@vibecheckai/cli 3.2.6 → 3.4.0

package/mcp-server/tools-v3.js

@@ -1,28 +1,14 @@
 /**
- * vibecheck MCP Tools v3 - Consolidated 10 Tools
+ * vibecheck MCP Tools v3 - Consolidated Tools
  * 
- * ALL tools require STARTER tier or above.
- * No free MCP tools - this is a premium feature.
+ * Simple 2-tier model:
+ * - FREE ($0): Inspect & Observe (10 tools)
+ * - PRO ($69/mo): Fix, Prove & Enforce (18 tools)
  * 
- * 10 TOOLS (STARTER+):
- * 
- * CORE (4):
- *   1. vibecheck.ship       - Get ship verdict with evidence
- *   2. vibecheck.scan       - Deep scan for issues  
- *   3. vibecheck.fix        - Generate/apply fixes
- *   4. vibecheck.prove      - Full proof loop (PRO)
- * 
- * TRUTH (3):
- *   5. vibecheck.truthpack  - Get ground truth (routes, env, auth, billing)
- *   6. vibecheck.validate   - Validate a claim with evidence
- *   7. vibecheck.search     - Search codebase with evidence
- * 
- * OUTPUT (2):
- *   8. vibecheck.report     - Generate reports (HTML, SARIF, etc.)
- *   9. vibecheck.allowlist  - Manage false positive allowlist
- * 
- * UTILITY (1):
- *   10. vibecheck.status    - Health check and status
+ * PRO includes:
+ * - Authority System (verdicts, approvals)
+ * - Agent Conductor (multi-agent coordination)
+ * - Agent Firewall (enforce mode)
  */
 
 import fs from 'fs/promises';
@@ -30,388 +16,503 @@ import path from 'path';
 import { execSync } from 'child_process';
 
 // =============================================================================
-// TIER ENFORCEMENT
+// TIER SYSTEM
 // =============================================================================
 
 const TOOL_TIERS = {
-  'vibecheck.ship': 'starter',
-  'vibecheck.scan': 'starter',
-  'vibecheck.fix': 'starter',
+  // FREE - Inspect & Observe
+  'vibecheck.scan': 'free',
+  'vibecheck.ctx': 'free',
+  'vibecheck.verify': 'free',
+  'vibecheck.report': 'free',
+  'vibecheck.status': 'free',
+  'vibecheck.doctor': 'free',
+  'vibecheck.firewall': 'free',         // Observe mode
+  'authority.list': 'free',
+  'authority.classify': 'free',
+  'vibecheck_conductor_status': 'free',
+  
+  // PRO - Fix, Prove & Enforce
+  'vibecheck.ship': 'pro',
+  'vibecheck.fix': 'pro',
   'vibecheck.prove': 'pro',
-  'vibecheck.truthpack': 'starter',
-  'vibecheck.validate': 'starter',
-  'vibecheck.search': 'starter',
-  'vibecheck.report': 'starter',
-  'vibecheck.allowlist': 'starter',
-  'vibecheck.status': 'starter',
+  'vibecheck.gate': 'pro',
+  'vibecheck.badge': 'pro',
+  'vibecheck.reality': 'pro',
+  'vibecheck.ai_test': 'pro',
+  'vibecheck.share': 'pro',
+  // Authority (full)
+  'authority.approve': 'pro',
+  // Conductor (full)
+  'vibecheck_conductor_register': 'pro',
+  'vibecheck_conductor_acquire_lock': 'pro',
+  'vibecheck_conductor_release_lock': 'pro',
+  'vibecheck_conductor_propose': 'pro',
+  'vibecheck_conductor_terminate': 'pro',
+  // Firewall (enforce)
+  'vibecheck_agent_firewall_intercept': 'pro',
 };
 
+function isPro(tier) {
+  return tier === 'pro';
+}
+
 function checkTierAccess(toolName, userTier) {
-  const requiredTier = TOOL_TIERS[toolName] || 'starter';
-  const tierOrder = { free: 0, starter: 1, pro: 2, compliance: 3 };
-  
-  const userLevel = tierOrder[userTier] || 0;
-  const requiredLevel = tierOrder[requiredTier] || 1;
+  const required = TOOL_TIERS[toolName] || 'pro';
   
-  if (userLevel < requiredLevel) {
-    return {
-      allowed: false,
-      error: `🔒 ${toolName} requires ${requiredTier.toUpperCase()} tier. You have: ${userTier.toUpperCase()}. Upgrade at vibecheck.dev/pricing`
-    };
-  }
+  if (required === 'free') return { allowed: true };
+  if (isPro(userTier)) return { allowed: true };
   
-  return { allowed: true };
+  return {
+    allowed: false,
+    error: `This tool requires Pro ($69/mo).\n\n${toolName} is a Pro feature.\n\nUpgrade at https://vibecheckai.dev/pricing`
+  };
 }
 
 // =============================================================================
-// TOOL DEFINITIONS (10 tools)
+// TOOL DEFINITIONS
 // =============================================================================
 
 export const MCP_TOOLS_V3 = [
   // ═══════════════════════════════════════════════════════════════════════════
-  // CORE TOOLS (4)
+  // FREE TOOLS - Inspect & Observe
   // ═══════════════════════════════════════════════════════════════════════════
   
   {
-    name: "vibecheck.ship",
-    description: `🚀 Get ship verdict: SHIP | WARN | BLOCK
-
-Returns a verdict with evidence-backed findings. Use this to check if code is ready to ship.
+    name: "vibecheck.scan",
+    description: `🔍 Scan codebase for issues
 
-Returns:
-- verdict: SHIP (ready) | WARN (review) | BLOCK (must fix)
-- score: 0-100 confidence score
-- findings: Issues found with file/line evidence
-- aiHallucinationScore: Risk of AI-generated issues
+Scans for:
+- Missing routes (client refs to non-existent endpoints)
+- Env gaps (used but undeclared env vars)
+- Ghost auth (unprotected sensitive endpoints)
+- Dead UI (buttons that do nothing)
+- Security issues
 
-[STARTER tier required]`,
+[FREE]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path (default: current directory)",
-        },
-        strict: {
-          type: "boolean",
-          description: "Treat warnings as blockers",
-          default: false,
+        projectPath: { type: "string", description: "Project path" },
+        categories: {
+          type: "array",
+          items: { type: "string" },
+          description: "Categories: routes, env, auth, billing, security",
         },
       },
     },
   },
 
   {
-    name: "vibecheck.scan",
-    description: `🔍 Deep scan for ship-killers
+    name: "vibecheck.ctx",
+    description: `📦 Generate truth context for AI agents
 
-Scans code for:
-- Missing routes (client refs to non-existent endpoints)
-- Env gaps (used but undeclared env vars)
-- Fake success (success UI without verification)
-- Ghost auth (unprotected sensitive endpoints)
-- Dead UI (buttons that do nothing)
+Returns verified facts about:
+- routes: Server routes and client references
+- env: Environment variables (used, declared, gaps)
+- auth: Authentication model and protected routes
+- billing: Payment gates and enforcement
 
-[STARTER tier required]`,
+Use this BEFORE making assertions about the codebase.
+
+[FREE]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
+        projectPath: { type: "string", description: "Project path" },
+        scope: {
           type: "string",
-          description: "Project path",
-        },
-        categories: {
-          type: "array",
-          items: { type: "string" },
-          description: "Categories to scan: routes, env, auth, billing, security",
+          enum: ["all", "routes", "env", "auth", "billing"],
+          description: "What to include",
+          default: "all",
         },
       },
     },
   },
 
   {
-    name: "vibecheck.fix",
-    description: `🔧 Generate or apply fixes for findings
+    name: "vibecheck.verify",
+    description: `✅ Verify AI-generated code before applying
 
-Modes:
-- plan: Generate fix plan with AI missions (default)
-- apply: Apply patches automatically (PRO)
-- loop: Fix → verify → fix until SHIP (PRO)
+Checks for:
+- Secrets in code
+- Dangerous commands
+- Path traversal
+- Incomplete stubs
+- Hallucinated imports
 
-[STARTER: plan mode | PRO: apply/loop modes]`,
+[FREE]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
-        mode: {
-          type: "string",
-          enum: ["plan", "apply", "loop"],
-          description: "Fix mode (default: plan)",
-          default: "plan",
-        },
-        findingIds: {
-          type: "array",
-          items: { type: "string" },
-          description: "Specific finding IDs to fix (optional)",
-        },
+        code: { type: "string", description: "Code to verify" },
+        file: { type: "string", description: "Target file path" },
+        projectPath: { type: "string", description: "Project path" },
       },
+      required: ["code"],
     },
   },
 
   {
-    name: "vibecheck.prove",
-    description: `🔬 Full proof loop with runtime verification
+    name: "vibecheck.report",
+    description: `📄 Generate reports
 
-Orchestrates: truthpack → reality → ship → fix
-Continues until SHIP verdict or stuck.
+Formats: html, md, sarif, json
 
-Includes:
-- Browser verification with Playwright
-- Video/trace recording
-- Auth boundary testing
-- Evidence pack generation
+[FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string" },
+        format: { type: "string", enum: ["html", "md", "sarif", "json"], default: "html" },
+      },
+    },
+  },
 
-[PRO tier required]`,
+  {
+    name: "vibecheck.status",
+    description: `📊 Check vibecheck status and health [FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: { projectPath: { type: "string" } },
+    },
+  },
+
+  {
+    name: "vibecheck.doctor",
+    description: `🩺 Diagnose and fix environment issues [FREE]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
-        url: {
-          type: "string",
-          description: "Base URL for runtime testing (e.g., http://localhost:3000)",
-        },
-        maxIterations: {
-          type: "number",
-          description: "Max fix iterations (default: 5)",
-          default: 5,
-        },
-        recordVideo: {
-          type: "boolean",
-          description: "Record video of browser sessions",
-          default: true,
-        },
+        projectPath: { type: "string" },
+        fix: { type: "boolean", default: false },
       },
     },
   },
 
+  {
+    name: "vibecheck.firewall",
+    description: `🛡️ Agent Firewall - observe mode
+
+Validates AI code changes against repo truth.
+FREE tier: Observe only (logs but doesn't block).
+PRO tier: Enforce mode (blocks violations).
+
+[FREE - observe mode]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        action: { type: "string", enum: ["check", "status", "log"] },
+        code: { type: "string" },
+        file: { type: "string" },
+      },
+    },
+  },
+
+  {
+    name: "authority.list",
+    description: `📋 List available authorities [FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        tier: { type: "string", enum: ["free", "pro"] },
+      },
+    },
+  },
+
+  {
+    name: "authority.classify",
+    description: `📊 Inventory Authority - analyze duplication and legacy code [FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string", default: "." },
+        includeNear: { type: "boolean", default: true },
+        format: { type: "string", enum: ["json", "table", "markdown"], default: "json" },
+      },
+    },
+  },
+
+  {
+    name: "vibecheck_conductor_status",
+    description: `📡 Get multi-agent coordination status [FREE]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectRoot: { type: "string" },
+        includeDetails: { type: "boolean", default: false },
+      },
+      required: ["projectRoot"],
+    },
+  },
+
   // ═══════════════════════════════════════════════════════════════════════════
-  // TRUTH TOOLS (3)
+  // PRO TOOLS - Fix, Prove & Enforce
   // ═══════════════════════════════════════════════════════════════════════════
 
   {
-    name: "vibecheck.truthpack",
-    description: `📦 Get ground truth about the codebase
+    name: "vibecheck.ship",
+    description: `🚀 Get ship verdict: SHIP | WARN | BLOCK
 
-Returns verified facts about:
-- routes: Server routes and client references
-- env: Environment variables (used, declared, gaps)
-- auth: Authentication model and protected routes
-- billing: Payment gates and enforcement
+Returns evidence-backed verdict.
+
+[PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string" },
+        strict: { type: "boolean" },
+      },
+    },
+  },
 
-Every fact has file/line citations and confidence scores.
+  {
+    name: "vibecheck.fix",
+    description: `🔧 AI-powered fixes with proof
 
-⚠️ Use this BEFORE making assertions about the codebase.
+Modes: plan, apply, loop
 
-[STARTER tier required]`,
+[PRO - $69/mo]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
-        scope: {
-          type: "string",
-          enum: ["all", "routes", "env", "auth", "billing"],
-          description: "What to include (default: all)",
-          default: "all",
-        },
-        refresh: {
-          type: "boolean",
-          description: "Force rebuild (default: use cache)",
-          default: false,
-        },
+        projectPath: { type: "string" },
+        mode: { type: "string", enum: ["plan", "apply", "loop"], default: "plan" },
+        findingIds: { type: "array", items: { type: "string" } },
       },
     },
   },
 
   {
-    name: "vibecheck.validate",
-    description: `🔍 Validate a claim with evidence
-
-Returns: true | false | unknown
-- true: Claim verified with evidence citations
-- false: Claim disproven with counterexamples
-- unknown: Insufficient evidence (DO NOT proceed)
-
-Claim types:
-- route_exists: Check if route exists
-- env_var_exists: Check if env var is declared
-- auth_enforced: Check if route is protected
-- file_exists: Check if file exists
-- function_exists: Check if function exists
-
-[STARTER tier required]`,
+    name: "vibecheck.prove",
+    description: `🔬 Full proof loop with runtime verification
+
+[PRO - $69/mo]`,
     inputSchema: {
       type: "object",
       properties: {
-        claim: {
-          type: "string",
-          enum: ["route_exists", "env_var_exists", "auth_enforced", "file_exists", "function_exists"],
-          description: "Type of claim to validate",
-        },
-        subject: {
-          type: "object",
-          description: "What the claim is about",
-          properties: {
-            path: { type: "string", description: "Route path or file path" },
-            method: { type: "string", description: "HTTP method (for routes)" },
-            name: { type: "string", description: "Name of env var/function" },
-          },
-        },
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
+        projectPath: { type: "string" },
+        url: { type: "string" },
+        maxIterations: { type: "number", default: 5 },
+        recordVideo: { type: "boolean", default: true },
       },
-      required: ["claim", "subject"],
     },
   },
 
   {
-    name: "vibecheck.search",
-    description: `🔎 Search codebase with evidence citations
+    name: "vibecheck.gate",
+    description: `🚧 CI/CD enforcement - fail builds on issues [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string" },
+        strict: { type: "boolean" },
+      },
+    },
+  },
 
-Searches code and returns results with file/line citations.
-Use for finding specific patterns, functions, or implementations.
+  {
+    name: "vibecheck.badge",
+    description: `🏷️ Generate ship badge [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string" },
+        outputPath: { type: "string" },
+      },
+    },
+  },
 
-[STARTER tier required]`,
+  {
+    name: "vibecheck.reality",
+    description: `🧪 Full runtime verification with auth boundary testing [PRO - $69/mo]`,
     inputSchema: {
       type: "object",
       properties: {
-        query: {
-          type: "string",
-          description: "Search query (regex supported)",
-        },
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
-        filePattern: {
-          type: "string",
-          description: "File glob pattern (e.g., '**/*.ts')",
-        },
-        maxResults: {
-          type: "number",
-          description: "Max results to return (default: 20)",
-          default: 20,
-        },
+        url: { type: "string" },
+        auth: { type: "string" },
+        headed: { type: "boolean" },
+        maxPages: { type: "number", default: 20 },
+      },
+      required: ["url"],
+    },
+  },
+
+  {
+    name: "vibecheck.ai_test",
+    description: `🤖 AI agent testing - autonomous exploration [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        url: { type: "string" },
+        goal: { type: "string" },
+        maxActions: { type: "number", default: 50 },
+      },
+      required: ["url"],
+    },
+  },
+
+  {
+    name: "vibecheck.share",
+    description: `📤 Generate PR/review bundle [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: { type: "string" },
+        format: { type: "string", enum: ["github", "gitlab", "slack", "json"], default: "github" },
       },
-      required: ["query"],
     },
   },
 
   // ═══════════════════════════════════════════════════════════════════════════
-  // OUTPUT TOOLS (2)
+  // AUTHORITY SYSTEM (PRO)
   // ═══════════════════════════════════════════════════════════════════════════
 
   {
-    name: "vibecheck.report",
-    description: `📄 Generate reports in various formats
+    name: "authority.approve",
+    description: `🛡️ Authority Approval - Execute authority & get verdict (PROCEED/STOP/DEFER)
 
-Formats:
-- html: Interactive HTML report
-- md: Markdown report
-- sarif: SARIF for GitHub code scanning
-- json: Machine-readable JSON
+Execute an authority to get a structured verdict with proofs.
 
-[STARTER tier required]`,
+[PRO - $69/mo]`,
     inputSchema: {
       type: "object",
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
-        format: {
-          type: "string",
-          enum: ["html", "md", "sarif", "json"],
-          description: "Output format (default: html)",
-          default: "html",
-        },
-        outputPath: {
-          type: "string",
-          description: "Output file path (optional)",
-        },
+        authority: { type: "string", description: "Authority ID (e.g., 'safe-consolidation')" },
+        projectPath: { type: "string", default: "." },
+        dryRun: { type: "boolean", default: false },
       },
+      required: ["authority"],
     },
   },
 
+  // ═══════════════════════════════════════════════════════════════════════════
+  // AGENT CONDUCTOR (PRO) - Multi-Agent Coordination
+  // ═══════════════════════════════════════════════════════════════════════════
+
   {
-    name: "vibecheck.allowlist",
-    description: `📝 Manage false positive allowlist
+    name: "vibecheck_conductor_register",
+    description: `📡 Register AI agent for multi-agent coordination
 
-Actions:
-- list: Show all allowlist entries
-- add: Add finding to allowlist
-- remove: Remove from allowlist
-- check: Check if finding is allowlisted
+Call this at the start of any multi-agent workflow.
 
-[STARTER tier required]`,
+[PRO - $69/mo]`,
     inputSchema: {
       type: "object",
       properties: {
-        action: {
-          type: "string",
-          enum: ["list", "add", "remove", "check"],
-          description: "Action to perform",
-        },
-        findingId: {
-          type: "string",
-          description: "Finding ID (for add/remove/check)",
-        },
-        reason: {
-          type: "string",
-          description: "Reason for allowlisting (for add)",
-        },
-        projectPath: {
-          type: "string",
-          description: "Project path",
+        agentId: { type: "string", description: "Agent ID (e.g., 'cursor', 'copilot')" },
+        projectRoot: { type: "string" },
+        workingFiles: { type: "array", items: { type: "string" } },
+      },
+      required: ["agentId", "projectRoot"],
+    },
+  },
+
+  {
+    name: "vibecheck_conductor_acquire_lock",
+    description: `🔒 Acquire lock on file/folder for exclusive access
+
+Prevents concurrent modifications by other agents.
+
+[PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        sessionId: { type: "string" },
+        path: { type: "string" },
+        type: { type: "string", enum: ["exclusive", "shared"], default: "exclusive" },
+        reason: { type: "string" },
+      },
+      required: ["sessionId", "path"],
+    },
+  },
+
+  {
+    name: "vibecheck_conductor_release_lock",
+    description: `🔓 Release a previously acquired lock [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        lockId: { type: "string" },
+        sessionId: { type: "string" },
+      },
+      required: ["lockId", "sessionId"],
+    },
+  },
+
+  {
+    name: "vibecheck_conductor_propose",
+    description: `📋 Submit change proposal for multi-agent coordination
+
+Checks for conflicts with other agents before proceeding.
+
+[PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        sessionId: { type: "string" },
+        proposalId: { type: "string" },
+        intent: { type: "string" },
+        operations: {
+          type: "array",
+          items: {
+            type: "object",
+            properties: {
+              type: { type: "string", enum: ["create", "modify", "delete", "move"] },
+              path: { type: "string" },
+              content: { type: "string" },
+            },
+          },
         },
+        projectRoot: { type: "string" },
       },
-      required: ["action"],
+      required: ["sessionId", "proposalId", "intent", "operations", "projectRoot"],
+    },
+  },
+
+  {
+    name: "vibecheck_conductor_terminate",
+    description: `🛑 Terminate agent session and release all locks [PRO - $69/mo]`,
+    inputSchema: {
+      type: "object",
+      properties: {
+        sessionId: { type: "string" },
+      },
+      required: ["sessionId"],
     },
   },
 
   // ═══════════════════════════════════════════════════════════════════════════
-  // UTILITY TOOLS (1)
+  // AGENT FIREWALL (PRO) - Enforce Mode
   // ═══════════════════════════════════════════════════════════════════════════
 
   {
-    name: "vibecheck.status",
-    description: `📊 Get vibecheck status and health
+    name: "vibecheck_agent_firewall_intercept",
+    description: `🛡️ Agent Firewall (Sentinel) - ENFORCE MODE
+
+Intercepts AI code changes and validates against repo truth.
+Blocks violations. Generates proof artifacts.
+
+Features:
+- Reality state validation (routes, env, services)
+- Risk scoring (surface area, blast radius)
+- Diff simulation (broken imports, orphaned files)
+- Assumption verification
+- Proof artifact generation
 
-Returns:
-- version: CLI version
-- lastVerdict: Last ship verdict
-- findingsCount: Current findings
-- truthpackAge: When truthpack was last built
-- config: Project configuration
+Call BEFORE any file write operations.
 
-[STARTER tier required]`,
+[PRO - $69/mo]`,
     inputSchema: {
       type: "object",
+      required: ["agentId", "filePath", "content"],
       properties: {
-        projectPath: {
-          type: "string",
-          description: "Project path",
-        },
+        agentId: { type: "string", description: "Agent ID" },
+        filePath: { type: "string", description: "File to write" },
+        content: { type: "string", description: "New content" },
+        operation: { type: "string", enum: ["create", "modify", "delete"], default: "modify" },
+        intent: { type: "string", description: "What this change accomplishes" },
+        projectRoot: { type: "string" },
       },
     },
   },
@@ -424,321 +525,182 @@ Returns:
 export async function handleToolV3(toolName, args, context = {}) {
   const userTier = context.tier || 'free';
   
-  // Check tier access
   const access = checkTierAccess(toolName, userTier);
   if (!access.allowed) {
-    return { error: access.error, tier: userTier, required: TOOL_TIERS[toolName] };
+    return { error: access.error };
   }
   
   const projectPath = args.projectPath || process.cwd();
   
   try {
     switch (toolName) {
-      case 'vibecheck.ship':
-        return await runShip(projectPath, args);
-      
       case 'vibecheck.scan':
-        return await runScan(projectPath, args);
-      
+      case 'vibecheck.ctx':
+      case 'vibecheck.report':
+      case 'vibecheck.status':
+      case 'vibecheck.doctor':
+      case 'vibecheck.ship':
       case 'vibecheck.fix':
-        return await runFix(projectPath, args, userTier);
-      
       case 'vibecheck.prove':
-        return await runProve(projectPath, args);
-      
-      case 'vibecheck.truthpack':
-        return await getTruthpack(projectPath, args);
+      case 'vibecheck.gate':
+      case 'vibecheck.badge':
+      case 'vibecheck.reality':
+      case 'vibecheck.ai_test':
+      case 'vibecheck.share':
+        return await runCliCommand(projectPath, toolName.replace('vibecheck.', ''), args);
       
-      case 'vibecheck.validate':
-        return await validateClaim(projectPath, args);
+      case 'vibecheck.verify':
+        return await verifyCode(args);
       
-      case 'vibecheck.search':
-        return await searchCode(projectPath, args);
+      case 'vibecheck.firewall':
+        return await firewallCheck(args, userTier);
       
-      case 'vibecheck.report':
-        return await generateReport(projectPath, args);
+      case 'authority.list':
+      case 'authority.classify':
+      case 'authority.approve':
+        return await runCliCommand(projectPath, toolName.replace('authority.', 'authority '), args);
       
-      case 'vibecheck.allowlist':
-        return await manageAllowlist(projectPath, args);
+      case 'vibecheck_conductor_status':
+      case 'vibecheck_conductor_register':
+      case 'vibecheck_conductor_acquire_lock':
+      case 'vibecheck_conductor_release_lock':
+      case 'vibecheck_conductor_propose':
+      case 'vibecheck_conductor_terminate':
+        return await handleConductorTool(toolName, args, userTier);
       
-      case 'vibecheck.status':
-        return await getStatus(projectPath);
+      case 'vibecheck_agent_firewall_intercept':
+        return await handleFirewallIntercept(args, userTier);
       
       default:
         return { error: `Unknown tool: ${toolName}` };
     }
   } catch (error) {
-    return { error: error.message, stack: error.stack };
+    return { error: error.message };
   }
 }
 
 // =============================================================================
-// TOOL IMPLEMENTATIONS
+// IMPLEMENTATIONS
 // =============================================================================
 
-async function runShip(projectPath, args) {
-  const strictFlag = args.strict ? '--strict' : '';
-  const result = execSync(
-    `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" ship --json ${strictFlag}`,
-    { cwd: projectPath, encoding: 'utf8', timeout: 120000 }
-  );
-  return JSON.parse(result);
-}
-
-async function runScan(projectPath, args) {
+async function runCliCommand(projectPath, command, args) {
+  const flags = Object.entries(args)
+    .filter(([k, v]) => k !== 'projectPath' && v !== undefined && v !== null)
+    .map(([k, v]) => {
+      if (typeof v === 'boolean') return v ? `--${k}` : '';
+      if (Array.isArray(v)) return `--${k} ${v.join(',')}`;
+      return `--${k} "${v}"`;
+    })
+    .filter(Boolean)
+    .join(' ');
+  
   const result = execSync(
-    `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" scan --json`,
-    { cwd: projectPath, encoding: 'utf8', timeout: 120000 }
+    `npx vibecheck ${command} --json ${flags}`,
+    { cwd: projectPath, encoding: 'utf8', timeout: 300000 }
   );
-  return JSON.parse(result);
+  
+  try {
+    return JSON.parse(result);
+  } catch {
+    return { output: result };
+  }
 }
 
-async function runFix(projectPath, args, userTier) {
-  const mode = args.mode || 'plan';
+async function verifyCode(args) {
+  const { code } = args;
+  const issues = [];
   
-  // Apply/loop modes require PRO
-  if ((mode === 'apply' || mode === 'loop') && userTier !== 'pro' && userTier !== 'compliance') {
-    return { error: `🔒 fix --${mode} requires PRO tier. Use 'plan' mode for STARTER.` };
+  if (/(?:password|secret|api_?key|token)\s*[:=]\s*['"][^'"]+['"]/i.test(code)) {
+    issues.push({ type: 'secret', message: 'Possible hardcoded secret' });
+  }
+  if (/eval\s*\(|Function\s*\(/.test(code)) {
+    issues.push({ type: 'danger', message: 'eval() or Function() detected' });
+  }
+  if (/TODO|FIXME|XXX|HACK/i.test(code)) {
+    issues.push({ type: 'stub', message: 'Incomplete code stub' });
   }
   
-  const modeFlag = mode === 'plan' ? '--prompt-only' : mode === 'loop' ? '--loop --apply' : '--apply';
-  const result = execSync(
-    `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" fix ${modeFlag} --json`,
-    { cwd: projectPath, encoding: 'utf8', timeout: 300000 }
-  );
-  return JSON.parse(result);
+  return { verified: issues.length === 0, issues };
 }
 
-async function runProve(projectPath, args) {
-  const url = args.url || '';
-  const videoFlag = args.recordVideo ? '--video' : '';
-  const urlFlag = url ? `--url "${url}"` : '';
-  
-  const result = execSync(
-    `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" prove ${urlFlag} ${videoFlag} --json`,
-    { cwd: projectPath, encoding: 'utf8', timeout: 600000 }
-  );
-  return JSON.parse(result);
+async function firewallCheck(args, tier) {
+  const mode = tier === 'pro' ? 'enforce' : 'observe';
+  return {
+    mode,
+    checked: true,
+    message: mode === 'observe' 
+      ? 'Agent Firewall in observe mode (FREE). Upgrade to PRO for enforce mode.'
+      : 'Agent Firewall in enforce mode (PRO).',
+  };
 }
 
-async function getTruthpack(projectPath, args) {
-  const truthpackPath = path.join(projectPath, '.vibecheck', 'truthpack.json');
-  
-  if (args.refresh) {
-    execSync(
-      `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" ctx build`,
-      { cwd: projectPath, encoding: 'utf8', timeout: 60000 }
-    );
+async function handleConductorTool(toolName, args, tier) {
+  // For full conductor features, require PRO
+  if (toolName !== 'vibecheck_conductor_status' && tier !== 'pro') {
+    return {
+      error: 'Full Conductor features require PRO. Upgrade at https://vibecheckai.dev/pricing'
+    };
   }
   
+  // Import and delegate to conductor handlers
   try {
-    const content = await fs.readFile(truthpackPath, 'utf8');
-    const truthpack = JSON.parse(content);
+    const { 
+      handleConductorRegister, 
+      handleConductorAcquireLock,
+      handleConductorReleaseLock,
+      handleConductorPropose,
+      handleConductorStatus,
+      handleConductorTerminate,
+    } = await import('./conductor/tools.js');
     
-    // Filter by scope if specified
-    if (args.scope && args.scope !== 'all') {
-      return { [args.scope]: truthpack[args.scope] };
+    switch (toolName) {
+      case 'vibecheck_conductor_status':
+        return await handleConductorStatus(args);
+      case 'vibecheck_conductor_register':
+        return await handleConductorRegister(args);
+      case 'vibecheck_conductor_acquire_lock':
+        return await handleConductorAcquireLock(args);
+      case 'vibecheck_conductor_release_lock':
+        return await handleConductorReleaseLock(args);
+      case 'vibecheck_conductor_propose':
+        return await handleConductorPropose(args);
+      case 'vibecheck_conductor_terminate':
+        return await handleConductorTerminate(args);
+      default:
+        return { error: `Unknown conductor tool: ${toolName}` };
     }
-    
-    return truthpack;
   } catch (error) {
-    return { error: 'Truthpack not found. Run vibecheck init first.' };
+    return { error: `Conductor not available: ${error.message}` };
   }
 }
 
-async function validateClaim(projectPath, args) {
-  const { claim, subject } = args;
-  const truthpack = await getTruthpack(projectPath, { scope: 'all' });
-  
-  if (truthpack.error) return truthpack;
-  
-  switch (claim) {
-    case 'route_exists': {
-      const routes = truthpack.routes?.server || [];
-      const found = routes.find(r => 
-        r.path === subject.path && 
-        (!subject.method || r.method === subject.method || r.method === '*')
-      );
-      return {
-        result: found ? 'true' : 'false',
-        evidence: found ? [{ file: found.file, line: found.line }] : [],
-        claim,
-        subject,
-      };
-    }
-    
-    case 'env_var_exists': {
-      const declared = new Set(truthpack.env?.declared || []);
-      return {
-        result: declared.has(subject.name) ? 'true' : 'false',
-        evidence: [],
-        claim,
-        subject,
-      };
-    }
-    
-    case 'auth_enforced': {
-      const authRoutes = truthpack.auth?.protectedRoutes || [];
-      const found = authRoutes.find(r => r.path === subject.path);
-      return {
-        result: found ? 'true' : 'unknown',
-        evidence: found ? [{ file: found.file, line: found.line }] : [],
-        claim,
-        subject,
-      };
-    }
-    
-    case 'file_exists': {
-      try {
-        await fs.access(path.join(projectPath, subject.path));
-        return { result: 'true', evidence: [{ file: subject.path }], claim, subject };
-      } catch {
-        return { result: 'false', evidence: [], claim, subject };
-      }
-    }
-    
-    case 'function_exists': {
-      // Simple grep-based search
-      try {
-        const result = execSync(
-          `grep -rn "function ${subject.name}\\|const ${subject.name}\\|${subject.name} =" --include="*.ts" --include="*.js" .`,
-          { cwd: projectPath, encoding: 'utf8', timeout: 10000 }
-        );
-        const lines = result.trim().split('\n').filter(Boolean);
-        return {
-          result: lines.length > 0 ? 'true' : 'false',
-          evidence: lines.slice(0, 3).map(l => {
-            const [file, line] = l.split(':');
-            return { file, line: parseInt(line) };
-          }),
-          claim,
-          subject,
-        };
-      } catch {
-        return { result: 'false', evidence: [], claim, subject };
-      }
-    }
-    
-    default:
-      return { result: 'unknown', error: `Unknown claim type: ${claim}` };
+async function handleFirewallIntercept(args, tier) {
+  if (tier !== 'pro') {
+    return {
+      allowed: true,
+      mode: 'observe',
+      message: 'Firewall intercept in observe mode (FREE). Changes logged but not blocked.',
+      violations: [],
+    };
   }
-}
-
-async function searchCode(projectPath, args) {
-  const { query, filePattern, maxResults = 20 } = args;
   
+  // Import and delegate to firewall interceptor
   try {
-    const globFlag = filePattern ? `--include="${filePattern}"` : '--include="*.ts" --include="*.js" --include="*.tsx" --include="*.jsx"';
-    const result = execSync(
-      `grep -rn "${query}" ${globFlag} . | head -${maxResults}`,
-      { cwd: projectPath, encoding: 'utf8', timeout: 30000 }
-    );
-    
-    const matches = result.trim().split('\n').filter(Boolean).map(line => {
-      const colonIndex = line.indexOf(':');
-      const secondColon = line.indexOf(':', colonIndex + 1);
-      return {
-        file: line.substring(0, colonIndex),
-        line: parseInt(line.substring(colonIndex + 1, secondColon)),
-        content: line.substring(secondColon + 1).trim(),
-      };
-    });
-    
-    return { query, matches, total: matches.length };
+    const { interceptFileWrite } = await import('./agent-firewall-interceptor.js');
+    return await interceptFileWrite(args);
   } catch (error) {
-    return { query, matches: [], total: 0, error: error.message };
+    return { error: `Firewall intercept failed: ${error.message}` };
   }
 }
 
-async function generateReport(projectPath, args) {
-  const format = args.format || 'html';
-  const result = execSync(
-    `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" report --format ${format} --json`,
-    { cwd: projectPath, encoding: 'utf8', timeout: 60000 }
-  );
-  return JSON.parse(result);
-}
-
-async function manageAllowlist(projectPath, args) {
-  const { action, findingId, reason } = args;
-  
-  switch (action) {
-    case 'list':
-      return execSync(
-        `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" scan --allowlist list --json`,
-        { cwd: projectPath, encoding: 'utf8', timeout: 30000 }
-      );
-    
-    case 'add':
-      if (!findingId || !reason) {
-        return { error: 'findingId and reason required for add' };
-      }
-      return execSync(
-        `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" scan --allowlist add --id "${findingId}" --reason "${reason}"`,
-        { cwd: projectPath, encoding: 'utf8', timeout: 30000 }
-      );
-    
-    case 'remove':
-      if (!findingId) {
-        return { error: 'findingId required for remove' };
-      }
-      return execSync(
-        `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" scan --allowlist remove --id "${findingId}"`,
-        { cwd: projectPath, encoding: 'utf8', timeout: 30000 }
-      );
-    
-    case 'check':
-      if (!findingId) {
-        return { error: 'findingId required for check' };
-      }
-      return execSync(
-        `node "${path.join(projectPath, 'node_modules/.bin/vibecheck')}" scan --allowlist check --id "${findingId}" --json`,
-        { cwd: projectPath, encoding: 'utf8', timeout: 30000 }
-      );
-    
-    default:
-      return { error: `Unknown action: ${action}` };
-  }
-}
-
-async function getStatus(projectPath) {
-  const configPath = path.join(projectPath, '.vibecheck', 'config.json');
-  const truthpackPath = path.join(projectPath, '.vibecheck', 'truthpack.json');
-  const resultsPath = path.join(projectPath, '.vibecheck', 'results', 'latest.json');
-  
-  const status = {
-    version: '3.2.0',
-    projectPath,
-    initialized: false,
-    lastVerdict: null,
-    findingsCount: 0,
-    truthpackAge: null,
-  };
-  
-  try {
-    await fs.access(configPath);
-    status.initialized = true;
-  } catch {}
-  
-  try {
-    const stats = await fs.stat(truthpackPath);
-    status.truthpackAge = stats.mtime.toISOString();
-  } catch {}
-  
-  try {
-    const results = JSON.parse(await fs.readFile(resultsPath, 'utf8'));
-    status.lastVerdict = results.verdict;
-    status.findingsCount = results.findings?.length || 0;
-  } catch {}
-  
-  return status;
-}
+// =============================================================================
+// EXPORTS
+// =============================================================================
 
-export { TOOL_TIERS, checkTierAccess };
+export { TOOL_TIERS, checkTierAccess, isPro };
 
 export default {
   MCP_TOOLS_V3,
   handleToolV3,
   TOOL_TIERS,
-  checkTierAccess,
 };