repo-harness 0.2.2 → 0.2.4

package/README.es.md

@@ -187,13 +187,11 @@ npx -y repo-harness init
 ```
 
 La npm package release line es ahora `0.2.x`; el workflow compatibility model line
-generado se rastrea por separado como `5.x`. `repo-harness@0.2.1` separa el
-bootstrap global inicial (`repo-harness init`) del refresco repo-local
-(`repo-harness update`), conserva el instalador global de plugin/hook
-(`scripts/setup-plugins.sh`), el centinela de seguridad de configuración de solo
-lectura (`repo-harness security scan`), el ciclo de vida draft-plan explícito de
-Claude/Codex y añade inicialización no bloqueante del índice CodeGraph para el
-routing estructural de prompts.
+generado se rastrea por separado como `5.x`. `repo-harness init` es el bootstrap
+global y `repo-harness update` es el refresco repo-local. `repo-harness init`
+configura el CLI, los hook adapters de nivel usuario, Waza, Mermaid, el brain
+root y CodeGraph MCP; el viejo camino Claude plugin `scripts/setup-plugins.sh`
+queda retirado.
 
 Si trabajas desde un checkout del código fuente:
 
@@ -237,9 +235,9 @@ Aplica solo después de que el reporte del dry-run sea correcto:
 npx -y repo-harness update
 ```
 
-Para un proyecto o módulo nuevo, usa el command skill `repo-harness-scaffold`. Para
-un repositorio existente, usa `repo-harness-init`; este instala o refresca el
-harness y no crea el stack tecnológico de la aplicación.
+Para un proyecto o módulo nuevo, usa la branch command `repo-harness-scaffold`.
+Para un repositorio existente, usa `repo-harness update`; este instala o refresca
+el harness y no crea el stack tecnológico de la aplicación.
 
 ### Cómo se ve el éxito
 
@@ -328,7 +326,7 @@ Guards habituales:
 
 ## Release actual
 
-- npm package: `repo-harness@0.2.1`
+- npm package: `repo-harness@0.2.4`
 - Generated workflow compatibility: `5.2.3`
 - GitHub repository: `Ancienttwo/repo-harness`
 - Release history: [`docs/CHANGELOG.md`](docs/CHANGELOG.md)
@@ -346,22 +344,23 @@ Guards habituales:
 - `repo-harness update` refresca las runtime pieces:
   - los `repo-harness` skill aliases
   - los global Codex/Claude hook adapters
-  - las Waza skills: `check`, `design`, `health`, `hunt`, `learn`, `read`, `think`, `write`
-  - sincroniza `diagram-design` si existe la source copy
+  - las Waza skills: `think`, `hunt`, `check`, `health`
+  - Mermaid
 - El resto del external tooling se mantiene advisory-only:
   - `bash scripts/check-agent-tooling.sh --host both --check-updates`
   - no configura automáticamente gstack, gbrain, CodeGraph MCP, daemon ni provider
 
 ## Action Command Skills
 
-Los command skill facades públicos están en `assets/skill-commands/`:
+Los command facades públicos están en `assets/skill-commands/`; preservan la
+compatibilidad de discovery por skills, mientras el CLI y los hooks ejecutan:
 
 - Planning / review: `repo-harness-plan`, `repo-harness-review`, `repo-harness-autoplan`
 - Repo workflow actions: `repo-harness-ship`, `repo-harness-init`, `repo-harness-migrate`, `repo-harness-upgrade`, `repo-harness-capability`, `repo-harness-architecture`, `repo-harness-handoff`, `repo-harness-deploy`, `repo-harness-repair`, `repo-harness-check`
-- Project creation: `repo-harness-scaffold`
+- Branch project creation: `repo-harness-scaffold`
 
-`repo-harness-init` se usa para repositorios existentes; `repo-harness-scaffold` se
-usa para crear proyectos o módulos nuevos. `hooks-init`, `docs-init` y
+`repo-harness update` se usa para repositorios existentes; `repo-harness-scaffold`
+queda como branch command para crear proyectos o módulos nuevos. `hooks-init`, `docs-init` y
 `create-project-dirs` son pasos internos, no commands públicos.
 
 ## Maintainer Reference

package/README.fr.md

@@ -191,18 +191,11 @@ npx -y repo-harness init
 ```
 
 La release line du package npm est désormais `0.2.x` ; la generated workflow
-compatibility model line est suivie séparément en `5.x`. `repo-harness@0.2.1`
-sépare le bootstrap global initial (`repo-harness init`) du rafraîchissement
-repo-local (`repo-harness update`), conserve l'installateur global de plugin/hook
-(`scripts/setup-plugins.sh`), la sentinelle de sécurité en lecture seule
-(`repo-harness security scan`), le cycle de vie draft-plan explicite de
-Claude/Codex, et ajoute l'initialisation non bloquante de l'index CodeGraph pour
-le routing structurel des prompts. Ces capacités reposent sur le CLI renommé, le
-bootstrap de l'adapter de hook de niveau utilisateur, les AI-native scaffold
-overlays, le typed prompt-guard decision engine, le nommage des task artifacts par
-plan-stem, les runtime aliases
-`REPO_HARNESS_*`, la Waza runtime skill sync, et le release gate que le maintainer
-utilise avant de publier sur npm.
+compatibility model line est suivie séparément en `5.x`. `repo-harness init`
+sert au bootstrap global et `repo-harness update` sert au rafraîchissement
+repo-local. `repo-harness init` configure le CLI, les hook adapters de niveau
+utilisateur, Waza, Mermaid, le brain root et CodeGraph MCP ; l'ancien chemin
+Claude plugin `scripts/setup-plugins.sh` est retiré.
 
 Si vous travaillez depuis un checkout source :
 
@@ -246,9 +239,9 @@ Appliquez seulement une fois que le rapport du dry-run est correct :
 npx -y repo-harness update
 ```
 
-Pour un nouveau projet ou un nouveau module, utilisez la command skill
-`repo-harness-scaffold`. Pour un dépôt existant, utilisez `repo-harness-init` ; il
-installe ou rafraîchit le harness sans créer de stack applicatif.
+Pour un nouveau projet ou un nouveau module, utilisez la branch command
+`repo-harness-scaffold`. Pour un dépôt existant, utilisez `repo-harness update` ;
+il installe ou rafraîchit le harness sans créer de stack applicatif.
 
 ### À quoi ressemble le succès
 
@@ -337,7 +330,7 @@ Guards courants :
 
 ## Release actuelle
 
-- npm package : `repo-harness@0.2.1`
+- npm package : `repo-harness@0.2.4`
 - Generated workflow compatibility : `5.2.3`
 - GitHub repository : `Ancienttwo/repo-harness`
 - Release history : [`docs/CHANGELOG.md`](docs/CHANGELOG.md)
@@ -355,22 +348,24 @@ Guards courants :
 - `repo-harness update` rafraîchit les runtime pieces :
   - les `repo-harness` skill aliases
   - les global Codex/Claude hook adapters
-  - les Waza skills : `check`, `design`, `health`, `hunt`, `learn`, `read`, `think`, `write`
-  - synchronise `diagram-design` si la source copy existe
+  - les Waza skills : `think`, `hunt`, `check`, `health`
+  - Mermaid
 - Les autres outils externes restent advisory-only :
   - `bash scripts/check-agent-tooling.sh --host both --check-updates`
   - pas de configuration automatique de gstack, gbrain, CodeGraph MCP, daemon ou provider
 
 ## Action Command Skills
 
-Les command skill facades publics se trouvent dans `assets/skill-commands/` :
+Les command facades publics se trouvent dans `assets/skill-commands/` ; ils
+préservent la découverte par skills, tandis que l'exécution appartient au CLI et
+aux hooks :
 
 - Planning / review : `repo-harness-plan`, `repo-harness-review`, `repo-harness-autoplan`
 - Repo workflow actions : `repo-harness-ship`, `repo-harness-init`, `repo-harness-migrate`, `repo-harness-upgrade`, `repo-harness-capability`, `repo-harness-architecture`, `repo-harness-handoff`, `repo-harness-deploy`, `repo-harness-repair`, `repo-harness-check`
-- Project creation : `repo-harness-scaffold`
+- Branch project creation : `repo-harness-scaffold`
 
-`repo-harness-init` sert aux dépôts existants ; `repo-harness-scaffold` sert à
-créer un nouveau projet ou module. `hooks-init`, `docs-init` et
+`repo-harness update` sert aux dépôts existants ; `repo-harness-scaffold` sert de
+branch command pour créer un nouveau projet ou module. `hooks-init`, `docs-init` et
 `create-project-dirs` sont des étapes internes, pas des commands publiques.
 
 ## Maintainer Reference

package/README.ja.md

@@ -77,7 +77,7 @@ product boundary は意図的に地味です。対象リポジトリを検査し
 
 設計は 3 層に分かれます。
 
-1. **ソースパッケージ層**：本リポジトリが CLI、command skill facades、templates、hook assets、
+1. **ソースパッケージ層**：本リポジトリが CLI、CLI-backed command facades、templates、hook assets、
    workflow contract、tests、release gate を所有します。
 2. **対象リポジトリ contract 層**：`repo-harness update` または migration が、`docs/spec.md`、
    `plans/`、`tasks/`、`.ai/context/`、`.ai/harness/`、helper scripts、`.ai/hooks/` といった
@@ -160,11 +160,9 @@ npx -y repo-harness init
 ```
 
 npm package の release line は現在 `0.2.x` です。生成される workflow compatibility model line は
-別途 `5.x` として追跡されます。`repo-harness@0.2.1` は、初回 global bootstrap
-（`repo-harness init`）と repo-local refresh（`repo-harness update`）を分離し、グローバルな
-plugin/hook インストールスクリプト（`scripts/setup-plugins.sh`）、読み取り専用の設定セキュリティ哨兵
-（`repo-harness security scan`）、明示的な Claude/Codex draft-plan ライフサイクルを保ち、
-構造的 prompt routing 用の非ブロッキング CodeGraph index 初期化を追加します。
+別途 `5.x` として追跡されます。`repo-harness init` は global bootstrap、`repo-harness update` は
+repo-local refresh です。`repo-harness init` は CLI、user-level hook adapters、Waza、Mermaid、
+brain root、CodeGraph MCP を設定し、退役した `scripts/setup-plugins.sh` の Claude plugin path は使いません。
 
 ソースの checkout から作業する場合：
 
@@ -206,8 +204,8 @@ dry-run のレポートが正しいことを確認してから適用します。
 npx -y repo-harness update
 ```
 
-新しいプロジェクトやモジュールには `repo-harness-scaffold` command skill を使います。既存リポジトリには
-`repo-harness-init` を使います。これは harness をインストールまたはリフレッシュするもので、アプリケーション
+新しいプロジェクトやモジュールには支線 command `repo-harness-scaffold` を使います。既存リポジトリには
+`repo-harness update` を使います。これは harness をインストールまたはリフレッシュするもので、アプリケーション
 スタックは作成しません。
 
 ### 成功した状態
@@ -295,7 +293,7 @@ hook がブロックしたときは、まず terminal の構造化された出
 
 ## 現在の Release
 
-- npm package：`repo-harness@0.2.1`
+- npm package：`repo-harness@0.2.4`
 - Generated workflow compatibility：`5.2.3`
 - GitHub repository：`Ancienttwo/repo-harness`
 - Release history：[`docs/CHANGELOG.md`](docs/CHANGELOG.md)
@@ -313,21 +311,21 @@ hook がブロックしたときは、まず terminal の構造化された出
 - `repo-harness update` は runtime pieces をリフレッシュします：
   - `repo-harness` skill aliases
   - global Codex/Claude hook adapters
-  - Waza skills：`check`、`design`、`health`、`hunt`、`learn`、`read`、`think`、`write`
-  - source copy が存在すれば `diagram-design` を同期
+  - Waza skills：`think`、`hunt`、`check`、`health`
+  - Mermaid
 - その他の外部ツールは advisory-only のままです：
   - `bash scripts/check-agent-tooling.sh --host both --check-updates`
   - gstack、gbrain、CodeGraph MCP、daemon、provider を自動設定しない
 
 ## Action Command Skills
 
-公開 command skill facades は `assets/skill-commands/` にあります。
+公開 command facades は `assets/skill-commands/` にあります。host skill discovery との互換性を残しつつ、実行は CLI と hooks が担います。
 
 - Planning / review：`repo-harness-plan`、`repo-harness-review`、`repo-harness-autoplan`
 - Repo workflow actions：`repo-harness-ship`、`repo-harness-init`、`repo-harness-migrate`、`repo-harness-upgrade`、`repo-harness-capability`、`repo-harness-architecture`、`repo-harness-handoff`、`repo-harness-deploy`、`repo-harness-repair`、`repo-harness-check`
-- Project creation：`repo-harness-scaffold`
+- Branch project creation：`repo-harness-scaffold`
 
-`repo-harness-init` は既存リポジトリ向け、`repo-harness-scaffold` は新しいプロジェクトやモジュールの作成向けです。
+`repo-harness update` は既存リポジトリ向け、`repo-harness-scaffold` は支線 command として新しいプロジェクトやモジュールを作成します。
 `hooks-init`、`docs-init`、`create-project-dirs` は内部ステップであり、公開 commands ではありません。
 
 ## Maintainer Reference

package/README.md

@@ -34,41 +34,30 @@ This repository now dogfoods its own tasks-first contract. It is both:
   read a 1KB capability contract or query the index instead of spending thousands of
   tokens rediscovering structure.
 
-## What's New in 0.2.2
-
-- **Safer global init defaults.** `repo-harness init` now streams setup progress
-  directly to the terminal and no longer installs the Superpowers Claude
-  marketplace plugin by default. Use `repo-harness init --with-superpowers` only
-  when you explicitly want that marketplace plugin.
-- **Global init command (`repo-harness init`).** One command bootstraps the global
-  Claude environment: essential plugins, configurable policy hooks (worktree guard,
-  atomic commit/pending), optional LSP plugins by project type, and four hook profiles
-  (`standard`, `minimal`, `biome`, `biome-strict`).
-  Run `npx -y repo-harness init`; no source checkout is required.
-- **Repo refresh command (`repo-harness update`).** Existing-repo install and
-  refresh now has its own command surface, preserving the previous repo-local
-  harness migration path while keeping `init` focused on global runtime setup.
-- **CodeGraph index self-heal.** When the prompt hook detects structural
-  code-navigation intent and the repo has no `.codegraph` index, it initializes
-  the index with the local or PATH-visible CodeGraph binary before emitting the
-  route hint. This remains advisory: no dependency install, no heavy readiness
-  probe, and no prompt block if CodeGraph is unavailable.
-- **Security sentinel (`repo-harness security scan` + `security-sentinel.sh`).** A
-  read-only check over high-value config injection surfaces (`~/.claude/settings.json`,
-  `~/.codex/hooks.json`, repo-local `.vscode/tasks.json`, and legacy project-level
-  `.claude`/`.codex` adapters). It flags suspicious command patterns — remote-shell
-  pipes, base64-decode-to-exec, `osascript`, `launchctl`/`crontab` persistence, netcat,
-  inline interpreter exec — plus unmanaged hooks and auto-run `folderOpen` tasks, and it
-  never mutates config. The `SessionStart` sentinel fingerprints the set and re-scans
-  only when a fingerprint changes, so there is no session-start noise. Audit on demand:
-  `repo-harness security scan --json`.
-- **Claude/Codex draft-plan lifecycle.** Plan mode is explicitly two-stage: Draft vs
-  Approved. Hooks detect plan-creation intent and track pending orchestration; a stop gate
-  (`stop-orchestrator.sh`) requires one self-review pass before a session ends mid-plan.
-  Capture a draft with `scripts/capture-plan.sh --slug <slug> --title <title> --status
-  Draft`, then promote to Approved and project into execution with `--execute` or
-  `scripts/plan-to-todo.sh --plan <plan>`. Plans become the file-backed source of truth in
-  `plans/`.
+## What's New in 0.2.4
+
+- **Plan consultation stays advisory.** Questions and status reports that mention
+  plans, workflows, hooks, `new plan`, or `方案` no longer fall into
+  `PlanStatusGuard` or create plan files unless they explicitly start execution.
+- **Autoresearch is no longer a background hook.** The self-host-only
+  `autoresearch-advisory.sh` route is retired from `.ai/hooks`, generated hook
+  installers, and user-level adapters. Autoresearch evidence is now gathered by
+  an explicit agent-run workflow, not by an always-on hook.
+- **Hook parity is stricter.** Self-host `.ai/hooks/` and installable
+  `assets/hooks/` now match without maintainer-only hook exceptions.
+- **Copied hook fallback.** Installed prompt hooks now keep PlanCaptureGate
+  guidance working even when the copied runtime cannot reach the TypeScript
+  decision engine.
+- **Darwin readiness gates.** Workflow checks now catch stale handoff/resume
+  plan references, and public action-command skills have static quality gates
+  for failure modes, boundaries, and high-risk checkpoints.
+- **Authoritative eval evidence.** Benchmark reports now include
+  `full_test_count`, `dry_run_ratio`, `grader_pass_rate`, and
+  `effectiveness_authority`, so dry-run smoke output cannot be mistaken for
+  release-grade skill effectiveness proof.
+- **Tooling freshness.** The self-host CodeGraph dev dependency is refreshed to
+  `0.9.9`, and gbrain readiness probes try `doctor --json --fast` before the
+  full doctor path.
 
 ## What repo-harness Does
 
@@ -91,7 +80,7 @@ workflow surfaces stay consistent.
 
 The design has three layers:
 
-1. **Source package**: this repository owns the CLI, command skill facades,
+1. **Source package**: this repository owns the CLI, CLI-backed command facades,
    templates, hook assets, workflow contract, tests, and release gate.
 2. **Target repo contract**: `repo-harness update` or migration writes repo-local
    files such as `docs/spec.md`, `plans/`, `tasks/`, `.ai/context/`,
@@ -177,10 +166,11 @@ safe to adopt in a real repo.
 npx -y repo-harness init
 ```
 
-`init` is the first-run global bootstrap path. It runs the packaged
-`scripts/setup-plugins.sh`, installs global Claude plugins and hook profiles, and
-defaults to `--hooks standard`. Use `--hooks <profile>` or `--no-hooks` when you
-need a different hook profile.
+`init` is the first-run global bootstrap path. It installs the current npm
+package as the global CLI, refreshes repo-harness skill aliases, installs
+user-level hook adapters, configures Waza runtime skills, persists a brain root
+under `~/.repo-harness/config.json`, and configures CodeGraph MCP. It does not
+apply repo-local workflow files to the current directory.
 
 ### Install or refresh a repo-local harness
 
@@ -194,13 +184,13 @@ repository to install or refresh workflow files, hook assets, host adapters,
 skill aliases, and repo-local verification surfaces from the current npm package.
 
 The npm package release line is now `0.2.x`; generated workflow compatibility is
-tracked separately as the `5.x` model line. The `0.2.2` package splits first-run
-global bootstrap (`repo-harness init`) from repo-local refresh
-(`repo-harness update`), keeps the global plugin/hook installer
-(`scripts/setup-plugins.sh`), the read-only config security sentinel
-(`repo-harness security scan`), the explicit Claude/Codex draft-plan lifecycle,
-adds non-blocking CodeGraph index initialization for structural prompt routing,
-and keeps Superpowers behind the explicit `--with-superpowers` opt-in flag.
+tracked separately as the `5.x` model line. The `0.2.4` package keeps first-run
+global bootstrap (`repo-harness init`) separate from repo-local refresh
+(`repo-harness update`), preserves the typed global bootstrap and read-only
+config security sentinel, tightens hook parity, retires the self-host
+autoresearch advisory hook, prevents consultative plan/workflow prompts from
+being mistaken for execution, and adds copied-hook fallback, readiness checks,
+and skill-eval authority reporting.
 These sit on top of the renamed `repo-harness` CLI, user-level hook
 adapter bootstrap, AI-native scaffold overlays, the typed prompt-guard decision
 engine, plan-stem task artifact naming, `REPO_HARNESS_*` runtime aliases, Waza
@@ -250,8 +240,8 @@ Apply only after the dry-run report looks correct:
 npx -y repo-harness update
 ```
 
-For a new project or module, use the `repo-harness-scaffold` command skill. For
-an existing repo, use `repo-harness-init`; it installs or refreshes the harness
+For a new project or module, use the branch command `repo-harness-scaffold`. For
+an existing repo, use `repo-harness update`; it installs or refreshes the harness
 without creating an application stack.
 
 ### Success looks like this
@@ -340,7 +330,7 @@ Most common guards:
 
 ## Current Release
 
-- npm package: `repo-harness@0.2.2`
+- npm package: `repo-harness@0.2.4`
 - Generated workflow compatibility: `5.2.3`
 - GitHub repository: `Ancienttwo/repo-harness`
 - Release history: [`docs/CHANGELOG.md`](docs/CHANGELOG.md)
@@ -371,16 +361,17 @@ Most common guards:
   - `complex -> gstack`
   - `simple -> Waza` with Codex-first runtime copies in `~/.codex/skills`
   - `knowledge -> gbrain`
-- `repo-harness update` bootstraps the Codex/Claude runtime pieces needed for the
+- `repo-harness init` bootstraps the Codex/Claude runtime pieces needed for the
   default workflow:
   - refreshes `repo-harness` skill aliases
   - installs global Codex/Claude hook adapters
-  - installs Waza skills (`think`, `hunt`, `check`, `health`) through the skills CLI
-  - installs `mermaid` into Codex/Claude skill roots through the skills CLI
+  - installs Waza skills (`think`, `hunt`, `check`, `health`) and Mermaid through the skills CLI
+  - persists the brain root in `~/.repo-harness/config.json`
+  - configures CodeGraph MCP for selected host agents
 - Other external tooling stays advisory-only:
   - `bash scripts/check-agent-tooling.sh --host both --check-updates`
   - Waza update checks compare upstream `tw93/Waza` `SKILL.md` hashes without running `npx skills check`
-  - no automatic gstack, gbrain, CodeGraph MCP, daemon, or provider setup
+  - no automatic gstack, gbrain MCP, CodeGraph daemon, or provider setup
 - Manual distillation stays repo-local:
   - repeated corrections -> `tasks/lessons.md`
   - deep findings and hidden contracts -> `tasks/research.md`
@@ -407,17 +398,16 @@ are not all bundled product dependencies.
 
 ## Action Command Skills
 
-Source-owned command skill facades live in `assets/skill-commands/`. They keep
-the public surface action-style while sharing the same router, contract, scripts,
-and tests:
+Source-owned command facades live in `assets/skill-commands/`. They keep host
+skill discovery compatible while the CLI and hooks own execution:
 
 - Planning and review: `repo-harness-plan`, `repo-harness-review`, `repo-harness-autoplan`
 - Repo workflow actions: `repo-harness-ship`, `repo-harness-init`, `repo-harness-migrate`, `repo-harness-upgrade`, `repo-harness-capability`, `repo-harness-architecture`, `repo-harness-handoff`, `repo-harness-deploy`, `repo-harness-repair`, `repo-harness-check`
-- Project creation: `repo-harness-scaffold`
+- Branch project creation command: `repo-harness-scaffold`
 
-`repo-harness-init` is for an existing repo; `repo-harness-scaffold` creates a new
-project or module scaffold. `hooks-init`, `docs-init`, and `create-project-dirs`
-are internal steps, not public commands.
+`repo-harness update` is for an existing repo; `repo-harness-scaffold` creates a
+new project or module scaffold as a side command. `hooks-init`, `docs-init`, and
+`create-project-dirs` are internal steps, not public commands.
 
 `repo-harness-scaffold` keeps the A-K plan catalog as the project-type authority
 and adds AI-native app structure through an optional `ai_native_profile` overlay.
@@ -428,6 +418,12 @@ UI runtime, Bun/Hono gateway, shared contracts, observability, and MCP/HTTP
 sidecar rules without installing model providers or making Python, Go, Rust, or
 A2UI mandatory defaults.
 
+Webapp rendering is a separate overlay. Client-only Vite remains Plan B, while
+React webapps that need public SEO/SSR plus an authenticated workspace should
+use Plan C: one TanStack Start + Vite app deployed as a Cloudflare Worker under
+`apps/web`, with `/` SSR/prerender-capable and `/app` client-only. The scaffold
+does not default to separate `apps/marketing` and `apps/web` frontend deploys.
+
 Use `repo-harness-capability` when the harness already exists and only selected
 capability boundaries should be added. It updates `.ai/context/capabilities.json`,
 syncs the requested local `AGENTS.md` / `CLAUDE.md` contract files, and validates
@@ -480,6 +476,9 @@ bun scripts/assemble-template.ts --target agents --plan C --name "MyProject"
 bun run benchmark:skills --dry-run
 ```
 
+Dry-run benchmark output is a wiring smoke only. Release or readiness evidence
+needs a non-dry-run eval with grader output.
+
 ### Run one eval across both Claude and Codex
 
 ```bash
@@ -534,5 +533,5 @@ bash scripts/check-task-workflow.sh --strict
 bun scripts/inspect-project-state.ts --repo . --format text
 bash scripts/migrate-project-template.sh --repo . --dry-run
 bash scripts/check-agent-tooling.sh --host both --check-updates
-bun run benchmark:skills --dry-run
+bun run benchmark:skills --eval route-workflow-check
 ```

package/README.zh-CN.md

@@ -23,31 +23,25 @@ repo-local workflow 的自托管样例。
   做渐进式上下文加载：一份小而稳定的 root context（约 12KB），加上只在改到对应文件时才加载的
   capability 块。agent 读一份 1KB 的 capability 合约或查索引，而不是花上千 token 重新摸清结构。
 
-## 0.2.2 新特性
-
-- **更安全的全局初始化默认值。** `repo-harness init` 现在会把 setup 进度直接输出到终端，
-  不再默认安装 Superpowers Claude marketplace plugin。只有你明确需要它时，才使用
-  `repo-harness init --with-superpowers`。
-- **全局初始化命令（`repo-harness init`）。** 一条命令引导全局 Claude 环境：essential plugins、
-  可配置 policy hooks（worktree guard、atomic commit/pending）、按项目类型可选的 LSP plugins，以及
-  四档 hook profile（`standard`、`minimal`、`biome`、`biome-strict`）。运行
-  `npx -y repo-harness init`，不需要 clone 源码仓库。
-- **仓库刷新命令（`repo-harness update`）。** 已有仓库的安装/刷新入口独立成命令，继续复用
-  原 repo-local harness migration 路径，同时让 `init` 专注于全局 runtime setup。
-- **CodeGraph index 自愈。** prompt hook 检测到结构化代码导航意图、且仓库还没有 `.codegraph`
-  index 时，会先用 repo-local 或 PATH 上的 CodeGraph binary 初始化 index，再发路由提示。这个动作仍是
-  advisory：不安装依赖、不跑重 readiness probe，CodeGraph 不可用时也不阻塞 prompt。
-- **安全哨兵（`repo-harness security scan` + `security-sentinel.sh`）。** 对高价值配置注入面做只读检查
-  （`~/.claude/settings.json`、`~/.codex/hooks.json`、仓库本地 `.vscode/tasks.json`，以及 legacy 项目级
-  `.claude`/`.codex` adapter）。它标记危险命令模式——远程 shell 管道、base64 解码执行、`osascript`、
-  `launchctl`/`crontab` 持久化、netcat、内联解释器执行——以及未托管 hook 和自动运行的 `folderOpen`
-  任务，且绝不改写任何配置。`SessionStart` 哨兵对这组文件做指纹，只在指纹变化时才重扫，不制造
-  session-start 噪音。按需审计：`repo-harness security scan --json`。
-- **Claude/Codex draft-plan 生命周期。** Plan mode 显式分两段：Draft 与 Approved。hooks 识别建 plan 的
-  意图并追踪 pending orchestration；stop 门（`stop-orchestrator.sh`）要求会话在 plan 未定时结束前先做
-  一次自审。用 `scripts/capture-plan.sh --slug <slug> --title <title> --status Draft` 落草稿，审批后改
-  Approved 并用 `--execute` 或 `scripts/plan-to-todo.sh --plan <plan>` 投射到执行。plans/ 成为文件级
-  事实来源。
+## 0.2.4 新特性
+
+- **计划咨询保持 advisory。** 提到 plans、workflow、hooks、`new plan` 或 `方案` 的问题和状态报告，
+  不再因为包含执行相关词就进入 `PlanStatusGuard` 或创建 plan 文件；只有明确开始执行时才触发执行门。
+- **Autoresearch 不再是后台 hook。** 自托管专用的 `autoresearch-advisory.sh` route 已从
+  `.ai/hooks`、生成的 hook installer 和 user-level adapters 里退休。需要 autoresearch 证据时，
+  由 agent 显式运行实验流程，而不是靠常驻 hook 提示。
+- **Hook parity 更严格。** 自托管 `.ai/hooks/` 和可安装的 `assets/hooks/` 现在必须完全一致，
+  不再保留 maintainer-only hook exception。
+- **复制版 hook fallback。** 已安装的 prompt hook 即使找不到 TypeScript decision
+  engine，也会保留 PlanCaptureGate guidance，而不是直接报 engine unavailable。
+- **Darwin readiness gates。** Workflow checks 现在会抓 stale handoff/resume plan
+  references；公共 action-command skills 也增加 failure modes、boundaries 和高风险
+  checkpoint 的静态质量门。
+- **权威 eval evidence。** Benchmark report 现在输出 `full_test_count`、
+  `dry_run_ratio`、`grader_pass_rate` 和 `effectiveness_authority`，避免把 dry-run
+  smoke 当成 release-grade skill effectiveness 证明。
+- **Tooling freshness。** self-host CodeGraph dev dependency 刷到 `0.9.9`，gbrain
+  readiness 会先尝试 `doctor --json --fast`，再 fallback 到完整 doctor。
 
 ## 产品做什么
 
@@ -68,7 +62,7 @@ repo-local hooks，然后验证这些 workflow surfaces 仍然一致。
 
 整体分三层：
 
-1. **源码包层**：本仓库维护 CLI、command skill facades、templates、hook assets、
+1. **源码包层**：本仓库维护 CLI、CLI-backed command facades、templates、hook assets、
    workflow contract、tests 和 release gate。
 2. **目标仓库合约层**：`repo-harness update` 或 migration 会写入 `docs/spec.md`、
    `plans/`、`tasks/`、`.ai/context/`、`.ai/harness/`、helper scripts 和
@@ -149,9 +143,10 @@ flowchart TD
 npx -y repo-harness init
 ```
 
-`init` 是首次全局引导入口。它运行 npm 包里自带的 `scripts/setup-plugins.sh`，
-安装全局 Claude plugins 和 hook profiles，默认等价于 `--hooks standard`。
-需要不同 hook profile 时再传 `--hooks <profile>` 或 `--no-hooks`。
+`init` 是首次全局引导入口。它把当前 npm 包安装成全局 CLI，刷新 repo-harness
+skill aliases，安装 user-level hook adapters，配置 Waza runtime skills，把 brain
+root 持久化到 `~/.repo-harness/config.json`，并配置 CodeGraph MCP。它不会把当前目录
+默认迁移成 repo-local workflow。
 
 ### 安装或刷新 repo-local harness
 
@@ -165,11 +160,12 @@ npx -y repo-harness update
 repo-local verification surfaces。
 
 npm package release line 现在是 `0.2.x`；生成的 workflow compatibility model line
-单独以 `5.x` 追踪。`repo-harness@0.2.2` 把首次全局引导（`repo-harness init`）
-和 repo-local 刷新（`repo-harness update`）拆开，同时保留全局 plugin/hook 安装脚本
-（`scripts/setup-plugins.sh`）、只读配置安全哨兵（`repo-harness security scan`）、
-显式 Claude/Codex draft-plan 生命周期，新增 prompt hook 的非阻塞 CodeGraph index 初始化，
-并把 Superpowers 放到显式 `--with-superpowers` opt-in 后面。这些能力叠加在改名后的 CLI、user-level hook adapter bootstrap、AI-native scaffold overlays、
+单独以 `5.x` 追踪。`repo-harness@0.2.4` 继续把首次全局引导（`repo-harness init`）
+和 repo-local 刷新（`repo-harness update`）拆开，保留 typed global bootstrap 与只读
+配置安全哨兵，同时收紧 hook parity，退休自托管 autoresearch advisory hook，避免
+计划/工作流咨询 prompt 被误判成执行请求，并增加复制版 hook fallback、readiness checks
+和 skill-eval authority reporting。
+这些能力叠加在改名后的 CLI、user-level hook adapter bootstrap、AI-native scaffold overlays、
 typed prompt-guard decision engine、plan-stem task artifact 命名、`REPO_HARNESS_*`
 runtime aliases、Waza runtime skill sync，以及 maintainer 发布 npm 前使用的 release gate 之上。
 
@@ -213,8 +209,8 @@ dry-run 报告正确后再应用：
 npx -y repo-harness update
 ```
 
-新项目或新模块使用 `repo-harness-scaffold` command skill。已有仓库使用
-`repo-harness-init`；它会安装或刷新 harness，不会创建应用技术栈。
+新项目或新模块使用支线 command `repo-harness-scaffold`。已有仓库使用
+`repo-harness update`；它会安装或刷新 harness，不会创建应用技术栈。
 
 ### 成功长什么样
 
@@ -301,7 +297,7 @@ hook block 工作时，先看 terminal 里的结构化输出。核心字段是
 
 ## 当前 Release
 
-- npm package：`repo-harness@0.2.2`
+- npm package：`repo-harness@0.2.4`
 - Generated workflow compatibility：`5.2.3`
 - GitHub repository：`Ancienttwo/repo-harness`
 - Release history：[`docs/CHANGELOG.md`](docs/CHANGELOG.md)
@@ -316,26 +312,35 @@ hook block 工作时，先看 terminal 里的结构化输出。核心字段是
   - `assets/workflow-contract.v1.json`
 - Generated repos 默认使用 repo-local harness flow：
   - `docs/spec.md -> plans/ -> tasks/contracts/ -> tasks/reviews/ -> .ai/context/context-map.json -> .ai/harness/*`
-- `repo-harness update` 会刷新 runtime pieces：
+- `repo-harness init` 会刷新 runtime pieces：
   - `repo-harness` skill aliases
   - global Codex/Claude hook adapters
-  - Waza skills：`check`、`design`、`health`、`hunt`、`learn`、`read`、`think`、`write`
-  - 如果 source copy 存在，同步 `diagram-design`
+  - Waza skills：`think`、`hunt`、`check`、`health`
+  - 持久化 brain root 到 `~/.repo-harness/config.json`
+  - 配置 CodeGraph MCP
 - 其他外部工具保持 advisory-only：
   - `bash scripts/check-agent-tooling.sh --host both --check-updates`
-  - 不自动设置 gstack、gbrain、CodeGraph MCP、daemon 或 provider
+  - 不自动设置 gstack、gbrain MCP、CodeGraph daemon 或 provider
 
 ## Action Command Skills
 
-公共 command skill facades 在 `assets/skill-commands/`：
+公共 command facades 在 `assets/skill-commands/`；它们保留 host skill discovery
+兼容性，真正执行由 CLI 和 hooks 负责：
 
 - Planning / review：`repo-harness-plan`、`repo-harness-review`、`repo-harness-autoplan`
 - Repo workflow actions：`repo-harness-ship`、`repo-harness-init`、`repo-harness-migrate`、`repo-harness-upgrade`、`repo-harness-capability`、`repo-harness-architecture`、`repo-harness-handoff`、`repo-harness-deploy`、`repo-harness-repair`、`repo-harness-check`
-- Project creation：`repo-harness-scaffold`
+- 支线项目创建 command：`repo-harness-scaffold`
 
-`repo-harness-init` 用于已有仓库；`repo-harness-scaffold` 用于创建新项目或模块。
+`repo-harness update` 用于已有仓库；`repo-harness-scaffold` 作为支线 command 创建新项目或模块。
 `hooks-init`、`docs-init` 和 `create-project-dirs` 是内部步骤，不是公共 commands。
 
+`repo-harness-scaffold` 保持 A-K plan catalog 作为项目类型 authority；AI-native
+能力通过可选 `ai_native_profile` overlay 叠加。Webapp rendering 也是独立 overlay：
+Plan B 保留为 client-only Vite；需要 public SEO/SSR landing 加 authenticated
+workspace 的 React webapp 使用 Plan C，也就是一个部署在 Cloudflare Workers 上的
+TanStack Start + Vite `apps/web`。`/` 走 SSR/prerender，`/app` 保持 client-only。
+scaffold 不默认生成 `apps/marketing` + `apps/web` 两个前端部署。
+
 ## Maintainer Reference
 
 ### 检查本仓库 workflow contract
@@ -363,7 +368,7 @@ bash scripts/check-task-workflow.sh --strict
 bun scripts/inspect-project-state.ts --repo . --format text
 bash scripts/migrate-project-template.sh --repo . --dry-run
 bash scripts/check-agent-tooling.sh --host both --check-updates
-bun run benchmark:skills --dry-run
+bun run benchmark:skills --eval route-workflow-check
 ```
 
 ## Key Files