oh-my-customcode 0.40.0 → 0.42.2

package/README.md

@@ -13,7 +13,7 @@
 
 **[한국어 문서 (Korean)](./README_ko.md)**
 
-44 agents. 74 skills. 21 rules. One command.
+44 agents. 75 skills. 21 rules. One command.
 
 ```bash
 npm install -g oh-my-customcode && cd your-project && omcustom init
@@ -138,7 +138,7 @@ Each agent declares its tools, model, memory scope, and limitations in YAML fron
 
 ---
 
-### Skills (74)
+### Skills (75)
 
 | Category | Count | Includes |
 |----------|-------|----------|
@@ -150,7 +150,7 @@ Each agent declares its tools, model, memory scope, and limitations in YAML fron
 | Memory | 3 | memory-save, memory-recall, memory-management |
 | Package | 3 | npm-publish, npm-version, npm-audit |
 | Optimization | 3 | optimize-analyze, optimize-bundle, optimize-report |
-| Security | 2 | cve-triage, jinja2-prompts |
+| Security | 3 | adversarial-review, cve-triage, jinja2-prompts |
 | Other | 8 | codex-exec, vercel-deploy, skills-sh-search, result-aggregation, writing-clearly-and-concisely, and more |
 
 Skills use a 3-tier scope system: `core` (universal), `harness` (agent/skill maintenance), `package` (project-specific).
@@ -257,7 +257,7 @@ your-project/
 ├── CLAUDE.md                   # Entry point
 ├── .claude/
 │   ├── agents/                 # 44 agent definitions
-│   ├── skills/                 # 74 skill modules
+│   ├── skills/                 # 75 skill modules
 │   ├── rules/                  # 21 governance rules (R000-R021)
 │   ├── hooks/                  # 15 lifecycle hook scripts
 │   ├── schemas/                # Tool input validation schemas

package/dist/cli/index.js

@@ -13443,6 +13443,158 @@ function getComponentPath(component) {
   return `.claude/${component}`;
 }
 
+// src/core/lockfile.ts
+init_fs();
+import { createHash } from "node:crypto";
+import { createReadStream } from "node:fs";
+import { readdir, stat } from "node:fs/promises";
+import { join as join5, relative as relative2 } from "node:path";
+var LOCKFILE_NAME = ".omcustom.lock.json";
+var LOCKFILE_VERSION = 1;
+var LOCKFILE_COMPONENTS = [
+  "rules",
+  "agents",
+  "skills",
+  "hooks",
+  "contexts",
+  "ontology",
+  "guides"
+];
+var COMPONENT_PATHS = LOCKFILE_COMPONENTS.map((component) => [getComponentPath(component), component]);
+function computeFileHash(filePath) {
+  return new Promise((resolve2, reject) => {
+    const hash = createHash("sha256");
+    const stream = createReadStream(filePath);
+    stream.on("error", (err) => {
+      reject(err);
+    });
+    stream.on("data", (chunk) => {
+      hash.update(chunk);
+    });
+    stream.on("end", () => {
+      resolve2(hash.digest("hex"));
+    });
+  });
+}
+async function readLockfile(targetDir) {
+  const lockfilePath = join5(targetDir, LOCKFILE_NAME);
+  const exists2 = await fileExists(lockfilePath);
+  if (!exists2) {
+    debug("lockfile.not_found", { path: lockfilePath });
+    return null;
+  }
+  try {
+    const data = await readJsonFile(lockfilePath);
+    if (typeof data !== "object" || data === null || data.lockfileVersion !== LOCKFILE_VERSION) {
+      warn("lockfile.invalid_version", { path: lockfilePath });
+      return null;
+    }
+    const record = data;
+    if (typeof record.files !== "object" || record.files === null) {
+      warn("lockfile.invalid_structure", { path: lockfilePath });
+      return null;
+    }
+    return data;
+  } catch (err) {
+    warn("lockfile.read_failed", { path: lockfilePath, error: String(err) });
+    return null;
+  }
+}
+async function writeLockfile(targetDir, lockfile) {
+  const lockfilePath = join5(targetDir, LOCKFILE_NAME);
+  await writeJsonFile(lockfilePath, lockfile);
+  debug("lockfile.written", { path: lockfilePath });
+}
+function resolveComponent(relativePath) {
+  const normalized = relativePath.replace(/\\/g, "/");
+  for (const [prefix, component] of COMPONENT_PATHS) {
+    if (normalized === prefix || normalized.startsWith(`${prefix}/`)) {
+      return component;
+    }
+  }
+  return "unknown";
+}
+async function collectFiles(dir2, projectRoot, isTopLevel) {
+  const results = [];
+  let entries;
+  try {
+    entries = await readdir(dir2);
+  } catch {
+    return results;
+  }
+  for (const entry of entries) {
+    if (isTopLevel && entry.startsWith(".") && entry !== ".claude") {
+      continue;
+    }
+    const fullPath = join5(dir2, entry);
+    let fileStat;
+    try {
+      fileStat = await stat(fullPath);
+    } catch {
+      continue;
+    }
+    if (fileStat.isDirectory()) {
+      const subFiles = await collectFiles(fullPath, projectRoot, false);
+      results.push(...subFiles);
+    } else if (fileStat.isFile()) {
+      results.push(fullPath);
+    }
+  }
+  return results;
+}
+async function generateLockfile(targetDir, generatorVersion, templateVersion) {
+  const files = {};
+  const componentRoots = COMPONENT_PATHS.map(([prefix]) => join5(targetDir, prefix));
+  for (const componentRoot of componentRoots) {
+    const exists2 = await fileExists(componentRoot);
+    if (!exists2) {
+      debug("lockfile.component_dir_missing", { path: componentRoot });
+      continue;
+    }
+    const allFiles = await collectFiles(componentRoot, targetDir, false);
+    for (const absolutePath of allFiles) {
+      const relativePath = relative2(targetDir, absolutePath).replace(/\\/g, "/");
+      let hash;
+      let size;
+      try {
+        hash = await computeFileHash(absolutePath);
+        const fileStat = await stat(absolutePath);
+        size = fileStat.size;
+      } catch (err) {
+        warn("lockfile.hash_failed", { path: absolutePath, error: String(err) });
+        continue;
+      }
+      const component = resolveComponent(relativePath);
+      files[relativePath] = {
+        templateHash: hash,
+        size,
+        component
+      };
+      debug("lockfile.entry_added", { path: relativePath, component });
+    }
+  }
+  return {
+    lockfileVersion: LOCKFILE_VERSION,
+    generatorVersion,
+    generatedAt: new Date().toISOString(),
+    templateVersion,
+    files
+  };
+}
+async function generateAndWriteLockfileForDir(targetDir) {
+  try {
+    const packageRoot = getPackageRoot();
+    const manifest = await readJsonFile(join5(packageRoot, "templates", "manifest.json"));
+    const { version: generatorVersion } = await readJsonFile(join5(packageRoot, "package.json"));
+    const lockfile = await generateLockfile(targetDir, generatorVersion, manifest.version);
+    await writeLockfile(targetDir, lockfile);
+    return { fileCount: Object.keys(lockfile.files).length };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { fileCount: 0, warning: `Lockfile generation failed: ${msg}` };
+  }
+}
+
 // src/cli/doctor.ts
 async function pathExists(targetPath) {
   try {
@@ -13454,8 +13606,8 @@ async function pathExists(targetPath) {
 }
 async function isDirectory(targetPath) {
   try {
-    const stat = await fs.stat(targetPath);
-    return stat.isDirectory();
+    const stat2 = await fs.stat(targetPath);
+    return stat2.isDirectory();
   } catch {
     return false;
   }
@@ -13491,8 +13643,8 @@ async function collectSymlinksFromRefsDir(refsDir) {
     for (const entry of entries) {
       const entryPath = path.join(refsDir, entry.name);
       try {
-        const stat = await fs.lstat(entryPath);
-        if (stat.isSymbolicLink()) {
+        const stat2 = await fs.lstat(entryPath);
+        if (stat2.isSymbolicLink()) {
           symlinks.push(entryPath);
         }
       } catch {}
@@ -13890,6 +14042,45 @@ function readCurrentVersion() {
     return "0.0.0";
   }
 }
+async function checkLockfileDrift(targetDir) {
+  const lockfile = await readLockfile(targetDir);
+  if (!lockfile) {
+    return null;
+  }
+  const modified = [];
+  const removed = [];
+  for (const [relativePath, entry] of Object.entries(lockfile.files)) {
+    const absolutePath = path.join(targetDir, relativePath);
+    try {
+      const currentHash = await computeFileHash(absolutePath);
+      if (currentHash !== entry.templateHash) {
+        modified.push(relativePath);
+      }
+    } catch {
+      removed.push(relativePath);
+    }
+  }
+  const driftedFiles = [...modified, ...removed];
+  if (driftedFiles.length === 0) {
+    return {
+      name: "Lockfile",
+      status: "pass",
+      message: `Lockfile OK — no drift detected (${Object.keys(lockfile.files).length} files tracked)`,
+      fixable: false
+    };
+  }
+  const details = [
+    ...modified.map((f) => `modified: ${f}`),
+    ...removed.map((f) => `removed: ${f}`)
+  ];
+  return {
+    name: "Lockfile",
+    status: "warn",
+    message: `Lockfile drift detected: ${driftedFiles.length} file(s) changed since install`,
+    fixable: false,
+    details
+  };
+}
 async function checkFrameworkDrift(targetDir, currentVersion) {
   const result = await checkFrameworkVersion(targetDir, currentVersion);
   if (!result)
@@ -13957,7 +14148,9 @@ async function runAllChecks(targetDir, layout, packageVersion, includeUpdates) {
   ]);
   const frameworkCheck = await checkFrameworkDrift(targetDir, packageVersion);
   const checksWithFramework = frameworkCheck ? [...baseChecks, frameworkCheck] : baseChecks;
-  return includeUpdates ? [...checksWithFramework, checkUpdateAvailable(packageVersion)] : checksWithFramework;
+  const lockfileCheck = await checkLockfileDrift(targetDir);
+  const checksWithLockfile = lockfileCheck ? [...checksWithFramework, lockfileCheck] : checksWithFramework;
+  return includeUpdates ? [...checksWithLockfile, checkUpdateAvailable(packageVersion)] : checksWithLockfile;
 }
 async function doctorCommand(options = {}) {
   const targetDir = process.cwd();
@@ -14029,7 +14222,7 @@ import { basename as basename2, join as join7 } from "node:path";
 
 // src/core/file-preservation.ts
 init_fs();
-import { basename, join as join5 } from "node:path";
+import { basename, join as join6 } from "node:path";
 var DEFAULT_CRITICAL_FILES = ["settings.json", "settings.local.json"];
 var DEFAULT_CRITICAL_DIRECTORIES = ["agent-memory", "agent-memory-local"];
 var PROTECTED_FRAMEWORK_FILES = ["CLAUDE.md", "AGENTS.md"];
@@ -14052,8 +14245,8 @@ function matchesGlobPattern(filePath, pattern) {
   return regex.test(filePath);
 }
 async function extractSingleFile(fileName, rootDir, tempDir, result) {
-  const srcPath = join5(rootDir, fileName);
-  const destPath = join5(tempDir, fileName);
+  const srcPath = join6(rootDir, fileName);
+  const destPath = join6(tempDir, fileName);
   try {
     if (await fileExists(srcPath)) {
       await copyFile(srcPath, destPath);
@@ -14067,8 +14260,8 @@ async function extractSingleFile(fileName, rootDir, tempDir, result) {
   }
 }
 async function extractSingleDir(dirName, rootDir, tempDir, result) {
-  const srcPath = join5(rootDir, dirName);
-  const destPath = join5(tempDir, dirName);
+  const srcPath = join6(rootDir, dirName);
+  const destPath = join6(tempDir, dirName);
   try {
     if (await fileExists(srcPath)) {
       await copyDirectory(srcPath, destPath, { overwrite: true, preserveTimestamps: true });
@@ -14105,8 +14298,8 @@ async function restoreCriticalFiles(rootDir, preservation) {
     failures: []
   };
   for (const fileName of preservation.extractedFiles) {
-    const preservedPath = join5(preservation.tempDir, fileName);
-    const targetPath = join5(rootDir, fileName);
+    const preservedPath = join6(preservation.tempDir, fileName);
+    const targetPath = join6(rootDir, fileName);
     try {
       if (fileName.endsWith(".json")) {
         await mergeJsonFile(preservedPath, targetPath);
@@ -14122,8 +14315,8 @@ async function restoreCriticalFiles(rootDir, preservation) {
     }
   }
   for (const dirName of preservation.extractedDirs) {
-    const preservedPath = join5(preservation.tempDir, dirName);
-    const targetPath = join5(rootDir, dirName);
+    const preservedPath = join6(preservation.tempDir, dirName);
+    const targetPath = join6(rootDir, dirName);
     try {
       await copyDirectory(preservedPath, targetPath, {
         overwrite: false,
@@ -14422,134 +14615,6 @@ function getDefaultWorkflow() {
   };
 }
 
-// src/core/lockfile.ts
-init_fs();
-import { createHash } from "node:crypto";
-import { createReadStream } from "node:fs";
-import { readdir, stat } from "node:fs/promises";
-import { join as join6, relative as relative2 } from "node:path";
-var LOCKFILE_NAME = ".omcustom.lock.json";
-var LOCKFILE_VERSION = 1;
-var LOCKFILE_COMPONENTS = [
-  "rules",
-  "agents",
-  "skills",
-  "hooks",
-  "contexts",
-  "ontology",
-  "guides"
-];
-var COMPONENT_PATHS = LOCKFILE_COMPONENTS.map((component) => [getComponentPath(component), component]);
-function computeFileHash(filePath) {
-  return new Promise((resolve2, reject) => {
-    const hash = createHash("sha256");
-    const stream = createReadStream(filePath);
-    stream.on("error", (err) => {
-      reject(err);
-    });
-    stream.on("data", (chunk) => {
-      hash.update(chunk);
-    });
-    stream.on("end", () => {
-      resolve2(hash.digest("hex"));
-    });
-  });
-}
-async function writeLockfile(targetDir, lockfile) {
-  const lockfilePath = join6(targetDir, LOCKFILE_NAME);
-  await writeJsonFile(lockfilePath, lockfile);
-  debug("lockfile.written", { path: lockfilePath });
-}
-function resolveComponent(relativePath) {
-  const normalized = relativePath.replace(/\\/g, "/");
-  for (const [prefix, component] of COMPONENT_PATHS) {
-    if (normalized === prefix || normalized.startsWith(`${prefix}/`)) {
-      return component;
-    }
-  }
-  return "unknown";
-}
-async function collectFiles(dir2, projectRoot, isTopLevel) {
-  const results = [];
-  let entries;
-  try {
-    entries = await readdir(dir2);
-  } catch {
-    return results;
-  }
-  for (const entry of entries) {
-    if (isTopLevel && entry.startsWith(".") && entry !== ".claude") {
-      continue;
-    }
-    const fullPath = join6(dir2, entry);
-    let fileStat;
-    try {
-      fileStat = await stat(fullPath);
-    } catch {
-      continue;
-    }
-    if (fileStat.isDirectory()) {
-      const subFiles = await collectFiles(fullPath, projectRoot, false);
-      results.push(...subFiles);
-    } else if (fileStat.isFile()) {
-      results.push(fullPath);
-    }
-  }
-  return results;
-}
-async function generateLockfile(targetDir, generatorVersion, templateVersion) {
-  const files = {};
-  const componentRoots = COMPONENT_PATHS.map(([prefix]) => join6(targetDir, prefix));
-  for (const componentRoot of componentRoots) {
-    const exists2 = await fileExists(componentRoot);
-    if (!exists2) {
-      debug("lockfile.component_dir_missing", { path: componentRoot });
-      continue;
-    }
-    const allFiles = await collectFiles(componentRoot, targetDir, false);
-    for (const absolutePath of allFiles) {
-      const relativePath = relative2(targetDir, absolutePath).replace(/\\/g, "/");
-      let hash;
-      let size;
-      try {
-        hash = await computeFileHash(absolutePath);
-        const fileStat = await stat(absolutePath);
-        size = fileStat.size;
-      } catch (err) {
-        warn("lockfile.hash_failed", { path: absolutePath, error: String(err) });
-        continue;
-      }
-      const component = resolveComponent(relativePath);
-      files[relativePath] = {
-        templateHash: hash,
-        size,
-        component
-      };
-      debug("lockfile.entry_added", { path: relativePath, component });
-    }
-  }
-  return {
-    lockfileVersion: LOCKFILE_VERSION,
-    generatorVersion,
-    generatedAt: new Date().toISOString(),
-    templateVersion,
-    files
-  };
-}
-async function generateAndWriteLockfileForDir(targetDir) {
-  try {
-    const packageRoot = getPackageRoot();
-    const manifest = await readJsonFile(join6(packageRoot, "templates", "manifest.json"));
-    const { version: generatorVersion } = await readJsonFile(join6(packageRoot, "package.json"));
-    const lockfile = await generateLockfile(targetDir, generatorVersion, manifest.version);
-    await writeLockfile(targetDir, lockfile);
-    return { fileCount: Object.keys(lockfile.files).length };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return { fileCount: 0, warning: `Lockfile generation failed: ${msg}` };
-  }
-}
-
 // src/core/scope-filter.ts
 function getSkillScope(content) {
   const cleaned = content.replace(/^\uFEFF/, "");
@@ -14936,12 +15001,21 @@ async function generateMCPConfig(targetDir) {
   if (!ontologyExists) {
     return;
   }
+  try {
+    execSync3("uv --version", { stdio: "pipe" });
+  } catch {
+    warn("uv (Python package manager) not found. Install it with: curl -LsSf https://astral.sh/uv/install.sh | sh");
+    warn("Skipping ontology-rag MCP configuration. You can set it up manually later.");
+    return;
+  }
   try {
     execSync3("uv venv .venv", { cwd: targetDir, stdio: "pipe" });
     execSync3('uv pip install "ontology-rag @ git+https://github.com/baekenough/oh-my-customcode.git#subdirectory=packages/ontology-rag"', { cwd: targetDir, stdio: "pipe" });
   } catch (error2) {
     const msg = error2 instanceof Error ? error2.message : String(error2);
-    throw new Error(`Failed to setup Python environment: ${msg}`);
+    warn(`Failed to setup ontology-rag: ${msg}`);
+    warn("You can configure the MCP server manually. See: https://github.com/baekenough/oh-my-customcode/tree/develop/packages/ontology-rag");
+    return;
   }
   const config = {
     mcpServers: {
@@ -14975,6 +15049,7 @@ async function generateMCPConfig(targetDir) {
     await writeFile(mcpConfigPath, `${JSON.stringify(config, null, 2)}
 `);
   }
+  info("ontology-rag MCP server configured successfully");
 }
 async function checkUvAvailable() {
   try {
@@ -16078,6 +16153,15 @@ async function initCommand(options) {
     logInstallResultInfo(installResult);
     logSuccessDetails(installedPaths, installResult.skippedComponents);
     await setupMcpConfig(targetDir);
+    console.log("");
+    console.log("Required plugins (install manually):");
+    console.log("  /plugin marketplace add obra/superpowers-marketplace");
+    console.log("  /plugin install superpowers");
+    console.log("  /plugin install superpowers-developing-for-claude-code");
+    console.log("  /plugin install elements-of-style");
+    console.log("  /plugin install context7");
+    console.log("");
+    console.log('See CLAUDE.md "외부 의존성" section for details.');
     return {
       success: true,
       message: i18n.t("cli.init.success"),

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "oh-my-customcode",
   "workspaces": ["packages/*"],
-  "version": "0.40.0",
+  "version": "0.42.2",
   "description": "Batteries-included agent harness for Claude Code",
   "type": "module",
   "bin": {

package/templates/.claude/agents/sec-codeql-expert.md

@@ -7,6 +7,7 @@ memory: project
 isolation: sandbox
 skills:
   - cve-triage
+  - adversarial-review
 tools:
   - Read
   - Write

package/templates/.claude/config/required-plugins.json

@@ -0,0 +1,30 @@
+{
+  "requiredPlugins": [
+    {
+      "name": "superpowers",
+      "source": "claude-plugins-official",
+      "description": "TDD, debugging, collaboration patterns"
+    },
+    {
+      "name": "superpowers-developing-for-claude-code",
+      "source": "superpowers-marketplace",
+      "description": "Claude Code development documentation"
+    },
+    {
+      "name": "elements-of-style",
+      "source": "superpowers-marketplace",
+      "description": "Writing clarity guidelines"
+    },
+    {
+      "name": "context7",
+      "source": "claude-plugins-official",
+      "description": "Library documentation lookup"
+    }
+  ],
+  "marketplaces": [
+    {
+      "name": "superpowers-marketplace",
+      "url": "obra/superpowers-marketplace"
+    }
+  ]
+}

package/templates/.claude/hooks/scripts/audit-log.sh

@@ -6,6 +6,7 @@
 # Always exits 0 (advisory only)
 
 set -euo pipefail
+HOOK_START=$(date +%s%N 2>/dev/null || echo 0)
 
 # Dependency check: exit silently if jq not available
 command -v jq >/dev/null 2>&1 || exit 0
@@ -55,4 +56,9 @@ fi
 
 # Pass through
 echo "$input"
+HOOK_END=$(date +%s%N 2>/dev/null || echo 0)
+if [ "$HOOK_START" != "0" ] && [ "$HOOK_END" != "0" ]; then
+  HOOK_MS=$(( (HOOK_END - HOOK_START) / 1000000 ))
+  echo "[Hook Perf] $(basename "$0"): ${HOOK_MS}ms" >> "/tmp/.claude-hook-perf-${PPID}.log"
+fi
 exit 0

package/templates/.claude/hooks/scripts/context-budget-advisor.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -euo pipefail
+HOOK_START=$(date +%s%N 2>/dev/null || echo 0)
 
 # Dependency check: exit silently if jq not available
 command -v jq >/dev/null 2>&1 || exit 0
@@ -86,4 +87,9 @@ fi
 
 # Pass through
 echo "$input"
+HOOK_END=$(date +%s%N 2>/dev/null || echo 0)
+if [ "$HOOK_START" != "0" ] && [ "$HOOK_END" != "0" ]; then
+  HOOK_MS=$(( (HOOK_END - HOOK_START) / 1000000 ))
+  echo "[Hook Perf] $(basename "$0"): ${HOOK_MS}ms" >> "/tmp/.claude-hook-perf-${PPID}.log"
+fi
 exit 0

package/templates/.claude/hooks/scripts/session-env-check.sh

@@ -185,6 +185,10 @@ case "$DRIFT_STATUS" in
     echo "  Skipped (not a git repository)" >&2
     ;;
 esac
+echo "" >&2
+echo "  [Lockfile Drift]" >&2
+echo "  Note: file-level lockfile drift (template hash changes) is checked via 'omcustom doctor'" >&2
+echo "  Run 'omcustom doctor' to detect modified/removed template files since install." >&2
 echo "------------------------------------" >&2
 
 # SessionEnd hooks timeout (v2.1.74+)

package/templates/.claude/hooks/scripts/stuck-detector.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 set -euo pipefail
+HOOK_START=$(date +%s%N 2>/dev/null || echo 0)
 
 # Dependency check: exit silently if jq not available
 command -v jq >/dev/null 2>&1 || exit 0
@@ -180,9 +181,19 @@ if [ "$hard_block" = true ]; then
   echo "  Recovery: Step back, re-read the error, and try a fundamentally different approach." >&2
   echo "=====================================" >&2
   echo "$input"
+  HOOK_END=$(date +%s%N 2>/dev/null || echo 0)
+  if [ "$HOOK_START" != "0" ] && [ "$HOOK_END" != "0" ]; then
+    HOOK_MS=$(( (HOOK_END - HOOK_START) / 1000000 ))
+    echo "[Hook Perf] $(basename "$0"): ${HOOK_MS}ms" >> "/tmp/.claude-hook-perf-${PPID}.log"
+  fi
   exit 1
 fi
 
 # Pass through
 echo "$input"
+HOOK_END=$(date +%s%N 2>/dev/null || echo 0)
+if [ "$HOOK_START" != "0" ] && [ "$HOOK_END" != "0" ]; then
+  HOOK_MS=$(( (HOOK_END - HOOK_START) / 1000000 ))
+  echo "[Hook Perf] $(basename "$0"): ${HOOK_MS}ms" >> "/tmp/.claude-hook-perf-${PPID}.log"
+fi
 exit 0

package/templates/.claude/ontology/skills.yaml

@@ -85,6 +85,7 @@ skills:
     description: "Audit agent dependencies and references"
     user_invocable: true
     model_invocable: true
+    scope: harness
     summary: "Audit agent dependencies to ensure all skill and guide references are valid"
     keywords: [audit, dependencies, validation, references]
     rule_references: []
@@ -103,6 +104,7 @@ skills:
     description: "Fetch and verify Claude Code official documentation. Use when checking official spec compliance or updating local reference docs."
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Maintain up-to-date local copies of Claude Code official documentation"
     keywords: [claude-code, documentation, spec, compliance, verification]
     rule_references: []
@@ -112,6 +114,7 @@ skills:
     description: "Create a new agent with complete structure"
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Create a new agent with complete directory structure and validation"
     keywords: [create, agent, structure, validation]
     rule_references: []
@@ -203,6 +206,7 @@ skills:
     description: "Fix broken agent references and symlinks"
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Fix broken references, missing symlinks, and agent dependency issues"
     keywords: [fix, references, symlinks, dependencies]
     rule_references: []
@@ -230,6 +234,7 @@ skills:
     description: "Show help information for commands and system"
     user_invocable: true
     model_invocable: true
+    scope: harness
     summary: "Show help information for commands, agents, and system rules"
     keywords: [help, documentation, commands, agents, rules]
     rule_references: []
@@ -266,6 +271,7 @@ skills:
     description: "Show all available commands"
     user_invocable: true
     model_invocable: true
+    scope: harness
     summary: "Show all available commands with optional filtering and detailed information"
     keywords: [lists, commands, categories, system]
     rule_references: []
@@ -302,6 +308,7 @@ skills:
     description: "Enable/disable OpenTelemetry console monitoring for Claude Code usage tracking"
     user_invocable: true
     model_invocable: true
+    scope: package
     summary: "Enable or disable OpenTelemetry console monitoring for usage metrics"
     keywords: [monitoring, telemetry, otel, metrics, usage]
     rule_references: []
@@ -311,6 +318,7 @@ skills:
     description: "Audit npm dependencies for security and updates"
     user_invocable: true
     model_invocable: true
+    scope: package
     summary: "Audit npm dependencies for security vulnerabilities and outdated packages"
     keywords: [npm, audit, security, dependencies, vulnerabilities]
     rule_references: []
@@ -320,6 +328,7 @@ skills:
     description: "Publish package to npm registry with pre-checks"
     user_invocable: true
     model_invocable: false
+    scope: package
     summary: "Publish package to npm registry with comprehensive pre-publish checks"
     keywords: [npm, publish, package, registry, validation]
     rule_references: []
@@ -329,6 +338,7 @@ skills:
     description: "Manage semantic versions for npm packages"
     user_invocable: true
     model_invocable: false
+    scope: package
     summary: "Manage semantic versions for npm packages with changelog and git integration"
     keywords: [npm, version, semantic, changelog, git]
     rule_references: []
@@ -447,6 +457,7 @@ skills:
     description: "Full R017 verification (5+3 rounds) before commit"
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Execute full R017 verification with 5 rounds of manager verification and 3 rounds of deep review"
     keywords: [verification, r017, sync, validation, compliance]
     rule_references: [R017]
@@ -493,6 +504,7 @@ skills:
     description: "Show system status and health checks"
     user_invocable: true
     model_invocable: true
+    scope: harness
     summary: "Show comprehensive system status including agents, skills, guides, and health checks"
     keywords: [status, health, system, agents, skills]
     rule_references: []
@@ -520,6 +532,7 @@ skills:
     description: "Sync documentation with project structure"
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Ensure documentation accurately reflects current project state and agents work together"
     keywords: [update, documentation, sync, validation, consistency]
     rule_references: []
@@ -529,6 +542,7 @@ skills:
     description: "Update agents from external sources (GitHub, docs, etc.)"
     user_invocable: true
     model_invocable: false
+    scope: harness
     summary: "Update agents, skills, and guides from external sources to latest versions"
     keywords: [update, external, github, sources, versioning]
     rule_references: []

package/templates/.claude/rules/MUST-agent-design.md

@@ -203,10 +203,10 @@ Use `context: fork` for skills that orchestrate multi-agent workflows. Cap at **
 | Multi-agent coordination patterns | Single-agent reference skills |
 | Task decomposition/planning | External tool integrations |
 
-Current skills with `context: fork` (11/12 cap):
+Current skills with `context: fork` (9/12 cap):
 - secretary-routing, dev-lead-routing, de-lead-routing, qa-lead-routing
 - dag-orchestration, task-decomposition, worker-reviewer-pipeline, pipeline-guards
-- deep-plan, evaluator-optimizer, sauron-watch
+- deep-plan
 
 ## Naming
 

package/templates/.claude/rules/MUST-agent-teams.md

@@ -13,6 +13,7 @@ Available when `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1` or TeamCreate/SendMessag
 | Scenario | Preferred | Reason |
 |----------|-----------|--------|
 | Simple independent subtasks | Agent Tool | Lower cost, no coordination overhead |
+| Sequential-dependency init/scaffolding | Agent Tool | Blocked agents waste tokens polling; single agent faster |
 | Multi-step with shared state | **Agent Teams** | Shared task list, peer messaging |
 | Research requiring discussion | **Agent Teams** | Iterative discovery, synthesis |
 | Cost-sensitive batch ops | Agent Tool | Minimal token overhead |
@@ -46,9 +47,14 @@ Before using Agent tool for 2+ agent tasks, complete this check:
 ║                                                                   ║
 ║  4. Are 2+ issues being fixed in the same release batch?        ║
 ║     YES → prefer Agent Teams (coordination benefit)              ║
-║     NO  → Proceed with Agent tool                                ║
+║     NO  → Check #5                                               ║
+║                                                                   ║
+║  5. Are tasks sequentially dependent (init/scaffold)?            ║
+║     YES → prefer Agent Tool (single agent, no coordination)     ║
+║     NO  → Continue with Agent Teams                              ║
 ║                                                                   ║
 ║  Simple rule: 3+ agents OR review cycle → use Agent Teams        ║
+║  Sequential deps / scaffolding → Agent Tool (single agent)       ║
 ║  2+ issues in same batch → prefer Agent Teams                    ║
 ║  Everything else → Agent tool                                    ║
 ╚══════════════════════════════════════════════════════════════════╝
@@ -189,6 +195,36 @@ When Agent Teams creates a new agent via mgr-creator:
 4. New agent joins team immediately
 5. Team continues with expanded capabilities
 
+## Blocked Agent Behavior
+
+When a team member is blocked by task dependencies:
+
+| Strategy | When | Benefit |
+|----------|------|---------|
+| Deferred spawn | Dependency chain is clear | No wasted tokens; spawn after blocker completes |
+| Silent wait | Agent already spawned, short wait expected | Minimal overhead |
+| Reassign | Agent blocked >2 min with no progress | Reuse agent for unblocked work |
+
+### Prompt Guidelines for Blocked Agents
+
+When spawning agents that may be blocked:
+1. Include explicit instruction: "If your task is blocked, wait silently. Do NOT send periodic status messages."
+2. Set check interval: "Check TaskList once per minute, not continuously."
+3. Prefer deferred spawn when the dependency resolution time is unpredictable.
+
+### Anti-Pattern: Idle Polling
+
+```
+❌ WRONG: Blocked agent sends repeated status messages
+   docker-dev: "Task #1 still pending..."  (×5 messages, wasting tokens)
+
+✓ CORRECT: Deferred spawn after dependency resolves
+   (Task #1 completes) → then spawn docker-dev for Task #3
+
+✓ ALSO CORRECT: Silent wait with infrequent checks
+   docker-dev spawned with: "Wait silently if blocked. Check TaskList once per minute."
+```
+
 ## Lifecycle
 
 ```

package/templates/.claude/skills/adversarial-review/SKILL.md

@@ -0,0 +1,72 @@
+---
+name: adversarial-review
+description: Adversarial code review using attacker mindset — trust boundary, attack surface, business logic, and defense evaluation
+scope: core
+argument-hint: "<file-or-directory> [--depth quick|thorough]"
+user-invocable: true
+---
+
+# Adversarial Code Review
+
+Review code from an attacker's perspective using STRIDE + OWASP frameworks.
+
+## 4-Phase Review Process
+
+### Phase 1: Trust Boundary Analysis
+Identify where trust transitions occur:
+- External input reaching internal logic without validation → **Tampering**
+- Implicit trust between services → **Elevation of Privilege**
+- Shared storage without isolation → **Information Disclosure**
+- Authentication boundaries not clearly marked → **Spoofing**
+
+Output: `[TRUST-BOUNDARY]` findings with location, threat type, and current validation level.
+
+### Phase 2: Attack Surface Mapping
+Map all entry points and exposure:
+- Public API endpoints and auth requirements
+- File upload/download paths → Path traversal risk
+- External system calls (URLs, queries) → SSRF/Injection
+- Event handlers and callbacks → Race conditions
+- Error message verbosity → Information Disclosure
+
+Output: `[ATTACK-SURFACE]` table with endpoint, exposure level, and mitigation status.
+
+### Phase 3: Business Logic Review
+Analyze logic flaws that static analysis misses:
+- State machine violations (skip steps, replay)
+- Authorization != authentication (authn ok but authz missing)
+- Race conditions in multi-step operations
+- Numeric overflow/underflow in financial calculations
+- Default-allow vs default-deny patterns
+
+Output: `[LOGIC-FLAW]` findings with exploitation scenario and impact.
+
+### Phase 4: Defense Evaluation
+Assess existing defense mechanisms:
+- Input validation completeness (allowlist vs blocklist)
+- Output encoding consistency
+- Rate limiting and abuse prevention
+- Logging coverage for security events
+- Secret management (hardcoded credentials, env leaks)
+
+Output: `[DEFENSE-GAP]` findings with recommendation.
+
+## Output Format
+
+For each finding:
+```
+[CATEGORY] Severity: HIGH|MEDIUM|LOW
+Location: file:line
+Finding: Description
+Attack: How an attacker would exploit this
+Fix: Recommended remediation
+```
+
+## Depth Modes
+- **quick**: Phase 1 + 2 only (trust boundaries + attack surface)
+- **thorough**: All 4 phases with detailed exploitation scenarios
+
+## Integration
+- Complements `dev-review` (best practices) with attacker perspective
+- Works with `sec-codeql-expert` for pattern-based + logic-based coverage
+- Can be chained: `dev-review` → `adversarial-review` for complete coverage

package/templates/.claude/skills/deep-plan/SKILL.md

@@ -2,6 +2,7 @@
 name: deep-plan
 description: Research-validated planning — research → plan → verify cycle for high-confidence implementation plans
 scope: core
+context: fork
 version: 1.0.0
 user-invocable: true
 argument-hint: "<topic-or-issue>"

package/templates/CLAUDE.md

@@ -102,6 +102,7 @@ oh-my-customcode로 구동됩니다.
 | `/omcustom:audit-agents` | 에이전트 의존성 감사 |
 | `/omcustom:fix-refs` | 깨진 참조 수정 |
 | `/omcustom:takeover` | 기존 에이전트/스킬에서 canonical spec 추출 |
+| `/adversarial-review` | 공격자 관점 보안 코드 리뷰 |
 | `/dev-review` | 코드 베스트 프랙티스 리뷰 |
 | `/dev-refactor` | 코드 리팩토링 |
 | `/memory-save` | 세션 컨텍스트를 claude-mem에 저장 |
@@ -130,7 +131,7 @@ project/
 +-- CLAUDE.md                    # 진입점
 +-- .claude/
 |   +-- agents/                  # 서브에이전트 정의 (44 파일)
-|   +-- skills/                  # 스킬 (74 디렉토리)
+|   +-- skills/                  # 스킬 (75 디렉토리)
 |   +-- rules/                   # 전역 규칙 (R000-R021)
 |   +-- hooks/                   # 훅 스크립트 (보안, 검증, HUD)
 |   +-- contexts/                # 컨텍스트 파일 (ecomode)

package/templates/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.40.0",
+  "version": "0.42.2",
   "lastUpdated": "2026-03-16T00:00:00.000Z",
   "components": [
     {
@@ -18,7 +18,7 @@
       "name": "skills",
       "path": ".claude/skills",
       "description": "Reusable skill modules (includes slash commands)",
-      "files": 74
+      "files": 75
     },
     {
       "name": "guides",