@wooojin/forgen 0.1.0

package/dist/hooks/pre-tool-use.js

@@ -0,0 +1,325 @@
+#!/usr/bin/env node
+/**
+ * Forgen — PreToolUse Hook
+ *
+ * 도구 실행 전 위험 명령어 차단 및 컨텍스트 리마인더 주입.
+ * - rm -rf, git push --force 등 위험 패턴 감지
+ * - 활성 모드 상태 리마인더 주입
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { createLogger } from '../core/logger.js';
+const log = createLogger('pre-tool-use');
+import { HookError } from '../core/errors.js';
+import { readStdinJSON } from './shared/read-stdin.js';
+import { atomicWriteJSON } from './shared/atomic-write.js';
+import { withFileLockSync, FileLockError } from './shared/file-lock.js';
+import { sanitizeId } from './shared/sanitize-id.js';
+import { incrementEvidence } from '../engine/solution-writer.js';
+import { isReflectionCandidate } from './compound-reflection.js';
+import { isHookEnabled } from './hook-config.js';
+import { approve, approveWithWarning, deny, failOpen } from './shared/hook-response.js';
+import { FORGEN_HOME, STATE_DIR } from '../core/paths.js';
+const FAIL_COUNTER_PATH = path.join(STATE_DIR, 'pre-tool-fail-counter.json');
+const FAIL_CLOSE_THRESHOLD = 3; // 연속 3회 파싱 실패 시에만 reject
+/** RegExp 안전성 검증 (ReDoS 방지) — 매칭/비매칭 양쪽 모두 테스트 */
+function isSafeRegex(pattern, flags) {
+    try {
+        const re = new RegExp(pattern, flags);
+        const testStr = 'a'.repeat(25);
+        // 매칭 성공 케이스
+        let start = Date.now();
+        re.test(testStr);
+        if (Date.now() - start >= 100)
+            return false;
+        // 매칭 실패 케이스 (ReDoS는 주로 여기서 발생)
+        start = Date.now();
+        re.test(`${testStr}!`);
+        return Date.now() - start < 100;
+    }
+    catch {
+        return false;
+    }
+}
+/** JSON에서 패턴 로드 (패키지 내장 + 사용자 커스텀 병합) */
+function loadDangerousPatterns() {
+    const results = [];
+    // 1. 패키지 내장 패턴 (dangerous-patterns.json)
+    try {
+        const builtinPath = path.join(path.dirname(fileURLToPath(import.meta.url)), 'dangerous-patterns.json');
+        const raw = JSON.parse(fs.readFileSync(builtinPath, 'utf-8'));
+        for (const entry of raw) {
+            if (!isSafeRegex(entry.pattern, entry.flags ?? '')) {
+                log.debug(`내장 패턴 건너뜀 (ReDoS 위험): ${entry.description}`);
+                continue;
+            }
+            results.push({
+                pattern: new RegExp(entry.pattern, entry.flags ?? ''),
+                description: entry.description,
+                severity: entry.severity,
+            });
+        }
+    }
+    catch {
+        // JSON 로드 실패 시 하드코딩 폴백 (최소 안전장치)
+        results.push({ pattern: /rm\s+(-rf|-fr)\s+[/~]/, description: 'rm -rf on root/home path', severity: 'block' }, { pattern: /curl\s+.*\|\s*(ba)?sh/, description: 'curl pipe to shell', severity: 'block' }, { pattern: /:\(\)\s*\{\s*:\|:&\s*\}\s*;:/, description: 'fork bomb', severity: 'block' });
+    }
+    // 2. 사용자 커스텀 패턴 (~/.compound/dangerous-patterns.json)
+    try {
+        const customPath = path.join(FORGEN_HOME, 'dangerous-patterns.json');
+        if (fs.existsSync(customPath)) {
+            const custom = JSON.parse(fs.readFileSync(customPath, 'utf-8'));
+            for (const entry of custom) {
+                if (!isSafeRegex(entry.pattern, entry.flags ?? '')) {
+                    log.debug(`사용자 커스텀 패턴 건너뜀 (ReDoS 위험): ${entry.description}`);
+                    continue;
+                }
+                results.push({
+                    pattern: new RegExp(entry.pattern, entry.flags ?? ''),
+                    description: entry.description,
+                    severity: entry.severity,
+                });
+            }
+        }
+    }
+    catch {
+        log.debug('사용자 커스텀 위험 패턴 로드 실패');
+    }
+    return results;
+}
+/** 위험 Bash 명령어 패턴 (패키지 내장 + 사용자 커스텀 병합) */
+export const DANGEROUS_PATTERNS = loadDangerousPatterns();
+const REMINDER_INTERVAL = 10; // 10회 호출당 1회 리마인더
+const REMINDER_COUNTER_PATH = path.join(STATE_DIR, 'reminder-counter.json');
+/** 위험 명령어 검사 (순수 함수) */
+export function checkDangerousCommand(toolName, toolInput) {
+    if (toolName !== 'Bash')
+        return { action: 'pass' };
+    const command = typeof toolInput === 'string'
+        ? toolInput
+        : (toolInput.command ?? '');
+    for (const { pattern, description, severity } of DANGEROUS_PATTERNS) {
+        if (pattern.test(command)) {
+            return { action: severity, description, command: command.slice(0, 100) };
+        }
+    }
+    return { action: 'pass' };
+}
+/** 카운터 기반 리마인더 표시 여부 판정 (순수 함수 — I/O 없음) */
+export function shouldShowReminder(count, interval = REMINDER_INTERVAL) {
+    return count > 0 && count % interval === 0;
+}
+/** 카운터 기반 리마인더 표시 여부 (I/O 포함 — main에서 사용) */
+function shouldShowReminderIO() {
+    try {
+        let count;
+        if (fs.existsSync(REMINDER_COUNTER_PATH)) {
+            const data = JSON.parse(fs.readFileSync(REMINDER_COUNTER_PATH, 'utf-8'));
+            count = (data.count ?? 0) + 1;
+        }
+        else {
+            // 파일 없음 = 최초 호출: 1부터 시작하여 10번째 호출에 첫 리마인더 표시
+            count = 1;
+        }
+        atomicWriteJSON(REMINDER_COUNTER_PATH, { count });
+        return shouldShowReminder(count);
+    }
+    catch {
+        return false;
+    }
+}
+/** 활성 모드 상태를 리마인더로 수집 */
+function getActiveReminders() {
+    const reminders = [];
+    if (!fs.existsSync(STATE_DIR))
+        return reminders;
+    try {
+        for (const f of fs.readdirSync(STATE_DIR)) {
+            if (!f.endsWith('-state.json') || f.startsWith('context-guard') || f.startsWith('skill-cache'))
+                continue;
+            try {
+                const data = JSON.parse(fs.readFileSync(path.join(STATE_DIR, f), 'utf-8'));
+                if (data.active) {
+                    const mode = f.replace('-state.json', '');
+                    reminders.push(`[${mode}] mode active`);
+                }
+            }
+            catch { /* skip corrupt files */ }
+        }
+    }
+    catch (e) {
+        log.debug('상태 디렉토리 읽기 실패', e);
+    }
+    return reminders;
+}
+/** 연속 파싱 실패 카운터 관리 */
+function getAndIncrementFailCount() {
+    try {
+        let count = 0;
+        if (fs.existsSync(FAIL_COUNTER_PATH)) {
+            const data = JSON.parse(fs.readFileSync(FAIL_COUNTER_PATH, 'utf-8'));
+            count = (data.count ?? 0) + 1;
+        }
+        else {
+            count = 1;
+        }
+        atomicWriteJSON(FAIL_COUNTER_PATH, { count, updatedAt: new Date().toISOString() });
+        return count;
+    }
+    catch {
+        return 1;
+    }
+}
+function resetFailCount() {
+    try {
+        if (fs.existsSync(FAIL_COUNTER_PATH))
+            fs.unlinkSync(FAIL_COUNTER_PATH);
+    }
+    catch (e) {
+        log.debug('fail counter reset failed — counter stays elevated', e);
+    }
+}
+/**
+ * Compound v3: detect if Edit/Write code reflects injected solution identifiers.
+ *
+ * false positive 방지를 위한 3중 필터 적용 (compound-reflection.ts):
+ *   1. 시간 윈도우: 주입 후 15분 이내만 반영 인정
+ *   2. 매칭 비율: 유효 식별자의 50% 이상 매칭 필요
+ *   3. 공통 식별자 차단: 프레임워크 기본 용어 제외
+ */
+function checkCompoundReflection(toolName, toolInput, sessionId) {
+    if (toolName !== 'Edit' && toolName !== 'Write')
+        return;
+    const code = String(toolInput.new_string ?? toolInput.content ?? '');
+    if (!code || code.length < 10)
+        return;
+    const cachePath = path.join(STATE_DIR, `injection-cache-${sanitizeId(sessionId)}.json`);
+    if (!fs.existsSync(cachePath))
+        return;
+    // PR2c-1 + M-2 fix: lock-narrowing.
+    // cache lock 안에서는 cache 갱신(_sessionCounted 비트)만 수행하고,
+    // evidence 갱신은 lock 밖에서 수행한다. 이전 구조는 cache lock을 잡은 채로
+    // 매 솔루션마다 .md 파일 lock을 잡아서 cache lock holding time이 N×해졌고
+    // 다른 hook이 cache lock을 잡지 못해 FileLockError가 빈발할 수 있었다.
+    const reflectedNames = [];
+    const newlySessionCounted = [];
+    try {
+        withFileLockSync(cachePath, () => {
+            const cache = JSON.parse(fs.readFileSync(cachePath, 'utf-8'));
+            if (!Array.isArray(cache.solutions))
+                return;
+            const now = new Date();
+            let mutated = false;
+            for (const sol of cache.solutions) {
+                if (!Array.isArray(sol.identifiers) || sol.identifiers.length === 0)
+                    continue;
+                const result = isReflectionCandidate({
+                    identifiers: sol.identifiers,
+                    code,
+                    injectedAt: sol.injectedAt ?? '',
+                    now,
+                });
+                if (result.reflected) {
+                    reflectedNames.push(sol.name);
+                    if (!sol._sessionCounted) {
+                        sol._sessionCounted = true;
+                        mutated = true;
+                        newlySessionCounted.push(sol.name);
+                    }
+                }
+            }
+            if (mutated) {
+                // mode 0o600 — solution-injector와 일관성
+                atomicWriteJSON(cachePath, cache, { mode: 0o600, dirMode: 0o700 });
+            }
+        });
+    }
+    catch (e) {
+        if (e instanceof FileLockError) {
+            log.warn('compound reflection lock 실패 — write skipped', e);
+        }
+        else {
+            log.debug('compound reflection 체크 실패', e);
+        }
+        return;
+    }
+    // Evidence 갱신은 lock 밖에서 (M-2 fix). solution-writer가 자체 lock을 가지므로 안전.
+    for (const name of reflectedNames) {
+        updateSolutionEvidence(name, 'reflected');
+    }
+    for (const name of newlySessionCounted) {
+        updateSolutionEvidence(name, 'sessions');
+    }
+}
+/**
+ * Update evidence counter in a solution file.
+ * PR2b: solution-writer.incrementEvidence로 위임. lock + fresh re-read + atomic write.
+ *
+ * Exported for use by solution-injector.
+ */
+export function updateSolutionEvidence(solutionName, field) {
+    incrementEvidence(solutionName, field);
+}
+async function main() {
+    const data = await readStdinJSON();
+    if (!data) {
+        // graceful fail-close: consecutive failure counter.
+        // At threshold, block with a user-visible deny message (the block itself
+        // is actionable — the user needs to know why their tool call was
+        // rejected). Below threshold, pass SILENTLY via plain approve() so a
+        // transient parse glitch doesn't leak `systemMessage` noise to the
+        // user's terminal on every tool call. stderr still gets the counter
+        // for `forgen doctor` / log inspection. Mirrors `db-guard.ts:85-96`.
+        const failCount = getAndIncrementFailCount();
+        if (failCount >= FAIL_CLOSE_THRESHOLD) {
+            console.log(deny(`[Forgen] PreToolUse: stdin parse failed ${failCount} consecutive times — blocking for safety.`));
+        }
+        else {
+            process.stderr.write(`[ch-hook] pre-tool-use stdin parse failed (${failCount}/${FAIL_CLOSE_THRESHOLD})\n`);
+            console.log(approve());
+        }
+        return;
+    }
+    // 정상 파싱 성공 시 연속 실패 카운터 리셋
+    resetFailCount();
+    if (!isHookEnabled('pre-tool-use')) {
+        console.log(approve());
+        return;
+    }
+    const toolName = data.tool_name ?? data.toolName ?? '';
+    const toolInput = data.tool_input ?? data.toolInput ?? {};
+    const sessionId = data.session_id ?? 'default';
+    // Bash 도구: 위험 명령어 감지
+    const check = checkDangerousCommand(toolName, toolInput);
+    if (check.action === 'block') {
+        console.log(deny(`[Forgen] Dangerous command blocked: ${check.description}\nCommand: ${check.command}`));
+        return;
+    }
+    if (check.action === 'warn') {
+        console.log(approveWithWarning(`<compound-tool-warning>\n[Forgen] ⚠ Dangerous command detected: ${check.description}\nProceed with caution.\n</compound-tool-warning>`));
+        return;
+    }
+    // Compound v3: Code Reflection check (non-blocking)
+    try {
+        checkCompoundReflection(toolName, toolInput, sessionId);
+    }
+    catch (e) {
+        log.debug('compound reflection check 실패', e);
+    }
+    // 활성 모드 리마인더 (10회 호출당 1회 — 결정적 카운터 기반)
+    const reminders = getActiveReminders();
+    if (reminders.length > 0 && shouldShowReminderIO()) {
+        console.log(approveWithWarning(`<compound-reminder>\n${reminders.join('\n')}\n</compound-reminder>`));
+        return;
+    }
+    console.log(approve());
+}
+main().catch((e) => {
+    const hookErr = new HookError(e instanceof Error ? e.message : String(e), {
+        hookName: 'pre-tool-use', eventType: 'PreToolUse', cause: e,
+    });
+    process.stderr.write(`[ch-hook] ${hookErr.name}: ${hookErr.message}\n`);
+    // fail-open: approve on internal error to avoid blocking all tool calls
+    console.log(failOpen());
+});

package/dist/hooks/prompt-injection-filter.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Security module for filtering prompt injection attacks from solution content
+ * before it gets injected into Claude's context.
+ *
+ * NOTE: This is a shared utility, NOT a standalone hook.
+ * Used by: solution-injector.ts (via import)
+ * Exported via: lib.ts (public API for programmatic use)
+ * Not registered in hooks.json — intentional.
+ */
+type Severity = 'block' | 'warn';
+type Category = 'injection' | 'exfiltration' | 'obfuscation';
+interface SecurityPattern {
+    id: string;
+    pattern: RegExp;
+    severity: Severity;
+    category: Category;
+}
+export interface ScanFinding {
+    patternId: string;
+    severity: Severity;
+    category: Category;
+    matchedText: string;
+}
+export interface ScanResult {
+    verdict: 'safe' | 'warn' | 'block';
+    findings: ScanFinding[];
+    sanitized: string;
+}
+/** Structured security patterns with severity and category metadata */
+export declare const SECURITY_PATTERNS: SecurityPattern[];
+/**
+ * Legacy flat array for backwards-compatible exports.
+ * Contains only the RegExp patterns from SECURITY_PATTERNS.
+ */
+export declare const PROMPT_INJECTION_PATTERNS: RegExp[];
+/** Normalize text for injection detection: strip zero-width chars, NFKC normalize */
+export declare function normalizeForInjectionCheck(text: string): string;
+/**
+ * Escape ALL XML-like tags in text to prevent tag injection.
+ */
+export declare function escapeAllXmlTags(text: string): string;
+/**
+ * Combined filter: checks for prompt injection and escapes XML tags.
+ * - block 패턴 매칭 → verdict: 'block', sanitized: ''
+ * - warn만 매칭   → verdict: 'warn',  sanitized: XML 이스케이프된 텍스트
+ * - 매칭 없음     → verdict: 'safe',  sanitized: XML 이스케이프된 텍스트
+ */
+export declare function filterSolutionContent(text: string): ScanResult;
+/**
+ * Check if text contains prompt injection patterns.
+ * Normalizes Unicode before matching to prevent bypass via homoglyphs/zero-width chars.
+ *
+ * @returns true only when a 'block'-severity pattern matches (하위 호환 유지).
+ */
+export declare function containsPromptInjection(text: string): boolean;
+export {};

package/dist/hooks/prompt-injection-filter.js

@@ -0,0 +1,287 @@
+/**
+ * Security module for filtering prompt injection attacks from solution content
+ * before it gets injected into Claude's context.
+ *
+ * NOTE: This is a shared utility, NOT a standalone hook.
+ * Used by: solution-injector.ts (via import)
+ * Exported via: lib.ts (public API for programmatic use)
+ * Not registered in hooks.json — intentional.
+ */
+// ── Pattern registry ───────────────────────────────────────────────────────
+/** Structured security patterns with severity and category metadata */
+export const SECURITY_PATTERNS = [
+    // --- injection / block: 명시적 지시 무효화 ---
+    {
+        id: 'ignore-previous-instructions',
+        pattern: /ignore\s+(all\s+)?previous\s+instructions/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ignore-above-prior',
+        pattern: /ignore\s+(all\s+)?(above|prior)/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'disregard-previous',
+        pattern: /disregard\s+(all\s+)?(previous|above|prior)/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'new-instructions',
+        pattern: /new\s+instructions?\s*:/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'forget-context',
+        pattern: /forget\s+(everything|all|previous|your)/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    // --- injection / block: 특수 태그 ---
+    {
+        id: 'system-tag',
+        pattern: /<\s*\/?system\s*>/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'assistant-tag',
+        pattern: /<\s*\/?assistant\s*>/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'user-tag',
+        pattern: /<\s*\/?user\s*>/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'human-tag',
+        pattern: /<\s*\/?human\s*>/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'inst-tag',
+        pattern: /\[INST\]/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'sys-tag',
+        pattern: /<<SYS>>/i,
+        severity: 'block',
+        category: 'injection',
+    },
+    // --- injection / block: 한국어 명시적 인젝션 ---
+    {
+        id: 'ko-ignore-previous',
+        pattern: /이전\s*(지시|명령|설정|규칙).*무시/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-ignore-all',
+        pattern: /(모든|전부|앞의|위의)\s*(지시|명령|설정).*무시/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-forget',
+        pattern: /(잊어|잊으|잊어버려|잊어라)/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-you-are-now',
+        pattern: /넌\s+이제부터/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-new-role',
+        pattern: /새로운\s*(역할|지시|명령|규칙)/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-change-role',
+        pattern: /너(는|의)\s*(역할|정체).*바꿔/,
+        severity: 'block',
+        category: 'injection',
+    },
+    {
+        id: 'ko-system-prompt',
+        pattern: /(시스템|어시스턴트)\s*(프롬프트|메시지)/,
+        severity: 'block',
+        category: 'injection',
+    },
+    // --- injection / warn: 맥락에 따라 합법적일 수 있는 패턴 ---
+    {
+        id: 'you-are-now',
+        pattern: /you\s+are\s+now/i,
+        severity: 'warn',
+        category: 'injection',
+    },
+    {
+        id: 'act-as',
+        pattern: /act\s+as\s+(a|an|if)\b/i,
+        severity: 'warn',
+        category: 'injection',
+    },
+    {
+        id: 'pretend-to',
+        pattern: /pretend\s+(you|to\s+be)/i,
+        severity: 'warn',
+        category: 'injection',
+    },
+    {
+        id: 'ko-pretend',
+        pattern: /인척\s*(해|하세요|해봐)/,
+        severity: 'warn',
+        category: 'injection',
+    },
+    // --- exfiltration / block: 비밀키·파일 유출 ---
+    {
+        id: 'exfil-secret-curl',
+        pattern: /curl.*\$\{?\w*(KEY|TOKEN|SECRET|PASSWORD|API)/i,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'exfil-secret-file',
+        pattern: /cat\s+[^\n]*(\.env|credentials|\.netrc)/i,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'exfil-wget-post',
+        pattern: /wget\s+--post-data[^\n]*\$\{?\w*(KEY|TOKEN|SECRET|PASSWORD)/i,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'exfil-nc-pipe',
+        pattern: /\|\s*nc\s+\S+\s+\d+/,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'exfil-ssh-key-read',
+        pattern: /cat\s+[^\n]*\.ssh\/(id_rsa|id_ed25519|authorized_keys)/i,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    // --- destructive / block: 파괴적 명령 패턴 ---
+    {
+        id: 'destruct-rm-rf-root',
+        pattern: /rm\s+-[^\n]*rf\s+\//,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'destruct-chmod-777',
+        pattern: /chmod\s+(-R\s+)?777\s+\//,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    {
+        id: 'destruct-drop-database',
+        pattern: /DROP\s+(DATABASE|TABLE)\s+/i,
+        severity: 'block',
+        category: 'exfiltration',
+    },
+    // --- obfuscation / warn: base64 디코드 파이프 ---
+    {
+        id: 'obfusc-base64-decode',
+        pattern: /base64\s+(-d|--decode)\s*\|/,
+        severity: 'warn',
+        category: 'obfuscation',
+    },
+    // --- obfuscation / block: 난독화 실행 ---
+    {
+        id: 'obfusc-echo-exec',
+        pattern: /echo\s+[^\n]*\|\s*(bash|sh|python|node)/i,
+        severity: 'block',
+        category: 'obfuscation',
+    },
+    {
+        id: 'obfusc-eval-dynamic',
+        pattern: /eval\s*\(\s*(atob|Buffer\.from|decodeURI)/i,
+        severity: 'block',
+        category: 'obfuscation',
+    },
+];
+/**
+ * Legacy flat array for backwards-compatible exports.
+ * Contains only the RegExp patterns from SECURITY_PATTERNS.
+ */
+export const PROMPT_INJECTION_PATTERNS = SECURITY_PATTERNS.map((sp) => sp.pattern);
+// ── Utilities ─────────────────────────────────────────────────────────────
+/** Normalize text for injection detection: strip zero-width chars, NFKC normalize */
+export function normalizeForInjectionCheck(text) {
+    return text
+        .replace(/[\u200B-\u200F\u2028-\u202F\uFEFF\u00AD]/g, '')
+        .normalize('NFKC');
+}
+/**
+ * Escape ALL XML-like tags in text to prevent tag injection.
+ */
+export function escapeAllXmlTags(text) {
+    return text.replace(/<\/?[a-zA-Z][\w-]*(?:\s[^>]*)?\/?>/g, (match) => match.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
+}
+// ── Core scan ─────────────────────────────────────────────────────────────
+/**
+ * Scan text against all SECURITY_PATTERNS and return structured findings.
+ */
+function scanText(text) {
+    const normalized = normalizeForInjectionCheck(text);
+    const findings = [];
+    for (const sp of SECURITY_PATTERNS) {
+        const match = sp.pattern.exec(normalized);
+        if (match) {
+            findings.push({
+                patternId: sp.id,
+                severity: sp.severity,
+                category: sp.category,
+                matchedText: match[0],
+            });
+        }
+    }
+    return findings;
+}
+// ── Public API ────────────────────────────────────────────────────────────
+/**
+ * Combined filter: checks for prompt injection and escapes XML tags.
+ * - block 패턴 매칭 → verdict: 'block', sanitized: ''
+ * - warn만 매칭   → verdict: 'warn',  sanitized: XML 이스케이프된 텍스트
+ * - 매칭 없음     → verdict: 'safe',  sanitized: XML 이스케이프된 텍스트
+ */
+export function filterSolutionContent(text) {
+    const findings = scanText(text);
+    const hasBlock = findings.some((f) => f.severity === 'block');
+    if (hasBlock) {
+        return { verdict: 'block', findings, sanitized: '' };
+    }
+    const hasWarn = findings.some((f) => f.severity === 'warn');
+    const sanitized = escapeAllXmlTags(text);
+    if (hasWarn) {
+        return { verdict: 'warn', findings, sanitized };
+    }
+    return { verdict: 'safe', findings: [], sanitized };
+}
+/**
+ * Check if text contains prompt injection patterns.
+ * Normalizes Unicode before matching to prevent bypass via homoglyphs/zero-width chars.
+ *
+ * @returns true only when a 'block'-severity pattern matches (하위 호환 유지).
+ */
+export function containsPromptInjection(text) {
+    const findings = scanText(text);
+    return findings.some((f) => f.severity === 'block');
+}

package/dist/hooks/rate-limiter.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+/**
+ * Forgen — PreToolUse: Rate Limiter Hook
+ *
+ * MCP 도구 호출 빈도를 제한하여 남용을 방지합니다.
+ * 기본 제한: 30회/분
+ */
+interface RateLimitState {
+    calls: number[];
+}
+/** 상태 파일 로드 (스키마 검증 포함) */
+export declare function loadRateLimitState(): RateLimitState;
+/** 상태 파일 저장 (atomic write로 동시 세션 안전) */
+export declare function saveRateLimitState(state: RateLimitState): void;
+/** 오래된 호출 기록 정리 + 제한 초과 여부 판정 (순수 함수) */
+export declare function checkRateLimit(state: RateLimitState, now?: number, limit?: number): {
+    exceeded: boolean;
+    count: number;
+    updatedState: RateLimitState;
+};
+export {};