npm - @vibecheckai/cli - Versions diffs - 3.5.0 → 3.5.1 - Mend

@vibecheckai/cli 3.5.0 → 3.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (326) hide show

package/bin/registry.js +174 -449
package/bin/runners/cli-utils.js +33 -2
package/bin/runners/context/generators/cursor.js +2 -49
package/bin/runners/context/generators/mcp.js +13 -15
package/bin/runners/context/proof-context.js +1 -248
package/bin/runners/lib/analysis-core.js +180 -198
package/bin/runners/lib/analyzers.js +241 -2212
package/bin/runners/lib/cli-output.js +210 -242
package/bin/runners/lib/detectors-v2.js +785 -547
package/bin/runners/lib/entitlements-v2.js +431 -161
package/bin/runners/lib/error-handler.js +9 -16
package/bin/runners/lib/global-flags.js +0 -37
package/bin/runners/lib/html-proof-report.js +700 -350
package/bin/runners/lib/missions/plan.js +6 -46
package/bin/runners/lib/missions/templates.js +0 -232
package/bin/runners/lib/route-truth.js +322 -1167
package/bin/runners/lib/scan-output.js +467 -493
package/bin/runners/lib/ship-output.js +27 -280
package/bin/runners/lib/terminal-ui.js +700 -310
package/bin/runners/lib/truth.js +321 -1004
package/bin/runners/lib/unified-output.js +158 -162
package/bin/runners/lib/upsell.js +204 -104
package/bin/runners/runAIAgent.js +10 -5
package/bin/runners/runAllowlist.js +324 -0
package/bin/runners/runAuth.js +94 -344
package/bin/runners/runCheckpoint.js +45 -43
package/bin/runners/runContext.js +24 -139
package/bin/runners/runDoctor.js +101 -136
package/bin/runners/runEvidencePack.js +219 -0
package/bin/runners/runFix.js +71 -82
package/bin/runners/runGuard.js +119 -606
package/bin/runners/runInit.js +60 -22
package/bin/runners/runInstall.js +281 -0
package/bin/runners/runLabs.js +341 -0
package/bin/runners/runMcp.js +62 -139
package/bin/runners/runPolish.js +83 -282
package/bin/runners/runPromptFirewall.js +12 -5
package/bin/runners/runProve.js +58 -33
package/bin/runners/runReality.js +58 -81
package/bin/runners/runReport.js +7 -34
package/bin/runners/runRuntime.js +8 -5
package/bin/runners/runScan.js +844 -219
package/bin/runners/runShip.js +59 -721
package/bin/runners/runValidate.js +11 -24
package/bin/runners/runWatch.js +76 -131
package/bin/vibecheck.js +69 -295
package/mcp-server/ARCHITECTURE.md +339 -0
package/mcp-server/__tests__/cache.test.ts +313 -0
package/mcp-server/__tests__/executor.test.ts +239 -0
package/mcp-server/__tests__/fixtures/exclusion-test/.cache/webpack/cache.pack +1 -0
package/mcp-server/__tests__/fixtures/exclusion-test/.next/server/chunk.js +3 -0
package/mcp-server/__tests__/fixtures/exclusion-test/.turbo/cache.json +3 -0
package/mcp-server/__tests__/fixtures/exclusion-test/.venv/lib/env.py +3 -0
package/mcp-server/__tests__/fixtures/exclusion-test/dist/bundle.js +3 -0
package/mcp-server/__tests__/fixtures/exclusion-test/package.json +5 -0
package/mcp-server/__tests__/fixtures/exclusion-test/src/app.ts +5 -0
package/mcp-server/__tests__/fixtures/exclusion-test/venv/lib/config.py +4 -0
package/mcp-server/__tests__/ids.test.ts +345 -0
package/mcp-server/__tests__/integration/tools.test.ts +410 -0
package/mcp-server/__tests__/registry.test.ts +365 -0
package/mcp-server/__tests__/sandbox.test.ts +323 -0
package/mcp-server/__tests__/schemas.test.ts +372 -0
package/mcp-server/benchmarks/run-benchmarks.ts +304 -0
package/mcp-server/examples/doctor.request.json +14 -0
package/mcp-server/examples/doctor.response.json +53 -0
package/mcp-server/examples/error.response.json +15 -0
package/mcp-server/examples/scan.request.json +14 -0
package/mcp-server/examples/scan.response.json +108 -0
package/mcp-server/handlers/tool-handler.ts +671 -0
package/mcp-server/index-v1.js +698 -0
package/mcp-server/index-v3.ts +293 -0
package/mcp-server/index.js +1080 -1757
package/mcp-server/index.old.js +4137 -0
package/mcp-server/lib/cache.ts +341 -0
package/mcp-server/lib/errors.ts +346 -0
package/mcp-server/lib/executor.ts +792 -0
package/mcp-server/lib/ids.ts +238 -0
package/mcp-server/lib/logger.ts +368 -0
package/mcp-server/lib/metrics.ts +365 -0
package/mcp-server/lib/sandbox.ts +337 -0
package/mcp-server/lib/validator.ts +229 -0
package/mcp-server/package-lock.json +165 -0
package/mcp-server/package.json +32 -7
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/registry/tools.json +476 -0
package/mcp-server/schemas/error-envelope.schema.json +125 -0
package/mcp-server/schemas/finding.schema.json +167 -0
package/mcp-server/schemas/report-artifact.schema.json +88 -0
package/mcp-server/schemas/run-request.schema.json +75 -0
package/mcp-server/schemas/verdict.schema.json +168 -0
package/mcp-server/tier-auth.d.ts +71 -0
package/mcp-server/tier-auth.js +371 -183
package/mcp-server/truth-context.js +90 -131
package/mcp-server/truth-firewall-tools.js +1000 -1611
package/mcp-server/tsconfig.json +34 -0
package/mcp-server/vibecheck-tools.js +2 -2
package/mcp-server/vitest.config.ts +16 -0
package/package.json +3 -4
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +0 -474
package/bin/runners/lib/agent-firewall/change-packet/builder.js +0 -488
package/bin/runners/lib/agent-firewall/change-packet/schema.json +0 -228
package/bin/runners/lib/agent-firewall/change-packet/store.js +0 -200
package/bin/runners/lib/agent-firewall/claims/claim-types.js +0 -21
package/bin/runners/lib/agent-firewall/claims/extractor.js +0 -303
package/bin/runners/lib/agent-firewall/claims/patterns.js +0 -24
package/bin/runners/lib/agent-firewall/critic/index.js +0 -151
package/bin/runners/lib/agent-firewall/critic/judge.js +0 -432
package/bin/runners/lib/agent-firewall/critic/prompts.js +0 -305
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +0 -88
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +0 -75
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +0 -127
package/bin/runners/lib/agent-firewall/evidence/resolver.js +0 -102
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +0 -213
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +0 -145
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +0 -19
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +0 -87
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +0 -184
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +0 -163
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +0 -107
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +0 -68
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +0 -66
package/bin/runners/lib/agent-firewall/interceptor/base.js +0 -304
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +0 -35
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +0 -35
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +0 -34
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +0 -465
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +0 -604
package/bin/runners/lib/agent-firewall/lawbook/index.js +0 -304
package/bin/runners/lib/agent-firewall/lawbook/registry.js +0 -514
package/bin/runners/lib/agent-firewall/lawbook/schema.js +0 -420
package/bin/runners/lib/agent-firewall/learning/learning-engine.js +0 -849
package/bin/runners/lib/agent-firewall/logger.js +0 -141
package/bin/runners/lib/agent-firewall/policy/default-policy.json +0 -90
package/bin/runners/lib/agent-firewall/policy/engine.js +0 -103
package/bin/runners/lib/agent-firewall/policy/loader.js +0 -451
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +0 -50
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +0 -50
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +0 -86
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +0 -162
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +0 -189
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +0 -93
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +0 -57
package/bin/runners/lib/agent-firewall/policy/schema.json +0 -183
package/bin/runners/lib/agent-firewall/policy/verdict.js +0 -54
package/bin/runners/lib/agent-firewall/proposal/extractor.js +0 -394
package/bin/runners/lib/agent-firewall/proposal/index.js +0 -212
package/bin/runners/lib/agent-firewall/proposal/schema.js +0 -251
package/bin/runners/lib/agent-firewall/proposal/validator.js +0 -386
package/bin/runners/lib/agent-firewall/reality/index.js +0 -332
package/bin/runners/lib/agent-firewall/reality/state.js +0 -625
package/bin/runners/lib/agent-firewall/reality/watcher.js +0 -322
package/bin/runners/lib/agent-firewall/risk/index.js +0 -173
package/bin/runners/lib/agent-firewall/risk/scorer.js +0 -328
package/bin/runners/lib/agent-firewall/risk/thresholds.js +0 -321
package/bin/runners/lib/agent-firewall/risk/vectors.js +0 -421
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +0 -472
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +0 -346
package/bin/runners/lib/agent-firewall/simulator/index.js +0 -181
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +0 -380
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +0 -661
package/bin/runners/lib/agent-firewall/time-machine/index.js +0 -267
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +0 -436
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +0 -490
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +0 -530
package/bin/runners/lib/agent-firewall/truthpack/index.js +0 -67
package/bin/runners/lib/agent-firewall/truthpack/loader.js +0 -137
package/bin/runners/lib/agent-firewall/unblock/planner.js +0 -337
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +0 -118
package/bin/runners/lib/api-client.js +0 -269
package/bin/runners/lib/audit-logger.js +0 -532
package/bin/runners/lib/authority/authorities/architecture.js +0 -364
package/bin/runners/lib/authority/authorities/compliance.js +0 -341
package/bin/runners/lib/authority/authorities/human.js +0 -343
package/bin/runners/lib/authority/authorities/quality.js +0 -420
package/bin/runners/lib/authority/authorities/security.js +0 -228
package/bin/runners/lib/authority/index.js +0 -293
package/bin/runners/lib/authority-badge.js +0 -425
package/bin/runners/lib/bundle/bundle-intelligence.js +0 -846
package/bin/runners/lib/cli-charts.js +0 -368
package/bin/runners/lib/cli-config-display.js +0 -405
package/bin/runners/lib/cli-demo.js +0 -275
package/bin/runners/lib/cli-errors.js +0 -438
package/bin/runners/lib/cli-help-formatter.js +0 -439
package/bin/runners/lib/cli-interactive-menu.js +0 -509
package/bin/runners/lib/cli-prompts.js +0 -441
package/bin/runners/lib/cli-scan-cards.js +0 -362
package/bin/runners/lib/compliance-reporter.js +0 -710
package/bin/runners/lib/conductor/index.js +0 -671
package/bin/runners/lib/easy/README.md +0 -123
package/bin/runners/lib/easy/index.js +0 -140
package/bin/runners/lib/easy/interactive-wizard.js +0 -788
package/bin/runners/lib/easy/one-click-firewall.js +0 -564
package/bin/runners/lib/easy/zero-config-reality.js +0 -714
package/bin/runners/lib/engines/accessibility-engine.js +0 -390
package/bin/runners/lib/engines/api-consistency-engine.js +0 -467
package/bin/runners/lib/engines/ast-cache.js +0 -99
package/bin/runners/lib/engines/async-patterns-engine.js +0 -444
package/bin/runners/lib/engines/bundle-size-engine.js +0 -433
package/bin/runners/lib/engines/code-quality-engine.js +0 -255
package/bin/runners/lib/engines/confidence-scoring.js +0 -276
package/bin/runners/lib/engines/console-logs-engine.js +0 -115
package/bin/runners/lib/engines/context-detection.js +0 -264
package/bin/runners/lib/engines/cross-file-analysis-engine.js +0 -533
package/bin/runners/lib/engines/database-patterns-engine.js +0 -429
package/bin/runners/lib/engines/dead-code-engine.js +0 -198
package/bin/runners/lib/engines/deprecated-api-engine.js +0 -226
package/bin/runners/lib/engines/duplicate-code-engine.js +0 -354
package/bin/runners/lib/engines/empty-catch-engine.js +0 -260
package/bin/runners/lib/engines/env-variables-engine.js +0 -458
package/bin/runners/lib/engines/error-handling-engine.js +0 -437
package/bin/runners/lib/engines/false-positive-prevention.js +0 -630
package/bin/runners/lib/engines/file-filter.js +0 -131
package/bin/runners/lib/engines/framework-adapters/index.js +0 -607
package/bin/runners/lib/engines/framework-detection.js +0 -508
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +0 -251
package/bin/runners/lib/engines/import-order-engine.js +0 -429
package/bin/runners/lib/engines/mock-data-engine.js +0 -315
package/bin/runners/lib/engines/naming-conventions-engine.js +0 -544
package/bin/runners/lib/engines/noise-reduction-engine.js +0 -452
package/bin/runners/lib/engines/orchestrator.js +0 -334
package/bin/runners/lib/engines/parallel-processor.js +0 -71
package/bin/runners/lib/engines/performance-issues-engine.js +0 -405
package/bin/runners/lib/engines/react-patterns-engine.js +0 -457
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +0 -571
package/bin/runners/lib/engines/todo-fixme-engine.js +0 -115
package/bin/runners/lib/engines/type-aware-engine.js +0 -376
package/bin/runners/lib/engines/unsafe-regex-engine.js +0 -225
package/bin/runners/lib/engines/vibecheck-engines/README.md +0 -53
package/bin/runners/lib/engines/vibecheck-engines/index.js +0 -124
package/bin/runners/lib/engines/vibecheck-engines/lib/ai-hallucination-engine.js +0 -806
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +0 -439
package/bin/runners/lib/engines/vibecheck-engines/lib/smart-fix-engine.js +0 -577
package/bin/runners/lib/engines/vibecheck-engines/lib/vibe-score-engine.js +0 -543
package/bin/runners/lib/engines/vibecheck-engines/package.json +0 -13
package/bin/runners/lib/engines/vibecheck-engines.js +0 -514
package/bin/runners/lib/enhanced-features/index.js +0 -305
package/bin/runners/lib/enhanced-output.js +0 -631
package/bin/runners/lib/enterprise.js +0 -300
package/bin/runners/lib/exit-codes.js +0 -275
package/bin/runners/lib/fingerprint.js +0 -377
package/bin/runners/lib/firewall/command-validator.js +0 -351
package/bin/runners/lib/firewall/config.js +0 -341
package/bin/runners/lib/firewall/content-validator.js +0 -519
package/bin/runners/lib/firewall/index.js +0 -101
package/bin/runners/lib/firewall/path-validator.js +0 -256
package/bin/runners/lib/help-formatter.js +0 -413
package/bin/runners/lib/intelligence/cross-repo-intelligence.js +0 -817
package/bin/runners/lib/logger.js +0 -38
package/bin/runners/lib/mcp-utils.js +0 -425
package/bin/runners/lib/output/index.js +0 -1022
package/bin/runners/lib/policy-engine.js +0 -652
package/bin/runners/lib/polish/autofix/accessibility-fixes.js +0 -333
package/bin/runners/lib/polish/autofix/async-handlers.js +0 -273
package/bin/runners/lib/polish/autofix/dead-code.js +0 -280
package/bin/runners/lib/polish/autofix/imports-optimizer.js +0 -344
package/bin/runners/lib/polish/autofix/index.js +0 -200
package/bin/runners/lib/polish/autofix/remove-consoles.js +0 -209
package/bin/runners/lib/polish/autofix/strengthen-types.js +0 -245
package/bin/runners/lib/polish/backend-checks.js +0 -148
package/bin/runners/lib/polish/documentation-checks.js +0 -111
package/bin/runners/lib/polish/frontend-checks.js +0 -168
package/bin/runners/lib/polish/index.js +0 -71
package/bin/runners/lib/polish/infrastructure-checks.js +0 -131
package/bin/runners/lib/polish/library-detection.js +0 -175
package/bin/runners/lib/polish/performance-checks.js +0 -100
package/bin/runners/lib/polish/security-checks.js +0 -148
package/bin/runners/lib/polish/utils.js +0 -203
package/bin/runners/lib/prompt-builder.js +0 -540
package/bin/runners/lib/proof-certificate.js +0 -634
package/bin/runners/lib/reality/accessibility-audit.js +0 -946
package/bin/runners/lib/reality/api-contract-validator.js +0 -1012
package/bin/runners/lib/reality/chaos-engineering.js +0 -1084
package/bin/runners/lib/reality/performance-tracker.js +0 -1077
package/bin/runners/lib/reality/scenario-generator.js +0 -1404
package/bin/runners/lib/reality/visual-regression.js +0 -852
package/bin/runners/lib/reality-profiler.js +0 -717
package/bin/runners/lib/replay/flight-recorder-viewer.js +0 -1160
package/bin/runners/lib/review/ai-code-review.js +0 -832
package/bin/runners/lib/rules/custom-rule-engine.js +0 -985
package/bin/runners/lib/sbom-generator.js +0 -641
package/bin/runners/lib/scan-output-enhanced.js +0 -512
package/bin/runners/lib/security/owasp-scanner.js +0 -939
package/bin/runners/lib/ship-output-enterprise.js +0 -239
package/bin/runners/lib/unified-cli-output.js +0 -777
package/bin/runners/lib/validators/contract-validator.js +0 -283
package/bin/runners/lib/validators/dead-export-detector.js +0 -279
package/bin/runners/lib/validators/dep-audit.js +0 -245
package/bin/runners/lib/validators/env-validator.js +0 -319
package/bin/runners/lib/validators/index.js +0 -120
package/bin/runners/lib/validators/license-checker.js +0 -252
package/bin/runners/lib/validators/route-validator.js +0 -290
package/bin/runners/runAgent.d.ts +0 -5
package/bin/runners/runAgent.js +0 -164
package/bin/runners/runApprove.js +0 -1233
package/bin/runners/runAuthority.js +0 -528
package/bin/runners/runClassify.js +0 -862
package/bin/runners/runConductor.js +0 -772
package/bin/runners/runContainer.js +0 -366
package/bin/runners/runContext.d.ts +0 -4
package/bin/runners/runEasy.js +0 -410
package/bin/runners/runFirewall.d.ts +0 -5
package/bin/runners/runFirewall.js +0 -137
package/bin/runners/runFirewallHook.d.ts +0 -5
package/bin/runners/runFirewallHook.js +0 -59
package/bin/runners/runIaC.js +0 -372
package/bin/runners/runPolish.d.ts +0 -4
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runTruth.d.ts +0 -5
package/bin/runners/runTruth.js +0 -104
package/bin/runners/runVibe.js +0 -791
package/mcp-server/HARDENING_SUMMARY.md +0 -299
package/mcp-server/agent-firewall-interceptor.js +0 -500
package/mcp-server/authority-tools.js +0 -569
package/mcp-server/conductor/conflict-resolver.js +0 -588
package/mcp-server/conductor/execution-planner.js +0 -544
package/mcp-server/conductor/index.js +0 -377
package/mcp-server/conductor/lock-manager.js +0 -615
package/mcp-server/conductor/request-queue.js +0 -550
package/mcp-server/conductor/session-manager.js +0 -500
package/mcp-server/conductor/tools.js +0 -510
package/mcp-server/lib/api-client.cjs +0 -13
package/mcp-server/lib/logger.cjs +0 -30
package/mcp-server/logger.js +0 -173
package/mcp-server/tools-v3.js +0 -1039
package/mcp-server/tools.js +0 -495
package/mcp-server/vibecheck-mcp-server-3.2.0.tgz +0 -0

package/bin/runners/runGuard.js CHANGED Viewed

@@ -1,487 +1,73 @@
 /**
- * vibecheck guard - Agent Firewall System
+ * vibecheck guard - Unified trust boundary enforcement
  *
- * ═══════════════════════════════════════════════════════════════════════════════
- * Monitors and blocks AI agent actions based on policy
- * ═══════════════════════════════════════════════════════════════════════════════
+ * Combines: validate + claim-verifier + prompt-firewall
  *
- * Modes:
- * - observe (FREE): Logs violations but doesn't block
- * - enforce (PRO): Blocks AI writes that violate policy
- *
- * What It Guards Against:
- * - Forbidden paths (secrets, .env, config files)
- * - Scope violations (writing outside allowed directories)
- * - Dangerous commands (rm -rf, curl | bash)
- * - Hallucination patterns (fake APIs, placeholder data)
- * - Policy violations (custom rules)
+ * Usage:
+ *   vibecheck guard                    # Run all checks
+ *   vibecheck guard --claims           # Verify AI claims against truthpack
+ *   vibecheck guard --prompts          # Check for prompt injection
+ *   vibecheck guard --hallucinations   # Detect AI hallucination patterns
  */
 const path = require("path");
 const fs = require("fs");
-const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = require("./lib/global-flags");
-const { EXIT } = require("./lib/exit-codes");
-const { tierHasFeature, getCurrentTier } = require("./lib/entitlements-v2");
-const {
-  ansi,
-  sym,
-  renderMinimalHeader,
-  renderSectionHeader,
-  renderVerdict,
-  renderSuccess,
-  renderError,
-  renderWarning,
-  renderInfo,
-  renderFooter,
-  Spinner,
-  getTierFromKey,
-} = require("./lib/unified-cli-output");
-// Unified Output System
-const { output } = require("./lib/output/index.js");
-// Import firewall components
-const {
-  loadFirewallConfig,
-  PathValidator,
-  CommandValidator,
-  ContentValidator,
-  createFirewall,
-  initFirewallConfig,
-} = require("./lib/firewall");
-// Import underlying implementations for legacy support
-let runValidate, runPromptFirewall;
-try {
-  runValidate = require("./runValidate").runValidate;
-} catch {
-  runValidate = null;
-}
-try {
-  runPromptFirewall = require("./runPromptFirewall").runPromptFirewall;
-} catch {
-  runPromptFirewall = null;
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// HELP OUTPUT
-// ═══════════════════════════════════════════════════════════════════════════════
+// Import underlying implementations
+const { runValidate } = require("./runValidate");
+const { runPromptFirewall } = require("./runPromptFirewall");
+// ANSI colors
+const c = {
+  reset: "\x1b[0m",
+  dim: "\x1b[2m",
+  bold: "\x1b[1m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  red: "\x1b[31m",
+  magenta: "\x1b[35m",
+};
 function printHelp() {
   console.log(`
-  ${ansi.bold}USAGE${ansi.reset}
-    ${ansi.cyan}vibecheck guard${ansi.reset} [options]
-  ${ansi.dim}Aliases: ai-guard, firewall, validate${ansi.reset}
-  Agent Firewall - Monitor and block AI agent actions based on policy.
-  Protects against unauthorized file writes, dangerous commands, and
-  hallucination patterns.
-  ${ansi.bold}MODES${ansi.reset}
-    ${ansi.cyan}--mode observe${ansi.reset}    Log violations but don't block ${ansi.green}(FREE)${ansi.reset}
-    ${ansi.cyan}--mode enforce${ansi.reset}    Block AI writes that violate policy ${ansi.yellow}(PRO)${ansi.reset}
-  ${ansi.bold}ACTIONS${ansi.reset}
-    ${ansi.cyan}--action write${ansi.reset}    Validate file write operation
-    ${ansi.cyan}--action delete${ansi.reset}   Validate file delete operation
-    ${ansi.cyan}--action execute${ansi.reset}  Validate command execution
-  ${ansi.bold}OPTIONS${ansi.reset}
-    ${ansi.cyan}--path <path>${ansi.reset}     File path to validate
-    ${ansi.cyan}--content <str>${ansi.reset}   Content to validate (or use stdin)
-    ${ansi.cyan}--command <cmd>${ansi.reset}   Shell command to validate
-    ${ansi.cyan}--config <path>${ansi.reset}   Path to firewall config (default: .vibecheck/firewall.json)
-  ${ansi.bold}LEGACY CHECK MODES${ansi.reset}
-    ${ansi.cyan}--claims${ansi.reset}           Verify AI claims against truthpack
-    ${ansi.cyan}--prompts${ansi.reset}          Check code for prompt injection
-    ${ansi.cyan}--hallucinations${ansi.reset}   Detect AI hallucination patterns
-    ${ansi.dim}(default: run all checks)${ansi.reset}
-  ${ansi.bold}OTHER OPTIONS${ansi.reset}
-    ${ansi.cyan}--init${ansi.reset}             Initialize firewall configuration
-    ${ansi.cyan}--strict${ansi.reset}           Fail on warnings (default: fail on errors only)
-    ${ansi.cyan}--json${ansi.reset}             Output as JSON (CI integration)
-    ${ansi.cyan}--quiet, -q${ansi.reset}        Suppress non-essential output
-    ${ansi.cyan}--help, -h${ansi.reset}         Show this help
-  ${ansi.bold}EXAMPLES${ansi.reset}
-    ${ansi.dim}# Initialize firewall configuration${ansi.reset}
-    vibecheck guard --init
-    ${ansi.dim}# Check if path is allowed (observe mode)${ansi.reset}
-    vibecheck guard --mode observe --action write --path .env
-    ${ansi.dim}# Block write to sensitive file (enforce mode, PRO)${ansi.reset}
-    vibecheck guard --mode enforce --action write --path .env
-    ${ansi.dim}# Validate command before execution${ansi.reset}
-    vibecheck guard --action execute --command "rm -rf /"
-    ${ansi.dim}# Validate content for hallucinations${ansi.reset}
-    echo "fetch('https://example.com/api')" | vibecheck guard --action write --path api.js
-    ${ansi.dim}# CI pipeline (strict, JSON output)${ansi.reset}
-    vibecheck guard --strict --json
-  ${ansi.bold}EXIT CODES${ansi.reset}
-    0  Action allowed / checks passed
-    1  Warnings found (non-blocking)
-    2  Action blocked / errors found
-    3  Pro feature required
-  ${ansi.bold}CONFIGURATION${ansi.reset}
-    Configure via ${ansi.cyan}.vibecheck/firewall.json${ansi.reset}:
-    {
-      "mode": "observe",
-      "paths": {
-        "forbidden": [".env", "secrets/**"],
-        "allowed": ["src/**", "lib/**"]
-      },
-      "commands": {
-        "blocked": ["rm -rf /", "curl | bash"]
-      }
-    }
-  ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
-  ${ansi.dim}Documentation: https://docs.vibecheckai.dev/cli/guard${ansi.reset}
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+  ${c.bold}vibecheck guard${c.reset} - Trust boundary enforcement for AI outputs
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+${c.green}USAGE${c.reset}
+  vibecheck guard [options]
+${c.yellow}OPTIONS${c.reset}
+  --claims           Verify AI claims against truthpack (route_exists, auth_enforced, etc.)
+  --prompts          Check code for prompt injection vulnerabilities
+  --hallucinations   Detect AI hallucination patterns in generated code
+  --file <path>      Check specific file(s)
+  --json             Output JSON for CI integration
+  --strict           Fail on warnings (default: fail on errors only)
+${c.magenta}EXAMPLES${c.reset}
+  vibecheck guard                           # Run all checks
+  vibecheck guard --claims --file api.ts    # Verify claims in specific file
+  vibecheck guard --prompts                 # Prompt injection scan
+  vibecheck guard --json                    # CI-friendly output
+${c.dim}This command unifies trust boundary checks for AI-generated code.${c.reset}
 `);
 }
-// ═══════════════════════════════════════════════════════════════════════════════
-// MAIN GUARD FUNCTION - New Firewall Mode
-// ═══════════════════════════════════════════════════════════════════════════════
-/**
- * Run the firewall validation
- * @param {object} options - Validation options
- * @returns {object} Validation result
- */
-async function runFirewallCheck(options) {
-  const { mode = "observe", action, path: filePath, content, command, configPath } = options;
-  // Enforce mode requires PRO
-  if (mode === "enforce") {
-    const tier = await getCurrentTier();
-    if (!tierHasFeature(tier, "firewall.enforce")) {
-      return {
-        allowed: true,
-        reason: "free-tier-passthrough",
-        message: "Enforce mode requires VibeCheck Pro. Running in observe mode.",
-        tier,
-      };
-    }
-  }
-  // Load configuration
-  const config = loadFirewallConfig(configPath || ".vibecheck/firewall.json");
-  // Create validators
-  const pathValidator = new PathValidator(config);
-  const commandValidator = new CommandValidator(config);
-  const contentValidator = new ContentValidator(config);
-  const violations = [];
-  const warnings = [];
-  // Validate path
-  if (filePath && (action === "write" || action === "delete" || !action)) {
-    const pathResult = pathValidator.validate({ action: action || "write", path: filePath });
-    if (!pathResult.valid) {
-      violations.push({
-        type: "path",
-        ...pathResult,
-      });
-    }
-  }
-  // Validate command
-  if (command && (action === "execute" || !action)) {
-    const cmdResult = commandValidator.validate({ command });
-    if (!cmdResult.valid) {
-      violations.push({
-        type: "command",
-        ...cmdResult,
-      });
-    } else if (cmdResult.requiresConfirmation) {
-      warnings.push({
-        type: "command",
-        ...cmdResult,
-      });
-    }
-  }
-  // Validate content
-  if (content && (action === "write" || !action)) {
-    const contentResult = contentValidator.validate({ content, path: filePath });
-    if (!contentResult.valid) {
-      violations.push({
-        type: "content",
-        ...contentResult,
-      });
-    } else if (contentResult.hasWarnings) {
-      warnings.push(...contentResult.warnings.map(w => ({
-        type: "content",
-        ...w,
-      })));
-    }
-  }
-  const hasViolations = violations.length > 0;
-  // Determine if action is allowed based on mode
-  let allowed;
-  if (mode === "enforce") {
-    allowed = !hasViolations;
-  } else {
-    // Observe mode: always allow, but log violations
-    allowed = true;
-  }
-  return {
-    allowed,
-    mode,
-    violations,
-    warnings,
-    violationCount: violations.length,
-    warningCount: warnings.length,
-  };
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// MAIN ENTRY POINT
-// ═══════════════════════════════════════════════════════════════════════════════
 async function runGuard(args = []) {
-  const { flags: globalFlags } = parseGlobalFlags(args);
-  const quiet = shouldSuppressOutput(globalFlags);
-  const json = isJsonMode(globalFlags) || args.includes("--json");
-  const startTime = Date.now();
   // Parse arguments
-  if (globalFlags.help || args.includes("--help") || args.includes("-h")) {
+  if (args.includes("--help") || args.includes("-h")) {
     printHelp();
-    return EXIT.SUCCESS;
-  }
-  // Check for --init flag
-  if (args.includes("--init")) {
-    try {
-      const configPath = initFirewallConfig(process.cwd());
-      if (!quiet && !json) {
-        renderSuccess(`Firewall configuration created at ${configPath}`);
-        renderInfo("Edit .vibecheck/firewall.json to customize rules");
-      }
-      if (json) {
-        console.log(JSON.stringify({ success: true, configPath }));
-      }
-      return EXIT.SUCCESS;
-    } catch (error) {
-      if (json) {
-        console.log(JSON.stringify({ success: false, error: error.message }));
-      } else {
-        renderError(`Failed to initialize firewall: ${error.message}`);
-      }
-      return EXIT.INTERNAL_ERROR;
-    }
-  }
-  // Detect if using new firewall mode (--action, --path, --content, --command)
-  const hasAction = args.includes("--action");
-  const hasPath = args.includes("--path");
-  const hasContent = args.includes("--content");
-  const hasCommand = args.includes("--command");
-  const hasMode = args.includes("--mode");
-  const isFirewallMode = hasAction || hasPath || hasContent || hasCommand || hasMode;
-  if (isFirewallMode) {
-    // New firewall validation mode
-    return await runFirewallValidation(args, { quiet, json, startTime });
-  } else {
-    // Legacy guard mode (claims, prompts, hallucinations)
-    return await runLegacyGuard(args, { quiet, json, startTime, globalFlags });
-  }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// FIREWALL VALIDATION MODE
-// ═══════════════════════════════════════════════════════════════════════════════
-async function runFirewallValidation(args, { quiet, json, startTime }) {
-  // Parse firewall-specific options
-  const modeIndex = args.indexOf("--mode");
-  const mode = modeIndex !== -1 ? args[modeIndex + 1] : "observe";
-  const actionIndex = args.indexOf("--action");
-  const action = actionIndex !== -1 ? args[actionIndex + 1] : null;
-  const pathIndex = args.indexOf("--path");
-  const filePath = pathIndex !== -1 ? args[pathIndex + 1] : null;
-  const contentIndex = args.indexOf("--content");
-  let content = contentIndex !== -1 ? args[contentIndex + 1] : null;
-  const commandIndex = args.indexOf("--command");
-  const command = commandIndex !== -1 ? args[commandIndex + 1] : null;
-  const configIndex = args.indexOf("--config");
-  const configPath = configIndex !== -1 ? args[configIndex + 1] : null;
-  // Read content from stdin if not provided
-  if (!content && !process.stdin.isTTY) {
-    content = await readStdin();
-  }
-  // Validate mode
-  if (mode && !["observe", "enforce"].includes(mode)) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: `Invalid mode: ${mode}` }));
-    } else {
-      renderError(`Invalid mode: ${mode}. Must be 'observe' or 'enforce'`);
-    }
-    return EXIT.USER_ERROR;
+    return 0;
   }
-  // Validate action
-  if (action && !["write", "delete", "execute"].includes(action)) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: `Invalid action: ${action}` }));
-    } else {
-      renderError(`Invalid action: ${action}. Must be 'write', 'delete', or 'execute'`);
-    }
-    return EXIT.USER_ERROR;
-  }
-  try {
-    if (!quiet && !json) {
-      renderMinimalHeader("guard", "starter");
-      renderSectionHeader(`Agent Firewall (${mode} mode)`, sym.shield);
-    }
-    // Run firewall check
-    const result = await runFirewallCheck({
-      mode,
-      action,
-      path: filePath,
-      content,
-      command,
-      configPath,
-    });
-    const duration = Date.now() - startTime;
-    // Output results
-    if (json) {
-      console.log(JSON.stringify({
-        ...result,
-        duration,
-        success: result.allowed,
-      }, null, 2));
-    } else if (!quiet) {
-      // Display violations
-      for (const violation of result.violations) {
-        console.log();
-        renderError(`${sym.cross} ${violation.rule}: ${violation.message}`);
-        if (violation.details) {
-          console.log(`   ${ansi.dim}Path: ${violation.details.path || violation.details.command || "N/A"}${ansi.reset}`);
-          if (violation.details.suggestion) {
-            console.log(`   ${ansi.cyan}Suggestion: ${violation.details.suggestion}${ansi.reset}`);
-          }
-        }
-      }
-      // Display warnings
-      for (const warning of result.warnings) {
-        console.log();
-        renderWarning(`${sym.warn} ${warning.rule || warning.type}: ${warning.message}`);
-      }
-      console.log();
-      if (result.allowed) {
-        if (result.violations.length > 0 && mode === "observe") {
-          renderVerdict("WARN", {
-            warnings: result.violationCount,
-            duration,
-            message: `${result.violationCount} violation(s) logged (observe mode - not blocking)`,
-          });
-        } else {
-          renderVerdict("PASS", {
-            warnings: result.warningCount,
-            duration,
-          });
-        }
-      } else {
-        renderVerdict("BLOCK", {
-          critical: result.violationCount,
-          duration,
-          message: `Action blocked: ${result.violations[0]?.message}`,
-        });
-      }
-      renderFooter({
-        nextSteps: result.allowed ? [
-          { cmd: "vibecheck scan", desc: "run full code analysis" },
-        ] : [
-          { cmd: "vibecheck guard --mode observe", desc: "run in observe mode" },
-          { cmd: "Edit .vibecheck/firewall.json", desc: "customize firewall rules" },
-        ],
-        docsUrl: "https://docs.vibecheckai.dev/cli/guard",
-      });
-    }
-    // Return appropriate exit code
-    if (!result.allowed) {
-      return EXIT.BLOCKING;
-    }
-    if (result.violationCount > 0 || result.warningCount > 0) {
-      return EXIT.WARNINGS;
-    }
-    return EXIT.SUCCESS;
-  } catch (error) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: error.message }));
-    } else {
-      renderError(`Firewall check failed: ${error.message}`);
-    }
-    return EXIT.INTERNAL_ERROR;
-  }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// LEGACY GUARD MODE (Claims, Prompts, Hallucinations)
-// ═══════════════════════════════════════════════════════════════════════════════
-async function runLegacyGuard(args, { quiet, json, startTime, globalFlags }) {
   const runClaims = args.includes("--claims") || (!args.includes("--prompts") && !args.includes("--hallucinations"));
   const runPrompts = args.includes("--prompts") || (!args.includes("--claims") && !args.includes("--hallucinations"));
   const runHallucinations = args.includes("--hallucinations") || (!args.includes("--claims") && !args.includes("--prompts"));
+  const jsonOutput = args.includes("--json");
   const strict = args.includes("--strict");
-  // Validate --file if provided
-  const fileIndex = args.indexOf("--file");
-  if (fileIndex !== -1) {
-    const filePath = args[fileIndex + 1];
-    if (!filePath || filePath.startsWith("--")) {
-      if (json) {
-        console.log(JSON.stringify({ success: false, error: "--file requires a path argument" }));
-      } else {
-        renderError("--file requires a path argument");
-      }
-      return EXIT.USER_ERROR;
-    }
-    if (!fs.existsSync(filePath)) {
-      if (json) {
-        console.log(JSON.stringify({ success: false, error: `File not found: ${filePath}` }));
-      } else {
-        renderError(`File not found: ${filePath}`);
-      }
-      return EXIT.NOT_FOUND;
-    }
-  }
   const results = {
     claims: null,
@@ -492,164 +78,91 @@ async function runLegacyGuard(args, { quiet, json, startTime, globalFlags }) {
     warnings: 0,
   };
-  try {
-    if (!quiet && !json) {
-      renderMinimalHeader("guard", "starter");
-      renderSectionHeader("Trust Boundary Checks", sym.shield);
-    }
+  console.log(`
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+  ${c.bold}🛡️  VIBECHECK GUARD${c.reset} - Trust Boundary Enforcement
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+`);
-    // Run claims verification
-    if (runClaims) {
-      const spinner = !quiet && !json ? new Spinner("Verifying AI claims against truthpack").start() : null;
-      if (!runValidate) {
-        results.claims = { skipped: true, reason: "Validator module not available" };
-        spinner?.warn("Claims check skipped: module not available");
-      } else {
-        try {
-          const validateArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
-          const exitCode = await runValidate(validateArgs);
-          results.claims = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
-          if (exitCode !== 0) {
-            results.errors++;
-            results.verdict = "FAIL";
-            spinner?.fail("Claim verification failed");
-          } else {
-            spinner?.succeed("Claims verified");
-          }
-        } catch (e) {
-          results.claims = { error: e.message };
-          spinner?.warn(`Claims check failed: ${e.message}`);
-        }
+  // Run claims verification (validates AI claims against truthpack)
+  if (runClaims) {
+    console.log(`${c.dim}▸ Verifying AI claims against truthpack...${c.reset}`);
+    try {
+      const validateArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
+      const exitCode = await runValidate(validateArgs);
+      results.claims = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.errors++;
+        results.verdict = "FAIL";
       }
+      console.log(exitCode === 0
+        ? `  ${c.green}✓${c.reset} Claims verified`
+        : `  ${c.red}✗${c.reset} Claim verification failed`);
+    } catch (e) {
+      results.claims = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Claims check skipped: ${e.message}`);
     }
+  }
-    // Run prompt injection detection
-    if (runPrompts) {
-      const spinner = !quiet && !json ? new Spinner("Scanning for prompt injection vulnerabilities").start() : null;
-      if (!runPromptFirewall) {
-        results.prompts = { skipped: true, reason: "Firewall module not available" };
-        spinner?.warn("Prompt check skipped: module not available");
-      } else {
-        try {
-          const firewallArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
-          const exitCode = await runPromptFirewall(firewallArgs);
-          results.prompts = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
-          if (exitCode !== 0) {
-            results.warnings++;
-            if (strict) results.verdict = "FAIL";
-            spinner?.warn("Prompt injection risks detected");
-          } else {
-            spinner?.succeed("No prompt injection risks");
-          }
-        } catch (e) {
-          results.prompts = { error: e.message };
-          spinner?.warn(`Prompt check failed: ${e.message}`);
-        }
+  // Run prompt injection detection
+  if (runPrompts) {
+    console.log(`${c.dim}▸ Scanning for prompt injection vulnerabilities...${c.reset}`);
+    try {
+      const firewallArgs = args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a));
+      const exitCode = await runPromptFirewall(firewallArgs);
+      results.prompts = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.warnings++;
+        if (strict) results.verdict = "FAIL";
       }
+      console.log(exitCode === 0
+        ? `  ${c.green}✓${c.reset} No prompt injection risks`
+        : `  ${c.yellow}⚠${c.reset} Prompt injection risks detected`);
+    } catch (e) {
+      results.prompts = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Prompt check skipped: ${e.message}`);
     }
+  }
-    // Run hallucination detection
-    if (runHallucinations) {
-      const spinner = !quiet && !json ? new Spinner("Detecting hallucination patterns").start() : null;
-      if (!runValidate) {
-        results.hallucinations = { skipped: true, reason: "Validator module not available" };
-        spinner?.warn("Hallucination check skipped: module not available");
-      } else {
-        try {
-          const validateArgs = ["--hallucinations", ...args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a))];
-          const exitCode = await runValidate(validateArgs);
-          results.hallucinations = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
-          if (exitCode !== 0) {
-            results.warnings++;
-            if (strict) results.verdict = "FAIL";
-            spinner?.warn("Potential hallucinations detected");
-          } else {
-            spinner?.succeed("No hallucination patterns");
-          }
-        } catch (e) {
-          results.hallucinations = { error: e.message };
-          spinner?.warn(`Hallucination check failed: ${e.message}`);
-        }
+  // Run hallucination detection
+  if (runHallucinations) {
+    console.log(`${c.dim}▸ Detecting hallucination patterns...${c.reset}`);
+    // Use validate with hallucination focus
+    try {
+      const validateArgs = ["--hallucinations", ...args.filter(a => !["--claims", "--prompts", "--hallucinations"].includes(a))];
+      const exitCode = await runValidate(validateArgs);
+      results.hallucinations = { exitCode, status: exitCode === 0 ? "pass" : "fail" };
+      if (exitCode !== 0) {
+        results.warnings++;
+        if (strict) results.verdict = "FAIL";
       }
+      console.log(exitCode === 0
+        ? `  ${c.green}✓${c.reset} No hallucination patterns`
+        : `  ${c.yellow}⚠${c.reset} Potential hallucinations detected`);
+    } catch (e) {
+      results.hallucinations = { error: e.message };
+      console.log(`  ${c.yellow}⚠${c.reset} Hallucination check skipped: ${e.message}`);
     }
+  }
-    // Summary
-    const duration = Date.now() - startTime;
-    if (!quiet && !json) {
-      renderVerdict(results.verdict === "PASS" ? "PASS" : "FAIL", {
-        warnings: results.warnings,
-        critical: results.errors,
-        duration,
-      });
-      renderFooter({
-        nextSteps: results.verdict === "PASS" ? [
-          { cmd: "vibecheck scan", desc: "run full code analysis" },
-          { cmd: "vibecheck ship", desc: "get ship verdict" },
-        ] : [
-          { cmd: "vibecheck fix --plan-only", desc: "view fix recommendations" },
-        ],
-        docsUrl: "https://docs.vibecheckai.dev/cli/guard",
-      });
-    }
+  // Summary
+  console.log(`
+${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}`);
+  if (results.verdict === "PASS") {
+    console.log(`  ${c.green}${c.bold}✓ GUARD PASS${c.reset} - All trust boundaries intact`);
+  } else {
+    console.log(`  ${c.red}${c.bold}✗ GUARD FAIL${c.reset} - Trust boundary violations detected`);
+  }
-    if (json) {
-      console.log(JSON.stringify({ ...results, duration }, null, 2));
-    }
+  console.log(`${c.cyan}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${c.reset}
+`);
-    // Return appropriate exit code
-    if (results.verdict === "PASS") {
-      return EXIT.SUCCESS;
-    } else if (results.errors > 0) {
-      return EXIT.BLOCKING;
-    } else {
-      return EXIT.WARNINGS;
-    }
-  } catch (error) {
-    if (json) {
-      console.log(JSON.stringify({ success: false, error: error.message }));
-    } else {
-      renderError(`Guard check failed: ${error.message}`);
-    }
-    return EXIT.INTERNAL_ERROR;
+  if (jsonOutput) {
+    console.log(JSON.stringify(results, null, 2));
   }
-}
-// ═══════════════════════════════════════════════════════════════════════════════
-// UTILITY FUNCTIONS
-// ═══════════════════════════════════════════════════════════════════════════════
-/**
- * Read content from stdin
- * @returns {Promise<string>} Stdin content
- */
-function readStdin() {
-  return new Promise((resolve) => {
-    let data = "";
-    process.stdin.setEncoding("utf8");
-    process.stdin.on("readable", () => {
-      let chunk;
-      while ((chunk = process.stdin.read()) !== null) {
-        data += chunk;
-      }
-    });
-    process.stdin.on("end", () => {
-      resolve(data);
-    });
-    // Timeout after 100ms if no data
-    setTimeout(() => resolve(data), 100);
-  });
+  return results.verdict === "PASS" ? 0 : (results.errors > 0 ? 2 : 1);
 }
-// ═══════════════════════════════════════════════════════════════════════════════
-// EXPORTS
-// ═══════════════════════════════════════════════════════════════════════════════
-module.exports = {
-  runGuard,
-  runFirewallCheck,
-};
+module.exports = { runGuard };