npm - @vibecheckai/cli - Versions diffs - 3.3.0 → 3.4.0 - Mend

@vibecheckai/cli 3.3.0 → 3.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/bin/registry.js +255 -226
package/bin/runners/lib/analyzers.js +55 -123
package/bin/runners/lib/entitlements-v2.js +96 -505
package/bin/runners/lib/scan-output.js +18 -19
package/bin/runners/lib/ship-output.js +18 -25
package/bin/runners/lib/upsell.js +90 -338
package/bin/runners/runScan.js +14 -1
package/bin/vibecheck.js +6 -11
package/mcp-server/index.js +13 -623
package/mcp-server/lib/api-client.cjs +7 -299
package/mcp-server/package.json +1 -1
package/mcp-server/tier-auth.js +175 -574
package/mcp-server/tools-v3.js +495 -533
package/package.json +1 -1

package/mcp-server/tier-auth.js CHANGED Viewed

@@ -1,607 +1,216 @@
-/* vibecheck-disable */
 /**
- * MCP Server Tier Authentication & Authorization
+ * MCP Server Tier Authentication
  *
- * UNIFIED AUTHORITY SYSTEM for MCP tools.
+ * Simple 2-tier model:
+ * - FREE ($0): Inspect & Observe
+ * - PRO ($69/mo): Fix, Prove & Enforce
  *
- * Authority Rules:
- * - FREE: May see problems, never resolve certainty. Read-only context tools.
- * - STARTER: May fix, but not prove. Read tools + advisory actions.
- * - PRO: May enforce reality. Full MCP access with proof generation.
- * - ENTERPRISE: All features + compliance tools.
- *
- * Verdict authority is paid. Evidence beats explanations.
+ * PRO includes:
+ * - Authority System (verdicts, approvals)
+ * - Agent Conductor (multi-agent coordination)
+ * - Agent Firewall (enforce mode)
  */
 import fs from "fs/promises";
 import path from "path";
 import os from "os";
-// ═══════════════════════════════════════════════════════════════════════════════
-// TIER DEFINITIONS - UNIFIED AUTHORITY SYSTEM
-// Synchronized with packages/core/src/tier-config.ts
-//
-// Authority Rules:
-// - FREE: May see problems, never resolve certainty
-// - STARTER: May fix, but not prove (Advisory verdicts only)
-// - PRO: May enforce reality (Full verdict authority)
-// ═══════════════════════════════════════════════════════════════════════════════
+// ============================================================================
+// TIERS
+// ============================================================================
 export const TIERS = {
-  free: {
-    name: 'FREE',
-    price: 0,
-    order: 0,
-    // Verdict authority
-    verdictAuthority: 'NONE',
-    canIssueVerdicts: false,
-    canEnforceCI: false,
-    canGenerateProof: false,
-    // Agent Firewall configuration
-    firewall: {
-      mode: 'observe',        // Log only, never block
-      canOverride: false,     // Cannot override blocks
-      auditEnabled: false,    // No audit trail
-    },
-    // Limits
-    limits: {
-      scans: -1,  // Unlimited scans
-      realityMaxPages: 5,
-      realityMaxClicks: 20,
-      mcpRateLimit: 10,
-    },
-    // MCP tools allowed on FREE (read-only context only)
-    mcpTools: [
-      'vibecheck.get_truthpack',
-      'vibecheck.compile_context',
-      'vibecheck.search_evidence',
-      'vibecheck_agent_firewall_intercept',  // Observe mode
-      'vibecheck_conductor_status',  // Read-only coordination status
-      // Authority System - FREE tier
-      'vibecheck.classify',         // Inventory authority (read-only)
-      'vibecheck.authority_list',   // List available authorities
-    ],
-    // Authority System configuration
-    authority: {
-      canClassify: true,          // Can run inventory analysis
-      canApprove: false,          // Cannot get verdicts
-      canEnforce: false,          // Cannot enforce in CI
-      canGenerateBadge: false,    // Cannot generate badges
-      availableAuthorities: ['inventory'],
-    },
-  },
-  starter: {
-    name: 'STARTER',
-    price: 39,
-    order: 1,
-    // Verdict authority - ADVISORY (verdicts not enforced)
-    verdictAuthority: 'ADVISORY',
-    canIssueVerdicts: true,  // SHIP, WARN only
-    canEnforceCI: false,     // Cannot block builds
-    canGenerateProof: false, // Cannot generate proof
-    // Agent Firewall configuration
-    firewall: {
-      mode: 'advisory',       // Warn but allow
-      canOverride: true,      // Can override with reason
-      auditEnabled: true,     // Basic audit trail
-    },
-    // Limits
-    limits: {
-      scans: -1,           // Unlimited scans
-      realityMaxPages: -1, // Unlimited browser testing
-      realityMaxClicks: -1,
-      mcpRateLimit: 60,
-    },
-    // MCP tools allowed on STARTER (read + advisory actions)
-    mcpTools: [
-      'vibecheck.ctx',
-      'vibecheck.scan',
-      'vibecheck.ship',      // Advisory verdicts only
-      'vibecheck.get_truthpack',
-      'vibecheck.validate_claim',
-      'vibecheck.compile_context',
-      'vibecheck.search_evidence',
-      'vibecheck.find_counterexamples',
-      'vibecheck.check_invariants',
-      'vibecheck.fix',       // Plan mode only
-      'vibecheck_agent_firewall_intercept',  // Advisory mode
-      // Conductor - multi-agent coordination
-      'vibecheck_conductor_register',
-      'vibecheck_conductor_acquire_lock',
-      'vibecheck_conductor_release_lock',
-      'vibecheck_conductor_propose',
-      'vibecheck_conductor_status',
-      'vibecheck_conductor_terminate',
-      // Authority System - STARTER tier
-      'vibecheck.classify',         // Inventory authority
-      'vibecheck.approve',          // Advisory verdicts
-      'vibecheck.authority_list',   // List authorities
-      'vibecheck.authority_approve', // Authority approval (advisory)
-    ],
-    // Authority System configuration
-    authority: {
-      canClassify: true,          // Can run inventory analysis
-      canApprove: true,           // Can get advisory verdicts
-      canEnforce: false,          // Cannot enforce in CI
-      canGenerateBadge: false,    // Cannot generate badges
-      availableAuthorities: ['inventory', 'safe-consolidation'],
-    },
-  },
-  pro: {
-    name: 'PRO',
-    price: 99,
-    order: 2,
-    // Verdict authority - ENFORCED (verdicts block CI/PRs)
-    verdictAuthority: 'ENFORCED',
-    canIssueVerdicts: true,  // SHIP, WARN, BLOCK
-    canEnforceCI: true,      // Can block builds
-    canGenerateProof: true,  // Can generate cryptographic proof
-    // Agent Firewall configuration
-    firewall: {
-      mode: 'enforce',        // Block violations
-      canOverride: true,      // Can override with approval
-      auditEnabled: true,     // Full audit trail
-      criticEnabled: true,    // Enable Critic LLM
-    },
-    // Limits
-    limits: {
-      scans: -1,
-      realityMaxPages: -1,
-      realityMaxClicks: -1,
-      mcpRateLimit: -1,  // Unlimited
-    },
-    // MCP tools - FULL ACCESS
-    mcpTools: ['*'],  // All tools unlocked
-    // Authority System configuration
-    authority: {
-      canClassify: true,          // Can run inventory analysis
-      canApprove: true,           // Can get verdicts
-      canEnforce: true,           // Can enforce in CI (STOP verdicts block)
-      canGenerateBadge: true,     // Can generate authority badges
-      availableAuthorities: ['inventory', 'safe-consolidation', 'security-remediation'],
-    },
-  },
-  enterprise: {
-    name: 'ENTERPRISE',
-    price: 0, // Custom pricing
-    order: 3,
-    // Verdict authority - ENFORCED + Compliance
-    verdictAuthority: 'ENFORCED',
-    canIssueVerdicts: true,
-    canEnforceCI: true,
-    canGenerateProof: true,
-    // Agent Firewall configuration
-    firewall: {
-      mode: 'enforce',        // Block violations
-      canOverride: true,      // Can override with multi-approval
-      auditEnabled: true,     // Full compliance audit trail
-      criticEnabled: true,    // Enable Critic LLM
-      complianceMode: true,   // Generate compliance artifacts
-    },
-    // Limits
-    limits: {
-      scans: -1,
-      realityMaxPages: -1,
-      realityMaxClicks: -1,
-      mcpRateLimit: -1,
-    },
-    // MCP tools - FULL ACCESS + Compliance
-    mcpTools: ['*'],
-    // Authority System configuration
-    authority: {
-      canClassify: true,          // Can run inventory analysis
-      canApprove: true,           // Can get verdicts
-      canEnforce: true,           // Can enforce in CI (STOP verdicts block)
-      canGenerateBadge: true,     // Can generate authority badges
-      canCustomize: true,         // Can create custom authorities
-      availableAuthorities: ['*'], // All authorities including custom
-    },
-  }
+  free: { name: 'FREE', price: 0 },
+  pro: { name: 'PRO', price: 69 },
 };
-// ═══════════════════════════════════════════════════════════════════════════════
-// CLI FEATURE → TIER MAPPING
-// Maps CLI features (not MCP tools) to minimum required tier
-// ═══════════════════════════════════════════════════════════════════════════════
-export const CLI_FEATURE_TIERS = {
-  // FREE - Basic scanning (always available)
-  'scan': 'free',
-  'ctx': 'free',
-  'ship': 'free',
-  'classify': 'free',         // Authority: inventory (read-only)
-  // STARTER - Enhanced features
-  'gate': 'starter',
-  'badge': 'starter',
-  'fix': 'starter',           // Plan mode
-  'approve': 'starter',       // Authority: advisory verdicts
-  'authority.starter': 'starter', // Authority System access
-  // PRO - Full enforcement
-  'prove': 'pro',
-  'fix.apply_patches': 'pro', // Apply mode
-  'reality': 'pro',
-  'autopilot': 'pro',
-  'verify': 'pro',
-  'authority.pro': 'pro',     // Authority: enforced verdicts + badges
-  'authority.enforce': 'pro', // Authority: CI blocking
-};
-// ═══════════════════════════════════════════════════════════════════════════════
-// MCP TOOL → TIER MAPPING (Unified Authority System)
-// Aligned with packages/core/src/features.ts
-// ═══════════════════════════════════════════════════════════════════════════════
-export const MCP_TOOL_TIERS = {
-  // FREE - Read-only context tools ONLY
-  // Free users may see problems, never resolve certainty
-  'vibecheck.get_truthpack': 'free',
-  'vibecheck.compile_context': 'free',
-  'vibecheck.search_evidence': 'free',
-  'vibecheck_agent_firewall_intercept': 'free',  // Observe mode only
-  'vibecheck.classify': 'free',         // Authority: inventory (read-only)
-  'vibecheck.authority_list': 'free',   // List available authorities
-  // STARTER - Advisory verdict authority
-  // Starter users may fix, but not prove
-  'vibecheck.ctx': 'starter',
-  'vibecheck.scan': 'starter',
-  'vibecheck.ship': 'starter',          // SHIP/WARN (advisory, not enforced)
-  'vibecheck.fix': 'starter',           // Plan mode only (no apply)
-  'vibecheck.validate_claim': 'starter',
-  'vibecheck.find_counterexamples': 'starter',
-  'vibecheck.check_invariants': 'starter',
-  'vibecheck.gate': 'starter',          // Advisory gates
-  'vibecheck.badge': 'starter',         // Unverified badges
-  'vibecheck.approve': 'starter',       // Authority: advisory verdicts
-  'vibecheck.authority_approve': 'starter', // Authority approval (advisory)
-  // PRO - Full verdict authority & enforcement
-  // Pro users may enforce reality
-  'vibecheck.prove': 'pro',             // Cryptographic proof generation
-  'vibecheck.fix.apply': 'pro',         // Apply fixes
-  'vibecheck.fix.verify': 'pro',        // Verify fixes with proof
-  'vibecheck.reality': 'pro',           // Full browser testing
-  'vibecheck.reality.prove': 'pro',     // Prove runtime behavior
-  'vibecheck.enforce': 'pro',           // Enforce verdicts in CI
-  'vibecheck.ai_test': 'pro',           // AI agent testing
-  'vibecheck.autopilot': 'pro',         // Autonomous protection
-  'vibecheck.report': 'pro',            // Advanced reporting
-  'vibecheck.allowlist': 'pro',         // Manage allowlists
-  'vibecheck.status': 'pro',            // Advanced status
-  'vibecheck.authority_enforce': 'pro', // Authority: enforced verdicts
-  'vibecheck.authority_badge': 'pro',   // Authority: generate badges
-};
+// ============================================================================
+// MCP TOOLS - 15 Core + PRO Features
+// ============================================================================
 /**
- * Load user configuration from ~/.vibecheck/credentials.json
+ * FREE TOOLS (7) - Inspect & Observe
  */
-async function loadUserConfig() {
-  try {
-    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
-    const configData = await fs.readFile(configPath, 'utf-8');
-    return JSON.parse(configData);
-  } catch (error) {
-    return null;
-  }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// SECURE TIER VALIDATION - API-First with Caching
-// SECURITY: Never trust API key prefix alone - always validate with API
-// ═══════════════════════════════════════════════════════════════════════════════
+export const FREE_TOOLS = [
+  // Core FREE tools
+  'vibecheck.scan',
+  'vibecheck.ctx',
+  'vibecheck.verify',
+  'vibecheck.report',
+  'vibecheck.status',
+  'vibecheck.doctor',
+  'vibecheck.firewall',           // Observe mode only
+  // Authority (read-only)
+  'authority.list',
+  'authority.classify',
+  // Conductor (status only)
+  'vibecheck_conductor_status',
+];
 /**
- * Tier cache to avoid hammering the API on every request
- * Structure: Map<apiKeyHash, { tier, validatedAt, expiresAt }>
+ * PRO TOOLS (8 Core + Authority + Conductor + Firewall) - Fix, Prove & Enforce
  */
+export const PRO_TOOLS = [
+  // Core PRO tools
+  'vibecheck.ship',
+  'vibecheck.fix',
+  'vibecheck.prove',
+  'vibecheck.gate',
+  'vibecheck.badge',
+  'vibecheck.reality',
+  'vibecheck.ai_test',
+  'vibecheck.share',
+  // Authority System (full)
+  'authority.approve',
+  'authority.enforce',
+  // Agent Conductor (full multi-agent coordination)
+  'vibecheck_conductor_register',
+  'vibecheck_conductor_acquire_lock',
+  'vibecheck_conductor_release_lock',
+  'vibecheck_conductor_propose',
+  'vibecheck_conductor_terminate',
+  // Agent Firewall (enforce mode)
+  'vibecheck_agent_firewall_intercept',
+  'vibecheck.firewall.enforce',
+];
+export const ALL_TOOLS = [...FREE_TOOLS, ...PRO_TOOLS];
+// ============================================================================
+// TIER CACHE
+// ============================================================================
 const tierCache = new Map();
-const TIER_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
-const TIER_CACHE_MAX_SIZE = 1000; // Prevent unbounded growth
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
-/**
- * Hash API key for cache key (don't store raw keys in memory)
- */
-function hashApiKey(apiKey) {
+function hashKey(apiKey) {
   const crypto = require('crypto');
-  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 32);
+  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
 }
-/**
- * Evict expired entries and enforce max size
- */
-function cleanupTierCache() {
-  const now = Date.now();
-  for (const [key, value] of tierCache) {
-    if (value.expiresAt < now) {
-      tierCache.delete(key);
-    }
-  }
-  // If still too large, evict oldest entries
-  if (tierCache.size > TIER_CACHE_MAX_SIZE) {
-    const entries = Array.from(tierCache.entries())
-      .sort((a, b) => a[1].validatedAt - b[1].validatedAt);
-    const toDelete = entries.slice(0, tierCache.size - TIER_CACHE_MAX_SIZE);
-    for (const [key] of toDelete) {
-      tierCache.delete(key);
-    }
-  }
-}
+// ============================================================================
+// TIER VALIDATION
+// ============================================================================
-/**
- * Determine tier from API key - ALWAYS validates with API first
- *
- * SECURITY FIX: Previous version checked prefix patterns BEFORE API validation,
- * allowing attackers to spoof tier with fake keys like "gr_pro_anything".
- * Now we ALWAYS validate with API first. Prefix is never authoritative.
- *
- * @param {string} apiKey - The API key to validate
- * @returns {Promise<string|null>} - Tier name or null if invalid
- */
-async function getTierFromApiKey(apiKey) {
-  if (!apiKey || typeof apiKey !== 'string') return null;
-  // Validate key format (basic sanity check)
-  if (apiKey.length < 10 || apiKey.length > 256) return null;
+export async function getTierFromApiKey(apiKey) {
+  if (!apiKey || typeof apiKey !== 'string' || apiKey.length < 10) {
+    return null;
+  }
-  const keyHash = hashApiKey(apiKey);
+  const keyHash = hashKey(apiKey);
   const now = Date.now();
-  // Check cache first (only if not expired)
+  // Check cache
   const cached = tierCache.get(keyHash);
   if (cached && cached.expiresAt > now) {
     return cached.tier;
   }
-  // ALWAYS validate with API - this is the authoritative source
+  // Validate with API
   try {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), 10000); // 10s timeout
     const response = await fetch('https://api.vibecheckai.dev/whoami', {
-      headers: {
-        'Authorization': `Bearer ${apiKey}`,
-        'Content-Type': 'application/json',
-      },
-      signal: controller.signal,
+      headers: { 'Authorization': `Bearer ${apiKey}` },
+      signal: AbortSignal.timeout(10000),
     });
-    clearTimeout(timeoutId);
     if (!response.ok) {
-      // API explicitly rejected this key - it's invalid
-      // Cache the rejection briefly to avoid hammering on invalid keys
-      tierCache.set(keyHash, {
-        tier: null,
-        validatedAt: now,
-        expiresAt: now + 60000, // Cache rejections for 1 minute
-      });
       return null;
     }
     const data = await response.json();
+    const plan = data.plan?.toLowerCase() || 'free';
-    // Map API response to tier
-    let tier;
-    switch (data.plan?.toLowerCase()) {
-      case 'starter':
-        tier = 'starter';
-        break;
-      case 'pro':
-        tier = 'pro';
-        break;
-      case 'enterprise':
-        tier = 'enterprise';
-        break;
-      default:
-        tier = 'free';
-    }
-    // Cache the validated tier
-    tierCache.set(keyHash, {
-      tier,
-      validatedAt: now,
-      expiresAt: now + TIER_CACHE_TTL_MS,
-    });
-    // Periodic cleanup
-    if (tierCache.size > TIER_CACHE_MAX_SIZE * 0.9) {
-      cleanupTierCache();
-    }
+    // Any paid plan = pro
+    const tier = (plan === 'free') ? 'free' : 'pro';
+    tierCache.set(keyHash, { tier, expiresAt: now + CACHE_TTL });
     return tier;
-  } catch (error) {
-    // Network error - check if we have a recent valid cache entry
-    // (This allows graceful degradation during brief network issues)
-    if (cached && cached.tier !== null) {
-      // Only use stale cache if it was validated within last 15 minutes
-      // and the original validation was successful (tier !== null)
-      const staleTolerance = 15 * 60 * 1000; // 15 minutes
-      if (now - cached.validatedAt < staleTolerance) {
-        console.error(`[TIER-AUTH] API unreachable, using stale cache for ${keyHash.slice(0, 8)}...`);
-        return cached.tier;
-      }
-    }
-    // No valid cache - fail closed for security
-    console.error('[TIER-AUTH] API validation failed with no valid cache, denying access:', error.message);
+  } catch {
+    // Network error - check stale cache
+    if (cached) return cached.tier;
     return null;
   }
 }
+// ============================================================================
+// ACCESS CONTROL
+// ============================================================================
+export function isPro(tier) {
+  return tier === 'pro';
+}
+export function canAccessTool(tier, toolName) {
+  // PRO gets everything
+  if (tier === 'pro') return true;
+  // FREE can access FREE tools
+  return FREE_TOOLS.includes(toolName);
+}
 /**
- * Check if user has access to a specific feature
- * Matches CLI entitlements-v2.js logic
+ * Get firewall mode based on tier
+ * - FREE: observe (log only)
+ * - PRO: enforce (block violations)
  */
-export async function getFeatureAccessStatus(featureName, providedApiKey = null) {
-  // Try to load user config
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
-  if (!apiKey) {
-    return {
-      hasAccess: false,
-      tier: null,
-      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  const currentTier = await getTierFromApiKey(apiKey);
-  if (!currentTier) {
-    return {
-      hasAccess: false,
-      tier: null,
-      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  const currentTierConfig = TIERS[currentTier];
-  // Find which tier requires this feature using CLI_FEATURE_TIERS mapping
-  const requiredTier = CLI_FEATURE_TIERS[featureName];
-  // If feature not found in mapping, allow it (default to free)
-  if (!requiredTier) {
-    return {
-      hasAccess: true,
-      tier: currentTier,
-      reason: `Feature '${featureName}' has no tier restriction`
-    };
-  }
-  const requiredTierConfig = TIERS[requiredTier];
-  // Check if current tier meets minimum requirement (using order)
-  const hasAccess = currentTierConfig.order >= requiredTierConfig.order;
-  if (!hasAccess) {
-    return {
-      hasAccess: false,
-      tier: currentTier,
-      requiredTier,
-      reason: `${featureName} requires ${requiredTierConfig.name} tier ($${requiredTierConfig.price}/mo) or higher. Current tier: ${currentTierConfig.name}`,
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
-  return {
-    hasAccess: true,
-    tier: currentTier,
-    reason: 'Access granted'
-  };
+export function getFirewallMode(tier) {
+  return tier === 'pro' ? 'enforce' : 'observe';
 }
 /**
- * Middleware for MCP tool handlers
+ * Check if user can use full conductor features
  */
-export function withTierCheck(featureName, handler) {
-  return async (args) => {
-    const access = await getFeatureAccessStatus(featureName, args?.apiKey);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
-        }],
-        isError: true
-      };
-    }
-    // Add tier info to args for the handler
-    args._tier = access.tier;
-    return handler(args);
-  };
+export function canUseCondcutor(tier) {
+  return tier === 'pro';
 }
 /**
- * Check if user has access to a specific MCP tool
- * MCP tools have specific tier requirements separate from CLI features
+ * Check if user can approve authorities
  */
-export async function getMcpToolAccess(toolName, providedApiKey = null) {
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
+export function canApproveAuthority(tier) {
+  return tier === 'pro';
+}
+export async function getMcpToolAccess(toolName, apiKey) {
   if (!apiKey) {
     return {
-      hasAccess: false,
-      tier: null,
-      reason: 'No API key provided. Please set your API key with `vibecheck login`.',
-      upgradeUrl: 'https://vibecheckai.dev'
+      hasAccess: FREE_TOOLS.includes(toolName),
+      tier: 'free',
+      reason: FREE_TOOLS.includes(toolName)
+        ? 'Access granted (free tool)'
+        : 'This tool requires Pro. Set API key with `vibecheck login`.',
     };
   }
-  const currentTier = await getTierFromApiKey(apiKey);
+  const tier = await getTierFromApiKey(apiKey);
-  if (!currentTier) {
+  if (!tier) {
     return {
       hasAccess: false,
       tier: null,
-      reason: 'Invalid API key. Please check your API key or get a new one at https://vibecheckai.dev',
-      upgradeUrl: 'https://vibecheckai.dev'
+      reason: 'Invalid API key.',
     };
   }
-  const currentTierConfig = TIERS[currentTier];
-  // Check if tool is allowed for current tier
-  const allowedTools = [];
-  // Accumulate tools from current tier and all lower tiers
-  for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-    if (tierConfig.order <= currentTierConfig.order) {
-      if (tierConfig.mcpTools) {
-        if (tierConfig.mcpTools.includes('*')) {
-          // Compliance tier - all tools allowed
-          return {
-            hasAccess: true,
-            tier: currentTier,
-            reason: 'Full MCP access'
-          };
-        }
-        allowedTools.push(...tierConfig.mcpTools);
-      }
-    }
-  }
-  // Check if tool is in allowed list
-  const hasAccess = allowedTools.includes(toolName);
-  if (!hasAccess) {
-    // Find which tier has this tool
-    let requiredTier = null;
-    for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-      if (tierConfig.mcpTools?.includes(toolName) || tierConfig.mcpTools?.includes('*')) {
-        requiredTier = tierName;
-        break;
-      }
-    }
-    const requiredTierConfig = requiredTier ? TIERS[requiredTier] : null;
-    return {
-      hasAccess: false,
-      tier: currentTier,
-      requiredTier,
-      reason: requiredTierConfig
-        ? `${toolName} requires ${requiredTierConfig.name} tier ($${requiredTierConfig.price}/mo). Current: ${currentTierConfig.name}`
-        : `${toolName} is not available`,
-      upgradeUrl: 'https://vibecheckai.dev'
-    };
-  }
+  const hasAccess = canAccessTool(tier, toolName);
   return {
-    hasAccess: true,
-    tier: currentTier,
-    reason: 'Access granted'
+    hasAccess,
+    tier,
+    firewallMode: getFirewallMode(tier),
+    reason: hasAccess
+      ? 'Access granted'
+      : `${toolName} requires Pro ($69/mo). Upgrade at https://vibecheckai.dev/pricing`,
   };
 }
-/**
- * Middleware for MCP tool handlers with tool-specific checking
- */
-export function withMcpToolCheck(toolName, handler) {
+// ============================================================================
+// MIDDLEWARE
+// ============================================================================
+export function withTierCheck(toolName, handler) {
   return async (args) => {
     const access = await getMcpToolAccess(toolName, args?.apiKey);
@@ -609,77 +218,69 @@ export function withMcpToolCheck(toolName, handler) {
       return {
         content: [{
           type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nUpgrade at: ${access.upgradeUrl}`
+          text: `This tool requires Pro.\n\n${toolName} is a Pro feature.\n\nUpgrade to Pro ($69/mo) to unlock:\n- Authority System (verdicts & approvals)\n- Agent Conductor (multi-agent coordination)\n- Agent Firewall (enforce mode)\n\nhttps://vibecheckai.dev/pricing`
         }],
         isError: true
       };
     }
-    // Add tier info to args for the handler
     args._tier = access.tier;
+    args._firewallMode = access.firewallMode;
     return handler(args);
   };
 }
-/**
- * Get current user info
- */
+// ============================================================================
+// USER INFO
+// ============================================================================
+async function loadUserConfig() {
+  try {
+    const configPath = path.join(os.homedir(), '.vibecheck', 'credentials.json');
+    const data = await fs.readFile(configPath, 'utf-8');
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
 export async function getUserInfo() {
   const config = await loadUserConfig();
-  if (!config) {
+  if (!config?.apiKey) {
     return {
       authenticated: false,
       tier: 'free',
-      message: 'Not authenticated. Run: vibecheck auth --key YOUR_API_KEY'
+      tools: FREE_TOOLS,
+      firewallMode: 'observe',
     };
   }
-  const tier = getTierFromApiKey(config.apiKey);
-  const tierConfig = TIERS[tier];
-  // Get features available for this tier from CLI_FEATURE_TIERS
-  const availableFeatures = Object.entries(CLI_FEATURE_TIERS)
-    .filter(([, reqTier]) => TIERS[reqTier].order <= tierConfig.order)
-    .map(([feature]) => feature);
+  const tier = await getTierFromApiKey(config.apiKey);
   return {
     authenticated: true,
-    tier,
+    tier: tier || 'free',
     email: config.email,
-    authenticatedAt: config.authenticatedAt,
-    features: availableFeatures,
-    limits: tierConfig.limits,
-    mcpTools: tierConfig.mcpTools,
+    tools: tier === 'pro' ? ALL_TOOLS : FREE_TOOLS,
+    firewallMode: getFirewallMode(tier || 'free'),
   };
 }
-/**
- * Get list of MCP tools available for current tier
- */
-export async function getAvailableMcpTools(providedApiKey = null) {
-  const userConfig = await loadUserConfig();
-  const apiKey = providedApiKey || userConfig?.apiKey;
-  const currentTier = getTierFromApiKey(apiKey);
-  const currentTierConfig = TIERS[currentTier];
-  const allowedTools = new Set();
-  // Accumulate tools from current tier and all lower tiers
-  for (const [tierName, tierConfig] of Object.entries(TIERS)) {
-    if (tierConfig.order <= currentTierConfig.order) {
-      if (tierConfig.mcpTools) {
-        if (tierConfig.mcpTools.includes('*')) {
-          return { tier: currentTier, tools: ['*'], unlimited: true };
-        }
-        tierConfig.mcpTools.forEach(t => allowedTools.add(t));
-      }
-    }
-  }
+export async function getAvailableMcpTools(apiKey) {
+  const tier = apiKey ? await getTierFromApiKey(apiKey) : 'free';
   return {
-    tier: currentTier,
-    tools: Array.from(allowedTools),
-    unlimited: false
+    tier: tier || 'free',
+    tools: (tier === 'pro') ? ALL_TOOLS : FREE_TOOLS,
+    firewallMode: getFirewallMode(tier || 'free'),
   };
 }
+// Legacy exports for backward compatibility
+export async function getFeatureAccessStatus(featureName, apiKey) {
+  return getMcpToolAccess(featureName, apiKey);
+}
+export function withMcpToolCheck(toolName, handler) {
+  return withTierCheck(toolName, handler);
+}