fix: critical bugs, stale refs, README rewrite, security fixes

- Fix evaluator bypass on last story (moved completion check)
- Fix all stale command name references across README, loop.sh, skills, plugin.json
- Fix explore evaluator false rejects (.loop/ files are expected)
- Fix stderr capture order in headless mode
- Fix shell injection risk in hooks.sh python fallback
- Remove .DS_Store from tracking
- Rewrite README to match current architecture (single entry point, tmux, optional tools)
- Add XcodeBuildMCP and iOS simulator MCP to optional tools docs
2026-03-27 14:58:01 -04:00
parent f3cbfd258c
commit b3d263258a
10 changed files with 84 additions and 132 deletions

29
loop.sh

@@ -124,7 +124,7 @@ while [[ $# -gt 0 ]]; do
--dry-run) DRY_RUN=true; shift ;;
--headless) export LOOP_HEADLESS=true; shift ;;
--resume) RESUME=true; shift ;;
--replan) log "ERROR: --replan is not yet implemented. Use /loop-plan interactively."; exit 1 ;;
--replan) log "ERROR: --replan is not yet implemented. Use /agent-loop:stories interactively."; exit 1 ;;
[0-9]*) MAX_ITERATIONS="$1"; shift ;;
*) log "Unknown option: $1"; exit 1 ;;
esac
@@ -162,7 +162,7 @@ check_archive
# Validate prd.json exists (AFTER archive check, which may delete it on branch change)
if [ ! -f "$LOOP_DIR/prd.json" ]; then
log "ERROR: No prd.json found. Run /loop-plan first to create one."
log "ERROR: No prd.json found. Run /agent-loop:stories first to create one."
exit 1
fi
@@ -240,11 +240,11 @@ run_agent() {
claude)
printf '%s\n' "$prompt" | timeout "${LOOP_AGENT_TIMEOUT:-600}" \
claude --dangerously-skip-permissions --output-format text \
--print 2>&1 > "$output_file"
--print > "$output_file" 2>&1
;;
amp)
printf '%s\n' "$prompt" | timeout "${LOOP_AGENT_TIMEOUT:-600}" \
amp --dangerously-allow-all 2>&1 > "$output_file"
amp --dangerously-allow-all > "$output_file" 2>&1
;;
*)
log "ERROR: Unknown tool '$TOOL'"
@@ -319,7 +319,7 @@ while [ "$ITERATION" -lt "$MAX_ITERATIONS" ]; do
fi
snapshot_for_archive
if any_stories_blocked 2>/dev/null; then
log "Some stories are blocked and need human review. Run /loop-triage for details."
log "Some stories are blocked and need human review. Run /agent-loop:triage for details."
exit $EXIT_ALL_BLOCKED
fi
exit $EXIT_OK
@@ -364,7 +364,7 @@ while [ "$ITERATION" -lt "$MAX_ITERATIONS" ]; do
# --- Scope budget check ---
# Verify the generator stayed within configured limits (files modified, lines written).
# Advisory in implement/fix modes (log warning), but enforced as rejection reason for evaluator.
if [ -n "$PRE_GENERATOR_SHA" ] && [ "$PRE_GENERATOR_SHA" != "" ]; then
if [ -n "$PRE_GENERATOR_SHA" ]; then
SCOPE_FILES_MODIFIED=$(git diff --name-only "$PRE_GENERATOR_SHA" HEAD 2>/dev/null | wc -l | tr -d ' ')
SCOPE_LINES_WRITTEN=$(git diff --stat "$PRE_GENERATOR_SHA" HEAD 2>/dev/null | tail -1 | grep -oE '[0-9]+ insertion' | grep -oE '[0-9]+' || echo "0")
@@ -381,18 +381,9 @@ while [ "$ITERATION" -lt "$MAX_ITERATIONS" ]; do
export SCOPE_FILES_MODIFIED SCOPE_LINES_WRITTEN
fi
# Check for completion — in interactive mode, check prd.json directly
if all_stories_pass 2>/dev/null; then
log_header "All Stories Complete! ($(story_counts))"
snapshot_for_archive
exit 0
fi
# Headless mode: also check output sentinel
if [ -n "$GENERATOR_OUTPUT" ] && echo "$GENERATOR_OUTPUT" | grep -q "<promise>COMPLETE</promise>"; then
log_header "Generator signaled COMPLETE ($(story_counts))"
snapshot_for_archive
exit 0
fi
# NOTE: Do NOT check all_stories_pass here. The generator marks its own story
# as passed, but the evaluator hasn't verified yet. Checking here would skip
# evaluation on the last story. The completion check is at the top of the loop.
# --- Evaluator pass ---
if [ "$SKIP_EVAL" != true ]; then
@@ -460,6 +451,6 @@ done
# --- Max iterations reached ---
log_header "Max Iterations Reached ($MAX_ITERATIONS)"
log "Stories completed: $(story_counts)"
log "Run /loop-triage to generate a handoff brief."
log "Run /agent-loop:triage to generate a handoff brief."
snapshot_for_archive
exit $EXIT_MAX_ITERATIONS
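Review bot: The scope budget check in the `@@ -364,7 +364,7 @@` hunk fails open: both `git diff` calls discard stderr with `2>/dev/null` and pipe into `wc -l` or `grep ... || echo "0"`, so a `$PRE_GENERATOR_SHA` that git cannot resolve produces `SCOPE_FILES_MODIFIED=0` and `SCOPE_LINES_WRITTEN=0`, which looks the same as a run that stayed within budget. The agents in `run_agent` are started with `--dangerously-skip-permissions` and `--dangerously-allow-all`, so this budget is one of the few limits on the generator visible in this file and should fail closed. I would verify the commit first, for example `git rev-parse --verify --quiet "${PRE_GENERATOR_SHA}^{commit}" >/dev/null || SCOPE_CHECK_FAILED=true`, and have the evaluator treat that flag as a rejection reason (the variable name is a suggestion, not an existing one). Diffing `"$PRE_GENERATOR_SHA" HEAD` also counts only committed changes, so uncommitted or untracked files left by the generator would not be measured; whether the generator always commits is not visible here. The rest of the check lies outside the hunk.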