npm - @wooojin/forgen - Versions diffs - 0.4.1 → 0.4.4 - Mend

@wooojin/forgen 0.4.1 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (151) hide show

package/.claude-plugin/plugin.json +5 -5
package/CHANGELOG.md +267 -15
package/CONTRIBUTING.md +2 -2
package/README.ja.md +17 -9
package/README.ko.md +34 -12
package/README.md +65 -12
package/README.zh.md +17 -9
package/assets/README.md +86 -0
package/assets/architecture.svg +100 -0
package/assets/banner.png +0 -0
package/assets/banner.svg +53 -0
package/{commands → assets/claude/commands}/calibrate.md +4 -3
package/{commands → assets/claude/commands}/retro.md +2 -2
package/assets/demo/01-install.gif +0 -0
package/assets/demo/01-install.tape +54 -0
package/assets/demo/02-compound-learning.gif +0 -0
package/assets/demo/02-compound-learning.tape +50 -0
package/assets/demo/03-forge-personalization.gif +0 -0
package/assets/demo/03-forge-personalization.tape +64 -0
package/assets/demo/before-after.gif +0 -0
package/assets/demo/before-after.tape +98 -0
package/assets/demo-preview.svg +96 -0
package/assets/icon.png +0 -0
package/{hooks → assets/shared}/hook-registry.json +2 -1
package/dist/checks/_shared/text-sanitizer.d.ts +21 -0
package/dist/checks/_shared/text-sanitizer.js +60 -0
package/dist/checks/dangerous-response-pattern.d.ts +32 -0
package/dist/checks/dangerous-response-pattern.js +65 -0
package/dist/checks/fact-vs-agreement.js +25 -1
package/dist/cli.js +78 -6
package/dist/core/auto-compound-runner.js +90 -39
package/dist/core/behavior-classifier.d.ts +28 -0
package/dist/core/behavior-classifier.js +46 -0
package/dist/core/dashboard.d.ts +7 -0
package/dist/core/dashboard.js +32 -0
package/dist/core/doctor.js +92 -0
package/dist/core/git-stats.d.ts +36 -0
package/dist/core/git-stats.js +79 -0
package/dist/core/harness.d.ts +1 -1
package/dist/core/harness.js +27 -20
package/dist/core/host-detect.d.ts +42 -0
package/dist/core/host-detect.js +68 -0
package/dist/core/installer.js +2 -2
package/dist/core/migrate-cli.d.ts +1 -0
package/dist/core/migrate-cli.js +19 -0
package/dist/core/migrate-evidence-host.d.ts +36 -0
package/dist/core/migrate-evidence-host.js +49 -0
package/dist/core/settings-injector.js +4 -2
package/dist/core/spawn.d.ts +1 -1
package/dist/core/spawn.js +4 -11
package/dist/core/stats-cli.js +12 -0
package/dist/core/trust-layer-intent.d.ts +35 -0
package/dist/core/trust-layer-intent.js +30 -0
package/dist/core/types.d.ts +1 -1
package/dist/engine/compound-extractor.js +7 -9
package/dist/engine/learn-cli.js +4 -2
package/dist/engine/lifecycle/bypass-detector.d.ts +6 -1
package/dist/engine/lifecycle/bypass-detector.js +57 -5
package/dist/fgx.js +2 -1
package/dist/forge/evidence-processor.js +12 -0
package/dist/forge/onboarding.d.ts +3 -2
package/dist/forge/onboarding.js +3 -2
package/dist/hooks/db-guard.js +3 -3
package/dist/hooks/forge-loop-progress.d.ts +9 -0
package/dist/hooks/forge-loop-progress.js +38 -0
package/dist/hooks/hook-registry.js +1 -1
package/dist/hooks/hooks-generator.d.ts +15 -1
package/dist/hooks/hooks-generator.js +18 -16
package/dist/hooks/keyword-detector.js +1 -1
package/dist/hooks/post-tool-use.d.ts +1 -1
package/dist/hooks/post-tool-use.js +13 -4
package/dist/hooks/pre-compact.js +1 -1
package/dist/hooks/pre-tool-use.js +4 -4
package/dist/hooks/rate-limiter.js +2 -2
package/dist/hooks/session-recovery.js +11 -0
package/dist/hooks/shared/blocking-allowlist.d.ts +28 -0
package/dist/hooks/shared/blocking-allowlist.js +38 -0
package/dist/hooks/shared/forge-loop-state.d.ts +36 -0
package/dist/hooks/shared/forge-loop-state.js +116 -0
package/dist/hooks/shared/hook-response.d.ts +18 -0
package/dist/hooks/shared/hook-response.js +31 -0
package/dist/hooks/skill-injector.js +1 -1
package/dist/hooks/stop-guard.js +57 -25
package/dist/host/capabilities-claude.d.ts +8 -0
package/dist/host/capabilities-claude.js +46 -0
package/dist/host/capabilities-codex.d.ts +11 -0
package/dist/host/capabilities-codex.js +50 -0
package/dist/host/capabilities-registry.d.ts +11 -0
package/dist/host/capabilities-registry.js +30 -0
package/dist/host/codex-adapter.d.ts +8 -5
package/dist/host/codex-adapter.js +10 -82
package/dist/host/codex-output-parser.d.ts +39 -0
package/dist/host/codex-output-parser.js +75 -0
package/dist/host/exec-host.d.ts +54 -0
package/dist/host/exec-host.js +92 -0
package/dist/host/host-runtime.d.ts +37 -0
package/dist/host/host-runtime.js +51 -0
package/dist/host/install-claude.d.ts +35 -0
package/dist/host/install-claude.js +238 -0
package/dist/host/install-codex.d.ts +44 -0
package/dist/host/install-codex.js +276 -0
package/dist/host/install-orchestrator.d.ts +34 -0
package/dist/host/install-orchestrator.js +126 -0
package/dist/host/invoke-agent.d.ts +27 -0
package/dist/host/invoke-agent.js +115 -0
package/dist/host/parity-harness.d.ts +62 -0
package/dist/host/parity-harness.js +283 -0
package/dist/host/projection.d.ts +35 -0
package/dist/host/projection.js +126 -0
package/dist/mcp/server.js +11 -0
package/dist/mcp/tools.js +51 -0
package/dist/renderer/rule-renderer.d.ts +1 -1
package/dist/renderer/rule-renderer.js +73 -1
package/dist/services/session.d.ts +6 -3
package/dist/services/session.js +33 -4
package/dist/store/compound-usage-store.d.ts +28 -0
package/dist/store/compound-usage-store.js +59 -0
package/dist/store/evidence-store.d.ts +1 -0
package/dist/store/evidence-store.js +34 -3
package/dist/store/host-mismatch.d.ts +42 -0
package/dist/store/host-mismatch.js +65 -0
package/dist/store/profile-store.d.ts +29 -0
package/dist/store/profile-store.js +53 -0
package/dist/store/types.d.ts +13 -0
package/hooks/hooks.json +6 -1
package/package.json +6 -4
package/plugin.json +4 -4
package/scripts/postinstall.js +100 -25
package/skills/calibrate/SKILL.md +4 -3
package/skills/retro/SKILL.md +2 -2
/package/{agents → assets/claude/agents}/analyst.md +0 -0
/package/{agents → assets/claude/agents}/architect.md +0 -0
/package/{agents → assets/claude/agents}/code-reviewer.md +0 -0
/package/{agents → assets/claude/agents}/critic.md +0 -0
/package/{agents → assets/claude/agents}/debugger.md +0 -0
/package/{agents → assets/claude/agents}/designer.md +0 -0
/package/{agents → assets/claude/agents}/executor.md +0 -0
/package/{agents → assets/claude/agents}/explore.md +0 -0
/package/{agents → assets/claude/agents}/git-master.md +0 -0
/package/{agents → assets/claude/agents}/planner.md +0 -0
/package/{agents → assets/claude/agents}/solution-evolver.md +0 -0
/package/{agents → assets/claude/agents}/test-engineer.md +0 -0
/package/{agents → assets/claude/agents}/verifier.md +0 -0
/package/{commands → assets/claude/commands}/architecture-decision.md +0 -0
/package/{commands → assets/claude/commands}/code-review.md +0 -0
/package/{commands → assets/claude/commands}/compound.md +0 -0
/package/{commands → assets/claude/commands}/deep-interview.md +0 -0
/package/{commands → assets/claude/commands}/docker.md +0 -0
/package/{commands → assets/claude/commands}/forge-loop.md +0 -0
/package/{commands → assets/claude/commands}/learn.md +0 -0
/package/{commands → assets/claude/commands}/ship.md +0 -0

package/dist/forge/onboarding.js CHANGED Viewed

@@ -1,8 +1,9 @@
 /**
  * Forgen v1 — Onboarding
  *
- * 2문항 온보딩, 점수 계산, pack 추천.
- * Authoritative spec: docs/plans/2026-04-03-forgen-onboarding-adaptation-spec.md §3-4
+ * 4문항 온보딩 (quality / autonomy / judgment / communication 4축), 점수 계산, pack 추천.
+ * Authoritative spec: docs/history/2026-04-03-tenetx-onboarding-adaptation-spec.md
+ *   (spec §3 은 v0.1 시점 2문항 기준 — v0.4 부터 4문항으로 확장됨, src/forge/onboarding-cli.ts:69-75 참조)
  */
 import { createRecommendation } from '../store/recommendation-store.js';
 // 질문 1: 애매한 구현 요청 + 인접 영향 가능성

package/dist/hooks/db-guard.js CHANGED Viewed

@@ -9,7 +9,7 @@ import * as path from 'node:path';
 import { readStdinJSON } from './shared/read-stdin.js';
 import { atomicWriteJSON } from './shared/atomic-write.js';
 import { isHookEnabled } from './hook-config.js';
-import { approve, approveWithWarning, deny, failOpenWithTracking } from './shared/hook-response.js';
+import { approve, approveWithWarning, denyOrObserve, failOpenWithTracking } from './shared/hook-response.js';
 import { STATE_DIR } from '../core/paths.js';
 import { preprocessForMatch } from './shared/command-parser.js';
 const FAIL_COUNTER_PATH = path.join(STATE_DIR, 'db-guard-fail-counter.json');
@@ -89,7 +89,7 @@ async function main() {
     if (!data) {
         const failCount = getAndIncrementFailCount();
         if (failCount >= FAIL_CLOSE_THRESHOLD) {
-            console.log(deny(`[Forgen] DB Guard: stdin parse failed ${failCount} consecutive times — blocking for safety.`));
+            console.log(denyOrObserve('db-guard', `[Forgen] DB Guard: stdin parse failed ${failCount} consecutive times — blocking for safety.`));
         }
         else {
             process.stderr.write(`[ch-hook] db-guard stdin parse failed (${failCount}/${FAIL_CLOSE_THRESHOLD})\n`);
@@ -106,7 +106,7 @@ async function main() {
     const toolInput = data.tool_input ?? data.toolInput ?? {};
     const check = checkDangerousSql(toolName, toolInput);
     if (check.action === 'block') {
-        console.log(deny(`[Forgen] Dangerous SQL blocked: ${check.description}`));
+        console.log(denyOrObserve('db-guard', `[Forgen] Dangerous SQL blocked: ${check.description}`));
         return;
     }
     if (check.action === 'warn') {

package/dist/hooks/forge-loop-progress.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * Forgen — Forge Loop Progress Injector
+ *
+ * Claude Code UserPromptSubmit 훅. forge-loop active=true 인 동안 매 프롬프트
+ * 마다 진행 상황(N/M, next story)을 컨텍스트에 inject 한다. RC6 가드의 두 번째
+ * 축 — 세션 도중에도 forge-loop 가 컨텍스트에서 사라지지 않게 함.
+ */
+export {};

package/dist/hooks/forge-loop-progress.js ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+/**
+ * Forgen — Forge Loop Progress Injector
+ *
+ * Claude Code UserPromptSubmit 훅. forge-loop active=true 인 동안 매 프롬프트
+ * 마다 진행 상황(N/M, next story)을 컨텍스트에 inject 한다. RC6 가드의 두 번째
+ * 축 — 세션 도중에도 forge-loop 가 컨텍스트에서 사라지지 않게 함.
+ */
+import { readStdinJSON } from './shared/read-stdin.js';
+import { isHookEnabled } from './hook-config.js';
+import { approve, approveWithContext, failOpenWithTracking } from './shared/hook-response.js';
+import { recordHookTiming } from './shared/hook-timing.js';
+import { readForgeLoopState, renderForgeLoopForPrompt } from './shared/forge-loop-state.js';
+import { createLogger } from '../core/logger.js';
+const log = createLogger('forge-loop-progress');
+async function main() {
+    const _hookStart = Date.now();
+    try {
+        await readStdinJSON().catch((e) => { log.debug('stdin read failed', e); return null; });
+        if (!isHookEnabled('forge-loop-progress')) {
+            console.log(approve());
+            return;
+        }
+        const block = renderForgeLoopForPrompt(readForgeLoopState());
+        if (!block) {
+            console.log(approve());
+            return;
+        }
+        console.log(approveWithContext(block, 'UserPromptSubmit'));
+    }
+    finally {
+        recordHookTiming('forge-loop-progress', Date.now() - _hookStart, 'UserPromptSubmit');
+    }
+}
+main().catch((e) => {
+    process.stderr.write(`[ch-hook] forge-loop-progress: ${e instanceof Error ? e.message : String(e)}\n`);
+    console.log(failOpenWithTracking('forge-loop-progress', e));
+});

package/dist/hooks/hook-registry.js CHANGED Viewed

@@ -20,7 +20,7 @@ const require = createRequire(import.meta.url);
  *     (Code Reflection + permission hints 주입 타이밍)
  *   - 같은 이벤트 내 훅은 배열 순서대로 실행됨
  */
-import registryData from '../../hooks/hook-registry.json' with { type: 'json' };
+import registryData from '../../assets/shared/hook-registry.json' with { type: 'json' };
 export const HOOK_REGISTRY = registryData;
 /** 티어별 훅 목록 조회 */
 export function getHooksByTier(tier) {

package/dist/hooks/hooks-generator.d.ts CHANGED Viewed

@@ -9,7 +9,7 @@
  *   - forgen config hooks (사용자 설정 변경 후)
  *   - forgen install (플러그인 설치 후)
  */
-import { type RuntimeHost } from '../core/types.js';
+import type { RuntimeHost } from '../core/types.js';
 interface HookCommand {
     type: 'command';
     command: string;
@@ -30,6 +30,12 @@ interface GenerateOptions {
     pluginRoot?: string;
     /** 런타임 (claude|codex) */
     runtime?: RuntimeHost;
+    /**
+     * 환경 독립 산출물 모드 (W4, 2026-04-27).
+     * true 시 plugin 감지 + hook-config 비활성화 모두 건너뛰어 모든 hook 이 active.
+     * 배포(prepack), 테스트 결정론, runtime 환경 분리에 사용.
+     */
+    releaseMode?: boolean;
 }
 /**
  * 활성 훅만 포함한 hooks.json 객체를 생성합니다.
@@ -39,6 +45,14 @@ interface GenerateOptions {
  *   2. 충돌 훅 식별
  *   3. hook-config.json 설정 적용
  *   4. 활성 훅만 hooks.json 구조로 변환
+ *
+ * releaseMode: 환경 독립 산출물 모드 (W4, 2026-04-27).
+ *   - true 시 plugin 감지를 건너뛰고, hook-config.json 의 사용자 비활성화도 무시한다.
+ *   - 결과는 항상 모든 hook active — 배포 산출물 결정론화 + 테스트 안정화.
+ *   - prepack-hooks.cjs 는 이미 HOME swap 으로 같은 효과를 내지만, 본 옵션은
+ *     명시적 API 로 동일 보장을 제공해 테스트가 환경 독립 검증 가능.
+ *   - 자기증거: 본 세션이 사용자 HOME 에서 19/21 active 산출물을 받아 우회한
+ *     사례 — docs/issues/W4-W5-self-evidence.md 박제.
  */
 export declare function generateHooksJson(options?: GenerateOptions): HooksJson;
 /**

package/dist/hooks/hooks-generator.js CHANGED Viewed

@@ -14,6 +14,7 @@ import * as path from 'node:path';
 import { HOOK_REGISTRY } from './hook-registry.js';
 import { isHookEnabled } from './hook-config.js';
 import { detectInstalledPlugins, getHookConflicts } from '../core/plugin-detector.js';
+import { getHostRuntime } from '../host/host-runtime.js';
 function splitCommand(raw) {
     const tokens = raw.match(/"([^"]+)"|\S+/g) ?? [];
     const unquoted = tokens.map(token => token.replace(/^"/, '').replace(/"$/, ''));
@@ -24,16 +25,9 @@ function quoteArg(raw) {
 }
 function buildHookCommand(pluginRoot, rawScript, runtime) {
     const { script, args } = splitCommand(rawScript);
-    const scriptPath = `${pluginRoot}/${script}`;
     const quotedArgs = args.map(quoteArg).join(' ');
-    if (runtime === 'codex') {
-        const adapterPath = `${pluginRoot}/host/codex-adapter.js`;
-        const baseCommand = `node ${quoteArg(adapterPath)} ${quoteArg(scriptPath)}`;
-        return `${baseCommand}${quotedArgs ? ` ${quotedArgs}` : ''}`;
-    }
-    return quotedArgs
-        ? `node ${quoteArg(scriptPath)} ${quotedArgs}`
-        : `node ${quoteArg(scriptPath)}`;
+    // Phase 2: host-runtime 위임 — Codex 표면 (codex-adapter 경유) 을 core 가 모르도록.
+    return getHostRuntime(runtime).wrapHookCommand(pluginRoot, script, quotedArgs);
 }
 /**
  * 활성 훅만 포함한 hooks.json 객체를 생성합니다.
@@ -43,23 +37,31 @@ function buildHookCommand(pluginRoot, rawScript, runtime) {
  *   2. 충돌 훅 식별
  *   3. hook-config.json 설정 적용
  *   4. 활성 훅만 hooks.json 구조로 변환
+ *
+ * releaseMode: 환경 독립 산출물 모드 (W4, 2026-04-27).
+ *   - true 시 plugin 감지를 건너뛰고, hook-config.json 의 사용자 비활성화도 무시한다.
+ *   - 결과는 항상 모든 hook active — 배포 산출물 결정론화 + 테스트 안정화.
+ *   - prepack-hooks.cjs 는 이미 HOME swap 으로 같은 효과를 내지만, 본 옵션은
+ *     명시적 API 로 동일 보장을 제공해 테스트가 환경 독립 검증 가능.
+ *   - 자기증거: 본 세션이 사용자 HOME 에서 19/21 active 산출물을 받아 우회한
+ *     사례 — docs/issues/W4-W5-self-evidence.md 박제.
  */
 export function generateHooksJson(options) {
     const cwd = options?.cwd;
+    const releaseMode = options?.releaseMode ?? false;
     // biome-ignore lint/suspicious/noTemplateCurlyInString: CLAUDE_PLUGIN_ROOT is a Claude Code Plugin SDK variable resolved at runtime
     const pluginRoot = options?.pluginRoot ?? '${CLAUDE_PLUGIN_ROOT}/dist';
     const runtime = options?.runtime ?? 'claude';
-    // 다른 플러그인의 충돌 훅 감지
-    const hookConflicts = getHookConflicts(cwd);
-    const detectedPlugins = detectInstalledPlugins(cwd);
-    const hasOtherPlugins = detectedPlugins.length > 0;
+    // 다른 플러그인의 충돌 훅 감지 — releaseMode 시 건너뜀
+    const hookConflicts = releaseMode ? new Set() : getHookConflicts(cwd);
+    const hasOtherPlugins = !releaseMode && detectInstalledPlugins(cwd).length > 0;
     // 활성 훅 필터링
     const activeHooks = HOOK_REGISTRY.filter(hook => {
-        // 1) hook-config.json에서 명시적 비활성화
-        if (!isHookEnabled(hook.name))
+        // 1) hook-config.json에서 명시적 비활성화 (releaseMode 시 무시)
+        if (!releaseMode && !isHookEnabled(hook.name))
             return false;
         // 2) 다른 플러그인과 충돌하는 workflow 훅은 자동 비활성
-        //    (단, compound-critical 훅은 항상 유지)
+        //    (단, compound-critical 훅은 항상 유지. releaseMode 면 분기 조건이 false)
         if (hasOtherPlugins && hook.tier === 'workflow' && hookConflicts.has(hook.name) && !hook.compoundCritical) {
             return false;
         }

package/dist/hooks/keyword-detector.js CHANGED Viewed

@@ -106,7 +106,7 @@ function loadSkillContent(skillName) {
     // 글로벌 스킬 경로
     searchPaths.push(path.join(FORGEN_HOME, 'skills', `${skillName}.md`));
     // forgen 패키지 내장 스킬
-    const pkgSkillPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..', 'commands', `${skillName}.md`);
+    const pkgSkillPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..', 'assets', 'claude', 'commands', `${skillName}.md`);
     searchPaths.push(pkgSkillPath);
     for (const p of searchPaths) {
         if (fs.existsSync(p)) {

package/dist/hooks/post-tool-use.d.ts CHANGED Viewed

@@ -38,7 +38,7 @@ export interface AgentValidationResult {
     severity: 'info' | 'warning' | 'error';
     message: string;
 }
-export declare function validateAgentOutput(toolResponse: string): AgentValidationResult | null;
+export declare function validateAgentOutput(toolResponse: unknown): AgentValidationResult | null;
 export declare function trackModifiedFile(state: ModifiedFilesState, filePath: string, toolName: string): {
     state: ModifiedFilesState;
     count: number;

package/dist/hooks/post-tool-use.js CHANGED Viewed

@@ -75,15 +75,21 @@ const AGENT_QUALITY_PATTERNS = [
     { pattern: /(?:context (?:window|limit) (?:exceeded|reached)|too (?:large|long) to (?:read|process))/i, signal: 'agent_context_overflow', severity: 'warning', message: 'Agent hit context limits — output may be incomplete' },
 ];
 export function validateAgentOutput(toolResponse) {
-    if (!toolResponse || toolResponse.trim().length < AGENT_MIN_OUTPUT_LENGTH) {
+    // tool_response 는 string / object / array 모두 가능. main() 측에서 stringify 를 한 번 더
+    // 하지만 직접 호출 보호 (defense in depth).
+    if (typeof toolResponse !== 'string') {
+        toolResponse = toolResponse == null ? '' : JSON.stringify(toolResponse);
+    }
+    const r = toolResponse;
+    if (!r || r.trim().length < AGENT_MIN_OUTPUT_LENGTH) {
         return {
             signal: 'agent_empty_output',
             severity: 'warning',
-            message: `Agent returned minimal output (${toolResponse?.trim().length ?? 0} chars). Verify the result is usable.`,
+            message: `Agent returned minimal output (${r.trim().length} chars). Verify the result is usable.`,
         };
     }
     for (const p of AGENT_QUALITY_PATTERNS) {
-        if (p.pattern.test(toolResponse)) {
+        if (p.pattern.test(r)) {
             return { signal: p.signal, severity: p.severity, message: p.message };
         }
     }
@@ -114,7 +120,10 @@ async function main() {
         }
         const toolName = data.tool_name ?? data.toolName ?? '';
         const toolInput = data.tool_input ?? data.toolInput ?? {};
-        const toolResponse = data.tool_response ?? data.toolOutput ?? '';
+        // tool_response 는 string / object / array 모두 가능 (sub-agent 결과는 object 가 흔함).
+        // 모든 downstream 이 string 가정이라 stringify 로 normalize. 회귀 박제: tests/hooks/post-tool-use.test.ts
+        const rawResponse = data.tool_response ?? data.toolOutput ?? '';
+        const toolResponse = typeof rawResponse === 'string' ? rawResponse : JSON.stringify(rawResponse);
         const sessionId = data.session_id ?? 'default';
         const modState = loadModifiedFiles(sessionId);
         modState.toolCallCount = (modState.toolCallCount ?? 0) + 1;

package/dist/hooks/pre-compact.js CHANGED Viewed

@@ -74,7 +74,7 @@ export function buildSessionBrief(sessionId) {
     }
     catch { /* fail-open */ }
     // solutionsInjected: read injection-cache-*.json files, collect solutions[].name
-    let solutionsInjected = [];
+    const solutionsInjected = [];
     try {
         if (fs.existsSync(STATE_DIR)) {
             for (const f of fs.readdirSync(STATE_DIR)) {

package/dist/hooks/pre-tool-use.js CHANGED Viewed

@@ -19,7 +19,7 @@ import { sanitizeId } from './shared/sanitize-id.js';
 import { incrementEvidence } from '../engine/solution-writer.js';
 import { isReflectionCandidate } from './compound-reflection.js';
 import { isHookEnabled } from './hook-config.js';
-import { approve, approveWithWarning, deny, failOpenWithTracking } from './shared/hook-response.js';
+import { approve, approveWithWarning, denyOrObserve, failOpenWithTracking } from './shared/hook-response.js';
 import { FORGEN_HOME, STATE_DIR } from '../core/paths.js';
 import { recordHookTiming } from './shared/hook-timing.js';
 import { maskQuotedContent } from './shared/command-parser.js';
@@ -305,7 +305,7 @@ async function main() {
             // for `forgen doctor` / log inspection. Mirrors `db-guard.ts:85-96`.
             const failCount = getAndIncrementFailCount();
             if (failCount >= FAIL_CLOSE_THRESHOLD) {
-                console.log(deny(`[Forgen] PreToolUse: stdin parse failed ${failCount} consecutive times — blocking for safety.`));
+                console.log(denyOrObserve('pre-tool-use', `[Forgen] PreToolUse: stdin parse failed ${failCount} consecutive times — blocking for safety.`));
             }
             else {
                 process.stderr.write(`[ch-hook] pre-tool-use stdin parse failed (${failCount}/${FAIL_CLOSE_THRESHOLD})\n`);
@@ -366,7 +366,7 @@ async function main() {
                         const baseMsg = spec.block_message ?? `[${rule.rule_id}] policy violation: ${rule.policy.slice(0, 120)}`;
                         // G8: override 힌트 — FORGEN_USER_CONFIRMED=1 으로 사용자 명시 승인 가능, 감사 로그 기록됨.
                         const msgWithHint = `${baseMsg}\n\n(override: set FORGEN_USER_CONFIRMED=1 (bypass will be audited in violations.jsonl))`;
-                        console.log(deny(msgWithHint));
+                        console.log(denyOrObserve('pre-tool-use', msgWithHint));
                         return;
                     }
                     if (requiresFlag && confirmed) {
@@ -388,7 +388,7 @@ async function main() {
         // Bash 도구: 위험 명령어 감지 (빌트인 safety net)
         const check = checkDangerousCommand(toolName, toolInput);
         if (check.action === 'block') {
-            console.log(deny(`[Forgen] Dangerous command blocked: ${check.description}\nCommand: ${check.command}`));
+            console.log(denyOrObserve('pre-tool-use', `[Forgen] Dangerous command blocked: ${check.description}\nCommand: ${check.command}`));
             return;
         }
         if (check.action === 'warn') {

package/dist/hooks/rate-limiter.js CHANGED Viewed

@@ -10,7 +10,7 @@ import * as path from 'node:path';
 import { readStdinJSON } from './shared/read-stdin.js';
 import { atomicWriteJSON } from './shared/atomic-write.js';
 import { isHookEnabled } from './hook-config.js';
-import { approve, deny, failOpenWithTracking } from './shared/hook-response.js';
+import { approve, denyOrObserve, failOpenWithTracking } from './shared/hook-response.js';
 import { STATE_DIR } from '../core/paths.js';
 const RATE_LIMIT_PATH = path.join(STATE_DIR, 'rate-limit.json');
 const DEFAULT_LIMIT = 30; // calls per minute
@@ -75,7 +75,7 @@ async function main() {
         saveRateLimitState(updatedState);
     }
     if (exceeded) {
-        console.log(deny(`[Forgen] Rate limit exceeded (${count}/${DEFAULT_LIMIT}/min). Wait before retrying.`));
+        console.log(denyOrObserve('rate-limiter', `[Forgen] Rate limit exceeded (${count}/${DEFAULT_LIMIT}/min). Wait before retrying.`));
         return;
     }
     console.log(approve());

package/dist/hooks/session-recovery.js CHANGED Viewed

@@ -320,6 +320,17 @@ async function main() {
             }
         }
         catch { /* fail-open */ }
+        // US-M1 (RC6 가드): 직전 forge-loop findings 또는 진행 중 stories 자동 inject.
+        // 본 세션 자기증거 — head -80 truncation 으로 findings 누락 → 같은 가설 재발.
+        try {
+            const { readForgeLoopState, renderForgeLoopForSession } = await import('./shared/forge-loop-state.js');
+            const block = renderForgeLoopForSession(readForgeLoopState());
+            if (block)
+                recoveryMessages.push(block);
+        }
+        catch (e) {
+            log.debug('forge-loop findings inject 실패', e);
+        }
         const sessionId = sessionContext.sessionId;
         // 이전 세션 자동 compound (fire-and-forget)
         // /new로 세션 리셋 시 SessionStart가 다시 호출됨 — 이때 이전 transcript를 compound

package/dist/hooks/shared/blocking-allowlist.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Blocking ALLOW-LIST — P3' (2026-04-27)
+ *
+ * 사용자 작업을 차단(block)할 권한을 가진 hook 의 명시적 화이트리스트.
+ * 목록 외 hook 의 부정적 판정은 "관찰 신호"(log only) 로만 처리되어야 한다.
+ *
+ * RC5 (retro-v040): 분산된 detector 가 각자 block 결정을 내리면서 false-positive
+ * 가 메인 로직 흐름까지 차단하는 회귀 패턴 발생. ALLOW-LIST 명시화로 차단 권한
+ * 의 source-of-truth 를 단일화.
+ *
+ * v0.4.2 정책:
+ *   - 본 모듈은 ALLOW-LIST 정의 + 검증 helper. 기존 deny() 직접 호출 hook 들은
+ *     v0.4.2 에서 denyOrObserve(name, reason) 로 마이그레이션 완료.
+ *   - 신규 hook 추가 시 차단 권한이 필요하면 본 ALLOW-LIST 에 추가 + 본 파일의
+ *     사유 문서화 의무. 본 commit diff 가 review 필수 항목.
+ *
+ * 멤버 사유:
+ *   - stop-guard: Stop hook — false-completion 메타 가드 (자가 검증 강제)
+ *   - pre-tool-use: Bash dangerous-pattern + 수동 confirm 가드
+ *   - secret-filter: Write/Edit 결과의 .env / API key 노출 차단
+ *   - db-guard: Bash 의 destructive DB 명령 (DROP/TRUNCATE/DELETE) 차단
+ *   - rate-limiter: 사용자 작업 빈도 임계 초과 시 cool-down 차단 (resource abuse 방어)
+ */
+export declare const BLOCKING_ALLOWLIST: ReadonlySet<string>;
+/** hook 이 block 결정을 출력할 권한이 있는지. */
+export declare function canBlock(hookName: string): boolean;
+/** ALLOW-LIST 에 추가하려는 hook 이 정책 문서화를 요구하는지 (lint helper). */
+export declare function requiresPolicyDoc(hookName: string): boolean;

package/dist/hooks/shared/blocking-allowlist.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Blocking ALLOW-LIST — P3' (2026-04-27)
+ *
+ * 사용자 작업을 차단(block)할 권한을 가진 hook 의 명시적 화이트리스트.
+ * 목록 외 hook 의 부정적 판정은 "관찰 신호"(log only) 로만 처리되어야 한다.
+ *
+ * RC5 (retro-v040): 분산된 detector 가 각자 block 결정을 내리면서 false-positive
+ * 가 메인 로직 흐름까지 차단하는 회귀 패턴 발생. ALLOW-LIST 명시화로 차단 권한
+ * 의 source-of-truth 를 단일화.
+ *
+ * v0.4.2 정책:
+ *   - 본 모듈은 ALLOW-LIST 정의 + 검증 helper. 기존 deny() 직접 호출 hook 들은
+ *     v0.4.2 에서 denyOrObserve(name, reason) 로 마이그레이션 완료.
+ *   - 신규 hook 추가 시 차단 권한이 필요하면 본 ALLOW-LIST 에 추가 + 본 파일의
+ *     사유 문서화 의무. 본 commit diff 가 review 필수 항목.
+ *
+ * 멤버 사유:
+ *   - stop-guard: Stop hook — false-completion 메타 가드 (자가 검증 강제)
+ *   - pre-tool-use: Bash dangerous-pattern + 수동 confirm 가드
+ *   - secret-filter: Write/Edit 결과의 .env / API key 노출 차단
+ *   - db-guard: Bash 의 destructive DB 명령 (DROP/TRUNCATE/DELETE) 차단
+ *   - rate-limiter: 사용자 작업 빈도 임계 초과 시 cool-down 차단 (resource abuse 방어)
+ */
+export const BLOCKING_ALLOWLIST = new Set([
+    'stop-guard',
+    'pre-tool-use',
+    'secret-filter',
+    'db-guard',
+    'rate-limiter',
+]);
+/** hook 이 block 결정을 출력할 권한이 있는지. */
+export function canBlock(hookName) {
+    return BLOCKING_ALLOWLIST.has(hookName);
+}
+/** ALLOW-LIST 에 추가하려는 hook 이 정책 문서화를 요구하는지 (lint helper). */
+export function requiresPolicyDoc(hookName) {
+    return !BLOCKING_ALLOWLIST.has(hookName);
+}

package/dist/hooks/shared/forge-loop-state.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Forge Loop State — RC6 가드 (US-M1)
+ *
+ * 직전 forge-loop 의 findings 또는 진행 중 stories 를 ≤1KB 요약으로 렌더한다.
+ * SessionStart 와 UserPromptSubmit 두 hook 이 공유하는 단일 진입점.
+ *
+ * RC6 자기증거: 본 세션 R1 에서 head -80 으로 forge-loop.json 을 읽어 findings
+ * 8줄(line 92~99)이 잘렸음. 결과적으로 직전 결론을 컨텍스트에 못 가져 같은
+ * 가설을 재발. 이 모듈은 그 회귀를 시스템 레벨에서 차단한다.
+ */
+interface ForgeLoopStory {
+    id: string;
+    title: string;
+    passes?: boolean;
+}
+export interface ForgeLoopState {
+    active?: boolean;
+    task?: string;
+    startedAt?: string;
+    completedAt?: string;
+    stories?: ForgeLoopStory[];
+    findings?: Record<string, string>;
+}
+export declare function readForgeLoopState(filePath?: string): ForgeLoopState | null;
+/** SessionStart 용 — 완료된 forge-loop 의 findings 또는 진행 중 stories 요약. */
+export declare function renderForgeLoopForSession(state: ForgeLoopState | null, now?: number): string | null;
+/** UserPromptSubmit 용 — active=true 시에만 짧은 진행 상황 1~2줄. */
+export declare function renderForgeLoopForPrompt(state: ForgeLoopState | null, now?: number): string | null;
+/** 테스트 노출용 상수 — 회귀 시 임계값 변경 즉시 감지. */
+export declare const FORGE_LOOP_LIMITS: {
+    readonly SOFT_STALE_MS: number;
+    readonly HARD_STALE_MS: number;
+    readonly MAX_INJECT_BYTES: 1024;
+    readonly MAX_PENDING: 5;
+};
+export {};

package/dist/hooks/shared/forge-loop-state.js ADDED Viewed

@@ -0,0 +1,116 @@
+/**
+ * Forge Loop State — RC6 가드 (US-M1)
+ *
+ * 직전 forge-loop 의 findings 또는 진행 중 stories 를 ≤1KB 요약으로 렌더한다.
+ * SessionStart 와 UserPromptSubmit 두 hook 이 공유하는 단일 진입점.
+ *
+ * RC6 자기증거: 본 세션 R1 에서 head -80 으로 forge-loop.json 을 읽어 findings
+ * 8줄(line 92~99)이 잘렸음. 결과적으로 직전 결론을 컨텍스트에 못 가져 같은
+ * 가설을 재발. 이 모듈은 그 회귀를 시스템 레벨에서 차단한다.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { STATE_DIR } from '../../core/paths.js';
+const FORGE_LOOP_PATH = path.join(STATE_DIR, 'forge-loop.json');
+const SOFT_STALE_MS = 24 * 60 * 60 * 1000;
+const HARD_STALE_MS = 7 * 24 * 60 * 60 * 1000;
+const MAX_INJECT_BYTES = 1024;
+const MAX_TASK_CHARS = 240;
+const MAX_FINDING_CHARS = 240;
+const MAX_PENDING = 5;
+export function readForgeLoopState(filePath = FORGE_LOOP_PATH) {
+    try {
+        if (!fs.existsSync(filePath))
+            return null;
+        const raw = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+        if (typeof raw !== 'object' || raw === null)
+            return null;
+        return raw;
+    }
+    catch {
+        return null;
+    }
+}
+function ageMs(state, now = Date.now()) {
+    const ts = state.completedAt ?? state.startedAt;
+    if (!ts)
+        return Number.POSITIVE_INFINITY;
+    const t = new Date(ts).getTime();
+    if (Number.isNaN(t))
+        return Number.POSITIVE_INFINITY;
+    return now - t;
+}
+function clipBlock(block) {
+    if (block.length <= MAX_INJECT_BYTES)
+        return block;
+    return `${block.slice(0, MAX_INJECT_BYTES - 3)}...`;
+}
+function escXml(s) {
+    return s.replace(/[<>&"]/g, c => ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' })[c] ?? c);
+}
+/** SessionStart 용 — 완료된 forge-loop 의 findings 또는 진행 중 stories 요약. */
+export function renderForgeLoopForSession(state, now = Date.now()) {
+    if (!state)
+        return null;
+    const age = ageMs(state, now);
+    if (age > HARD_STALE_MS)
+        return null;
+    const stale = age > SOFT_STALE_MS;
+    const lines = [];
+    const task = String(state.task ?? '').trim();
+    if (task)
+        lines.push(`Task: ${escXml(task.slice(0, MAX_TASK_CHARS))}`);
+    if (state.active && Array.isArray(state.stories)) {
+        const total = state.stories.length;
+        const done = state.stories.filter(s => s?.passes).length;
+        lines.push(`Status: in-progress ${done}/${total}${stale ? ' (stale)' : ''}`);
+        const pending = state.stories
+            .filter(s => !s?.passes)
+            .slice(0, MAX_PENDING)
+            .map(s => `- ${escXml(String(s.id))}: ${escXml(String(s.title))}`);
+        if (pending.length) {
+            lines.push('Pending:');
+            lines.push(...pending);
+        }
+    }
+    else if (state.findings && typeof state.findings === 'object') {
+        lines.push(`Status: completed${stale ? ' (stale)' : ''}`);
+        for (const [id, val] of Object.entries(state.findings)) {
+            const text = String(val ?? '').slice(0, MAX_FINDING_CHARS);
+            if (text)
+                lines.push(`- ${escXml(id)}: ${escXml(text)}`);
+        }
+    }
+    else {
+        return null;
+    }
+    if (lines.length === 0)
+        return null;
+    const tag = stale ? '<forge-loop-state stale="true">' : '<forge-loop-state>';
+    const body = lines.join('\n');
+    return clipBlock(`${tag}\n${body}\n</forge-loop-state>`);
+}
+/** UserPromptSubmit 용 — active=true 시에만 짧은 진행 상황 1~2줄. */
+export function renderForgeLoopForPrompt(state, now = Date.now()) {
+    if (!state || !state.active || !Array.isArray(state.stories))
+        return null;
+    const age = ageMs(state, now);
+    if (age > HARD_STALE_MS)
+        return null;
+    const total = state.stories.length;
+    const done = state.stories.filter(s => s?.passes).length;
+    const next = state.stories.find(s => !s?.passes);
+    if (!next)
+        return null;
+    const stale = age > SOFT_STALE_MS;
+    const tag = stale ? '<forge-loop-active stale="true">' : '<forge-loop-active>';
+    const body = `Progress: ${done}/${total} | next: ${escXml(String(next.id))} ${escXml(String(next.title))}`;
+    return clipBlock(`${tag}\n${body}\n</forge-loop-active>`);
+}
+/** 테스트 노출용 상수 — 회귀 시 임계값 변경 즉시 감지. */
+export const FORGE_LOOP_LIMITS = {
+    SOFT_STALE_MS,
+    HARD_STALE_MS,
+    MAX_INJECT_BYTES,
+    MAX_PENDING,
+};

package/dist/hooks/shared/hook-response.d.ts CHANGED Viewed

@@ -34,6 +34,24 @@ export declare function approveWithWarning(warning: string): string;
 export declare function deny(reason: string): string;
 /** 사용자 확인 요청 (PreToolUse 전용) */
 export declare function ask(reason: string): string;
+/**
+ * P3' enforcement helper (2026-04-27)
+ *
+ * ALLOW-LIST 에 있는 hook 만 진짜 deny — 아닌 경우 approve + 관찰 신호로 강등.
+ *
+ * 사용:
+ * ```ts
+ * import { canBlock } from './blocking-allowlist.js';
+ * if (someCondition) {
+ *   console.log(blockOrObserve(hookName, 'reason', logCallback));
+ *   return;
+ * }
+ * ```
+ *
+ * 점진 마이그레이션 — 본 helper 를 새로 사용하는 hook 은 ALLOW-LIST 외라면
+ * 자동 관찰 모드로 작동. 기존 hook 들은 별도 PR 에서 마이그레이션.
+ */
+export declare function denyOrObserve(hookName: string, reason: string, observer?: (msg: string) => void): string;
 /**
  * Stop hook only — block the agent from stopping and feed a self-check
  * question back to Claude so the current session resumes with new guidance.

package/dist/hooks/shared/hook-response.js CHANGED Viewed

@@ -16,6 +16,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { STATE_DIR } from '../../core/paths.js';
+import { canBlock } from './blocking-allowlist.js';
 /** 통과 응답 (컨텍스트 없음, 모든 이벤트 공통) */
 export function approve() {
     return JSON.stringify({ continue: true });
@@ -65,6 +66,36 @@ export function ask(reason) {
         },
     });
 }
+/**
+ * P3' enforcement helper (2026-04-27)
+ *
+ * ALLOW-LIST 에 있는 hook 만 진짜 deny — 아닌 경우 approve + 관찰 신호로 강등.
+ *
+ * 사용:
+ * ```ts
+ * import { canBlock } from './blocking-allowlist.js';
+ * if (someCondition) {
+ *   console.log(blockOrObserve(hookName, 'reason', logCallback));
+ *   return;
+ * }
+ * ```
+ *
+ * 점진 마이그레이션 — 본 helper 를 새로 사용하는 hook 은 ALLOW-LIST 외라면
+ * 자동 관찰 모드로 작동. 기존 hook 들은 별도 PR 에서 마이그레이션.
+ */
+export function denyOrObserve(hookName, reason, observer) {
+    if (canBlock(hookName)) {
+        return deny(reason);
+    }
+    // ALLOW-LIST 외 — log only, approve
+    if (observer) {
+        try {
+            observer(`[${hookName}] would-deny (observe-only): ${reason}`);
+        }
+        catch { /* fail-open */ }
+    }
+    return approve();
+}
 /**
  * Stop hook only — block the agent from stopping and feed a self-check
  * question back to Claude so the current session resumes with new guidance.

package/dist/hooks/skill-injector.js CHANGED Viewed

@@ -181,7 +181,7 @@ function collectSkills() {
     const skills = [];
     const seen = new Map(); // name → source dir
     // 패키지 내장 스킬 경로 (dist/../skills/)
-    const pkgSkillsDir = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..', 'commands');
+    const pkgSkillsDir = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..', 'assets', 'claude', 'commands');
     // 프로젝트 .forgen > 프로젝트 .compound > 개인 > 글로벌 > 패키지 내장
     const dirs = [
         path.join(process.cwd(), '.forgen', 'skills'),