@soulbatical/tetra-dev-toolkit 1.20.2 → 2.0.0

package/bin/tetra-migration-lint.js

@@ -1,317 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Tetra Migration Lint — HARD BLOCK before supabase db push
- *
- * Scans SQL migration files OFFLINE (no Supabase connection needed) for:
- * 1. SECURITY DEFINER on data RPCs (must be INVOKER)
- * 2. Tables without ENABLE ROW LEVEL SECURITY
- * 3. DROP POLICY / DROP TABLE without explicit confirmation
- * 4. GRANT to public/anon on sensitive tables
- * 5. Missing WITH CHECK on INSERT/UPDATE policies
- *
- * Usage:
- *   tetra-migration-lint                     # Lint all migrations
- *   tetra-migration-lint --staged            # Only git-staged .sql files (for pre-commit)
- *   tetra-migration-lint --file path.sql     # Lint a specific file
- *   tetra-migration-lint --fix-suggestions   # Show fix SQL for each violation
- *   tetra-migration-lint --json              # JSON output for CI
- *
- * Exit codes:
- *   0 = all clean
- *   1 = violations found (CRITICAL or HIGH)
- *   2 = warnings only (MEDIUM/LOW) — does not block
- *
- * Hook usage (.husky/pre-commit):
- *   tetra-migration-lint --staged || exit 1
- *
- * Wrapper usage (replace `supabase db push`):
- *   tetra-migration-lint && supabase db push
- */
-
-import { readFileSync, existsSync } from 'fs'
-import { join, resolve, basename, relative } from 'path'
-import { globSync } from 'glob'
-import { execSync } from 'child_process'
-import chalk from 'chalk'
-import { program } from 'commander'
-
-// ─── Dangerous patterns ────────────────────────────────────────────
-const RULES = [
-  {
-    id: 'DEFINER_DATA_RPC',
-    severity: 'critical',
-    pattern: /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?(\w+)\s*\([^)]*\)[\s\S]*?SECURITY\s+DEFINER/gi,
-    test: (match, fullContent) => {
-      const funcName = match[1]
-      // Auth helpers are OK as DEFINER
-      const authWhitelist = [
-        // Auth helpers (need DEFINER to read auth schema)
-        'auth_org_id', 'auth_uid', 'auth_role', 'auth_user_role',
-        'auth_admin_organizations', 'auth_user_id', 'requesting_user_id',
-        'get_auth_org_id', 'get_current_user_id',
-        'auth_user_organizations', 'auth_creator_organizations',
-        'auth_organization_id', 'auth_is_admin', 'auth_is_superadmin',
-        // Public RPCs (anon access, DEFINER needed to bypass RLS and return safe columns)
-        'search_public_ad_library',
-        // System/billing RPCs (no user context)
-        'get_org_credit_limits',
-        // Supabase internal
-        'handle_new_user', 'moddatetime'
-      ]
-      return !authWhitelist.includes(funcName)
-    },
-    message: (match) => `SECURITY DEFINER on RPC "${match[1]}" — bypasses RLS completely. Use SECURITY INVOKER instead.`,
-    fix: (match) => `ALTER FUNCTION ${match[1]} SECURITY INVOKER;`
-  },
-  {
-    id: 'CREATE_TABLE_NO_RLS',
-    severity: 'critical',
-    // Match CREATE TABLE that is NOT followed by ENABLE ROW LEVEL SECURITY in the same migration
-    test: (match, fullContent) => {
-      const tableName = match[1]
-      const rlsPattern = new RegExp(`ALTER\\s+TABLE\\s+(?:public\\.)?${tableName}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'i')
-      return !rlsPattern.test(fullContent)
-    },
-    pattern: /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)\s*\(/gi,
-    message: (match) => `CREATE TABLE "${match[1]}" without ENABLE ROW LEVEL SECURITY in same migration.`,
-    fix: (match) => `ALTER TABLE ${match[1]} ENABLE ROW LEVEL SECURITY;`
-  },
-  {
-    id: 'DROP_POLICY',
-    severity: 'high',
-    pattern: /DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?["']?(\w+)["']?\s+ON\s+(?:public\.)?(\w+)/gi,
-    message: (match) => `DROP POLICY "${match[1]}" on "${match[2]}" — removes security. Ensure a replacement policy exists in the same migration.`,
-    test: (match, fullContent) => {
-      const table = match[2]
-      // OK if there's a CREATE POLICY in the same migration for the same table
-      const createPattern = new RegExp(`CREATE\\s+POLICY.*ON\\s+(?:public\\.)?${table}`, 'i')
-      if (createPattern.test(fullContent)) return false
-      // OK if there's a DO $$ block that references the table (dynamic policy creation)
-      const doBlockPattern = new RegExp(`DO\\s+\\$\\$[\\s\\S]*?['"]${table}['"][\\s\\S]*?\\$\\$`, 'i')
-      if (doBlockPattern.test(fullContent)) return false
-      // OK if DROP POLICY IF EXISTS (safe — only drops if present)
-      const dropIfExists = new RegExp(`DROP\\s+POLICY\\s+IF\\s+EXISTS`, 'i')
-      const matchStr = match[0]
-      if (dropIfExists.test(matchStr)) {
-        // Check if ANY policy creation exists for this table (even dynamic)
-        const anyCreate = new RegExp(`(CREATE\\s+POLICY|EXECUTE\\s+format.*CREATE\\s+POLICY)`, 'i')
-        if (anyCreate.test(fullContent)) return false
-      }
-      return true
-    },
-    fix: (match) => `-- Add replacement policy:\n-- CREATE POLICY "${match[1]}" ON ${match[2]} FOR ALL USING (organization_id = auth_org_id());`
-  },
-  {
-    id: 'GRANT_PUBLIC_ANON',
-    severity: 'critical',
-    pattern: /GRANT\s+(?:ALL|INSERT|UPDATE|DELETE)\s+ON\s+(?:TABLE\s+)?(?:public\.)?(\w+)\s+TO\s+(public|anon)/gi,
-    message: (match) => `GRANT ${match[0].match(/GRANT\s+(\w+)/)[1]} to ${match[2]} on "${match[1]}" — allows unauthenticated access.`,
-    fix: (match) => `-- Remove this GRANT or restrict to authenticated:\n-- GRANT SELECT ON ${match[1]} TO authenticated;`
-  },
-  {
-    id: 'DISABLE_RLS',
-    severity: 'critical',
-    pattern: /ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi,
-    message: (match) => `DISABLE ROW LEVEL SECURITY on "${match[1]}" — removes ALL protection.`,
-    fix: (match) => `-- Do NOT disable RLS. If you need service-level access, use systemDB() in backend code.`
-  },
-  {
-    id: 'POLICY_NO_WITH_CHECK',
-    severity: 'medium',
-    pattern: /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(?:public\.)?(\w+)\s+FOR\s+(INSERT|UPDATE)\s+TO\s+\w+\s+USING\s*\([^)]+\)(?!\s*WITH\s+CHECK)/gi,
-    message: (match) => `Policy "${match[1]}" on "${match[2]}" for ${match[3]} has USING but no WITH CHECK — users could write data they can't read.`,
-    fix: (match) => `-- Add WITH CHECK clause matching the USING clause`
-  },
-  {
-    id: 'USING_TRUE_WRITE',
-    severity: 'critical',
-    pattern: /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(?:public\.)?(\w+)\s+FOR\s+(INSERT|UPDATE|DELETE|ALL)\s+(?:TO\s+\w+\s+)?USING\s*\(\s*true\s*\)/gi,
-    message: (match) => `Policy "${match[1]}" on "${match[2]}" allows ${match[3]} with USING(true) — anyone can write.`,
-    fix: (match) => `-- Replace USING(true) with proper org/user scoping:\n-- USING (organization_id = auth_org_id())`
-  },
-  {
-    id: 'RAW_SERVICE_KEY',
-    severity: 'critical',
-    pattern: /eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_-]{20,}/g,
-    message: () => `Hardcoded JWT/service key found in migration file.`,
-    fix: () => `-- NEVER put keys in migrations. Use environment variables or Vault.`
-  }
-]
-
-// ─── Load whitelist from .tetra-quality.json ───────────────────────
-function loadWhitelist(projectRoot) {
-  const configPath = join(projectRoot, '.tetra-quality.json')
-  if (!existsSync(configPath)) return { securityDefinerWhitelist: [], tables: { noRls: [] } }
-  try {
-    const config = JSON.parse(readFileSync(configPath, 'utf-8'))
-    return {
-      securityDefinerWhitelist: config?.supabase?.securityDefinerWhitelist || [],
-      tables: { noRls: config?.supabase?.backendOnlyTables || [] }
-    }
-  } catch { return { securityDefinerWhitelist: [], tables: { noRls: [] } } }
-}
-
-// ─── Find migration files ──────────────────────────────────────────
-function findMigrations(projectRoot, options) {
-  if (options.file) {
-    const filePath = resolve(options.file)
-    return existsSync(filePath) ? [filePath] : []
-  }
-
-  if (options.staged) {
-    try {
-      const staged = execSync('git diff --cached --name-only --diff-filter=ACM', {
-        cwd: projectRoot, encoding: 'utf-8'
-      })
-      return staged.split('\n')
-        .filter(f => f.endsWith('.sql'))
-        .map(f => join(projectRoot, f))
-        .filter(f => existsSync(f))
-    } catch { return [] }
-  }
-
-  // All migrations
-  const patterns = [
-    'supabase/migrations/**/*.sql',
-    'backend/supabase/migrations/**/*.sql',
-    'migrations/**/*.sql'
-  ]
-  const files = []
-  for (const pattern of patterns) {
-    files.push(...globSync(pattern, { cwd: projectRoot, absolute: true }))
-  }
-  return [...new Set(files)]
-}
-
-// ─── Lint a single file ────────────────────────────────────────────
-function lintFile(filePath, projectRoot, whitelist) {
-  const content = readFileSync(filePath, 'utf-8')
-  const relPath = relative(projectRoot, filePath)
-  const findings = []
-
-  for (const rule of RULES) {
-    // Reset regex lastIndex
-    rule.pattern.lastIndex = 0
-    let match
-    while ((match = rule.pattern.exec(content)) !== null) {
-      // Check whitelist for DEFINER rules
-      if (rule.id === 'DEFINER_DATA_RPC' && whitelist.securityDefinerWhitelist.includes(match[1])) {
-        continue
-      }
-      // Check backendOnlyTables for CREATE_TABLE_NO_RLS
-      if (rule.id === 'CREATE_TABLE_NO_RLS' && whitelist.tables.noRls.includes(match[1])) {
-        continue
-      }
-
-      // Run custom test if exists
-      if (rule.test && !rule.test(match, content)) {
-        continue
-      }
-
-      // Find line number
-      const lineNum = content.substring(0, match.index).split('\n').length
-
-      findings.push({
-        file: relPath,
-        line: lineNum,
-        rule: rule.id,
-        severity: rule.severity,
-        message: rule.message(match),
-        fix: rule.fix ? rule.fix(match) : null
-      })
-    }
-  }
-
-  return findings
-}
-
-// ─── Main ──────────────────────────────────────────────────────────
-program
-  .name('tetra-migration-lint')
-  .description('Lint SQL migrations for security issues before pushing to Supabase')
-  .option('--staged', 'Only lint git-staged .sql files (for pre-commit hook)')
-  .option('--file <path>', 'Lint a specific SQL file')
-  .option('--fix-suggestions', 'Show fix SQL for each violation')
-  .option('--json', 'JSON output for CI')
-  .option('--project <path>', 'Project root (default: cwd)')
-  .parse()
-
-const opts = program.opts()
-const projectRoot = resolve(opts.project || process.cwd())
-const whitelist = loadWhitelist(projectRoot)
-const files = findMigrations(projectRoot, opts)
-
-if (files.length === 0) {
-  if (!opts.json) console.log(chalk.gray('No migration files to lint.'))
-  process.exit(0)
-}
-
-const allFindings = []
-for (const file of files) {
-  allFindings.push(...lintFile(file, projectRoot, whitelist))
-}
-
-// ─── Output ────────────────────────────────────────────────────────
-if (opts.json) {
-  console.log(JSON.stringify({
-    files: files.length,
-    findings: allFindings,
-    critical: allFindings.filter(f => f.severity === 'critical').length,
-    high: allFindings.filter(f => f.severity === 'high').length,
-    medium: allFindings.filter(f => f.severity === 'medium').length,
-    passed: allFindings.filter(f => f.severity === 'critical' || f.severity === 'high').length === 0
-  }, null, 2))
-} else {
-  const critical = allFindings.filter(f => f.severity === 'critical')
-  const high = allFindings.filter(f => f.severity === 'high')
-  const medium = allFindings.filter(f => f.severity === 'medium')
-
-  console.log('')
-  console.log(chalk.bold('  Tetra Migration Lint'))
-  console.log(chalk.gray(`  ${files.length} migration files scanned`))
-  console.log('')
-
-  if (allFindings.length === 0) {
-    console.log(chalk.green('  ✅ All migrations pass security lint'))
-    console.log('')
-    process.exit(0)
-  }
-
-  // Group by file
-  const byFile = {}
-  for (const f of allFindings) {
-    if (!byFile[f.file]) byFile[f.file] = []
-    byFile[f.file].push(f)
-  }
-
-  for (const [file, findings] of Object.entries(byFile)) {
-    console.log(chalk.underline(`  ${file}`))
-    for (const f of findings) {
-      const icon = f.severity === 'critical' ? '🔴' : f.severity === 'high' ? '🟠' : '🟡'
-      const color = f.severity === 'critical' ? chalk.red : f.severity === 'high' ? chalk.yellow : chalk.gray
-      console.log(`    ${icon} ${color(`[${f.severity.toUpperCase()}]`)} Line ${f.line}: ${f.message}`)
-      if (opts.fixSuggestions && f.fix) {
-        console.log(chalk.cyan(`       Fix: ${f.fix}`))
-      }
-    }
-    console.log('')
-  }
-
-  console.log(chalk.bold('  Summary:'))
-  if (critical.length) console.log(chalk.red(`    ${critical.length} CRITICAL`))
-  if (high.length) console.log(chalk.yellow(`    ${high.length} HIGH`))
-  if (medium.length) console.log(chalk.gray(`    ${medium.length} MEDIUM`))
-  console.log('')
-
-  if (critical.length || high.length) {
-    console.log(chalk.red.bold('  ❌ BLOCKED — fix CRITICAL/HIGH issues before pushing migrations'))
-    console.log(chalk.gray('  Run with --fix-suggestions to see fix SQL'))
-    console.log('')
-    process.exit(1)
-  } else {
-    console.log(chalk.yellow('  ⚠️  Warnings found but not blocking'))
-    console.log('')
-    process.exit(0)
-  }
-}

package/bin/tetra-security-gate.js

@@ -1,293 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Tetra Security Gate — AI-powered pre-push security review
- *
- * Detects security-sensitive file changes in the current git diff,
- * submits them to ralph-manager's security gate agent for review,
- * and blocks the push if the agent denies the changes.
- *
- * Usage:
- *   tetra-security-gate                     # Auto-detect ralph-manager URL
- *   tetra-security-gate --url <url>         # Explicit ralph-manager URL
- *   tetra-security-gate --timeout 120       # Custom timeout (seconds)
- *   tetra-security-gate --dry-run           # Show what would be sent, don't block
- *
- * Exit codes:
- *   0 = approved (or no security files changed)
- *   1 = denied (security violation found)
- *   0 = ralph-manager offline (graceful fallback, doesn't block)
- */
-
-import { program } from 'commander'
-import { execSync } from 'child_process'
-import chalk from 'chalk'
-
-// Security-sensitive file patterns
-const SECURITY_PATTERNS = [
-  /supabase\/migrations\/.*\.sql$/i,
-  /\.rls\./i,
-  /rls[-_]?policy/i,
-  /auth[-_]?config/i,
-  /middleware\/auth/i,
-  /middleware\/security/i,
-  /security\.ts$/i,
-  /security\.js$/i,
-  /\.env$/,
-  /\.env\.\w+$/,
-  /doppler\.yaml$/,
-  /auth-config/i,
-  /permissions/i,
-  /checks\/security\//i,
-]
-
-function isSecurityFile(file) {
-  return SECURITY_PATTERNS.some(p => p.test(file))
-}
-
-function getChangedFiles() {
-  try {
-    // Files changed between HEAD and upstream (what's being pushed)
-    const upstream = execSync('git rev-parse --abbrev-ref @{upstream} 2>/dev/null', { encoding: 'utf8' }).trim()
-    if (upstream) {
-      return execSync(`git diff --name-only ${upstream}...HEAD`, { encoding: 'utf8' }).trim().split('\n').filter(Boolean)
-    }
-  } catch {
-    // No upstream — compare against origin/main or origin/master
-  }
-
-  for (const base of ['origin/main', 'origin/master']) {
-    try {
-      return execSync(`git diff --name-only ${base}...HEAD`, { encoding: 'utf8' }).trim().split('\n').filter(Boolean)
-    } catch { /* try next */ }
-  }
-
-  // Fallback: last commit
-  try {
-    return execSync('git diff --name-only HEAD~1', { encoding: 'utf8' }).trim().split('\n').filter(Boolean)
-  } catch {
-    return []
-  }
-}
-
-function getDiff(files) {
-  try {
-    const upstream = execSync('git rev-parse --abbrev-ref @{upstream} 2>/dev/null', { encoding: 'utf8' }).trim()
-    if (upstream) {
-      return execSync(`git diff ${upstream}...HEAD -- ${files.join(' ')}`, { encoding: 'utf8', maxBuffer: 1024 * 1024 })
-    }
-  } catch { /* fallback */ }
-
-  for (const base of ['origin/main', 'origin/master']) {
-    try {
-      return execSync(`git diff ${base}...HEAD -- ${files.join(' ')}`, { encoding: 'utf8', maxBuffer: 1024 * 1024 })
-    } catch { /* try next */ }
-  }
-
-  try {
-    return execSync(`git diff HEAD~1 -- ${files.join(' ')}`, { encoding: 'utf8', maxBuffer: 1024 * 1024 })
-  } catch {
-    return ''
-  }
-}
-
-function getProjectName() {
-  try {
-    const remoteUrl = execSync('git remote get-url origin 2>/dev/null', { encoding: 'utf8' }).trim()
-    const match = remoteUrl.match(/\/([^/]+?)(?:\.git)?$/)
-    if (match) return match[1]
-  } catch { /* fallback */ }
-
-  try {
-    return execSync('basename "$(git rev-parse --show-toplevel)"', { encoding: 'utf8' }).trim()
-  } catch {
-    return 'unknown'
-  }
-}
-
-function getRalphManagerUrl() {
-  // Check .ralph/ports.json first
-  try {
-    const portsJson = execSync('cat .ralph/ports.json 2>/dev/null', { encoding: 'utf8' })
-    const ports = JSON.parse(portsJson)
-    if (ports.api_url) return ports.api_url
-  } catch { /* fallback */ }
-
-  // Check RALPH_MANAGER_API env
-  if (process.env.RALPH_MANAGER_API) return process.env.RALPH_MANAGER_API
-
-  // Default
-  return 'http://localhost:3005'
-}
-
-async function pollForVerdict(baseUrl, gateId, timeoutSeconds) {
-  const deadline = Date.now() + timeoutSeconds * 1000
-  const pollInterval = 3000 // 3 seconds
-
-  while (Date.now() < deadline) {
-    try {
-      const resp = await fetch(`${baseUrl}/api/internal/security-gate/${gateId}`)
-      if (!resp.ok) {
-        console.error(chalk.yellow(`  Poll failed: HTTP ${resp.status}`))
-        break
-      }
-
-      const { data } = await resp.json()
-
-      if (data.status === 'approved') {
-        return { status: 'approved', reason: data.reason, findings: data.findings }
-      }
-      if (data.status === 'denied') {
-        return { status: 'denied', reason: data.reason, findings: data.findings }
-      }
-      if (data.status === 'error') {
-        return { status: 'error', reason: data.reason }
-      }
-
-      // Still pending — wait and retry
-      await new Promise(r => setTimeout(r, pollInterval))
-    } catch {
-      // Network error — ralph-manager might be restarting
-      await new Promise(r => setTimeout(r, pollInterval))
-    }
-  }
-
-  return { status: 'timeout', reason: `No verdict within ${timeoutSeconds}s` }
-}
-
-program
-  .name('tetra-security-gate')
-  .description('AI-powered pre-push security gate — reviews RLS/auth/security changes')
-  .version('1.0.0')
-  .option('--url <url>', 'Ralph Manager URL (default: auto-detect)')
-  .option('--timeout <seconds>', 'Max wait time for agent verdict', '180')
-  .option('--dry-run', 'Show what would be submitted, do not block')
-  .action(async (options) => {
-    try {
-      console.log(chalk.blue.bold('\n  Tetra Security Gate\n'))
-
-      // Step 1: Detect changed files
-      const allFiles = getChangedFiles()
-      const securityFiles = allFiles.filter(isSecurityFile)
-
-      if (securityFiles.length === 0) {
-        console.log(chalk.green('  No security-sensitive files changed — skipping gate.'))
-        console.log(chalk.gray(`  (checked ${allFiles.length} files)\n`))
-        process.exit(0)
-      }
-
-      console.log(chalk.yellow(`  ${securityFiles.length} security-sensitive file(s) detected:`))
-      for (const f of securityFiles) {
-        console.log(chalk.gray(`    - ${f}`))
-      }
-      console.log()
-
-      // Step 2: Get the diff
-      const diff = getDiff(securityFiles)
-      if (!diff.trim()) {
-        console.log(chalk.green('  No actual diff content — skipping gate.\n'))
-        process.exit(0)
-      }
-
-      const project = getProjectName()
-
-      if (options.dryRun) {
-        console.log(chalk.cyan('  [DRY RUN] Would submit to security gate:'))
-        console.log(chalk.gray(`    Project: ${project}`))
-        console.log(chalk.gray(`    Files: ${securityFiles.length}`))
-        console.log(chalk.gray(`    Diff size: ${diff.length} chars`))
-        console.log()
-        process.exit(0)
-      }
-
-      // Step 3: Submit to ralph-manager
-      const baseUrl = options.url || getRalphManagerUrl()
-      const timeout = parseInt(options.timeout, 10)
-
-      console.log(chalk.gray(`  Submitting to ${baseUrl}...`))
-
-      let gateId
-      try {
-        const resp = await fetch(`${baseUrl}/api/internal/security-gate`, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ project, files_changed: securityFiles, diff }),
-          signal: AbortSignal.timeout(10_000),
-        })
-
-        if (!resp.ok) {
-          const body = await resp.text()
-          console.error(chalk.yellow(`  Ralph Manager returned ${resp.status}: ${body}`))
-          console.log(chalk.yellow('  Falling back to PASS (ralph-manager error).\n'))
-          process.exit(0)
-        }
-
-        const { data } = await resp.json()
-        gateId = data.id
-
-        // If already resolved (e.g. fallback auto-approve)
-        if (data.status === 'approved') {
-          console.log(chalk.green(`  ${chalk.bold('APPROVED')} (immediate): ${data.reason || 'OK'}\n`))
-          process.exit(0)
-        }
-        if (data.status === 'denied') {
-          console.error(chalk.red.bold(`\n  PUSH BLOCKED — Security Gate DENIED\n`))
-          console.error(chalk.red(`  Reason: ${data.reason}\n`))
-          process.exit(1)
-        }
-      } catch (err) {
-        // Ralph-manager offline — don't block the push
-        console.log(chalk.yellow(`  Cannot reach ralph-manager at ${baseUrl}`))
-        console.log(chalk.yellow('  Falling back to PASS (offline fallback).\n'))
-        process.exit(0)
-      }
-
-      // Step 4: Poll for verdict
-      console.log(chalk.gray(`  Agent reviewing... (timeout: ${timeout}s)`))
-      const result = await pollForVerdict(baseUrl, gateId, timeout)
-
-      if (result.status === 'approved') {
-        console.log(chalk.green.bold(`\n  APPROVED: ${result.reason || 'No issues found'}`))
-        if (result.findings?.length) {
-          for (const f of result.findings) {
-            console.log(chalk.yellow(`    ⚠ ${f}`))
-          }
-        }
-        console.log()
-        process.exit(0)
-      }
-
-      if (result.status === 'denied') {
-        console.error(chalk.red.bold(`\n  ════════════════════════════════════════════════════════════`))
-        console.error(chalk.red.bold(`  PUSH BLOCKED — Security Gate DENIED`))
-        console.error(chalk.red.bold(`  ════════════════════════════════════════════════════════════`))
-        console.error(chalk.red(`\n  Reason: ${result.reason}`))
-        if (result.findings?.length) {
-          console.error(chalk.red(`\n  Findings:`))
-          for (const f of result.findings) {
-            console.error(chalk.red(`    - ${f}`))
-          }
-        }
-        console.error(chalk.yellow(`\n  Fix the issues and try again.\n`))
-        process.exit(1)
-      }
-
-      if (result.status === 'timeout') {
-        console.log(chalk.yellow(`  Agent did not respond within ${timeout}s.`))
-        console.log(chalk.yellow('  Falling back to PASS (timeout fallback).\n'))
-        process.exit(0)
-      }
-
-      // Unknown status — don't block
-      console.log(chalk.yellow(`  Unexpected verdict status: ${result.status}`))
-      console.log(chalk.yellow('  Falling back to PASS.\n'))
-      process.exit(0)
-
-    } catch (err) {
-      console.error(chalk.red(`\n  ERROR: ${err.message}\n`))
-      // Never block on internal errors
-      process.exit(0)
-    }
-  })
-
-program.parse()