@complior/engine 0.9.0

package/src/infra/saas-client.ts

@@ -0,0 +1,123 @@
+import { createLogger } from './logger.js';
+
+const log = createLogger('saas-client');
+
+export interface SyncPassportPayload {
+  readonly name: string;
+  readonly vendorName?: string;
+  readonly vendorUrl?: string;
+  readonly description?: string;
+  readonly purpose?: string;
+  readonly domain?: string;
+  readonly riskLevel?: string;
+  readonly slug?: string;
+  readonly detectionPatterns?: unknown;
+  readonly versions?: unknown;
+  readonly autonomyLevel?: string;
+  readonly framework?: string;
+  readonly modelProvider?: string;
+  readonly modelId?: string;
+  readonly dataResidency?: string;
+  readonly lifecycleStatus?: string;
+  readonly compliorScore?: number;
+  readonly manifestVersion?: string;
+  readonly signature?: unknown;
+  readonly extendedFields?: unknown;
+}
+
+export interface SyncScanPayload {
+  readonly projectPath: string;
+  readonly score?: number;
+  readonly findings?: readonly { severity: string; message: string; tool?: string }[];
+  readonly toolsDetected: readonly { name: string; version?: string; vendor?: string; category?: string }[];
+}
+
+export interface SyncDocPayload {
+  readonly type: string;
+  readonly title: string;
+  readonly content: string;
+  readonly obligationId?: string;
+  readonly toolSlug?: string;
+}
+
+export interface SaasClient {
+  readonly syncPassport: (token: string, payload: SyncPassportPayload) => Promise<Record<string, unknown>>;
+  readonly syncScan: (token: string, payload: SyncScanPayload) => Promise<Record<string, unknown>>;
+  readonly syncDocuments: (token: string, documents: readonly SyncDocPayload[]) => Promise<Record<string, unknown>>;
+  readonly syncFria: (token: string, payload: Record<string, unknown>) => Promise<Record<string, unknown>>;
+  readonly syncStatus: (token: string) => Promise<Record<string, unknown>>;
+  readonly fetchDataBundle: (etag?: string) => Promise<{ data: Record<string, unknown> | null; etag?: string }>;
+  readonly syncAudit: (token: string, entries: readonly Record<string, unknown>[]) => Promise<Record<string, unknown>>;
+  readonly syncEvidence: (token: string, summary: Record<string, unknown>) => Promise<Record<string, unknown>>;
+  readonly syncRegistry: (token: string, entries: readonly Record<string, unknown>[]) => Promise<Record<string, unknown>>;
+}
+
+export const createSaasClient = (baseUrl: string): SaasClient => {
+  const url = baseUrl.replace(/\/$/, '');
+
+  const postJson = async (endpoint: string, token: string, body: unknown): Promise<Record<string, unknown>> => {
+    log.debug(`POST ${endpoint}`);
+    const resp = await fetch(`${url}${endpoint}`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(30_000),
+    });
+    if (!resp.ok) {
+      const text = await resp.text().catch(() => '');
+      throw new Error(`SaaS ${endpoint} failed (${resp.status}): ${text}`);
+    }
+    const data: Record<string, unknown> = await resp.json();
+    return data;
+  };
+
+  const getJson = async (endpoint: string, token: string): Promise<Record<string, unknown>> => {
+    log.debug(`GET ${endpoint}`);
+    const resp = await fetch(`${url}${endpoint}`, {
+      method: 'GET',
+      headers: { 'Authorization': `Bearer ${token}` },
+      signal: AbortSignal.timeout(30_000),
+    });
+    if (!resp.ok) {
+      const text = await resp.text().catch(() => '');
+      throw new Error(`SaaS ${endpoint} failed (${resp.status}): ${text}`);
+    }
+    const data: Record<string, unknown> = await resp.json();
+    return data;
+  };
+
+  return Object.freeze({
+    syncPassport: (token: string, payload: SyncPassportPayload) => postJson('/api/sync/passport', token, payload),
+    syncScan: (token: string, payload: SyncScanPayload) => postJson('/api/sync/scan', token, payload),
+    syncDocuments: (token: string, documents: readonly SyncDocPayload[]) => postJson('/api/sync/documents', token, { documents }),
+    syncFria: (token: string, payload: Record<string, unknown>) => postJson('/api/sync/fria', token, payload),
+    syncStatus: (token: string) => getJson('/api/sync/status', token),
+    syncAudit: (token: string, entries: readonly Record<string, unknown>[]) => postJson('/api/sync/audit', token, { entries }),
+    syncEvidence: (token: string, summary: Record<string, unknown>) => postJson('/api/sync/evidence', token, summary),
+    syncRegistry: (token: string, entries: readonly Record<string, unknown>[]) => postJson('/api/sync/registry', token, { entries }),
+    fetchDataBundle: async (etag?: string) => {
+      log.debug('Fetching data bundle');
+      const headers: Record<string, string> = {};
+      if (etag) headers['If-None-Match'] = etag;
+
+      const resp = await fetch(`${url}/v1/data/bundle`, {
+        method: 'GET',
+        headers,
+        signal: AbortSignal.timeout(30_000),
+      });
+
+      if (resp.status === 304) {
+        return { data: null, etag };
+      }
+      if (!resp.ok) {
+        throw new Error(`Data bundle fetch failed (${resp.status})`);
+      }
+      const newEtag = resp.headers.get('etag') ?? undefined;
+      const data: Record<string, unknown> = await resp.json();
+      return { data, etag: newEtag };
+    },
+  });
+};

package/src/infra/search-adapter.ts

@@ -0,0 +1,113 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { readdir, readFile } from 'node:fs/promises';
+import { join, extname } from 'node:path';
+// search utilities
+
+const execFileAsync = promisify(execFile);
+
+export interface SearchResult {
+  readonly file: string;
+  readonly line: number;
+  readonly content: string;
+}
+
+const ripgrepSearch = async (
+  pattern: string,
+  searchPath: string,
+): Promise<readonly SearchResult[]> => {
+  try {
+    const { stdout } = await execFileAsync('rg', [
+      '--json',
+      '--max-count', '50',
+      '--max-filesize', '1M',
+      '-g', '!node_modules',
+      '-g', '!.git',
+      '-g', '!dist',
+      pattern,
+      searchPath,
+    ], { timeout: 10_000, maxBuffer: 5 * 1024 * 1024 });
+
+    const results: SearchResult[] = [];
+
+    for (const line of stdout.split('\n')) {
+      if (line.trim() === '') continue;
+      try {
+        const isRec = (v: unknown): v is Record<string, unknown> =>
+          typeof v === 'object' && v !== null;
+        const raw: unknown = JSON.parse(line);
+        if (!isRec(raw) || raw['type'] !== 'match') continue;
+        const data = isRec(raw['data']) ? raw['data'] : {};
+        const pathObj = isRec(data['path']) ? data['path'] : {};
+        const linesObj = isRec(data['lines']) ? data['lines'] : {};
+        results.push({
+          file: typeof pathObj['text'] === 'string' ? pathObj['text'] : '',
+          line: typeof data['line_number'] === 'number' ? data['line_number'] : 0,
+          content: typeof linesObj['text'] === 'string' ? linesObj['text'].trim() : '',
+        });
+      } catch {
+        // skip malformed JSON lines
+      }
+    }
+
+    return results;
+  } catch {
+    return [];
+  }
+};
+
+const SEARCH_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.py', '.md', '.json', '.html']);
+
+const nativeSearch = async (
+  pattern: string,
+  searchPath: string,
+): Promise<readonly SearchResult[]> => {
+  const results: SearchResult[] = [];
+  const regex = new RegExp(pattern, 'gi');
+
+  const walk = async (dir: string, depth: number): Promise<void> => {
+    if (depth > 8 || results.length > 50) return;
+
+    const entries = await readdir(dir, { withFileTypes: true }).catch(() => []);
+
+    for (const entry of entries) {
+      if (results.length > 50) break;
+      if (entry.name === 'node_modules' || entry.name === '.git' || entry.name === 'dist') continue;
+
+      const fullPath = join(dir, entry.name);
+
+      if (entry.isDirectory()) {
+        await walk(fullPath, depth + 1);
+      } else if (entry.isFile() && SEARCH_EXTENSIONS.has(extname(entry.name))) {
+        try {
+          const content = await readFile(fullPath, 'utf-8');
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (regex.test(lines[i] ?? '')) {
+              results.push({ file: fullPath, line: i + 1, content: (lines[i] ?? '').trim() });
+            }
+            regex.lastIndex = 0;
+          }
+        } catch {
+          // skip unreadable files
+        }
+      }
+    }
+  };
+
+  await walk(searchPath, 0);
+  return results;
+};
+
+export const search = async (
+  pattern: string,
+  searchPath: string,
+): Promise<readonly SearchResult[]> => {
+  // Try ripgrep first, fall back to native
+  const rgResults = await ripgrepSearch(pattern, searchPath);
+  if (rgResults.length > 0) {
+    return rgResults;
+  }
+
+  return nativeSearch(pattern, searchPath);
+};

package/src/infra/shell-adapter.ts

@@ -0,0 +1,68 @@
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+import { ToolError } from '../types/errors.js';
+
+const execAsync = promisify(exec);
+
+const ALLOWED_COMMANDS = new Set([
+  'bun', 'npm', 'npx', 'node', 'tsc', 'eslint', 'prettier',
+  'git', 'cargo', 'rustc', 'rustfmt', 'clippy',
+  'ls', 'cat', 'head', 'tail', 'wc', 'find', 'grep', 'rg',
+  'echo', 'pwd', 'which', 'env', 'mkdir', 'cp', 'mv', 'touch',
+]);
+
+const DEFAULT_TIMEOUT = 30_000;
+const MAX_TIMEOUT = 30_000;
+
+export interface CommandResult {
+  readonly stdout: string;
+  readonly stderr: string;
+  readonly exitCode: number;
+}
+
+const extractFirstToken = (command: string): string => {
+  const trimmed = command.trim();
+  // Handle env var prefixes like "FOO=bar cmd"
+  const withoutEnvVars = trimmed.replace(/^(?:\w+=\S+\s+)+/, '');
+  const firstToken = withoutEnvVars.split(/[\s;|&]/)[0] ?? '';
+  // Handle paths like /usr/bin/git → git
+  return firstToken.split('/').pop() ?? '';
+};
+
+export const runCommand = async (
+  command: string,
+  cwd?: string,
+  timeout?: number,
+): Promise<CommandResult> => {
+  const token = extractFirstToken(command);
+
+  if (!ALLOWED_COMMANDS.has(token)) {
+    throw new ToolError(`Command not allowed: "${token}". Allowed: ${[...ALLOWED_COMMANDS].join(', ')}`);
+  }
+
+  const effectiveTimeout = Math.min(timeout ?? DEFAULT_TIMEOUT, MAX_TIMEOUT);
+
+  try {
+    const { stdout, stderr } = await execAsync(command, {
+      cwd,
+      timeout: effectiveTimeout,
+      maxBuffer: 5 * 1024 * 1024,
+      env: { ...process.env, NODE_ENV: 'development' },
+    });
+
+    return { stdout, stderr, exitCode: 0 };
+  } catch (error: unknown) {
+    if (error !== null && typeof error === 'object' && 'killed' in error && error.killed) {
+      throw new ToolError(`Command timed out after ${effectiveTimeout}ms`);
+    }
+
+    if (error !== null && typeof error === 'object') {
+      const stdout = 'stdout' in error && typeof error.stdout === 'string' ? error.stdout : '';
+      const stderr = 'stderr' in error && typeof error.stderr === 'string' ? error.stderr : '';
+      const code = 'code' in error && typeof error.code === 'number' ? error.code : 1;
+      return { stdout, stderr, exitCode: code };
+    }
+
+    return { stdout: '', stderr: String(error), exitCode: 1 };
+  }
+};

package/src/infra/tool-manager.test.ts

@@ -0,0 +1,99 @@
+import { describe, it, expect, vi } from 'vitest';
+import { createToolManager, type ProcessRunner } from './tool-manager.js';
+
+const createMockRunner = (responses: Record<string, { stdout: string; stderr: string; exitCode: number }>): ProcessRunner => {
+  return async (cmd: string, args: readonly string[]) => {
+    const key = `${cmd} ${args.join(' ')}`;
+    // Find matching response by prefix
+    for (const [pattern, response] of Object.entries(responses)) {
+      if (key.startsWith(pattern) || key.includes(pattern)) {
+        return response;
+      }
+    }
+    return { stdout: '', stderr: 'command not found', exitCode: 127 };
+  };
+};
+
+describe('createToolManager', () => {
+  it('reports uv not available when uv --version fails', async () => {
+    const runner = createMockRunner({
+      'uv --version': { stdout: '', stderr: 'not found', exitCode: 127 },
+    });
+    const mgr = createToolManager('/tmp/tools', runner);
+    expect(await mgr.isUvAvailable()).toBe(false);
+  });
+
+  it('reports uv available when uv --version succeeds', async () => {
+    const runner = createMockRunner({
+      'uv --version': { stdout: 'uv 0.5.10\n', stderr: '', exitCode: 0 },
+    });
+    const mgr = createToolManager('/tmp/tools', runner);
+    expect(await mgr.isUvAvailable()).toBe(true);
+  });
+
+  it('returns error status for all tools when uv is not available', async () => {
+    const runner = createMockRunner({
+      'uv --version': { stdout: '', stderr: 'not found', exitCode: 127 },
+    });
+    const mgr = createToolManager('/tmp/tools', runner);
+    const statuses = await mgr.ensureTools(['semgrep', 'bandit']);
+    expect(statuses).toHaveLength(2);
+    expect(statuses[0]!.installed).toBe(false);
+    expect(statuses[0]!.error).toContain('uv not available');
+    expect(statuses[1]!.installed).toBe(false);
+  });
+
+  it('detects already installed tool', async () => {
+    const runner = createMockRunner({
+      'uv --version': { stdout: 'uv 0.5.10\n', stderr: '', exitCode: 0 },
+      'uv tool run semgrep --version': { stdout: '1.67.0\n', stderr: '', exitCode: 0 },
+      'uv tool run -- which semgrep': { stdout: '/home/user/.local/bin/semgrep\n', stderr: '', exitCode: 0 },
+    });
+    const mgr = createToolManager('/tmp/tools', runner);
+    const statuses = await mgr.ensureTools(['semgrep']);
+    expect(statuses).toHaveLength(1);
+    expect(statuses[0]!.installed).toBe(true);
+    expect(statuses[0]!.version).toBe('1.67.0');
+  });
+
+  it('installs tool when not already installed', async () => {
+    let installCalled = false;
+    const runner: ProcessRunner = async (cmd, args) => {
+      const key = `${cmd} ${args.join(' ')}`;
+      if (key === 'uv --version') return { stdout: 'uv 0.5.10\n', stderr: '', exitCode: 0 };
+      if (key.includes('tool run semgrep --version') && !installCalled) return { stdout: '', stderr: 'not installed', exitCode: 1 };
+      if (key.includes('tool install semgrep==')) {
+        installCalled = true;
+        return { stdout: 'Installed semgrep\n', stderr: '', exitCode: 0 };
+      }
+      if (key.includes('tool run semgrep --version') && installCalled) return { stdout: '1.67.0\n', stderr: '', exitCode: 0 };
+      if (key.includes('which semgrep')) return { stdout: '/home/user/.local/bin/semgrep\n', stderr: '', exitCode: 0 };
+      return { stdout: '', stderr: 'unknown command', exitCode: 1 };
+    };
+    const mgr = createToolManager('/tmp/tools', runner);
+    const statuses = await mgr.ensureTools(['semgrep']);
+    expect(statuses).toHaveLength(1);
+    expect(statuses[0]!.installed).toBe(true);
+    expect(installCalled).toBe(true);
+  });
+
+  it('getToolPath returns null for unknown tools', () => {
+    const runner = createMockRunner({});
+    const mgr = createToolManager('/tmp/tools', runner);
+    expect(mgr.getToolPath('nonexistent')).toBeNull();
+  });
+
+  it('getToolStatus returns status for all known tools', async () => {
+    const runner = createMockRunner({
+      'uv --version': { stdout: 'uv 0.5.10\n', stderr: '', exitCode: 0 },
+      'uv tool run': { stdout: '', stderr: 'not installed', exitCode: 1 },
+    });
+    const mgr = createToolManager('/tmp/tools', runner);
+    const statuses = await mgr.getToolStatus();
+    expect(statuses.length).toBeGreaterThanOrEqual(4);
+    for (const s of statuses) {
+      expect(s.name).toBeTruthy();
+      expect(s.expectedVersion).toBeTruthy();
+    }
+  });
+});

package/src/infra/tool-manager.ts

@@ -0,0 +1,197 @@
+import { execFile } from 'node:child_process';
+import { resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { mkdir, readFile } from 'node:fs/promises';
+import { fileURLToPath } from 'node:url';
+
+// Load pinned tool versions at module level
+const TOOL_VERSIONS_PATH = resolve(
+  fileURLToPath(import.meta.url), '..', '..', 'data', 'tool-versions.json',
+);
+
+export interface ToolVersionEntry {
+  readonly package: string;
+  readonly version: string;
+  readonly description: string;
+}
+
+export interface ToolStatus {
+  readonly name: string;
+  readonly installed: boolean;
+  readonly version?: string;
+  readonly expectedVersion: string;
+  readonly path?: string;
+  readonly error?: string;
+}
+
+// Re-export ProcessRunner from port for backward compatibility
+export type { ProcessRunner } from '../ports/process.port.js';
+
+export interface ToolManager {
+  readonly ensureTools: (tools: readonly string[]) => Promise<readonly ToolStatus[]>;
+  readonly getToolStatus: () => Promise<readonly ToolStatus[]>;
+  readonly updateTools: () => Promise<readonly ToolStatus[]>;
+  readonly getToolPath: (name: string) => string | null;
+  readonly isUvAvailable: () => Promise<boolean>;
+}
+
+/** Default tools dir — user-level, shared across projects, complior-scoped. */
+export const DEFAULT_TOOLS_DIR = resolve(homedir(), '.complior', 'tools');
+
+/** Create a process runner that passes UV_TOOL_DIR so uv installs to ~/.complior/tools/. */
+const createUvProcessRunner = (toolsDir: string): ProcessRunner => (cmd, args, options) => {
+  return new Promise((resolve) => {
+    execFile(cmd, [...args], {
+      timeout: options?.timeout ?? 60_000,
+      maxBuffer: 10 * 1024 * 1024,
+      env: { ...process.env, UV_TOOL_DIR: toolsDir },
+    }, (error, stdout, stderr) => {
+      resolve({
+        stdout: stdout ?? '',
+        stderr: stderr ?? '',
+        exitCode: error ? (error as NodeJS.ErrnoException & { code?: number }).code === 'ENOENT' ? 127 : (error as { code?: number }).code ?? 1 : 0,
+      });
+    });
+  });
+};
+
+export const createToolManager = (
+  toolsDir?: string,
+  runProcess?: ProcessRunner,
+): ToolManager => {
+  const dir = toolsDir ?? DEFAULT_TOOLS_DIR;
+  const run = runProcess ?? createUvProcessRunner(dir);
+  const installedPaths = new Map<string, string>();
+  let toolVersions: Record<string, ToolVersionEntry> | null = null;
+
+  const loadVersions = async (): Promise<Record<string, ToolVersionEntry>> => {
+    if (toolVersions) return toolVersions;
+    const raw = await readFile(TOOL_VERSIONS_PATH, 'utf-8');
+    toolVersions = JSON.parse(raw) as Record<string, ToolVersionEntry>;
+    return toolVersions;
+  };
+
+  const isUvAvailable = async (): Promise<boolean> => {
+    const result = await run('uv', ['--version'], { timeout: 5000 });
+    return result.exitCode === 0;
+  };
+
+  const checkInstalled = async (name: string, versions: Record<string, ToolVersionEntry>): Promise<ToolStatus> => {
+    const entry = versions[name];
+    if (!entry) {
+      return { name, installed: false, expectedVersion: 'unknown', error: `Unknown tool: ${name}` };
+    }
+
+    // Check if uv tool is installed — `uv tool run <pkg> --version`
+    const result = await run('uv', ['tool', 'run', entry.package, '--version'], { timeout: 15_000 });
+    if (result.exitCode === 0) {
+      // Extract semver from potentially verbose output (e.g. "bandit 1.7.8\n  python version = ...")
+      const semverMatch = result.stdout.match(/(\d+\.\d+\.\d+)/);
+      const version = semverMatch?.[1] ?? result.stdout.trim().split('\n')[0]?.trim() ?? '';
+      // Try to find the tool path
+      const whichResult = await run('uv', ['tool', 'run', '--', 'which', entry.package], { timeout: 5000 });
+      const toolPath = whichResult.exitCode === 0 ? whichResult.stdout.trim() : undefined;
+      if (toolPath) installedPaths.set(name, toolPath);
+      return { name, installed: true, version, expectedVersion: entry.version, path: toolPath };
+    }
+
+    return { name, installed: false, expectedVersion: entry.version };
+  };
+
+  const installTool = async (name: string, versions: Record<string, ToolVersionEntry>): Promise<ToolStatus> => {
+    const entry = versions[name];
+    if (!entry) {
+      return { name, installed: false, expectedVersion: 'unknown', error: `Unknown tool: ${name}` };
+    }
+
+    // Ensure tools directory exists
+    await mkdir(dir, { recursive: true });
+
+    // Install via uv tool install
+    const result = await run('uv', [
+      'tool', 'install',
+      `${entry.package}==${entry.version}`,
+    ], { timeout: 120_000 });
+
+    if (result.exitCode !== 0) {
+      // Check if already installed (uv returns non-zero if already installed)
+      if (result.stderr.includes('already installed') || result.stderr.includes('is already available')) {
+        return checkInstalled(name, versions);
+      }
+      return {
+        name,
+        installed: false,
+        expectedVersion: entry.version,
+        error: `Install failed: ${result.stderr.slice(0, 200)}`,
+      };
+    }
+
+    return checkInstalled(name, versions);
+  };
+
+  const ensureTools = async (tools: readonly string[]): Promise<readonly ToolStatus[]> => {
+    const versions = await loadVersions();
+
+    // Check if uv is available
+    const uvOk = await isUvAvailable();
+    if (!uvOk) {
+      return tools.map((name) => ({
+        name,
+        installed: false,
+        expectedVersion: versions[name]?.version ?? 'unknown',
+        error: 'uv not available — install with: curl -LsSf https://astral.sh/uv/install.sh | sh',
+      }));
+    }
+
+    const results: ToolStatus[] = [];
+    for (const name of tools) {
+      const status = await checkInstalled(name, versions);
+      if (status.installed) {
+        results.push(status);
+      } else {
+        results.push(await installTool(name, versions));
+      }
+    }
+    return results;
+  };
+
+  const getToolStatus = async (): Promise<readonly ToolStatus[]> => {
+    const versions = await loadVersions();
+    const uvOk = await isUvAvailable();
+    if (!uvOk) {
+      return Object.keys(versions).map((name) => ({
+        name,
+        installed: false,
+        expectedVersion: versions[name]!.version,
+        error: 'uv not available',
+      }));
+    }
+
+    return Promise.all(
+      Object.keys(versions).map((name) => checkInstalled(name, versions)),
+    );
+  };
+
+  const updateTools = async (): Promise<readonly ToolStatus[]> => {
+    const versions = await loadVersions();
+    const uvOk = await isUvAvailable();
+    if (!uvOk) {
+      return Object.keys(versions).map((name) => ({
+        name,
+        installed: false,
+        expectedVersion: versions[name]!.version,
+        error: 'uv not available',
+      }));
+    }
+
+    return Promise.all(
+      Object.keys(versions).map((name) => installTool(name, versions)),
+    );
+  };
+
+  const getToolPath = (name: string): string | null => {
+    return installedPaths.get(name) ?? null;
+  };
+
+  return Object.freeze({ ensureTools, getToolStatus, updateTools, getToolPath, isUvAvailable });
+};

package/src/llm/agents/agent-modes.test.ts

@@ -0,0 +1,44 @@
+import { describe, it, expect } from 'vitest';
+import { getAgentConfig, getAllModes, nextMode } from './modes.js';
+
+describe('Agent Modes', () => {
+  it('provides 4 modes', () => {
+    expect(getAllModes()).toEqual(['build', 'comply', 'audit', 'learn']);
+  });
+
+  it('build mode enables writes', () => {
+    const config = getAgentConfig('build');
+    expect(config.writeEnabled).toBe(true);
+    expect(config.label).toBe('BUILD');
+  });
+
+  it('comply mode disables writes', () => {
+    const config = getAgentConfig('comply');
+    expect(config.writeEnabled).toBe(false);
+  });
+
+  it('audit mode disables writes', () => {
+    const config = getAgentConfig('audit');
+    expect(config.writeEnabled).toBe(false);
+  });
+
+  it('learn mode disables writes', () => {
+    const config = getAgentConfig('learn');
+    expect(config.writeEnabled).toBe(false);
+  });
+
+  it('all modes have disclaimer in system prompt', () => {
+    for (const mode of getAllModes()) {
+      const config = getAgentConfig(mode);
+      expect(config.systemPrompt).toContain('not a legal advisor');
+      expect(config.systemPrompt).toContain('NEVER');
+    }
+  });
+
+  it('nextMode cycles through modes', () => {
+    expect(nextMode('build')).toBe('comply');
+    expect(nextMode('comply')).toBe('audit');
+    expect(nextMode('audit')).toBe('learn');
+    expect(nextMode('learn')).toBe('build');
+  });
+});