voidforge-build 23.20.0 → 23.22.0

package/dist/.claude/commands/debrief.md

@@ -13,7 +13,7 @@ Bashir examines the patient. Time to diagnose.
 [ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true
 ```
 
-The existence guard is a no-op on projects that predate the gate. **If the first sub-agent launch still blocks** (stale session pointer — the repo pointer pointed at a dead session, so the flag landed in the wrong dir), re-run the exact same `bypass.sh --light` line once: the first blocked `check.sh` fire repoints the pointer to the live session, so the second write lands correctly and the launch proceeds. See CLAUDE.md "Silver Surfer Gate" → "Known gate bug — stale session pointer."
+The existence guard is a no-op on projects that predate the gate. **Stale-pointer self-repair (#384 RC-3):** `bypass.sh` now repoints a stale pointer (one left by a `/clear`ed or crashed session) to the live session automatically — read from `CLAUDE_CODE_SESSION_ID` — so the bypass lands correctly on the first try. On older Claude Code builds without that env var the legacy behavior applies: if the first sub-agent launch still blocks, re-run the exact same `bypass.sh --light` line once (the first blocked `check.sh` fire repoints the pointer, so the second write lands correctly). See CLAUDE.md "Silver Surfer Gate" → "Stale session pointer — auto-repaired."
 
 ## Step 0 — Reconstruct the Timeline
 

package/dist/.claude/commands/git.md

@@ -8,8 +8,12 @@
 Scope the changes:
 1. Run `git status` — identify staged, unstaged, and untracked files
 2. Run `git diff --stat` — get a summary of what changed
-3. If there are unstaged changes, ask the user: "Stage everything, or should I be selective?"
-4. If there are no changes at all, stop: "Nothing to version. Working tree is clean."
+3. **Unrelated / pre-existing-change detection (field report #384 RC-1 — never `git add -A` blind).** Before staging, separate what this session authored from changes that were already in the working tree or fall outside the session's stated scope. Two mechanical checks:
+   - **Dependency manifests get special scrutiny.** If any manifest or lockfile appears in the diff — `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `requirements.txt`, `pyproject.toml`, `Cargo.toml` / `Cargo.lock`, `go.mod` / `go.sum`, `Gemfile` / `Gemfile.lock` — read the actual dependency-level diff (`git diff -- <manifest>`), not just the filename. A dependency added / changed / removed that the session did not deliberately introduce is the exact bug this check exists for: the v23.20.0 `vercel` near-miss was a stray `npm install` that added `vercel` to root `dependencies` plus ~5,900 lockfile lines, and a naive `git add -A` would have shipped it into a methodology release. Flag every dependency change for an explicit include/exclude decision and honor "no new dependencies without justification" (CLAUDE.md Coding Standards).
+   - **Scope diff.** Cross-check the full changed-file list against what this session actually touched. Anything you did not author this session — a leftover edit, a scratch/probe file, an untracked artifact — is surfaced for an explicit keep/drop decision.
+   Present the split — *session-authored (stage these)* vs *pre-existing or out-of-scope (decide)* — and get the include/exclude decision BEFORE Step 4 staging. **Never `git add -A` / `git add .` a release without this split.**
+4. If there are unstaged changes, ask the user: "Stage everything, or should I be selective?" — informed by step 3's split.
+5. If there are no changes at all, stop: "Nothing to version. Working tree is clean."
 
 ## Step 1 — Analyze (Vision)
 Read the actual diffs and classify every change:
@@ -71,7 +75,7 @@ Every hit that is not the intentional "Removed" changelog line is either updated
 ## Step 4 — Commit (Rogers)
 Stage and commit:
 1. Stage all modified version files: `VERSION.md`, the active changelog (`CHANGELOG.md` or `PROJECT_VERSION.md`), **every** bumped `package.json` (all workspace packages, not just the root), and any generated copy re-synced in Step 3
-2. Stage any other files that are part of this release (from Step 0), including any prose fixed by the Step 3.5 removal sweep
+2. Stage any other files that are part of this release — explicitly, from Step 0's *session-authored* split, including any prose fixed by the Step 3.5 removal sweep. Stage by path; do **not** `git add -A` / `git add .` (that re-admits the pre-existing/out-of-scope changes Step 0 just excluded — field report #384 RC-1)
 3. Craft commit message in the format: `vX.Y.Z: One-line summary`
    - If elaboration needed, add a blank line then details
    - Match the style of existing commits (check `git log --oneline -10`)

package/dist/.claude/commands/seal.md

@@ -18,11 +18,12 @@ The ordering is deliberate: commit and push first so the field report and vault
 ## Step 0 — Preflight (decide which stages apply)
 1. `git status` + `git diff --stat` — is there anything to commit?
    - **Working tree clean:** there is no release to ship. Skip Stages 1–2 (commit + push), tell the user "Nothing to ship — sealing without a release," and proceed to Stage 3 (debrief) + Stage 4 (vault). A clean tree is not an error.
-2. `git rev-parse --abbrev-ref HEAD` — confirm the branch. If on the default branch and a release is being cut, that is fine for this repo's flow; just surface it.
-3. Echo the plan the user is about to authorize: the stages that will run, whether a push will happen, and whether a GitHub field report will be filed. This single up-front disclosure is the contract — do not re-ask before each stage (the operator already authorized the whole ritual by invoking `/seal`).
-4. **Arm the gate bypass for Stage 3.** `/debrief --submit` deploys sub-agents (Ezri / O'Brien / Nog / Jake), and the Silver Surfer PreToolUse hook gates *every* Agent launch — `/debrief` is an analysis command, not a Surfer review roster, so it takes the documented bypass (field report #366-F4). Run, existence-guarded:
+2. **Unrelated / pre-existing-change detection (field report #384 RC-1).** Run the same split `/git` Step 0 does — separate session-authored changes from changes that were already in the tree or fall outside this session's scope, giving **dependency manifests / lockfiles** (`package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `requirements.txt`, `Cargo.lock`, `go.sum`, …) special scrutiny via their dependency-level diff. This is exactly the vigilance that caught the v23.20.0 `vercel` near-miss by hand; doing it at Preflight surfaces it as part of the plan disclosure (step 3) instead of relying on the operator noticing mid-commit. Surface any pre-existing/out-of-scope change for an explicit include/exclude decision; **never let the downstream `/git` stage `git add -A` a release without this split.**
+3. `git rev-parse --abbrev-ref HEAD` — confirm the branch. If on the default branch and a release is being cut, that is fine for this repo's flow; just surface it.
+4. Echo the plan the user is about to authorize: the stages that will run, whether a push will happen, whether a GitHub field report will be filed, **and any pre-existing/out-of-scope changes detected in step 2 (with the include/exclude call)**. This single up-front disclosure is the contract — do not re-ask before each stage (the operator already authorized the whole ritual by invoking `/seal`).
+5. **Arm the gate bypass for Stage 3.** `/debrief --submit` deploys sub-agents (Ezri / O'Brien / Nog / Jake), and the Silver Surfer PreToolUse hook gates *every* Agent launch — `/debrief` is an analysis command, not a Surfer review roster, so it takes the documented bypass (field report #366-F4). Run, existence-guarded:
    `[ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true`
-   **Stale-pointer caveat:** if the repo's session pointer is stale (points at a dead session), `bypass.sh` writes the flag to the wrong session dir and the launch still blocks. If Stage 3's first Agent call is blocked despite the bypass, re-run the same `bypass.sh --light` line once — the blocked `check.sh` fire will have repointed the pointer to the live session — then retry. Do not fight the gate beyond one re-run; if it still blocks, fall back to `/debrief --solo` for this stage.
+   **Stale-pointer self-repair (#384 RC-3):** `bypass.sh` now reads the live session id from `CLAUDE_CODE_SESSION_ID` and, when the repo pointer is stale (left by a `/clear`ed or crashed session), repoints it to the live session automatically — the bypass lands correctly on the first try. On older Claude Code builds without that env var the legacy behavior applies: if Stage 3's first Agent call is still blocked despite the bypass, re-run the same `bypass.sh --light` line once (the blocked `check.sh` fire repoints the pointer), then retry. Do not fight the gate beyond one re-run; if it still blocks, fall back to `/debrief --solo` for this stage.
 
 ## Step 1 — Ship (Coulson · `/git`)
 Run the full `/git` release flow (version bump → changelog → commit → tag → verify). Pass through `--major` / `--minor` / `--patch` / `--no-tag` if supplied.

package/dist/CHANGELOG.md

@@ -6,6 +6,39 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
 
 ---
 
+## [23.22.0] - 2026-06-24
+
+### `update` now auto-activates `/contextmeter` (matches `init`)
+
+- **Fixed** — `npx voidforge-build update` now wires the `/contextmeter` status line + `UserPromptSubmit` awareness hook into `.claude/settings.json`, the same default-on way `init` does. Previously `update` copied `scripts/statusline/` but left the meter inactive until you ran `/contextmeter` by hand. `mergeStatuslineSettings` is now shared by `init` and `update`; it stays idempotent and **non-clobbering** — never overwrites a project's own `statusLine`, never duplicates the awareness hook. `--dry-run` / diff now reports the pending `.claude/settings.json` change honestly (reading the snippet from the source so it's accurate even before the scripts are copied). +3 updater tests (suite 1420→1423).
+
+Both packages bumped in lockstep (version-consistency gate). Dep `^23.21.0` → `^23.22.0`.
+
+## [23.21.0] - 2026-06-24
+
+### Triaged field reports #382 / #383 / #384 → `/seal`-hardening + DevOps/QA/orchestration fixes + a pattern-distribution gap
+
+**From #384 (the v23.20.0 `/seal` session's own debrief):**
+
+- **Added** — Release Step 0 *unrelated / pre-existing-change detection* (`/git`, `/seal`, `RELEASE_MANAGER.md`): before staging, the working tree is split into session-authored vs pre-existing/out-of-scope changes, with dependency manifests / lockfiles getting dependency-level scrutiny — the exact vigilance that caught the v23.20.0 `vercel` near-miss, now mechanical. Never `git add -A` a release.
+- **Added** — *Creation-time native-collision gate* (`BUILD_PROTOCOL.md`, `NATIVE_CAPABILITIES.md`): a new command's name is checked against the native command/skill set *before* the file is written, and its `NATIVE_CAPABILITIES` row is added at creation — the check shifts left from release-time re-audit to command-creation (the `/statusline`→`/contextmeter` rework cause).
+- **Fixed** — `scripts/surfer-gate/bypass.sh` *stale-pointer self-repair*: reads the live session id from `CLAUDE_CODE_SESSION_ID` and repoints a pointer left by a `/clear`ed/crashed session, so a single `bypass.sh --light` lands correctly on the first try — no operator re-run. Older CLIs without the env var keep the documented re-run fallback. (+4 regression tests; gate suite 27→31.)
+
+**From #382 (QA-isolation prod outage + sandbox / spend / coverage):**
+
+- **Added** — `DEVOPS_ENGINEER.md`: locking a shared parent dir must enumerate every traversing service account and grant each an explicit traverse ACL, then `curl` the prod FE and assert 200 (a `/home/ubuntu` `0750` lock 500'd nginx). Plus a headless-OAuth-bootstrap note (SSH `-L` port-forward or paste-the-code fallback).
+- **Added** — `docs/patterns/egress-sandbox.sh`: run a `systemd-run` egress-confined workload under `--uid`/`--gid` so artifacts stay user-owned, not root-owned — `IPAddress*` filtering is a cgroup property and uid-independent.
+- **Added** — `SUB_AGENTS.md`: a global spend ceiling must reserve max-possible in-flight child budget before launching the next child (an $80 cap spent $83.72), or document the overshoot bound.
+- **Added** — `QA_ENGINEER.md`: coverage honesty — count a case covered only at the fidelity actually exercised; record proof in a per-lane ledger; never reclassify a coverage SSOT on partial evidence.
+
+**Distribution:**
+
+- **Fixed** — `prepack.sh` / `copy-assets.sh` now ship **every** `docs/patterns/` file regardless of extension. Globbing by `.ts`/`.tsx`/`.md` had silently dropped the `.sh`/`.py`/`.conf` patterns (`post-deploy-probe.sh`, `nginx-vhost.conf`, `rls-test-fixture.py`, `structural-sql-sentinel.py`) from the published package — an LRN-11 gap, now a future-proof whole-dir copy.
+
+**#383** (`/contextmeter`) shipped in v23.20.0 — closed as implemented; its creation-time-collision proposal is covered by #384 RC-2.
+
+Build clean, suite 1420 (gate 27→31). Dep `^23.20.0` → `^23.21.0`.
+
 ## [23.20.0] - 2026-06-23
 
 ### Triaged 12 upstream field reports → methodology hardening, + `/seal` and `/contextmeter`

package/dist/CLAUDE.md

@@ -35,7 +35,7 @@ ADR-051 enforces this gate at the hook level (PreToolUse). The prose below is th
 
 **Non-review commands with a fixed roster take the bypass, NOT a Surfer muster (#366 F4).** A command like `/debrief` is NOT in the gated-commands list above — but the hook blocks *every* non-Surfer Agent launch regardless of the list, so its command-prescribed sub-agents (Ezri/O'Brien/Nog/Jake) get blocked too. The fix: any fixed-roster, non-review pipeline runs `[ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true` BEFORE launching its sub-agents. Its roster is command-prescribed, not cherry-picked, so the gate's anti-cherry-pick purpose doesn't apply — the bypass is correct, not a workaround. (The gated list governs *which commands must muster the Surfer*; it does not exempt unlisted commands from the hook.)
 
-**Known gate bug — stale session pointer (#366 F4, live-observed).** The repo's session pointer can point at a *dead* session (a prior `/clear`ed or crashed session whose dir still exists). When it does, `bypass.sh` writes the flag to that stale session's dir — the WRONG one — and the live session's launch still blocks. The first blocked `check.sh` fire repoints the pointer to the LIVE session. **Workaround:** re-run the exact same `bash scripts/surfer-gate/bypass.sh --light` line once after the first blocked fire; the second write lands in the now-correct live session dir and the launch proceeds. (Tracked for a real fix: `bypass.sh` should detect a stale pointer rather than rely on a re-run.)
+**Stale session pointer — auto-repaired (#366 F4, fixed in #384 RC-3).** The repo's session pointer can point at a *dead* session (a prior `/clear`ed or crashed session whose dir still exists). Historically `bypass.sh` then wrote the flag to that dead session's dir — the WRONG one — and the live session's launch still blocked until you re-ran the bypass. **`bypass.sh` now self-repairs:** it reads the live session id from `CLAUDE_CODE_SESSION_ID` (the same id Claude Code passes the `PreToolUse` hook as `session_id` — it equals the live transcript's basename), and when that disagrees with the pointer it repoints the pointer to the live session and writes the flag there. A single `bash scripts/surfer-gate/bypass.sh --light` now lands correctly on the first try; no re-run needed. **Legacy fallback:** on older Claude Code builds that don't export `CLAUDE_CODE_SESSION_ID`, `LIVE_SID` is empty and the prior behavior remains — if the first launch still blocks, re-run the same `bypass.sh --light` line once (the first blocked `check.sh` fire repoints the pointer, so the second write lands correctly).
 
 **Orchestrator contract** (you run these Bash commands at the right moments — wrap each in an existence guard so projects on older methodology versions don't error):
 
@@ -136,6 +136,7 @@ Reference implementations in `/docs/patterns/`. Match these shapes when writing.
 - `codemod-hygiene.md` — after a jscodeshift/recast codemod, strip incidental reformatting so the diff shows only the semantic change (field report #357)
 - `post-deploy-probe.sh` — deploy probe that asserts response content + Content-Type, not HTTP status only, so an SPA catch-all serving index.html for every path can't false-pass into a rollback (field report #371)
 - `exclusion-set-invariant.md` — superset invariant for multi-mechanism exclusion sets: one canonical secret/PII set with `.gitignore` / rsync / scanner derived from it (or a CI assertion) so the three never drift (field report #377)
+- `egress-sandbox.sh` — egress-confined workload (`systemd-run` `IPAddress*` cgroup filter) that drops to the invoking uid/gid so artifacts stay user-owned, not root-owned, while network confinement is preserved (field report #382)
 
 ## Slash Commands
 
@@ -262,7 +263,7 @@ See `/docs/methods/MUSTER.md` for the full Muster Protocol.
 | **Learnings** | `/docs/LEARNINGS.md` | Project-scoped operational knowledge — read at session start if exists |
 | **The Muster** | `/docs/methods/MUSTER.md` | When using `--muster` flag on any command |
 | **Time Vault** | `/docs/methods/TIME_VAULT.md` | Seldon — when preserving session intelligence for transfer |
-| **Patterns** | `/docs/patterns/` | When writing code (37 reference implementations) |
+| **Patterns** | `/docs/patterns/` | When writing code (56 reference implementations) |
 | **Lessons** | `/docs/LESSONS.md` | Cross-project learnings |
 | **Workflows** | `/docs/methods/WORKFLOWS.md` | Dynamic Workflow authoring standard (ADR-067) — when to use, API, gotchas, the ADR-064 gate-launch sequence |
 | **Native Capabilities** | `/docs/NATIVE_CAPABILITIES.md` | Command × native-skill collision tracker (ADR-066) — re-audit each release |

package/dist/VERSION.md

@@ -1,6 +1,6 @@
 # Version
 
-**Current:** 23.20.0
+**Current:** 23.22.0
 
 ## Versioning Scheme
 
@@ -14,6 +14,8 @@ This project uses [Semantic Versioning](https://semver.org/):
 
 | Version | Date | Summary |
 |---------|------|---------|
+| 23.22.0 | 2026-06-24 | **`update` now auto-activates `/contextmeter` (matches `init`).** `npx voidforge-build update` wires the context-meter status line + `UserPromptSubmit` awareness hook into `.claude/settings.json` the same default-on way `init` does — previously `update` copied `scripts/statusline/` but left the meter inactive until a manual `/contextmeter` run. `mergeStatuslineSettings` is now shared by init + update, idempotent + non-clobbering (never overwrites a project's own `statusLine`, never duplicates the hook); `--dry-run` reports the pending `.claude/settings.json` change. +3 updater tests (1420→1423). Dep `^23.21.0` → `^23.22.0`. |
+| 23.21.0 | 2026-06-24 | **Triaged field reports #382 / #383 / #384 → `/seal`-hardening + DevOps/QA/orchestration fixes + a pattern-distribution gap.** **#384:** release Step 0 unrelated/pre-existing-change detection (`/git`, `/seal`, `RELEASE_MANAGER.md`) — split session-authored vs out-of-scope changes, dependency-manifest scrutiny, never `git add -A` (the `vercel` near-miss, mechanized); creation-time native-collision gate (`BUILD_PROTOCOL.md`, `NATIVE_CAPABILITIES.md`) — check a new command's name + add its row at creation, not release re-audit; `bypass.sh` stale-pointer self-repair via `CLAUDE_CODE_SESSION_ID` (repoints a dead-session pointer on the first try, no re-run; +4 tests, gate 27→31). **#382:** DevOps ACL-traverse enumeration + post-lock prod-FE 200 check; new `egress-sandbox.sh` pattern (`systemd-run --uid/--gid`, uid-independent egress); SUB_AGENTS spend ceiling reserves in-flight child budget; QA coverage-fidelity honesty + per-lane ledger; headless-OAuth bootstrap note. **Distribution:** `prepack.sh`/`copy-assets.sh` now ship every `docs/patterns/` file regardless of extension (`.sh`/`.py`/`.conf` were silently dropped — LRN-11 gap). #383 closed as already-shipped. Build clean, suite 1420. Dep `^23.20.0` → `^23.21.0`. |
 | 23.20.0 | 2026-06-23 | **Triaged 12 upstream field reports (#364–#378) → methodology hardening, + `/seal` and `/contextmeter`.** Applied every accepted fix across ~41 method docs / agents / patterns / commands (throughput/scale gates, ADR concurrency verification, deny-list discipline, runtime-path tracers, render-gate coverage, OAuth/external-claim verification, HTTP two-principal isolation, dall-e→gpt-image-1 currency, `/debrief` gate-gap docs) + 2 new patterns (`post-deploy-probe.sh`, `exclusion-set-invariant.md`); implemented the two wizard reports — non-destructive CLAUDE.md `update` merge (#368) + legacy-marker detection (#369). **New `/seal`** — session closeout (git → debrief → vault → handoff). **New `/contextmeter`** — context-budget meter + `UserPromptSubmit` awareness hook, default-on (warn 80% / crit 92%), `scripts/statusline/` wired through all four distribution paths + npm `files`. Build clean, suite 1392→1420. Dep `^23.19.0` → `^23.20.0`. |
 | 23.19.0 | 2026-06-13 | **Gauntlet acceptance test → 14 fixes (the ADR-067 re-platform, validated by running it on itself).** Ran the new `gauntlet.workflow.js` live on the v23.13–v23.18 platform code (10-agent Surfer roster → 347 agents → 99 distinct claims → 66 confirmed + 24 crossfire, 0 Critical) and fixed the 3-lens-confirmed findings. **Gate (security):** `_paths.sh` reap was missing `-mindepth 1` → could `rm -rf` the entire `sessions/` tree (every live roster/bypass); the reaper now refreshes `$SESSION_DIR` mtime on activity + threshold raised above the TTL, closing the documented reap-vs-fresh-roster/bypass race; `shasum`→`sha256sum` fallback (gate silently broke on Alpine); `bypass.sh` run before the first hook fire now records a repo-scoped *pending* bypass that `check.sh` promotes (was a silent no-op). **Workflows:** strike no longer re-runs the same ≤5-agent roster twice; crossfire `survives:true+REFUTED` verdicts no longer vanish into no bucket (logged in `crossfireRefutedLog`); dedup keeps the **highest** severity + `raisedBy` (was first-write-wins); guarded `JSON.parse(args)`; undefined-domain prompt guard. **Distribution:** `npx voidforge-build init` now copies `.claude/workflows/` + `AGENT_CLASSIFICATION.md`; `update` now propagates `.claude/workflows` + `scripts/surfer-gate` (both were stranded). **Validation:** new `scripts/validate-workflows.sh` (wraps the runtime shape, then `node --check`) wired into `pretest` — corrects the false "scripts pass `node --check`" claim and gates syntax errors from shipping. **Docs:** `WORKFLOWS.md` example `agentType: a.id`→`a.name` + new gotchas; stale `/tmp/voidforge-*` paths fixed in gate README + CLAUDE.md (ADR-060). **CI:** `recover-partial` derives the version from `package.json` not `github.ref_name` (broke on dispatch); Playwright cache key off the committed manifests not the regenerated lockfile. Gate suite 23→27, full suite 1390→1392. Deferred (field-report candidates): concurrent same-repo pointer collision, `workflow_dispatch` branch guard. Dep `^23.18.0` → `^23.19.0`. |
 | 23.18.0 | 2026-06-13 | **Workflow re-platform of `/gauntlet` + `/assemble` (ADR-067)** — the opportunity ADR-064 unblocked. New `.claude/workflows/gauntlet.workflow.js` (discovery → JS dedupe → 3-lens adversarial REFUTE → crossfire → council, schema-validated) and `assemble-review.workflow.js` (engage+sentinel over a mission diff; build/arch/devops stay prose). New **`docs/methods/WORKFLOWS.md`** authoring standard (API, the #348/#363 gotchas, 16/1000 caps, and the ADR-064 gate-launch sequence: Surfer→record-roster→Workflow). `gauntlet.md`/`assemble.md` gain workflow-execution sections; personas + fix-application + Debate Protocol stay prose. **Distribution gate (Phase 12.75):** `.claude/workflows/` is a new shared category — added to `prepack.sh` (npm) + `copy-assets.sh` (init) so the scripts ship to consumers. Both scripts `node --check`-validated (ESM async-wrapped); the live end-to-end gauntlet run is the acceptance test. Dep `^23.17.0` → `^23.18.0`. |

package/dist/docs/methods/BUILD_PROTOCOL.md

@@ -450,6 +450,14 @@ Examples of batches that are too big:
 
 ---
 
+## Authoring a New Slash Command — Creation-Time Native-Collision Gate (field report #384 RC-2)
+
+When you create a new VoidForge slash command (a new `.claude/commands/*.md`), the **native-collision check happens at creation time, not at release re-audit.** ADR-066's `docs/NATIVE_CAPABILITIES.md` re-audit is a release-time backstop; relying on it alone let `/contextmeter` get built as `/statusline` and then renamed mid-build — after docs and scripts already referenced the dead name. Shift the check left:
+
+1. **Before writing the file, check the proposed name against the native command/skill set.** Claude Code ships native slash commands and skills (e.g. `/init`, `/review`, `/security-review`, `/code-review`, `/test`, `/commit`, `/statusline`, `/context`, `/deep-research`, plus built-ins). On surfaces with project-local resolution a same-named `.claude/commands/*.md` wins, but on surfaces without it (claude.ai web, some IDE extensions) a colliding **native** capability shadows ours — running ungated and without VoidForge semantics. Consult `docs/NATIVE_CAPABILITIES.md` for the currently-tracked native set.
+2. **If the name collides, resolve it before the name propagates.** Either rename to a non-colliding name (the `/statusline`→`/contextmeter`, `/review`→`/engage`, `/security`→`/sentinel` precedent) or, if coexistence is deliberate, record a `coexist + document` disposition. Decide *before* writing the file, so no doc/script ever references a name you'll have to retract.
+3. **Add the `NATIVE_CAPABILITIES.md` row as part of creating the command** — same commit, not a later audit. The ADR-066 coverage rule (every `.claude/commands/*.md` has a row) is then satisfied at creation, and the release-time re-audit becomes a confirmation rather than a discovery.
+
 ## Principles
 
 1. PRD is source of truth. Agents don't override product decisions. If the PRD is ambiguous, flag it and present options — don't decide product direction.

package/dist/docs/methods/DEVOPS_ENGINEER.md

@@ -45,6 +45,8 @@ When the application spawns child processes (workers, background jobs, PTY sessi
 
 (Field report #57: shell profiles re-injected environment variables that were explicitly filtered from the PTY environment.)
 
+**Egress sandbox: drop to the invoking uid, don't run as root.** When you confine a workload's outbound network with `sudo systemd-run -p IPAddressDeny=…`, pass `--uid`/`--gid` to run it as the invoking user. `IPAddress*` filtering is a cgroup property and is uid-independent, so confinement is fully preserved while artifacts stay user-owned — running as root litters root-owned state that breaks a sibling tool run later as the normal user. See `docs/patterns/egress-sandbox.sh` (field report #382 RC-2).
+
 See NAMING_REGISTRY.md for 70+ additional characters.
 
 ## Goal
@@ -406,6 +408,12 @@ When staging and production coexist on the same server, enforce full isolation:
 
 Convention isn't enough — enforcement is. The pre-push hook is the single most effective protection. (Field report #241: 68-hour production outage from shared infrastructure.)
 
+### Locking a shared parent dir: enumerate every traversing service account (field report #382, HIGH)
+
+A QA/security isolation step that revokes world-traverse on a home or parent directory can silently break any *other* service whose path runs through it — a cross-phase landmine that surfaces hours later. Real incident: `/home/ubuntu` was set to `0750` plus a traverse ACL granting only the QA containment users (`us-qa`/`us-healer`); nginx (`www-data`) serves the production SPA from a directory *under* `/home/ubuntu`, lost traverse, and 500'd the moment its workers recycled (logrotate).
+
+**Rule — when you revoke world-traverse (`o-x`, `0750`, a restrictive ACL) on any home or parent directory, enumerate EVERY service account that traverses it and grant each an explicit traverse ACL.** The web server (`www-data`/`nginx`), the app/runtime user, the process manager, backup/cron users — any uid whose working path descends through the locked dir needs `setfacl -m u:<svc>:--x <dir>` (execute/traverse only, NOT read). Then **verify with a live request, not the ACL listing**: after locking the dir, `curl` the production front-end (and any other co-located service) and assert `200`. `getfacl` proves the ACL is *set*; only a live request proves nothing downstream *broke*. Add to the containment runbook: "after locking a home/parent dir → curl prod FE → assert 200."
+
 ### Promote gate must verify the staging server's DEPLOYED COMMIT == branch HEAD
 
 A staging-first promote gate that checks only "staging branch is ahead of main" + "staging health endpoint returns 200" + "version was bumped" is **structurally blind to the one thing staging-first exists to guarantee**: that the code being promoted actually *ran on staging*. Branch-ahead proves the commit was *pushed*; health-200 proves *some* build is up. Neither proves the staging **server** is running the commit being promoted — a push-to-branch without a redeploy leaves the server lagging the branch, and "ahead + 200" both still pass. Promote at that point and you ship commits to prod that **never executed on staging** — the exact failure staging-first is built to prevent (and the same shape as the "deployed but never reloaded" stale-build outage elsewhere in this doc).
@@ -478,6 +486,8 @@ Add project-specific exclusions for any directory that receives runtime-generate
 
 **Live-fire verification per credential (field report #360).** After wiring ANY external credential — analytics, error tracking, ad platform, payment, LLM provider, anything with an API key/secret/token — exercise it against the provider's LIVE API and confirm acceptance before marking the integration done. Env-var-set is NOT done; a structurally-valid value (correct prefix/length) can still be dead. Send the smallest real authenticated request the provider supports (a no-op read, a token introspection, a `whoami`/`accounts:list`, a single test event) and assert a success status, not just a non-error transport. This single live call also surfaces latent integration bugs the stored value can't reveal: a hardcoded/sunsetting API version now returning 404 (pin a current version + add a health check), a missing required header (e.g. `login-customer-id` for a manager→client account), or wrong scopes. Evidence: a Google Ads credential that looked structurally valid was dead (`invalid_client`) and a v17 pin had been retired (404, current v21) — eyeballing would have shipped a silently-broken integration.
 
+**Interactive OAuth consent on a headless server (field report #382).** Bootstrapping an OAuth credential that uses a loopback redirect (Google's installed-app flow, many provider CLIs) assumes a browser on the *same host* as the consent step — it opens `http://127.0.0.1:<port>/` and waits. On a headless box (deploy server, CI runner) there is no local browser, so the flow hangs. Two fallbacks — document both in any OAuth-bootstrap tooling guidance: (1) **SSH local port-forward** — `ssh -L <port>:127.0.0.1:<port> user@server`, run the consent in your *local* browser, and the loopback redirect resolves back through the tunnel to the server's listener; (2) **paste-the-code / out-of-band** — use the flow's manual-code variant (e.g. `--no-launch-browser`), open the printed auth URL on any machine, and paste the returned code into the headless prompt. Use port-forward when the tool only does loopback; paste-code when it offers an OOB option.
+
 **Post-deploy OAuth sign-in failures: discriminate IdP-side from regression before rolling back.** When the first real sign-in after a deploy fails, do NOT reflexively roll back — first locate WHERE it failed. If the error page lives on the IdP's own domain (e.g. `accounts.google.com/info/unknownerror`, with a `rapt` re-auth token) and occurs BEFORE your `/callback` is hit, the failure is on the identity provider, not your migration — typically a stuck re-auth session, not a regression. Confirm your authorize request was well-formed (client_id, redirect_uri, scope, state) and then retry in a fresh/incognito session; an incognito success proves the deploy is fine and the IdP session was transient. Only an error AT your callback (state mismatch, token-exchange 4xx, cookie not set) implicates your code. A reflexive rollback on an IdP-side error falsely blames the migration and fixes nothing. (Field report #357 #3.)
 
 **Post-deploy asset verification:** After deploying, verify specifically the files that *changed* in this deploy — not pre-existing assets. Check: (a) correct content-type header (text/html on a static asset means the file is missing from the deployment), (b) correct content-length (not the index.html fallback size), (c) deployment list shows the correct environment. Do NOT verify only pre-existing assets — they prove the host is up, not that the deploy succeeded. (Field report #114)

package/dist/docs/methods/FIELD_MEDIC.md

@@ -50,7 +50,7 @@ Transform session failures into structured, actionable field reports that improv
 4. **Categorize root causes.** Every failure is one of: methodology gap, tooling limitation, communication failure, scope issue, framework-specific bug, or external dependency.
 5. **Severity matters.** Distinguish between "this affects all users" (methodology flaw) and "this was specific to my project" (edge case).
 6. **Be actionable.** Every finding should specify: which file should change, what should be added/modified, and which agent is responsible.
-7. **Take the gate bypass before dispatching the DS9 crew (#366 F4).** Bashir's Ezri/O'Brien/Nog/Jake are a fixed, command-prescribed roster — not a cherry-picked review — so `/debrief` is NOT in the Silver Surfer gated-commands list. But the gate's `PreToolUse` hook blocks *every* non-Surfer Agent launch regardless of that list, so the crew would be blocked. BEFORE launching the first sub-agent, run `[ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true`. The bypass is correct here, not a workaround: a fixed roster can't be cherry-picked, so the gate's anti-cherry-pick purpose doesn't apply. **Stale-pointer bug:** if the first sub-agent launch still blocks, the repo's session pointer was stale (pointed at a dead session) and the flag landed in the wrong session dir; re-run the same `bypass.sh --light` line once — the first blocked `check.sh` fire repoints to the live session, so the second write lands correctly. (Tracked: `bypass.sh` should detect a stale pointer instead of relying on a re-run.)
+7. **Take the gate bypass before dispatching the DS9 crew (#366 F4).** Bashir's Ezri/O'Brien/Nog/Jake are a fixed, command-prescribed roster — not a cherry-picked review — so `/debrief` is NOT in the Silver Surfer gated-commands list. But the gate's `PreToolUse` hook blocks *every* non-Surfer Agent launch regardless of that list, so the crew would be blocked. BEFORE launching the first sub-agent, run `[ -x scripts/surfer-gate/bypass.sh ] && bash scripts/surfer-gate/bypass.sh --light || true`. The bypass is correct here, not a workaround: a fixed roster can't be cherry-picked, so the gate's anti-cherry-pick purpose doesn't apply. **Stale-pointer self-repair (#384 RC-3):** `bypass.sh` now detects a stale pointer itself — it reads the live session id from `CLAUDE_CODE_SESSION_ID` and repoints a pointer left by a `/clear`ed or crashed session to the live session, so the bypass lands in the right dir on the first try. On older Claude Code builds without that env var the legacy behavior applies: if the first sub-agent launch still blocks, re-run the same `bypass.sh --light` line once (the first blocked `check.sh` fire repoints to the live session, so the second write lands correctly).
 
 ## Root Cause Categories
 

package/dist/docs/methods/QA_ENGINEER.md

@@ -301,6 +301,10 @@ A shipped drift-guard (coverage gate, schema-parity `--check` CLI, lint sentinel
 
 A guard failing either condition is **High** — it manufactures false confidence in exactly the regressions it claims to prevent. (Field report #365: a coverage drift-guard shipped a `--check` CLI that enforced weaker invariants than its own pytest suite — silently passing the three likeliest regressions — AND the tests were never wired into CI. The guard looked green while guarding nothing.)
 
+### Coverage Honesty — Count at the Fidelity Actually Exercised (field report #382)
+
+A coverage SSOT (the canonical "what's tested" ledger) must record each case at the fidelity it was *actually* exercised — never reclassify it covered on partial evidence. Real incident: a new real-account smoke lane proved the *backend* integration (token → authenticated read) but not the in-browser OAuth round-trip; the temptation was to mark the front-end `external_cases` "covered." It wasn't — only the backend path was. **Rules:** (1) a case is covered only at the layer a test actually drives — a backend token test does not cover the browser consent flow; an API test does not cover the UI that calls it; (2) record proof **per lane** in a ledger (which lane exercised the case, at what fidelity, with what evidence — a log line, a screenshot, a status assertion) so a coverage claim is auditable, not asserted; (3) never promote a case to "covered" in the SSOT on a different-fidelity proxy. Counting partial evidence as full coverage manufactures the same false confidence as a vacuous gate — it just hides in the ledger instead of the code. (Reinforces the verification-discipline theme of #377.)
+
 ### Safety-Critical Return Value Verification
 
 For systems with safety-critical operations (stop-loss placement, circuit breakers, rollback triggers, payment captures, credential revocations): verify the return value of the safety operation BEFORE transitioning state. The pattern: `call safety operation → check return → only then transition`.

package/dist/docs/methods/RELEASE_MANAGER.md

@@ -43,6 +43,17 @@ Clean, consistent, well-documented releases. Every version bump tells a story. E
 4. **Never auto-push.** Push only when the user explicitly requests it.
 5. **Present before executing.** Show the changelog entry, version bump, and commit message for user approval before committing.
 6. **Breaking changes get called out.** If MAJOR, explain what breaks and why.
+7. **Never `git add -A` a release.** Run the Step-0 unrelated-change split first (see "Unrelated-Change Detection" below) and stage by path.
+
+## Unrelated-Change Detection — Step 0 (field report #384 RC-1)
+
+A release must ship only what the session authored. The working tree can also carry **pre-existing or out-of-scope changes** — a stray dependency, a leftover edit, an untracked scratch/probe file — and a naive `git add -A` bundles them into the release. The v23.20.0 near-miss: a `vercel` dependency (added to root `dependencies` by a stray `npm install`, +~5,900 `package-lock.json` lines) sat in the tree unrelated to the release; it was caught only because the lead manually diffed `package.json`. Encode that vigilance instead of relying on it.
+
+Before staging (in `/git` Step 0 and `/seal` Step 0):
+
+1. **Dependency manifests get special scrutiny.** If any manifest/lockfile is in the diff — `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `requirements.txt`, `pyproject.toml`, `Cargo.toml`/`Cargo.lock`, `go.mod`/`go.sum`, `Gemfile`/`Gemfile.lock` — read the **dependency-level** diff (`git diff -- <manifest>`), not just the filename. Any dependency added/changed/removed that the session did not deliberately introduce is flagged for an explicit include/exclude decision. This enforces "no new dependencies without justification" (CLAUDE.md Coding Standards) at release time.
+2. **Scope diff.** Compare the full changed-file list against what the session actually touched. Surface anything you did not author this session for an explicit keep/drop decision.
+3. **Present the split** — *session-authored (stage these)* vs *pre-existing or out-of-scope (decide)* — and stage by path from the session-authored side only. `git add -A` / `git add .` re-admits exactly the changes this split exists to exclude.
 
 ## Semver Rules
 

package/dist/docs/methods/SUB_AGENTS.md

@@ -289,6 +289,8 @@ Leads inherit the main session's model (Opus). Specialists run on Sonnet for cos
 
 **Effort tiering (per-agent spend lever).** Claude Code exposes an `effort:` level (`low`/`medium`/`high`/`xhigh`/`max`) that controls reasoning depth *independently* of the model tier. Apply by role: **Leads → `xhigh`** (the recommended start for agentic work on Opus 4.8); **Specialists → `medium`** (read-and-report review rarely needs full `high` spend across ~200 agents); **Scouts → OMIT** — **Haiku 4.5 does not support the effort parameter and errors if it is passed.** Haiku also has a **200K context ceiling (not 1M)**: the Surfer pre-scan and scout prompts must fit within it — read agent frontmatter (name/description/tags), not full bodies, on large rosters. **Verified + applied 2026-06-13:** the official sub-agents docs confirm `effort` is a supported frontmatter field; the fleet edit is live — all 20 leads carry `effort: xhigh`, all 201 Sonnet specialists `effort: medium`, the 43 Haiku scouts omit it (ADR-054). New agents should follow the same tiering.
 
+**Global spend ceiling must reserve in-flight budget (field report #382).** When a multi-child orchestration enforces a global cost ceiling, the launch gate must NOT admit the next child on *cumulative-spent-so-far < ceiling* — that ignores the children already running, so the ceiling is breached by whatever the in-flight children go on to spend (real incident: an $80 cap spent $83.72). Before launching child N, reserve the **max-possible in-flight spend**: admit only if `ceiling − spent_so_far − Σ(per-child ceiling of running children) ≥ next child's per-child ceiling`. That bounds the worst case under the cap. If per-child spend can't be bounded, the total can't be either — then document the overshoot bound explicitly (`ceiling + (concurrency − 1) × max-per-child`) rather than calling the cap hard. In a Dynamic Workflow the `budget` API (WORKFLOWS.md) is the natural enforcement point: gate `agent()` launches on `budget.remaining()` minus reserved in-flight, not on raw `spent()`.
+
 ### Tool Restrictions
 
 | Profile | Tools | Agents |

package/dist/docs/patterns/egress-sandbox.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# egress-sandbox.sh — Pattern: run a network-egress-confined workload WITHOUT
+# making its artifacts root-owned (field report #382 RC-2).
+#
+# PROBLEM. A common "egress sandbox" wraps a workload in `sudo systemd-run` with
+# IPAddressAllow/IPAddressDeny to confine outbound network. Done naively it runs
+# the workload as ROOT (sudo's default), so every file the workload writes —
+# caches, state, lock files, output — is root-owned. A sibling/same-purpose tool
+# run later as the normal user then can't read or overwrite that state and
+# breaks. The egress confinement never REQUIRED root: IPAddress* filtering is a
+# cgroup property (systemd's BPF egress filter) and is uid-independent. Drop the
+# workload back to the invoking user and confinement is fully preserved while
+# artifacts stay user-owned.
+#
+# ── WRONG: runs as root, litters root-owned artifacts ────────────────────────
+#   sudo systemd-run --pipe --wait \
+#     -p IPAddressDeny=any -p IPAddressAllow=10.0.0.0/8 \
+#     my-workload --out ./state            # ./state is now root-owned
+#
+# ── RIGHT: same egress confinement, artifacts owned by the invoking user ──────
+INVOKING_UID="$(id -u)"
+INVOKING_GID="$(id -g)"
+
+sudo systemd-run --pipe --wait \
+  --uid="$INVOKING_UID" --gid="$INVOKING_GID" \
+  -p IPAddressDeny=any \
+  -p IPAddressAllow=localhost \
+  -p IPAddressAllow=10.0.0.0/8 \
+  my-workload --out ./state                # ./state owned by the invoking user
+#
+# WHY IT'S SAFE. IPAddressAllow/IPAddressDeny are enforced by the transient
+# unit's cgroup, which applies regardless of the process uid. --uid/--gid only
+# change the credential the workload runs under — they do not relax the network
+# policy. You get confinement AND user-owned artifacts.
+#
+# VERIFY BOTH HALVES (don't assume — one assertion per property):
+#   1. Confinement: from inside the workload, a connection to a DENIED address
+#      must fail —   curl --max-time 3 https://example.org   times out/refused.
+#   2. Ownership:    stat -c '%U' ./state   returns the invoking user, not root.
+#
+# NOTE. IPAddress* allow/deny lists need systemd ≥ 235 with cgroup v2 + BPF; on
+# hosts without it, fall back to a network namespace (`ip netns`) or a per-unit
+# firewall, but keep the same --uid/--gid drop so artifacts stay user-owned.

package/dist/docs/patterns/nginx-vhost.conf

@@ -0,0 +1,156 @@
+# nginx vhost — Cloudflare-Flexible-compatible reverse proxy with ACME passthrough
+#
+# Reference implementation for a per-tenant origin vhost that sits behind
+# Cloudflare in *Flexible* SSL mode (browser<->Cloudflare is HTTPS, but
+# Cloudflare<->origin is plain HTTP on :80). Use this when the origin app
+# does NOT terminate TLS itself and Cloudflare fronts the zone.
+#
+# Evidence: field report #344 F2 (origin 301 HTTP->HTTPS redirect loops on
+# Cloudflare Flexible zones) and #344 F4a (missing/origin-level security header
+# stack + per-tenant log isolation).
+#
+# When to use it:
+#   - Cloudflare zone SSL mode = Flexible, origin speaks HTTP only.
+#   - You want the security header stack applied at the origin so it survives
+#     even if a Cloudflare Transform/Response-Header rule is removed.
+#   - You need Let's Encrypt http-01 (ACME) to keep working through the proxy.
+#
+# When NOT to use it (use a TLS-terminating vhost instead):
+#   - Cloudflare SSL mode = Full or Full (strict): the origin must serve HTTPS
+#     and you SHOULD redirect HTTP->HTTPS. Adding the 301 below would NOT loop
+#     in that mode. This template deliberately omits the redirect for Flexible.
+#
+# Install:
+#   - Copy to /etc/nginx/sites-available/<tenant>.conf, edit the @@PLACEHOLDERS@@,
+#     symlink into sites-enabled/, then `nginx -t && systemctl reload nginx`.
+#   - Replace @@SERVER_NAME@@, @@UPSTREAM@@, @@TENANT@@ before loading.
+#
+# Placeholders:
+#   @@SERVER_NAME@@  -> e.g. app.example.com
+#   @@UPSTREAM@@     -> origin app host:port, e.g. 127.0.0.1:3000
+#   @@TENANT@@       -> short slug used for log filenames, e.g. acme-corp
+
+# ---------------------------------------------------------------------------
+# Rate-limit zone declaration.
+#
+# IMPORTANT (field report #344 F4a): limit_req_zone is an http{}-context-only
+# directive. It MUST live in the top-level http{} block (e.g. nginx.conf or a
+# file in conf.d/ that is included at http scope) — it is NOT valid inside a
+# server{} or location{} block and `nginx -t` will reject it there with
+# "limit_req_zone directive is not allowed here".
+#
+# Declare the zone ONCE at http{} scope, then *apply* it per-location with
+# `limit_req` (which IS valid in server{}/location{}). The line below is shown
+# here for reference only — move it to your http{} context:
+#
+#   limit_req_zone $binary_remote_addr zone=@@TENANT@@_perip:10m rate=20r/s;
+#
+# The WebSocket upgrade map below is ALSO http{}-context-only — declare it once
+# at http{} scope alongside the rate-limit zone, not inside server{}:
+#
+#   map $http_upgrade $connection_upgrade {
+#       default upgrade;
+#       ''      close;     # plain HTTP keep-alive: send Connection: close-able
+#   }
+# ---------------------------------------------------------------------------
+
+upstream @@TENANT@@_origin {
+    # Origin application. keepalive reduces TCP churn on the proxy hop.
+    server @@UPSTREAM@@;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name @@SERVER_NAME@@;
+
+    # --- Per-tenant access/error logs (field report #344 F4a) -------------
+    # Isolated per tenant so one tenant's traffic/errors never contaminate
+    # another's audit trail. Ensure /var/log/nginx exists and is writable.
+    access_log /var/log/nginx/@@TENANT@@.access.log combined;
+    error_log  /var/log/nginx/@@TENANT@@.error.log warn;
+
+    # --- ACME http-01 passthrough (field report #344 F4a) -----------------
+    # Let's Encrypt validates by fetching /.well-known/acme-challenge/<token>
+    # over plain HTTP. This location MUST be reachable on :80 and MUST NOT be
+    # redirected or proxied to the app, or certificate issuance/renewal fails.
+    # Point root at the webroot your ACME client writes challenges into.
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/acme;
+        # No proxy here — serve the challenge token straight from the webroot.
+        # NOTE: nginx add_header inheritance is replace-not-merge, but a block
+        # with zero add_header of its own inherits the parent's. The security
+        # headers declared at server{} scope below are thus also emitted here;
+        # that is harmless for a bare token response. If you must strip them on
+        # this path, redeclare the headers you want (or none) inside this block.
+        try_files $uri =404;
+    }
+
+    # --- Security header stack (field report #344 F4a) --------------------
+    # Applied at the origin so the posture survives even if a Cloudflare
+    # response-header rule is later removed. `always` ensures the headers are
+    # emitted on error responses (4xx/5xx) too, not just 2xx/3xx.
+    #
+    # HSTS-aware: behind Cloudflare Flexible the browser<->edge leg is HTTPS,
+    # so advertising HSTS is correct for the public hostname. Start with a
+    # short max-age while validating, then raise to 1y + preload once certain
+    # the apex and every subdomain are HTTPS-only at the edge.
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    # frame-ancestors is the modern replacement for X-Frame-Options; both are
+    # sent for backward compatibility with older user agents.
+    add_header Content-Security-Policy "frame-ancestors 'self'" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # --- Reverse proxy to the origin app ----------------------------------
+    # NOTE (field report #344 F2): there is deliberately NO
+    #   `return 301 https://$host$request_uri;`
+    # and NO `if ($http_x_forwarded_proto != "https") { return 301 ...; }`
+    # here. On a Cloudflare *Flexible* zone the edge talks HTTP to the origin,
+    # so any origin-level HTTP->HTTPS redirect produces an infinite redirect
+    # loop (ERR_TOO_MANY_REDIRECTS). Let Cloudflare handle the HTTPS upgrade
+    # at the edge. If you switch the zone to Full/Full-strict, terminate TLS
+    # at the origin and add the redirect in a separate :80 server block.
+    location / {
+        # Apply the http{}-scoped rate-limit zone here (this is the valid
+        # context for limit_req; the zone itself is declared at http{} scope
+        # per the note at the top of this file).
+        limit_req zone=@@TENANT@@_perip burst=40 nodelay;
+
+        proxy_pass http://@@TENANT@@_origin;
+        proxy_http_version 1.1;
+
+        # Preserve client + protocol context for the app. X-Forwarded-Proto is
+        # taken from Cloudflare's CF-Visitor / the edge; default to https since
+        # the public-facing leg is HTTPS even though this hop is HTTP.
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host  $host;
+
+        # WebSocket / upgrade support. $connection_upgrade is the http{}-scoped
+        # map declared at the top of this file: it sends "upgrade" for WS and
+        # "close" for plain HTTP. This single directive replaces the conflicting
+        # `Connection "upgrade"` + `Connection ""` pair and lets keepalive to
+        # the upstream coexist with WebSocket upgrades.
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        proxy_connect_timeout 5s;
+        proxy_send_timeout    60s;
+        proxy_read_timeout    60s;
+
+        proxy_buffering on;
+    }
+
+    # Lightweight health endpoint that bypasses the app, for the edge/monitor.
+    location = /healthz {
+        access_log off;
+        default_type "application/json";
+        return 200 '{"status":"ok"}';
+    }
+}

package/dist/docs/patterns/post-deploy-probe.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# Post-Deploy Probe — Assert sensitive paths are NOT publicly served.
+#
+# Reference implementation for .claude/commands/deploy.md Step 4.5.
+# Probes a denylist of paths against a live deploy URL.
+#
+# CONTENT-AWARE, NOT STATUS-ONLY (field report #371). A Single-Page App with a
+# catch-all route returns HTTP 200 for EVERY path — /.env, /.git/config,
+# /id_rsa — by serving index.html. A status-only probe reads those 200s as
+# "EXPOSED" and would trigger a ROLLBACK of a clean deploy (false positive),
+# while a real leak that happens to 200 looks identical to the shell. So we
+# assert on CONTENT and Content-Type, not status alone:
+#   - 200 + text/html shell (<!doctype html> / <html)            -> PASS  (SPA fallback)
+#   - 200 + non-HTML body (KEY=VALUE, JSON, PEM, "ref:", binary) -> EXPOSED (real leak)
+#   - non-200                                                    -> PASS  (not served)
+# A real .env leak is text/plain `KEY=VALUE`; a .git/config is an INI `[core]`
+# block; an id_rsa is a `-----BEGIN ... PRIVATE KEY-----` PEM. None are HTML.
+#
+# Evidence: field reports #305 (32-day credential leak), #303 (methodology
+# exposure), #371 (SPA catch-all status-only false-positive → would-be rollback).
+#
+# Usage:
+#   DEPLOY_URL=https://example.com bash docs/patterns/post-deploy-probe.sh
+#   DEPLOY_URL=https://example.com DEPLOY_PROBE_EXTRA=$'/admin\n/private.key' bash docs/patterns/post-deploy-probe.sh
+
+set -euo pipefail
+
+: "${DEPLOY_URL:?DEPLOY_URL is required (e.g. https://example.com)}"
+
+# Strip trailing slash for clean URL composition.
+DEPLOY_URL="${DEPLOY_URL%/}"
+
+TMP="$(mktemp -t postdeploy-probe.XXXXXX)"
+BODY="$(mktemp -t postdeploy-body.XXXXXX)"
+cleanup() { rm -f "$TMP" "$BODY"; }
+trap cleanup EXIT INT TERM
+
+# Fixed denylist — mirrors Step 4.5 in .claude/commands/deploy.md.
+DENYLIST=(
+  "/.env"
+  "/.env.production"
+  "/.env.local"
+  "/.git/config"
+  "/.git/HEAD"
+  "/.claude/agents/silver-surfer-herald.md"
+  "/docs/methods/FORGE_KEEPER.md"
+  "/HOLOCRON.md"
+  "/CHANGELOG.md"
+  "/VERSION.md"
+  "/package.json"
+  "/tsconfig.json"
+  "/id_rsa"
+  "/.ssh/id_rsa"
+)
+
+# Optional extensible denylist (newline-separated).
+if [[ -n "${DEPLOY_PROBE_EXTRA:-}" ]]; then
+  while IFS= read -r extra; do
+    [[ -n "$extra" ]] && DENYLIST+=("$extra")
+  done <<< "$DEPLOY_PROBE_EXTRA"
+fi
+
+# Decide whether a fetched path is a REAL leak vs an SPA HTML fallback.
+# Inputs: $1 status, $2 content-type header, body file at $BODY.
+# Echoes "leak" or "ok".
+classify() {
+  local status="$1" ctype="$2"
+  # Only a 200 can possibly be a leak; anything else is not served.
+  [[ "$status" == "200" ]] || { echo "ok"; return; }
+
+  # Lowercase the content-type for matching.
+  local ct; ct="$(printf '%s' "$ctype" | tr '[:upper:]' '[:lower:]')"
+
+  # An HTML response is the SPA catch-all shell, not the sensitive file. PASS.
+  if [[ "$ct" == *"text/html"* ]]; then echo "ok"; return; fi
+  # Body-sniff fallback when the server omits/mislabels Content-Type: a leading
+  # <!doctype html> or <html is the SPA shell.
+  if head -c 256 "$BODY" | tr '[:upper:]' '[:lower:]' | grep -qE '<!doctype html|<html'; then
+    echo "ok"; return
+  fi
+
+  # 200 + non-HTML body = the real file is being served. EXPOSED.
+  echo "leak"
+}
+
+hits=0
+checked=0
+
+for path in "${DENYLIST[@]}"; do
+  checked=$((checked + 1))
+  url="${DEPLOY_URL}${path}"
+  # Capture status + content-type, and the body (capped) for sniffing.
+  read -r status ctype < <(
+    curl -s -o "$BODY" --max-time 10 \
+      -w '%{http_code} %{content_type}\n' "$url" 2>/dev/null || echo "000 -"
+  )
+  verdict="$(classify "$status" "$ctype")"
+  if [[ "$verdict" == "leak" ]]; then
+    hits=$((hits + 1))
+    printf 'LEAK     %s  %-24s  -> %s\n' "$status" "$ctype" "$url" | tee -a "$TMP" >&2
+  else
+    printf 'ok       %s  %-24s  -> %s\n' "$status" "$ctype" "$url"
+  fi
+done
+
+printf '{"action":"post-deploy-probe","url":"%s","checked":%d,"hits":%d,"mode":"content-aware"}\n' \
+  "$DEPLOY_URL" "$checked" "$hits"
+
+if (( hits > 0 )); then
+  echo "[post-deploy-probe] ${hits} sensitive path(s) served as non-HTML content. Rollback and fix deploy surface." >&2
+  exit 1
+fi
+
+echo "[post-deploy-probe] clean (SPA HTML fallbacks treated as PASS)"
+exit 0

package/dist/docs/patterns/rls-test-fixture.py

@@ -0,0 +1,140 @@
+"""
+Pattern: RLS Test Fixture (db_as_app SAVEPOINT)
+
+Source: Field report #318 §5. Cara Dune (Union Station, M-05) discovered that
+Testcontainers' default `us_test` user is `SUPERUSER + BYPASSRLS=t`.
+Superusers bypass FORCE RLS at the engine level — the policy doesn't fire.
+Any test using the shared `db` fixture for cross-tenant assertions will
+silently pass even when the policy is broken.
+
+Without this pattern, RLS tests that pass in development WILL silently fail
+in production under the runtime non-owner role.
+
+Use this pattern in every Python/asyncpg + pytest project with FORCE RLS.
+The same shape ports to SQLAlchemy + sync sessions, psycopg, and Django ORM.
+"""
+
+import pytest
+import pytest_asyncio
+import asyncpg
+from contextlib import asynccontextmanager
+from typing import AsyncIterator
+
+# ── Fixtures ──────────────────────────────────────────────────────────────
+
+
+@pytest_asyncio.fixture
+async def db_as_app(db: asyncpg.Connection) -> AsyncIterator[asyncpg.Connection]:
+    """
+    Wrap the standard `db` fixture so RLS-sensitive tests run under the app
+    role (BYPASSRLS=f), not the SUPERUSER bootstrap role. Connection state
+    is restored on test teardown.
+
+    Use this fixture for any test that asserts an RLS policy fires. Use the
+    standard `db` fixture only for schema setup or admin-only operations.
+
+    Pairs with a `pg_container_app` fixture (below) that provisions an
+    app-level role with `LOGIN NOBYPASSRLS NOSUPERUSER` matching the
+    runtime DSN identity.
+    """
+    await db.execute("SAVEPOINT rls_test")
+    try:
+        await db.execute(f"SET LOCAL ROLE {APP_ROLE_NAME}")
+        # If the test sets a tenant ContextVar, wire it through:
+        #   await db.execute("SELECT set_config('app.current_org_id', $1, true)", org_id)
+        yield db
+    finally:
+        await db.execute("ROLLBACK TO SAVEPOINT rls_test")
+
+
+@pytest.fixture(scope="session")
+def app_role_name() -> str:
+    return APP_ROLE_NAME
+
+
+# ── Container provisioning (run once per test session) ────────────────────
+
+APP_ROLE_NAME = "unionstation_app"  # Match production DSN identity
+
+
+async def provision_app_role(admin_conn: asyncpg.Connection) -> None:
+    """
+    Create the runtime non-owner role inside the test container. Mirrors
+    production: NOLOGIN if password-less; LOGIN with a fixed test password
+    if the test harness needs to connect as this role directly.
+
+    NOSUPERUSER and NOBYPASSRLS are the load-bearing settings. Without these,
+    the role retains FORCE RLS bypass and the fixture buys you nothing.
+    """
+    await admin_conn.execute(f"""
+        DO $$
+        BEGIN
+            IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '{APP_ROLE_NAME}') THEN
+                CREATE ROLE {APP_ROLE_NAME}
+                    LOGIN
+                    NOSUPERUSER
+                    NOBYPASSRLS
+                    NOCREATEDB
+                    NOCREATEROLE
+                    PASSWORD 'test_app_password';
+                GRANT USAGE ON SCHEMA public TO {APP_ROLE_NAME};
+                GRANT SELECT, INSERT, UPDATE, DELETE
+                    ON ALL TABLES IN SCHEMA public TO {APP_ROLE_NAME};
+                GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO {APP_ROLE_NAME};
+            END IF;
+        END $$;
+    """)
+
+
+# ── Usage example ─────────────────────────────────────────────────────────
+
+
+@pytest.mark.asyncio
+async def test_rls_blocks_cross_org_select(db_as_app: asyncpg.Connection) -> None:
+    """
+    Use db_as_app — NOT db — for any RLS-policy assertion. Under the
+    SUPERUSER `db` fixture, this test would pass even if the policy were
+    deleted.
+    """
+    await db_as_app.execute(
+        "SELECT set_config('app.current_org_id', '1', true)"
+    )
+    rows = await db_as_app.fetch("SELECT id, org_id FROM people")
+    assert all(row["org_id"] == 1 for row in rows), \
+        "RLS allowed cross-org rows under FORCE — policy is broken or role has BYPASSRLS=t"
+
+
+# ── Asynccontextmanager variant for non-pytest contexts ───────────────────
+
+
+@asynccontextmanager
+async def as_app_role(conn: asyncpg.Connection) -> AsyncIterator[asyncpg.Connection]:
+    """
+    Imperative variant of the fixture for scripts and one-off RLS exercises.
+    """
+    await conn.execute("SAVEPOINT as_app_role")
+    try:
+        await conn.execute(f"SET LOCAL ROLE {APP_ROLE_NAME}")
+        yield conn
+    finally:
+        await conn.execute("ROLLBACK TO SAVEPOINT as_app_role")
+
+
+# ── Anti-patterns ─────────────────────────────────────────────────────────
+#
+# 1. Using `db` fixture for RLS assertions. SUPERUSER bypass means
+#    every test passes regardless of policy correctness. Production blows up.
+#
+# 2. Provisioning the app role with BYPASSRLS=t "for convenience." Defeats
+#    the entire FORCE RLS deployment.
+#
+# 3. SET ROLE without SAVEPOINT. Test pollution: subsequent tests run under
+#    whichever role the previous test ended in.
+#
+# 4. Skipping ROLLBACK TO SAVEPOINT in the finally branch. Connection
+#    pooling will hand out a connection still scoped to APP_ROLE_NAME.
+#
+# 5. SET LOCAL ROLE inside an asyncpg pool callback (which runs outside any
+#    transaction). Use SET ROLE (session-scoped) plus explicit RESET ROLE
+#    on connection release. See field report #319 §1 — same trap surfaced
+#    in M-04c W3.

package/dist/docs/patterns/structural-sql-sentinel.py

@@ -0,0 +1,134 @@
+"""
+Pattern: Structural SQL Sentinel (with adversarial-test discipline)
+
+Source: Field report #319 §3. V083 sentinel #2 originally used a single regex
+matching `current_setting(...) = ''`. Three Wave 3 reviewers independently
+flagged that the regex misses commuted (`'' = current_setting(...)`),
+cast (`current_setting(...)::text = ''`), IS NULL canonical
+(`current_setting(...) IS NULL`), and coalesce-wrapped variants. Each missed
+form is a future fail-open re-introduction the sentinel is supposed to block.
+
+A single-form structural sentinel is a single point of failure. This pattern
+documents the discipline: every structural sentinel has positive controls,
+adversarial alternation tests, AND fixture-bindability proof.
+
+Use this pattern for any SQL-shape policing — fail-open detection in RLS
+policies, dangerous catalog reads, deprecated function calls, plaintext
+storage in encrypted columns.
+"""
+
+import re
+import pytest
+from typing import Iterable
+
+
+# ── The Sentinel ──────────────────────────────────────────────────────────
+
+# Comprehensive regex that matches all known fail-open forms. Each
+# alternation is a CVE-class pattern that has bitten production at least once.
+FAIL_OPEN_RE = re.compile(
+    r"""
+    (
+        # Direct equality
+        current_setting\([^)]*\)\s*=\s*''            |
+        # Commuted (Postgres doesn't canonicalize operand order)
+        ''\s*=\s*current_setting\([^)]*\)            |
+        # Cast on the function call
+        current_setting\([^)]*\)\s*::\s*\w+\s*=\s*'' |
+        # IS NULL form (treats unset GUC as fail-open)
+        current_setting\([^)]*\)\s*IS\s+NULL         |
+        # COALESCE wrap
+        coalesce\(\s*current_setting\([^)]*\)\s*,\s*''\s*\)\s*=\s*''
+    )
+    """,
+    re.IGNORECASE | re.VERBOSE,
+)
+
+
+def policy_is_fail_open(policy_qual: str) -> bool:
+    """Return True if the policy expression contains a known fail-open arm."""
+    return bool(FAIL_OPEN_RE.search(policy_qual))
+
+
+# ── Positive controls (must trigger) ─────────────────────────────────────
+
+POSITIVE_FORMS = [
+    # Direct
+    "current_setting('app.current_org_id', true) = ''",
+    # Whitespace tolerance
+    "current_setting('app.current_org_id', true)   =   ''",
+    # Commuted
+    "'' = current_setting('app.current_org_id', true)",
+    # Cast
+    "current_setting('app.current_org_id', true)::text = ''",
+    # IS NULL
+    "current_setting('app.current_org_id', true) IS NULL",
+    # COALESCE wrap
+    "coalesce(current_setting('app.current_org_id', true), '') = ''",
+]
+
+
+# ── Negative controls (must NOT trigger) ──────────────────────────────────
+
+NEGATIVE_FORMS = [
+    # The legitimate org_id check the sentinel is protecting
+    "org_id = current_setting('app.current_org_id', true)::int",
+    "org_id::text = current_setting('app.current_org_id', true)",
+    # Other unrelated comparisons
+    "deleted_at IS NULL",
+    "tenant_id = (SELECT id FROM tenants WHERE name = 'system')",
+]
+
+
+# ── Adversarial-bindability test ──────────────────────────────────────────
+
+
+@pytest.mark.parametrize("form", POSITIVE_FORMS)
+def test_sentinel_catches_fail_open_form(form: str) -> None:
+    """Every known fail-open variant must trip the sentinel."""
+    assert policy_is_fail_open(form), \
+        f"SENTINEL GAP: form did not trip — '{form}'"
+
+
+@pytest.mark.parametrize("form", NEGATIVE_FORMS)
+def test_sentinel_does_not_false_positive(form: str) -> None:
+    """Legitimate policy expressions must not trip the sentinel."""
+    assert not policy_is_fail_open(form), \
+        f"FALSE POSITIVE: legitimate form tripped — '{form}'"
+
+
+# ── Fixture-bindability proof ─────────────────────────────────────────────
+#
+# A structural sentinel is meaningful only if it can FAIL on a deliberate
+# regression. Test that, too:
+
+
+def test_sentinel_can_bind() -> None:
+    """
+    Construct a deliberate regression and assert the sentinel catches it.
+    If this assertion ever flips, either the regex was changed silently
+    or the fail-open form is no longer detectable. Either way, an alert
+    is mandatory.
+    """
+    deliberate_regression = "current_setting('x', true) = ''"
+    assert policy_is_fail_open(deliberate_regression), \
+        "BINDABILITY FAILURE: sentinel cannot fail under any input — it's a no-op"
+
+
+# ── Anti-patterns ─────────────────────────────────────────────────────────
+#
+# 1. SUBSTRING match instead of regex (LIKE '%...%'). Misses commuted, cast,
+#    and IS NULL forms. Field report #319 §3.
+#
+# 2. Single regex variant without alternation. The first migration author who
+#    writes a different form silently re-introduces the class.
+#
+# 3. Positive controls only. Without negative controls, false positives
+#    flood the alert channel and reviewers learn to ignore them.
+#
+# 4. No bindability proof. A sentinel that algebraically cannot fail is a
+#    no-op. See /docs/patterns/adr-verification-gate.md.
+#
+# 5. Sentinel lives in one place (CI grep) without a database-side mirror.
+#    Belt-and-suspenders: lint the policy text in CI AND assert
+#    policy_is_fail_open() against pg_policies.qual at runtime.

package/dist/wizard/lib/project-init.d.ts

@@ -21,4 +21,21 @@ export interface ProjectResult {
     markerId: string;
     filesCreated: number;
 }
+/**
+ * Wire the /contextmeter status line + awareness hook into settings.json (default-on).
+ * Mirrors mergeSettingsHook: set `statusLine` only when the project doesn't already have
+ * one (never clobber a user's), and append the UserPromptSubmit awareness hook unless an
+ * equivalent is already present (idempotent). Defaults (warn 80 / crit 92) live in the
+ * scripts, so the wired commands carry no env prefix.
+ *
+ * Shared by `init` (copyMethodology) and `update` (applyUpdate) so `update` auto-activates
+ * the meter the same way `init` does (#384 follow-up). Returns `true` when it makes — or,
+ * under `{ dryRun: true }`, WOULD make — a change, so the updater can report the pending
+ * settings edit and decide `applied`. `snippetDir` lets the dry-run read the snippet from
+ * the methodology SOURCE before the scripts have been copied into the project.
+ */
+export declare function mergeStatuslineSettings(projectDir: string, opts?: {
+    dryRun?: boolean;
+    snippetDir?: string;
+}): Promise<boolean>;
 export declare function createProject(config: ProjectConfig): Promise<ProjectResult>;

package/dist/wizard/lib/project-init.js

@@ -206,17 +206,30 @@ async function mergeSettingsHook(projectDir) {
  * one (never clobber a user's), and append the UserPromptSubmit awareness hook unless an
  * equivalent is already present (idempotent). Defaults (warn 80 / crit 92) live in the
  * scripts, so the wired commands carry no env prefix.
+ *
+ * Shared by `init` (copyMethodology) and `update` (applyUpdate) so `update` auto-activates
+ * the meter the same way `init` does (#384 follow-up). Returns `true` when it makes — or,
+ * under `{ dryRun: true }`, WOULD make — a change, so the updater can report the pending
+ * settings edit and decide `applied`. `snippetDir` lets the dry-run read the snippet from
+ * the methodology SOURCE before the scripts have been copied into the project.
  */
-async function mergeStatuslineSettings(projectDir) {
-    const snippetPath = join(projectDir, 'scripts', 'statusline', 'settings-snippet.json');
+export async function mergeStatuslineSettings(projectDir, opts = {}) {
+    const snippetDir = opts.snippetDir ?? join(projectDir, 'scripts', 'statusline');
+    const snippetPath = join(snippetDir, 'settings-snippet.json');
     const settingsPath = join(projectDir, '.claude', 'settings.json');
     if (!existsSync(snippetPath))
-        return;
-    const snippet = JSON.parse(await readFile(snippetPath, 'utf-8'));
+        return false;
+    let snippet;
+    try {
+        snippet = JSON.parse(await readFile(snippetPath, 'utf-8'));
+    }
+    catch {
+        return false;
+    }
     const snippetStatusLine = snippet?.statusLine;
     const snippetUserPrompt = (snippet?.hooks?.UserPromptSubmit ?? []);
     if (!snippetStatusLine && snippetUserPrompt.length === 0)
-        return;
+        return false;
     let settings = {};
     if (existsSync(settingsPath)) {
         try {
@@ -224,15 +237,15 @@ async function mergeStatuslineSettings(projectDir) {
         }
         catch {
             // Existing settings.json is unreadable — leave it alone.
-            return;
+            return false;
         }
     }
-    else {
-        await mkdir(join(projectDir, '.claude'), { recursive: true });
-    }
+    let changed = false;
     // statusLine: never clobber a project's existing one.
     if (snippetStatusLine && !settings.statusLine) {
-        settings.statusLine = snippetStatusLine;
+        if (!opts.dryRun)
+            settings.statusLine = snippetStatusLine;
+        changed = true;
     }
     // UserPromptSubmit: append the awareness hook unless an equivalent is already present.
     const existingHooks = (settings.hooks ?? {});
@@ -242,12 +255,19 @@ async function mergeStatuslineSettings(projectDir) {
         return hooks.some((h) => typeof h?.command === 'string' && h.command.includes('context-awareness-hook'));
     });
     if (!alreadyHasMeter && snippetUserPrompt.length > 0) {
-        settings.hooks = {
-            ...existingHooks,
-            UserPromptSubmit: [...existingUserPrompt, ...snippetUserPrompt],
-        };
+        if (!opts.dryRun) {
+            settings.hooks = {
+                ...existingHooks,
+                UserPromptSubmit: [...existingUserPrompt, ...snippetUserPrompt],
+            };
+        }
+        changed = true;
     }
-    await writeFile(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf-8');
+    if (changed && !opts.dryRun) {
+        await mkdir(join(projectDir, '.claude'), { recursive: true });
+        await writeFile(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf-8');
+    }
+    return changed;
 }
 // ── Identity Injection ───────────────────────────────────
 async function injectIdentity(projectDir, config) {

package/dist/wizard/lib/updater.js

@@ -8,6 +8,7 @@ import { join } from 'node:path';
 import { execSync } from 'node:child_process';
 import { readMarker, writeMarker, DEFAULT_CLAUDE_MD_STRATEGY } from './marker.js';
 import { planClaudeMdUpdate, UPSTREAM_SUFFIX } from './claude-md-strategy.js';
+import { mergeStatuslineSettings } from './project-init.js';
 /**
  * Decide which `update` mode the given argv selects. Pure — no I/O, no exit.
  *
@@ -103,8 +104,9 @@ export async function diffMethodology(projectDir) {
         { src: 'docs/patterns', dest: 'docs/patterns' },
         { src: 'scripts/thumper', dest: 'scripts/thumper' },
         { src: 'scripts/surfer-gate', dest: 'scripts/surfer-gate' },
-        // Context-meter status line + awareness hook (/contextmeter). Scripts propagate on
-        // update; activation (statusLine + UserPromptSubmit hook in settings.json) stays opt-in.
+        // Context-meter status line + awareness hook (/contextmeter). Scripts propagate here;
+        // activation (statusLine + UserPromptSubmit hook in settings.json) is wired below the
+        // same way `init` does it, so `update` auto-activates the meter too (#384 follow-up).
         { src: 'scripts/statusline', dest: 'scripts/statusline' },
     ];
     // CLAUDE.md is handled via the non-destructive strategy mechanism (issue #368)
@@ -179,6 +181,22 @@ export async function diffMethodology(projectDir) {
             }
         }
     }
+    // /contextmeter activation (#384 follow-up): `update` now wires the statusLine +
+    // awareness hook into .claude/settings.json the same way `init` does. Report the pending
+    // settings change here so `--dry-run` shows it. The snippet is read from the SOURCE — the
+    // project may not have the statusline scripts yet on this update — and the check is
+    // idempotent + non-clobbering (it returns false once the meter is wired, or when the
+    // project already has its own statusLine).
+    const statuslineNeedsWiring = await mergeStatuslineSettings(projectDir, {
+        dryRun: true,
+        snippetDir: join(sourceRoot, 'scripts', 'statusline'),
+    });
+    if (statuslineNeedsWiring) {
+        const settingsEntry = '.claude/settings.json';
+        if (!plan.modified.includes(settingsEntry) && !plan.added.includes(settingsEntry)) {
+            plan.modified.push(settingsEntry);
+        }
+    }
     return plan;
 }
 // ── Apply Update ─────────────────────────────────────────
@@ -214,13 +232,20 @@ export async function applyUpdate(projectDir) {
             await writeFile(`${claudeMdDestPath}${UPSTREAM_SUFFIX}`, claudeMdPlan.sideFileContent, 'utf-8');
         }
     }
-    // The CLAUDE.md plan entries are handled above — exclude them from the
-    // generic verbatim copy loop so we don't double-write or clobber.
-    const claudeMdEntries = new Set(['CLAUDE.md', `CLAUDE.md${UPSTREAM_SUFFIX}`]);
+    // Skip from the generic verbatim copy loop:
+    //  - CLAUDE.md entries: handled above by the non-destructive strategy.
+    //  - .claude/settings.json: wired below by mergeStatuslineSettings, not copied verbatim
+    //    (the methodology source carries no project settings.json — copying it would throw,
+    //    or in dev clobber the project with the methodology repo's own dogfood settings).
+    const skipVerbatim = new Set([
+        'CLAUDE.md',
+        `CLAUDE.md${UPSTREAM_SUFFIX}`,
+        '.claude/settings.json',
+    ]);
     // Copy added + modified files
     const { mkdir } = await import('node:fs/promises');
     for (const file of [...plan.added, ...plan.modified]) {
-        if (claudeMdEntries.has(file))
+        if (skipVerbatim.has(file))
             continue;
         const srcPath = join(sourceRoot, file);
         const destPath = join(projectDir, file);
@@ -228,6 +253,12 @@ export async function applyUpdate(projectDir) {
         await mkdir(destDir, { recursive: true });
         await cp(srcPath, destPath);
     }
+    // /contextmeter activation (#384 follow-up): wire the statusLine + awareness hook into
+    // .claude/settings.json so `update` matches `init`'s default-on behavior. The scripts
+    // were copied above; this turns the meter on. Idempotent + non-clobbering — it never
+    // overwrites a user's own statusLine and never duplicates the awareness hook, so it is
+    // safe to run on every update.
+    await mergeStatuslineSettings(projectDir);
     // Update marker version
     const marker = await readMarker(projectDir);
     if (marker) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "voidforge-build",
-  "version": "23.20.0",
+  "version": "23.22.0",
   "description": "From nothing, everything. A methodology framework for building with Claude Code.",
   "type": "module",
   "engines": {
@@ -45,7 +45,7 @@
     "@aws-sdk/client-rds": "^3.700.0",
     "@aws-sdk/client-s3": "^3.700.0",
     "@aws-sdk/client-sts": "^3.700.0",
-    "voidforge-build-methodology": "^23.20.0",
+    "voidforge-build-methodology": "^23.22.0",
     "node-pty": "^1.2.0-beta.12",
     "ws": "^8.19.0"
   },