@wooojin/forgen 0.3.1 → 0.3.2

package/dist/hooks/internal/run-lifecycle-check.js

@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+/**
+ * Forgen — Internal runner: compound lifecycle check.
+ *
+ * Spawned by `session-recovery.ts` as a detached background process.
+ * Exists as a dedicated script file so the caller can pass `sessionId`
+ * via argv instead of interpolating it into a `-e` template literal.
+ *
+ * Audit finding #5 (2026-04-21): prior call site used
+ *   spawn('node', ['--input-type=module', '-e',
+ *     `import('${path}').then(m => m.runLifecycleCheck('${sessionId}'))`])
+ * which interpolated `sessionId` (originating from hook stdin) into
+ * executable JS source. An attacker-controlled session id of the shape
+ * `a'); malicious(); //` would have executed arbitrary JS under the
+ * user's Claude-Code privileges. A dedicated script + argv lookup has
+ * no shell or eval surface.
+ *
+ * Contract: `process.argv[2]` is the session id. Any extra args are
+ * ignored. stdout/stderr are ignored by the caller (`stdio: 'ignore'`).
+ */
+import { runLifecycleCheck } from '../../engine/compound-lifecycle.js';
+const sessionId = process.argv[2];
+if (!sessionId || typeof sessionId !== 'string') {
+    process.exit(0);
+}
+try {
+    runLifecycleCheck(sessionId);
+}
+catch {
+    // Detached background — best effort. Surfacing errors would have no
+    // consumer and the parent hook already logged the spawn.
+}

package/dist/hooks/notepad-injector.js

@@ -21,6 +21,7 @@ import { isHookEnabled } from './hook-config.js';
 import { truncateContent } from './shared/injection-caps.js';
 import { calculateBudget } from './shared/context-budget.js';
 import { approve, approveWithContext, failOpenWithTracking } from './shared/hook-response.js';
+import { escapeAllXmlTags } from './prompt-injection-filter.js';
 // ── 메인 ──
 async function main() {
     const input = await readStdinJSON();
@@ -39,9 +40,11 @@ async function main() {
         console.log(approve());
         return;
     }
-    // 태그 이스케이프: notepad 내용 내의 닫는 태그를 안전하게 처리
-    const safeContent = truncateContent(notepadContent.trim(), calculateBudget(effectiveCwd).notepadMax)
-        .replace(/<\/forgen-notepad>/g, '&lt;/forgen-notepad&gt;');
+    // P1-S2 fix (2026-04-20): 이전에는 `</forgen-notepad>` 리터럴 하나만 치환했지만,
+    // notepad 파일에 `<system>`, `<assistant>` 같은 임의 XML 태그가 있으면 그대로
+    // LLM에 전달되어 지시 주입 위험. escapeAllXmlTags로 모든 태그를 escape한다.
+    const truncated = truncateContent(notepadContent.trim(), calculateBudget(effectiveCwd).notepadMax);
+    const safeContent = escapeAllXmlTags(truncated);
     const injection = `<forgen-notepad>\n${safeContent}\n</forgen-notepad>`;
     console.log(approveWithContext(injection, 'UserPromptSubmit'));
 }

package/dist/hooks/permission-handler.d.ts

@@ -10,5 +10,13 @@
 export declare const SAFE_TOOLS: Set<string>;
 /** autopilot 모드에서도 수동 확인이 필요한 도구 */
 export declare const ALWAYS_CONFIRM_TOOLS: Set<string>;
-/** 도구 분류: 승인/확인/통과 결정 (순수 함수) */
-export declare function classifyTool(toolName: string, isAutopilot: boolean): 'auto-approve-safe' | 'autopilot-confirm' | 'autopilot-approve' | 'pass-through';
+/**
+ * 도구 분류: pass-through 결정 (순수 함수).
+ *
+ * Audit clarification #4 (2026-04-21): 본 훅은 Claude의 기본 권한 흐름을
+ * 가로채지 않는다 — 모든 return 라벨은 "어떤 pass-through 경로인가"를
+ * 의미하며, `permissionDecision: 'allow'`를 강제하지 않는다. 과거 라벨
+ * `auto-approve-safe`, `autopilot-approve`는 승인으로 오해되어 audit log가
+ * 실제 실행 신뢰도와 어긋났다.
+ */
+export declare function classifyTool(toolName: string, isAutopilot: boolean): 'safe-pass-through' | 'autopilot-warn-pass-through' | 'autopilot-pass-through' | 'pass-through';

package/dist/hooks/permission-handler.js

@@ -24,15 +24,23 @@ export const SAFE_TOOLS = new Set([
 export const ALWAYS_CONFIRM_TOOLS = new Set([
     'Bash', 'Write', 'Edit',
 ]);
-/** 도구 분류: 승인/확인/통과 결정 (순수 함수) */
+/**
+ * 도구 분류: pass-through 결정 (순수 함수).
+ *
+ * Audit clarification #4 (2026-04-21): 본 훅은 Claude의 기본 권한 흐름을
+ * 가로채지 않는다 — 모든 return 라벨은 "어떤 pass-through 경로인가"를
+ * 의미하며, `permissionDecision: 'allow'`를 강제하지 않는다. 과거 라벨
+ * `auto-approve-safe`, `autopilot-approve`는 승인으로 오해되어 audit log가
+ * 실제 실행 신뢰도와 어긋났다.
+ */
 export function classifyTool(toolName, isAutopilot) {
     if (SAFE_TOOLS.has(toolName))
-        return 'auto-approve-safe';
+        return 'safe-pass-through';
     if (!isAutopilot)
         return 'pass-through';
     if (ALWAYS_CONFIRM_TOOLS.has(toolName))
-        return 'autopilot-confirm';
-    return 'autopilot-approve';
+        return 'autopilot-warn-pass-through';
+    return 'autopilot-pass-through';
 }
 /** autopilot 모드 활성 여부 확인 */
 function isAutopilotActive() {
@@ -80,9 +88,17 @@ async function main() {
     }
     const toolName = data.tool_name ?? data.toolName ?? '';
     const sessionId = data.session_id ?? 'default';
-    // 안전 도구는 항상 승인
+    // Audit note #4 (2026-04-21): `approve()` / `approveWithWarning()` 둘 다
+    // Claude Code hook protocol에서 `permissionDecision: 'allow'`를 설정하지
+    // 않는다. 따라서 본 훅은 실제로 도구 실행을 "승인(force-allow)"하지 않고,
+    // Claude의 기본 권한 흐름으로 pass-through 시킨다 (systemMessage UI 경고는
+    // 선택사항). 과거 로그에서 `auto-approve-safe` / `autopilot-approve` 같은
+    // 결정 이름이 실제 효과와 어긋났기에 로그 라벨을 실효에 맞춰 정정했다.
+    //
+    // SAFE_TOOLS (Read/Glob/Grep 등): Claude 기본 정책상 이미 허용되는 도구이므로
+    // 이곳에서 별도 장치 없이 pass-through. 로그는 `safe-pass-through`로 기록.
     if (SAFE_TOOLS.has(toolName)) {
-        logPermissionRequest(sessionId, toolName, 'auto-approve-safe');
+        logPermissionRequest(sessionId, toolName, 'safe-pass-through');
         console.log(approve());
         return;
     }
@@ -94,18 +110,21 @@ async function main() {
     }
     // autopilot 모드 (2차 방어선):
     // pre-tool-use 훅이 위험 패턴(rm -rf, git push --force 등)을 이미 block/warn 처리함.
-    // 여기 도달하는 도구는 pre-tool-use를 통과한 것이므로, 승인하되 메시지로 추적 가능하게 함.
+    // 여기 도달하는 도구는 pre-tool-use를 통과한 것으로 pass-through + UI 경고.
+    // 여전히 Claude의 기본 confirmation은 사용자에게 노출된다 — 본 훅이 전체
+    // 승인을 가로채는 게 아니라 추적성을 위한 어노테이션이다.
     if (ALWAYS_CONFIRM_TOOLS.has(toolName)) {
-        logPermissionRequest(sessionId, toolName, 'autopilot-confirm');
+        logPermissionRequest(sessionId, toolName, 'autopilot-warn-pass-through');
         // Bash는 pre-tool-use를 통과했더라도 경고 강도를 높임 (임의 셸 실행 위험)
         const warningLevel = toolName === 'Bash'
-            ? `[Forgen] ⚠ Autopilot: Bash tool auto-approved — passed pre-tool-use validation. Beware of unexpected commands.`
-            : `[Forgen] Autopilot: ${toolName} tool execution auto-approved.`;
+            ? `[Forgen] ⚠ Autopilot: Bash tool — passed pre-tool-use validation. Beware of unexpected commands.`
+            : `[Forgen] Autopilot: ${toolName} tool use passed through with warning.`;
         console.log(approveWithWarning(`<compound-permission>\n${warningLevel}\n</compound-permission>`));
         return;
     }
-    // 기타 도구: autopilot 모드에서 자동 승인
-    logPermissionRequest(sessionId, toolName, 'autopilot-approve');
+    // 기타 도구: autopilot 모드에서도 pass-through (force-approve 아님).
+    // 과거 로그 라벨은 `autopilot-approve`였으나 실제 효과는 pass-through.
+    logPermissionRequest(sessionId, toolName, 'autopilot-pass-through');
     console.log(approve());
 }
 main().catch((e) => {

package/dist/hooks/pre-tool-use.js

@@ -334,10 +334,16 @@ async function main() {
             log.debug('compound reflection check 실패', e);
         }
         // 활성 모드 리마인더 (10회 호출당 1회 — 결정적 카운터 기반)
-        const reminders = getActiveReminders();
-        if (reminders.length > 0 && shouldShowReminderIO()) {
-            console.log(approveWithWarning(`<compound-reminder>\n${reminders.join('\n')}\n</compound-reminder>`));
-            return;
+        // P0-4 fix (2026-04-20): 과거에는 getActiveReminders()로 STATE_DIR을 먼저
+        // readdir + N회 readFileSync한 뒤에야 shouldShowReminderIO 카운터를 체크했다.
+        // 그래서 "리마인더를 보여줄 호출이 아닌" 90%에서도 디렉터리 스캔이 발생.
+        // 이제 shouldShowReminderIO를 먼저 체크해 표시 회차일 때만 스캔한다.
+        if (shouldShowReminderIO()) {
+            const reminders = getActiveReminders();
+            if (reminders.length > 0) {
+                console.log(approveWithWarning(`<compound-reminder>\n${reminders.join('\n')}\n</compound-reminder>`));
+                return;
+            }
         }
         console.log(approve());
     }

package/dist/hooks/secret-filter.js

@@ -16,6 +16,12 @@ export const SECRET_PATTERNS = [
     { name: 'Password', pattern: /(password|passwd|pwd)\s*[=:]\s*["']?[^\s"']{8,}/i },
     { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ },
     { name: 'Connection String', pattern: /(mongodb|postgres|mysql|redis):\/\/\w+:[^@]+@/ },
+    // 2026-04-21 follow-up audit #B: vendor-specific prefixes the generic
+    // `(sk|pk|api-key)[_-]` pattern does NOT match. Real-world leaks
+    // overwhelmingly use these formats.
+    { name: 'GitHub Token', pattern: /\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b/ },
+    { name: 'Google API Key', pattern: /\bAIza[0-9A-Za-z_-]{35}\b/ },
+    { name: 'Slack Token', pattern: /\bxox[abpors]-[A-Za-z0-9-]{10,}/ },
 ];
 /** 텍스트에서 민감 정보 패턴 감지 (순수 함수) */
 export function detectSecrets(text) {

package/dist/hooks/session-recovery.js

@@ -378,7 +378,6 @@ async function main() {
         // v1: regex 기반 패턴 학습(prompt-learner) 제거. Evidence 기반으로 전환됨.
         // Compound v3: Run lifecycle check once per day
         try {
-            const lifecycleModulePath = path.join(path.dirname(fileURLToPath(import.meta.url)), '..', 'engine', 'compound-lifecycle.js');
             const lastLifecyclePath = path.join(STATE_DIR, 'last-lifecycle.json');
             let shouldRun = true;
             try {
@@ -390,13 +389,22 @@ async function main() {
             }
             catch { /* last-lifecycle.json parse failure — run lifecycle check anyway */ }
             if (shouldRun) {
-                // B-4: detached background spawn으로 분리 — hook timeout 초과 방지
+                // B-4: detached background spawn — hook timeout 초과 방지.
+                //
+                // Audit fix #5 (2026-04-21): prior invocation interpolated
+                // `sessionId` into a `-e` template literal
+                //   `import('${path}').then(m => m.runLifecycleCheck('${sessionId}'))`
+                // which created a code-injection surface (a crafted sessionId
+                // could break out of the single quotes and execute arbitrary JS
+                // under the user's Claude-Code privileges). The runner was moved
+                // to a dedicated script file and the id is now passed via argv —
+                // no shell, no eval, no interpolation.
+                const runnerPath = path.join(path.dirname(fileURLToPath(import.meta.url)), 'internal', 'run-lifecycle-check.js');
                 const { spawn: spawnLifecycle } = await import('node:child_process');
-                const lifecycleRunner = spawnLifecycle('node', [
-                    '--input-type=module',
-                    '-e',
-                    `import('${lifecycleModulePath.replace(/\\/g, '/')}').then(m => m.runLifecycleCheck('${sessionId}'))`,
-                ], { detached: true, stdio: 'ignore' });
+                const lifecycleRunner = spawnLifecycle('node', [runnerPath, sessionId], {
+                    detached: true,
+                    stdio: 'ignore',
+                });
                 lifecycleRunner.unref();
                 const { atomicWriteJSON: writeJSON } = await import('./shared/atomic-write.js');
                 writeJSON(lastLifecyclePath, { lastRun: new Date().toISOString() });

package/dist/hooks/shared/hook-response.d.ts

@@ -29,8 +29,6 @@ export declare function approveWithWarning(warning: string): string;
 export declare function deny(reason: string): string;
 /** 사용자 확인 요청 (PreToolUse 전용) */
 export declare function ask(reason: string): string;
-/** fail-open: 에러 시 안전하게 통과 */
-export declare function failOpen(): string;
 /**
  * fail-open with error tracking: 에러 시 안전하게 통과하되, 실패 정보를 기록.
  * forgen doctor의 Hook Health 섹션에서 실패 이력을 표시할 수 있도록 JSONL 로그에 기록.

package/dist/hooks/shared/hook-response.js

@@ -14,8 +14,8 @@
  *   모델에 컨텍스트를 주입하려면 반드시 additionalContext를 사용해야 함.
  */
 import * as fs from 'node:fs';
-import * as os from 'node:os';
 import * as path from 'node:path';
+import { STATE_DIR } from '../../core/paths.js';
 /** 통과 응답 (컨텍스트 없음, 모든 이벤트 공통) */
 export function approve() {
     return JSON.stringify({ continue: true });
@@ -59,10 +59,6 @@ export function ask(reason) {
         },
     });
 }
-/** fail-open: 에러 시 안전하게 통과 */
-export function failOpen() {
-    return JSON.stringify({ continue: true });
-}
 /**
  * fail-open with error tracking: 에러 시 안전하게 통과하되, 실패 정보를 기록.
  * forgen doctor의 Hook Health 섹션에서 실패 이력을 표시할 수 있도록 JSONL 로그에 기록.
@@ -71,9 +67,8 @@ export function failOpen() {
  */
 export function failOpenWithTracking(hookName) {
     try {
-        const stateDir = path.join(os.homedir(), '.forgen', 'state');
-        fs.mkdirSync(stateDir, { recursive: true });
-        const logPath = path.join(stateDir, 'hook-errors.jsonl');
+        fs.mkdirSync(STATE_DIR, { recursive: true });
+        const logPath = path.join(STATE_DIR, 'hook-errors.jsonl');
         const entry = JSON.stringify({ hook: hookName, at: Date.now() });
         fs.appendFileSync(logPath, entry + '\n');
     }

package/dist/hooks/shared/hook-timing.js

@@ -9,13 +9,22 @@ import * as path from 'node:path';
 import { STATE_DIR } from '../../core/paths.js';
 const TIMING_LOG = path.join(STATE_DIR, 'hook-timing.jsonl');
 const MAX_LINES = 500;
+// P0-2 fix (2026-04-20): rotate를 size gate로 보호. 이전에는 매 hook 완료마다
+// full-file read + length split + write까지 실행해 steady-state(500줄 근처)에서
+// 매 tool call당 ~40KB의 불필요 I/O가 발생했다. statSync 한 번으로 크기만 보고
+// threshold 이하면 read/write 둘 다 skip한다. threshold는 ~80바이트/엔트리 기준
+// MAX_LINES × 1.5 여유를 둠.
+const ROTATE_SIZE_BYTES = MAX_LINES * 80 * 2; // ~80KB
 export function recordHookTiming(hookName, durationMs, event) {
     try {
         fs.mkdirSync(STATE_DIR, { recursive: true });
         const entry = JSON.stringify({ hook: hookName, ms: durationMs, event, at: Date.now() });
         fs.appendFileSync(TIMING_LOG, entry + '\n');
-        // Rotate if too large
+        // Rotate if too large — size-gated (statSync only, skip read/write 대부분의 호출)
         try {
+            const size = fs.statSync(TIMING_LOG).size;
+            if (size < ROTATE_SIZE_BYTES)
+                return;
             const content = fs.readFileSync(TIMING_LOG, 'utf-8');
             const lines = content.trim().split('\n');
             if (lines.length > MAX_LINES) {

package/dist/hooks/solution-injector.d.ts

@@ -7,6 +7,27 @@
  *
  * knowledge-comes-to-you 원칙: 필요한 지식은 찾아와야 한다
  */
+/**
+ * Minimum relevance thresholds by fitness state (2026-04-21 gate sweep).
+ *
+ * Motivation: a flat 0.3 floor gave 100% precision but 60% recall on a
+ * synthetic 40-query workload — 10 legitimate matches that scored
+ * 0.25-0.30 were blocked alongside noise. A pure 0.25 floor pushed recall
+ * to 84% but stripped noise protection for unverified solutions.
+ *
+ * Champion-aware solution: trust graduates more. Solutions whose fitness
+ * classification is `champion` or `active` (accept/correct ratio has
+ * survived ≥5 injections under the v0.3.2 gates) earn a lower 0.25
+ * injection floor; everything else stays at 0.3. On the sweep this hit
+ * precision 95.5% / recall 84% / off-topic specificity 100% — best
+ * trade in the variant set.
+ *
+ * If fitness data is unavailable (fresh install, empty outcomes/),
+ * every solution falls into the default 0.3 bucket — identical to the
+ * pre-0.3.2 gate. No cold-start regression.
+ */
+export declare const MIN_INJECT_RELEVANCE = 0.3;
+export declare const MIN_INJECT_RELEVANCE_TRUSTED = 0.25;
 interface SessionCacheCommitResult {
     /**
      * commit 상태:

package/dist/hooks/solution-injector.js

@@ -30,6 +30,27 @@ import { STATE_DIR } from '../core/paths.js';
 import { recordHookTiming } from './shared/hook-timing.js';
 import { appendPending, flushAccept } from '../engine/solution-outcomes.js';
 const MAX_SOLUTIONS_PER_SESSION = 10;
+/**
+ * Minimum relevance thresholds by fitness state (2026-04-21 gate sweep).
+ *
+ * Motivation: a flat 0.3 floor gave 100% precision but 60% recall on a
+ * synthetic 40-query workload — 10 legitimate matches that scored
+ * 0.25-0.30 were blocked alongside noise. A pure 0.25 floor pushed recall
+ * to 84% but stripped noise protection for unverified solutions.
+ *
+ * Champion-aware solution: trust graduates more. Solutions whose fitness
+ * classification is `champion` or `active` (accept/correct ratio has
+ * survived ≥5 injections under the v0.3.2 gates) earn a lower 0.25
+ * injection floor; everything else stays at 0.3. On the sweep this hit
+ * precision 95.5% / recall 84% / off-topic specificity 100% — best
+ * trade in the variant set.
+ *
+ * If fitness data is unavailable (fresh install, empty outcomes/),
+ * every solution falls into the default 0.3 bucket — identical to the
+ * pre-0.3.2 gate. No cold-start regression.
+ */
+export const MIN_INJECT_RELEVANCE = 0.3;
+export const MIN_INJECT_RELEVANCE_TRUSTED = 0.25;
 /** 세션별 이미 주입된 솔루션 추적 (중복 방지) */
 function getSessionCachePath(sessionId) {
     return path.join(STATE_DIR, `solution-cache-${sanitizeId(sessionId)}.json`);
@@ -299,12 +320,50 @@ async function main() {
             console.log(approve());
             return;
         }
-        // 어댑티브 프롬프트당 솔루션 수 제한, experiment는 1개 제한
+        // 어댑티브 프롬프트당 솔루션 수 제한, experiment는 1개 제한.
+        // 2026-04-21: MIN_INJECT_RELEVANCE 게이트 추가. 과거 0.15~0.21짜리 저신뢰 매칭이
+        // 거의 모든 세션에 주입되어 error 귀속의 80%를 차지했음.
+        //
+        // 2026-04-21 (precision audit follow-up): 단일 태그 매칭은 주입 차단.
+        // ~/.forgen/state/match-eval-log.jsonl 7406 queries 분석 결과, top-1의
+        // 33.5%가 "forgen", "type", "file" 같은 공통 단어 한 개로 매칭되어 희귀
+        // 태그 BM25 boost로 0.5~0.8 점수를 받고 사용자 컨텍스트를 오염시켰다.
+        // Matcher는 top-5 recall 유지를 위해 permissive 하게 두고 (bootstrap eval
+        // 호환), 주입 직전에만 엄격히:
+        //   - identifier match ≥ 1 (함수/파일 이름 리터럴 매칭 — 강한 신호) OR
+        //   - matched tags ≥ 2 (의도 교차점 2개 이상)
+        // 둘 중 하나를 만족해야 주입.
+        // 2026-04-21 (champion-aware gate): fitness 상태가 champion/active인 솔루션은
+        // 검증된 신호가 있으므로 임계값 0.25로 완화. draft/underperform 은 0.3 그대로.
+        // Fitness 데이터가 없으면 전체 default 0.3 (cold-start 회귀 없음).
+        // Gate sweep 결과: precision 95.5% / recall 84% / off-topic specificity 100%.
+        const fitnessStateMap = new Map();
+        try {
+            const { computeFitness } = await import('../engine/solution-fitness.js');
+            for (const r of computeFitness()) {
+                fitnessStateMap.set(r.solution, r.state);
+            }
+        }
+        catch (e) {
+            log.debug('fitness state load 실패 — default 0.3 적용', e);
+        }
+        function minRelevanceFor(name) {
+            const state = fitnessStateMap.get(name);
+            return (state === 'champion' || state === 'active')
+                ? MIN_INJECT_RELEVANCE_TRUSTED
+                : MIN_INJECT_RELEVANCE;
+        }
         let experimentCount = 0;
         const toInject = [];
         for (const sol of matches) {
             if (injected.has(sol.name))
                 continue;
+            if (sol.relevance < minRelevanceFor(sol.name))
+                continue;
+            const idMatches = sol.matchedIdentifiers?.length ?? 0;
+            const tagMatches = Math.max(0, sol.matchedTags.length - idMatches);
+            if (idMatches < 1 && tagMatches < 2)
+                continue;
             if (sol.status === 'experiment') {
                 if (experimentCount >= 1)
                     continue;

package/dist/mcp/solution-reader.d.ts

@@ -53,6 +53,8 @@ export interface SolutionDetail {
 }
 export interface SolutionStats {
     total: number;
+    retiredCount: number;
+    extractionPrecision: number | null;
     byStatus: Record<SolutionStatus, number>;
     byType: Record<SolutionType, number>;
     byScope: Record<'me' | 'team' | 'project' | 'universal', number>;

package/dist/mcp/solution-reader.js

@@ -18,7 +18,7 @@ import * as path from 'node:path';
 import { ME_SOLUTIONS, PACKS_DIR } from '../core/paths.js';
 import { logMatchDecision } from '../engine/match-eval-log.js';
 import { maskBlockedTokens } from '../engine/phrase-blocklist.js';
-import { expandCompoundTags, expandQueryBigrams, extractTags, parseSolutionV3, } from '../engine/solution-format.js';
+import { expandCompoundTags, expandQueryBigrams, extractTags, parseFrontmatterOnly, parseSolutionV3, } from '../engine/solution-format.js';
 import { getOrBuildIndex } from '../engine/solution-index.js';
 import { calculateRelevance, shouldRejectByR4T3Rules } from '../engine/solution-matcher.js';
 import { mutateSolutionFile } from '../engine/solution-writer.js';
@@ -257,8 +257,30 @@ export function readSolution(name, options) {
 export function getSolutionStats(options) {
     const dirs = options?.dirs ?? defaultSolutionDirs();
     const index = getOrBuildIndex(dirs);
+    // retired 카운트: 인덱스에서 제외되므로 디렉토리를 직접 스캔
+    let retiredCount = 0;
+    for (const { dir } of dirs) {
+        if (!fs.existsSync(dir))
+            continue;
+        try {
+            const files = fs.readdirSync(dir).filter((f) => f.endsWith('.md'));
+            for (const file of files) {
+                try {
+                    const content = fs.readFileSync(path.join(dir, file), 'utf-8');
+                    const fm = parseFrontmatterOnly(content);
+                    if (fm?.status === 'retired')
+                        retiredCount++;
+                }
+                catch { /* ignore */ }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // extractionPrecision: verified+mature / (total active + retired)
     const stats = {
         total: index.entries.length,
+        retiredCount,
+        extractionPrecision: null,
         // retired는 인덱스에서 제외되므로 항상 0 (solution-index.ts:73)
         byStatus: { experiment: 0, candidate: 0, verified: 0, mature: 0, retired: 0 },
         byType: {
@@ -279,5 +301,10 @@ export function getSolutionStats(options) {
         if (entry.scope in stats.byScope)
             stats.byScope[entry.scope]++;
     }
+    const highConfidence = stats.byStatus.verified + stats.byStatus.mature;
+    const denominator = index.entries.length + retiredCount;
+    if (denominator > 0) {
+        stats.extractionPrecision = Math.round((highConfidence / denominator) * 100);
+    }
     return stats;
 }

package/dist/mcp/tools.js

@@ -158,7 +158,10 @@ export function registerTools(server) {
             dirs: defaultSolutionDirs(getCwd()),
         });
         const lines = [
-            `Total solutions: ${stats.total}`,
+            `Total solutions: ${stats.total} active + ${stats.retiredCount} retired`,
+            stats.extractionPrecision !== null
+                ? `Extraction precision: ${stats.extractionPrecision}%`
+                : '',
             '',
             'By status:',
             ...Object.entries(stats.byStatus)
@@ -174,7 +177,7 @@ export function registerTools(server) {
             ...Object.entries(stats.byScope)
                 .filter(([, count]) => count > 0)
                 .map(([scope, count]) => `  ${scope}: ${count}`),
-        ];
+        ].filter((l) => l !== undefined);
         return {
             content: [{
                     type: 'text',

package/dist/preset/preset-manager.js

@@ -76,8 +76,18 @@ export function computeEffectiveTrust(desired, runtime) {
         };
     }
     if (runtimeRank > desiredRank) {
-        // runtime > desired → 조용히 진행, effective만 상향
-        return { effective: runtimeTrust, warning: null };
+        // runtime > desired → 에스컬레이션.
+        //
+        // Audit fix #3 (2026-04-21): 이전에는 `warning: null`로 조용히 진행했다.
+        // 사용자가 `가드레일 우선`을 선택했는데 runtime에서 `--dangerously-skip-
+        // permissions`가 주입되면 effective가 `완전 신뢰 실행`로 무경고 상승해
+        // audit 로그와 대시보드가 실제 실행 신뢰도와 어긋났다. 이제는 상승 이유를
+        // warning으로 반환해 session state에 기록하고 사용자에게 표시한다.
+        return {
+            effective: runtimeTrust,
+            warning: `Trust 상승: desired=${desired}, runtime=${runtimeTrust} (${runtime.permission_mode}) ` +
+                `— runtime 권한이 더 관대합니다. --dangerously-skip-permissions나 config가 이번 세션을 덮어썼습니다.`,
+        };
     }
     return { effective: desired, warning: null };
 }

package/dist/store/evidence-store.js

@@ -7,11 +7,11 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-import { V1_EVIDENCE_DIR } from '../core/paths.js';
+import { ME_BEHAVIOR } from '../core/paths.js';
 import { atomicWriteJSON, safeReadJSON } from '../hooks/shared/atomic-write.js';
 import { createRule, saveRule, loadActiveRules } from './rule-store.js';
 function evidencePath(evidenceId) {
-    return path.join(V1_EVIDENCE_DIR, `${evidenceId}.json`);
+    return path.join(ME_BEHAVIOR, `${evidenceId}.json`);
 }
 export function createEvidence(params) {
     return {
@@ -34,13 +34,13 @@ export function loadEvidence(evidenceId) {
     return safeReadJSON(evidencePath(evidenceId), null);
 }
 export function loadAllEvidence() {
-    if (!fs.existsSync(V1_EVIDENCE_DIR))
+    if (!fs.existsSync(ME_BEHAVIOR))
         return [];
     const items = [];
-    for (const file of fs.readdirSync(V1_EVIDENCE_DIR)) {
+    for (const file of fs.readdirSync(ME_BEHAVIOR)) {
         if (!file.endsWith('.json'))
             continue;
-        const ev = safeReadJSON(path.join(V1_EVIDENCE_DIR, file), null);
+        const ev = safeReadJSON(path.join(ME_BEHAVIOR, file), null);
         if (ev)
             items.push(ev);
     }

package/dist/store/profile-store.d.ts

@@ -7,6 +7,15 @@
 import type { Profile, QualityPack, AutonomyPack, JudgmentPack, CommunicationPack, TrustPolicy } from './types.js';
 export declare function createProfile(userId: string, qualityPack: QualityPack, autonomyPack: AutonomyPack, trustPolicy: TrustPolicy, trustSource: Profile['trust_preferences']['source'], judgmentPack?: JudgmentPack, communicationPack?: CommunicationPack): Profile;
 export declare function loadProfile(): Profile | null;
+export declare function loadProfileRaw(): unknown;
 export declare function saveProfile(profile: Profile): void;
+/**
+ * File existence probe. NOTE: this returns `true` even if the on-disk
+ * file is legacy/invalid — callers that need "valid v1 profile present"
+ * should combine this with `loadProfile() !== null`. The raw existence
+ * check is kept for bootstrap logic that explicitly differentiates
+ * "file exists but legacy" from "no file at all" (e.g. to decide
+ * whether to run `runLegacyCutover`).
+ */
 export declare function profileExists(): boolean;
 export declare function isV1Profile(data: unknown): data is Profile;

package/dist/store/profile-store.js

@@ -5,7 +5,7 @@
  * Authoritative schema: docs/plans/2026-04-03-forgen-data-model-storage-spec.md §2
  */
 import * as fs from 'node:fs';
-import { V1_PROFILE } from '../core/paths.js';
+import { FORGE_PROFILE } from '../core/paths.js';
 import { atomicWriteJSON, safeReadJSON } from '../hooks/shared/atomic-write.js';
 import { qualityCentroid, autonomyCentroid, judgmentCentroid, communicationCentroid, } from '../preset/facet-catalog.js';
 const MODEL_VERSION = '2.0';
@@ -36,14 +36,35 @@ export function createProfile(userId, qualityPack, autonomyPack, trustPolicy, tr
     };
 }
 export function loadProfile() {
-    return safeReadJSON(V1_PROFILE, null);
+    const raw = safeReadJSON(FORGE_PROFILE, null);
+    if (raw === null)
+        return null;
+    // Audit fix #6 (2026-04-21): 이전에는 disk 내용을 그대로 Profile로
+    // 타입 단언해 반환 → legacy-shaped JSON (model_version 없음 / 1.x / 잘못된 모양)
+    // 이 downstream으로 흘러들어가 facets/trust_preferences 접근 시 undefined
+    // 참조가 되었다. isV1Profile 가드를 통과한 경우에만 반환, 아니면 null로
+    // 취급하여 v1-bootstrap이 cutover 흐름을 재실행하게 한다.
+    if (!isV1Profile(raw))
+        return null;
+    return raw;
+}
+export function loadProfileRaw() {
+    return safeReadJSON(FORGE_PROFILE, null);
 }
 export function saveProfile(profile) {
     profile.metadata.updated_at = new Date().toISOString();
-    atomicWriteJSON(V1_PROFILE, profile, { pretty: true });
+    atomicWriteJSON(FORGE_PROFILE, profile, { pretty: true });
 }
+/**
+ * File existence probe. NOTE: this returns `true` even if the on-disk
+ * file is legacy/invalid — callers that need "valid v1 profile present"
+ * should combine this with `loadProfile() !== null`. The raw existence
+ * check is kept for bootstrap logic that explicitly differentiates
+ * "file exists but legacy" from "no file at all" (e.g. to decide
+ * whether to run `runLegacyCutover`).
+ */
 export function profileExists() {
-    return fs.existsSync(V1_PROFILE);
+    return fs.existsSync(FORGE_PROFILE);
 }
 export function isV1Profile(data) {
     if (!data || typeof data !== 'object')