@jigyasudham/veto 2.1.1 → 2.5.0

package/README.md

@@ -1,36 +1,36 @@
 # veto
 
-> **89 agentic tools. 49 specialists. Every major AI CLI. Self-learning. Zero extra cost on subscriptions.**
+> **92 agentic tools. 49 specialists. Every major AI CLI. Self-learning. Zero extra cost on subscriptions.**
 
 An MCP server that runs locally on your machine, plugs into Claude Code, Codex CLI, Gemini CLI, Antigravity CLI, Cursor, Windsurf, Zed, and JetBrains using your existing subscriptions — giving every AI a council of specialist agents, local LLM support, SDD agents, playwright automation, persistent cross-platform memory, a self-learning router that re-tunes its tier thresholds automatically every 20 recorded task outcomes (reviews record outcomes for you; configurable via `auto_apply_learning`), CI/CD gates, workspace discovery, and bidirectional IDE communication.
 
-> **Billing note:** "Zero cost" applies to subscription plans (Claude Max, Gemini Advanced, etc.). If you are on API/pay-per-token billing, MCP Sampling calls made by Veto agents will count toward your token usage. `veto init` detects API key environment variables and warns you automatically.
+> **Billing note:** "Zero cost" applies to subscription plans (Claude Max, Gemini Advanced, etc.). If you are on API/pay-per-token billing, LLM reasoning done for Veto agents (via the agentic loop or MCP Sampling) counts toward your token usage like any other turn. `veto init` detects API key environment variables and warns you automatically.
 
 ---
 
 ## How the Agents Work
 
-**Every tool uses a 2-phase agentic loop — no API keys required, zero extra cost.**
+**No API keys, zero extra cost.** Every worker agent is a deterministic expert module at its core, with two optional layers of LLM reasoning on top — all of it delegated to the AI you're already paying for.
 
-### Phase 1 — MCP Sampling
-The tool attempts real LLM reasoning via MCP Sampling (`server.createMessage`). If your client supports it, the agent reasons deeply and returns a structured plan or analysis.
+### Default — Deterministic expert modules
+Out of the box, each of the 42 worker agents runs as a hand-written expert module (`plan()` / `analyze()` in `src/agents/`) — **not** an LLM. They always run, work offline, and cost zero tokens. Their depth varies by design: analysis agents (security scanner, secrets, dependency audit, clone detector) apply real algorithms — regex/AST detection, OWASP/CWE rules, hash-based clone matching — while planning agents (coder, debugger, tester, …) are structured expert playbooks: curated steps, checklists, and pitfalls for the task category, built to be reasoned over by the AI you already pay for rather than to reason themselves.
 
-### Phase 2 — Agentic Fallback
-If Sampling is unavailable, Veto returns an `llm_upgrade` prompt. The host AI reads the specialist's role, performs the reasoning itself, and passes the JSON response back to complete the operation.
+### Path A — Agentic loop (most clients: Claude Code, Cursor, Windsurf)
+Veto returns the specialist's role, rubric, and an output contract as an `llm_upgrade` prompt. The host AI reasons as the specialist and passes structured JSON back to complete the operation. This is the primary path — it costs nothing beyond your existing subscription and works on every client.
 
-Every worker agent supports both modes. When multiple agents run, they execute in parallel. LLM calls delegate back to the AI you're already using — no extra billing.
+### Path B — MCP Sampling (clients that support `server.createMessage`)
+Where Sampling is available, the same upgrade happens server-side without the extra round-trip. Note: the July 2026 MCP spec revision deprecates Sampling protocol-wide (12-month sunset), so the agentic loop (Path A) is Veto's long-term default; Sampling remains a transparent optimization where it exists.
+
+The 7-agent **Council** is LLM-first — its value is the multi-agent debate — but it too falls back to a deterministic verdict when no LLM path is available. When multiple agents run, they execute in parallel.
 
 ---
 
 ## Specialist Roles
 
-| Agent Group | Specialist Roles |
-|---|---|
-| **Council** | Lead Dev · PM · Architect · UX · Devil's Advocate · Legal · Security |
-| **Development** | Coder · Reviewer · Tester · Debugger · Refactor · Database · API · Frontend · Backend · DevOps · Performance · Migration |
-| **Advanced** | Local LLM (Ollama) · Semantic Search · SDD Agent · Playwright · i18n Translate · a11y Advisor |
-| **Intelligence** | Task Planner · Researcher · Tech Advisor · Risk Assessor · Cost Analyzer · Ethics/Bias |
-| **Workflow** | File Manager · Git Agent · Search Agent · Reporter · Automation |
+**49 specialists: 42 deterministic worker agents across 6 domains + a 7-agent Council.** The Council debates trade-offs before you build; the worker agents do the hands-on analysis and planning. Each is a deterministic expert module that can upgrade to LLM reasoning — see [How the Agents Work](#how-the-agents-work). List them anytime with `veto agents`.
+
+**Council (7)**
+`Lead Dev` · `PM` · `Architect` · `UX` · `Devil's Advocate` · `Legal` · `Security`
 
 **Development (12)**
 `Coder` · `Code Reviewer` · `Tester` · `Debugger` · `Refactor` · `Database` · `API` · `Frontend` · `Backend` · `DevOps` · `Performance` · `Migration`
@@ -52,7 +52,7 @@ Every worker agent supports both modes. When multiple agents run, they execute i
 
 ---
 
-## MCP Tools (89)
+## MCP Tools (92)
 
 | Category | Tools |
 |---|---|
@@ -61,18 +61,83 @@ Every worker agent supports both modes. When multiple agents run, they execute i
 | **Council** | `veto_council_debate` · `veto_benchmark` · `veto_adr` |
 | **Agents** | `veto_agent_plan` · `veto_execute_parallel` · `veto_explain` · `veto_compose_agents` · `veto_delegate` |
 | **Review** | `veto_code_review` · `veto_security_scan` · `veto_secrets_scan` · `veto_diff_review` · `veto_full_review` · `veto_pr_review` |
-| **Pipelines** | `veto_pre_commit` · `veto_new_feature` · `veto_workflow` · `veto_task_parse` |
+| **Pipelines** | `veto_ci_gate` · `veto_pre_commit` · `veto_new_feature` · `veto_workflow` · `veto_task_parse` |
 | **Advanced** | `veto_local_llm` · `veto_semantic_search` · `veto_sdd_agent` · `veto_playwright` · `veto_notify_ide` |
 | **Quality** | `veto_clone_detector` · `veto_lint_rules` · `veto_api_contract` · `veto_a11y_advisor` · `veto_type_coverage` · `veto_test_gaps` |
+| **Advisors** | `veto_dep_advisor` · `veto_dep_verify` · `veto_query_advisor` · `veto_bundle_advisor` · `veto_dead_code` · `veto_hitl_checkpoint` · `veto_drift_check` |
 | **Watching** | `veto_watch` · `veto_watch_poll` · `veto_watch_stop` |
 | **Memory** | `veto_memory_store` · `veto_memory_search` · `veto_memory_delete` · `veto_project_map_update` · `veto_project_map_get` · `veto_pattern_store` · `veto_patterns_list` · `veto_memory_export` · `veto_memory_import` |
 | **Learning** | `veto_record_outcome` · `veto_learning_stats` · `veto_learning_apply` |
 | **Handoff** | `veto_handoff` · `veto_continue` · `veto_platform_setup` |
 | **Observability** | `veto_usage_status` · `veto_audit_log` · `veto_health` · `veto_metrics` |
 | **Discover** | `veto_discover` · `veto_summarize` · `veto_git_blame` · `veto_changelog` · `veto_onboard` · `veto_debt_register` |
-| **DevTools** | `veto_docs_fetch` · `veto_context_status` · `veto_openapi_gen` · `veto_flag_auditor` · `veto_env_setup` · `veto_commit_message` · `veto_pr_description` · `veto_pr_post` · `veto_prompt_optimizer` · `veto_sre_advisor` · `veto_diagram` · `veto_rca` · `veto_translate` · `veto_merge_conflict` |
+| **DevTools** | `veto_docs_fetch` · `veto_context_status` · `veto_openapi_gen` · `veto_flag_auditor` · `veto_env_setup` · `veto_commit_message` · `veto_pr_description` · `veto_pr_post` · `veto_prompt_optimizer` · `veto_sre_advisor` · `veto_diagram` · `veto_rca` · `veto_doc_gen` · `veto_postmortem` · `veto_release_notes` · `veto_translate` · `veto_merge_conflict` |
 | **Plugins** | `veto_plugins` |
 
+## Compact Mode — 92 tools without the context tax
+
+92 tool schemas cost a client ~16K context tokens before the user types a word. Compact mode advertises a surface that is **5–6× smaller**: seven core tools (`veto_status`, `veto_session_save`, `veto_session_restore`, `veto_route_task`, `veto_council_debate`, `veto_memory_search`, `veto_record_outcome`) plus two meta-tools — `veto_find_tools` searches the full catalog by keyword and returns matching schemas on demand; `veto_call` invokes any catalog tool by name. Every tool remains directly callable in both modes; compact only changes what is advertised up front.
+
+Enable it with `VETO_COMPACT=1` in your MCP server config env, or `"compact_tools": true` in `~/.veto/config.json`:
+
+```jsonc
+{
+  "mcpServers": {
+    "veto": {
+      "command": "npx",
+      "args": ["-y", "--package", "@jigyasudham/veto", "veto-server"],
+      "env": { "VETO_COMPACT": "1" }
+    }
+  }
+}
+```
+
+## Dependency-Hallucination Guard
+
+LLMs propose plausible-but-nonexistent package names, and adversaries register those names on public registries (slopsquatting) — a supply-chain attack class with no pre-install check in most AI workflows. `veto_dep_verify` checks every proposed package against the live registry **before** you install:
+
+```
+veto_dep_verify { packages: ["axios", "axois", "left-padd"], ecosystem: "npm" }
+→ axios      verified    (14 years old, 40M downloads/month)
+→ axois      HIGH_RISK   (1 edit from "axios" — possible typosquat)
+→ left-padd  NOT_FOUND   (likely hallucinated — do NOT retry the install later:
+                          nonexistent AI-suggested names are prime slopsquat targets)
+```
+
+Signals per package: registry existence, age, monthly downloads, version history, deprecation, and typo-distance from popular packages. Supports npm, PyPI, and crates.io. Network failures return `unverifiable` — never silently safe.
+
+## Decision-Drift Enforcement
+
+AI assistants forget architectural decisions and re-litigate them sessions later — the most common complaint about long-running AI projects. Veto's memory doesn't just store decisions; it **enforces** them. Record a decision once as a machine-checkable constraint:
+
+```
+veto_decisions {
+  action: "add",
+  rule: "We use Postgres — no Mongo",
+  why: "Decided 2026-05: relational data, team expertise",
+  forbidden_patterns: ["mongoose", "mongodb"],
+  severity: "block"
+}
+```
+
+From then on, `veto_diff_review` and `veto_ci_gate` automatically fail any diff whose **added lines** match a forbidden pattern — when an AI quietly adds `mongoose` to the imports three sessions later, the review fails with the rule and the rationale attached. Patterns are case-insensitive regexes (with substring fallback), optionally scoped to a file glob (`src/**/*.ts`), per-project or global, severity `block` or `warn`. Manage with `action: list / check / disable / enable`.
+
+## Compounding-Error Circuit Breaker
+
+Agents fail silently in loops — retrying the same broken call, re-hitting the same error, thrashing between two tools — and burn a whole session before anyone notices. `veto_drift_check` scans the recent tool-call trace for that pattern mid-flight and trips a breaker before the spiral compounds:
+
+```
+veto_drift_check
+→ DRIFT DETECTED
+  • 4 consecutive failed calls (veto_diff_review)
+  • same error repeated 3× ("no diff provided")
+  • tool veto_route_task called 6× in a row
+→ remediation (debugger agent): stop retrying; the diff is empty —
+  point at a project_dir with uncommitted changes or pass `diff` explicitly.
+```
+
+It looks for three drift signals — consecutive failures, duplicate error messages, and single-tool repetition — and when any trips, it runs the `debugger` agent over the trace for a concrete recovery step instead of letting the loop continue. Call it as a periodic checkpoint in long agentic runs.
+
 ## Which tool do I use?
 
 Several tools overlap by design (different granularity or entry point). Quick guide:
@@ -144,6 +209,9 @@ veto sessions                    # List last 20 saved sessions ([auto] badge on
 veto sessions --clean            # Remove auto-saves older than 7 days
 veto memory [query]              # Search knowledge base (blank = all entries)
 veto patterns [prefix]           # List learned agent/routing patterns
+veto tools [filter]              # List all 92 MCP tools (--json for machine output)
+veto agents [filter]             # List all 49 specialists — workers + council (--json)
+veto routing [status|log|reset]  # Inspect the opt-in routing feedback loop
 veto hook install                # Install pre-commit secrets scan hook
 veto hook remove                 # Remove the veto pre-commit hook
 veto check                       # Scan staged changes for secrets (used by hook)
@@ -297,6 +365,8 @@ veto_workflow {
 
 Every agent tool auto-records a quality signal when it completes. After any working session, `veto_learning_stats` shows live data and `veto_learning_apply` adjusts tier thresholds automatically after ~20 calls.
 
+The loop also feeds itself **implicitly**: `veto_learning_stats` mines the tool-call trace for signals nobody recorded manually — an agent-backed tool that returned an error, or the same analysis tool re-run within minutes in one session (which usually means the first answer didn't satisfy) — and records them as low-quality outcomes automatically.
+
 ```bash
 veto_route_task { task: "debug auth issue", file_ext: ".ts" }
 → { ..., recommended_agent: "debugger" }   # ← predicted from history
@@ -345,9 +415,30 @@ Platform switching is manual — Veto surfaces which platform has budget remaini
 
 ---
 
+## Release Notes
+
+### 2.5.0
+- **`veto_drift_check` — compounding-error circuit breaker.** Scans the recent tool-call trace for consecutive failures, repeated error messages, and single-tool thrashing, then runs the `debugger` agent for a concrete recovery step. See [Compounding-Error Circuit Breaker](#compounding-error-circuit-breaker).
+- **Council calibration fixes.** Tightened the deterministic council's pattern triggers so they no longer false-fire on generic words (e.g. "server", "transport") or semver strings like `v2.5.0`, and removed stale hardcoded tool counts from agent reasoning.
+
+### 2.4.0
+- **`veto_decisions` — decision-drift enforcement.** Record an architectural decision once as a machine-checkable constraint; `veto_diff_review` and `veto_ci_gate` then auto-fail any diff whose added lines reintroduce a forbidden pattern. See [Decision-Drift Enforcement](#decision-drift-enforcement).
+
+### 2.3.0
+- **`veto_dep_verify` — dependency-hallucination guard.** Verifies every proposed package against the live npm/PyPI/crates.io registry before install, flagging hallucinated names and typosquats (slopsquatting defense). See [Dependency-Hallucination Guard](#dependency-hallucination-guard).
+
+### 2.2.0
+- **Compact mode** (`VETO_COMPACT=1`) — advertises 9 tools incl. `veto_find_tools` / `veto_call` meta-tools, ~5–6× schema reduction. See [Compact Mode](#compact-mode--92-tools-without-the-context-tax).
+- **Implicit outcome mining** — `veto_learning_stats` now mines outcomes automatically from the tool-call trace (errored calls, rapid re-runs), no manual `veto_record_outcome` needed.
+- **Experimental streamable HTTP transport** (`veto-server --http`). See [HTTP Transport](#http-transport-experimental).
+
+## HTTP Transport (experimental)
+
+`veto-server --http [port]` serves MCP over streamable HTTP at `http://127.0.0.1:<port>/mcp` (default port 3939) instead of stdio — for gateways, remote clients, or anything that can't spawn a subprocess. It runs **stateless** (no session IDs — the direction of the July 2026 MCP spec) and binds loopback only; set `VETO_HTTP_HOST` to expose it deliberately.
+
 ## Project Structure
 
-Veto is a single MCP server (`src/server.ts`) that registers 89 tools, MCP Resources, and Prompts, then dispatches every tool call through a per-domain **handler registry** — there is no monolithic switch. Each domain owns a `HandlerMap` module under `src/server/handlers/`:
+Veto is a single MCP server (`src/server.ts`) that registers 92 tools, MCP Resources, and Prompts, then dispatches every tool call through a per-domain **handler registry** — there is no monolithic switch. Each domain owns a `HandlerMap` module under `src/server/handlers/`:
 
 | Module | Tools | Domain |
 |---|---|---|
@@ -355,7 +446,7 @@ Veto is a single MCP server (`src/server.ts`) that registers 89 tools, MCP Resou
 | `generators.ts` | 11 | single-agent artifact generators (adr, diagram, rca, doc_gen, onboard, …) |
 | `memory.ts` | 9 | knowledge base, patterns, project map |
 | `observability.ts` | 7 | health, metrics, usage, audit, context/rate status |
-| `advisors.ts` | 7 | project scanners (dep, query, bundle, dead-code, flag, openapi, HITL) |
+| `advisors.ts` | 8 | project scanners (dep, query, bundle, dead-code, flag, openapi, HITL, drift-check) |
 | `session.ts` | 6 | save · restore · list · handoff · continue · replay |
 | `review.ts` | 5 | diff · ci · pr · full review + pre-commit pipelines |
 | `git.ts` | 5 | blame · changelog · commit message · PR description/post |

package/VETO-MCP-DIAGNOSTIC.md

@@ -0,0 +1,73 @@
+# Veto MCP — connection failure diagnostic
+
+Run these in the **failing VS Code window's project terminal** (the project where the
+`veto_*` tools won't load). Paste all output back.
+
+Context: Veto's server imports `node:sqlite` at startup, which needs **Node >= 22.5.0**.
+If that window resolves an older Node, the server throws and exits immediately — the exact
+"launches but never runs the stdio loop" symptom. These four checks pin down the cause.
+
+---
+
+## Run this block (PowerShell)
+
+```powershell
+# 1. What command is this project actually configured to launch for veto?
+claude mcp get veto
+
+# (fallback if the above errors)
+claude mcp list
+
+# 2. Node version this window resolves — MUST be >= 22.5.0
+node --version
+
+# 3. Can a bare `veto-server` even resolve, and is it installed globally?
+where.exe veto-server
+npm ls -g @jigyasudham/veto
+
+# 4. Decisive test — launch the server directly and watch what it prints:
+npx -y --package @jigyasudham/veto veto-server
+```
+
+For step 4:
+- **GOOD** -> prints `Veto MCP server v2.1.2 running (stdio)` then hangs. Press **Ctrl+C** to exit.
+- **BAD**  -> an error/stack trace (copy the whole thing) OR it returns to the prompt instantly.
+
+---
+
+## What each result means
+
+| Check | If this is the problem | Fix |
+|---|---|---|
+| **#2 Node < 22.5.0** | `node:sqlite` import throws -> server exits immediately | Point the MCP command at a Node >= 22.5.0, or use the `npx` form below (it inherits PATH — make sure that PATH's Node is >= 22.5.0). |
+| **#3 `veto-server` not found** | config launches a bare `veto-server` that isn't on PATH | Use the `npx` command form below instead of a bare binary. |
+| **#1 config points at `dist/server.js` of a different/uninstalled path** | wrong launcher | Repoint to the `npx` form below. |
+| **#4 prints a stack trace** | the package itself errors in this environment | Copy the trace — that's the real bug; bring it back here. |
+| **#4 GOOD but tools still fail in-CLI** | config command != the working `npx` one | Repoint config to the `npx` form, then fully restart the CLI. |
+
+---
+
+## The likely fix (repoint the config to the known-good launcher)
+
+Update that project's veto MCP server entry to:
+
+```json
+{
+  "command": "npx",
+  "args": ["-y", "--package", "@jigyasudham/veto", "veto-server"]
+}
+```
+
+Or via CLI from that project dir:
+
+```powershell
+claude mcp remove veto
+claude mcp add veto -- npx -y --package @jigyasudham/veto veto-server
+```
+
+Then **fully restart Claude Code** — MCP config is read only at startup, so the current
+in-memory session won't recover; the next launch will.
+
+Note: `npx -y` now pulls **2.1.2** (latest), so a healthy run reports `v2.1.2`.
+Verify the resolved Node behind `npx` is >= 22.5.0 (`node --version`), or the npx form
+will fail the same way.

package/dist/agents/security/dep-verify.d.ts

@@ -0,0 +1,23 @@
+export type Ecosystem = 'npm' | 'pypi' | 'crates';
+export type PackageSignals = {
+    exists: boolean;
+    age_days: number | null;
+    downloads_last_month: number | null;
+    version_count: number | null;
+    deprecated: boolean;
+};
+export type PackageVerdict = {
+    name: string;
+    ecosystem: Ecosystem;
+    verdict: 'verified' | 'caution' | 'high_risk' | 'not_found' | 'unverifiable';
+    risk_signals: string[];
+    signals: PackageSignals | null;
+    similar_popular_package: string | null;
+    error?: string;
+};
+export declare function editDistance(a: string, b: string, cap?: number): number;
+export declare function findTyposquatTarget(name: string, ecosystem: Ecosystem): string | null;
+export declare function assessPackage(name: string, ecosystem: Ecosystem, signals: PackageSignals | null, fetchError?: string): PackageVerdict;
+export declare function verifyPackage(name: string, ecosystem: Ecosystem): Promise<PackageVerdict>;
+export declare function verifyPackages(names: string[], ecosystem: Ecosystem): Promise<PackageVerdict[]>;
+//# sourceMappingURL=dep-verify.d.ts.map

package/dist/agents/security/dep-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-verify.d.ts","sourceRoot":"","sources":["../../../src/agents/security/dep-verify.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAC;AAElD,MAAM,MAAM,cAAc,GAAG;IAC3B,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,OAAO,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,SAAS,CAAC;IACrB,OAAO,EAAE,UAAU,GAAG,SAAS,GAAG,WAAW,GAAG,WAAW,GAAG,cAAc,CAAC;IAC7E,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,EAAE,cAAc,GAAG,IAAI,CAAC;IAC/B,uBAAuB,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAmCF,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,SAAI,GAAG,MAAM,CAelE;AAID,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,MAAM,GAAG,IAAI,CAUrF;AAED,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,GAAG,IAAI,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,cAAc,CAiDrI;AAsFD,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,cAAc,CAAC,CAO/F;AAED,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAErG"}

package/dist/agents/security/dep-verify.js

@@ -0,0 +1,229 @@
+// Dependency-hallucination guard. LLMs propose plausible-but-nonexistent
+// package names, and adversaries register those names on public registries
+// (slopsquatting) — a supply-chain risk class with no pre-install check in
+// most AI workflows. This module verifies a proposed package against the live
+// registry: does it exist, how old is it, how used is it, and is its name a
+// near-miss of a popular package it isn't?
+//
+// assessPackage() is pure (signals in, verdict out) so the risk logic is
+// testable offline; the per-ecosystem fetchers do the network work.
+// Top packages per ecosystem — the names adversaries typosquat. Curated, not
+// exhaustive: the check is "1–2 edits from something everyone installs".
+const POPULAR = {
+    npm: [
+        'react', 'react-dom', 'lodash', 'express', 'axios', 'chalk', 'commander',
+        'typescript', 'webpack', 'vite', 'next', 'vue', 'eslint', 'prettier',
+        'jest', 'vitest', 'mocha', 'dotenv', 'cors', 'uuid', 'zod', 'moment',
+        'dayjs', 'classnames', 'redux', 'rxjs', 'socket.io', 'mongoose', 'prisma',
+        'sequelize', 'pg', 'mysql2', 'sqlite3', 'redis', 'ioredis', 'bcrypt',
+        'jsonwebtoken', 'passport', 'multer', 'sharp', 'puppeteer', 'playwright',
+        'cheerio', 'node-fetch', 'undici', 'got', 'inquirer', 'yargs', 'minimist',
+        'glob', 'rimraf', 'fs-extra', 'semver', 'debug', 'winston', 'pino',
+        'nodemon', 'tsx', 'ts-node', 'esbuild', 'rollup', 'tailwindcss', 'sass',
+        'styled-components', 'svelte', 'electron', 'openai', 'langchain',
+    ],
+    pypi: [
+        'requests', 'numpy', 'pandas', 'flask', 'django', 'boto3', 'urllib3',
+        'pytest', 'scipy', 'matplotlib', 'pillow', 'sqlalchemy', 'pydantic',
+        'fastapi', 'uvicorn', 'celery', 'redis', 'cryptography', 'httpx', 'aiohttp',
+        'beautifulsoup4', 'lxml', 'openpyxl', 'python-dotenv', 'click', 'rich',
+        'typer', 'scikit-learn', 'torch', 'tensorflow', 'transformers', 'openai',
+        'anthropic', 'langchain', 'jinja2', 'pyyaml', 'toml', 'setuptools', 'wheel',
+        'colorama', 'tqdm', 'selenium', 'playwright', 'psycopg2', 'pymongo',
+    ],
+    crates: [
+        'serde', 'tokio', 'clap', 'rand', 'syn', 'quote', 'anyhow', 'thiserror',
+        'log', 'tracing', 'regex', 'chrono', 'reqwest', 'hyper', 'axum', 'actix-web',
+        'futures', 'itertools', 'lazy_static', 'once_cell', 'bytes', 'uuid',
+        'serde_json', 'rayon', 'crossbeam', 'parking_lot', 'libc', 'bitflags',
+    ],
+};
+// Levenshtein distance with an early-exit cap — we only care about 0/1/2/more.
+export function editDistance(a, b, cap = 3) {
+    if (a === b)
+        return 0;
+    if (Math.abs(a.length - b.length) >= cap)
+        return cap;
+    const prev = new Array(b.length + 1).fill(0).map((_, i) => i);
+    for (let i = 1; i <= a.length; i++) {
+        let cur = [i];
+        let rowMin = i;
+        for (let j = 1; j <= b.length; j++) {
+            cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
+            rowMin = Math.min(rowMin, cur[j]);
+        }
+        if (rowMin >= cap)
+            return cap;
+        prev.splice(0, prev.length, ...cur);
+    }
+    return Math.min(prev[b.length], cap);
+}
+// A popular package this name is suspiciously close to (1–2 edits) without
+// being it. Scoped npm names are compared by their base name too.
+export function findTyposquatTarget(name, ecosystem) {
+    const popular = POPULAR[ecosystem];
+    const lower = name.toLowerCase();
+    if (popular.includes(lower))
+        return null;
+    const base = lower.includes('/') ? lower.split('/').pop() : lower;
+    for (const candidate of popular) {
+        const d = Math.min(editDistance(lower, candidate), editDistance(base, candidate));
+        if (d >= 1 && d <= 2)
+            return candidate;
+    }
+    return null;
+}
+export function assessPackage(name, ecosystem, signals, fetchError) {
+    const similar = findTyposquatTarget(name, ecosystem);
+    if (fetchError || !signals) {
+        return {
+            name, ecosystem, verdict: 'unverifiable', signals: null,
+            similar_popular_package: similar,
+            risk_signals: ['Registry could not be reached — do not assume the package is safe.'],
+            error: fetchError ?? 'no signals',
+        };
+    }
+    if (!signals.exists) {
+        const risk_signals = [
+            'Package does not exist on the registry — the name is likely hallucinated.',
+            'Do NOT retry the install later: nonexistent AI-suggested names are prime slopsquatting targets.',
+        ];
+        if (similar)
+            risk_signals.push(`Did you mean "${similar}"?`);
+        return { name, ecosystem, verdict: 'not_found', signals, similar_popular_package: similar, risk_signals };
+    }
+    const risk_signals = [];
+    const young = signals.age_days !== null && signals.age_days < 90;
+    const brandNew = signals.age_days !== null && signals.age_days < 30;
+    const lowUsage = signals.downloads_last_month !== null && signals.downloads_last_month < 500;
+    const veryLowUsage = signals.downloads_last_month !== null && signals.downloads_last_month < 100;
+    const singleVersion = signals.version_count !== null && signals.version_count <= 1;
+    if (similar)
+        risk_signals.push(`Name is 1–2 edits from the popular package "${similar}" — possible typosquat.`);
+    if (brandNew)
+        risk_signals.push(`Published ${signals.age_days} days ago — too new to have a reputation.`);
+    else if (young)
+        risk_signals.push(`Only ${signals.age_days} days old.`);
+    if (veryLowUsage)
+        risk_signals.push(`Fewer than 100 downloads last month.`);
+    else if (lowUsage)
+        risk_signals.push(`Fewer than 500 downloads last month.`);
+    if (singleVersion)
+        risk_signals.push('Only one published version.');
+    if (signals.deprecated)
+        risk_signals.push('Package is marked deprecated.');
+    let verdict;
+    if (similar && (young || lowUsage || singleVersion)) {
+        // Near-miss name AND weak track record — the classic squat profile.
+        verdict = 'high_risk';
+    }
+    else if (brandNew && (veryLowUsage || singleVersion)) {
+        verdict = 'high_risk';
+    }
+    else if (risk_signals.length > 0) {
+        verdict = 'caution';
+    }
+    else {
+        verdict = 'verified';
+    }
+    return { name, ecosystem, verdict, signals, similar_popular_package: similar, risk_signals };
+}
+// ─── Registry fetchers ────────────────────────────────────────────────────────
+const FETCH_TIMEOUT_MS = 6000;
+const UA = { 'User-Agent': 'veto-dep-verify (https://github.com/jigyasudham/veto)' };
+async function getJson(url) {
+    const res = await fetch(url, { headers: UA, signal: AbortSignal.timeout(FETCH_TIMEOUT_MS) });
+    if (res.status === 404)
+        return { status: 404, body: null };
+    if (!res.ok)
+        throw new Error(`${url} -> HTTP ${res.status}`);
+    return { status: res.status, body: await res.json() };
+}
+function daysSince(iso) {
+    if (!iso)
+        return null;
+    const t = new Date(iso).getTime();
+    if (Number.isNaN(t))
+        return null;
+    return Math.max(0, Math.round((Date.now() - t) / 86_400_000));
+}
+async function fetchNpmSignals(name) {
+    const meta = await getJson(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
+    if (meta.status === 404)
+        return { exists: false, age_days: null, downloads_last_month: null, version_count: null, deprecated: false };
+    const versions = meta.body?.versions ? Object.keys(meta.body.versions) : [];
+    const latestTag = meta.body?.['dist-tags']?.latest;
+    const deprecated = !!(latestTag && meta.body?.versions?.[latestTag]?.deprecated);
+    let downloads = null;
+    try {
+        const dl = await getJson(`https://api.npmjs.org/downloads/point/last-month/${encodeURIComponent(name)}`);
+        downloads = typeof dl.body?.downloads === 'number' ? dl.body.downloads : null;
+    }
+    catch { /* downloads API down — verdict degrades gracefully */ }
+    return {
+        exists: true,
+        age_days: daysSince(meta.body?.time?.created),
+        downloads_last_month: downloads,
+        version_count: versions.length || null,
+        deprecated,
+    };
+}
+async function fetchPypiSignals(name) {
+    const meta = await getJson(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+    if (meta.status === 404)
+        return { exists: false, age_days: null, downloads_last_month: null, version_count: null, deprecated: false };
+    const releases = meta.body?.releases ?? {};
+    const versionKeys = Object.keys(releases);
+    let earliest;
+    for (const files of Object.values(releases)) {
+        for (const f of files) {
+            if (f.upload_time_iso_8601 && (!earliest || f.upload_time_iso_8601 < earliest))
+                earliest = f.upload_time_iso_8601;
+        }
+    }
+    let downloads = null;
+    try {
+        const dl = await getJson(`https://pypistats.org/api/packages/${encodeURIComponent(name.toLowerCase())}/recent`);
+        downloads = typeof dl.body?.data?.last_month === 'number' ? dl.body.data.last_month : null;
+    }
+    catch { /* stats API is best-effort */ }
+    return {
+        exists: true,
+        age_days: daysSince(earliest),
+        downloads_last_month: downloads,
+        version_count: versionKeys.length || null,
+        deprecated: meta.body?.info?.yanked === true,
+    };
+}
+async function fetchCratesSignals(name) {
+    const meta = await getJson(`https://crates.io/api/v1/crates/${encodeURIComponent(name)}`);
+    if (meta.status === 404)
+        return { exists: false, age_days: null, downloads_last_month: null, version_count: null, deprecated: false };
+    const crate = meta.body?.crate ?? {};
+    return {
+        exists: true,
+        age_days: daysSince(crate.created_at),
+        // recent_downloads is the 90-day figure; closest available proxy.
+        downloads_last_month: typeof crate.recent_downloads === 'number' ? Math.round(crate.recent_downloads / 3) : null,
+        version_count: Array.isArray(meta.body?.versions) ? meta.body.versions.length : null,
+        deprecated: false,
+    };
+}
+const FETCHERS = {
+    npm: fetchNpmSignals,
+    pypi: fetchPypiSignals,
+    crates: fetchCratesSignals,
+};
+export async function verifyPackage(name, ecosystem) {
+    try {
+        const signals = await FETCHERS[ecosystem](name);
+        return assessPackage(name, ecosystem, signals);
+    }
+    catch (err) {
+        return assessPackage(name, ecosystem, null, err instanceof Error ? err.message : String(err));
+    }
+}
+export async function verifyPackages(names, ecosystem) {
+    return Promise.all(names.map(n => verifyPackage(n.trim(), ecosystem)));
+}
+//# sourceMappingURL=dep-verify.js.map

package/dist/agents/security/dep-verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-verify.js","sourceRoot":"","sources":["../../../src/agents/security/dep-verify.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,2EAA2E;AAC3E,2EAA2E;AAC3E,8EAA8E;AAC9E,4EAA4E;AAC5E,2CAA2C;AAC3C,EAAE;AACF,yEAAyE;AACzE,oEAAoE;AAsBpE,6EAA6E;AAC7E,yEAAyE;AACzE,MAAM,OAAO,GAAgC;IAC3C,GAAG,EAAE;QACH,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW;QACxE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU;QACpE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ;QACpE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ;QACzE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ;QACpE,cAAc,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,YAAY;QACxE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU;QACzE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM;QAClE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM;QACvE,mBAAmB,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW;KACjE;IACD,IAAI,EAAE;QACJ,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS;QACpE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;QACnE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS;QAC3E,gBAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM;QACtE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,QAAQ;QACxE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,OAAO;QAC3E,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS;KACpE;IACD,MAAM,EAAE;QACN,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW;QACvE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW;QAC5E,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM;QACnE,YAAY,EAAE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU;KACtE;CACF,CAAC;AAEF,+EAA+E;AAC/E,MAAM,UAAU,YAAY,CAAC,CAAS,EAAE,CAAS,EAAE,GAAG,GAAG,CAAC;IACxD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACtB,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9F,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,2EAA2E;AAC3E,kEAAkE;AAClE,MAAM,UAAU,mBAAmB,CAAC,IAAY,EAAE,SAAoB;IACpE,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,KAAK,CAAC;IACnE,KAAK,MAAM,SAAS,IAAI,OAAO,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,YAAY,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;QAClF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,SAAoB,EAAE,OAA8B,EAAE,UAAmB;IACnH,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAErD,IAAI,UAAU,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3B,OAAO;YACL,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,IAAI;YACvD,uBAAuB,EAAE,OAAO;YAChC,YAAY,EAAE,CAAC,oEAAoE,CAAC;YACpF,KAAK,EAAE,UAAU,IAAI,YAAY;SAClC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG;YACnB,2EAA2E;YAC3E,iGAAiG;SAClG,CAAC;QACF,IAAI,OAAO;YAAE,YAAY,CAAC,IAAI,CAAC,iBAAiB,OAAO,IAAI,CAAC,CAAC;QAC7D,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,uBAAuB,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5G,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,EAAE,CAAC;IACjE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,QAAQ,GAAG,EAAE,CAAC;IACpE,MAAM,QAAQ,GAAG,OAAO,CAAC,oBAAoB,KAAK,IAAI,IAAI,OAAO,CAAC,oBAAoB,GAAG,GAAG,CAAC;IAC7F,MAAM,YAAY,GAAG,OAAO,CAAC,oBAAoB,KAAK,IAAI,IAAI,OAAO,CAAC,oBAAoB,GAAG,GAAG,CAAC;IACjG,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,KAAK,IAAI,IAAI,OAAO,CAAC,aAAa,IAAI,CAAC,CAAC;IAEnF,IAAI,OAAO;QAAE,YAAY,CAAC,IAAI,CAAC,+CAA+C,OAAO,yBAAyB,CAAC,CAAC;IAChH,IAAI,QAAQ;QAAE,YAAY,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,QAAQ,2CAA2C,CAAC,CAAC;SACrG,IAAI,KAAK;QAAE,YAAY,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,YAAY,CAAC,CAAC;IACxE,IAAI,YAAY;QAAE,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;SACvE,IAAI,QAAQ;QAAE,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IAC7E,IAAI,aAAa;QAAE,YAAY,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IACpE,IAAI,OAAO,CAAC,UAAU;QAAE,YAAY,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAE3E,IAAI,OAAkC,CAAC;IACvC,IAAI,OAAO,IAAI,CAAC,KAAK,IAAI,QAAQ,IAAI,aAAa,CAAC,EAAE,CAAC;QACpD,oEAAoE;QACpE,OAAO,GAAG,WAAW,CAAC;IACxB,CAAC;SAAM,IAAI,QAAQ,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC,EAAE,CAAC;QACvD,OAAO,GAAG,WAAW,CAAC;IACxB,CAAC;SAAM,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,SAAS,CAAC;IACtB,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,UAAU,CAAC;IACvB,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,uBAAuB,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AAC/F,CAAC;AAED,iFAAiF;AAEjF,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,EAAE,GAAG,EAAE,YAAY,EAAE,uDAAuD,EAAE,CAAC;AAErF,KAAK,UAAU,OAAO,CAAC,GAAW;IAChC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;IAC7F,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC3D,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,GAAG,YAAY,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7D,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,SAAS,CAAC,GAAuB;IACxC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,8BAA8B,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrF,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IACtI,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IACnD,MAAM,UAAU,GAAG,CAAC,CAAC,CAAC,SAAS,IAAI,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,SAAS,CAAC,EAAE,UAAU,CAAC,CAAC;IACjF,IAAI,SAAS,GAAkB,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,oDAAoD,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzG,SAAS,GAAG,OAAO,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IAChF,CAAC;IAAC,MAAM,CAAC,CAAC,sDAAsD,CAAC,CAAC;IAClE,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC;QAC7C,oBAAoB,EAAE,SAAS;QAC/B,aAAa,EAAE,QAAQ,CAAC,MAAM,IAAI,IAAI;QACtC,UAAU;KACX,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,yBAAyB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACrF,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IACtI,MAAM,QAAQ,GAA6D,IAAI,CAAC,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;IACrG,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,IAAI,QAA4B,CAAC;IACjC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,oBAAoB,GAAG,QAAQ,CAAC;gBAAE,QAAQ,GAAG,CAAC,CAAC,oBAAoB,CAAC;QACpH,CAAC;IACH,CAAC;IACD,IAAI,SAAS,GAAkB,IAAI,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,sCAAsC,kBAAkB,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,CAAC;QAChH,SAAS,GAAG,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7F,CAAC;IAAC,MAAM,CAAC,CAAC,8BAA8B,CAAC,CAAC;IAC1C,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC;QAC7B,oBAAoB,EAAE,SAAS;QAC/B,aAAa,EAAE,WAAW,CAAC,MAAM,IAAI,IAAI;QACzC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,KAAK,IAAI;KAC7C,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAY;IAC5C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,mCAAmC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1F,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IACtI,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;IACrC,OAAO;QACL,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC;QACrC,kEAAkE;QAClE,oBAAoB,EAAE,OAAO,KAAK,CAAC,gBAAgB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,gBAAgB,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;QAChH,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;QACpF,UAAU,EAAE,KAAK;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,QAAQ,GAAiE;IAC7E,GAAG,EAAE,eAAe;IACpB,IAAI,EAAE,gBAAgB;IACtB,MAAM,EAAE,kBAAkB;CAC3B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY,EAAE,SAAoB;IACpE,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAe,EAAE,SAAoB;IACxE,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC"}

package/dist/cli.js

@@ -9,7 +9,7 @@ import { homedir } from 'node:os';
 import { fileURLToPath } from 'node:url';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const { version: VERSION } = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8'));
-const TAGLINE = '89 agentic tools. 49 specialists. Every major AI CLI. Self-learning. Zero extra cost on subscriptions.';
+const TAGLINE = '92 agentic tools. 49 specialists. Every major AI CLI. Self-learning. Zero extra cost on subscriptions.';
 const VETO_DIR = join(homedir(), '.veto');
 const HOME = homedir();
 const c = {
@@ -307,7 +307,7 @@ async function initCommand() {
     console.log('');
     const VETO_GUIDE = `# Veto MCP Server
 
-Veto is active. 89 tools across 6 categories:
+Veto is active. 92 tools across 6 categories:
 
 **Session & Context** — veto_status · veto_session_save · veto_continue · veto_handoff
 Save work at 60–70% context capacity. veto_status triggers auto-save above 70%.
@@ -865,7 +865,7 @@ async function patternsCommand() {
 }
 function shortHelpCommand() {
     console.log('');
-    console.log(c.bold(c.cyan('  veto')) + c.dim(` v${VERSION}`) + c.dim(` — 89 agentic tools. 49 specialists. Every major AI CLI. Zero extra cost on subscriptions.`));
+    console.log(c.bold(c.cyan('  veto')) + c.dim(` v${VERSION}`) + c.dim(` — 92 agentic tools. 49 specialists. Every major AI CLI. Zero extra cost on subscriptions.`));
     console.log('');
     console.log(c.bold('  CLI Commands'));
     console.log(c.dim('  ─────────────────────────────────────────────────────'));
@@ -886,7 +886,7 @@ function shortHelpCommand() {
     console.log(`  ${c.cyan('veto help')}                    Show this help`);
     console.log(`  ${c.cyan('veto help --troubleshoot')}     Show troubleshooting guide`);
     console.log('');
-    console.log(c.bold('  MCP Tools (89 Agentic Tools)'));
+    console.log(c.bold('  MCP Tools (92 Agentic Tools)'));
     console.log(c.dim('  ─────────────────────────────────────────────────────'));
     console.log(`  ${c.dim('Session')}       veto_status · veto_session_save · veto_session_restore · veto_sessions_list · veto_session_replay · veto_autosave_status`);
     console.log(`  ${c.dim('Council')}       veto_council_debate · veto_benchmark · veto_adr`);

package/dist/council/decision-engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decision-engine.d.ts","sourceRoot":"","sources":["../../src/council/decision-engine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAa,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1E,KAAK,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;AAEnC,wBAAgB,MAAM,CAAC,KAAK,EAAE,KAAK,GAAG;IACpC,aAAa,EAAE,cAAc,CAAC;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAsDA;AAED,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,cAAc,EACvB,aAAa,EAAE,MAAM,EAAE,EACvB,QAAQ,EAAE,MAAM,EAAE,EAClB,WAAW,EAAE,MAAM,GAClB,MAAM,CAmHR"}
+{"version":3,"file":"decision-engine.d.ts","sourceRoot":"","sources":["../../src/council/decision-engine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAa,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1E,KAAK,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;AAEnC,wBAAgB,MAAM,CAAC,KAAK,EAAE,KAAK,GAAG;IACpC,aAAa,EAAE,cAAc,CAAC;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAkEA;AAED,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,cAAc,EACvB,aAAa,EAAE,MAAM,EAAE,EACvB,QAAQ,EAAE,MAAM,EAAE,EAClB,WAAW,EAAE,MAAM,GAClB,MAAM,CAmHR"}

package/dist/council/decision-engine.js

@@ -17,6 +17,10 @@ export function decide(votes) {
     const criticalBlockers = blockers.filter(([name]) => CRITICAL.has(name));
     const secondaryBlockers = blockers.filter(([name]) => !CRITICAL.has(name));
     const criticalApprovers = approvers.filter(([name]) => CRITICAL.has(name));
+    // A warn only counts toward escalation when it names a specific risk.
+    // Hedge-warns with no concerns are recorded as warnings but can't flip the verdict.
+    const meaningfulWarners = warners.filter(([, v]) => v.concerns.some(c => typeof c === 'string' && c.length > 0));
+    const criticalMeaningfulWarners = meaningfulWarners.filter(([name]) => CRITICAL.has(name));
     const block_reasons = blockers.map(([, v]) => v.reason);
     const warnings = [
         ...blockers.flatMap(([, v]) => v.concerns),
@@ -32,8 +36,13 @@ export function decide(votes) {
         // Business/UX objections vs technical approval — genuine split
         final_verdict = 'DEADLOCK';
     }
-    else if (secondaryBlockers.length >= 1 || warners.length >= 2) {
-        // At least one concern but no hard expert block
+    else if (secondaryBlockers.length >= 1 ||
+        meaningfulWarners.length >= 3 ||
+        criticalMeaningfulWarners.length >= 2) {
+        // Escalate only on substantive dissent: a block, three agents naming real
+        // risks, or two expert-domain agents naming real risks. The Devil's
+        // Advocate warns on almost everything by design — one routine warn plus a
+        // hedge must not be enough to fence-sit, or YELLOW carries no signal.
         final_verdict = 'YELLOW';
     }
     else {