IJFW used to write its project files into every directory a session started in,
including throwaway scratch dirs and ephemeral "temporary spaces" (e.g. Wayland).
A one-shot chat in a temp space got ijfw/, AGENTS.md, and CLAUDE.md it never
asked for. This release gates all on-disk writes behind a single rule.

Changed (behavior)

• IJFW now only materializes project files in a real project. "Real project"
  means the directory carries a recognized marker (a VCS dir like .git, or a
  language manifest like package.json / pyproject.toml / go.mod / Cargo.toml
  / tsconfig.json and friends), or you explicitly ran ijfw init (which drops
  .ijfw/project). With no marker, memory recall still works in-session, but
  nothing is written to disk. This is the same rule the codebase indexer already
  enforced (issue #16), now applied to every write surface: the visible ijfw/
  brain layer (dream pipeline), AGENTS.md, CLAUDE.md / GEMINI.md, and the
  .ijfw/project.type cold scan.
• ijfw init is the one-command override for a real project that lacks a VCS dir
  or manifest.

Fixed

• Codex and Gemini session-start hooks gained the $HOME / filesystem-root
  refusal they never had. The shared seed gate refuses to author config in the
  home directory, its ancestors, or the filesystem root, closing a latent
  global-config-bleed path on those two platforms (Claude already had this guard).
• Release-gate flake: the gitleaks preflight gate runs detect --no-git,
  which walks node_modules (~95 MB) and could exceed the gate's 30s spawn
  timeout, killing a clean scan mid-flight and reporting a false FAIL. The spawn
  timeout is now 120s, and node_modules / dist / .git are allowlisted so a
  third-party fixture cannot itself flag the gate.
• esbuild bumped to 0.28.1 (build-only devDep) to clear advisory
  GHSA-gv7w-rqvm-qjhr. Not shipped to users; build tooling only.

The seed rule lives once per language surface (seed-gate.js, seed-gate.sh, and
the indexer guard) and the three marker lists are locked together by a drift test.

A 14-angle audit of the entire codebase (every finding adversarially verified
against the live code before it made the fix list) surfaced 57 confirmed
issues. All are fixed in this release. The headline themes: enforcement
surfaces that looked alive but never blocked, config writes that could lose
user data, and hot-path costs that grew with session length.

Changed (scriptable behavior -- read these three if you automate IJFW)

• ijfw uninstall --purge from a non-TTY now requires --yes. Piped or
  scripted invocations used to skip the confirmation prompt silently; an
  irreversible purge now needs the explicit flag when there is no terminal to
  ask. Interactive behavior is unchanged.
• ijfw cross exits 3 (INCONCLUSIVE) when zero auditors fire. It used to
  exit 0, which let CI treat "no audit happened" as "audit passed." If your
  pipeline gates on it, treat 0 as pass, 3 as no-auditors-reachable.
• Copilot / VS Code MCP registration moved to the servers key. IJFW
  wrote mcpServers into .vscode/mcp.json, but VS Code's schema reads
  servers -- the registration was never loaded. Re-install migrates the old
  key automatically.

Fixed

• The extension permission sandbox now actually blocks. Every deny path in
  the PreToolUse hook exited with code 1, but the hook contract only blocks a
  tool call on exit 2 -- so undeclared tools ran anyway while the hook printed
  a denial message. Deny paths now exit 2 and emit the structured
  permissionDecision envelope, on Claude, Codex, and Gemini. The runtime
  mediator also gates all MCP tools now (4, including write-capable
  ijfw_state and ijfw_brain, used to bypass permission and quota checks).
• Hook timeouts are now real. hooks.json values were authored in
  milliseconds but the platform reads seconds -- the intended 15s session-start
  watchdog was actually 4.2 hours. All values converted; a check-all gate caps
  every hook at 60s.
• ijfw_metrics token/cost totals are accurate. The Stop hook fires after
  every turn and appended cumulative rows that the aggregator then summed,
  overcounting roughly quadratically with session length. Rows now carry a
  session id and the aggregator dedupes last-row-wins; the transcript is read
  incrementally via a byte cursor instead of fully re-parsed every turn.
• Installer and uninstaller close every found data-loss path. Re-clone
  restore is transactional (a mid-restore crash can no longer destroy restored
  memory); --dir/IJFW_HOME targets must look like an IJFW install before
  any destructive git op; every platform-config rewrite takes a backup first
  (the old backup gate was dead code); corrupt configs are preserved to a
  timestamped .bak and announced instead of silently replaced with IJFW-only
  content; BOM-prefixed valid configs parse instead of being treated as
  corrupt; uninstall deletes only hook files IJFW created, takes YAML backups
  before rewriting, preserves file modes, and its purge guard requires a real
  IJFW marker (and works on Windows).
• Memory engine correctness. Warm-tier auto-indexing now routes content
  through the same secret-redaction scrub as ingest; LIKE escapes carry the
  ESCAPE clause in both staleness engines (snake_case symbol flagging
  silently matched nothing); PRAGMA quick_check moved from every single-row
  insert to a throttled cadence in both FTS tiers -- the corruption tripwire
  stays, the per-write full-database scan goes.
• Hot paths trimmed. Per-tool-call node spawn eliminated (pattern cache),
  per-prompt spawns consolidated, the observation ledger appends without
  re-reading the whole file, and session start no longer blocks on a
  synchronous dashboard render.
• Hermes re-install no longer corrupts config.yaml (the MCP block landed
  under plugins: and emptied mcp_servers); Gemini upgrades refresh hook
  registration; YAML scalars escape Windows backslashes; plugin lists dedupe.
• Windows: update check, auditor probe, recovery verification, codex cost
  reader, design preview, and the dashboard browser-opener all spawn
  platform-appropriate binaries; Claude-native memory path encoding handles
  drive letters.
• Release pipeline honesty. publish.yml now runs check-all.sh as a
  blocking job before npm publish, and the gitleaks gate fails (instead of
  warning) in CI when the binary is missing -- with the workflow installing
  it, the secret scan runs for real. The e2e scope-leak gate covers all 17
  written platform configs. The flaky dream-trigger/cold-scan tests are fixed
  at the root: the poll busy-spun a CPU core and starved the detached runner
  it was waiting for; it now sleeps via Atomics.wait with a generous
  ceiling (verified 8/8 green with all cores saturated).
• Indexer privacy parity with ijfw init: refuses any filesystem root and
  ancestors of $HOME, writes into the validated root (not the cwd), and
  announces truncation.

A focused patch closing two community-reported bugs (#16, #17) and a sweep of
privacy, security, and performance fixes from a full audit. No behavior changes
for existing users beyond the bugs being gone.

Fixed

• #16 — the codebase indexer no longer walks your home directory. A session
  whose working directory was $HOME would recursively index everything under it
  (Dropbox, Downloads, Documents, Library), capturing the first line of each file
  and, on macOS, firing a cascade of permission prompts. The indexer now refuses
  to index $HOME or /, indexes only a folder with a real project marker
  (.git, package.json, go.mod, ...) or one you bless with the new
  ijfw init, excludes user-data dirs as defense-in-depth, and is bounded so it
  can never run unbounded. Regression test ships as an e2e gate.
• #17 — ijfw-uninstall --purge now leaves nothing behind. Install and
  uninstall are driven from one shared manifest plus a created-vs-merged ledger
  written at install time, so removal is symmetric. This removes the orphaned
  ijfw-memory MCP entry (the host no longer tries to spawn a deleted binary),
  the Codex hook scripts on disk, the Hermes plugin tree and its plugins.enabled
  • hook wiring, the stale known_marketplaces.json entry, the Pi AGENTS.md,
    and any tool dirs IJFW created for CLIs that were never installed — while never
    deleting a directory you already had. A sandboxed install → uninstall → grep
    test asserts zero references remain.

Added

• ijfw init — explicitly approve the current folder for codebase indexing
  (for working folders with no VCS marker). Refuses to bless $HOME or /.
• ijfw-install --dry-run / --print-plan — print every file and directory
  the install would touch, writing nothing.
• IJFW_MINIMAL=1 — one master switch for "memory only, nothing else":
  disables the indexer, update check, dashboard auto-start, transcript parsing,
  AGENTS.md generation, style/voice capture, and cross-project surfacing.
• IJFW_NO_VOICE_EXEMPLAR=1 and IJFW_NO_CROSS_PROJECT=1 — granular
  privacy opt-outs. docs/PRIVACY.md now carries the full collect/disable table
  and the complete network-egress accounting.

Security & privacy

• Uninstall --purge refuses to delete the home root, the filesystem root, a
  shallow path, or any directory that does not look like an IJFW install — closes
  a --dir / IJFW_HOME data-loss footgun and a symlink-escape.
• The Google model-list probe sends the API key as a header, not a URL query
  param (keeps it out of proxy/CDN logs). Error-signal and registry files are
  written owner-only (0600).
• The local dashboard rejects cross-origin browser requests to its data API
  (Sec-Fetch-Site guard), so a page in another tab cannot read your memory or
  cost data even though the server already binds to loopback only.
• A HOME-unset edge (containers/cron) can no longer resolve a relative .ijfw
  path; it falls back to the OS user directory.

Performance

• The session-start dashboard wait is now a short poll instead of a hard 500ms
  sleep on the hot path.
• The codebase indexer uses one awk pass per file instead of a five-process
  pipeline (wc + grep | head | sed | cut) — roughly 5x fewer subprocesses on
  large trees, identical output.
• The two best-effort per-prompt capture spawns now run detached instead of
  blocking, removing about 100ms of synchronous Node cold-start from each prompt.

IJFW now learns your working style and keeps a portable, private profile you control — plus a sweep of reliability and polish across the CLI and the cross-AI engine.

Added — Cross-system learning

• IJFW learns how you work, privately and on by default. From your first session, IJFW builds a lightweight model of your communication style — terseness, formality, rhythm, tone — derived locally from interaction metadata only (never your message text) at zero LLM cost. Captured across Claude Code, Codex, and Gemini; stored as plain markdown you can read, edit, or wipe; available to every MCP-connected AI on your stack.
• ijfw personalize — one switch, fully in your control. on / off toggles whether your learned style rides into your AI's context (low-sensitivity by default, opt-in — capture is local-only and never injected until you say so). status shows what's been learned and the current settings; forget wipes the profile. IJFW_PROFILE_KILL is an instant kill-switch. Full controls in the README's eighth engine.

Improved — CLI

• Friendlier command surface. ijfw now offers "did you mean...?" guidance for mistyped or subcommand-style verbs, and checkpoint / worktree are available as top-level shortcuts — fewer dead ends, faster discovery.

Improved — Multi-AI Trident (cross-audit)

• Broader, more dependable auditor support. The cross-audit roster was refreshed against the current generation of partner CLIs (Gemini, OpenCode, Qwen, Kimi, Copilot) for more reliable multi-model reviews across the stack, with regression coverage that keeps the roster current as those tools evolve.

Documentation and honesty

• README rebuilt as a visual, benefit-first landing page. Every engine (memory, build discipline, cross-audit, specialist bench, token economy, observability, learns-you, design contract, platforms, and "it is yours") now leads with what it does for you, backed by a deep-dive doc. Proof is up front, ties are stated as ties, and there are no em dashes anywhere.
• Observability now describes exactly what ships. The dashboard's savings tile reports only measured, defensible numbers (real cache-read savings at Anthropic's posted cache pricing, first-recall memory savings, and pre-ship cross-audit findings). An earlier "estimated spend without IJFW" multiplier with no empirical baseline was removed for honesty, and the docs were corrected to match the shipping code.

Packaging

• The benchmark and lab-study harness no longer ships in the product package. The research tooling that compares IJFW against other memory systems (competitor adapters, dataset loaders, judge calibration, and run scripts) is not part of what the product runtime uses, so it was moved to a separate repository. The published packages are smaller and contain no benchmark sidecars or research scaffolding. The product keeps its own self-contained retrieval-quality harness (ijfw metrics --benchmark).

Stability & optimizations

• Reliability and robustness improvements across the memory, learning, capture, and CLI layers, with expanded functional and end-to-end test coverage.

A focused patch closing the one regression that escaped the v1.5.5 sweep and adding a new platform.

Fixed — Windows installer

The PowerShell installer (installer/src/install.ps1) now clones from github.com/FerroxLabs/ijfw. v1.5.5 migrated the Node installer to the new home but the PS path was missed — Windows users were still cloning from GitLab via \$DEFAULT_REPO. v1.5.6 lands the same migration on the PS path:

• DEFAULT_REPO updated to FerroxLabs/ijfw
• The iwr one-liner header updated to GitHub raw
• Stale-origin allowlist now includes the gitlab URL, so existing Windows installs self-heal their origin on next `ijfw install`

The `ijfw guide` fallback URL also moves to the GitHub blob path.

Added — Pi platform support

Pi (earendil-works/pi) joins the platform roster as rules-only tier #16. Pi loads `AGENTS.md` from `~/.pi/agent/` + parent dirs + cwd — IJFW now deploys `pi/AGENTS.md` to that path on install. No MCP wiring yet because Pi has no native MCP client (extension bridge required for the memory layer).

Updated — documentation

• `docs/SECURITY.md` shasum cross-check description now references GitHub release bodies (matches the v1.5.5 code change in `shasum-verify.js` — closes the doc-vs-code drift).
• `docs/CI-PUBLISH.md` flagged as legacy GitLab CI documentation. `.gitlab-ci.yml` was removed in v1.5.5; active publish pipeline is `.github/workflows/publish.yml`.
• `claude/agents/ijfw-release-eng.md` CI publish-watch step updated to reference GitHub Actions.

Repo move (informational)

The previous personal repository `github.com/TheRealSeanDonahoe/ijfw` was transferred to FerroxLabs to consolidate 162 stars + 26 forks + 30 tags of history under one canonical org. Old URLs continue to resolve via GitHub's automatic redirect.

First release under the Ferrox Labs organisation.

IJFW is Ferrox Labs' shared development infrastructure for AI coding agents. Open-sourced because the discipline travels with the tool.

Highlights

Strengthened — update flow integrity. ijfw update now verifies the post-install version on disk (npm-global, git-clone, and manual installs each verified at their canonical location) before writing state. If filesystem and announced version disagree, the state write is refused with a clear actionable error.

Strengthened — multi-AI cross-audit framework. Trident lens converge logic now emits distinct result shapes for clean-pass, intentional-bypass, and gate-execution-fail outcomes. Swarm task completion requires evidence (commitSha or diffStats) with an explicit skipEvidence opt-out for admin flows.

Strengthened — install bootstrap on broken-repo paths. cloneOrPull restore now uses cpSync + rmSync instead of renameSync — cross-filesystem restores (Docker volumes, NFS mounts, separate /tmp) no longer throw EXDEV after the destination is cleared. Restore allowlist expanded to cover the full v1.5.2+ brain content tree.

Strengthened — Windows + cross-platform parity. process.env.HOME paired with USERPROFILE across hooks. startsWith('/') heuristic replaced with path.isAbsolute() at every site. pack-hub-extension realpath aligned with macOS /var → /private/var resolution.

Strengthened — preflight gate. upgrade-smoke honours IJFW_SKIP_NETWORK=1, actually spawns the installer binary, and asserts settings.json as an unconditional post-condition.

Strengthened — extension installer truthfulness. Strict-bool ok plus tri-state status (success / partial / failed). Legacy if (r.ok) callers no longer treat partial deploys as success.

Strengthened — release notes + registry fetchers. shasum-verify ported to GitHub Releases API. update-check changelog URL points at github.com/FerroxLabs/ijfw/releases/tag/v<version>. Back-compat aliases preserved.

Strengthened — input validation surface. wave.advance payload merge recursively rejects prototype-polluting keys at any depth. commitRange validated against a strict shape regex before reaching git. appendStructuredToKnowledge gains content-hash dedup.

Strengthened — locking and replay semantics. state.replay body-restore acquires per-snapshot-target locks. Wave-state body write folded into the SDK's journaled critical section. Wiki-compiler and layout-sentinel delegate to the canonical withFsLock mechanism.

Retired. ijfw_update_apply MCP tool retired — redundant since ijfw_update_check started writing the sentinel in v1.5.0. 13 MCP tools active (within the ≤14 cap).

Rebranded. Source moved to github.com/FerroxLabs/ijfw. Package author flipped to Ferrox Labs across @ijfw/install, @ijfw/memory-server, and all plugin manifests.

Install

npm install -g @ijfw/install
ijfw install

One command. Thirteen AI coding agents configured. Local-first. Nothing to log into.

Platform support

Claude Code · Codex · Gemini · Cursor · Windsurf · Copilot · Hermes · Wayland · OpenCode · Qwen · Kimi · OpenClaw · Antigravity — fourteen via MCP. Plus Aider via the rules-only tier. Fifteen agents total.

If your AI codes, IJFW already runs there.

Verification

• mcp-server full suite: 2764 pass / 1 skipped (Windows-only) / 0 fail
• Installer preflight: 11/11 PASS
• Hub-extension integration: 13/13 PASS

ijfw-design -- three-option picker, cross-platform

• Reads DESIGN.md from project root first. If present, it becomes the design contract and the picker is skipped.
• When absent, presents three options: (1) reference a brand (smart suggestions from brand-atlas, auto-detected from project domain), (2) pick a style (12 curated templates), (3) blank slate.
• 12 curated DESIGN.md templates -- swiss-minimal, editorial-warm, terminal-native, cinematic-dark, glassmorphic, brutalist-luxe, maximalist-vibrant, neo-swiss-tech, data-dense-dashboard, warm-organic, bento-grid, magazine-editorial. Each follows the canonical 9-section spec. Compatible with Claude Design out of the box.
• New brand-atlas.json -- 12 domains x 3-5 brand suggestions each, with keyword-based auto-detection.
• Cross-platform parity -- Claude, Codex, Gemini, Hermes, Wayland all receive the updated SKILL.md + brand-atlas + 12 templates on install. 15 new E2E gates assert picker resources land on every platform.
• Rule 0 added -- real HTML mockups, never ASCII. Baked into the skill so downstream specialists carry the rule.

Dashboard -- dollar-saved ledger

Replaces the old 25% efficiency tile with: $X.XX spent / ~$Y.YY without IJFW / $Z.ZZ saved (N%).

Baseline via three multipliers: cache hit rate (vs 25% no-IJFW baseline, since natural conversation has some cache reuse), model routing (Haiku fraction vs all-Sonnet baseline), output discipline (30% fixed midpoint of the 20-40% range). Composite capped at 5x for defensibility. Inline methodology toggle cites every number's source -- skeptics can trace the math.

Fix #6 -- cross audit/critique sends file contents, not path (@shawnvink)

Previously ijfw cross audit <file> sent only the path string to auditors, who hallucinated findings from the filename/extension. Fixed via new resolveTarget() helper in mcp-server/src/cross-orchestrator-cli.js: substitutes File: <path>\n\n<contents> with a 64 KB size cap. Topics, git ranges, and non-existent paths pass through unchanged. 9 new unit tests + 1 E2E regression gate.

Other

• Cursor + Copilot now covered by E2E smoke (4 new gates).
• ijfw-workflow tier echo now carries Quick (3-5 min) / Deep (20-45 min) / Express (<1 min) time ranges.
• Cleaned up three long-standing TypeScript 6133 unused-var diagnostics.
• Banned-char sweep extended to U+2013 (en-dash), U+00B7 (middle dot), U+00E8 (accented characters).

Verification

35 E2E gates + check-all.sh + oxlint all green. Post-publish install-from-registry E2E verified picker + issue #6 fix reach installed platforms.

Install:
```
npm install -g @ijfw/install && ijfw-install
```

Full details in CHANGELOG.md.

Contributors

• @shawnvink

Docs + CLI polish release. Cuts the path to announcement clean.

What changed

• README rewritten with the six-lever savings framing. The single "25%+ output reduction" claim is gone. Replaced with a six-row table showing every compounding cost lever and its source: prompt cache (90% off, Anthropic-posted), smart routing (5-25x across Haiku/Sonnet/Opus), output discipline (20-40%), skill hot-load (55-line core + 19 lazy skills), memory recall (1 MCP call vs 10-20 tool grep cascade), compression (40-50%). Every number is either Anthropic-published, architecture-forced, or dashboard-measurable -- no single made-up percentage to defend against a close read.

• Trident section embeds a real cross-audit screenshot from a shipping project: 3 parallel audits, 30 consolidated findings, 18 fixes landed by 3 specialist swarms, final gauntlet 57/57 unit + 84/84 Playwright. One model's blind spot never reaches production alone.

• ijfw help actually opens the guide now. Pre-existing bug since 1.1.1: two ijfw binaries on disk, only the npx-reachable one knew the help subcommand. The ~/.local/bin/ijfw symlink resolves to a different launcher that had no help case. Fix: ported handleGuide(useBrowser) into cross-orchestrator-cli.js. Terminal mode pages through less -R. Browser mode renders via marked.js + GitHub-dark CSS to ~/.ijfw/guide/index.html and opens in default browser.

• Launch post + browser render at docs/announcements/ijfw-1.1.4-launch.md and .html. Three versions inside: Long (blog/LinkedIn), Short (X 6-tweet thread), HN (stripped of emoji + founder-tone, numbered lever citations). Cross-audited by parallel Gemini-strategic + Codex-technical critic passes before V3.

• Docs discoverability -- new README section embeds the ijfw help --browser render so readers see the dedicated docs command.

• Platform count corrected to 8 (Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, Hermes, Wayland). Hermes + Wayland were missing from the README hero copy.

Install

npm install -g @ijfw/install && ijfw-install

No behavioral change to the installer, MCP server, or any platform config surface. Safe upgrade from 1.1.3. Users running ijfw update pick up the ijfw help fix automatically.

See CHANGELOG.md for full details.

Windows hot-fix. npx -p @ijfw/install ijfw-install on Windows now works even when Git for Windows was installed with the default (non-PATH) bash setting.

Windows npx path fixed

• install.js resolves bash.exe via git.exe's install root instead of requiring bash on PATH. Git for Windows installs bash.exe at C:\Program Files\Git\bin\bash.exe but by default does NOT add that directory to PATH. Previous preflight (hasBin('bash')) always failed on a perfectly-functional Git for Windows install. New findBash() helper mirrors install.ps1's Resolve-GitBash: walks where git to the sibling bash.exe, falls back to Program Files defaults.
• runInstallScript() now spawns the resolved bash.exe path directly.
• Error message when git is missing points at a single winget install --id Git.Git command; drops the irm | iex PS1 fallback (Windows Defender heuristically flags that pattern as malicious).

Windows CI gate

• New .github/workflows/windows-smoke.yml runs on every push/PR on windows-latest. Two matrix jobs: default-path and stripped-path (removes Git\bin and Git\usr\bin from PATH to simulate the real end-user scenario). Both must pass. Would have caught the 1.1.2 regression at source.

Cross-platform build script

• installer/scripts/build.js replaces the old rm -rf && mkdir -p && cp && chmod pipeline with a pure-Node equivalent. npm run build now works identically on macOS, Linux, and Windows PowerShell. No new dependencies.

Internal

• installer and mcp-server bumped 1.1.2 -> 1.1.3 in lockstep.

Verified

• Local install on Windows (fresh clone + node dist/install.js --dir <scratch>): 8 platforms configured, 5/5 post-install gates, MCP handshake passes.
• macOS e2e harness (scripts/e2e-smoke.sh): 13/13 gates pass (no regression from 1.1.2).

Install:
```
npx -p @ijfw/install@1.1.3 ijfw-install
```

Upgrade from 1.1.2: rerun the command above. No config-schema changes; the Codex hooks.json nested format from 1.1.2 stays.

See CHANGELOG.md for the full release log.

Two new CLI platforms, deep installer repairs uncovered by live remote-server testing, and a 13-gate end-to-end smoke harness that has to pass before any future release.

New platforms (8 total)

• Hermes -- Python CLI. MCP registered in ~/.hermes/config.yaml, HERMES.md context file, 19 IJFW skills in ~/.hermes/skills/ijfw-* (agentskills.io format).
• Wayland -- same shape. MCP in ~/.wayland/config.yaml, WAYLAND.md, skills bundle.

scripts/install.sh gains a merge_yaml_mcp helper (python3+PyYAML preferred, sentinel-anchored fallback). Default target list expands to 8: claude, codex, gemini, cursor, windsurf, copilot, hermes, wayland.

Installer repairs

• Bug A -- platform-config writes (Codex, Gemini, Claude settings, Windsurf) now respect IJFW_CUSTOM_DIR. Scratch installs no longer leak paths into real user configs.
• Bug B -- Codex hooks.json migrated to nested schema ({"hooks": {EventName: [MatcherGroup]}}) per codex-cli 0.120+. Drops invalid AfterAgent event, renames script to command, adds "type": "command" discriminator.
• Bug C -- suppress_unstable_features_warning = true now written to ~/.codex/config.toml. Silences the codex_hooks under-development banner.
• Bug D -- Self-loop guards canonicalize $HOME via cd -P. Fixes recursive symlinks on macOS where /var/folders is a symlink to /private/var/folders.
• Bug E -- C_RED color variable declared in both tty/non-tty branches. Fixes installer crash under set -u when a post-install gate fails in CI or the smoke harness.

End-to-end smoke harness

scripts/e2e-smoke.sh. 13 gates across two modes:

1. Scratch-guard -- runs installer with IJFW_CUSTOM_DIR=1, verifies zero drift across 10 real-home config paths.
2. Isolated-HOME canonical install -- runs a full install into mktemp -d, parses every platform's written config against its expected schema, completes the MCP initialize + tools/list handshake.

Must pass before any future npm publish.

Uninstaller

• removeCodexHooks handles all three historical hook-file shapes.
• New removeYamlMcpEntry for Hermes + Wayland.
• Covers all 8 platforms.

Behavioral sync (all platforms)

• Banned openers + sharpened two-strikes reset (ijfw-core + platform rules).
• Two-strikes Step 6 (ijfw-debug).
• "Plausibility is not correctness" (ijfw-verify).
• Five concrete goal-rewrite examples (ijfw-workflow Quick FRAME).
• Pruning question (ijfw-memory-audit).
• Refactor reframe (ijfw-critique).

Next up

npm publish from author terminal (web-auth 2FA).

See CHANGELOG.md for the full release log.