
 
-## What You Get
+## Output Shape
 
 ```text
 doctor ... OK
@@ -266,17 +252,14 @@ Outputs are written under:
 .harness/state/sessions/<session-id>/REPORT.md
 ```
 
-## Use It In Another Project
-
-Recommended repository install shape:
+## Repository-Pinned Install
 
 ```bash
 cd <target-project>
 git submodule add https://github.com/Ps-Neko/NEKOWORK.git .harness-tool
 node .harness-tool/scripts/portability/simulate-port.js . --profile developer --verbose
 node .harness-tool/scripts/install-apply.js --profile developer --project-root .
-node .harness-tool/scripts/cli.js doctor --project-root . --quick
-node .harness-tool/scripts/cli.js plan "first NEKOWORK smoke" --project-root .
+node .harness-tool/scripts/cli.js check --project-root .
 ```
 
 The HARNESS tool root stays in `.harness-tool/`. Session state, generated harness files, and git work happen in the target project root.
@@ -411,7 +394,7 @@ npm run security:hardening
 npm pack --dry-run --json
 ```
 
-`npm pack --dry-run --json` currently produces a package named like `ps-neko-nekowork-0.1.0-alpha.3.tgz`. It does not publish.
+`npm pack --dry-run --json` currently produces a package named like `ps-neko-nekowork-0.1.0-alpha.5.tgz`. It does not publish.
 
 ## Documentation
 

package/agent.yaml

@@ -1,7 +1,7 @@
 spec_version: gitagent/0.1.0
 name: nekowork
 runtime_name: harness
-version: 0.1.0-alpha.2
+version: 0.1.0-alpha.5
 description: "NEKOWORK HARNESS - Local-first multi-AI development verification runtime"
 license: MIT
 homepage: https://github.com/Ps-Neko/NEKOWORK

package/docs/ARCHITECTURE.md

@@ -202,8 +202,8 @@ Builders project the catalog into tool-specific files:
 
 ## Release State
 
-The current release line is `0.1.0-alpha.2`:
+The current repository candidate is `0.1.0-alpha.5`:
 
 - Repository and GitHub tarball release are available.
-- Public npm alpha is published as `@ps-neko/nekowork@alpha`.
+- Public npm alpha is published as `@ps-neko/nekowork@alpha` and currently points at `0.1.0-alpha.4`.
 - Clone, submodule, and local checkout integration remain supported for repository-pinned workflows.

package/docs/AUDIT.md

@@ -2,23 +2,23 @@
 
 Status date: 2026-05-08
 
-This audit summarizes the current NEKOWORK state after publishing the `0.1.0-alpha.3` public alpha. It replaces the older week-by-week scratch audit, which contained stale planning notes and encoding damage.
+This audit summarizes the current NEKOWORK state after preparing the `0.1.0-alpha.5` repository candidate. The public npm alpha currently remains on `0.1.0-alpha.4`.
 
 ## Current Status
 
 | Area | Status | Notes |
 |---|---|---|
-| Package metadata | OK | `@ps-neko/nekowork@0.1.0-alpha.3`, `agent.yaml` uses `name: nekowork`, `runtime_name: harness` |
-| npm publish | OK | `@ps-neko/nekowork@alpha` points at `0.1.0-alpha.3` |
+| Package metadata | OK | `@ps-neko/nekowork@0.1.0-alpha.5`, `agent.yaml` uses `name: nekowork`, `runtime_name: harness`, matching version, and `nekowork`/`harness` CLI bins |
+| npm publish | WARN | `@ps-neko/nekowork@alpha` points at `0.1.0-alpha.4`; `0.1.0-alpha.5` publish failed for the current account with npm `E404` permission/not-found |
 | Source install | OK | Clone, local checkout, and submodule workflows are documented |
-| Public npm alpha | OK | `docs/PUBLISH-ALPHA.md` records the first alpha publish and the `0.1.0-alpha.3` alpha update |
+| Public npm alpha | OK | `docs/PUBLISH-ALPHA.md` records alpha publishes through `0.1.0-alpha.4` and the pending `0.1.0-alpha.5` candidate |
 | CLI doctor/check | OK | `check`, `doctor`, `doctor --quick`, and `doctor --gemini-smoke` are available |
 | Provider auth | OK | Local delegated CLI auth is the default path |
 | Internal provider adapter | OK | `HARNESS_PROVIDER_OVERRIDE=internal` can call an explicit JSON command adapter without weakening gates |
 | Catalog | OK | 7 official packs, 11 agents, 10 skills, 5 hooks, 7 modules, 36 components, 9 profiles |
 | Multi-harness output | OK | Claude, Codex, Cursor, Gemini, and OpenCode builders are present |
 | Quick demo | OK | `npm run demo:quick` verifies the shortest no-API `doctor -> run -> report -> gate status` path |
-| Fresh npm alpha smoke | OK | CI runs `npx -y @ps-neko/nekowork@alpha doctor --quick --json` from a disposable directory |
+| Fresh npm alpha smoke | OK | CI runs `npx -y @ps-neko/nekowork@alpha check --json` from a disposable directory |
 | Report UX | OK | `report` writes inspect-only `REPORT.md` and `report-summary.json` from session evidence |
 | External demo | OK | `npm run demo:external` verifies a disposable target project flow |
 | Third-party case studies | OK | `docs/case-studies/` records real public repository runs for npm package, auth boundary, Python protocol, and environment configuration targets |
@@ -30,7 +30,7 @@ This audit summarizes the current NEKOWORK state after publishing the `0.1.0-alp
 | Persistent wakeup | OK | `wait` resumes supported active sessions and blocks on `HUMAN_GATE` |
 | Generated docs | OK | CODEMAP output is stable ASCII and reproducible |
 | Tests | OK | Unit, integration, and e2e suites pass locally and in CI |
-| Release | OK | `v0.1.0-alpha.3` is tagged and published as a GitHub prerelease |
+| Release | WARN | Tags and GitHub prereleases exist through `v0.1.0-alpha.4`; do not create `v0.1.0-alpha.5` until npm publish succeeds |
 
 ## Verification Gates
 
@@ -55,7 +55,7 @@ Current local result for this working tree:
 - `npm run test:unit`: covered by full `npm test`
 - `npm run validate:all`: pass
 - `npm run lint`: pass
-- `npm test`: 251 tests pass
+- `npm test`: 253 tests pass
 - quick run demo: pass through `npm run demo:quick -- --cleanup`
 - external project e2e smoke: pass through `npm test`
 - `node scripts/sync-claude-md.js --check`: pass
@@ -63,9 +63,9 @@ Current local result for this working tree:
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
 - `npm publish --dry-run --access public --tag alpha`: pass
-- `npm publish --access public --tag alpha`: `0.1.0-alpha.3` published
-- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.3`; `latest` remains `0.1.0-alpha.0`
-- `npx -y @ps-neko/nekowork@alpha check`: passed for `0.1.0-alpha.3` with WARN summary from non-git project root and Gemini auth not checked
+- `npm publish --access public --tag alpha`: `0.1.0-alpha.5` failed with npm `E404` permission/not-found for the current account
+- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.4`; `latest` remains `0.1.0-alpha.0`
+- `npx -y @ps-neko/nekowork@alpha doctor --quick`: passed for `0.1.0-alpha.4` with WARN summary from Gemini auth not checked
 
 ## Completed Work
 
@@ -93,7 +93,7 @@ Current local result for this working tree:
 - Official packs expose curated install shapes without creating a second safety model.
 - Checked-in example fixtures now cover financial UI, CI hardening, and quality lifecycle evidence flows.
 - Third-party case studies record NEKOWORK runs against `sindresorhus/is-plain-obj`, `jshttp/basic-auth`, `python-hyper/h11`, and `motdotla/dotenv`.
-- Public npm alpha `0.1.0-alpha.3` is published under the `alpha` dist-tag.
+- Public npm alpha `0.1.0-alpha.4` is published under the `alpha` dist-tag. `0.1.0-alpha.5` remains a repository candidate until an owner account publishes it.
 
 ## Remaining Optional Work
 

package/docs/CATALOG-PACKS.md

@@ -20,7 +20,7 @@ Packs are public install aliases over validated profiles. They make the catalog
 5 hooks
 5 harness targets
 7 case-study flows
-251 tests
+253 tests
 ```
 
 Harness targets:

package/docs/CHANGELOG.md

@@ -7,6 +7,19 @@
 ### Added
 - No entries yet.
 
+### Changed
+- No entries yet.
+
+## [0.1.0-alpha.5] - Candidate
+
+### Added
+- Add release-surface version consistency coverage, bringing the suite to 253 tests.
+
+### Changed
+- Align published alpha smoke, feedback templates, and demo docs around the beginner `check` command.
+- Align `agent.yaml`, setup, porting, demo, and runbook release references with the package version.
+- Document `npx @alpha init --project-root .` as the shortest target-project install path.
+
 ## [0.1.0-alpha.3] - 2026-05-08
 
 ### Added

package/docs/CODEMAPS/tests.md

@@ -51,6 +51,7 @@ tests/
     |-- team.test.js
     |-- token-vault.test.js
     |-- verify.test.js
+    |-- version-consistency.test.js
     |-- wait.test.js
     `-- work.test.js
 ```
@@ -99,6 +100,7 @@ tests/
 | `unit/team.test.js` | _(none)_ |  |
 | `unit/token-vault.test.js` | _(none)_ |  |
 | `unit/verify.test.js` | _(none)_ |  |
+| `unit/version-consistency.test.js` | _(none)_ |  |
 | `unit/wait.test.js` | _(none)_ |  |
 | `unit/work.test.js` | _(none)_ |  |
 

package/docs/DEMO.md

@@ -8,7 +8,7 @@ This demo uses mock providers. It does not call Claude, Codex, Gemini, or paid A
 npm run demo:quick -- --cleanup
 ```
 
-This is the shortest demo path. It creates a disposable target project, runs `doctor --quick`, runs `run = work -> verify -> ship`, generates `REPORT.md`, checks `gate status`, and removes the target when `--cleanup` is set.
+This is the shortest demo path. It creates a disposable target project, runs `check`, runs `run = work -> verify -> ship`, generates `REPORT.md`, checks `gate status`, and removes the target when `--cleanup` is set.
 
 Expected shape:
 
@@ -28,7 +28,7 @@ This transcript is the README-friendly demo path. It uses mock providers, so it
 ![NEKOWORK one-minute terminal demo](assets/demo-terminal.svg)
 
 ```text
-$ npx -y @ps-neko/nekowork@alpha doctor --quick
+$ npx -y @ps-neko/nekowork@alpha check
 NEKOWORK doctor
 STATUS  CHECK              MESSAGE
 PASS    node               Node 22+
@@ -67,7 +67,7 @@ The quick demo writes:
 npm run demo:external
 ```
 
-This creates a tiny disposable target project, applies the `developer` profile, runs `doctor --quick`, and writes a planning session into the target project's `.harness/` directory. See [EXAMPLE-PROJECT.md](EXAMPLE-PROJECT.md) for details.
+This creates a tiny disposable target project, applies the `developer` profile, runs `check`, and writes a planning session into the target project's `.harness/` directory. See [EXAMPLE-PROJECT.md](EXAMPLE-PROJECT.md) for details.
 
 ## Command
 
@@ -143,7 +143,7 @@ project root : C:\path\to\harness
 
 STATUS  CHECK                   MESSAGE
 PASS    node                    Node 24.x
-PASS    package metadata        @ps-neko/nekowork@0.1.0-alpha.2; public alpha package
+PASS    package metadata        @ps-neko/nekowork@0.1.0-alpha.4; public alpha package
 PASS    git worktree            project root is inside a git worktree
 WARN    gemini cli              installed, auth status is not checked non-interactively
 

package/docs/FAILURE-MODES.md

@@ -84,7 +84,7 @@ Live mode can fail if local CLI auth is missing or expired. In that case, log in
 
 ## npm / npx Problems
 
-If `npx -y @ps-neko/nekowork@alpha doctor --quick` fails, capture:
+If `npx -y @ps-neko/nekowork@alpha check` fails, capture:
 
 - OS and shell
 - Node and npm versions

package/docs/FEEDBACK-TRIAGE.md

@@ -8,7 +8,7 @@ Use it for GitHub issues filed through:
 
 - Alpha feedback
 - Bug report
-- Direct maintainer notes that include `doctor --quick --json`, `REPORT.md`, or install output
+- Direct maintainer notes that include `check --json`, `REPORT.md`, or install output
 
 ## Triage Principles
 
@@ -22,7 +22,7 @@ Use it for GitHub issues filed through:
 
 | Class | Signals | First response |
 |---|---|---|
-| Install failure | `npx`, npm, Node version, package metadata, binary resolution | Ask for OS/shell, Node/npm, exact command, and `doctor --quick --json` |
+| Install failure | `npx`, npm, Node version, package metadata, binary resolution | Ask for OS/shell, Node/npm, exact command, and `check --json` |
 | Auth confusion | Claude/Codex/Gemini login status, API key warning, provider CLI path | Clarify delegated CLI auth and ask whether env API keys were set intentionally |
 | Evidence confusion | Missing `REPORT.md`, unclear verdict, no `NO_SHIP`, acceptance coverage confusion | Ask for session path and report summary; link report contract |
 | Safety concern | apply, commit, push, publish, deploy, secrets, destructive changes | Confirm no automatic mutation occurred; request redacted logs and gate/ship summaries |
@@ -38,7 +38,7 @@ An issue is actionable when it includes at least three of:
 - OS and shell
 - Node and npm versions
 - exact command
-- redacted `doctor --quick --json`
+- redacted `check --json`
 - redacted `REPORT.md` summary
 - session evidence file names, such as `verify-summary.json` or `ship-summary.json`
 - expected behavior and actual behavior
@@ -55,7 +55,7 @@ If the issue is about ship/apply safety, require:
 | Severity | Meaning | Examples |
 |---|---|---|
 | Critical | Safety invariant appears bypassed | automatic apply, publish, deploy, push, PR, or secret exposure |
-| High | First-run or release path is blocked for a supported setup | `npx @alpha doctor --quick` fails on supported Node/npm |
+| High | First-run or release path is blocked for a supported setup | `npx @alpha check` fails on supported Node/npm |
 | Medium | Important docs or workflow confusion with a workaround | unclear report output, install docs missing platform note |
 | Low | Enhancement or polish | copy edit, new example request, extra case-study suggestion |
 
@@ -66,7 +66,7 @@ Critical and high issues should keep `ship_ready=false` until reproduced or expl
 Start with the smallest command that matches the report:
 
 ```bash
-npx -y @ps-neko/nekowork@alpha doctor --quick --json
+npx -y @ps-neko/nekowork@alpha check --json
 ```
 
 For source checkout reports:
@@ -136,9 +136,9 @@ Next step:
 
 ## Alpha.3 Gate
 
-Do not publish `0.1.0-alpha.3` for feedback-only changes until:
+Do not publish a new alpha for feedback-only changes until:
 
 - `@alpha` smoke remains green
 - new feedback docs or templates are covered by tests
 - any release-blocker feedback is closed or documented as unresolved
-- changelog entries match the intended alpha.3 contents
+- changelog entries match the intended alpha contents

package/docs/PORTING.md

@@ -1,6 +1,6 @@
 # Porting NEKOWORK Into Another Project
 
-NEKOWORK `0.1.0-alpha.2` is the current repository version and the published `@ps-neko/nekowork@alpha` package. Use a submodule or local checkout for repository-pinned workflows and examples.
+NEKOWORK `0.1.0-alpha.5` is the current repository candidate. The published `@ps-neko/nekowork@alpha` package currently points at `0.1.0-alpha.4`. Use npm alpha for the shortest published install path, or use a submodule/local checkout for repository-pinned workflows and examples.
 
 ## Local Demo First
 
@@ -27,6 +27,16 @@ target-project/
 
 The tool root stays in `.harness-tool/`. Generated harness files, session state, and git-aware execution target the project root.
 
+## npm Alpha Install
+
+Use this when you want the shortest target-project install path:
+
+```bash
+cd <target-project>
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root .
+npx -y @ps-neko/nekowork@alpha check --project-root .
+```
+
 ## Submodule Install
 
 ```bash

package/docs/PUBLISH-ALPHA.md

@@ -1,15 +1,15 @@
 # Public Alpha Publish Record
 
-NEKOWORK `0.0.3` stays a private/local alpha. The first npm release is the public alpha `0.1.0-alpha.0`; the current public alpha is `0.1.0-alpha.3`.
+NEKOWORK `0.0.3` stays a private/local alpha. The first npm release is the public alpha `0.1.0-alpha.0`; the current public alpha is `0.1.0-alpha.4`. The current repository candidate is `0.1.0-alpha.5`.
 
 Do not publish from the `0.0.3` line.
 
-The repository metadata has been advanced to `0.1.0-alpha.3` with `private: false`. The `0.1.0-alpha.0` publish succeeded on 2026-05-07. The `0.1.0-alpha.1` publish also succeeded on 2026-05-07. The `0.1.0-alpha.2` publish succeeded on 2026-05-08. The `0.1.0-alpha.3` publish succeeded on 2026-05-08 and moved the `alpha` dist-tag forward.
+The repository metadata has been advanced to `0.1.0-alpha.5` with `private: false`. The `0.1.0-alpha.0` publish succeeded on 2026-05-07. The `0.1.0-alpha.1` publish also succeeded on 2026-05-07. The `0.1.0-alpha.2`, `0.1.0-alpha.3`, and `0.1.0-alpha.4` publishes succeeded on 2026-05-08 and moved the `alpha` dist-tag forward.
 
-The matching Git tag and GitHub prerelease are published as `v0.1.0-alpha.3`:
+The matching Git tag and GitHub prerelease are published through `v0.1.0-alpha.4`:
 
 ```text
-https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.3
+https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.4
 ```
 
 ## Registry State
@@ -27,14 +27,14 @@ The current alpha install path points at the release line:
 
 ```text
 npm view @ps-neko/nekowork@alpha version --json
--> 0.1.0-alpha.3
+-> 0.1.0-alpha.4
 ```
 
 Dist-tags:
 
 ```text
 npm view @ps-neko/nekowork dist-tags --json
--> { "alpha": "0.1.0-alpha.3", "latest": "0.1.0-alpha.0" }
+-> { "alpha": "0.1.0-alpha.4", "latest": "0.1.0-alpha.0" }
 ```
 
 The publish package shape has been checked:
@@ -72,11 +72,25 @@ npm publish --access public --tag alpha
 -> published 0.1.0-alpha.3
 ```
 
-After publish:
+The fourth alpha update was also published with the same `alpha` dist-tag:
 
 ```text
-npm view @ps-neko/nekowork@0.1.0-alpha.3 version --json
--> 0.1.0-alpha.3
+npm publish --access public --tag alpha
+-> published 0.1.0-alpha.4
+```
+
+The fifth alpha candidate is prepared but not published from this checkout:
+
+```text
+npm publish --access public --tag alpha
+-> E404 Not Found - PUT https://registry.npmjs.org/@ps-neko%2fnekowork - not found or no permission for the current account
+```
+
+Current candidate check:
+
+```text
+npm view @ps-neko/nekowork@0.1.0-alpha.5 version --json
+-> E404 Not Found
 ```
 
 `npx` smoke passed:
@@ -101,9 +115,10 @@ Published public alpha package:
 
 ```text
 name: @ps-neko/nekowork
-version: 0.1.0-alpha.3
+published version: 0.1.0-alpha.4
+repository candidate: 0.1.0-alpha.5
 dist-tag: alpha
-bin: harness
+candidate bin: nekowork, harness
 ```
 
 The alpha tag matters. It prevents accidental default installation before the owner decides the public package should become the stable install path.
@@ -115,14 +130,14 @@ Before publishing, explicitly confirm:
 - npm scope ownership for `@ps-neko`
 - npm 2FA readiness
 - package name `@ps-neko/nekowork`
-- binary name `harness`
-- public alpha version `0.1.0-alpha.3`
+- binary names `nekowork` and `harness`
+- public alpha version `0.1.0-alpha.5`
 - `private` removed or set to `false`
 - publish tag is `alpha`, not `latest`
 
 ## Next Alpha Publish Checklist
 
-Use this checklist for `0.1.0-alpha.3` or any later alpha. Do not run it until the owner explicitly approves the publish.
+Use this checklist for `0.1.0-alpha.5` or any later alpha. Do not run it until the owner explicitly approves the publish and `npm whoami` is the package owner account.
 
 1. Confirm the candidate scope in [RELEASE-READINESS.md](RELEASE-READINESS.md).
 2. Move the intended changelog entries from `Unreleased` to the new version heading.
@@ -174,7 +189,7 @@ Smoke test:
 npx -y @ps-neko/nekowork@alpha check
 ```
 
-If the `harness` bin cannot run correctly through `npx`, do not promote the package.
+If the `nekowork` or `harness` bin cannot run correctly through `npx`, do not promote the package.
 
 ## Post-Publish Work
 

package/docs/QUICKSTART.md

@@ -28,10 +28,11 @@ node scripts/cli.js check
 
 `check` is the beginner alias for `doctor --quick`. It checks Node.js, package metadata, git state, API key overrides, and provider CLI presence without running the slower freshness checks.
 
-Initialize another local repository from the source checkout:
+Initialize another local repository with the published alpha:
 
 ```bash
-node /path/to/harness/scripts/cli.js init --profile developer --project-root /path/to/my-project
+cd /path/to/my-project
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root .
 ```
 
 `init` is the beginner alias for `install --apply`. It writes generated harness surfaces and install state to the target project. It does not commit, push, publish, or deploy.

package/docs/RELEASE-READINESS.md

@@ -2,44 +2,46 @@
 
 Status date: 2026-05-08
 
-NEKOWORK / HARNESS is release-ready for local use, repository-based installation, and public npm alpha installation. The repository and npm alpha are both at `0.1.0-alpha.3`.
+NEKOWORK / HARNESS is release-ready for local use, repository-based installation, and public npm alpha installation. The repository candidate is `0.1.0-alpha.5`; the public npm alpha currently points at `0.1.0-alpha.4`.
 
 ## Decision
 
 - Decision: do not publish 0.0.3 to npm.
-- Public alpha: `0.1.0-alpha.3`, published with `--tag alpha`.
+- Public alpha: `0.1.0-alpha.4`, published with `--tag alpha`.
 - `package.json` is set to `private: false` for the public alpha.
 - The canonical repo is `Ps-Neko/NEKOWORK`.
-- Current release track is `0.1.0-alpha.3`; npm `@alpha` points at this version.
-- GitHub prerelease: `v0.1.0-alpha.3`.
+- Current repository candidate is `0.1.0-alpha.5`; npm `@alpha` points at `0.1.0-alpha.4`.
+- GitHub prerelease: `v0.1.0-alpha.4`.
 - Required local provider auth is delegated CLI auth, not long-lived API keys.
 - Core workflow invariant is Claude work -> Codex verification -> Human Gate.
 - Risk classifier, acceptance criteria artifacts, and profile safety validation are part of the release gate.
 - Remaining optional work is stable promotion and broader adoption evidence.
-- Public package metadata is published as `@ps-neko/nekowork@alpha`.
+- Public package metadata is published as `@ps-neko/nekowork@alpha`; the next candidate requires owner-account publish permission.
 - Dist-tag note: `latest` remains on the first alpha line; use `@alpha` until a stable release exists.
 - See [PUBLISH-ALPHA.md](PUBLISH-ALPHA.md) for the public alpha checklist.
 
 GitHub Release:
 
-- https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.3
+- https://github.com/Ps-Neko/NEKOWORK/releases/tag/v0.1.0-alpha.4
 
-## 0.1.0-alpha.3 Release Scope
+## 0.1.0-alpha.5 Release Scope
 
-The `0.1.0-alpha.3` release scope is first-run trust UX and documentation hardening:
+The `0.1.0-alpha.5` release scope is product-name CLI ergonomics and release-surface version consistency:
 
-- README first screen explains unverified-change prevention, Human Gate, and explicit apply
-- beginner `check` and `init` CLI aliases
-- Safety Guarantees, Failure Modes, Trust Model, and Why Not Autopilot docs
-- third-party dotenv case study and alpha feedback triage docs from the post-alpha.2 line
+- `nekowork` is exposed as the product-name CLI alias
+- `harness` remains available as the runtime-name CLI alias
+- package bin aliases are covered by unit tests
+- `agent.yaml` version matches `package.json`
+- version consistency is covered by unit tests
+- `published-alpha-smoke` uses the beginner `check` command and public `init --dry-run` path
 - no catalog expansion unless a new surface directly strengthens verification evidence
 
-Release exit criteria:
+Release exit criteria before tagging/publishing `0.1.0-alpha.5`:
 
 - required gates below pass locally
-- `published-alpha-smoke` passes in GitHub Actions
+- `published-alpha-smoke` passes in GitHub Actions after npm publish
 - `npm pack --dry-run --json` contains only intended files
-- changelog `0.1.0-alpha.3` entries match the release contents
+- changelog `0.1.0-alpha.5` entries match the release contents
 - `latest` remains documented as non-stable; install examples continue to use `@alpha`
 
 ## Required Gates
@@ -69,26 +71,28 @@ Current local verification after the decomposed workflow expansion:
 - `npm run lint`: pass
 - `node scripts/sync-claude-md.js --check`: pass
 - `node scripts/build-codemaps.js --check`: pass
-- `npm test`: 251 tests pass
+- `npm test`: 253 tests pass
 - `npm run demo:quick -- --cleanup`: pass
 - `npm audit --audit-level=moderate`: 0 vulnerabilities
 - `npm pack --dry-run --json`: pass
 - `npm publish --dry-run --access public --tag alpha`: pass
-- `npm publish --access public --tag alpha`: `0.1.0-alpha.3` published
-- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.3`; `latest` remains `0.1.0-alpha.0`
-- `npx -y @ps-neko/nekowork@alpha check`: passed for `0.1.0-alpha.3` with WARN summary from non-git project root and Gemini auth not checked
-- GitHub Actions `published-alpha-smoke`: validates the fresh `npx @alpha` path against the published package
+- `npm publish --access public --tag alpha`: `0.1.0-alpha.5` failed with npm `E404` permission/not-found for the current account
+- `npm view @ps-neko/nekowork dist-tags version versions --json`: `alpha` points at `0.1.0-alpha.4`; `latest` remains `0.1.0-alpha.0`
+- `npx -y @ps-neko/nekowork@alpha doctor --quick`: passed for `0.1.0-alpha.4` with WARN summary from Gemini auth not checked
+- GitHub Actions `published-alpha-smoke`: validates the public `npx @alpha` path against the currently published package
 
 ## Install Smoke
 
 For the default developer profile:
 
 ```bash
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root <target>
+npx -y @ps-neko/nekowork@alpha check --project-root <target>
 node scripts/install-plan.js --list --json
 node scripts/install-plan.js --pack quality --json
 node scripts/install-plan.js --profile developer --json
 node scripts/portability/simulate-port.js <target> --profile developer --json
-node scripts/install-apply.js --profile developer --project-root <target>
+node scripts/cli.js init --profile developer --project-root <target>
 node scripts/cli.js plan "release readiness smoke" --project-root <target>
 node scripts/cli.js run "release readiness decomposed smoke" --project-root <target> --session release-run-smoke
 ```
@@ -156,10 +160,10 @@ Expected target outputs:
 
 ## Public npm Checklist
 
-Already completed for `0.1.0-alpha.3`. Repeat this checklist for the next public alpha:
+Pending for `0.1.0-alpha.5`. Repeat this checklist when the owner account is ready to publish:
 
 1. Confirm the npm package name is still `@ps-neko/nekowork`.
-2. Confirm the `harness` binary is still intentional.
+2. Confirm the `nekowork` and `harness` binaries are still intentional.
 3. Bump `package.json` to the next public alpha version only when publish is approved.
 4. Run the required gates above.
 5. Inspect `npm pack --dry-run --json` and confirm only intended files are included.

package/docs/ROADMAP.md

@@ -4,21 +4,34 @@ Status date: 2026-05-08
 
 This roadmap is intentionally small. NEKOWORK should improve the evidence surface before expanding the agent catalog.
 
-## 0.1.0-alpha.2
+## 0.1.0-alpha.3
 
 Status: released.
 
 Goal: make the published package and first-run story easier to trust from the outside.
 
-Planned scope:
+Released scope:
 
-- Keep fresh `npx @ps-neko/nekowork@alpha doctor --quick` smoke coverage in CI.
+- Keep fresh `npx @ps-neko/nekowork@alpha check` smoke coverage in CI.
 - Keep the generated terminal SVG for the one-minute demo path.
 - Keep README focused on evidence, report output, Human Gate, and explicit apply.
-- Keep the external feedback path for alpha users to paste `doctor --quick --json` and `REPORT.md` summaries.
+- Keep the external feedback path for alpha users to paste `check --json` and `REPORT.md` summaries.
 - Preserve the current catalog size unless a new agent, skill, hook, or pack directly strengthens verification evidence.
 
-## 0.1.0-alpha.3 Candidate
+## 0.1.0-alpha.5
+
+Status: released.
+
+Goal: keep first-run install evidence internally consistent.
+
+Released scope:
+
+- Keep `agent.yaml` and `package.json` versions aligned.
+- Cover release-surface version consistency with a unit test.
+- Make `npx @alpha init --project-root .` the shortest documented target-project install path.
+- Keep `@alpha check` smoke evidence green across local and GitHub Actions gates.
+
+## 0.1.0-alpha.5 Candidate
 
 Goal: gather external feedback and keep the release path boring.
 

package/docs/RUNBOOK.md

@@ -47,9 +47,16 @@ The validator runs through `npm run lint`.
 
 Use a temporary target project:
 
+```bash
+npx -y @ps-neko/nekowork@alpha init --profile developer --project-root <target>
+npx -y @ps-neko/nekowork@alpha check --project-root <target>
+```
+
+For repository-pinned source checkout testing:
+
 ```bash
 node scripts/portability/simulate-port.js <target> --profile developer --verbose
-node scripts/install-apply.js --profile developer --project-root <target>
+node scripts/cli.js init --profile developer --project-root <target>
 node scripts/cli.js doctor --project-root <target> --quick
 node scripts/cli.js plan "release smoke" --project-root <target> --session release-smoke
 node scripts/cli.js run "release decomposed smoke" --project-root <target> --session release-run-smoke
@@ -86,13 +93,13 @@ npm pack --dry-run --json
 Do not run this checklist unless public publish is explicitly approved.
 
 1. Confirm `package.json#name` is `@ps-neko/nekowork`.
-2. Confirm the `harness` binary name is still intentional.
+2. Confirm the `nekowork` and `harness` binary names are still intentional.
 3. Run all release gates.
 4. Inspect `npm pack --dry-run --json`.
 5. Confirm npm identity with `npm whoami`.
 6. Confirm account 2FA readiness.
 7. Confirm `private: false`.
-8. Confirm the public alpha version, for example `0.1.0-alpha.2`.
+8. Confirm the public alpha version, for example `0.1.0-alpha.5`.
 9. Run `npm publish --access public --tag alpha`.
 10. Update README, Quickstart, Changelog, and release notes from "future npm path" to "published npm path".
 

package/docs/SETUP.md

@@ -2,7 +2,7 @@
 
 Start with [QUICKSTART.md](QUICKSTART.md) if this is your first run. This page is the deeper contributor setup guide.
 
-NEKOWORK `0.1.0-alpha.2` is the current repository version and the published `@ps-neko/nekowork@alpha` package. Use a source checkout, submodule, or local repository integration when you need examples, tests, or repository-pinned workflows.
+NEKOWORK `0.1.0-alpha.5` is the current repository candidate. The published `@ps-neko/nekowork@alpha` package currently points at `0.1.0-alpha.4`. Use npm alpha for the shortest first-run path, or use a source checkout, submodule, or local repository integration when you need examples, tests, or repository-pinned workflows.
 
 ## Requirements
 

package/docs/assets/demo-terminal.svg

@@ -21,11 +21,11 @@
     <text x="480" y="62" text-anchor="middle" font-family="Consolas, Menlo, monospace" font-size="13" fill="#c8d2dc">NEKOWORK alpha smoke</text>
   </g>
   <g font-family="Consolas, Menlo, monospace" font-size="18">
-    <text x="72" y="114" fill="#7ee787">$ npx -y @ps-neko/nekowork@alpha doctor --quick</text>
+    <text x="72" y="114" fill="#7ee787">$ npx -y @ps-neko/nekowork@alpha check</text>
     <text x="72" y="147" fill="#d7e3ec">NEKOWORK doctor</text>
     <text x="72" y="179" fill="#8fb3c8">STATUS  CHECK              MESSAGE</text>
     <text x="72" y="211" fill="#9be9a8">PASS    node               Node 22+</text>
-    <text x="72" y="243" fill="#9be9a8">PASS    package metadata   @ps-neko/nekowork@0.1.0-alpha.2</text>
+    <text x="72" y="243" fill="#9be9a8">PASS    package metadata   @ps-neko/nekowork@0.1.0-alpha.4</text>
     <text x="72" y="275" fill="#9be9a8">PASS    api key env        no delegated-provider API key overrides</text>
     <text x="72" y="307" fill="#ffd166">WARN    gemini cli         auth status is not checked non-interactively</text>
     <text x="72" y="339" fill="#d7e3ec">summary: WARN (5 pass, 2 warn, 0 fail)</text>

package/docs/dev-log/2026-04-29-p1-recovery.md

@@ -0,0 +1,142 @@
+# Dev-log — 2026-04-29 P1 회수 세션
+
+> Week 1~4 마감 후 AUDIT 의 P1 항목 + 일부 P2 를 한 세션 (4 시간) 안에 회수.
+> 본 문서는 사후 기록. 의사결정·발견된 이슈·다음 후속을 정리한다.
+
+## 1. 진입 상황
+
+`docs/AUDIT.md` (2026-04-29 작성 시점) 기준 부채:
+
+- 빈 디렉터리 6개: `docs/CODEMAPS/`, `rules/{common,typescript,python}/`, `tests/{integration,e2e}/`
+- 미구현 스크립트 9개: `validate-{agents,skills,hooks,manifests}.js`, `build-{cursor,gemini,opencode}.js`, `sync-claude-md.js`, `repair.js`
+- stub 메시지 흔적: `cli.js` / `mcp-server.js` / `pre-bash-dispatcher.js` / `daemon/wait.js` / `orchestrators/ralph.js` / `ci/catalog.js` 의 "Day N" 잔존
+- `install-apply` 의 `source_sha256: "0".repeat(64)` placeholder
+- ARCHITECTURE.md 가 stub (50줄, 18절 매핑만)
+
+## 2. 처리 순서 (실행 순)
+
+| # | 항목 | 산출 | 시간(추정) |
+|---|---|---|---|
+| 1 | `scripts/sync-claude-md.js` | 마커 자동 갱신 + version 주입 + dry-run/check | 30분 |
+| 2 | `scripts/repair.js` | install-state sha256 비교 + 변경분 재빌드 | 30분 |
+| 3 | `scripts/build-{cursor,gemini,opencode}.js` | 3 빌더, 각 80~150줄 | 60분 |
+| 4 | `scripts/ci/validate-{agents,skills,hooks,manifests}.js` | ajv + frontmatter + 그래프 무결성 | 30분 |
+| 5 | `rules/{common,typescript,python}/` 콘텐츠 | 8 파일 (common 3 + ts 3 + py 2) | 60분 |
+| 6 | `docs/ARCHITECTURE.md` 18절 본문 | 528줄, ASCII 다이어그램 + 8계층 + 라우팅 + Codex Loop + 12-item Bar | 60~90분 |
+| 7 | stub 메시지 정리 | 6 파일에서 "Day N" 흔적 제거. `package.json` lint/test 실 매핑 | 10분 |
+| 8 | `install-apply` sha256 실값화 | `sha256OfDir` + `sha256OfCatalog` 추가 | 20분 |
+| 9 | `scripts/build-codemaps.js` (보너스) | 디렉터리 트리 + export 추출. 9 영역 자동 산출 | 60분 |
+| 10 | `tests/integration/build-pipeline.test.js` | 격리 sandbox + 풀체인 10 케이스 | 60분 |
+| 11 | `tests/e2e/review-cycle.test.js` | demo-review 시뮬 7 케이스 + CLI 검증 | 60~90분 |
+| 12 | AUDIT 갱신 + dev-log 추가 | 본 문서 + AUDIT §1~5, §7, §8 갱신 | 30분 |
+
+## 3. 이번 세션의 의사결정
+
+### 3.1 "## 자동 갱신 영역" 헤딩과 마커 위치
+
+처음 sync-claude-md 실행 시 기존 CLAUDE.md 의 `## 빌드 후 확인` 블록이 마커 바깥(원본 상태)에 있던 것을 인지 못 하고 자동 영역에도 똑같이 생성 → 중복.
+
+**결정**: 자동 영역에서 `## 빌드 후 확인` 빼고, 사용자 작성 영역으로 유지. 사유: 빌드 후 확인 명령은 카탈로그가 바뀌어도 안 바뀌는 정적 가이드. 자동 갱신 대상 아님.
+
+### 3.2 install-apply 의 5 빌더 일괄 실행
+
+기존 `install-apply.js` 는 `['claude', 'codex']` 하드코딩. 새 빌더 3개를 추가했지만 install 흐름이 안 잡으면 의미 없음.
+
+**결정**: `agent.yaml.harnesses[].name` 을 그대로 사용. 매니페스트 단일 진실 원본 원칙과 일치.
+
+### 3.3 sha256 의 의미 분리
+
+스키마는 `source_sha256` 과 `targets[].sha256` 둘 다 정의. 둘의 의미가 다름.
+
+**결정**:
+- `source_sha256` = 카탈로그 입력 전체의 단일 해시 (`agent.yaml + agents/ + skills/ + commands/ + hooks/ + manifests/`). 모든 빌더에 동일.
+- `targets[].sha256` = 출력 디렉터리 (`.claude/`, `.codex/`, ...) 의 해시. 빌더별로 다름.
+
+repair 는 `targets[].sha256` 만 비교 (출력 변조 / 누락 검출).
+
+### 3.4 e2e 테스트의 "auth 자동 활성"
+
+`demo-review.js` 는 `isAuthChange = true` 하드코딩. 따라서 항상 codex-challenge 활성.
+
+**결정**: 회귀 안전성을 위해 본 동작을 명시 검증하는 케이스를 추가. 사양 변경(`isAuthChange` 가 진짜 path 검사로 바뀌면) 시 본 테스트가 알람.
+
+### 3.5 codemaps 의 보너스 추가
+
+원래 P2 였지만 build-codemaps 가 build-{claude,codex,...} 패턴과 동질 → 같은 세션 안에 끼워 넣음. 별도 npm 스크립트 (`npm run build:codemaps`) 만 추가, install 흐름엔 안 묶음 (선택적).
+
+## 4. 발견된 마찰
+
+| 마찰 | 회수 방안 |
+|---|---|
+| sandbox 카피 시 `node_modules` symlink 권한 부족 가능 (Windows) | 폴백으로 cp. 첫 실행 느림 (~5초) — 수용. |
+| `node --test tests/unit/` 디렉터리 호출 | 글로브 명시 (`tests/unit/*.test.js`) 로 우회. `npm test` 가 표준 진입점이 됨. |
+| `read-only` 가 sandbox 영역인지 헷갈림 | agent frontmatter 의 `sandbox: read-only` 와 OS sandbox 는 별개. CLAUDE.md 에 주석 추가 필요 (다음 세션). |
+
+## 5. 검증
+
+```
+node --test tests/unit/*.test.js tests/integration/*.test.js tests/e2e/*.test.js
+  → 73/73 PASS, duration ~3.4 s
+
+npm run lint
+  → catalog + validate:all 모두 통과 (경고 4건은 사실, 오류 0)
+
+node scripts/repair.js --check
+  → 모든 하네스 정합
+
+node scripts/sync-claude-md.js --check
+  → CLAUDE.md 자동 영역 동기화 OK
+
+node scripts/build-codemaps.js --check
+  → 모든 codemap 최신 상태
+```
+
+## 6. 다음 세션 진입 후보
+
+`docs/AUDIT.md §5` 갱신본 참조. 요약:
+
+- **P0** (사용자 동의 필요): Anthropic SDK live 1회, GitHub push, 사내 PoC 결합.
+- **P2** (외부 의존): Rust 컴파일, Codex/Gemini CLI live 검증, GitHub Actions 실 동작.
+- **P3** (사내 임팩트): 사용자 명시 사내 프로젝트에 풀 결합.
+
+## 7. 산출 파일 목록
+
+```
+신규
+  scripts/sync-claude-md.js
+  scripts/repair.js
+  scripts/build-cursor.js
+  scripts/build-gemini.js
+  scripts/build-opencode.js
+  scripts/build-codemaps.js
+  scripts/ci/validate-agents.js
+  scripts/ci/validate-skills.js
+  scripts/ci/validate-hooks.js
+  scripts/ci/validate-manifests.js
+  rules/common/coding-style.md
+  rules/common/testing.md
+  rules/common/security.md
+  rules/typescript/coding-style.md
+  rules/typescript/testing.md
+  rules/typescript/security.md
+  rules/python/coding-style.md
+  rules/python/testing.md
+  tests/integration/build-pipeline.test.js
+  tests/e2e/review-cycle.test.js
+  docs/CODEMAPS/{README,scripts,agents,skills,hooks,manifests,schemas,bridge,rules,tests}.md
+  docs/dev-log/2026-04-29-p1-recovery.md  ← 본 문서
+
+수정
+  scripts/install-apply.js  (5 빌더 + sha256 실값)
+  scripts/cli.js  (Day N 메시지 정리)
+  scripts/ci/catalog.js  (Day 2/3 흔적)
+  scripts/daemon/wait.js  (Day 8/9 흔적)
+  scripts/orchestrators/ralph.js  (Day 9 흔적)
+  bridge/mcp-server.js  (Day 4/5 흔적)
+  hooks/scripts/pre-bash-dispatcher.js  (Day 3/5 흔적)
+  package.json  (lint/test 실 매핑 + test:* 분리 + build:codemaps)
+  CLAUDE.md  (자동 영역 마커 정합 + 컨텐츠 갱신)
+  .claude/CLAUDE.md  (동일)
+  docs/ARCHITECTURE.md  (stub 50줄 → 풀 528줄)
+  docs/AUDIT.md  (P1 회수 반영)
+```

package/docs/dev-log/2026-04-29-week1-4.md

@@ -0,0 +1,81 @@
+# WORKING-CONTEXT
+
+> 현재 스프린트의 액티브 메모리. 스프린트가 끝나면 archive 또는 docs 로 옮긴다. CHANGELOG 가 아니라 working memory.
+> Last updated: 2026-04-29
+
+## Purpose
+
+차세대 통합 AI 개발 에이전트 하네스 HARNESS 의 부트스트랩. ECC + OMC + claude-led-codex-review 의 통합 설계를 코드로 옮긴다.
+
+## Current Truth
+
+- Day 1 진행 중. 위치: `D:\claude\harness\`.
+- 인접 사내 프로젝트는 다루지 않는다 (사용자 룰).
+- 기술 스택: Node 22 + TypeScript strict, 추후 Rust(runtime/) TUI.
+- 한국어 응답 강제. 사용자 글로벌 룰 우선.
+
+## Current Constraints
+
+- 4시간 풀 사이클로 Day 1 완료 목표.
+- MVP 카탈로그: 11 agents, 5 skills, 4 hooks, 6 modules.
+- 184 스킬 풀 카탈로그 채택 안 함 (progressive 확장).
+- tmux 기반 team 런타임은 Q2 (Windows 환경 마찰).
+
+## Active Queues
+
+### In Progress
+- Day 1: 골격 + 거버넌스 + 매니페스트 + 스키마 + plan stub.
+
+### Next
+- Day 2: agents/ 11 frontmatter, skills/claude-led-codex-review/SKILL.md, codex-reviewer 페르소나.
+- Day 3: hooks/hooks.json + 4훅 stub, scripts/build-claude.js.
+- Day 4: bridge/mcp-server.cjs 최소 4도구.
+- Day 5: gateguard-fact-force + quality-gate 실 구현.
+
+## Open PR Classification
+
+(없음 — Day 1)
+
+## Interfaces
+
+- CLI: `harness <verb> <args>`
+- MCP: `mcp__harness__<tool>` (단일 게이트웨이)
+- Hooks: PreToolUse / PostToolUse / PreCompact / Stop / UserPromptSubmit / SessionStart
+
+## Update Rule
+
+이 파일은 **현재 스프린트만** 디테일하게 유지한다. 끝난 작업은 `docs/CHANGELOG.md` 로 옮긴다. 1주 이상 갱신 안 되면 archive 후보.
+
+## Latest Execution Notes
+
+- 2026-04-29 **Week 1 풀 진행 완료**.
+  - Day 1: 골격 + 거버넌스 6 + agent.yaml + manifests + schemas 10 + install plan stub.
+  - Day 2: agents 11 + skills 5 + commands 1 (catalog warnings 0).
+  - Day 3: hooks 5 + build-claude (22 components) + build-codex (config.toml + TOML agents).
+  - Day 4: MCP gateway (4도구, smoke PASS) + install-apply 풀체인.
+  - Day 5: gateguard 실 (importer/exports 정적 추출 + 답변 강제), quality-gate 실 (tsc/ruff 차단), demo-review 7단계 풀사이클 검증.
+  - 통계: 66 파일, 6,765 LOC. 137 packages 의존성.
+- 2026-04-29 **Day 6 완료**.
+  - 4 provider runner (mock/claude/codex/gemini) + dispatch + 7단계 orchestrator + cli wiring.
+  - mock 디폴트 (API 키 / Codex CLI 미보유 환경에서도 동작), --live 옵션으로 실 호출.
+  - sensitive path 자동 감지 (auth/crypto/payment/jwt 등) → 단계 6 자동 활성.
+  - round 한도 + critical 발견 → HUMAN_GATE 자동.
+  - node --test 5/5 PASS. harness review CLI 데모 OK.
+- 2026-04-29 **Week 2 완료**.
+  - Day 7: lib/{severity,router,costs}.js + MCP 3 신규 도구 (severity_classify, route_decide, cost_record) + harness costs CLI + routing.jsonl 자동 적층.
+  - Day 8: skills/ralph/SKILL.md + scripts/orchestrators/ralph.js (PRD AC 누적 PASS) + scripts/daemon/wait.js (start/stop/status). 명시 옵트인만 (자동 키워드 활성 OFF).
+  - Day 9-10: .github/workflows/{harness-review,harness-validate}.yml + docs/PORTING.md (사내 PoC 이식 가이드).
+  - 단위 테스트 24/24 PASS. 83 파일. 풀체인 동작 (review / ralph / costs / sessions / wait).
+- 2026-04-29 **Week 3 완료 (Day 11~15)**.
+  - Day 11: instincts 시스템 (record/list/promote/prune) + orchestrator 자동 누적 + CLI + 11/11 테스트.
+  - Day 12: simulate-port.js + 5/5 테스트 (외부 디렉터리 인용 제거).
+  - Day 13: claude/codex extractJson + buildPrompt export + 12/12 테스트.
+  - Day 14-15: CHANGELOG Week 3, WORKING-CONTEXT 갱신, 최종 회귀.
+  - 누적: 4 커밋, ~92 파일, ~10,500 LOC, 단위 테스트 52/52 PASS.
+- 2026-04-29 **Week 4 완료 (Day 16~20)**.
+  - Day 16: instincts.ready() + CLI + 4 신규 단위 테스트 (15/15 PASS).
+  - Day 17-18: Rust runtime 골격 — Cargo.toml + 5 .rs 파일 (529 LOC, 컴파일은 rustup 설치 후).
+  - Day 19: 사용자 D 선택 — 외부 환경 변경 보류, AUDIT 집중.
+  - Day 20: docs/AUDIT.md — Week 1~4 통합 검토 (18절 매핑, 8계층 매핑, 빠진 항목 / 부채 / P0~P3 우선순위).
+  - 누적: 5 커밋 예정, ~100 파일, ~12,000 LOC, 단위 테스트 56/56 PASS.
+- **세션 종료**. 다음 세션 P0: 실 LLM 호출 / PoC 결합 / GitHub push (사용자 명시 동의 시).

package/docs/workflows-stash/harness-validate.yml

@@ -16,22 +16,22 @@ jobs:
         with:
           node-version: '22'
 
-      - name: Fresh npx alpha doctor smoke
+      - name: Fresh npx alpha check smoke
         shell: bash
         run: |
           set -euo pipefail
           workdir="$RUNNER_TEMP/nekowork-alpha-smoke"
           mkdir -p "$workdir"
           cd "$workdir"
-          npx -y @ps-neko/nekowork@alpha doctor --quick --json > doctor.json
+          npx -y @ps-neko/nekowork@alpha check --json > check.json
           node <<'NODE'
           const { execSync } = require('node:child_process');
           const fs = require('node:fs');
-          const report = JSON.parse(fs.readFileSync('doctor.json', 'utf8'));
+          const report = JSON.parse(fs.readFileSync('check.json', 'utf8'));
           const expectedVersion = JSON.parse(execSync('npm view @ps-neko/nekowork@alpha version --json', { encoding: 'utf8' }));
           const metadata = report.checks.find((check) => check.name === 'package metadata');
           if (report.summary.fail !== 0) {
-            throw new Error(`doctor reported ${report.summary.fail} failure(s)`);
+            throw new Error(`check reported ${report.summary.fail} failure(s)`);
           }
           if (!metadata || !metadata.message.includes(`@ps-neko/nekowork@${expectedVersion}`)) {
             throw new Error(`unexpected package metadata: ${metadata?.message || '<missing>'}`);
@@ -39,6 +39,23 @@ jobs:
           console.log(`published alpha smoke: ${metadata.message}`);
           NODE
 
+      - name: Fresh npx alpha init smoke
+        shell: bash
+        run: |
+          set -euo pipefail
+          workdir="$RUNNER_TEMP/nekowork-alpha-init-smoke"
+          mkdir -p "$workdir"
+          cd "$workdir"
+          git init -q
+          expected_version="$(npm view @ps-neko/nekowork@alpha version --json | node -p "JSON.parse(require('node:fs').readFileSync(0, 'utf8'))")"
+          npx -y @ps-neko/nekowork@alpha init --profile developer --project-root . --dry-run > init.txt
+          if ! grep -Fq "HARNESS install --plan  (v${expected_version})" init.txt; then
+            echo "expected init plan version: v${expected_version}"
+            cat init.txt
+            exit 1
+          fi
+          echo "published alpha init smoke: v${expected_version}"
+
   validate:
     runs-on: ubuntu-latest
     timeout-minutes: 10

package/package.json

@@ -1,14 +1,20 @@
 {
   "name": "@ps-neko/nekowork",
-  "version": "0.1.0-alpha.3",
-  "description": "Local-first AI development harness for Claude Code, Codex CLI, and Gemini CLI",
+  "version": "0.1.0-alpha.5",
+  "description": "Local-first AI development quality runtime that verifies, gates, and explicitly applies AI coding changes",
   "keywords": [
     "claude",
     "claude-code",
     "codex",
     "ai-agent",
+    "ai-code-review",
+    "ai-safety",
     "code-review",
+    "human-gate",
+    "local-first",
     "second-opinion",
+    "ship-readiness",
+    "verification",
     "mcp",
     "harness",
     "multi-agent"
@@ -24,7 +30,8 @@
     "node": ">=22.0.0"
   },
   "bin": {
-    "harness": "scripts/cli.js"
+    "harness": "scripts/cli.js",
+    "nekowork": "scripts/cli.js"
   },
   "files": [
     "agent.yaml",