@ironbee-ai/cli 0.8.2 → 0.9.0

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 0.9.0 (2026-05-11)
+
+### Features
+
+* **backend:** support backend platform ([#10](https://github.com/ironbee-ai/ironbee-cli/issues/10)) ([516aad3](https://github.com/ironbee-ai/ironbee-cli/commit/516aad32915d05da07e971fa151678652d97b5b4))
+
+## 0.8.3 (2026-05-09)
+
+### Features
+
+* **config:** optional .ironbee/config.local.json personal-override layer ([770c2f3](https://github.com/ironbee-ai/ironbee-cli/commit/770c2f333f5d1d9146aaafb6fd975c5966e1d681))
+
 ## 0.8.2 (2026-05-08)
 
 ### Features

package/README.md

@@ -115,15 +115,37 @@ ironbee import --all-projects --since 6m --concurrency 2
 - `--concurrency <N>` — parallel sessions (default 4, clamped to `[1, 32]`); also configurable via `import.concurrency` in `~/.ironbee/config.json` or `<project>/.ironbee/config.json`
 
 
-### Optional: enable Node backend verification
+### Optional: opt out of the browser cycle
 
 ```bash
-ironbee enable-backend node
+ironbee browser disable
 ```
 
-Run this once per project that has Node backend code you want IronBee to gate. It writes opinionated default `verifyPatterns` (e.g. `server/**`, `pages/api/**`, `**/server.{ts,js,mjs,cjs}`) under `backend.node.verifyPatterns` in the project config. From then on, edits to matching paths require Node-cycle verification (connect + probes/logs) alongside any browser-cycle verification.
+The **browser cycle** is the default-on cycle — every code-file edit (40+ extensions: `.ts`, `.tsx`, `.css`, `.html`, `.py`, `.go`, `.java`, …) requires browser-driven verification (navigate / screenshot / aria / console). Run `browser disable` for projects where you don't want browser-cycle enforcement (e.g. backend-only services where only `node enable` / `backend enable` apply). It writes `browser.verifyPatterns: []` to override the legacy 40+ extension default; customizations of `alwaysRequired` / `evidencePaths` / `additionalVerifyPatterns` are preserved.
 
-To revert: `ironbee disable-backend node`. This empties `verifyPatterns` (no enforcement) but preserves any customizations you made to `alwaysRequired` / `evidencePaths`, so re-enabling later restores your tuned setup.
+To re-enable: `ironbee browser enable` — strips the `verifyPatterns: []` override so the code defaults (legacy 40+ extension list) flow back in at runtime. `config.json` stays minimal; the default list is NOT materialized into the file (it lives in code and tracks the CLI version automatically).
+
+### Optional: enable Node.js runtime debug verification
+
+```bash
+ironbee node enable
+```
+
+Run this once per project whose backend is Node.js and you want IronBee to gate at the runtime level (V8 inspector probes via `node-devtools`). It writes a minimal `{ "node": {} }` block to config — code defaults (e.g. `server/**`, `pages/api/**`, `**/server.{ts,js,mjs,cjs}`) flow in at runtime; nothing is materialized into the file. From then on, edits to matching paths require Node-cycle verification (connect + probes/logs) alongside any browser-cycle verification. To customize, set `node.verifyPatterns` (replaces defaults) or `node.additionalVerifyPatterns` (appends).
+
+To revert: `ironbee node disable`. With no customizations the entire `node` block is dropped (clean config). With customizations or a lower-layer override, writes `verifyPatterns: []` (hard kill, preserves `alwaysRequired` / `evidencePaths` / `additionalVerifyPatterns` so re-enabling later restores your tuned setup).
+
+### Optional: enable runtime-agnostic backend protocol verification
+
+```bash
+ironbee backend enable
+```
+
+Activates the **backend protocol cycle** — drives real HTTP / gRPC / GraphQL / WebSocket calls against your running backend service via the `backend-devtools` MCP (`bedt_*` tools) and verifies the responses. Works for any backend runtime: Node, Java, Python, Go, Rust, Ruby, .NET, PHP, Elixir, Kotlin, Scala. The command writes a minimal `{ "backend": {} }` block to config — code defaults (multi-language paths covering `server/**`, `api/**`, `routes/**`, `controllers/**`, `handlers/**`, `services/**`) flow in at runtime.
+
+The backend cycle is independent of the node cycle — node attaches to a Node.js process and sets non-blocking debug probes; backend drives the wire protocol from outside. Both can be enabled simultaneously; both must pass.
+
+To revert: `ironbee backend disable` (drops the block clean if no customizations / lower-layer override; otherwise hard-kills via `verifyPatterns: []`).
 
 ### Optional: monitoring-only mode (no enforcement)
 
@@ -140,7 +162,7 @@ The toggle re-renders all client artifacts (hooks, skill, rule, MCP servers, per
 Cursor requires manual activation of MCP servers after install:
 
 1. **Restart Cursor** to load the new hooks and MCP config
-2. Go to **Settings → Tools & MCP** and verify both **browser-devtools** and **node-devtools** are enabled
+2. Go to **Settings → Tools & MCP** and verify all three of **browser-devtools**, **node-devtools**, and **backend-devtools** are enabled
 3. If a server shows as enabled but tools are unavailable, toggle it off and on
 
 > **Note:** This is a [known Cursor limitation](https://forum.cursor.com/t/mcp-tools-only-available-to-agent-after-manually-toggling-server-off-on-even-when-already-enabled/152859) — MCP servers added via `mcp.json` may need manual activation.
@@ -157,8 +179,9 @@ ironbee uninstall [project-dir] [--client <name>] [--all] [-y]   Remove hooks an
 ironbee status [project-dir]                      Show verdict status for active sessions
 ironbee verify [session-id]                       Dry-run verdict validation
 ironbee analyze [session-id]                      Analyze session metrics (or all sessions)
-ironbee enable-backend <runtime>                  Opt into backend verification (today: node)
-ironbee disable-backend <runtime>                 Opt out (resets verifyPatterns to []; preserves customizations)
+ironbee browser <enable|disable>                  Manage the browser cycle (default-on; bdt_* tools via browser-devtools)
+ironbee node <enable|disable>                     Manage the Node.js runtime debug cycle (V8 inspector probes via node-devtools)
+ironbee backend <enable|disable>                  Manage the runtime-agnostic backend protocol cycle (HTTP/gRPC/GraphQL/WS via backend-devtools)
 ironbee enable-verification                       Turn enforcement on (default state)
 ironbee disable-verification                      Monitoring-only mode (no enforcement; sessions still ship to collector)
 ironbee config get <key>                          Read a config value (default: merged effective value)
@@ -176,7 +199,7 @@ ironbee unregister                                Remove this project from the u
 
 - **`ironbee install --all`** — explicit batch op that re-runs install on every registered project. Use after a global config change to propagate it everywhere; uses each project's currently detected clients (or pass `--client <name>` to override).
 - **`ironbee uninstall --all`** — destructive batch op that wipes ironbee from every registered project. Prompts with default-No before acting; pass `--yes` / `-y` to skip the prompt. Refuses without `--yes` in non-interactive contexts.
-- **Prompt on global config writes** — `ironbee config set <key> <val> -g` (and `unset`) on an artifact-affecting key (`collector`, `verification`, `browser`, `backend`, `browserDevTools`, `nodeDevTools`) lists up to 10 other registered project paths still on the prior state and asks `Apply this change to these N projects now? [Y/n]` (default Yes). Pass `--apply-all` / `--no-apply-all` to skip the prompt; non-TTY contexts skip it and print a hint pointing at `install --all`.
+- **Prompt on global config writes** — `ironbee config set <key> <val> -g` (and `unset`) on an artifact-affecting key (`collector`, `verification`, `browser`, `node`, `backend`, `browserDevTools`, `nodeDevTools`, `backendDevTools`) lists up to 10 other registered project paths still on the prior state and asks `Apply this change to these N projects now? [Y/n]` (default Yes). Pass `--apply-all` / `--no-apply-all` to skip the prompt; non-TTY contexts skip it and print a hint pointing at `install --all`.
 
 For pure inventory bookkeeping (no artifact writes):
 
@@ -222,21 +245,27 @@ IronBee loads config from two locations (project deep-merges over global):
 
   "verification": {
     "enable": false
+  },
+
+  "fileChange": {
+    "captureChangeset": true
   }
 }
 ```
 
 | Key | Description | Default |
 |-----|-------------|---------|
-| `browser.verifyPatterns` | Glob patterns for files requiring **browser** verification (replaces defaults) | 40+ code extensions |
+| `browser.verifyPatterns` | Glob patterns for files requiring **browser** verification (replaces defaults). Four-state semantic: block-absent → code defaults (40+ ext, default-on); block-present + verifyPatterns unset → code defaults (post-`browser enable` shape); `[]` → hard kill (also disables `additionalVerifyPatterns`); custom `[...]` → user-defined. | 40+ code extensions when block absent OR `verifyPatterns` unset |
 | `browser.additionalVerifyPatterns` | Extra browser patterns appended to defaults | `[]` |
-| `backend.<runtime>.verifyPatterns` | Glob patterns for files requiring **backend** verification, per runtime (today: `node`). Empty by default — opt in via `ironbee enable-backend <runtime>`. | `[]` |
-| `backend.<runtime>.additionalVerifyPatterns` | Extra backend patterns | `[]` |
+| `node.verifyPatterns` | Glob patterns activating the **Node.js runtime debug cycle** (`node-devtools` MCP, `ndt_*` tools — V8 inspector probes). Empty by default — opt in via `ironbee node enable`. | `[]` |
+| `node.additionalVerifyPatterns` | Extra patterns appended to `node.verifyPatterns` | `[]` |
+| `backend.verifyPatterns` | Glob patterns activating the **runtime-agnostic backend protocol cycle** (`backend-devtools` MCP, `bedt_*` tools — HTTP/gRPC/GraphQL/WebSocket). Empty by default — opt in via `ironbee backend enable`. | `[]` |
+| `backend.additionalVerifyPatterns` | Extra patterns appended to `backend.verifyPatterns` | `[]` |
 | `ignoredVerifyPatterns` | Patterns to exclude from verification (checked first, applies to all cycles) | `[]` |
 | `maxRetries` | Max retry attempts before allowing completion (single global counter regardless of how many cycles run) | `3` |
 | `verification.enable` | Master switch for enforcement. **Inverse semantics from `recording`/`jobQueue`/`collector`** — verification is the core feature, opt-out via `enable: false`. When disabled, ironbee runs in monitoring-only mode (no enforcement hooks, skill, rule, or MCP servers; only session/activity/tool_call telemetry flows to the collector). | `true` |
-
-> **Migrating from older versions:** the previous flat `verifyPatterns` / `additionalVerifyPatterns` at the top level is no longer supported. The config loader fails loudly on legacy shape — move them under `browser.*` (or the appropriate runtime under `backend.<runtime>.*`).
+| `fileChange.captureChangeset` | When `true`, every `file_change` event carries a hunks-only unified-diff `changeset` string (`@@` headers + `space`/`-`/`+` lines, no filename header — `file_path` already lives on the parent event). Off by default — the default `tool_input` whitelist deliberately strips file content from the wire; turning this on routes content through `file_change` instead. PreToolUse pre-reads the file when enabled so PostToolUse can produce a real before/after diff (Write/Edit on Claude; Write/StrReplace/Delete on Cursor). Skipped on binary content (NUL byte in first 4 KB). | `false` |
+| `fileChange.maxChangesetBytes` | Hard cap on the `changeset` string size. Diffs over the cap are sliced on a UTF-8 byte boundary and end with a `\n... (truncated, N bytes omitted)\n` footer so the collector POST stays within typical reverse-proxy body limits. | `65536` (64 KB) |
 
 ### Editing config from the CLI (`ironbee config`)
 
@@ -267,7 +296,7 @@ ironbee config path                # print the project config file path
 
 **Type coercion** — `set` parses the value as JSON when it can (`true`/`42`/`[…]`/`{…}`) and falls back to a raw string when JSON parse fails. URLs and paths pass through unquoted; pass `--json` to force strict JSON parsing (e.g. when you want the literal string `"42"` instead of the number `42`).
 
-**Smart artifact re-render** — when a top-level key affects installed client artifacts (`verification`, `collector`, `browser`, `backend`, `browserDevTools`, `nodeDevTools`), `set` and `unset` re-render the client files (hooks, MCP entries, skill, rule, permissions) automatically — same code path `enable-verification` / `enable-backend` use. Other keys (`maxRetries`, `recording`, `jobQueue`, `analytics`, `import`, `ignoredVerifyPatterns`) are pure config flips that the next agent session picks up — no rerender needed.
+**Smart artifact re-render** — when a top-level key affects installed client artifacts (`verification`, `collector`, `browser`, `node`, `backend`, `browserDevTools`, `nodeDevTools`, `backendDevTools`), `set` and `unset` re-render the client files (hooks, MCP entries, skill, rule, permissions) automatically — same code path `enable-verification` / `node enable` / `backend enable` use. Other keys (`maxRetries`, `recording`, `jobQueue`, `analytics`, `import`, `ignoredVerifyPatterns`) are pure config flips that the next agent session picks up — no rerender needed.
 
 Pass `--no-rerender` to skip the rerender on artifact-affecting keys (handy for scripted bulk edits — follow up with `ironbee install` to resync). If a rerender fails midway, the config file is rolled back to its prior bytes so disk state never diverges from installed artifacts.
 
@@ -275,9 +304,11 @@ Pass `--no-rerender` to skip the rerender on artifact-affecting keys (handy for
 
 ### Default verify patterns
 
-By default, the **browser cycle** matches common code file extensions: `.ts`, `.tsx`, `.js`, `.jsx`, `.css`, `.scss`, `.html`, `.py`, `.go`, `.rs`, `.java`, `.vue`, `.svelte`, and [many more](src/lib/config.ts). Backend file edits trigger browser verification by default since they often affect frontend behavior.
+By default, the **browser cycle** is enabled and matches common code file extensions: `.ts`, `.tsx`, `.js`, `.jsx`, `.css`, `.scss`, `.html`, `.py`, `.go`, `.rs`, `.java`, `.vue`, `.svelte`, and [many more](src/lib/config.ts) (`DEFAULT_BROWSER_VERIFY_PATTERNS`). Backend file edits trigger browser verification by default since they often affect frontend behavior. Run `ironbee browser disable` for projects where the browser-cycle gate isn't appropriate (e.g. backend-only services); `ironbee browser enable` re-enables.
+
+**Patterns are NOT materialized into `config.json`** — they live in the CLI source (`DEFAULT_BROWSER_VERIFY_PATTERNS` / `DEFAULT_NODE_VERIFY_PATTERNS` / `DEFAULT_BACKEND_VERIFY_PATTERNS`) and flow in at runtime when the cycle block exists without an explicit `verifyPatterns` key. Keeps `config.json` minimal AND lets defaults track CLI updates automatically (no frozen-at-install-time drift). To customize, set the explicit `<cycle>.verifyPatterns` (replaces defaults) or `<cycle>.additionalVerifyPatterns` (appends).
 
-The **node cycle** has no default patterns — running `ironbee enable-backend node` writes opinionated defaults (`server/**`, `pages/api/**`, etc.) which you can customize after.
+The **node cycle** is opt-in via `ironbee node enable` (only meaningful for Node.js backends — `node-devtools` is a V8 inspector wrapper). The **backend cycle** is opt-in via `ironbee backend enable` and is runtime-agnostic (drives wire protocols via `backend-devtools`).
 
 Non-code files like `README.md`, `package.json`, or `.gitignore` do not trigger any cycle.
 
@@ -336,7 +367,7 @@ You can mix-and-match: full config replacement via `mcp`, or just env-var additi
 When the agent tries to complete a task, IronBee runs these checks:
 
 1. **Were code files edited?** — If no matching files were changed, the agent completes normally.
-2. **Which cycles are active?** — IronBee matches each edited file against `browser.verifyPatterns` and (if you opted in) `backend.<runtime>.verifyPatterns`. A single file may activate both cycles; both then run in parallel.
+2. **Which cycles are active?** — IronBee matches each edited file against `browser.verifyPatterns` and (if you opted in) `node.verifyPatterns` and/or `backend.verifyPatterns`. A single file may activate two or three cycles; they all run in parallel and pass/fail combine with AND.
 3. **Were the cycle's required tools used?**
    - **Browser cycle**: navigate, screenshot, accessibility snapshot, console check (all-of)
    - **Node cycle**: connect; then either probe path (`(put-tracepoint | put-logpoint | put-exceptionpoint) AND get-probe-snapshots`) OR log path (`get-logs`)

package/dist/clients/claude/commands/ironbee-verify.md

@@ -1,120 +1,38 @@
 # IronBee Verify
 
-Verify the current code changes through real tools — browser interaction for frontend, runtime-specific debugger for any enabled backend cycle.
+Verify the current code changes through real tools. The gate runs every cycle that has been wired up for this project, and all active cycles must be satisfied within a single verification cycle for `status: pass`. Each cycle has its own tools, flow, and verdict fields — **see the platform sections near the bottom of this file** for which cycles apply and what to call.
 
-## Usage
-- `/ironbee-verify` — **default** — focus on what changed, visual + functional checks on affected areas (browser-cycle modes; any enabled backend-runtime cycle runs alongside automatically — see runtime section below)
-- `/ironbee-verify full` — **full scope** — entire application, all checklists, edge cases, responsive, accessibility deep dive
-- `/ironbee-verify visual` — **visual only** — contrast, layout, spacing, fonts, images, theming
-- `/ironbee-verify functional` — **functional only** — clicks, forms, navigation, data flow, error handling
-
-If no argument is given, use **default** mode. The mode argument controls only the browser-cycle thoroughness — any active backend-runtime cycle runs the same way regardless of mode.
-
-A backend-runtime cycle (e.g. `node` after `ironbee enable-backend node`) may also be active for this project — **see the runtime section near the bottom of this file** for whether it applies and which tools to call.
-
----
-
-## Steps (all modes)
+## Universal steps
 
 1. **Start verification**: Run `echo '{"session_id":"<your-session-id>"}' | ironbee hook verification-start` via Bash (substitute the actual session ID printed by the SessionStart hook).
-2. **Build and start** the application if not already running
-3. **For EVERY page you visit**, repeat this cycle:
-   a. **Navigate** using `mcp__browser-devtools__bdt_navigation_go-to`
-   b. **Take a FULL PAGE screenshot** using `mcp__browser-devtools__bdt_content_take-screenshot` with `fullPage: true`
-   c. **Take an ARIA snapshot** using `mcp__browser-devtools__bdt_a11y_take-aria-snapshot`
-   d. **STOP and visually analyze the screenshot** — switch your focus entirely to finding visual problems. Look at this screenshot as if your ONLY job is to find visual defects:
-      **WARNING: ARIA reports DOM content, not what the user actually sees.** Do NOT assume the page looks correct just because ARIA shows the right content. Only the screenshot tells you what the user actually sees.
-      - Text readability — is it readable against its background? Look for text that blends in or poor contrast
-      - Layout — overlapping elements, unexpected gaps, overflow, content cut off
-      - Spacing — consistent padding/margin? Too cramped or too far apart?
-      - Colors — intentional and consistent? Any jarring mismatches?
-      - Typography — right sizes? Clipped or truncated text?
-      - Images/icons — loaded? Right size and aspect ratio?
-      - States — empty, loading, disabled, error states rendered properly?
-      Report your visual findings before continuing.
-   e. **Read the ARIA snapshot** — verify headings, labels, landmarks, and structure
-   f. If anything looks wrong → note it as an issue
-4. **Functionally test** — run the checklist for your mode (see below). After each significant interaction, take another screenshot and repeat the visual analysis.
-5. **Check console** for errors using `mcp__browser-devtools__bdt_o11y_get-console-messages`
-6. **Stop** the dev server when verification is complete
-7. **If recording was started, stop it now** — `mcp__browser-devtools__bdt_content_stop-recording`. submit-verdict rejects with `"recording is still active"` when this step is skipped. (Recording is a server-side opt-in via `recording.enable` — when on, the gate forces `bdt_content_start-recording` BEFORE the steps above and demands the matching stop here.)
-8. **Submit your verdict** via Bash:
-    - Pass: `echo '{"session_id":"...","status":"pass","pages_tested":[...],"checks":[...],"console_errors":0,"network_failures":0}' | ironbee hook submit-verdict`
-    - Fail: `echo '{"session_id":"...","status":"fail","pages_tested":[...],"checks":[...],"console_errors":N,"network_failures":N,"issues":["describe what failed"]}' | ironbee hook submit-verdict`
-9. **If failed** → collect ALL issues first (finish testing all affected pages), submit one fail verdict with all issues, then fix everything, rebuild, and re-verify. Do not fix one issue at a time — batch fixes to avoid repeated build/restart cycles.
-10. If pass after a previous fail, include `"fixes"` in the verdict describing what was fixed
-
----
-
-## Default Mode
-
-Focus on the code you changed — not the entire application.
-
-### 1. Study the changes
-1. Run `git diff --name-only` and `git diff --name-only HEAD~1`
-2. **Ignore `.ironbee/`, `.claude/`, `.cursor/`** — tool config, not application code
-3. **Read the full diff** (`git diff` and/or `git diff HEAD~1`) — understand every change: what was added, removed, modified. Note specific values (colors, sizes, conditions, logic, API endpoints, component props).
-4. Before opening the browser, you should be able to answer: what exactly changed, what should look or behave differently, and what could go wrong?
-
-### 2. Verify in the browser
-- **Cross-reference the diff against what you see.** For each change in the diff, verify it is correctly reflected in the browser. If the diff changes a color → check that color. If it changes a calculation → verify the result. If it adds a component → confirm it renders.
-- **Test the flow end-to-end** — navigate, click, fill forms, submit, verify the outcome
-- **Check one edge case** — empty input, invalid data, or double-click
-- **Console** — any new errors or warnings?
-
----
-
-## Full Mode (`/ironbee-verify full`)
-
-Comprehensive verification of the **entire application**. Do NOT run `git diff` or scope to recent changes. Test every page, every flow, every visual detail. Any issue is a failure, regardless of when it was introduced.
-
-### Visual Checklist
-In addition to the per-page visual analysis in step 3d:
-- **Responsiveness** — does the layout adapt if viewport changes? No horizontal scrolling on standard widths
-- **Borders & separators** — visible and consistent? Not too faint or missing
-- **Scroll behavior** — does the page scroll smoothly? No content hidden behind sticky headers/footers?
-
-### Functional Checklist
-- **Navigation** — do links and buttons navigate to the correct pages?
-- **Forms** — fill inputs with real data, select options, submit. Do validation messages appear correctly?
-- **Buttons & interactions** — do click handlers fire? Do toggles, dropdowns, and modals work?
-- **Data flow** — does submitted data appear where expected?
-- **Error handling** — what happens with invalid input? Does the UI handle errors gracefully?
-- **Authentication** — if applicable, do protected routes redirect correctly?
-- **API calls** — do network requests succeed? Check for failed requests in console/network
-- **State persistence** — does state survive page refresh where expected?
-- **Edge cases** — empty inputs, very long text, special characters, rapid clicks
-
-### Accessibility (deep dive)
-- Are headings hierarchical? Do form inputs have labels? Are landmarks present?
-- Check for missing alt text on images
+2. **Build and start** the application if not already running.
+3. **For every active cycle, run its flow** as described in the platform sections near the bottom of this file. All active cycles must be exercised within this same verification cycle.
+4. **Stop** the dev server when verification is complete.
+5. **Honor any cycle-specific teardown** noted in the platform sections BEFORE submitting your verdict.
+6. **Submit your verdict** via Bash. Include fields for every active cycle:
+    - Pass: `echo '{"session_id":"...","status":"pass", ...cycle-specific fields...}' | ironbee hook submit-verdict`
+    - Fail: `echo '{"session_id":"...","status":"fail", ...cycle-specific fields..., "issues":["describe what failed"]}' | ironbee hook submit-verdict`
+7. **If failed** → collect ALL issues first (finish testing every active cycle), submit one fail verdict with all issues, then fix everything, rebuild, and re-verify. Do not fix one issue at a time — batch fixes to avoid repeated build/restart cycles.
+8. If pass after a previous fail, include `"fixes"` in the verdict describing what was fixed.
 
 ---
 
-## Visual Mode (`/ironbee-verify visual`)
+<!--IRONBEE:PLATFORM:browser-->
+<!--/IRONBEE:PLATFORM:browser-->
 
-Focus exclusively on visual quality. Run the per-page visual analysis from step 3d on every page, plus:
-- **Responsiveness** — viewport changes, no horizontal scrolling
-- **Borders & separators** — visible and consistent?
-- **Scroll behavior** — smooth scrolling, no hidden content
+<!--IRONBEE:PLATFORM:node-->
+<!--/IRONBEE:PLATFORM:node-->
 
-Take screenshots of **multiple states** if applicable (hover, active, disabled, empty, populated).
-
----
-
-## Functional Mode (`/ironbee-verify functional`)
-
-Focus exclusively on behavior. Use the same functional checklist as Full Mode above.
-
-Test the **complete user flow**, not just the single step you changed.
+<!--IRONBEE:PLATFORM:backend-->
+<!--/IRONBEE:PLATFORM:backend-->
 
 ---
 
 ## When to FAIL
 
-If you observe ANY problem — wrong data, unexpected errors, visual defects, broken interactions, console errors, data inconsistency between pages — you MUST submit a **fail** verdict.
+If you observe ANY problem on any active cycle — wrong data, unexpected errors, broken interactions, missing evidence, anything that doesn't match the spec — you MUST submit a **fail** verdict.
 
-**Do NOT rationalize away problems.** If something looks wrong or behaves unexpectedly, it IS wrong. In **full** mode, there is no such thing as "pre-existing" — if it's broken, fail it.
+**Do NOT rationalize away problems.** If something looks wrong or behaves unexpectedly, it IS wrong.
 
 **After a fail verdict, you MUST fix the issues and re-verify.** Do not just report and stop.
 
@@ -128,8 +46,3 @@ Your `checks` array must list **specific observations**, not generic statements:
 - ALWAYS submit a verdict after every verification attempt — both pass AND fail
 - Do NOT edit code before submitting a fail verdict
 - **Noticing a bug and submitting pass is the #1 violation** — if you see it, fail it
-
----
-
-<!--IRONBEE:RUNTIME:node-->
-<!--/IRONBEE:RUNTIME:node-->

package/dist/clients/claude/hooks/clear-verdict.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"clear-verdict.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/clear-verdict.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA6DH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0D3D"}
+{"version":3,"file":"clear-verdict.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/clear-verdict.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAmFH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAgE3D"}

package/dist/clients/claude/hooks/clear-verdict.js

@@ -15,6 +15,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.run = run;
+const fs_1 = require("fs");
 const clear_verdict_1 = require("../../../hooks/core/clear-verdict");
 const actions_1 = require("../../../hooks/core/actions");
 const session_state_1 = require("../../../hooks/core/session-state");
@@ -29,27 +30,41 @@ function deriveChangeFacts(input, sessionId) {
     if (!ti) {
         return null;
     }
+    const stash = input.tool_use_id
+        ? (0, tool_use_stash_1.consumeToolUseData)(sessionId, input.tool_use_id)
+        : null;
     if (tool === "Edit") {
         const oldStr = ti.old_string ?? "";
         const newStr = ti.new_string ?? "";
         const counts = (0, file_diff_1.diffLineCounts)(oldStr, newStr);
-        return { tool_name: "Edit", operation: "update", lines_added: counts.added, lines_removed: counts.removed };
+        return { tool_name: "Edit", operation: "update", lines_added: counts.added, lines_removed: counts.removed, stash };
     }
     if (tool === "Write") {
         const content = ti.content ?? "";
-        const stash = input.tool_use_id
-            ? (0, tool_use_stash_1.consumeToolUseData)(sessionId, input.tool_use_id)
-            : null;
         const fileExisted = stash?.file_existed ?? false;
         return {
             tool_name: "Write",
             operation: fileExisted ? "update" : "create",
             lines_added: (0, file_diff_1.countLines)(content),
             lines_removed: fileExisted ? null : 0,
+            stash,
         };
     }
     return null;
 }
+function buildChangeset(filePath, stash, maxBytes) {
+    const priorContent = stash?.prior_content ?? "";
+    let postContent;
+    try {
+        postContent = (0, fs_1.existsSync)(filePath) ? (0, fs_1.readFileSync)(filePath, "utf-8") : "";
+    }
+    catch (e) {
+        logger_1.logger.debug(`failed to read post-edit content of ${filePath} for changeset: ${e}`);
+        return undefined;
+    }
+    const diff = (0, file_diff_1.createUnifiedDiff)(priorContent, postContent, maxBytes);
+    return diff ?? undefined;
+}
 async function run(projectDir) {
     let sessionId = "default";
     let input;
@@ -95,6 +110,12 @@ async function run(projectDir) {
         activity_id: (0, session_state_1.getActiveActivityId)(sessionDir),
         fix_id: (0, session_state_1.getActiveFixId)(sessionDir),
     };
+    if ((0, config_1.getCaptureFileChangeset)(config)) {
+        const changeset = buildChangeset(writtenFile, facts.stash, (0, config_1.getMaxChangesetBytes)(config));
+        if (changeset !== undefined) {
+            entry.changeset = changeset;
+        }
+    }
     await (0, actions_1.appendAction)(actionsFile, entry);
     (0, clear_verdict_1.runClearVerdict)({
         verdictFile: `${projectDir}/.ironbee/sessions/${sessionId}/verdict.json`,

package/dist/clients/claude/hooks/clear-verdict.js.map

@@ -1 +1 @@
-{"version":3,"file":"clear-verdict.js","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/clear-verdict.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AA6DH,kBA0DC;AArHD,qEAAoE;AACpE,yDAA8G;AAC9G,qEAAwF;AACxF,uEAAwF;AACxF,6DAA2F;AAC3F,gDAAsF;AACtF,gDAAyD;AACzD,8CAA+C;AAqB/C,SAAS,iBAAiB,CAAC,KAA6B,EAAE,SAAiB;IACvE,MAAM,IAAI,GAAuB,KAAK,CAAC,SAAS,CAAC;IACjD,MAAM,EAAE,GAAyC,KAAK,CAAC,UAAU,CAAC;IAClE,IAAI,CAAC,EAAE,EAAE,CAAC;QACN,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QAClB,MAAM,MAAM,GAAW,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAW,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAmB,IAAA,0BAAc,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;IAChH,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,OAAO,GAAW,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC;QACzC,MAAM,KAAK,GAA0B,KAAK,CAAC,WAAW;YAClD,CAAC,CAAC,IAAA,mCAAkB,EAAiB,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC;YAClE,CAAC,CAAC,IAAI,CAAC;QACX,MAAM,WAAW,GAAY,KAAK,EAAE,YAAY,IAAI,KAAK,CAAC;QAC1D,OAAO;YACH,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;YAC5C,WAAW,EAAE,IAAA,sBAAU,EAAC,OAAO,CAAC;YAChC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SACxC,CAAC;IACN,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAEM,KAAK,UAAU,GAAG,CAAC,UAAkB;IACxC,IAAI,SAAS,GAAW,SAAS,CAAC;IAClC,IAAI,KAA6B,CAAC;IAClC,IAAI,CAAC;QACD,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAS,GAAE,CAA2B,CAAC;QAC1D,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,SAAS,CAAC;QAC1C,IAAA,mBAAU,EAAC,GAAG,UAAU,sBAAsB,SAAS,cAAc,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QAClB,eAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,WAAW,GAAuB,KAAK,CAAC,UAAU,EAAE,SAAS,CAAC;IACpE,IAAI,WAAW,IAAI,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACpG,eAAM,CAAC,KAAK,CAAC,wDAAwD,WAAW,EAAE,CAAC,CAAC;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAkB,IAAA,mBAAU,EAAC,UAAU,CAAC,CAAC;IACrD,IAAI,CAAC,IAAA,6BAAoB,EAAC,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC;QAC7C,eAAM,CAAC,KAAK,CAAC,+DAA+D,WAAW,GAAG,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,UAAU,GAAW,GAAG,UAAU,sBAAsB,SAAS,EAAE,CAAC;IAC1E,MAAM,WAAW,GAAW,GAAG,UAAU,gBAAgB,CAAC;IAE1D,MAAM,KAAK,GAAuB,iBAAiB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,eAAM,CAAC,KAAK,CAAC,4CAA4C,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,KAAK,GAAqB;QAC5B,GAAG,IAAA,oBAAU,EAAC,WAAW,CAAC;QAC1B,IAAI,EAAE,aAAa;QACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,WAAW;QACtB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,WAAW,EAAE,IAAA,mCAAmB,EAAC,UAAU,CAAE;QAC7C,MAAM,EAAE,IAAA,8BAAc,EAAC,UAAU,CAAE;KACtC,CAAC;IACF,MAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAEvC,IAAA,+BAAe,EAAC;QACZ,WAAW,EAAE,GAAG,UAAU,sBAAsB,SAAS,eAAe;QACxE,UAAU;KACb,CAAC,CAAC;IAEH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}
+{"version":3,"file":"clear-verdict.js","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/clear-verdict.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAmFH,kBAgEC;AAjJD,2BAA8C;AAC9C,qEAAoE;AACpE,yDAA8G;AAC9G,qEAAwF;AACxF,uEAAwF;AACxF,6DAA8G;AAC9G,gDAM6B;AAC7B,gDAAyD;AACzD,8CAA+C;AAsB/C,SAAS,iBAAiB,CAAC,KAA6B,EAAE,SAAiB;IACvE,MAAM,IAAI,GAAuB,KAAK,CAAC,SAAS,CAAC;IACjD,MAAM,EAAE,GAAyC,KAAK,CAAC,UAAU,CAAC;IAClE,IAAI,CAAC,EAAE,EAAE,CAAC;QACN,OAAO,IAAI,CAAC;IAChB,CAAC;IACD,MAAM,KAAK,GAA0B,KAAK,CAAC,WAAW;QAClD,CAAC,CAAC,IAAA,mCAAkB,EAAiB,SAAS,EAAE,KAAK,CAAC,WAAW,CAAC;QAClE,CAAC,CAAC,IAAI,CAAC;IAEX,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QAClB,MAAM,MAAM,GAAW,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAW,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAmB,IAAA,0BAAc,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;IACvH,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACnB,MAAM,OAAO,GAAW,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC;QACzC,MAAM,WAAW,GAAY,KAAK,EAAE,YAAY,IAAI,KAAK,CAAC;QAC1D,OAAO;YACH,SAAS,EAAE,OAAO;YAClB,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ;YAC5C,WAAW,EAAE,IAAA,sBAAU,EAAC,OAAO,CAAC;YAChC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACrC,KAAK;SACR,CAAC;IACN,CAAC;IAED,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,KAA4B,EAAE,QAAgB;IACpF,MAAM,YAAY,GAAW,KAAK,EAAE,aAAa,IAAI,EAAE,CAAC;IACxD,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACD,WAAW,GAAG,IAAA,eAAU,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9E,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QAClB,eAAM,CAAC,KAAK,CAAC,uCAAuC,QAAQ,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACpF,OAAO,SAAS,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,GAAkB,IAAA,6BAAiB,EAAC,YAAY,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IACnF,OAAO,IAAI,IAAI,SAAS,CAAC;AAC7B,CAAC;AAEM,KAAK,UAAU,GAAG,CAAC,UAAkB;IACxC,IAAI,SAAS,GAAW,SAAS,CAAC;IAClC,IAAI,KAA6B,CAAC;IAClC,IAAI,CAAC;QACD,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAS,GAAE,CAA2B,CAAC;QAC1D,SAAS,GAAG,KAAK,CAAC,UAAU,IAAI,SAAS,CAAC;QAC1C,IAAA,mBAAU,EAAC,GAAG,UAAU,sBAAsB,SAAS,cAAc,CAAC,CAAC;IAC3E,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QAClB,eAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,WAAW,GAAuB,KAAK,CAAC,UAAU,EAAE,SAAS,CAAC;IACpE,IAAI,WAAW,IAAI,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACpG,eAAM,CAAC,KAAK,CAAC,wDAAwD,WAAW,EAAE,CAAC,CAAC;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAkB,IAAA,mBAAU,EAAC,UAAU,CAAC,CAAC;IACrD,IAAI,CAAC,IAAA,6BAAoB,EAAC,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC;QAC7C,eAAM,CAAC,KAAK,CAAC,+DAA+D,WAAW,GAAG,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,UAAU,GAAW,GAAG,UAAU,sBAAsB,SAAS,EAAE,CAAC;IAC1E,MAAM,WAAW,GAAW,GAAG,UAAU,gBAAgB,CAAC;IAE1D,MAAM,KAAK,GAAuB,iBAAiB,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,eAAM,CAAC,KAAK,CAAC,4CAA4C,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,KAAK,GAAqB;QAC5B,GAAG,IAAA,oBAAU,EAAC,WAAW,CAAC;QAC1B,IAAI,EAAE,aAAa;QACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,WAAW;QACtB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,WAAW,EAAE,IAAA,mCAAmB,EAAC,UAAU,CAAE;QAC7C,MAAM,EAAE,IAAA,8BAAc,EAAC,UAAU,CAAE;KACtC,CAAC;IACF,IAAI,IAAA,gCAAuB,EAAC,MAAM,CAAC,EAAE,CAAC;QAClC,MAAM,SAAS,GAAuB,cAAc,CAAC,WAAW,EAAE,KAAK,CAAC,KAAK,EAAE,IAAA,6BAAoB,EAAC,MAAM,CAAC,CAAC,CAAC;QAC7G,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1B,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;QAChC,CAAC;IACL,CAAC;IACD,MAAM,IAAA,sBAAY,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAEvC,IAAA,+BAAe,EAAC;QACZ,WAAW,EAAE,GAAG,UAAU,sBAAsB,SAAS,eAAe;QACxE,UAAU;KACb,CAAC,CAAC;IAEH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/clients/claude/hooks/require-verdict.d.ts

@@ -2,9 +2,9 @@
  * Claude Code — require-verdict hook adapter
  *
  * PreToolUse hook for Write|Edit — blocks file edits if the agent used
- * any devtools tools (browser-devtools or node-devtools) but hasn't
- * submitted a verdict yet. Forces the agent to submit a fail verdict
- * before fixing code.
+ * any devtools tools (browser-devtools / node-devtools / backend-devtools)
+ * but hasn't submitted a verdict yet. Forces the agent to submit a fail
+ * verdict before fixing code.
  *
  * Side effect: when `tool_name === "Write"`, stashes whether the target
  * file already exists so the matching PostToolUse adapter can decide

package/dist/clients/claude/hooks/require-verdict.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"require-verdict.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verdict.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAkBH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAkC3D"}
+{"version":3,"file":"require-verdict.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verdict.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAmBH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAmD3D"}

package/dist/clients/claude/hooks/require-verdict.js

@@ -3,9 +3,9 @@
  * Claude Code — require-verdict hook adapter
  *
  * PreToolUse hook for Write|Edit — blocks file edits if the agent used
- * any devtools tools (browser-devtools or node-devtools) but hasn't
- * submitted a verdict yet. Forces the agent to submit a fail verdict
- * before fixing code.
+ * any devtools tools (browser-devtools / node-devtools / backend-devtools)
+ * but hasn't submitted a verdict yet. Forces the agent to submit a fail
+ * verdict before fixing code.
  *
  * Side effect: when `tool_name === "Write"`, stashes whether the target
  * file already exists so the matching PostToolUse adapter can decide
@@ -21,6 +21,7 @@ const fs_1 = require("fs");
 const actions_1 = require("../../../hooks/core/actions");
 const activity_1 = require("../../../hooks/core/activity");
 const tool_use_stash_1 = require("../../../hooks/core/tool-use-stash");
+const config_1 = require("../../../lib/config");
 const logger_1 = require("../../../lib/logger");
 const stdin_1 = require("../../../lib/stdin");
 async function run(projectDir) {
@@ -37,18 +38,35 @@ async function run(projectDir) {
     const sessionDir = `${projectDir}/.ironbee/sessions/${sessionId}`;
     const actionsFile = `${sessionDir}/actions.jsonl`;
     if ((0, actions_1.hasToolCallsSinceLastVerdict)(actionsFile)) {
-        process.stderr.write(`BLOCKED: You used verification tools (browser-devtools or node-devtools) but did not submit a verdict. You MUST submit a verdict (pass or fail) before editing code.
+        process.stderr.write(`BLOCKED: You used verification tools (browser-devtools / node-devtools / backend-devtools) but did not submit a verdict. You MUST submit a verdict (pass or fail) before editing code.
 
-Submit your verdict first (include cycle-appropriate fields — browser fields for bdt_*, backend_node_* fields for ndt_*):
+Submit your verdict first (include cycle-appropriate fields — browser fields for bdt_*, backend_node_* for ndt_*, backend_endpoints_called/backend_response_statuses for bedt_*):
   echo '{"session_id":"${sessionId}","status":"fail","checks":[...],"issues":["describe what failed"], ...}' | ironbee hook submit-verdict
 
 Then you can edit code to fix the issues.
 `);
         process.exit(2);
     }
-    if (input.tool_name === "Write" && input.tool_input?.file_path && input.tool_use_id) {
-        const state = { file_existed: (0, fs_1.existsSync)(input.tool_input.file_path) };
-        (0, tool_use_stash_1.stashToolUseData)(sessionId, input.tool_use_id, state);
+    const filePath = input.tool_input?.file_path;
+    if (filePath && input.tool_use_id) {
+        const config = (0, config_1.loadConfig)(projectDir);
+        const captureChangeset = (0, config_1.getCaptureFileChangeset)(config);
+        const fileExisted = (0, fs_1.existsSync)(filePath);
+        // We always stash for Write so PostToolUse can label create vs update.
+        // For Edit we only stash when changeset capture is on — there's no
+        // operation-derivation need otherwise (Edit is always "update").
+        if (input.tool_name === "Write" || (input.tool_name === "Edit" && captureChangeset)) {
+            const state = { file_existed: fileExisted };
+            if (captureChangeset && fileExisted) {
+                try {
+                    state.prior_content = (0, fs_1.readFileSync)(filePath, "utf-8");
+                }
+                catch (e) {
+                    logger_1.logger.debug(`failed to pre-read ${filePath} for changeset capture: ${e}`);
+                }
+            }
+            (0, tool_use_stash_1.stashToolUseData)(sessionId, input.tool_use_id, state);
+        }
     }
     await (0, activity_1.startActivity)({ sessionDir, actionsFile, source: "pre_tool_use" });
     process.exit(0);

package/dist/clients/claude/hooks/require-verdict.js.map

@@ -1 +1 @@
-{"version":3,"file":"require-verdict.js","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verdict.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;AAkBH,kBAkCC;AAlDD,2BAAgC;AAChC,yDAA2E;AAC3E,2DAA6D;AAC7D,uEAAsF;AACtF,gDAAyD;AACzD,8CAA+C;AAWxC,KAAK,UAAU,GAAG,CAAC,UAAkB;IACxC,IAAI,KAA4B,CAAC;IACjC,IAAI,CAAC;QACD,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAS,GAAE,CAA0B,CAAC;IAC7D,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QAClB,eAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAW,KAAK,CAAC,UAAU,IAAI,SAAS,CAAC;IACxD,IAAA,mBAAU,EAAC,GAAG,UAAU,sBAAsB,SAAS,cAAc,CAAC,CAAC;IAEvE,MAAM,UAAU,GAAW,GAAG,UAAU,sBAAsB,SAAS,EAAE,CAAC;IAC1E,MAAM,WAAW,GAAW,GAAG,UAAU,gBAAgB,CAAC;IAE1D,IAAI,IAAA,sCAA4B,EAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;;;yBAGJ,SAAS;;;CAGjC,CAAC,CAAC;QACK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,KAAK,CAAC,SAAS,KAAK,OAAO,IAAI,KAAK,CAAC,UAAU,EAAE,SAAS,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAClF,MAAM,KAAK,GAAmB,EAAE,YAAY,EAAE,IAAA,eAAU,EAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvF,IAAA,iCAAgB,EAAC,SAAS,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,IAAA,wBAAa,EAAC,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;IAEzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}
+{"version":3,"file":"require-verdict.js","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verdict.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;AAmBH,kBAmDC;AApED,2BAA8C;AAC9C,yDAA2E;AAC3E,2DAA6D;AAC7D,uEAAsF;AACtF,gDAAyF;AACzF,gDAAyD;AACzD,8CAA+C;AAWxC,KAAK,UAAU,GAAG,CAAC,UAAkB;IACxC,IAAI,KAA4B,CAAC;IACjC,IAAI,CAAC;QACD,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAS,GAAE,CAA0B,CAAC;IAC7D,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QAClB,eAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,SAAS,GAAW,KAAK,CAAC,UAAU,IAAI,SAAS,CAAC;IACxD,IAAA,mBAAU,EAAC,GAAG,UAAU,sBAAsB,SAAS,cAAc,CAAC,CAAC;IAEvE,MAAM,UAAU,GAAW,GAAG,UAAU,sBAAsB,SAAS,EAAE,CAAC;IAC1E,MAAM,WAAW,GAAW,GAAG,UAAU,gBAAgB,CAAC;IAE1D,IAAI,IAAA,sCAA4B,EAAC,WAAW,CAAC,EAAE,CAAC;QAC5C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;;;yBAGJ,SAAS;;;CAGjC,CAAC,CAAC;QACK,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IAED,MAAM,QAAQ,GAAuB,KAAK,CAAC,UAAU,EAAE,SAAS,CAAC;IACjE,IAAI,QAAQ,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAChC,MAAM,MAAM,GAAkB,IAAA,mBAAU,EAAC,UAAU,CAAC,CAAC;QACrD,MAAM,gBAAgB,GAAY,IAAA,gCAAuB,EAAC,MAAM,CAAC,CAAC;QAClE,MAAM,WAAW,GAAY,IAAA,eAAU,EAAC,QAAQ,CAAC,CAAC;QAElD,uEAAuE;QACvE,mEAAmE;QACnE,iEAAiE;QACjE,IAAI,KAAK,CAAC,SAAS,KAAK,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,KAAK,MAAM,IAAI,gBAAgB,CAAC,EAAE,CAAC;YAClF,MAAM,KAAK,GAAmB,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;YAC5D,IAAI,gBAAgB,IAAI,WAAW,EAAE,CAAC;gBAClC,IAAI,CAAC;oBACD,KAAK,CAAC,aAAa,GAAG,IAAA,iBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAC1D,CAAC;gBAAC,OAAO,CAAU,EAAE,CAAC;oBAClB,eAAM,CAAC,KAAK,CAAC,sBAAsB,QAAQ,2BAA2B,CAAC,EAAE,CAAC,CAAC;gBAC/E,CAAC;YACL,CAAC;YACD,IAAA,iCAAgB,EAAC,SAAS,EAAE,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACL,CAAC;IAED,MAAM,IAAA,wBAAa,EAAC,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;IAEzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/clients/claude/hooks/require-verification.d.ts

@@ -1,15 +1,16 @@
 /**
  * Claude Code — require-verification hook adapter
  *
- * PreToolUse hook for `mcp__browser-devtools__.*|mcp__node-devtools__.*`
- * — blocks devtools tool usage if no active verification cycle. Forces
- * the agent to call `ironbee hook verification-start` before using any
- * verification tooling (browser or node).
+ * PreToolUse hook for the three devtools matchers — `mcp__browser-devtools__.*`,
+ * `mcp__node-devtools__.*`, `mcp__backend-devtools__.*` — blocks devtools tool
+ * usage if no active verification cycle. Forces the agent to call
+ * `ironbee hook verification-start` before using any verification tooling
+ * (browser, node, or backend).
  *
  * When allowed, injects `_metadata` into tool input with sessionId and traceId
  * so the MCP server knows the active session/trace context. The `mcpServer`
  * field is parsed from `tool_name` so each server (browser-devtools /
- * node-devtools) sees its own correct identity.
+ * node-devtools / backend-devtools) sees its own correct identity.
  *
  * Exit 0 = allow tool (with updatedInput containing _metadata)
  * Exit 2 = block tool

package/dist/clients/claude/hooks/require-verification.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"require-verification.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAgCH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoH3D"}
+{"version":3,"file":"require-verification.d.ts","sourceRoot":"","sources":["../../../../src/clients/claude/hooks/require-verification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAiCH,wBAAsB,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqH3D"}

package/dist/clients/claude/hooks/require-verification.js

@@ -2,15 +2,16 @@
 /**
  * Claude Code — require-verification hook adapter
  *
- * PreToolUse hook for `mcp__browser-devtools__.*|mcp__node-devtools__.*`
- * — blocks devtools tool usage if no active verification cycle. Forces
- * the agent to call `ironbee hook verification-start` before using any
- * verification tooling (browser or node).
+ * PreToolUse hook for the three devtools matchers — `mcp__browser-devtools__.*`,
+ * `mcp__node-devtools__.*`, `mcp__backend-devtools__.*` — blocks devtools tool
+ * usage if no active verification cycle. Forces the agent to call
+ * `ironbee hook verification-start` before using any verification tooling
+ * (browser, node, or backend).
  *
  * When allowed, injects `_metadata` into tool input with sessionId and traceId
  * so the MCP server knows the active session/trace context. The `mcpServer`
  * field is parsed from `tool_name` so each server (browser-devtools /
- * node-devtools) sees its own correct identity.
+ * node-devtools / backend-devtools) sees its own correct identity.
  *
  * Exit 0 = allow tool (with updatedInput containing _metadata)
  * Exit 2 = block tool
@@ -26,9 +27,10 @@ const logger_1 = require("../../../lib/logger");
 const util_1 = require("../util");
 const stdin_1 = require("../../../lib/stdin");
 /** Fallback MCP server when `tool_name` parsing fails. The matcher routes
- *  both `mcp__browser-devtools__.*` and `mcp__node-devtools__.*` here, so
- *  `extractMcpServerName` is the source of truth — this is only used if the
- *  tool_name field is malformed or absent. */
+ *  all three of `mcp__browser-devtools__.*`, `mcp__node-devtools__.*`, and
+ *  `mcp__backend-devtools__.*` here, so `extractMcpServerName` is the source
+ *  of truth — this fallback is only used if the tool_name field is malformed
+ *  or absent. */
 const FALLBACK_MCP_SERVER_NAME = "browser-devtools";
 async function run(projectDir) {
     let input;
@@ -45,12 +47,12 @@ async function run(projectDir) {
     const actionsFile = `${sessionDir}/actions.jsonl`;
     const verificationId = (0, session_state_1.getActiveVerificationId)(sessionDir);
     if (!verificationId) {
-        process.stderr.write(`BLOCKED: You must start a verification cycle before using devtools tools (browser-devtools or node-devtools).
+        process.stderr.write(`BLOCKED: You must start a verification cycle before using devtools tools (browser-devtools / node-devtools / backend-devtools).
 
 Start verification first:
   echo '{"session_id":"${sessionId}"}' | ironbee hook verification-start
 
-Then use the verification tools for the active cycle(s) — bdt_* for browser, ndt_* for node.
+Then use the verification tools for the active cycle(s) — bdt_* for browser, ndt_* for node, bedt_* for backend.
 `);
         process.exit(2);
     }
@@ -108,13 +110,14 @@ Then use the verification tools for the active cycle(s) — bdt_* for browser, n
     if (input.tool_use_id) {
         metadata.toolUseId = input.tool_use_id;
     }
-    // The matcher routes both `mcp__browser-devtools__.*` and
-    // `mcp__node-devtools__.*` here, so the tool_name reliably encodes a
-    // server. Parse it so each server gets its correct identity in the
-    // metadata. Falls back to a hardcoded browser-devtools constant if
-    // parsing ever fails (malformed tool_name, missing field, …). This
-    // keeps MCP-emitted OTel events tagged with the same `mcp_server`
-    // dimension our own tool_call events carry.
+    // The matcher routes all three of `mcp__browser-devtools__.*`,
+    // `mcp__node-devtools__.*`, and `mcp__backend-devtools__.*` here, so
+    // the tool_name reliably encodes a server. Parse it so each server
+    // gets its correct identity in the metadata. Falls back to a
+    // hardcoded browser-devtools constant if parsing ever fails (malformed
+    // tool_name, missing field, …). This keeps MCP-emitted OTel events
+    // tagged with the same `mcp_server` dimension our own tool_call
+    // events carry.
     metadata.mcpServer = (0, util_1.extractMcpServerName)(input.tool_name) ?? FALLBACK_MCP_SERVER_NAME;
     const userEmail = (0, session_state_1.getUserEmail)(sessionDir);
     if (userEmail) {