oh-my-customcodex 0.3.9 → 0.4.0

package/README.md

@@ -13,7 +13,7 @@
 
 **[한국어 문서 (Korean)](./README_ko.md)**
 
-48 agents. 112 skills. 22 rules. One command.
+49 agents. 112 skills. 22 rules. One command.
 
 ```bash
 npm install -g oh-my-customcodex && cd your-project && omcustomcodex init
@@ -112,7 +112,7 @@ Agent(arch-documenter):haiku      ┘
 
 ---
 
-### Agents (48)
+### Agents (49)
 
 | Category | Count | Agents |
 |----------|-------|--------|
@@ -121,13 +121,14 @@ Agent(arch-documenter):haiku      ┘
 | Frontend | 5 | fe-vercel, fe-vuejs, fe-svelte, fe-flutter, fe-design |
 | Data Engineering | 6 | de-airflow, de-dbt, de-spark, de-kafka, de-snowflake, de-pipeline |
 | Database | 4 | db-supabase, db-postgres, db-redis, db-alembic |
-| Tooling | 4 | tool-npm, tool-optimizer, tool-bun, slack-cli |
+| Tooling | 3 | tool-npm, tool-optimizer, tool-bun |
 | Architecture | 2 | arch-documenter, arch-speckit |
 | Infrastructure | 2 | infra-docker, infra-aws |
 | QA | 3 | qa-planner, qa-writer, qa-engineer |
 | Security | 1 | sec-codeql |
 | Managers | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 2 | sys-memory-keeper, sys-naggy |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli, wiki-curator |
 
 Each agent declares its tools, model, memory scope, and limitations in YAML frontmatter. Tool budgets are enforced per agent type for accuracy.
 
@@ -277,7 +278,7 @@ omcustomcodex serve-stop            # Stop Web UI
 your-project/
 ├── AGENTS.md                   # Entry point
 ├── .codex/
-│   ├── agents/                 # 48 agent definitions
+│   ├── agents/                 # 49 agent definitions
 │   ├── rules/                  # 22 governance rules (R000-R021)
 │   ├── hooks/                  # 15 lifecycle hook scripts
 │   ├── schemas/                # Tool input validation schemas

package/dist/cli/index.js

@@ -3091,7 +3091,7 @@ var init_package = __esm(() => {
     workspaces: [
       "packages/*"
     ],
-    version: "0.3.9",
+    version: "0.4.0",
     description: "Batteries-included agent harness on top of GPT Codex + OMX",
     type: "module",
     bin: {

package/dist/index.js

@@ -2180,7 +2180,7 @@ var package_default = {
   workspaces: [
     "packages/*"
   ],
-  version: "0.3.9",
+  version: "0.4.0",
   description: "Batteries-included agent harness on top of GPT Codex + OMX",
   type: "module",
   bin: {

package/package.json

@@ -3,7 +3,7 @@
   "workspaces": [
     "packages/*"
   ],
-  "version": "0.3.9",
+  "version": "0.4.0",
   "description": "Batteries-included agent harness on top of GPT Codex + OMX",
   "type": "module",
   "bin": {

package/templates/.claude/agents/mgr-sauron.md

@@ -30,7 +30,7 @@ You are an automated verification specialist that executes the mandatory R017 ve
 6. Verify philosophy compliance (R006-R011)
 7. Verify Claude-native compatibility
 8. Spec density analysis: detects agents with excessive inline implementation detail (R006 compliance)
-9. Structural linting: routing coverage (unreachable agents), orphan skill detection, circular dependency check, context:fork cap verification
+9. Structural linting: routing coverage (unreachable agents), orphan skill detection, circular dependency check, context:fork cap verification, R006 fork-list/frontmatter cross-validation
 10. Auto-fix simple issues (count mismatches, missing fields)
 11. Generate verification report
 

package/templates/.claude/agents/tracker-checkpoint.md

@@ -0,0 +1,77 @@
+---
+name: tracker-checkpoint
+description: Pipeline execution state tracker with checkpoint persistence. Reads and writes /tmp/.codex-pipeline-*-{PPID}.json state files and validates state transitions for pipeline and DAG resume flows.
+model: sonnet
+effort: medium
+tools: [Read, Write, Edit, Bash, Glob, Grep]
+memory: project
+skills: [dag-orchestration, pipeline-guards]
+domain: universal
+permissionMode: bypassPermissions
+---
+
+# Tracker Checkpoint Agent
+
+## Purpose
+
+Manage pipeline execution state through persistent checkpoint files. This agent works with `/pipeline resume`, `dag-orchestration`, and `pipeline-guards` so failed or preempted runs can resume from a known state.
+
+## Capabilities
+
+- Read and write `/tmp/.codex-pipeline-{name}-{PPID}.json` state files
+- Read and write `/tmp/.codex-dag-{PPID}.json` DAG state files when a DAG workflow owns the run
+- Validate state transitions: `pending -> running -> completed | failed`
+- Preserve failure context for halted pipeline steps
+- Support `/pipeline resume` by loading the last known state
+
+## Workflow
+
+### 1. Pipeline Start
+
+- Create `/tmp/.codex-pipeline-{name}-{PPID}.json` with initial state
+- Record pipeline name, start timestamp, total steps, and `current_step: 0`
+
+### 2. Step Checkpoint
+
+- Update state after each step
+- Record step name, status, duration, and artifact paths
+- Use atomic write semantics: write temporary JSON, then move it into place
+
+### 3. Failure Freeze
+
+- Mark the pipeline status as `halted`
+- Preserve failed step, error message, and partial artifact paths
+- Leave the checkpoint file available for resume inspection
+
+### 4. Resume Coordination
+
+- Scan `/tmp/.codex-pipeline-*-{PPID}.json`
+- Return pipeline name, failed step, error, and retry/skip/abort options to the orchestrator
+- On retry, reset the failed step to `pending` and resume execution from that step
+
+## State File Schema
+
+```json
+{
+  "pipeline": "{name}",
+  "started": "ISO-8601",
+  "status": "running|completed|halted",
+  "current_step": 0,
+  "steps": [
+    {"name": "triage", "status": "completed", "duration_ms": 5000, "artifacts": []},
+    {"name": "plan", "status": "running"}
+  ]
+}
+```
+
+## Integration Points
+
+- `pipeline` skill: `/pipeline resume` state loader
+- `dag-orchestration` skill: step dependency resolution and checkpoint restoration
+- `pipeline-guards` skill: guard gate state snapshots
+
+## Rules Compliance
+
+- R006: this is an agent artifact; checkpoint workflow logic remains in skills
+- R010: orchestrator owns scheduling, this agent owns checkpoint file operations
+- R017: structural changes to checkpoint contracts require sauron verification

package/templates/.claude/hooks/hooks.json

@@ -83,14 +83,14 @@
         "description": "Schema-based tool input validation — Phase 1 advisory only"
       },
       {
-        "matcher": "tool == \"Bash\" && tool_input.command matches \"\\\\.claude/\"",
+        "matcher": "(tool == \"Bash\" && tool_input.command matches \"\\\\.claude/\") || ((tool == \"Write\" || tool == \"Edit\") && tool_input.file_path matches \"\\\\.claude/\")",
         "hooks": [
           {
             "type": "command",
             "command": "bash .codex/hooks/scripts/claude-sensitive-path-guard.sh"
           }
         ],
-        "description": "Block Bash writes into .claude/ sensitive paths before Claude Code permission prompts fire"
+        "description": "Block Bash/Write/Edit writes into .claude/ sensitive paths before Claude Code permission prompts fire"
       },
       {
         "matcher": "tool == \"Bash\"",

package/templates/.claude/hooks/scripts/claude-sensitive-path-guard.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Block Bash write operations targeting .claude/ sensitive paths.
+# Block tool write operations targeting .claude/ sensitive paths.
 # Claude Code can surface a sensitive-file permission prompt before allow rules
 # or bypassPermissions are evaluated, so fail fast before the command runs.
 
@@ -8,11 +8,15 @@ set -euo pipefail
 command -v jq >/dev/null 2>&1 || exit 0
 
 input=$(cat)
+tool=$(echo "$input" | jq -r '.tool // .tool_name // ""')
 cmd=$(echo "$input" | jq -r '.tool_input.command // ""')
+file_path=$(echo "$input" | jq -r '.tool_input.file_path // ""')
 
-if [ -z "$cmd" ]; then
-  echo "$input"
-  exit 0
+if [[ "$tool" =~ ^(Write|Edit)$ ]] && [[ "$file_path" =~ \.claude/ ]]; then
+  echo "[Hook] BLOCKED: $tool targeting .claude/ sensitive path" >&2
+  echo "[Hook] File: $file_path" >&2
+  echo "[Hook] Sensitive-path prompts can override allow rules. Use the repo's managed sync/update path or perform this change interactively." >&2
+  exit 2
 fi
 
 targets_claude=0
@@ -32,7 +36,7 @@ fi
 if [ "$targets_claude" -eq 1 ] && [ "$writes_claude" -eq 1 ]; then
   echo "[Hook] BLOCKED: Bash write targeting .claude/ sensitive path" >&2
   echo "[Hook] Command: $cmd" >&2
-  echo "[Hook] Use Write/Edit or the repo's managed sync/update path instead of Bash for .claude/ changes." >&2
+  echo "[Hook] Sensitive-path prompts can override allow rules. Use the repo's managed sync/update path or perform this change interactively." >&2
   exit 2
 fi
 

package/templates/.claude/rules/MUST-agent-design.md

@@ -235,6 +235,26 @@ Skills persist output to `.codex/outputs/sessions/{YYYY-MM-DD}/{skill-name}-{HHm
 **Rules**: Opt-in per skill, final subagent writes with a file-write API that creates missing parent directories (R010 compliance), do not pre-create session output directories with Bash, .codex/outputs/ is git-untracked, no indexing required.
 -->
 
+## Sensitive Path Handling
+
+Claude Code treats `.claude/` and `templates/.claude/` as sensitive directories across Bash, Write, and Edit operations. The sensitive-path check runs above `bypassPermissions` and explicit allow rules, so allow rules do not override the sensitive-path check.
+
+This Codex port uses `.codex/` as the active runtime surface, but packaged compatibility templates still live under `templates/.claude/`. Any automation that writes those templates must account for Claude Code permission prompts.
+
+| Path pattern | Sensitive in Claude Code? | Affected operations |
+|--------------|---------------------------|---------------------|
+| `.claude/**` | Yes | Bash writes, Write, Edit |
+| `templates/.claude/**` | Yes | Bash writes, Write, Edit |
+| `.codex/**` | No | Normal Codex runtime writes; still follow R010/R017 |
+| `.codex/outputs/**` and `.claude/outputs/**` | Treat as constrained artifact paths | Use file-write APIs that create parents; do not pre-create with Bash |
+
+Recommended practice:
+
+1. Prefer Write/Edit in an interactive session, or managed sync/update paths, over Bash copy/mkdir/tee writes for `.claude/` and `templates/.claude/`.
+2. Keep allow rules only as defensive documentation; do not rely on them to suppress sensitive-path prompts.
+3. Do not run unattended Claude Code release automation that writes `templates/.claude/**` unless the workflow can handle interactive approval.
+4. In this Codex port, update `.codex/...` source files and their `templates/.claude/...` mirrors deliberately instead of bulk-copying with shell commands.
+
 ## Separation of Concerns
 
 | Location | Purpose | Contains |
@@ -324,7 +344,7 @@ Default: `core` (when field is omitted)
 
 ### Context Fork Criteria
 
-Use `context: fork` for multi-agent orchestration skills only. Cap: **12 total**. Current: 12/12 (secretary/dev-lead/de-lead/qa-lead-routing, dag-orchestration, task-decomposition, worker-reviewer-pipeline, pipeline-guards, deep-plan, professor-triage, evaluator-optimizer, sauron-watch).
+Use `context: fork` for multi-agent orchestration skills only. Cap: **12 total**. Current: 10/12 (secretary-routing, dev-lead-routing, de-lead-routing, qa-lead-routing, dag-orchestration, task-decomposition, worker-reviewer-pipeline, pipeline-guards, deep-plan, professor-triage).
 
 <!-- DETAIL: Context Fork decision table
 | Use context:fork | Do NOT use context:fork |

package/templates/.claude/skills/dag-orchestration/SKILL.md

@@ -193,6 +193,26 @@ Execute? [Y/n]
 
 The orchestrator builds the DAG from this inline format and executes using the same algorithm.
 
+## State Management via tracker-checkpoint
+
+Pipeline and DAG state is delegated to the `tracker-checkpoint` agent.
+
+### Flow
+
+1. Pipeline start: orchestrator delegates to `tracker-checkpoint` to create an initial state file (`/tmp/.codex-pipeline-{name}-{PPID}.json`)
+2. After each step: `tracker-checkpoint` updates step state with atomic writes
+3. Step failure: `tracker-checkpoint` freezes the state as `halted`
+4. `/pipeline resume`: `tracker-checkpoint` loads state and returns restore options to the orchestrator
+
+### Integration
+
+- PPID-scoped pipeline state path: `/tmp/.codex-pipeline-{name}-{PPID}.json`
+- PPID-scoped DAG state path: `/tmp/.codex-dag-{PPID}.json`
+- Delegate before and after step execution when resume support is required
+- On resume, rebuild the DAG from checkpoint state and continue from incomplete steps
+
+See `.codex/agents/tracker-checkpoint.md` for the agent contract.
+
 ## Limitations
 
 - No cycles allowed (DAG = acyclic)

package/templates/.claude/skills/pipeline-guards/SKILL.md

@@ -158,6 +158,25 @@ Guard warnings appear inline:
 | stuck-recovery | Guard triggers feed into stuck detection |
 | model-escalation | Repeated failures trigger escalation advisory |
 
+## Checkpoint Gate Integration
+
+Guard pass/fail state is recorded through the `tracker-checkpoint` agent when a pipeline needs resumable execution.
+
+### Flow
+
+1. Guard entry: record gate state as `running`
+2. Guard pass: record gate state as `passed` with relevant metrics
+3. Guard failure: record gate state as `failed` and freeze failure reason
+4. Next step: read checkpoint state to decide whether to resume or halt
+
+### Benefits
+
+- Long pipelines gain restore points at guard boundaries
+- Partial failures can retry from the prior guard boundary
+- Guard metrics accumulate for release-quality trend analysis
+
+See `.codex/agents/tracker-checkpoint.md` for the checkpoint contract.
+
 ## Override Policy
 
 - Defaults can be overridden in pipeline spec (within hard caps)

package/templates/.claude/skills/sauron-watch/SKILL.md

@@ -99,10 +99,22 @@ Build dependency graph:
 Count skills with context: fork in frontmatter:
   grep "context: fork" .codex/skills/*/SKILL.md
 
-  If count > 10:
-    ERROR: "Context fork cap exceeded: {count}/10"
-  If count >= 8:
-    WARN: "Context fork usage high: {count}/10 — only {10-count} slots remaining"
+  If count > 12:
+    ERROR: "Context fork cap exceeded: {count}/12"
+  If count >= 10:
+    WARN: "Context fork usage high: {count}/12 — only {12-count} slots remaining"
+```
+
+**Lint 5: R006 Fork List Cross-Validation**
+```
+Run: bash .github/scripts/verify-fork-list.sh
+
+Compare:
+  - R006 Context Fork Criteria current count/list
+  - Actual .codex/skills/*/SKILL.md frontmatter with context: fork
+
+If count or list differs:
+  ERROR: "R006 fork list drift detected"
 ```
 
 All structural lints are **advisory** (WARN level) except circular dependencies and fork cap exceeded (ERROR level — should block commit).

package/templates/.claude/skills/sdd-dev/SKILL.md

@@ -2,7 +2,7 @@
 name: sdd-dev
 description: Spec-Driven Development workflow — enforces sdd/ folder hierarchy with planning-first gates, current-state artifacts, and completion verification
 scope: core
-version: 1.0.0
+version: 1.1.0
 user-invocable: true
 argument-hint: "[task description or leave empty for guided workflow]"
 ---
@@ -27,7 +27,8 @@ sdd/
 ├── 03_build/        # Current build state, implementation notes
 ├── 04_verify/       # Verification evidence, test results, residual risks
 ├── 05_operate/      # Deployment notes, runbooks (conditional)
-└── 99_toolchain/    # Tool configs, scripts, environment setup
+├── 99_toolchain/    # Tool configs, scripts, environment setup
+└── decisions/       # Decision records for major design choices
 ```
 
 **Key Principle**: These folders are **current-state artifacts**, not history archives. Each file reflects the current state of the work — update in place rather than appending new versions.
@@ -44,7 +45,7 @@ ls sdd/ 2>/dev/null || echo "sdd/ folder not found"
 
 If `sdd/` does not exist:
 1. Inform the user that SDD workflow requires a `sdd/` folder
-2. Offer to create the folder structure: `mkdir -p sdd/{01_planning,02_plan,03_build,04_verify,05_operate,99_toolchain}`
+2. Offer to create the folder structure: `mkdir -p sdd/{01_planning,02_plan,03_build,04_verify,05_operate,99_toolchain,decisions}`
 3. Ask user to confirm before proceeding
 
 If `sdd/` exists, continue to Step 1.
@@ -121,6 +122,7 @@ Artifact to produce or update: `sdd/03_build/current.md`
 
 ## Decisions Made
 - {decision}: {rationale}
+- Write decision records for major choices: `sdd/decisions/{YYYY-MM-DD}-{topic}.md` using `templates/decision-record.md`
 
 ## Known Issues
 - {issue}: {planned resolution}
@@ -129,6 +131,7 @@ Artifact to produce or update: `sdd/03_build/current.md`
 During implementation:
 - Follow the plan from Step 2
 - Update `sdd/03_build/current.md` as work progresses
+- Create or update a decision record when a choice materially changes architecture, workflow behavior, dependency strategy, or release risk
 - Keep the artifact current (not a log — overwrite stale entries)
 
 **Display**:

package/templates/.claude/skills/sdd-dev/templates/decision-record.md

@@ -0,0 +1,45 @@
+---
+title: {Decision title}
+date: YYYY-MM-DD
+status: proposed | accepted | superseded | deprecated
+context: guides/harness-engineering/README.md
+decision_makers: [{agent or role}]
+---
+
+# {Decision title}
+
+## Context
+
+{What is the problem and why is a decision needed? Include relevant constraints, goals, and the situation that makes this decision necessary.}
+
+## Options Considered
+
+1. **Option A**: {Description}
+   - Pros: {benefits}
+   - Cons: {drawbacks, trade-offs}
+
+2. **Option B**: {Description}
+   - Pros: {benefits}
+   - Cons: {drawbacks, trade-offs}
+
+3. **Option C** *(if applicable)*: {Description}
+   - Pros: {benefits}
+   - Cons: {drawbacks, trade-offs}
+
+## Decision
+
+**Chosen**: Option {A|B|C}
+
+{Explain the rationale for the choice. Why does this option best satisfy the constraints and goals from the Context section?}
+
+## Consequences
+
+- **Positive**: {What improves as a result of this decision}
+- **Negative**: {Trade-offs and costs accepted}
+- **Risks**: {Future considerations, potential issues to monitor}
+
+## References
+
+- guides/harness-engineering/README.md
+- {related skill or agent, e.g. .codex/skills/action-validator/SKILL.md}
+- {link to issue or PR if applicable}

package/templates/.claude/skills/secretary-routing/SKILL.md

@@ -24,6 +24,7 @@ Routes agent management tasks to the appropriate manager agent. This skill conta
 | mgr-claude-code-bible | Claude Code spec compliance | "spec check", "verify compliance" |
 | sys-memory-keeper | Memory operations | "save memory", "recall", "memory search" |
 | sys-naggy | TODO management | "todo", "track tasks", "task list" |
+| tracker-checkpoint | Pipeline checkpoint state | "pipeline resume", "checkpoint", "state restore" |
 
 ## Routing Decision (Priority Order)
 
@@ -51,6 +52,7 @@ verify   → mgr-sauron
 spec     → mgr-claude-code-bible
 memory   → sys-memory-keeper
 todo            → sys-naggy
+checkpoint      → tracker-checkpoint
 improve-report  → omcodex:improve-report (skill invocation)
 auto-improve    → omcodex:auto-improve (skill invocation)
 batch           → multiple (parallel)
@@ -106,6 +108,7 @@ When command requires multiple independent operations:
 | mgr-claude-code-bible | sonnet | Spec compliance checks |
 | sys-memory-keeper | sonnet | Memory operations, search |
 | sys-naggy | haiku | Simple TODO tracking |
+| tracker-checkpoint | sonnet | Pipeline state recovery |
 
 ## No Match Fallback
 

package/templates/.github/scripts/verify-fork-list.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+# Verify R006 Context Fork Criteria matches actual SKILL.md frontmatter.
+# Usage: bash .github/scripts/verify-fork-list.sh
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+RULE_FILE="${ROOT}/.codex/rules/MUST-agent-design.md"
+SKILLS_DIR="${ROOT}/.codex/skills"
+
+if [[ ! -f "${RULE_FILE}" ]]; then
+  echo "error: ${RULE_FILE} not found" >&2
+  exit 1
+fi
+
+if [[ ! -d "${SKILLS_DIR}" ]]; then
+  echo "error: ${SKILLS_DIR} not found" >&2
+  exit 1
+fi
+
+DOC_LINE="$(grep -E 'Current: [0-9]+/12 \(' "${RULE_FILE}" | head -1 || true)"
+
+if [[ -z "${DOC_LINE}" ]]; then
+  echo "error: R006 Context Fork Criteria line not found" >&2
+  exit 1
+fi
+
+DOC_COUNT="$(printf '%s\n' "${DOC_LINE}" | sed -E 's#.*Current: ([0-9]+)/12.*#\1#')"
+DOC_LIST="$(printf '%s\n' "${DOC_LINE}" | sed -E 's#.*Current: [0-9]+/12 \(([^)]*)\).*#\1#' | tr ',' '\n' | sed 's/^ *//; s/ *$//' | sort)"
+
+ACTUAL_LIST="$(
+  for skill_file in "${SKILLS_DIR}"/*/SKILL.md; do
+    [[ -f "${skill_file}" ]] || continue
+    if awk '
+      BEGIN { in_frontmatter = 0; found = 0 }
+      NR == 1 && $0 == "---" { in_frontmatter = 1; next }
+      in_frontmatter && $0 == "---" { exit }
+      in_frontmatter && $0 ~ /^context:[[:space:]]*fork[[:space:]]*$/ { found = 1 }
+      END { exit found ? 0 : 1 }
+    ' "${skill_file}"; then
+      skill_name="$(awk '
+        NR == 1 && $0 == "---" { in_frontmatter = 1; next }
+        in_frontmatter && $0 == "---" { exit }
+        in_frontmatter && $0 ~ /^name:[[:space:]]*/ {
+          sub(/^name:[[:space:]]*/, "")
+          gsub(/^"|"$/, "")
+          print
+          exit
+        }
+      ' "${skill_file}")"
+      if [[ -z "${skill_name}" ]]; then
+        echo "error: context: fork skill has no frontmatter name: ${skill_file}" >&2
+        exit 1
+      fi
+      printf '%s\n' "${skill_name}"
+    fi
+  done | sort
+)"
+
+ACTUAL_COUNT="$(printf '%s\n' "${ACTUAL_LIST}" | sed '/^$/d' | wc -l | tr -d ' ')"
+DOC_LIST_COUNT="$(printf '%s\n' "${DOC_LIST}" | sed '/^$/d' | wc -l | tr -d ' ')"
+
+DOC_TMP="$(mktemp)"
+ACTUAL_TMP="$(mktemp)"
+trap 'rm -f "${DOC_TMP}" "${ACTUAL_TMP}"' EXIT
+
+printf '%s\n' "${DOC_LIST}" | sed '/^$/d' > "${DOC_TMP}"
+printf '%s\n' "${ACTUAL_LIST}" | sed '/^$/d' > "${ACTUAL_TMP}"
+
+MISSING="$(comm -23 "${ACTUAL_TMP}" "${DOC_TMP}" || true)"
+EXTRA="$(comm -13 "${ACTUAL_TMP}" "${DOC_TMP}" || true)"
+
+echo "R006 documented count: ${DOC_COUNT}"
+echo "R006 listed skills: ${DOC_LIST_COUNT}"
+echo "Actual fork skill count: ${ACTUAL_COUNT}"
+echo ""
+echo "Actual fork skills:"
+sed 's/^/  - /' "${ACTUAL_TMP}"
+
+if [[ "${DOC_COUNT}" != "${ACTUAL_COUNT}" || "${DOC_LIST_COUNT}" != "${ACTUAL_COUNT}" || -n "${MISSING}" || -n "${EXTRA}" ]]; then
+  echo ""
+  echo "ERROR: R006 fork list drift detected"
+  [[ "${DOC_COUNT}" != "${ACTUAL_COUNT}" ]] && echo "  - documented count ${DOC_COUNT} != actual count ${ACTUAL_COUNT}"
+  [[ "${DOC_LIST_COUNT}" != "${ACTUAL_COUNT}" ]] && echo "  - listed skill count ${DOC_LIST_COUNT} != actual count ${ACTUAL_COUNT}"
+  if [[ -n "${MISSING}" ]]; then
+    echo "  - missing from R006:"
+    printf '%s\n' "${MISSING}" | sed 's/^/    - /'
+  fi
+  if [[ -n "${EXTRA}" ]]; then
+    echo "  - extra in R006:"
+    printf '%s\n' "${EXTRA}" | sed 's/^/    - /'
+  fi
+  echo "  Fix: update Context Fork Criteria in ${RULE_FILE}"
+  exit 1
+fi
+
+echo ""
+echo "OK: R006 fork list matches actual SKILL.md frontmatter (${ACTUAL_COUNT}/12)"

package/templates/AGENTS.md.en

@@ -128,7 +128,7 @@ NO EXCEPTIONS. NO EXCUSES.
 project/
 +-- AGENTS.md                    # Entry point
 +-- .codex/
-|   +-- agents/                  # Subagent definitions (44 files)
+|   +-- agents/                  # Subagent definitions (49 files)
 |   +-- rules/                   # Global rules (R000-R020)
 |   +-- hooks/                   # Hook scripts (security, validation, HUD)
 |   +-- contexts/                # Context files (ecomode)
@@ -164,17 +164,18 @@ This is the core oh-my-customcodex philosophy: **"No expert? CREATE one, connect
 |------|-------|--------|
 | SW Engineer/Language | 6 | lang-golang-expert, lang-python-expert, lang-rust-expert, lang-kotlin-expert, lang-typescript-expert, lang-java21-expert |
 | SW Engineer/Backend | 6 | be-fastapi-expert, be-springboot-expert, be-go-backend-expert, be-express-expert, be-nestjs-expert, be-django-expert |
-| SW Engineer/Frontend | 4 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent |
+| SW Engineer/Frontend | 5 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent, fe-design-expert |
 | SW Engineer/Tooling | 3 | tool-npm-expert, tool-optimizer, tool-bun-expert |
 | DE Engineer | 6 | de-airflow-expert, de-dbt-expert, de-spark-expert, de-kafka-expert, de-snowflake-expert, de-pipeline-expert |
-| SW Engineer/Database | 3 | db-supabase-expert, db-postgres-expert, db-redis-expert |
+| SW Engineer/Database | 4 | db-supabase-expert, db-postgres-expert, db-redis-expert, db-alembic-expert |
 | Security | 1 | sec-codeql-expert |
 | SW Architect | 2 | arch-documenter, arch-speckit-agent |
 | Infra Engineer | 2 | infra-docker-expert, infra-aws-expert |
 | QA Team | 3 | qa-planner, qa-writer, qa-engineer |
 | Manager | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 2 | sys-memory-keeper, sys-naggy |
-| **Total** | **44** | |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli-expert, wiki-curator |
+| **Total** | **49** | |
 
 ## Agent Teams (MUST when enabled)
 

package/templates/AGENTS.md.ko

@@ -128,7 +128,7 @@ oh-my-customcodex로 구동됩니다.
 project/
 +-- AGENTS.md                    # 진입점
 +-- .codex/
-|   +-- agents/                  # 서브에이전트 정의 (44 파일)
+|   +-- agents/                  # 서브에이전트 정의 (49 파일)
 |   +-- rules/                   # 전역 규칙 (R000-R020)
 |   +-- hooks/                   # 훅 스크립트 (보안, 검증, HUD)
 |   +-- contexts/                # 컨텍스트 파일 (ecomode)
@@ -164,17 +164,18 @@ project/
 |------|------|----------|
 | SW Engineer/Language | 6 | lang-golang-expert, lang-python-expert, lang-rust-expert, lang-kotlin-expert, lang-typescript-expert, lang-java21-expert |
 | SW Engineer/Backend | 6 | be-fastapi-expert, be-springboot-expert, be-go-backend-expert, be-express-expert, be-nestjs-expert, be-django-expert |
-| SW Engineer/Frontend | 4 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent |
+| SW Engineer/Frontend | 5 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent, fe-design-expert |
 | SW Engineer/Tooling | 3 | tool-npm-expert, tool-optimizer, tool-bun-expert |
 | DE Engineer | 6 | de-airflow-expert, de-dbt-expert, de-spark-expert, de-kafka-expert, de-snowflake-expert, de-pipeline-expert |
-| SW Engineer/Database | 3 | db-supabase-expert, db-postgres-expert, db-redis-expert |
+| SW Engineer/Database | 4 | db-supabase-expert, db-postgres-expert, db-redis-expert, db-alembic-expert |
 | Security | 1 | sec-codeql-expert |
 | SW Architect | 2 | arch-documenter, arch-speckit-agent |
 | Infra Engineer | 2 | infra-docker-expert, infra-aws-expert |
 | QA Team | 3 | qa-planner, qa-writer, qa-engineer |
 | Manager | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 2 | sys-memory-keeper, sys-naggy |
-| **총계** | **44** | |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli-expert, wiki-curator |
+| **총계** | **49** | |
 
 ## Agent Teams (MUST when enabled)
 

package/templates/CLAUDE.md

@@ -114,7 +114,7 @@ oh-my-customcodex로 구동됩니다.
 project/
 +-- AGENTS.md                    # 진입점
 +-- .codex/
-|   +-- agents/                  # 서브에이전트 정의 (48 파일)
+|   +-- agents/                  # 서브에이전트 정의 (49 파일)
 |   +-- rules/                   # 전역 규칙 (R000-R022)
 |   +-- hooks/                   # 훅 스크립트 (보안, 검증, HUD)
 |   +-- contexts/                # 컨텍스트 파일 (ecomode)
@@ -166,7 +166,7 @@ oh-my-customcodex는 소프트웨어 컴파일과 동일한 구조를 따릅니
 | SW Engineer/Language | 6 | lang-golang-expert, lang-python-expert, lang-rust-expert, lang-kotlin-expert, lang-typescript-expert, lang-java21-expert |
 | SW Engineer/Backend | 6 | be-fastapi-expert, be-springboot-expert, be-go-backend-expert, be-express-expert, be-nestjs-expert, be-django-expert |
 | SW Engineer/Frontend | 5 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent, fe-design-expert |
-| SW Engineer/Tooling | 4 | tool-npm-expert, tool-optimizer, tool-bun-expert, slack-cli-expert |
+| SW Engineer/Tooling | 3 | tool-npm-expert, tool-optimizer, tool-bun-expert |
 | DE Engineer | 6 | de-airflow-expert, de-dbt-expert, de-spark-expert, de-kafka-expert, de-snowflake-expert, de-pipeline-expert |
 | SW Engineer/Database | 4 | db-supabase-expert, db-postgres-expert, db-redis-expert, db-alembic-expert |
 | Security | 1 | sec-codeql-expert |
@@ -174,8 +174,9 @@ oh-my-customcodex는 소프트웨어 컴파일과 동일한 구조를 따릅니
 | Infra Engineer | 2 | infra-docker-expert, infra-aws-expert |
 | QA Team | 3 | qa-planner, qa-writer, qa-engineer |
 | Manager | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 3 | sys-memory-keeper, sys-naggy, wiki-curator |
-| **총계** | **48** | |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli-expert, wiki-curator |
+| **총계** | **49** | |
 
 ## Agent Teams (MUST when enabled)
 

package/templates/CLAUDE.md.en

@@ -131,7 +131,7 @@ NO EXCEPTIONS. NO EXCUSES.
 project/
 +-- AGENTS.md                    # Entry point
 +-- .codex/
-|   +-- agents/                  # Subagent definitions (48 files)
+|   +-- agents/                  # Subagent definitions (49 files)
 |   +-- skills/                  # Skills (109 directories)
 |   +-- rules/                   # Global rules (22 files)
 |   +-- hooks/                   # Hook scripts (security, validation, HUD)
@@ -167,7 +167,7 @@ This is the core oh-my-customcodex philosophy: **"No expert? CREATE one, connect
 | SW Engineer/Language | 6 | lang-golang-expert, lang-python-expert, lang-rust-expert, lang-kotlin-expert, lang-typescript-expert, lang-java21-expert |
 | SW Engineer/Backend | 6 | be-fastapi-expert, be-springboot-expert, be-go-backend-expert, be-express-expert, be-nestjs-expert, be-django-expert |
 | SW Engineer/Frontend | 5 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent, fe-design-expert |
-| SW Engineer/Tooling | 4 | tool-npm-expert, tool-optimizer, tool-bun-expert, slack-cli-expert |
+| SW Engineer/Tooling | 3 | tool-npm-expert, tool-optimizer, tool-bun-expert |
 | DE Engineer | 6 | de-airflow-expert, de-dbt-expert, de-spark-expert, de-kafka-expert, de-snowflake-expert, de-pipeline-expert |
 | SW Engineer/Database | 4 | db-supabase-expert, db-postgres-expert, db-redis-expert, db-alembic-expert |
 | Security | 1 | sec-codeql-expert |
@@ -175,8 +175,9 @@ This is the core oh-my-customcodex philosophy: **"No expert? CREATE one, connect
 | Infra Engineer | 2 | infra-docker-expert, infra-aws-expert |
 | QA Team | 3 | qa-planner, qa-writer, qa-engineer |
 | Manager | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 3 | sys-memory-keeper, sys-naggy, wiki-curator |
-| **Total** | **48** | |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli-expert, wiki-curator |
+| **Total** | **49** | |
 
 ## Agent Teams (MUST when enabled)
 

package/templates/CLAUDE.md.ko

@@ -131,7 +131,7 @@ oh-my-customcodex로 구동됩니다.
 project/
 +-- AGENTS.md                    # 진입점
 +-- .codex/
-|   +-- agents/                  # 서브에이전트 정의 (48 파일)
+|   +-- agents/                  # 서브에이전트 정의 (49 파일)
 |   +-- skills/                  # 스킬 (109 디렉토리)
 |   +-- rules/                   # 전역 규칙 (22 파일)
 |   +-- hooks/                   # 훅 스크립트 (보안, 검증, HUD)
@@ -167,7 +167,7 @@ project/
 | SW Engineer/Language | 6 | lang-golang-expert, lang-python-expert, lang-rust-expert, lang-kotlin-expert, lang-typescript-expert, lang-java21-expert |
 | SW Engineer/Backend | 6 | be-fastapi-expert, be-springboot-expert, be-go-backend-expert, be-express-expert, be-nestjs-expert, be-django-expert |
 | SW Engineer/Frontend | 5 | fe-vercel-agent, fe-vuejs-agent, fe-svelte-agent, fe-flutter-agent, fe-design-expert |
-| SW Engineer/Tooling | 4 | tool-npm-expert, tool-optimizer, tool-bun-expert, slack-cli-expert |
+| SW Engineer/Tooling | 3 | tool-npm-expert, tool-optimizer, tool-bun-expert |
 | DE Engineer | 6 | de-airflow-expert, de-dbt-expert, de-spark-expert, de-kafka-expert, de-snowflake-expert, de-pipeline-expert |
 | SW Engineer/Database | 4 | db-supabase-expert, db-postgres-expert, db-redis-expert, db-alembic-expert |
 | Security | 1 | sec-codeql-expert |
@@ -175,8 +175,9 @@ project/
 | Infra Engineer | 2 | infra-docker-expert, infra-aws-expert |
 | QA Team | 3 | qa-planner, qa-writer, qa-engineer |
 | Manager | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
-| System | 3 | sys-memory-keeper, sys-naggy, wiki-curator |
-| **총계** | **48** | |
+| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
+| Auxiliary | 2 | slack-cli-expert, wiki-curator |
+| **총계** | **49** | |
 
 ## Agent Teams (MUST when enabled)
 

package/templates/manifest.json

@@ -1,6 +1,6 @@
 {
-  "version": "0.3.9",
-  "lastUpdated": "2026-04-24T08:45:48.000Z",
+  "version": "0.4.0",
+  "lastUpdated": "2026-04-24T14:35:00.000Z",
   "components": [
     {
       "name": "rules",
@@ -12,7 +12,7 @@
       "name": "agents",
       "path": ".codex/agents",
       "description": "AI agent definitions (flat .md files with prefixes)",
-      "files": 48
+      "files": 49
     },
     {
       "name": "skills",

package/templates/workflows/auto-dev.yaml

@@ -29,7 +29,13 @@ steps:
     foreach: release-group
 
   - name: implement
-    prompt: "Execute implementation plan with appropriate agents"
+    prompt: |
+      Execute implementation plan with appropriate agents.
+
+      Codex-native sensitive-path policy:
+      - Codex-managed `.codex/` edits use the normal edit/patch flow.
+      - Do not adopt upstream Claude-only `/tmp` bypass guidance as the default path.
+      - If a port requires `.claude` template parity changes, make the change explicit and verify sensitive-path guard tests.
     description: Execute implementation plan with appropriate agents
     foreach: planned-issue