@sugar-crash-studios/vibe-forge 0.4.0

package/bin/lib/database.sh

@@ -0,0 +1,310 @@
+#!/usr/bin/env bash
+#
+# Vibe Forge - SQLite Database Operations
+# Handles daemon state persistence and agent status aggregation
+#
+
+# Database file location (set after FORGE_ROOT is known)
+FORGE_DB=""
+
+# =============================================================================
+# Security Functions
+# =============================================================================
+
+# Escape a string for safe use in SQLite queries
+# Escapes single quotes by doubling them (SQL standard)
+# Also removes null bytes and other dangerous characters
+db_escape() {
+    local input="$1"
+    # Remove null bytes
+    input="${input//$'\0'/}"
+    # Escape single quotes by doubling them
+    input="${input//\'/\'\'}"
+    # Remove backslashes that could escape quotes
+    input="${input//\\/}"
+    echo "$input"
+}
+
+# Validate that input contains only safe characters for identifiers
+# Returns 0 if safe, 1 if unsafe
+db_validate_identifier() {
+    local input="$1"
+    # Allow only alphanumeric, underscore, hyphen
+    if [[ "$input" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+        return 0
+    fi
+    return 1
+}
+
+# =============================================================================
+# Database Initialization
+# =============================================================================
+
+# Require FORGE_DB to be set before database operations
+# Call this at the start of database functions that need the path
+# Usage: db_require_init || return 1
+db_require_init() {
+    if [[ -z "$FORGE_DB" ]]; then
+        echo "Error: FORGE_DB not set. Set FORGE_DB path before calling database functions." >&2
+        return 1
+    fi
+    return 0
+}
+
+# Initialize the database with schema
+# Requires: FORGE_DB must be set before calling
+db_init() {
+    db_require_init || return 1
+    local db_dir
+    db_dir=$(dirname "$FORGE_DB")
+
+    # Create directory if needed
+    mkdir -p "$db_dir"
+    chmod 700 "$db_dir"
+
+    # Enable WAL mode for concurrent reads without blocking writes.
+    # WAL + NORMAL synchronous is the recommended pairing for local tooling:
+    # faster than DELETE+FULL while still durable against OS crashes.
+    sqlite3 "$FORGE_DB" "PRAGMA journal_mode=WAL; PRAGMA synchronous=NORMAL;"
+
+    # Create tables if they don't exist
+    sqlite3 "$FORGE_DB" <<'SQL'
+-- Daemon configuration (single row)
+CREATE TABLE IF NOT EXISTS daemon_config (
+    id INTEGER PRIMARY KEY CHECK (id = 1),
+    state TEXT DEFAULT 'idle',
+    poll_interval_ms INTEGER DEFAULT 5000,
+    last_activity_at TEXT,
+    updated_at TEXT DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Polling presets
+CREATE TABLE IF NOT EXISTS poll_presets (
+    state TEXT PRIMARY KEY,
+    interval_ms INTEGER NOT NULL
+);
+
+-- Insert default presets if not exist
+INSERT OR IGNORE INTO poll_presets (state, interval_ms) VALUES
+    ('active', 5000),
+    ('idle', 30000),
+    ('stopped', 60000);
+
+-- Initialize daemon_config if empty
+INSERT OR IGNORE INTO daemon_config (id, state, poll_interval_ms)
+VALUES (1, 'idle', 30000);
+
+-- Agent status (aggregated from JSON files)
+CREATE TABLE IF NOT EXISTS agent_status (
+    agent TEXT PRIMARY KEY,
+    status TEXT DEFAULT 'unknown',
+    task TEXT,
+    message TEXT,
+    updated_at TEXT,
+    file_mtime INTEGER DEFAULT 0
+);
+
+-- Status history for metrics (optional, pruned periodically)
+CREATE TABLE IF NOT EXISTS status_history (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    agent TEXT NOT NULL,
+    status TEXT NOT NULL,
+    task TEXT,
+    recorded_at TEXT DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Index for history queries
+CREATE INDEX IF NOT EXISTS idx_history_agent ON status_history(agent);
+CREATE INDEX IF NOT EXISTS idx_history_recorded ON status_history(recorded_at);
+SQL
+
+    # Set secure permissions on database file
+    chmod 600 "$FORGE_DB" 2>/dev/null || true
+}
+
+# =============================================================================
+# Daemon State Operations
+# =============================================================================
+
+# Get current daemon state (active/idle/stopped)
+db_get_daemon_state() {
+    db_require_init || return 1
+    sqlite3 "$FORGE_DB" "SELECT state FROM daemon_config WHERE id = 1;"
+}
+
+# Set daemon state and update poll interval accordingly
+db_set_daemon_state() {
+    db_require_init || return 1
+    local new_state="$1"
+    local interval
+
+    # SECURITY: Validate state is a known value
+    case "$new_state" in
+        active|idle|stopped) ;;
+        *)
+            echo "Invalid daemon state: $new_state" >&2
+            return 1
+            ;;
+    esac
+
+    # Get interval for this state from presets (safe - validated above)
+    interval=$(sqlite3 "$FORGE_DB" "SELECT interval_ms FROM poll_presets WHERE state = '$new_state';")
+    interval="${interval:-30000}"
+
+    sqlite3 "$FORGE_DB" <<SQL
+UPDATE daemon_config
+SET state = '$new_state',
+    poll_interval_ms = $interval,
+    updated_at = datetime('now')
+WHERE id = 1;
+SQL
+}
+
+# Get current poll interval in milliseconds
+db_get_poll_interval_ms() {
+    sqlite3 "$FORGE_DB" "SELECT poll_interval_ms FROM daemon_config WHERE id = 1;"
+}
+
+# Update last activity timestamp
+db_touch_activity() {
+    sqlite3 "$FORGE_DB" <<SQL
+UPDATE daemon_config
+SET last_activity_at = datetime('now'),
+    updated_at = datetime('now')
+WHERE id = 1;
+SQL
+}
+
+# =============================================================================
+# Agent Status Operations
+# =============================================================================
+
+# Upsert agent status (from JSON file data)
+db_upsert_agent_status() {
+    db_require_init || return 1
+    local agent="$1"
+    local status="$2"
+    local task="$3"
+    local message="$4"
+    local updated_at="$5"
+    local file_mtime="$6"
+
+    # SECURITY: Escape all string inputs to prevent SQL injection
+    agent=$(db_escape "$agent")
+    status=$(db_escape "$status")
+    task=$(db_escape "$task")
+    message=$(db_escape "$message")
+    updated_at=$(db_escape "$updated_at")
+
+    # Validate file_mtime is numeric
+    if ! [[ "$file_mtime" =~ ^[0-9]+$ ]]; then
+        file_mtime=0
+    fi
+
+    sqlite3 "$FORGE_DB" <<SQL
+INSERT INTO agent_status (agent, status, task, message, updated_at, file_mtime)
+VALUES ('$agent', '$status', '$task', '$message', '$updated_at', $file_mtime)
+ON CONFLICT(agent) DO UPDATE SET
+    status = excluded.status,
+    task = excluded.task,
+    message = excluded.message,
+    updated_at = excluded.updated_at,
+    file_mtime = excluded.file_mtime;
+SQL
+}
+
+# Get stored mtime for an agent's status file
+db_get_agent_mtime() {
+    local agent="$1"
+    # SECURITY: Escape agent name to prevent SQL injection
+    agent=$(db_escape "$agent")
+    sqlite3 "$FORGE_DB" "SELECT file_mtime FROM agent_status WHERE agent = '$agent';" 2>/dev/null || echo "0"
+}
+
+# Get all agent statuses
+db_get_all_agent_statuses() {
+    sqlite3 -separator '|' "$FORGE_DB" <<SQL
+SELECT agent, status, task, message, updated_at
+FROM agent_status
+ORDER BY agent;
+SQL
+}
+
+# Get agents with specific status
+db_get_agents_by_status() {
+    local status="$1"
+    # SECURITY: Escape status to prevent SQL injection
+    status=$(db_escape "$status")
+    sqlite3 "$FORGE_DB" "SELECT agent FROM agent_status WHERE status = '$status';"
+}
+
+# Count active workers (status = 'working')
+db_count_active_workers() {
+    sqlite3 "$FORGE_DB" "SELECT COUNT(*) FROM agent_status WHERE status = 'working';"
+}
+
+# Delete stale agent status entries
+db_cleanup_stale_agents() {
+    local minutes="${1:-30}"
+    # SECURITY: Validate minutes is numeric to prevent SQL injection
+    if ! [[ "$minutes" =~ ^[0-9]+$ ]]; then
+        minutes=30
+    fi
+    sqlite3 "$FORGE_DB" <<SQL
+DELETE FROM agent_status
+WHERE updated_at < datetime('now', '-$minutes minutes');
+SQL
+}
+
+# =============================================================================
+# History Operations (for future metrics)
+# =============================================================================
+
+# Record status change in history
+db_record_status_history() {
+    local agent="$1"
+    local status="$2"
+    local task="$3"
+
+    # SECURITY: Escape all inputs to prevent SQL injection
+    agent=$(db_escape "$agent")
+    status=$(db_escape "$status")
+    task=$(db_escape "$task")
+
+    sqlite3 "$FORGE_DB" <<SQL
+INSERT INTO status_history (agent, status, task)
+VALUES ('$agent', '$status', '$task');
+SQL
+}
+
+# Prune old history entries (keep last N days)
+db_prune_history() {
+    local days="${1:-7}"
+    # SECURITY: Validate days is numeric to prevent SQL injection
+    if ! [[ "$days" =~ ^[0-9]+$ ]]; then
+        days=7
+    fi
+    sqlite3 "$FORGE_DB" <<SQL
+DELETE FROM status_history
+WHERE recorded_at < datetime('now', '-$days days');
+SQL
+}
+
+# =============================================================================
+# Utility Functions
+# =============================================================================
+
+# Check if database exists and is valid
+db_exists() {
+    [[ -n "$FORGE_DB" ]] && [[ -f "$FORGE_DB" ]] && sqlite3 "$FORGE_DB" "SELECT 1 FROM daemon_config LIMIT 1;" &>/dev/null
+}
+
+# Get database stats for debugging
+db_stats() {
+    db_require_init || return 1
+    echo "Database: $FORGE_DB"
+    echo "Agent count: $(sqlite3 "$FORGE_DB" "SELECT COUNT(*) FROM agent_status;")"
+    echo "History entries: $(sqlite3 "$FORGE_DB" "SELECT COUNT(*) FROM status_history;")"
+    echo "Current state: $(db_get_daemon_state)"
+    echo "Poll interval: $(db_get_poll_interval_ms)ms"
+}

package/bin/lib/heimdall-setup.js

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+/**
+ * Heimdall Setup -- writes .claude/settings.local.json into a worker's
+ * working directory to register Heimdall as a PreToolUse hook.
+ *
+ * Called by the forge daemon at inbox-write time, before the worker
+ * picks up a lab task.
+ *
+ * Uses a merge strategy: if settings.local.json already exists, the
+ * Heimdall hooks are merged into the existing PreToolUse array rather
+ * than overwriting the file.
+ */
+
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+// Absolute path to heimdall.js -- resolvable from any working directory
+const HEIMDALL_PATH = path.resolve(__dirname, 'heimdall.js').replace(/\\/g, '/')
+
+const HEIMDALL_HOOKS = ['Bash', 'Write', 'Edit'].map(matcher => ({
+  matcher,
+  hooks: [{ type: 'command', command: `node "${HEIMDALL_PATH}"` }],
+}))
+
+/**
+ * writeHeimdallHooks(worktreePath)
+ *
+ * Writes or merges Heimdall PreToolUse hooks into:
+ *   <worktreePath>/.claude/settings.local.json
+ *
+ * Safe to call multiple times -- idempotent.
+ *
+ * @param {string} worktreePath  Absolute path to the worker's worktree root
+ */
+function writeHeimdallHooks(worktreePath) {
+  const claudeDir = path.join(worktreePath, '.claude')
+  const settingsPath = path.join(claudeDir, 'settings.local.json')
+
+  // Ensure .claude/ exists
+  if (!fs.existsSync(claudeDir)) {
+    fs.mkdirSync(claudeDir, { recursive: true })
+  }
+
+  // Read existing settings if present
+  let existing = {}
+  if (fs.existsSync(settingsPath)) {
+    try {
+      existing = JSON.parse(fs.readFileSync(settingsPath, 'utf8'))
+    } catch (_) {
+      // Corrupt file -- start fresh
+      existing = {}
+    }
+  }
+
+  // Ensure hooks structure exists
+  if (!existing.hooks) existing.hooks = {}
+  if (!existing.hooks.PreToolUse) existing.hooks.PreToolUse = []
+
+  // Merge: add Heimdall hook entries for matchers not already registered
+  const existingMatchers = new Set(
+    existing.hooks.PreToolUse.map(h => h.matcher)
+  )
+
+  for (const heimdallHook of HEIMDALL_HOOKS) {
+    if (!existingMatchers.has(heimdallHook.matcher)) {
+      existing.hooks.PreToolUse.push(heimdallHook)
+    }
+  }
+
+  fs.writeFileSync(settingsPath, JSON.stringify(existing, null, 2) + '\n')
+}
+
+/**
+ * writeContextFile(worktreePath, context)
+ *
+ * Writes the Heimdall context file to the worktree root so Heimdall
+ * can read per-task policy on every invocation.
+ *
+ * @param {string} worktreePath  Absolute path to the worker's worktree root
+ * @param {object} context       Context object matching the schema below
+ *
+ * Context schema:
+ * {
+ *   story_id:       string   -- lab story ID (e.g. "FORGE-3")
+ *   agent:          string   -- worker name (e.g. "anvil")
+ *   worktree_path:  string   -- absolute path to worktree (same as worktreePath)
+ *   assigned_branch: string  -- git branch for this story
+ *   handoff_dir:    string   -- absolute path to _vibe-chain-output/handoffs/
+ *   escalation_dir: string   -- absolute path to worker-inbox/<agent>/ dir
+ *   audit_log:      string   -- absolute path to heimdall-audit.log
+ *   has_db_migration: boolean
+ *   has_api_changes:  boolean
+ *   allowed_paths:  string[] -- absolute paths the worker may read/write
+ * }
+ */
+function writeContextFile(worktreePath, context) {
+  const contextPath = path.join(worktreePath, '.context.json')
+  fs.writeFileSync(contextPath, JSON.stringify(context, null, 2) + '\n')
+}
+
+/**
+ * setup(worktreePath, context)
+ *
+ * Convenience function: writes both hooks and context file in one call.
+ */
+function setup(worktreePath, context) {
+  writeHeimdallHooks(worktreePath)
+  writeContextFile(worktreePath, context)
+}
+
+module.exports = { setup, writeHeimdallHooks, writeContextFile, HEIMDALL_PATH }

package/bin/lib/heimdall.js

@@ -0,0 +1,265 @@
+#!/usr/bin/env node
+/**
+ * Heimdall -- Forge worker pre-tool hook interceptor (PLAT-1)
+ *
+ * Guards the Bifrost: intercepts every tool call before execution,
+ * checks it against per-task policy, and blocks or allows.
+ *
+ * Registered as a PreToolUse hook via .claude/settings.local.json
+ * written by the forge daemon at worker startup.
+ *
+ * Exit codes:
+ *   0 -- allow (optionally with audit log entry)
+ *   2 -- block (explanation written to stdout, fed back to model)
+ *
+ * Context file (.context.json in process.cwd()) is written by the forge
+ * daemon alongside each inbox task. If absent, Heimdall exits 0 immediately
+ * -- forge-native tasks are not restricted.
+ */
+
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+// ── Input ─────────────────────────────────────────────────────────────────────
+
+let input
+try {
+  input = JSON.parse(fs.readFileSync(0, 'utf8'))
+} catch (e) {
+  // Malformed input -- allow and exit rather than blocking the worker
+  process.exit(0)
+}
+
+const { tool_name, tool_input } = input
+
+// ── Context file ──────────────────────────────────────────────────────────────
+
+const contextPath = path.join(process.cwd(), '.context.json')
+
+// No context file = forge-native task. Heimdall does not restrict forge-native work.
+if (!fs.existsSync(contextPath)) {
+  process.exit(0)
+}
+
+let ctx
+try {
+  ctx = JSON.parse(fs.readFileSync(contextPath, 'utf8'))
+} catch (e) {
+  // Unreadable context -- fail open to avoid blocking forge-native work
+  process.exit(0)
+}
+
+const {
+  story_id,
+  agent,
+  worktree_path,
+  has_db_migration,
+  allowed_paths,
+  escalation_dir,
+  audit_log: ctxAuditLog,
+} = ctx
+
+// ── Logging ───────────────────────────────────────────────────────────────────
+
+const AUDIT_LOG = ctxAuditLog
+  || path.join(process.cwd(), '_vibe-chain-output', 'heimdall-audit.log')
+
+const MAX_VIOLATIONS = parseInt(process.env.HEIMDALL_MAX_VIOLATIONS || '3', 10)
+
+// Violation tracking lives in the worktree root (process.cwd())
+const VIOLATION_FILE = path.join(process.cwd(), `.${story_id}.violations`)
+
+// Escalation signal written to the inbox agent dir so the daemon detects it
+const ESCALATION_DIR = escalation_dir || process.cwd()
+
+function timestamp() {
+  return new Date().toISOString()
+}
+
+function audit(level, message) {
+  const line = `[${timestamp()}] HEIMDALL ${level} ${agent}/${story_id}: ${message}\n`
+  try {
+    const dir = path.dirname(AUDIT_LOG)
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
+    fs.appendFileSync(AUDIT_LOG, line)
+  } catch (_) {
+    // Audit log write failure must never block or crash the hook
+  }
+}
+
+function block(reason) {
+  audit('BLOCKED', reason)
+
+  // Track violations
+  let violations = 0
+  try {
+    if (fs.existsSync(VIOLATION_FILE)) {
+      violations = parseInt(fs.readFileSync(VIOLATION_FILE, 'utf8').trim(), 10) || 0
+    }
+  } catch (_) {}
+
+  violations++
+
+  try {
+    fs.writeFileSync(VIOLATION_FILE, String(violations))
+  } catch (_) {}
+
+  if (violations >= MAX_VIOLATIONS) {
+    // Sound the Gjallarhorn
+    const escalationFile = path.join(ESCALATION_DIR, `${story_id}.escalation`)
+    try {
+      fs.writeFileSync(escalationFile, JSON.stringify({
+        story_id,
+        agent,
+        violations,
+        last_reason: reason,
+        timestamp: timestamp(),
+      }, null, 2))
+    } catch (_) {}
+
+    audit('SOUNDED', `${violations} violations -- escalating to human review`)
+
+    console.log(
+      `[HEIMDALL] Action blocked: ${reason}\n` +
+      `[HEIMDALL] GJALLARHORN SOUNDED: ${violations} violations recorded.\n` +
+      `[HEIMDALL] Story ${story_id} has been escalated to human review. Stop working on this story.`
+    )
+  } else {
+    console.log(
+      `[HEIMDALL] Action blocked: ${reason}\n` +
+      `[HEIMDALL] Violation ${violations}/${MAX_VIOLATIONS}. Self-correct and continue.`
+    )
+  }
+
+  process.exit(2)
+}
+
+function allow(note) {
+  if (note) audit('ALLOWED', note)
+  process.exit(0)
+}
+
+// ── Path helpers ──────────────────────────────────────────────────────────────
+
+function isOutsideAllowedPaths(targetPath) {
+  if (!targetPath) return false
+  try {
+    const resolved = path.resolve(targetPath)
+    return !allowed_paths.some(p => resolved.startsWith(path.resolve(p)))
+  } catch (_) {
+    return true // Unresolvable path -- treat as outside
+  }
+}
+
+// ── Bash tool checks ──────────────────────────────────────────────────────────
+
+if (tool_name === 'Bash') {
+  const cmd = (tool_input && tool_input.command || '').trim()
+
+  // Destructive rm -- check if target escapes worktree
+  if (/rm\s+-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r/.test(cmd) && /\brm\b/.test(cmd)) {
+    // Extract everything after the flags as the target
+    const rmMatch = cmd.match(/rm\s+(?:-\S+\s+)(.+)/)
+    const rmTarget = rmMatch ? rmMatch[1].trim().replace(/^['"]|['"]$/g, '') : ''
+
+    const isRootTarget = /^(\/|~)/.test(rmTarget) || rmTarget === '' || rmTarget.includes('..')
+    const isOutside = !rmTarget || isRootTarget || isOutsideAllowedPaths(rmTarget)
+
+    if (isOutside) {
+      block(`destructive rm outside worktree: ${cmd}`)
+    }
+  }
+
+  // Credential access
+  if (/\.(env|pem|key|cert)\b/.test(cmd) && !/\.env\.(example|sample|template)/.test(cmd)) {
+    block(`credential file access: ${cmd}`)
+  }
+  if (/~\/\.(ssh|aws|gnupg)\b/.test(cmd)) {
+    block(`credential directory access: ${cmd}`)
+  }
+  // Echoing or exporting secrets (but not reading them as part of build)
+  if (/(echo|printf|export)\s+.*\b(TOKEN|SECRET|PASSWORD|API_KEY)\s*=/.test(cmd)) {
+    block(`credential assignment in shell: ${cmd}`)
+  }
+
+  // Dangerous git operations
+  if (/git\s+push\b.*--force(-with-lease)?/.test(cmd)) {
+    block(`force push blocked: ${cmd}`)
+  }
+  if (/git\s+reset\s+--hard\s+HEAD~[2-9]/.test(cmd)) {
+    block(`multi-commit hard reset blocked: ${cmd}`)
+  }
+  if (/git\s+clean\s+-[a-zA-Z]*f[a-zA-Z]*d|-[a-zA-Z]*d[a-zA-Z]*f/.test(cmd) && /\bgit\b/.test(cmd)) {
+    block(`git clean -fd blocked: ${cmd}`)
+  }
+  // Push to a non-origin remote (e.g. git push upstream)
+  if (/git\s+push\s+(?!origin\b)(\S+)/.test(cmd)) {
+    const remoteMatch = cmd.match(/git\s+push\s+(\S+)/)
+    if (remoteMatch && remoteMatch[1] !== 'origin' && !remoteMatch[1].startsWith('-')) {
+      block(`push to non-origin remote blocked: ${cmd}`)
+    }
+  }
+  // Direct push to main/master — all changes must go through PRs
+  if (/git\s+push\b/.test(cmd) && /\b(main|master)\b/.test(cmd)) {
+    block(`direct push to main/master blocked — create a feature branch and open a PR`)
+  }
+
+  // DB destructive operations without authorization
+  if (/(DROP\s+TABLE|TRUNCATE\s+TABLE)/i.test(cmd) && !has_db_migration) {
+    block(`DROP/TRUNCATE requires has_db_migration: true on the story`)
+  }
+  if (/DELETE\s+FROM\s+\S+\s*;?\s*$/i.test(cmd) && !/WHERE\s+/i.test(cmd)) {
+    block(`DELETE without WHERE clause blocked: ${cmd}`)
+  }
+
+  // High-risk but legitimate -- audit log only
+  if (/\b(npm|yarn|pnpm)\s+(install|add|ci)\b/.test(cmd)) {
+    allow(`dependency install: ${cmd}`)
+  }
+  if (/\b(pip|pip3)\s+install\b/.test(cmd)) {
+    allow(`pip install: ${cmd}`)
+  }
+  if (/\bcargo\s+(build|install)\b/.test(cmd)) {
+    allow(`cargo build: ${cmd}`)
+  }
+  if (/\b(curl|wget)\b/.test(cmd)) {
+    allow(`network request: ${cmd}`)
+  }
+  if (/git\s+commit\s+--amend/.test(cmd)) {
+    allow(`git commit --amend`)
+  }
+}
+
+// ── Write / Edit tool checks ──────────────────────────────────────────────────
+
+if (tool_name === 'Write' || tool_name === 'Edit') {
+  const filePath = tool_input && (tool_input.file_path || tool_input.path) || ''
+
+  if (filePath) {
+    // Credential files
+    if (/\.(env|pem|key|cert)$/.test(filePath) && !/\.(example|sample|template)$/.test(filePath)) {
+      block(`write to credential file: ${filePath}`)
+    }
+
+    // Settings that could override Heimdall
+    if (/\.claude[/\\]settings(\.local)?\.json$/.test(filePath)) {
+      block(`write to .claude/settings blocked -- Heimdall config is daemon-managed`)
+    }
+
+    // Path escape check
+    if (isOutsideAllowedPaths(filePath)) {
+      block(`path escape: ${filePath} is outside allowed paths`)
+    }
+
+    // Pipeline output writes -- allowed but logged
+    if (filePath.includes('_vibe-chain-output')) {
+      allow(`pipeline output write: ${filePath}`)
+    }
+  }
+}
+
+// ── Default: allow ────────────────────────────────────────────────────────────
+
+allow(null)