@su-record/vibe 2.9.20 → 2.9.22

package/CLAUDE.md

@@ -69,8 +69,9 @@ No `console.log` in commits · No hardcoded strings/numbers · No commented-out
 `/vibe.spec` is the single entry point — orchestrates interview → plan → spec → review → `/vibe.run` → `/vibe.verify` → `/vibe.contract` → `/vibe.trace`. For UI types (website/webapp/mobile), `/vibe.figma` branches in parallel. Smart Resume detects existing `.claude/vibe/{interviews,plans,specs}/*.md` to skip phases.
 
 **Quality-loop commands** (bug → prevention):
-- `/vibe.regress` — 회귀 테스트 자동 진화. `/vibe.verify` 실패 시 자동 register, `generate`로 예방 테스트 생성, `cluster`로 반복 패턴 승격.
-- `/vibe.contract` — API 계약 드리프트 감지. SPEC에서 추출한 계약과 구현 비교, P1 drift는 `/vibe.regress`로 자동 전파.
+- `/vibe.regress` — Regression test auto-evolution. Auto-registers on `/vibe.verify` failure; `generate` produces preventive tests; `cluster` promotes recurring patterns.
+- `/vibe.contract` — API contract drift detection. Compares the contract extracted from the SPEC against the implementation; P1 drift auto-propagates to `/vibe.regress`.
+- `/vibe.test` — vibe self-test across the CC ↔ coco harnesses. Subcommands: `parity` (static), `report` (runtime), `compare` (diff). P1 drift auto-propagates to `/vibe.regress`. Recommended before every release.
 
 | Task Size | Approach |
 |---|---|
@@ -98,7 +99,7 @@ No `console.log` in commits · No hardcoded strings/numbers · No commented-out
 
 ## Git
 
-**Include**: `.claude/vibe/{plans,specs,features,todos,research,regressions,contracts}/`, `.claude/vibe/config.json`, `CLAUDE.md`
+**Include**: `.claude/vibe/{plans,specs,features,todos,research,regressions,contracts,test-reports}/`, `.claude/vibe/config.json`, `CLAUDE.md`
 **Exclude**: `~/.claude/{rules,commands,agents,skills}/`, `.claude/settings.local.json`
 
 <!-- VIBE:END -->

package/commands/vibe.contract.md

@@ -5,57 +5,57 @@ argument-hint: "extract | check | diff [feature-name]"
 
 # /vibe.contract
 
-**API Contract Drift Detection** — SPEC에 적힌 API 계약과 실제 구현이 어긋나면 즉시 잡는다.
+**API Contract Drift Detection** — when implementation diverges from the SPEC's API contract, catch it immediately.
 
-> SPEC은 진실의 원천이다. 구현이 SPEC을 소리 없이 떠나면 테스트는 통과해도 계약은 깨진다.
+> The SPEC is the source of truth. If the implementation silently leaves the SPEC, tests can pass while the contract breaks.
 
 ## Usage
 
 ```
-/vibe.contract extract <feature>       # SPEC에서 API 계약 추출 → .claude/vibe/contracts/<feature>.md
-/vibe.contract check <feature>         # 계약 vs 구현 비교, 드리프트 리포트
-/vibe.contract diff <feature>          # 마지막 check 이후 변경된 필드만 요약
+/vibe.contract extract <feature>       # SPEC → contract record at .claude/vibe/contracts/<feature>.md
+/vibe.contract check <feature>         # contract vs implementation, drift report
+/vibe.contract diff <feature>          # changed fields since last check
 ```
 
 ## What counts as an "API contract"
 
-계약 = 외부(클라이언트, 다른 서비스)가 의존하는 **모든 인터페이스 형태**:
+A contract = any **interface shape** that external consumers (clients, other services) depend on:
 
 - HTTP endpoint: method + path + request schema + response schema + status codes
 - GraphQL: query/mutation name + args + return shape
-- 이벤트/메시지: topic + payload schema
-- 내보내진 TypeScript 함수 시그니처 (public API로 명시된 경우)
+- Event/message: topic + payload schema
+- Exported TypeScript function signature (when explicitly marked as public API)
 
 ## Process
 
 Load skill `vibe-contract` with subcommand: `$ARGUMENTS`
 
-**핵심 단계**:
+**Core steps**:
 
-1. **extract**: SPEC(.claude/vibe/specs/\<feature\>.md)의 "API" / "Endpoints" / "Interface" 섹션을 파싱, 구조화된 계약 레코드로 저장
-2. **check**: 실제 구현(코드)에서 동일 엔드포인트를 찾아 시그니처/스키마 비교 — 드리프트 발견 시 P1 리포트
-3. **diff**: 이전 check 스냅샷과 비교, **변경된 필드만** 노출 (노이즈 최소화)
+1. **extract**: parse SPEC sections like `## API` / `## Endpoints` / `## Interface` and persist as a structured contract record
+2. **check**: locate matching endpoints in the implementation, compare signature/schema, report drift as P1 findings
+3. **diff**: compare against the previous snapshot, surface only **changed fields** (noise minimized)
 
 ## Drift severity
 
-| Drift type | Severity | 예시 |
+| Drift type | Severity | Example |
 |---|---|---|
-| Missing endpoint | P1 | SPEC에는 `GET /users/:id` 있는데 구현 없음 |
-| Missing required field in response | P1 | SPEC response에 `email` 있는데 구현에서 빠짐 |
+| Missing endpoint | P1 | SPEC says `GET /users/:id`, implementation has none |
+| Missing required field in response | P1 | SPEC response includes `email`, implementation drops it |
 | Type change (breaking) | P1 | `userId: number` → `userId: string` |
-| Added required request field | P1 | 기존 클라이언트 호환성 깨짐 |
-| Added optional field | P3 | 확장은 허용 |
-| Status code added | P2 | 클라이언트가 처리해야 할 새 케이스 |
-| Status code removed | P1 | 예상 응답이 사라짐 |
+| Added required request field | P1 | breaks existing clients |
+| Added optional field | P3 | extension is allowed |
+| Status code added | P2 | client must handle a new case |
+| Status code removed | P1 | expected response disappeared |
 
-**P1 드리프트 발견 시**: `/vibe.verify` 통과 여부와 무관하게 실패로 간주. 테스트는 통과해도 계약은 깨질 수 있기 때문.
+**On any P1 drift**: treat as failure regardless of `/vibe.verify` outcome — tests can pass while the contract breaks.
 
 ## Storage Format
 
 ```
 .claude/vibe/contracts/
-  <feature>.md           # 추출된 계약 (SSOT)
-  <feature>.snapshot.md  # 마지막 check 시점의 구현 스냅샷 (diff 비교용)
+  <feature>.md           # extracted contract (SSOT)
+  <feature>.snapshot.md  # implementation snapshot at last check (for diff)
 ```
 
 ### Contract schema (frontmatter)
@@ -81,24 +81,24 @@ endpoints:
 
 ## Integration with /vibe.verify
 
-`/vibe.verify <feature>` 흐름 끝에 자동 체인:
+After `/vibe.verify <feature>` scenarios pass, auto-chain:
 
 ```
 scenarios pass → /vibe.contract check <feature>
   ├─ no drift → ✅ complete
-  └─ drift found → ❌ report + auto-register to /vibe.regress (tag: integration)
+  └─ drift found → ❌ report + auto /vibe.regress register (tag: integration)
 ```
 
 ## Integration with /vibe.spec
 
-`/vibe.spec` 작성 완료 직후 자동으로 `/vibe.contract extract` 호출하여 계약을 미리 뽑아둠. 이후 `/vibe.run` 구현 시 이 계약이 참조점.
+Right after `/vibe.spec` finishes writing the SPEC, auto-invoke `/vibe.contract extract`. The resulting contract becomes the reference for the subsequent `/vibe.run`.
 
 ## Done Criteria
 
-- [ ] `extract`는 SPEC에 API 섹션이 없으면 **에러 없이 스킵** (모든 feature가 API를 갖진 않음)
-- [ ] `check`는 드리프트 없으면 조용히 통과, 있으면 severity별 분류 출력
-- [ ] P1 드리프트는 반드시 `/vibe.regress register --from-contract` 자동 호출
-- [ ] `diff`는 이전 스냅샷이 없으면 "첫 실행"이라 안내
+- [ ] `extract` exits cleanly when SPEC has no API section (not every feature has one)
+- [ ] `check` is silent when no drift; otherwise prints findings grouped by severity
+- [ ] Every P1 drift triggers `/vibe.regress register --from-contract`
+- [ ] `diff` says "first run" when no prior snapshot exists
 
 ---
 

package/commands/vibe.regress.md

@@ -5,51 +5,51 @@ argument-hint: "register | generate | list | import | cluster [args]"
 
 # /vibe.regress
 
-**Regression Auto-Evolution** — 같은 버그를 두 번 잡지 않기 위한 도구.
+**Regression Auto-Evolution** — never fix the same bug twice.
 
-> 버그는 기록되고, 예방 테스트는 자동 생성되고, 반복 패턴은 공통 테스트로 승격된다.
+> Bugs are recorded, preventive tests are generated automatically, and recurring patterns get promoted into shared tests.
 
 ## Usage
 
 ```
-/vibe.regress register "<symptom>"           # 수동 등록 (최소, 대부분 자동)
-/vibe.regress generate <slug>                # bug → vitest 파일 생성
-/vibe.regress list                           # 미해결 목록
-/vibe.regress import                         # git log의 fix: 커밋 역추적
-/vibe.regress cluster                        # 3+ 유사 버그 → 공통 테스트 제안
+/vibe.regress register "<symptom>"           # Manual register (rare — most calls are automatic)
+/vibe.regress generate <slug>                # bug record → vitest file
+/vibe.regress list                           # Open items
+/vibe.regress import                         # Backfill from git log `fix:` commits
+/vibe.regress cluster                        # 3+ similar bugs → propose shared test
 ```
 
 ## Auto-integration
 
-- `/vibe.verify` 실패 → 자동으로 `register` 호출 (수동 개입 없음)
-- `/vibe.run "<feature>"` 시작 → 해당 feature의 미해결 회귀 항목 경고
+- `/vibe.verify` failure → auto-invokes `register` (no manual step)
+- `/vibe.run "<feature>"` start → warns about open regressions for that feature
 
 ## Process
 
 Load skill `vibe-regress` with subcommand: `$ARGUMENTS`
 
-`vibe-regress` 스킬이 등록·생성·클러스터링을 수행.
+The `vibe-regress` skill performs registration, generation, and clustering.
 
-**핵심 단계** (상세는 `skills/vibe-regress/SKILL.md` 참조):
+**Core steps** (see `skills/vibe-regress/SKILL.md` for details):
 
-1. 서브커맨드 파싱
-2. `.claude/vibe/regressions/<slug>.md` 읽기/쓰기 (frontmatter 스키마 준수)
-3. `generate` 시 프로젝트 테스트 스택 감지 → 적합한 템플릿 선택 (vitest/jest)
-4. `cluster` 시 frontmatter의 `root-cause-tag`로 그룹핑 → 3개 이상이면 공통 테스트 제안
-5. `import` 시 `git log --grep='^fix:'` 파싱 → 중복 스킵, 신규만 등록
+1. Parse subcommand
+2. Read/write `.claude/vibe/regressions/<slug>.md` (frontmatter schema enforced)
+3. On `generate`, detect the project's test stack → choose template (vitest / jest)
+4. On `cluster`, group by `root-cause-tag`; ≥3 entries → propose a shared test
+5. On `import`, parse `git log --grep='^fix:'`; skip duplicates by commit hash
 
 ## Output
 
-- `.claude/vibe/regressions/<slug>.md` — 버그 레코드 (frontmatter + 증상/재현/근본원인)
-- 프로젝트 test dir — 생성된 vitest 파일 (`*.regression.test.ts` 네이밍)
-- `list` 서브커맨드는 터미널 표
+- `.claude/vibe/regressions/<slug>.md` — bug record (frontmatter + reproduction / root cause)
+- Project test dir — generated vitest file (`*.regression.test.ts`)
+- `list` prints a terminal table
 
 ## Storage Format
 
 ```markdown
 ---
 slug: login-jwt-expiry-off-by-one
-symptom: "JWT 만료 시간이 1초 일찍 끊김"
+symptom: "JWT expiry cuts off one second early"
 root-cause-tag: timezone
 fix-commit: abc1234
 test-path: src/auth/__tests__/login.regression.test.ts

package/commands/vibe.run.md

@@ -48,18 +48,18 @@ Execute **Scenario-Driven Implementation** with automatic quality verification.
 
 ### Pre-Run Regression Check (MANDATORY, before implementation starts)
 
-시작 직후 필수 실행:
+Run immediately after start:
 
 ```
 Load skill `vibe-regress` with: list --feature "{feature-name}"
 ```
 
-- 미해결 회귀 항목 있으면:
-  - interactive 모드: 사용자에게 "먼저 회귀 테스트 생성 후 진행?" 묻기
-  - ultrawork 모드: 자동 `/vibe.regress generate <slug>`로 예방 테스트 생성 후 진행
-- 미해결 없으면 조용히 통과
+- If any open regressions exist:
+  - interactive mode: ask the user "generate preventive tests first, then proceed?"
+  - ultrawork mode: auto-invoke `/vibe.regress generate <slug>` for each, then proceed
+- No open regressions → silently continue
 
-또한 `.claude/vibe/contracts/{feature-name}.md`이 있으면 로드 — 구현 시 계약 준수 기준으로 사용.
+Also load `.claude/vibe/contracts/{feature-name}.md` if present — use it as the contract reference during implementation.
 
 ### Core Flow
 

package/commands/vibe.spec.md

@@ -372,15 +372,15 @@ Load skill `vibe-spec-review` with feature: {feature-name}
 5. Review Debate Team (2+ P1/P2 이슈 시)
 6. 사용자 최종 체크포인트
 
-### Phase 4.5: Contract Extract (자동, API 있는 feature만)
+### Phase 4.5: Contract Extract (auto, only for features with an API)
 
 ```
 Load skill `vibe-contract` with: extract "{feature-name}"
 ```
 
-SPEC에 `## API` / `## Endpoints` / `## Interface` 섹션이 있으면 계약을 `.claude/vibe/contracts/{feature-name}.md`로 추출. 섹션이 없으면 에러 없이 스킵 (모든 feature가 API를 갖지 않음).
+If the SPEC has a `## API` / `## Endpoints` / `## Interface` section, extract the contract to `.claude/vibe/contracts/{feature-name}.md`. If the section is absent, exit cleanly (not every feature has an API).
 
-이 계약은 Phase 5a 구현 시 참조되고, `/vibe.verify` 종료 시 drift 검사에 사용됨.
+The contract is referenced during Phase 5a implementation, and used by `/vibe.verify` for drift detection.
 
 ### Phase 5a: Logic Track
 
@@ -388,9 +388,9 @@ SPEC에 `## API` / `## Endpoints` / `## Interface` 섹션이 있으면 계약을
 /vibe.run "{feature-name}"
 ```
 
-SPEC → 코드 구현. 시작 시 자동 체크:
-- `/vibe.regress list --feature {feature-name}` — 미해결 회귀 항목 있으면 경고
-- `.claude/vibe/contracts/{feature-name}.md` — 있으면 로드하여 구현 가이드
+SPEC → code. Auto-checks at start:
+- `/vibe.regress list --feature {feature-name}` — warn if any open regressions exist
+- `.claude/vibe/contracts/{feature-name}.md` — load if present, use as implementation guide
 
 ### Phase 5b: UI Track (type ∈ {website, webapp, mobile}일 때만)
 

package/commands/vibe.test.md

@@ -0,0 +1,96 @@
+---
+description: Self-test vibe across CC and coco — verify every command/skill/hook/agent/tool is callable and behaves identically
+argument-hint: "parity | report | compare [args]"
+---
+
+# /vibe.test
+
+**Vibe Self-Test** — verify vibe works identically in both Claude Code and coco.
+
+> Catch features broken on one harness before users do.
+
+## Usage
+
+```
+/vibe.test parity                              # Static parity (file set + content sync) — local, fast
+/vibe.test report                              # Invoke every feature in current harness, write JSON+MD report
+/vibe.test compare <cc-report> <coco-report>   # Diff two reports, classify P1/P2/P3
+```
+
+## Key Constraint
+
+`/vibe.test report` only tests the **harness it runs in**. Run from CC for CC results, run from coco for coco results. Then `compare` merges them.
+
+```
+[CC]   /vibe.test report → .claude/vibe/test-reports/<ts>-cc.{json,md}
+[coco] /vibe.test report → .coco/vibe/test-reports/<ts>-coco.{json,md}
+[any]  /vibe.test compare → diff with parity findings
+```
+
+## Subcommand: parity (static check, stage 1)
+
+No harness execution — file system comparison only:
+
+| Check | Compared |
+|---|---|
+| **install set** | `~/.claude/{commands,skills,agents}/` vs `~/.coco/{commands,skills,agents}/` file set |
+| **content sync** | `CLAUDE.md` ↔ `AGENTS.md` body (excluding header/meta blocks) |
+| **path config** | `.claude/vibe/` vs `.coco/vibe/` directory layout |
+| **doc references** | Paths cited in CLAUDE.md/AGENTS.md actually resolve in install dir |
+
+**Output**: console table + `.claude/vibe/test-reports/<ts>-parity.json`
+
+This stage alone catches:
+- New commands missing on one harness (e.g. if `/vibe.regress` had been added only to CC)
+- AGENTS.md holding stale paths (e.g. `.codex/` references after a coco rename)
+- CLAUDE.md ↔ AGENTS.md body drift
+
+## Subcommand: report (runtime invocation)
+
+Probes every shipped feature in the current harness and writes a JSON+MD report.
+
+| Category | Probe |
+|---|---|
+| commands | frontmatter validity, body delegates to a skill |
+| skills | frontmatter validity, triggers non-empty |
+| hooks | run matching vitest suite |
+| agents | frontmatter validity, declared tools exist in harness |
+| tools | run matching vitest suite or smoke-call with minimal input |
+
+No external LLM calls. Interactive commands are not actually invoked — structural validation only. See `skills/vibe-test/SKILL.md` for full probe spec and failure-handling rules.
+
+## Subcommand: compare (diff two reports)
+
+Compare two JSON reports and classify findings:
+- **P1**: feature exists on only one side → missing
+- **P2**: both sides have it but response shape differs → behavioral drift
+- **P3**: only message wording differs, semantics identical → informational
+
+P1 findings auto-invoke `/vibe.regress register --from-test`.
+
+## Process
+
+Load skill `vibe-test` with subcommand: `$ARGUMENTS`
+
+See `skills/vibe-test/SKILL.md` for detailed logic.
+
+## Storage
+
+```
+.claude/vibe/test-reports/   (CC side)
+.coco/vibe/test-reports/     (coco side)
+  <YYYYMMDD-HHmm>-<harness>.json
+  <YYYYMMDD-HHmm>-<harness>.md
+  <YYYYMMDD-HHmm>-compare.md   (compare output)
+```
+
+## Done Criteria
+
+- [ ] `parity` runs without external calls — local file inspection only (fast, deterministic)
+- [ ] If only one install dir exists, exit cleanly with guidance (not an error)
+- [ ] `compare` warns when reports are not within ±1 minute of each other (timing drift = false positives)
+- [ ] P1 drift auto-registers via `/vibe.regress`
+
+---
+
+ARGUMENTS: $ARGUMENTS

package/commands/vibe.verify.md

@@ -235,9 +235,9 @@ For each failed scenario:
     location: {file:line}
 ```
 
-- `--from-verify` 모드는 사용자 확인 없이 등록 (verify 실패 컨텍스트에서 마찰 최소화)
-- 등록된 bug의 slug를 Failure Report의 "Fix" 섹션에 링크로 노출
-- 이후 `/vibe.regress generate <slug>`로 예방 테스트 생성 가능
+- `--from-verify` mode skips user confirmation (the user is already attentive in a verify-failure context; minimize friction)
+- The registered bug's slug appears as a link in the Failure Report's "Fix" section
+- Follow up with `/vibe.regress generate <slug>` to produce a preventive test
 
 ### Failure Report
 
@@ -402,18 +402,18 @@ node -e "import('{{VIBE_PATH_URL}}/node_modules/@su-record/vibe/dist/tools/index
 **Codex P2 발견 시:**
 - TODO 파일에 기록 후 완료 처리
 
-## Post-Verify Contract Check (자동, contract 파일 있을 때만)
+## Post-Verify Contract Check (auto, only when a contract file exists)
 
-모든 시나리오 통과 후 자동 호출:
+After all scenarios pass, auto-invoke:
 
 ```
 Load skill `vibe-contract` with: check "{feature-name}"
 ```
 
-- `.claude/vibe/contracts/{feature-name}.md`이 없으면 스킵
-- drift 없음 → verify 통과 유지
-- **P1 drift** → verify 실패로 강등 + `/vibe.regress register --from-contract` 자동 호출
-- P2/P3 drift → 경고만, 통과 유지
+- Skip if `.claude/vibe/contracts/{feature-name}.md` does not exist
+- No drift → verify still passes
+- **P1 drift** → demote verify to fail; auto-call `/vibe.regress register --from-contract`
+- P2 / P3 drift → warning only; verify still passes
 
 ## Next Step
 

package/hooks/scripts/__tests__/pre-tool-guard.test.js

@@ -280,8 +280,89 @@ describe('pre-tool-guard', () => {
         tool_name: 'Bash',
         tool_input: { command: 'DROP TABLE users' },
       });
-      // tool_input is stringified — pattern matches against the JSON string
       expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('Database drop detected');
+    });
+  });
+
+  // ══════════════════════════════════════════════════
+  // Regression: file content false positives (issue: machine-key.ts blocked)
+  //   .claude/vibe/regressions/pre-tool-guard-content-false-positive.md
+  //
+  // 이전 구현은 tool_input 전체를 JSON.stringify해서 패턴 매칭했기 때문에
+  // 파일 내용에 '/etc/', '.env', 'secret' 같은 리터럴이 있으면 차단됐음.
+  // write/edit 패턴은 file_path만 봐야 한다.
+  // ══════════════════════════════════════════════════
+  describe('regression: write/edit content must not trigger path patterns', () => {
+    it('should ALLOW writing safe path even when content contains "/etc/" literal', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Write',
+        tool_input: {
+          file_path: 'src/machine-key.ts',
+          content: "for (const path of ['/etc/machine-id', '/var/lib/dbus/machine-id']) {}",
+        },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).not.toContain('Writing to system directory');
+    });
+
+    it('should ALLOW writing safe path even when content contains "/usr/" literal', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Write',
+        tool_input: {
+          file_path: 'src/cli-detect.ts',
+          content: "const IOREG = '/usr/sbin/ioreg';",
+        },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).not.toContain('Writing to system directory');
+    });
+
+    it('should ALLOW writing safe path even when content mentions ".env" / "secret"', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Write',
+        tool_input: {
+          file_path: 'src/config.ts',
+          content: "// loads from .env, never log secret values",
+        },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).not.toContain('Writing to sensitive file');
+    });
+
+    it('should ALLOW editing safe path even when new_string contains ".env" literal', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Edit',
+        tool_input: {
+          file_path: 'src/index.ts',
+          old_string: 'const x = 1',
+          new_string: '// reads .env at startup',
+        },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).not.toContain('Editing sensitive file');
+    });
+
+    it('should still BLOCK Write when file_path itself targets /etc/', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Write',
+        tool_input: { file_path: '/etc/passwd', content: 'root:x:0:0' },
+      });
+      expect(result.exitCode).toBe(2);
+      expect(result.stdout).toContain('Writing to system directory');
+    });
+
+    it('should still WARN Edit when file_path itself is a credentials file', () => {
+      const result = runGuardWithStdin({
+        tool_name: 'Edit',
+        tool_input: {
+          file_path: 'config/credentials.json',
+          old_string: 'a',
+          new_string: 'b',
+        },
+      });
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain('Editing sensitive file');
     });
   });
 });

package/hooks/scripts/pre-tool-guard.js

@@ -7,26 +7,35 @@
 import { VIBE_PATH, PROJECT_DIR } from './utils.js';
 
 // 위험한 명령어 패턴
+//
+// 각 엔트리의 `target`은 매칭 대상 필드:
+//   - 'command'   → tool_input.command (Bash)
+//   - 'file_path' → tool_input.file_path (Write, Edit)
+//   - 'raw'       → 전체 문자열 (스키마 모를 때 폴백)
+//
+// 예전 버전은 항상 stringify된 tool_input 전체에 매칭하여 file content가
+// 패턴(예: /etc/, .env)과 일치하면 false positive로 차단되는 버그가 있었음.
+// 회귀: .claude/vibe/regressions/pre-tool-guard-content-false-positive.md
 const DANGEROUS_PATTERNS = {
   bash: [
-    { pattern: /rm\s+-rf?\s+[\/~]/, severity: 'critical', message: 'Deleting root or home directory' },
-    { pattern: /rm\s+-rf?\s+\*/, severity: 'high', message: 'Wildcard deletion detected' },
-    { pattern: /git\s+push\s+.*--force/, severity: 'high', message: 'Force push detected' },
-    { pattern: /git\s+reset\s+--hard/, severity: 'medium', message: 'Hard reset will discard changes' },
-    { pattern: /drop\s+(table|database)/i, severity: 'critical', message: 'Database drop detected' },
-    { pattern: /truncate\s+table/i, severity: 'high', message: 'Table truncate detected' },
-    { pattern: /:(){ :|:& };:/, severity: 'critical', message: 'Fork bomb detected' },
-    { pattern: /mkfs|fdisk|dd\s+if=/, severity: 'critical', message: 'Disk operation detected' },
-    { pattern: /chmod\s+-R\s+777/, severity: 'medium', message: 'Insecure permission change' },
-    { pattern: /curl.*\|\s*(ba)?sh/, severity: 'high', message: 'Piping curl to shell' },
+    { pattern: /rm\s+-rf?\s+[\/~]/, target: 'command', severity: 'critical', message: 'Deleting root or home directory' },
+    { pattern: /rm\s+-rf?\s+\*/, target: 'command', severity: 'high', message: 'Wildcard deletion detected' },
+    { pattern: /git\s+push\s+.*--force/, target: 'command', severity: 'high', message: 'Force push detected' },
+    { pattern: /git\s+reset\s+--hard/, target: 'command', severity: 'medium', message: 'Hard reset will discard changes' },
+    { pattern: /drop\s+(table|database)/i, target: 'command', severity: 'critical', message: 'Database drop detected' },
+    { pattern: /truncate\s+table/i, target: 'command', severity: 'high', message: 'Table truncate detected' },
+    { pattern: /:(){ :|:& };:/, target: 'command', severity: 'critical', message: 'Fork bomb detected' },
+    { pattern: /mkfs|fdisk|dd\s+if=/, target: 'command', severity: 'critical', message: 'Disk operation detected' },
+    { pattern: /chmod\s+-R\s+777/, target: 'command', severity: 'medium', message: 'Insecure permission change' },
+    { pattern: /curl.*\|\s*(ba)?sh/, target: 'command', severity: 'high', message: 'Piping curl to shell' },
   ],
   edit: [
-    { pattern: /\.env|credentials|secret|password|api[_-]?key/i, severity: 'medium', message: 'Editing sensitive file' },
-    { pattern: /package-lock\.json|yarn\.lock|pnpm-lock/, severity: 'low', message: 'Editing lock file directly' },
+    { pattern: /\.env|credentials|secret|password|api[_-]?key/i, target: 'file_path', severity: 'medium', message: 'Editing sensitive file' },
+    { pattern: /package-lock\.json|yarn\.lock|pnpm-lock/, target: 'file_path', severity: 'low', message: 'Editing lock file directly' },
   ],
   write: [
-    { pattern: /\.env|credentials|secret/i, severity: 'medium', message: 'Writing to sensitive file' },
-    { pattern: /\/etc\/|\/usr\/|C:\\Windows/i, severity: 'critical', message: 'Writing to system directory' },
+    { pattern: /\.env|credentials|secret/i, target: 'file_path', severity: 'medium', message: 'Writing to sensitive file' },
+    { pattern: /\/etc\/|\/usr\/|C:\\Windows/i, target: 'file_path', severity: 'critical', message: 'Writing to system directory' },
   ],
 };
 
@@ -82,10 +91,39 @@ const SAFE_ALTERNATIVES = {
   'chmod 777': 'Use specific permissions (e.g., chmod 755 for directories)',
 };
 
+/**
+ * 패턴 매칭 대상 추출
+ *
+ * tool_input이 객체이면 target 필드만 뽑아 반환. 객체가 아니거나(레거시 argv 모드)
+ * target='raw'이면 입력 전체를 그대로 반환.
+ *
+ * 핵심: write/edit 패턴은 file_path만 봐야 한다. content에 우연히 들어간
+ * 리터럴(예: 코드 안의 '/etc/machine-id' 문자열)이 차단을 일으키지 않도록.
+ */
+function extractTarget(rawInput, target) {
+  if (target === 'raw') return typeof rawInput === 'string' ? rawInput : JSON.stringify(rawInput);
+
+  // 객체로 파싱 시도
+  let obj = rawInput;
+  if (typeof rawInput === 'string') {
+    try {
+      obj = JSON.parse(rawInput);
+    } catch {
+      // JSON 아님 → 레거시 argv 모드. argv[3]은 보통 file_path 또는 command 단일 문자열.
+      // 안전하게 그 문자열을 target 값으로 간주.
+      return rawInput;
+    }
+  }
+
+  if (typeof obj !== 'object' || obj === null) return '';
+  const value = obj[target];
+  return typeof value === 'string' ? value : '';
+}
+
 /**
  * 명령어 검증
  */
-function validateCommand(toolName, input) {
+function validateCommand(toolName, rawInput) {
   const results = {
     allowed: true,
     severity: 'none',
@@ -95,8 +133,11 @@ function validateCommand(toolName, input) {
 
   const patterns = DANGEROUS_PATTERNS[toolName.toLowerCase()] || [];
 
-  for (const { pattern, severity, message } of patterns) {
-    if (pattern.test(input)) {
+  for (const { pattern, target, severity, message } of patterns) {
+    const haystack = extractTarget(rawInput, target || 'raw');
+    if (!haystack) continue;
+
+    if (pattern.test(haystack)) {
       results.warnings.push(`[${severity.toUpperCase()}] ${message}`);
 
       // 심각도에 따른 처리
@@ -109,9 +150,9 @@ function validateCommand(toolName, input) {
         results.severity = severity;
       }
 
-      // 대안 제안
+      // 대안 제안 — 매칭된 target 필드에서만 검색
       for (const [dangerous, safe] of Object.entries(SAFE_ALTERNATIVES)) {
-        if (input.includes(dangerous)) {
+        if (haystack.includes(dangerous)) {
           results.suggestions.push(safe);
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@su-record/vibe",
-  "version": "2.9.20",
+  "version": "2.9.22",
   "description": "AI Coding Framework for Claude Code — 56 agents, 45 skills, multi-LLM orchestration",
   "type": "module",
   "main": "dist/cli/index.js",