@hegemonart/get-design-done 1.59.9 → 1.60.1

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "Get Design Done — 5-stage agent-orchestrated design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 agents, 96 skills, 39 connection integrations, two MCP servers, opt-in SQLite state backbone, bidirectional Figma write-back, and a reflector-driven self-improvement loop. Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, and more.",
-    "version": "1.59.9"
+    "version": "1.60.1"
   },
   "plugins": [
     {
       "name": "get-design-done",
       "source": "./",
       "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (gdd-state for typed STATE mutators, gdd-mcp for 13 read-only project-priming tools), tier-aware routing with cost telemetry, and defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer). Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
-      "version": "1.59.9",
+      "version": "1.60.1",
       "author": {
         "name": "hegemonart"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "get-design-done",
   "short_name": "gdd",
-  "version": "1.59.9",
+  "version": "1.60.1",
   "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store for O(1) design-surface lookups, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (`gdd-state` for typed STATE mutators, `gdd-mcp` for 13 read-only project-priming tools), tier-aware agent routing with cost telemetry, defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer), and a cross-runtime install layer for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
   "author": {
     "name": "hegemonart",

package/CHANGELOG.md

@@ -4,6 +4,48 @@ All notable changes to get-design-done are documented here. Versions follow [sem
 
 ---
 
+## [1.60.1] - 2026-06-10
+
+**Security hardening** - two HIGH-severity vulnerabilities closed before the upcoming rebrand copies the foundation layer across every runtime. Both were reachable by a prompt-injected agent, undercutting the trust boundary the plugin's own scanners exist to defend. Each fix ships with failing-then-passing regression tests; an independent adversarial audit confirmed both vectors are dead with no surviving bypass.
+
+### Security
+
+- **Path traversal in the `gdd_intel_get` MCP tool (HARDEN-01).** A `slice_id` carrying `../`, an absolute path, or a path separator flowed unsanitized into a file read and could escape `.design/intel/` to return any `.json` file's contents (cloud credentials, config) to the caller. The intel store now rejects any non-basename `slice_id` and enforces a `resolve` + `startsWith(root + sep)` containment check before touching disk. Separately, the `gdd-mcp` server **now validates every `tools/call` argument against the advertised per-tool JSON schema** at the dispatcher - previously raw arguments were passed straight to handlers with no validation.
+- **Protected-paths guard canonicalization bypass (HARDEN-02).** The hook that blocks edits to `hooks/**`, `skills/**`, `.git/**`, and `.claude/settings.json` matched a non-canonical path string, so a Windows forward-slash absolute path (`C:/…`) or a `../<cwd-basename>/…` relative re-entry slipped past the block. The guard now canonicalizes candidates with `path.resolve` + `path.relative` (forward-slash drive letters included), mandatorily resolves the nearest existing ancestor with `realpathSync` to catch symlinked-ancestor-of-a-new-file escapes, and folds case on Windows/macOS. The two bypass vectors (previously untested) now have explicit regression coverage.
+
+### Breaking changes
+
+None.
+
+5,139/5,139 tests pass.
+
+---
+
+## [1.60.0] - 2026-06-10
+
+**Foundation & Honesty** - the subtract-first base the v2.0 work and the upcoming rebrand depend on. Make the catalog enumerable and the capability claims machine-checked *before* building or renaming anything. A pre-flight audit found the catalog already clean (0 content-duplicate skills, 0 orphan skills or agents, a perfect manifest to template to generated bijection, and every count and capability claim already tracing to source), so this release does not manufacture cuts - it removes genuinely dead code and adds the guards that lock the clean state in.
+
+### Removed
+
+- **Dead jsdom/puppeteer detection scaffolding** from `gdd-detect`. The CLI carried soft `try-require` probes for a `jsdom` "DOM-aware" engine and a `puppeteer` URL engine, plus `--fast`/`--puppeteer` flags - none of which were ever wired (the engine is and was pure regex over local files). 1.59.8 stopped the misleading mode label; this release deletes the dead probes and flags outright and rewrites the comments/help to the regex-only reality. `gdd-detect --help` now matches what it does. (A real DOM/URL engine is planned separately; this removal is reversed then.)
+
+### Added
+
+- **Catalog-integrity validator** (`validate:catalog`, wired into CI): exact content-hash duplicate detection across skill templates and agents, near-duplicate description detection (calibrated above the existing distinct-but-parallel writer family, so a future copy-paste clone is caught), a manifest to template to generated three-way bijection check (no orphans in any direction), and description-length sanity. Passes on the current catalog; fails if bloat, dupes, or orphans are introduced later.
+- **Capability-honesty assertion** (in the same CI gate): every MCP server named in the plugin/marketplace manifests resolves to a real `sdk/mcp/<server>/server.ts`, and the advertised read-only MCP-tool count is derived from the actual `gdd_*.ts` tool files rather than hand-typed. Combined with the existing source-derived feature counts, the 64 agents / 96 skills / 39 integrations / 13 MCP-tools / 2 MCP-servers claims are now machine-verified.
+
+### Notes
+
+- Catalog audited clean - no skills or agents were merged or deleted. The integrity guard exists to keep it that way.
+
+### Breaking changes
+
+None.
+
+5,102/5,102 tests pass.
+
+---
+
 ## [1.59.9] - 2026-06-10
 
 New-model-family readiness and cost truth (audit `.planning/audits/SELF-AUDIT-v1.59.7.md` §4). A new or unknown Anthropic model previously degraded cost accounting silently - billed at $0 or the sonnet rate and mis-attributed to the sonnet tier. This release makes unknown models loud and conservative, handles the 1M-context `[1m]` variant, and records context-window size in the model registry.

package/hooks/gdd-protected-paths.js

@@ -38,7 +38,75 @@ function findPackageRoot(startDir) {
 
 const REPO_ROOT = findPackageRoot(__dirname) || path.resolve(__dirname, '..');
 
-const { matches } = require(path.join(REPO_ROOT, 'scripts', 'lib', 'glob-match.cjs'));
+const { matches, defaultNocase } = require(path.join(REPO_ROOT, 'scripts', 'lib', 'glob-match.cjs'));
+
+/**
+ * HARDEN-02: Canonicalize a candidate path to a cwd-relative form before glob
+ * matching, defeating equivalent spellings of a protected file:
+ *   - POSIX absolute  `/abs/cwd/hooks/x.js`
+ *   - backslash drive `C:\cwd\hooks\x.js`
+ *   - forward-slash drive `C:/cwd/hooks/x.js`   (was the bypass — backslash-only detector)
+ *   - `../<cwd-basename>/hooks/x.js` reentry     (was the bypass — raw string never matched)
+ *   - symlink / symlinked ANCESTOR redirection into a protected dir (incl. NEW files)
+ *
+ * Returns a forward-slash cwd-relative string for IN-cwd targets, or the
+ * sentinel `null` for targets that resolve OUTSIDE cwd (out-of-repo edits are
+ * not this guard's concern and must not be false-blocked).
+ */
+function canonicalizeCandidate(cand, cwd) {
+  // 1. Recognize absolute paths robustly across platforms. `path.isAbsolute`
+  //    on a backslash-normalized copy catches POSIX `/…` and native drive
+  //    paths; the drive-letter regex is the Windows-on-POSIX fallback so a
+  //    `C:/…` / `C:\…` spelling is treated as absolute even when the test
+  //    process runs on Linux.
+  const normalized = cand.replace(/\\/g, '/');
+  const isAbs = path.isAbsolute(cand)
+    || path.isAbsolute(normalized)
+    || /^[A-Za-z]:[\\/]/.test(cand);
+
+  const abs = isAbs ? normalized : path.resolve(cwd, cand);
+
+  // 2. Canonicalize through symlinks — MANDATORY, for existing AND new targets.
+  //    Full-path realpath throws (ENOENT) on a not-yet-existing write target,
+  //    so walk UP to the nearest existing ancestor, realpath THAT, then re-join
+  //    the non-existent tail. This resolves a symlinked ancestor dir of a new
+  //    file (the write-new-file symlink bypass). Any unexpected I/O error falls
+  //    back to the plain resolved path — the hook must never hard-fail.
+  let canonicalAbs = abs;
+  try {
+    canonicalAbs = fs.realpathSync(abs);
+  } catch (e) {
+    if (e && e.code === 'ENOENT') {
+      try {
+        let ancestor = path.dirname(abs);
+        const tail = [path.basename(abs)];
+        // Walk up until an existing ancestor is found (or filesystem root).
+        // Guard the loop against an unbounded climb.
+        for (let i = 0; i < 64; i++) {
+          if (fs.existsSync(ancestor)) break;
+          const parent = path.dirname(ancestor);
+          if (parent === ancestor) break;
+          tail.unshift(path.basename(ancestor));
+          ancestor = parent;
+        }
+        const realAncestor = fs.realpathSync(ancestor);
+        canonicalAbs = path.join(realAncestor, ...tail);
+      } catch {
+        canonicalAbs = abs;
+      }
+    } else {
+      canonicalAbs = abs;
+    }
+  }
+
+  // 3. cwd-relative canonical form.
+  const rel = path.relative(cwd, canonicalAbs).replace(/\\/g, '/');
+
+  // 4. Out-of-cwd sentinel — these are NOT matched against repo-internal globs.
+  if (rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) return null;
+
+  return rel;
+}
 
 function loadProtectedPaths(cwd) {
   const defaultFile = path.join(REPO_ROOT, 'reference', 'protected-paths.default.json');
@@ -248,10 +316,10 @@ async function main() {
 
   for (const cand of candidates) {
     if (!cand) continue;
-    const rel = cand.startsWith('/') || /^[A-Z]:\\/i.test(cand)
-      ? path.relative(cwd, cand).replace(/\\/g, '/')
-      : cand.replace(/\\/g, '/');
-    const r = matches(rel, protectedPaths);
+    const rel = canonicalizeCandidate(cand, cwd);
+    // Out-of-cwd targets (sentinel null) are not this guard's concern.
+    if (rel === null) continue;
+    const r = matches(rel, protectedPaths, { nocase: defaultNocase() });
     if (r.matched) {
       try {
         require('./_hook-emit.js').emitHookFired('gdd-protected-paths', 'block', {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hegemonart/get-design-done",
-  "version": "1.59.9",
+  "version": "1.60.1",
   "description": "A design-quality pipeline for AI coding agents: brief, explore, plan, design, and verify UI work against your design system.",
   "author": "Hegemon",
   "homepage": "https://github.com/hegemonart/get-design-done",
@@ -84,6 +84,7 @@
     "validate:composition-graph": "node scripts/validate-composition-graph.cjs",
     "validate:design-context": "node scripts/validate-design-context.cjs",
     "validate:skill-frontmatter": "node scripts/validate-skill-frontmatter.cjs",
+    "validate:catalog": "node scripts/validate-catalog-integrity.cjs",
     "build:skill-graph": "node scripts/generate-skill-graph.cjs",
     "build:skill-graph:check": "node scripts/generate-skill-graph.cjs --check",
     "sync:rule-catalogue": "node scripts/sync-rule-catalogue.cjs --check",

package/scripts/lib/detect/cli.cjs

@@ -1,38 +1,35 @@
 'use strict';
-// Phase 41 — gdd-detect CLI. Dep-free by default (regex-fast). The DOM-aware (jsdom) and URL
-// (puppeteer) paths are SOFT optionals loaded via try-require — never a package.json dependency, so
-// the SC#10 network-isolation scan stays clean and the plugin keeps its zero-runtime-dep guarantee.
+// Phase 41 — gdd-detect CLI. A regex anti-pattern scanner over LOCAL files: it walks a file or
+// directory and runs each BAN-NN rule's matcher against the file text. There is exactly one engine
+// (regex over file content) and it never touches the network or any optional dependency, so the
+// SC#10 network-isolation scan stays clean and the plugin keeps its zero-runtime-dep guarantee.
 //
-//   gdd-detect <path> [--json] [--fast] [--rule BAN-NN] [--puppeteer]
+//   gdd-detect <path> [--json] [--rule BAN-NN]
 //
 // Exit codes: 0 = clean · 2 = findings · 1 = invocation error.
 
 const engine = require('./engine.cjs');
 
-const HELP = `gdd-detect — scan HTML/CSS/JSX for GDD anti-patterns (BAN-NN).
+const HELP = `gdd-detect — scan local HTML/CSS/JSX for GDD anti-patterns (BAN-NN).
 
 Usage:
   gdd-detect <path> [options]
 
 Arguments:
-  <path>            A file or directory (scanned recursively), or a http(s):// URL (needs --puppeteer).
+  <path>            A file or directory (scanned recursively). Regex anti-pattern scan over local files.
 
 Options:
   --json            Machine-readable JSON output.
-  --fast            Regex-only; do not load jsdom even if present.
   --rule <BAN-NN>   Run a single rule (e.g. --rule BAN-08).
-  --puppeteer       Allow scanning a URL via Puppeteer (an optional, separately-installed dependency).
   -h, --help        This help.
 
 Exit codes: 0 clean · 2 findings · 1 invocation error.`;
 
 function parseArgs(argv) {
-  const opts = { path: null, json: false, fast: false, rule: null, puppeteer: false, help: false };
+  const opts = { path: null, json: false, rule: null, help: false };
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
     if (a === '--json') opts.json = true;
-    else if (a === '--fast') opts.fast = true;
-    else if (a === '--puppeteer') opts.puppeteer = true;
     else if (a === '-h' || a === '--help') opts.help = true;
     else if (a === '--rule') opts.rule = argv[++i] || null;
     else if (a.startsWith('--rule=')) opts.rule = a.slice('--rule='.length);
@@ -46,22 +43,11 @@ function isUrl(p) {
 }
 
 /**
- * Select the detection engine. Returns { mode, warning }.
- *
- * There is exactly one engine path: regex over file text (see engine.cjs#run, which takes no
- * jsdom/DOM parameter and is byte-identical whether or not jsdom is installed). So the truthful
- * mode is always 'regex-fast'. We still probe jsdom (unless --fast) to surface a one-line hint
- * that a DOM-aware path is not wired in this build — but we no longer claim a 'dom-aware' mode the
- * engine does not have.
+ * Report the active engine. There is exactly one path: regex over file text (see engine.cjs#run).
+ * Returns { mode } so callers and the --json report can label output truthfully.
  */
-function selectEngine(opts, requireFn) {
-  if (opts.fast) return { mode: 'regex-fast', warning: null };
-  let hasJsdom = false;
-  try { requireFn('jsdom'); hasJsdom = true; } catch { hasJsdom = false; }
-  // jsdom presence does not change the engine — only emit a hint when it's absent, and never
-  // promise a mode we can't deliver.
-  const warning = hasJsdom ? null : 'jsdom not installed — running regex-fast (the only wired mode; a DOM-aware path is not implemented). Pass --fast to silence this.';
-  return { mode: 'regex-fast', warning };
+function selectEngine() {
+  return { mode: 'regex-fast' };
 }
 
 function renderHuman(result, mode) {
@@ -78,14 +64,13 @@ function renderHuman(result, mode) {
 
 /**
  * @param {string[]} argv  process.argv.slice(2)
- * @param {{ cwd?: string, log?: fn, err?: fn, requireFn?: fn }} [io]  injectable for tests
+ * @param {{ cwd?: string, log?: fn, err?: fn }} [io]  injectable for tests
  * @returns {number} exit code
  */
 function main(argv, io) {
   const o = io || {};
   const log = o.log || ((s) => process.stdout.write(s + '\n'));
   const err = o.err || ((s) => process.stderr.write(s + '\n'));
-  const requireFn = o.requireFn || require;
   const cwd = o.cwd || process.cwd();
   const opts = parseArgs(argv);
 
@@ -93,18 +78,13 @@ function main(argv, io) {
   if (!opts.path) { err('gdd-detect: missing <path>. See --help.'); return 1; }
   if (opts.rule && !/^BAN-\d{2}$/i.test(opts.rule)) { err(`gdd-detect: --rule expects a BAN-NN id (got "${opts.rule}").`); return 1; }
 
-  // URL path → Puppeteer (optional, separately installed). Never a stack trace.
+  // URL path is not wired: this is a regex scanner over local files. Never a stack trace.
   if (isUrl(opts.path)) {
-    if (!opts.puppeteer) { err('gdd-detect: scanning a URL requires --puppeteer. Pass --puppeteer (and `npm i -D puppeteer`) to enable URL scans.'); return 1; }
-    let hasPuppeteer = false;
-    try { requireFn('puppeteer'); hasPuppeteer = true; } catch { hasPuppeteer = false; }
-    if (!hasPuppeteer) { err('gdd-detect: --puppeteer given but puppeteer is not installed. Install it with `npm i -D puppeteer` (it stays an optional dependency).'); return 1; }
     err('gdd-detect: URL scanning is not wired in this build; clone the page locally and scan the files instead.');
     return 1;
   }
 
-  const { mode, warning } = selectEngine(opts, requireFn);
-  if (warning && !opts.json) err('gdd-detect: ' + warning);
+  const { mode } = selectEngine();
 
   let result;
   try { result = engine.run(opts.path, { ruleId: opts.rule, cwd }); }

package/scripts/lib/detect/engine.cjs

@@ -1,8 +1,8 @@
 'use strict';
-// Phase 41 — gdd-detect engine. Pure, dep-free (regex-fast path). Walks a path, runs each rule's
-// matcher against file content, returns structured findings. The DOM-aware (jsdom) + URL (puppeteer)
-// paths are layered on in cli.cjs via soft try-require; the engine itself never touches the network
-// or any optional dependency — so the SC#10 network-isolation scan stays clean.
+// Phase 41 — gdd-detect engine. Pure, dep-free regex engine over file content. Walks a path, runs
+// each rule's matcher against the text of each scannable file, and returns structured findings. The
+// engine never touches the network or any optional dependency — so the SC#10 network-isolation scan
+// stays clean.
 
 const fs = require('node:fs');
 const path = require('node:path');

package/scripts/lib/glob-match.cjs

@@ -3,9 +3,24 @@
  * scripts/lib/glob-match.cjs — tiny dependency-free glob matcher.
  * Supports: **, *, ?, and literal segments. Not a full minimatch implementation,
  * but covers the patterns used in reference/protected-paths.default.json.
+ *
+ * Case-sensitivity tracks the host filesystem by default: case-INsensitive on
+ * win32/darwin (so `HOOKS/x` matches `hooks/**`), case-sensitive elsewhere.
+ * Callers can override via `opts.nocase` (used by the protected-paths suite to
+ * exercise BOTH branches explicitly on a case-sensitive Linux CI runner).
  */
 
-function globToRegex(glob) {
+/**
+ * The platform-derived default for case-insensitive matching. Exposed so the
+ * protected-paths hook and the tests reference the SAME decision rather than
+ * duplicating the win32||darwin check.
+ */
+function defaultNocase() {
+  return process.platform === 'win32' || process.platform === 'darwin';
+}
+
+function globToRegex(glob, opts = {}) {
+  const nocase = opts.nocase !== undefined ? opts.nocase : defaultNocase();
   // Normalize separators
   const g = glob.replace(/\\/g, '/');
   let re = '^';
@@ -42,16 +57,18 @@ function globToRegex(glob) {
     i++;
   }
   re += '$';
-  return new RegExp(re);
+  // Use the `i` flag for case-insensitivity rather than lowercasing inputs,
+  // which would corrupt the returned `pattern` string callers rely on.
+  return new RegExp(re, nocase ? 'i' : '');
 }
 
-function matches(filepath, globList) {
+function matches(filepath, globList, opts = {}) {
   const norm = String(filepath).replace(/\\/g, '/').replace(/^\.\//, '');
   for (const g of globList) {
-    const re = globToRegex(g);
+    const re = globToRegex(g, opts);
     if (re.test(norm)) return { matched: true, pattern: g };
   }
   return { matched: false };
 }
 
-module.exports = { matches, globToRegex };
+module.exports = { matches, globToRegex, defaultNocase };

package/sdk/mcp/gdd-mcp/server.js

@@ -1860,12 +1860,45 @@ var require_intel_store = __commonJS({
         this.dir = dir;
       }
     };
+    var IntelInvalidSliceIdError = class extends Error {
+      constructor(sliceId) {
+        const shown = typeof sliceId === "string" ? sliceId : String(sliceId);
+        super("invalid slice_id: " + JSON.stringify(shown));
+        this.name = "IntelInvalidSliceIdError";
+        this.code = "invalid_slice_id";
+        this.sliceId = sliceId;
+      }
+    };
+    function validateSliceId(sliceId) {
+      if (typeof sliceId !== "string" || sliceId.length === 0) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId.indexOf("\0") !== -1) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId.indexOf("/") !== -1 || sliceId.indexOf("\\") !== -1) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId === "." || sliceId === ".." || sliceId.includes("..")) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (path.isAbsolute(sliceId)) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+    }
     async function readSlice2(rootDir, sliceId) {
+      validateSliceId(sliceId);
       const dir = path.join(rootDir, ".design", "intel");
       if (!fs.existsSync(dir)) {
         throw new IntelNotFoundError(dir);
       }
       const file = path.join(dir, sliceId + ".json");
+      const resolvedDir = path.resolve(dir);
+      const resolvedFile = path.resolve(file);
+      const withSep = resolvedDir.endsWith(path.sep) ? resolvedDir : resolvedDir + path.sep;
+      if (!resolvedFile.startsWith(withSep)) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
       if (!fs.existsSync(file)) return null;
       const body = await fs.promises.readFile(file, "utf8");
       return JSON.parse(body);
@@ -1883,7 +1916,13 @@ var require_intel_store = __commonJS({
       }
       return ids;
     }
-    module2.exports = { readSlice: readSlice2, listSlices, IntelNotFoundError };
+    module2.exports = {
+      readSlice: readSlice2,
+      listSlices,
+      validateSliceId,
+      IntelNotFoundError,
+      IntelInvalidSliceIdError
+    };
   }
 });
 
@@ -2035,6 +2074,7 @@ __export(server_exports, {
 module.exports = __toCommonJS(server_exports);
 var import_node_fs5 = require("node:fs");
 var import_node_path5 = require("node:path");
+var import_ajv = __toESM(require("ajv"));
 var import_server = require("@modelcontextprotocol/sdk/server/index.js");
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 var import_types6 = require("@modelcontextprotocol/sdk/types.js");
@@ -3427,6 +3467,24 @@ function buildServer() {
   const tools = loadTools();
   const byName = /* @__PURE__ */ new Map();
   for (const t of tools) byName.set(t.name, t);
+  const ajv = new import_ajv.default({ allErrors: true, strict: false });
+  const PASS_THROUGH = (() => {
+    const v = (() => true);
+    v.errors = null;
+    return v;
+  })();
+  const validators = /* @__PURE__ */ new Map();
+  for (const t of tools) {
+    try {
+      validators.set(t.name, ajv.compile(t.inputSchema));
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(
+        `[gdd-mcp] schema compile failed for ${t.name}; tool degraded to permissive validation: ${msg}`
+      );
+      validators.set(t.name, PASS_THROUGH);
+    }
+  }
   const server = new import_server.Server(
     { name: SERVER_NAME, version: SERVER_VERSION },
     {
@@ -3469,6 +3527,26 @@ function buildServer() {
         structuredContent: { success: false, error: payload.error }
       };
     }
+    const validate = validators.get(toolName);
+    if (validate !== void 0) {
+      const argsObj = args ?? {};
+      if (!validate(argsObj)) {
+        const detail = ajv.errorsText(validate.errors, { dataVar: "input" });
+        const payload = toToolError(
+          new Error(`input validation failed: ${detail}`)
+        );
+        return {
+          isError: true,
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ success: false, error: payload.error })
+            }
+          ],
+          structuredContent: { success: false, error: payload.error }
+        };
+      }
+    }
     let response;
     try {
       response = await tool.handle(args ?? {});

package/sdk/mcp/gdd-mcp/server.ts

@@ -38,6 +38,8 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { dirname, join, resolve } from 'node:path';
 
+import Ajv, { type ValidateFunction } from 'ajv';
+
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import {
@@ -186,6 +188,33 @@ export function buildServer(): Server {
   const byName: Map<string, LoadedTool> = new Map();
   for (const t of tools) byName.set(t.name, t);
 
+  // HARDEN-01 (Task 2): compile an ajv validator per tool from its advertised
+  // input JSON Schema, so every tools/call argument is validated against the
+  // tool's contract BEFORE the handler runs. `strict:false` tolerates the
+  // Draft-07 keywords our schemas use; `allErrors` yields complete messages.
+  const ajv = new Ajv({ allErrors: true, strict: false });
+  const PASS_THROUGH: ValidateFunction = (() => {
+    const v = (() => true) as ValidateFunction;
+    v.errors = null;
+    return v;
+  })();
+  const validators: Map<string, ValidateFunction> = new Map();
+  for (const t of tools) {
+    try {
+      validators.set(t.name, ajv.compile(t.inputSchema));
+    } catch (err) {
+      // A single malformed schema file must not brick the whole server: fall
+      // back to a permissive validator for THAT tool only (today's no-
+      // validation behavior). The other tools still enforce (T-60.1-04).
+      const msg = err instanceof Error ? err.message : String(err);
+      // eslint-disable-next-line no-console
+      console.error(
+        `[gdd-mcp] schema compile failed for ${t.name}; tool degraded to permissive validation: ${msg}`,
+      );
+      validators.set(t.name, PASS_THROUGH);
+    }
+  }
+
   const server = new Server(
     { name: SERVER_NAME, version: SERVER_VERSION },
     {
@@ -237,6 +266,30 @@ export function buildServer(): Server {
       };
     }
 
+    // HARDEN-01 (Task 2): validate arguments against the tool's advertised
+    // input schema BEFORE the handler runs. A schema-invalid call returns a
+    // structured isError result and the handler is NEVER reached.
+    const validate = validators.get(toolName);
+    if (validate !== undefined) {
+      const argsObj = args ?? {};
+      if (!validate(argsObj)) {
+        const detail = ajv.errorsText(validate.errors, { dataVar: 'input' });
+        const payload = toToolError(
+          new Error(`input validation failed: ${detail}`),
+        );
+        return {
+          isError: true,
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({ success: false, error: payload.error }),
+            },
+          ],
+          structuredContent: { success: false, error: payload.error },
+        };
+      }
+    }
+
     let response;
     try {
       response = await tool.handle(args ?? {});