@hegemonart/get-design-done 1.60.0 → 1.60.2

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "Get Design Done — 5-stage agent-orchestrated design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 agents, 96 skills, 39 connection integrations, two MCP servers, opt-in SQLite state backbone, bidirectional Figma write-back, and a reflector-driven self-improvement loop. Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, and more.",
-    "version": "1.60.0"
+    "version": "1.60.2"
   },
   "plugins": [
     {
       "name": "get-design-done",
       "source": "./",
       "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (gdd-state for typed STATE mutators, gdd-mcp for 13 read-only project-priming tools), tier-aware routing with cost telemetry, and defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer). Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
-      "version": "1.60.0",
+      "version": "1.60.2",
       "author": {
         "name": "hegemonart"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "get-design-done",
   "short_name": "gdd",
-  "version": "1.60.0",
+  "version": "1.60.2",
   "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store for O(1) design-surface lookups, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (`gdd-state` for typed STATE mutators, `gdd-mcp` for 13 read-only project-priming tools), tier-aware agent routing with cost telemetry, defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer), and a cross-runtime install layer for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
   "author": {
     "name": "hegemonart",

package/CHANGELOG.md

@@ -4,6 +4,45 @@ All notable changes to get-design-done are documented here. Versions follow [sem
 
 ---
 
+## [1.60.2] - 2026-06-13
+
+**Security & CI hardening** - bring the SAST/dependency-audit gates the project lacked, and close the one untrusted-link gap in the injection scanner, *before* the detection engine lands its large new surface. Sourced from a reconciliation against the upstream framework's recent releases (`.planning/audits/UPSTREAM-GSD-CORE-DIFF-2026-06-13.md`).
+
+### Added
+
+- **CodeQL / SAST workflow** (`.github/workflows/codeql.yml`) - `javascript-typescript` with the `security-extended` query suite, on push / PR / weekly schedule. Analysis-only (alerts surface in the Security tab; the job is non-blocking on pre-existing findings). A regression guard for every future PR, established now on a clean tree.
+- **`npm audit` production gate in CI** - `npm audit --omit=dev --audit-level=high` in the security job. Scoped to production dependencies (what ships to consumers); dev-only advisories don't gate the build. Currently green.
+- **Dangerous-link scheme detection in the injection scanner** - `scripts/injection-patterns.cjs` now flags `javascript:` URIs, `data:text/html` / `data:` script payloads, userinfo-credential URLs (`scheme://user:pass@host`), and secret-bearing query params (cross-referenced to the redaction token shapes). These flow from untrusted markdown read by the Read hook and the design-authority watcher's feed ingest, which previously had zero coverage for them. Pattern count 21 to 27; both the runtime hook and the CI scanner auto-consume the new patterns. Tightly anchored with negative fixtures so legitimate `https://`, `mailto:`, `data:image`, and ordinary query strings are not flagged.
+
+### Changed
+
+- **`hono` override `>=4.12.23`** added to `package.json` (transitive via `@modelcontextprotocol/sdk`). Precautionary / future-proofing - our `npm audit` does not currently flag the resolved `hono@4.12.21`; this pins the dependency forward regardless. Resolves to `4.12.25`.
+
+### Breaking changes
+
+None.
+
+5,143/5,143 tests pass.
+
+---
+
+## [1.60.1] - 2026-06-10
+
+**Security hardening** - two HIGH-severity vulnerabilities closed before the upcoming rebrand copies the foundation layer across every runtime. Both were reachable by a prompt-injected agent, undercutting the trust boundary the plugin's own scanners exist to defend. Each fix ships with failing-then-passing regression tests; an independent adversarial audit confirmed both vectors are dead with no surviving bypass.
+
+### Security
+
+- **Path traversal in the `gdd_intel_get` MCP tool (HARDEN-01).** A `slice_id` carrying `../`, an absolute path, or a path separator flowed unsanitized into a file read and could escape `.design/intel/` to return any `.json` file's contents (cloud credentials, config) to the caller. The intel store now rejects any non-basename `slice_id` and enforces a `resolve` + `startsWith(root + sep)` containment check before touching disk. Separately, the `gdd-mcp` server **now validates every `tools/call` argument against the advertised per-tool JSON schema** at the dispatcher - previously raw arguments were passed straight to handlers with no validation.
+- **Protected-paths guard canonicalization bypass (HARDEN-02).** The hook that blocks edits to `hooks/**`, `skills/**`, `.git/**`, and `.claude/settings.json` matched a non-canonical path string, so a Windows forward-slash absolute path (`C:/…`) or a `../<cwd-basename>/…` relative re-entry slipped past the block. The guard now canonicalizes candidates with `path.resolve` + `path.relative` (forward-slash drive letters included), mandatorily resolves the nearest existing ancestor with `realpathSync` to catch symlinked-ancestor-of-a-new-file escapes, and folds case on Windows/macOS. The two bypass vectors (previously untested) now have explicit regression coverage.
+
+### Breaking changes
+
+None.
+
+5,139/5,139 tests pass.
+
+---
+
 ## [1.60.0] - 2026-06-10
 
 **Foundation & Honesty** - the subtract-first base the v2.0 work and the upcoming rebrand depend on. Make the catalog enumerable and the capability claims machine-checked *before* building or renaming anything. A pre-flight audit found the catalog already clean (0 content-duplicate skills, 0 orphan skills or agents, a perfect manifest to template to generated bijection, and every count and capability claim already tracing to source), so this release does not manufacture cuts - it removes genuinely dead code and adds the guards that lock the clean state in.

package/hooks/gdd-protected-paths.js

@@ -38,7 +38,75 @@ function findPackageRoot(startDir) {
 
 const REPO_ROOT = findPackageRoot(__dirname) || path.resolve(__dirname, '..');
 
-const { matches } = require(path.join(REPO_ROOT, 'scripts', 'lib', 'glob-match.cjs'));
+const { matches, defaultNocase } = require(path.join(REPO_ROOT, 'scripts', 'lib', 'glob-match.cjs'));
+
+/**
+ * HARDEN-02: Canonicalize a candidate path to a cwd-relative form before glob
+ * matching, defeating equivalent spellings of a protected file:
+ *   - POSIX absolute  `/abs/cwd/hooks/x.js`
+ *   - backslash drive `C:\cwd\hooks\x.js`
+ *   - forward-slash drive `C:/cwd/hooks/x.js`   (was the bypass — backslash-only detector)
+ *   - `../<cwd-basename>/hooks/x.js` reentry     (was the bypass — raw string never matched)
+ *   - symlink / symlinked ANCESTOR redirection into a protected dir (incl. NEW files)
+ *
+ * Returns a forward-slash cwd-relative string for IN-cwd targets, or the
+ * sentinel `null` for targets that resolve OUTSIDE cwd (out-of-repo edits are
+ * not this guard's concern and must not be false-blocked).
+ */
+function canonicalizeCandidate(cand, cwd) {
+  // 1. Recognize absolute paths robustly across platforms. `path.isAbsolute`
+  //    on a backslash-normalized copy catches POSIX `/…` and native drive
+  //    paths; the drive-letter regex is the Windows-on-POSIX fallback so a
+  //    `C:/…` / `C:\…` spelling is treated as absolute even when the test
+  //    process runs on Linux.
+  const normalized = cand.replace(/\\/g, '/');
+  const isAbs = path.isAbsolute(cand)
+    || path.isAbsolute(normalized)
+    || /^[A-Za-z]:[\\/]/.test(cand);
+
+  const abs = isAbs ? normalized : path.resolve(cwd, cand);
+
+  // 2. Canonicalize through symlinks — MANDATORY, for existing AND new targets.
+  //    Full-path realpath throws (ENOENT) on a not-yet-existing write target,
+  //    so walk UP to the nearest existing ancestor, realpath THAT, then re-join
+  //    the non-existent tail. This resolves a symlinked ancestor dir of a new
+  //    file (the write-new-file symlink bypass). Any unexpected I/O error falls
+  //    back to the plain resolved path — the hook must never hard-fail.
+  let canonicalAbs = abs;
+  try {
+    canonicalAbs = fs.realpathSync(abs);
+  } catch (e) {
+    if (e && e.code === 'ENOENT') {
+      try {
+        let ancestor = path.dirname(abs);
+        const tail = [path.basename(abs)];
+        // Walk up until an existing ancestor is found (or filesystem root).
+        // Guard the loop against an unbounded climb.
+        for (let i = 0; i < 64; i++) {
+          if (fs.existsSync(ancestor)) break;
+          const parent = path.dirname(ancestor);
+          if (parent === ancestor) break;
+          tail.unshift(path.basename(ancestor));
+          ancestor = parent;
+        }
+        const realAncestor = fs.realpathSync(ancestor);
+        canonicalAbs = path.join(realAncestor, ...tail);
+      } catch {
+        canonicalAbs = abs;
+      }
+    } else {
+      canonicalAbs = abs;
+    }
+  }
+
+  // 3. cwd-relative canonical form.
+  const rel = path.relative(cwd, canonicalAbs).replace(/\\/g, '/');
+
+  // 4. Out-of-cwd sentinel — these are NOT matched against repo-internal globs.
+  if (rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) return null;
+
+  return rel;
+}
 
 function loadProtectedPaths(cwd) {
   const defaultFile = path.join(REPO_ROOT, 'reference', 'protected-paths.default.json');
@@ -248,10 +316,10 @@ async function main() {
 
   for (const cand of candidates) {
     if (!cand) continue;
-    const rel = cand.startsWith('/') || /^[A-Z]:\\/i.test(cand)
-      ? path.relative(cwd, cand).replace(/\\/g, '/')
-      : cand.replace(/\\/g, '/');
-    const r = matches(rel, protectedPaths);
+    const rel = canonicalizeCandidate(cand, cwd);
+    // Out-of-cwd targets (sentinel null) are not this guard's concern.
+    if (rel === null) continue;
+    const r = matches(rel, protectedPaths, { nocase: defaultNocase() });
     if (r.matched) {
       try {
         require('./_hook-emit.js').emitHookFired('gdd-protected-paths', 'block', {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hegemonart/get-design-done",
-  "version": "1.60.0",
+  "version": "1.60.2",
   "description": "A design-quality pipeline for AI coding agents: brief, explore, plan, design, and verify UI work against your design system.",
   "author": "Hegemon",
   "homepage": "https://github.com/hegemonart/get-design-done",
@@ -156,6 +156,7 @@
   },
   "overrides": {
     "fast-json-patch": "^3.1.1",
+    "hono": ">=4.12.23",
     "qs": ">=6.15.2"
   }
 }

package/scripts/injection-patterns.cjs

@@ -41,6 +41,53 @@ const INJECTION_PATTERNS = [
   { name: 'tar-home-netcat',          re: /\btar\s+c[fzvj]+\s+-\s+~[^\n]*\|\s*(nc|ssh|curl)/ },
   { name: 'env-dot-leak',             re: /process\.env\.[A-Z][A-Z0-9_]*_(KEY|TOKEN|SECRET)\s*[^;,\n]*(fetch|axios|XMLHttpRequest|http\.request)/ },
   { name: 'ssh-key-cat',              re: /\bcat\s+~?\/?\.ssh\/id_(rsa|ed25519|ecdsa|dsa)\b/ },
+
+  // ── dangerous URL schemes + credential links (60.2 / SEC-CI-03) ──────
+  // These flow from untrusted markdown (Read hook) and RSS/article ingest.
+  // Each regex is anchored tightly to avoid false-positives on the repo's
+  // own shipped docs (the CI scan:injection gate scans them) and is
+  // linear-time (bounded quantifiers, no nested/overlapping repetition).
+
+  // `javascript:` used as a link/href target. The colon must be directly
+  // followed by a non-whitespace payload char — so prose like "JavaScript:"
+  // (a sentence colon, followed by a space) and the bare word "JavaScript"
+  // do NOT match. Preceded by start-of-string or a non-word char so it
+  // anchors on `](javascript:` / `href="javascript:` / `=javascript:`.
+  { name: 'javascript: uri',          re: /(?:^|[^\w])javascript:(?=\S)/i },
+
+  // `data:text/html` URIs (optional ;base64). Will NOT match `data:image/…`,
+  // nor `data: <word>` prose (colon-space): the literal `text/html` is required.
+  { name: 'data:text/html uri',       re: /\bdata:text\/html\b/i },
+
+  // `data:` URI carrying a script payload (covers data: media types beyond
+  // text/html). `[^\s<]{0,200}` is a bounded run (no ReDoS) that also
+  // EXCLUDES `<`, so it cannot reach across a `<script` that appears BEFORE
+  // `data:` on the line (e.g. export-formats.md:27 "…<script> … data: URIs"):
+  // there the char after `data:` is a backtick+space, the run stops at the
+  // space, and no script marker follows. Requires `data:` to be immediately
+  // followed (no space) by payload chars that lead into `<script`/`%3Cscript`.
+  { name: 'data: script payload',     re: /data:[^\s<]{0,200}(?:<script|%3Cscript)/i },
+
+  // userinfo-credential URL: `scheme://user:pass@host`. The `:` must appear
+  // in the userinfo segment BEFORE the `@`, and both must precede the first
+  // `/` of the path (i.e. inside the authority). Mutually-exclusive char
+  // classes on the boundary chars keep it linear. Does NOT match
+  // `mailto:user@host` (no `://`), bare `user@host` (no `://`), a plain
+  // `https://host/path` (no `@`), nor an `@` that appears only in the path.
+  { name: 'userinfo credentials url', re: /:\/\/[^/\s:@]+:[^/\s@]*@/ },
+
+  // Secret-bearing query param. Two linear alternatives:
+  //   (a) a query KEY named like a credential (token/api_key/secret/…)
+  //       followed by `=` and a non-trivial value; OR
+  //   (b) any query value matching a redact.cjs secret SHAPE
+  //       (sk-ant-/sk-/jwt/AIza/ghp_/gh[sour]_/AKIA/xox…).
+  // `[^&\s#]+` and the shape bodies are bounded by their delimiters / fixed
+  // lengths — no catastrophic backtracking. Does NOT match benign params
+  // like `?q=`, `?lang=en`, `?sort=desc`, `?page=2`.
+  {
+    name: 'secret-bearing query param',
+    re: /[?&](?:access_token|client_secret|api[_-]?key|apikey|token|secret|password|auth)=[^&\s#]+|[?&][\w-]{1,40}=(?:sk-ant-[\w-]{20,}|sk-[\w-]{20,}|eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}|AIza[\w-]{35}|ghp_[A-Za-z0-9]{36,}|gh[sour]_[A-Za-z0-9]{36,}|AKIA[0-9A-Z]{16}|xox[baprs]-[\w-]{10,})/i,
+  },
 ];
 
 /**

package/scripts/lib/glob-match.cjs

@@ -3,9 +3,24 @@
  * scripts/lib/glob-match.cjs — tiny dependency-free glob matcher.
  * Supports: **, *, ?, and literal segments. Not a full minimatch implementation,
  * but covers the patterns used in reference/protected-paths.default.json.
+ *
+ * Case-sensitivity tracks the host filesystem by default: case-INsensitive on
+ * win32/darwin (so `HOOKS/x` matches `hooks/**`), case-sensitive elsewhere.
+ * Callers can override via `opts.nocase` (used by the protected-paths suite to
+ * exercise BOTH branches explicitly on a case-sensitive Linux CI runner).
  */
 
-function globToRegex(glob) {
+/**
+ * The platform-derived default for case-insensitive matching. Exposed so the
+ * protected-paths hook and the tests reference the SAME decision rather than
+ * duplicating the win32||darwin check.
+ */
+function defaultNocase() {
+  return process.platform === 'win32' || process.platform === 'darwin';
+}
+
+function globToRegex(glob, opts = {}) {
+  const nocase = opts.nocase !== undefined ? opts.nocase : defaultNocase();
   // Normalize separators
   const g = glob.replace(/\\/g, '/');
   let re = '^';
@@ -42,16 +57,18 @@ function globToRegex(glob) {
     i++;
   }
   re += '$';
-  return new RegExp(re);
+  // Use the `i` flag for case-insensitivity rather than lowercasing inputs,
+  // which would corrupt the returned `pattern` string callers rely on.
+  return new RegExp(re, nocase ? 'i' : '');
 }
 
-function matches(filepath, globList) {
+function matches(filepath, globList, opts = {}) {
   const norm = String(filepath).replace(/\\/g, '/').replace(/^\.\//, '');
   for (const g of globList) {
-    const re = globToRegex(g);
+    const re = globToRegex(g, opts);
     if (re.test(norm)) return { matched: true, pattern: g };
   }
   return { matched: false };
 }
 
-module.exports = { matches, globToRegex };
+module.exports = { matches, globToRegex, defaultNocase };

package/sdk/mcp/gdd-mcp/server.js

@@ -1860,12 +1860,45 @@ var require_intel_store = __commonJS({
         this.dir = dir;
       }
     };
+    var IntelInvalidSliceIdError = class extends Error {
+      constructor(sliceId) {
+        const shown = typeof sliceId === "string" ? sliceId : String(sliceId);
+        super("invalid slice_id: " + JSON.stringify(shown));
+        this.name = "IntelInvalidSliceIdError";
+        this.code = "invalid_slice_id";
+        this.sliceId = sliceId;
+      }
+    };
+    function validateSliceId(sliceId) {
+      if (typeof sliceId !== "string" || sliceId.length === 0) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId.indexOf("\0") !== -1) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId.indexOf("/") !== -1 || sliceId.indexOf("\\") !== -1) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (sliceId === "." || sliceId === ".." || sliceId.includes("..")) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+      if (path.isAbsolute(sliceId)) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
+    }
     async function readSlice2(rootDir, sliceId) {
+      validateSliceId(sliceId);
       const dir = path.join(rootDir, ".design", "intel");
       if (!fs.existsSync(dir)) {
         throw new IntelNotFoundError(dir);
       }
       const file = path.join(dir, sliceId + ".json");
+      const resolvedDir = path.resolve(dir);
+      const resolvedFile = path.resolve(file);
+      const withSep = resolvedDir.endsWith(path.sep) ? resolvedDir : resolvedDir + path.sep;
+      if (!resolvedFile.startsWith(withSep)) {
+        throw new IntelInvalidSliceIdError(sliceId);
+      }
       if (!fs.existsSync(file)) return null;
       const body = await fs.promises.readFile(file, "utf8");
       return JSON.parse(body);
@@ -1883,7 +1916,13 @@ var require_intel_store = __commonJS({
       }
       return ids;
     }
-    module2.exports = { readSlice: readSlice2, listSlices, IntelNotFoundError };
+    module2.exports = {
+      readSlice: readSlice2,
+      listSlices,
+      validateSliceId,
+      IntelNotFoundError,
+      IntelInvalidSliceIdError
+    };
   }
 });
 
@@ -2035,6 +2074,7 @@ __export(server_exports, {
 module.exports = __toCommonJS(server_exports);
 var import_node_fs5 = require("node:fs");
 var import_node_path5 = require("node:path");
+var import_ajv = __toESM(require("ajv"));
 var import_server = require("@modelcontextprotocol/sdk/server/index.js");
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 var import_types6 = require("@modelcontextprotocol/sdk/types.js");
@@ -3427,6 +3467,24 @@ function buildServer() {
   const tools = loadTools();
   const byName = /* @__PURE__ */ new Map();
   for (const t of tools) byName.set(t.name, t);
+  const ajv = new import_ajv.default({ allErrors: true, strict: false });
+  const PASS_THROUGH = (() => {
+    const v = (() => true);
+    v.errors = null;
+    return v;
+  })();
+  const validators = /* @__PURE__ */ new Map();
+  for (const t of tools) {
+    try {
+      validators.set(t.name, ajv.compile(t.inputSchema));
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(
+        `[gdd-mcp] schema compile failed for ${t.name}; tool degraded to permissive validation: ${msg}`
+      );
+      validators.set(t.name, PASS_THROUGH);
+    }
+  }
   const server = new import_server.Server(
     { name: SERVER_NAME, version: SERVER_VERSION },
     {
@@ -3469,6 +3527,26 @@ function buildServer() {
         structuredContent: { success: false, error: payload.error }
       };
     }
+    const validate = validators.get(toolName);
+    if (validate !== void 0) {
+      const argsObj = args ?? {};
+      if (!validate(argsObj)) {
+        const detail = ajv.errorsText(validate.errors, { dataVar: "input" });
+        const payload = toToolError(
+          new Error(`input validation failed: ${detail}`)
+        );
+        return {
+          isError: true,
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ success: false, error: payload.error })
+            }
+          ],
+          structuredContent: { success: false, error: payload.error }
+        };
+      }
+    }
     let response;
     try {
       response = await tool.handle(args ?? {});

package/sdk/mcp/gdd-mcp/server.ts

@@ -38,6 +38,8 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { dirname, join, resolve } from 'node:path';
 
+import Ajv, { type ValidateFunction } from 'ajv';
+
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import {
@@ -186,6 +188,33 @@ export function buildServer(): Server {
   const byName: Map<string, LoadedTool> = new Map();
   for (const t of tools) byName.set(t.name, t);
 
+  // HARDEN-01 (Task 2): compile an ajv validator per tool from its advertised
+  // input JSON Schema, so every tools/call argument is validated against the
+  // tool's contract BEFORE the handler runs. `strict:false` tolerates the
+  // Draft-07 keywords our schemas use; `allErrors` yields complete messages.
+  const ajv = new Ajv({ allErrors: true, strict: false });
+  const PASS_THROUGH: ValidateFunction = (() => {
+    const v = (() => true) as ValidateFunction;
+    v.errors = null;
+    return v;
+  })();
+  const validators: Map<string, ValidateFunction> = new Map();
+  for (const t of tools) {
+    try {
+      validators.set(t.name, ajv.compile(t.inputSchema));
+    } catch (err) {
+      // A single malformed schema file must not brick the whole server: fall
+      // back to a permissive validator for THAT tool only (today's no-
+      // validation behavior). The other tools still enforce (T-60.1-04).
+      const msg = err instanceof Error ? err.message : String(err);
+      // eslint-disable-next-line no-console
+      console.error(
+        `[gdd-mcp] schema compile failed for ${t.name}; tool degraded to permissive validation: ${msg}`,
+      );
+      validators.set(t.name, PASS_THROUGH);
+    }
+  }
+
   const server = new Server(
     { name: SERVER_NAME, version: SERVER_VERSION },
     {
@@ -237,6 +266,30 @@ export function buildServer(): Server {
       };
     }
 
+    // HARDEN-01 (Task 2): validate arguments against the tool's advertised
+    // input schema BEFORE the handler runs. A schema-invalid call returns a
+    // structured isError result and the handler is NEVER reached.
+    const validate = validators.get(toolName);
+    if (validate !== undefined) {
+      const argsObj = args ?? {};
+      if (!validate(argsObj)) {
+        const detail = ajv.errorsText(validate.errors, { dataVar: 'input' });
+        const payload = toToolError(
+          new Error(`input validation failed: ${detail}`),
+        );
+        return {
+          isError: true,
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({ success: false, error: payload.error }),
+            },
+          ],
+          structuredContent: { success: false, error: payload.error },
+        };
+      }
+    }
+
     let response;
     try {
       response = await tool.handle(args ?? {});