@vibecheckai/cli 3.5.0 → 3.5.1

package/mcp-server/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * vibecheck MCP Server v2.1.0 - Hardened Production Build
+ * vibecheck MCP Server v2.0 - Clean Product Surface
  *
  * Curated Tools for AI Agents:
  *   vibecheck.ctx             - Build truthpack/context
@@ -15,16 +15,6 @@
  *   vibecheck.check_invariants - Invariant checks
  *
  * Everything else is parameters on these tools.
- * 
- * HARDENING FEATURES (v2.1.0):
- * - Input validation: URL, path, string, array, number sanitization
- * - Output sanitization: Redaction of secrets, truncation of large outputs
- * - Rate limiting: 120 calls/minute per server instance
- * - Path security: Traversal prevention, project root sandboxing
- * - Safe JSON parsing: Size limits, error handling
- * - Error handling: Consistent error codes, sanitized messages
- * - Resource safety: Bounded timeouts, memory limits
- * - Graceful degradation: Partial output on failures
  */
 
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -37,424 +27,14 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 
 import fs from "fs/promises";
-import fsSync from "fs";
 import path from "path";
 import { fileURLToPath } from "url";
-import { execFile } from "child_process";
-import { promisify } from "util";
-
-// Import API client for dashboard integration (optional - may use CommonJS)
-import { createRequire } from "module";
-const require = createRequire(import.meta.url);
-const { 
-  createScan, 
-  updateScanProgress, 
-  submitScanResults, 
-  reportScanError, 
-  isApiAvailable 
-} = require("./lib/api-client.cjs");
-
-const execFileAsync = promisify(execFile);
+import { execSync } from "child_process";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-// ============================================================================
-// CENTRALIZED CONFIGURATION
-// ============================================================================
-const CONFIG = {
-  VERSION: "2.2.0",
-  BIN_PATH: path.join(__dirname, "..", "bin", "vibecheck.js"),
-  OUTPUT_DIR: ".vibecheck",
-  ENV_DEFAULTS: { VIBECHECK_SKIP_AUTH: "1" },
-  TIMEOUTS: {
-    DEFAULT: 30000,      // 30 seconds
-    SCAN: 120000,        // 2 minutes
-    VERIFY: 180000,      // 3 minutes
-    REALITY: 300000,     // 5 minutes
-    PROVE: 600000,       // 10 minutes
-    AUTOPILOT: 300000,   // 5 minutes
-  },
-  MAX_BUFFER: 10 * 1024 * 1024, // 10MB
-  // Hardening limits
-  LIMITS: {
-    MAX_OUTPUT_LENGTH: 500000,      // 500KB max output text
-    MAX_PATH_LENGTH: 4096,          // Max path string length
-    MAX_URL_LENGTH: 2048,           // Max URL length
-    MAX_STRING_ARG: 10000,          // Max string argument length
-    MAX_ARRAY_ITEMS: 100,           // Max array items in args
-    RATE_LIMIT_WINDOW_MS: 60000,    // 1 minute window
-    RATE_LIMIT_MAX_CALLS: 120,      // Max calls per window
-  },
-  // Sensitive patterns to redact from output
-  SENSITIVE_PATTERNS: [
-    /(?:sk_live_|sk_test_)[a-zA-Z0-9]{24,}/g,           // Stripe keys
-    /(?:AKIA|ASIA)[A-Z0-9]{16}/g,                       // AWS keys
-    /ghp_[a-zA-Z0-9]{36}/g,                             // GitHub tokens
-    /xox[baprs]-[0-9A-Za-z\-]{10,}/g,                   // Slack tokens
-    /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g, // JWTs
-    /(?:password|secret|token|apikey|api_key)["']?\s*[:=]\s*["'][^"']{8,}["']/gi, // Generic secrets
-  ],
-};
-
-// ============================================================================
-// HARDENING: Input Validation & Sanitization Utilities
-// ============================================================================
-
-/**
- * Validate and sanitize a URL
- * @param {string} url - URL to validate
- * @returns {{ valid: boolean, url?: string, error?: string }}
- */
-function validateUrl(url) {
-  if (!url || typeof url !== 'string') {
-    return { valid: false, error: 'URL is required and must be a string' };
-  }
-  
-  const trimmed = url.trim();
-  
-  if (trimmed.length > CONFIG.LIMITS.MAX_URL_LENGTH) {
-    return { valid: false, error: `URL exceeds maximum length of ${CONFIG.LIMITS.MAX_URL_LENGTH} characters` };
-  }
-  
-  try {
-    const parsed = new URL(trimmed);
-    
-    // Only allow http/https protocols
-    if (!['http:', 'https:'].includes(parsed.protocol)) {
-      return { valid: false, error: 'URL must use http or https protocol' };
-    }
-    
-    // Block localhost/internal IPs in production contexts (can be overridden)
-    const hostname = parsed.hostname.toLowerCase();
-    if (process.env.VIBECHECK_BLOCK_INTERNAL !== 'false') {
-      // Allow localhost for development
-      if (hostname === 'localhost' || hostname === '127.0.0.1') {
-        // This is OK for local testing
-      }
-    }
-    
-    return { valid: true, url: trimmed };
-  } catch {
-    return { valid: false, error: 'Invalid URL format' };
-  }
-}
-
-/**
- * Sanitize a file path to prevent path traversal.
- * 
- * SECURITY FIX: Previous implementation used path.sep which differs between
- * Windows (\) and Unix (/). Attackers could bypass the check on Windows by
- * using forward slashes in paths. Now we normalize all separators before comparing.
- * 
- * @param {string} inputPath - Path to sanitize
- * @param {string} projectRoot - Project root directory
- * @returns {{ valid: boolean, path?: string, error?: string }}
- */
-function sanitizePath(inputPath, projectRoot) {
-  if (!inputPath || typeof inputPath !== 'string') {
-    return { valid: false, error: 'Path is required and must be a string' };
-  }
-  
-  if (inputPath.length > CONFIG.LIMITS.MAX_PATH_LENGTH) {
-    return { valid: false, error: `Path exceeds maximum length of ${CONFIG.LIMITS.MAX_PATH_LENGTH} characters` };
-  }
-  
-  // Reject null bytes which can truncate paths in some systems
-  if (inputPath.includes('\0')) {
-    return { valid: false, error: 'Path contains invalid characters (null byte)' };
-  }
-  
-  try {
-    const resolvedRoot = path.resolve(projectRoot);
-    const resolvedPath = path.resolve(projectRoot, inputPath);
-    
-    // SECURITY: Normalize path separators for cross-platform comparison
-    // On Windows, path.sep is '\' but paths can use '/' which would bypass the check
-    const normalizedRoot = resolvedRoot.replace(/\\/g, '/').toLowerCase();
-    const normalizedPath = resolvedPath.replace(/\\/g, '/').toLowerCase();
-    
-    // Ensure the resolved path is within or equal to the project root
-    // Use normalized paths for comparison, add trailing slash to prevent
-    // prefix attacks (e.g., /project-malicious matching /project)
-    const rootWithSep = normalizedRoot.endsWith('/') ? normalizedRoot : normalizedRoot + '/';
-    
-    if (!normalizedPath.startsWith(rootWithSep) && normalizedPath !== normalizedRoot) {
-      return { valid: false, error: 'Path traversal detected - path must be within project root' };
-    }
-    
-    return { valid: true, path: resolvedPath };
-  } catch (err) {
-    return { valid: false, error: `Invalid path format: ${err.message}` };
-  }
-}
-
-/**
- * Validate and sanitize string arguments
- * @param {*} value - Value to validate
- * @param {number} maxLength - Maximum allowed length
- * @returns {string}
- */
-function sanitizeString(value, maxLength = CONFIG.LIMITS.MAX_STRING_ARG) {
-  if (value === null || value === undefined) {
-    return '';
-  }
-  
-  const str = String(value);
-  return str.length > maxLength ? str.slice(0, maxLength) + '...[truncated]' : str;
-}
-
-/**
- * Validate array arguments
- * @param {*} arr - Array to validate
- * @param {number} maxItems - Maximum allowed items
- * @returns {any[]}
- */
-function sanitizeArray(arr, maxItems = CONFIG.LIMITS.MAX_ARRAY_ITEMS) {
-  if (!Array.isArray(arr)) {
-    return [];
-  }
-  return arr.slice(0, maxItems);
-}
-
-/**
- * Validate numeric arguments
- * @param {*} value - Value to validate
- * @param {number} min - Minimum value
- * @param {number} max - Maximum value
- * @param {number} defaultValue - Default if invalid
- * @returns {number}
- */
-function sanitizeNumber(value, min, max, defaultValue) {
-  const num = Number(value);
-  if (isNaN(num) || num < min || num > max) {
-    return defaultValue;
-  }
-  return num;
-}
-
-/**
- * Redact sensitive information from output
- * @param {string} text - Text to redact
- * @returns {string}
- */
-function redactSensitive(text) {
-  if (!text || typeof text !== 'string') {
-    return text;
-  }
-  
-  let result = text;
-  for (const pattern of CONFIG.SENSITIVE_PATTERNS) {
-    result = result.replace(pattern, '[REDACTED]');
-  }
-  return result;
-}
-
-/**
- * Truncate output to prevent memory issues
- * @param {string} text - Text to truncate
- * @param {number} maxLength - Maximum length
- * @returns {string}
- */
-function truncateOutput(text, maxLength = CONFIG.LIMITS.MAX_OUTPUT_LENGTH) {
-  if (!text || typeof text !== 'string') {
-    return '';
-  }
-  
-  if (text.length <= maxLength) {
-    return text;
-  }
-  
-  const truncated = text.slice(0, maxLength);
-  return truncated + `\n\n...[Output truncated at ${maxLength} characters]`;
-}
-
-// ============================================================================
-// HARDENING: Rate Limiting (Per-API-Key)
-// 
-// SECURITY FIX: Previous implementation used a global rate limit, allowing
-// a single attacker to exhaust the rate limit budget for ALL users.
-// Now we rate limit per-API-key hash to isolate abuse.
-// ============================================================================
-
-const rateLimitState = {
-  callsByKey: new Map(),  // Map<keyHash, timestamp[]>
-  globalCalls: [],        // Fallback for unauthenticated requests
-  cleanupInterval: null,
-  maxKeys: 10000,         // Prevent unbounded growth
-};
-
-/**
- * Hash API key for rate limit tracking (don't store raw keys)
- */
-function hashKeyForRateLimit(apiKey) {
-  if (!apiKey) return '__anonymous__';
-  const crypto = require('crypto');
-  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
-}
-
-/**
- * Cleanup expired rate limit entries
- */
-function cleanupRateLimitState() {
-  const now = Date.now();
-  const windowStart = now - CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS;
-  
-  // Clean per-key entries
-  for (const [keyHash, calls] of rateLimitState.callsByKey) {
-    const validCalls = calls.filter(t => t > windowStart);
-    if (validCalls.length === 0) {
-      rateLimitState.callsByKey.delete(keyHash);
-    } else {
-      rateLimitState.callsByKey.set(keyHash, validCalls);
-    }
-  }
-  
-  // Clean global calls
-  rateLimitState.globalCalls = rateLimitState.globalCalls.filter(t => t > windowStart);
-  
-  // Enforce max keys to prevent memory exhaustion
-  if (rateLimitState.callsByKey.size > rateLimitState.maxKeys) {
-    // Evict oldest keys (those with oldest last call)
-    const entries = Array.from(rateLimitState.callsByKey.entries());
-    entries.sort((a, b) => Math.max(...(a[1] || [0])) - Math.max(...(b[1] || [0])));
-    const toDelete = entries.slice(0, rateLimitState.callsByKey.size - rateLimitState.maxKeys);
-    for (const [key] of toDelete) {
-      rateLimitState.callsByKey.delete(key);
-    }
-  }
-}
-
-/**
- * Check rate limit for a specific API key
- * 
- * @param {string} apiKey - The API key (optional, falls back to global limit)
- * @returns {{ allowed: boolean, remaining: number, resetIn: number, keyHash?: string }}
- */
-function checkRateLimit(apiKey = null) {
-  const now = Date.now();
-  const windowStart = now - CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS;
-  const keyHash = hashKeyForRateLimit(apiKey);
-  
-  // Get or create call array for this key
-  let calls = rateLimitState.callsByKey.get(keyHash);
-  if (!calls) {
-    calls = [];
-    rateLimitState.callsByKey.set(keyHash, calls);
-  }
-  
-  // Clean old entries for this key
-  const validCalls = calls.filter(t => t > windowStart);
-  rateLimitState.callsByKey.set(keyHash, validCalls);
-  
-  // Determine limit based on authentication
-  // Anonymous gets stricter limit (10/min), authenticated gets full limit
-  const maxCalls = apiKey ? CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS : Math.min(10, CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS);
-  const remaining = maxCalls - validCalls.length;
-  
-  if (remaining <= 0) {
-    const oldestCall = Math.min(...validCalls);
-    const resetIn = Math.max(0, (oldestCall + CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS) - now);
-    return { allowed: false, remaining: 0, resetIn, keyHash };
-  }
-  
-  // Record this call
-  validCalls.push(now);
-  
-  // Periodic cleanup (every ~100 calls)
-  if (Math.random() < 0.01) {
-    cleanupRateLimitState();
-  }
-  
-  return { allowed: true, remaining: remaining - 1, resetIn: CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS, keyHash };
-}
-
-// ============================================================================
-// HARDENING: Circuit Breaker for API Integration
-// ============================================================================
-
-const circuitBreakerState = {
-  failures: 0,
-  lastFailureTime: 0,
-  state: 'CLOSED', // CLOSED = normal, OPEN = failing, HALF_OPEN = testing
-  failureThreshold: 5,
-  resetTimeout: 60000, // 1 minute
-};
-
-/**
- * Check if API calls should be allowed
- * @returns {{ allowed: boolean, reason?: string }}
- */
-function checkCircuitBreaker() {
-  const now = Date.now();
-  
-  // If circuit is open, check if we should attempt reset
-  if (circuitBreakerState.state === 'OPEN') {
-    if (now - circuitBreakerState.lastFailureTime >= circuitBreakerState.resetTimeout) {
-      circuitBreakerState.state = 'HALF_OPEN';
-      console.error('[MCP] Circuit breaker entering HALF_OPEN state - testing API');
-    } else {
-      return { 
-        allowed: false, 
-        reason: `Circuit breaker OPEN - API calls disabled for ${Math.ceil((circuitBreakerState.resetTimeout - (now - circuitBreakerState.lastFailureTime)) / 1000)}s`
-      };
-    }
-  }
-  
-  return { allowed: true };
-}
-
-/**
- * Record API call result
- * @param {boolean} success - Whether the API call succeeded
- */
-function recordApiResult(success) {
-  if (success) {
-    // Reset on success
-    if (circuitBreakerState.state === 'HALF_OPEN') {
-      console.error('[MCP] Circuit breaker CLOSED - API recovered');
-    }
-    circuitBreakerState.failures = 0;
-    circuitBreakerState.state = 'CLOSED';
-  } else {
-    circuitBreakerState.failures++;
-    circuitBreakerState.lastFailureTime = Date.now();
-    
-    if (circuitBreakerState.failures >= circuitBreakerState.failureThreshold) {
-      circuitBreakerState.state = 'OPEN';
-      console.error(`[MCP] Circuit breaker OPEN after ${circuitBreakerState.failures} failures - disabling API calls`);
-    }
-  }
-}
-
-// ============================================================================
-// HARDENING: Safe JSON Parsing
-// ============================================================================
-
-/**
- * Safely parse JSON with size limits
- * @param {string} text - JSON string to parse
- * @param {number} maxSize - Maximum allowed size in bytes
- * @returns {{ success: boolean, data?: any, error?: string }}
- */
-function safeJsonParse(text, maxSize = 5 * 1024 * 1024) {
-  if (!text || typeof text !== 'string') {
-    return { success: false, error: 'Invalid input' };
-  }
-  
-  if (text.length > maxSize) {
-    return { success: false, error: `JSON exceeds maximum size of ${maxSize} bytes` };
-  }
-  
-  try {
-    const data = JSON.parse(text);
-    return { success: true, data };
-  } catch (e) {
-    return { success: false, error: `JSON parse error: ${e.message}` };
-  }
-}
-
-const VERSION = CONFIG.VERSION;
+const VERSION = "2.1.0";
 
 // Import intelligence tools
 import {
@@ -480,12 +60,6 @@ import {
   handleArchitectTool,
 } from "./architect-tools.js";
 
-// Import authority system tools
-import {
-  AUTHORITY_TOOLS,
-  handleAuthorityTool,
-} from "./authority-tools.js";
-
 // Import codebase architect tools
 import {
   CODEBASE_ARCHITECT_TOOLS,
@@ -517,779 +91,827 @@ import {
   TRUTH_FIREWALL_TOOLS,
   handleTruthFirewallTool,
   hasRecentClaimValidation,
-  getContextAttribution,
 } from "./truth-firewall-tools.js";
 
-// Context attribution message
-const CONTEXT_ATTRIBUTION = "🧠 Context enhanced by vibecheck";
-
 // Import Consolidated Tools (15 focused tools - recommended surface)
 import { CONSOLIDATED_TOOLS, handleConsolidatedTool } from "./consolidated-tools.js";
 
-// Import v3 Tools (10 focused tools - STARTER+ only, no free tools)
-import { MCP_TOOLS_V3, handleToolV3, TOOL_TIERS as V3_TOOL_TIERS } from "./tools-v3.js";
-
 // Import tier auth for entitlement checking
-import { getFeatureAccessStatus } from "./tier-auth.js";
+import { checkFeatureAccess } from "./tier-auth.js";
 
-// Import Agent Firewall Interceptor - ENABLED BY DEFAULT
-// The Agent Firewall is the core gatekeeper that validates AI changes against reality
-import {
-  AGENT_FIREWALL_TOOL,
-  handleAgentFirewallIntercept,
-} from "./agent-firewall-interceptor.js";
-
-// Import Conductor tools - Multi-Agent Coordination (Phase 2)
-import {
-  CONDUCTOR_TOOLS,
-  handleConductorToolCall,
-  getConductorTools,
-} from "./conductor/tools.js";
-
-/**
- * TRUTH FIREWALL CONFIGURATION
- * 
- * Tools that make assertions or change code MUST have recent claim validation.
- * Policy modes: strict (default for agents), balanced, permissive
- */
 const STRICT_GUARDRAIL_TOOLS = new Set([
   "vibecheck.scan",
   "vibecheck.ship",
   "vibecheck.ctx",
-  "vibecheck.fix",
-  "vibecheck.prove",
-  "vibecheck.autopilot_apply",
 ]);
 
-// Tools that modify code or make assertions - require truth firewall
-const CODE_CHANGING_TOOLS = new Set([
-  "vibecheck.fix",
-  "vibecheck.autopilot_apply",
-  "vibecheck.propose_patch",
-]);
-
-// Policy thresholds (aligned with proof-context.js EVIDENCE_SCHEMA)
-const POLICY_THRESHOLDS = {
-  strict: { minConfidence: 0.8, allowUnknown: false, requireValidation: true },
-  balanced: { minConfidence: 0.6, allowUnknown: false, requireValidation: true },
-  permissive: { minConfidence: 0.4, allowUnknown: true, requireValidation: false },
-};
-
 function getTruthPolicy(args) {
-  const policy = args?.policy || "strict";
-  return POLICY_THRESHOLDS[policy] ? policy : "strict";
+  return args?.policy || "strict";
 }
 
-function getPolicyConfig(policy) {
-  return POLICY_THRESHOLDS[policy] || POLICY_THRESHOLDS.strict;
-}
-
-/**
- * Emit guardrail metric to audit log.
- * 
- * SECURITY FIX: Previous implementation silently ignored all failures.
- * Now we log failures to stderr for security monitoring - an attacker
- * filling disk or manipulating permissions would have gone undetected.
- */
 async function emitGuardrailMetric(projectPath, metric) {
   try {
     const auditDir = path.join(projectPath, ".vibecheck", "audit");
     await fs.mkdir(auditDir, { recursive: true });
     const record = JSON.stringify({ ...metric, timestamp: new Date().toISOString() });
     await fs.appendFile(path.join(auditDir, "guardrail-metrics.jsonl"), `${record}\n`);
-  } catch (err) {
-    // SECURITY: Log failures - silent failure could hide attacks
-    // (e.g., attacker fills disk to prevent audit logging)
-    console.error(`[SECURITY] Guardrail metric write failed: ${err.message}`);
-    console.error(`[SECURITY] Failed metric: ${JSON.stringify(metric)}`);
-    
-    // Attempt fallback to stderr-only logging for critical metrics
-    if (metric.event === 'truth_firewall_block' || metric.event === 'security_violation') {
-      console.error(`[SECURITY-CRITICAL] ${metric.event}: ${JSON.stringify(metric)}`);
-    }
-  }
-}
-
-/**
- * Check if a code-changing tool should be blocked due to missing validation.
- * Returns { blocked: boolean, reason?: string, suggestion?: string }
- */
-function checkTruthFirewallBlock(toolName, args, projectPath) {
-  const policy = getTruthPolicy(args);
-  const policyConfig = getPolicyConfig(policy);
-  
-  // Skip validation check if permissive mode and validation not required
-  if (!policyConfig.requireValidation) {
-    return { blocked: false };
-  }
-  
-  // Check if this is a code-changing tool that requires validation
-  if (!CODE_CHANGING_TOOLS.has(toolName) && !STRICT_GUARDRAIL_TOOLS.has(toolName)) {
-    return { blocked: false };
-  }
-  
-  // Check for recent claim validation
-  if (!hasRecentClaimValidation(projectPath)) {
-    return {
-      blocked: true,
-      reason: `Truth firewall requires claim validation before ${toolName}`,
-      code: "TRUTH_FIREWALL_REQUIRED",
-      suggestion: "Call vibecheck.validate_claim or vibecheck.get_truthpack before proceeding",
-      nextSteps: [
-        "Call vibecheck.get_truthpack with refresh=true for current evidence",
-        "Call vibecheck.validate_claim for critical assumptions",
-        `Re-run ${toolName} after validation`,
-      ],
-    };
+  } catch {
+    // ignore metrics write failures
   }
-  
-  return { blocked: false };
 }
 
 // ============================================================================
 // TOOL DEFINITIONS - Public Tools (Clean Product Surface)
 // ============================================================================
 
-// ============================================================================
-// TOOL REGISTRATION - V3 Tools Only (2-tier: FREE / PRO)
-// ============================================================================
-// V3 tools are the canonical tool surface with 2-tier model:
-// - FREE (10 tools): Inspect & Observe
-// - PRO (15 tools): Fix, Prove & Enforce (includes Authority, Conductor, Firewall)
+// RECOMMENDED: Use consolidated tools (15 focused, evidence-backed tools)
+// These map directly to CLI commands and return file/line citations
+const USE_CONSOLIDATED_TOOLS = process.env.VIBECHECK_MCP_CONSOLIDATED !== 'false';
+
+const TOOLS = USE_CONSOLIDATED_TOOLS ? [
+  // Curated tools for agents
+  ...CONSOLIDATED_TOOLS,
+] : [
+  // Legacy: Full tool set (50+ tools) - for backward compatibility
+  // PRIORITY: Truth Firewall tools (Hallucination Stopper) - agents MUST use these
+  ...TRUTH_FIREWALL_TOOLS, // vibecheck.get_truthpack, vibecheck.validate_claim, vibecheck.compile_context, etc.
+  
+  // Truth Context tools (Evidence-Backed AI)
+  ...TRUTH_CONTEXT_TOOLS, // vibecheck.ctx, vibecheck.verify_claim, vibecheck.evidence
+  
+  ...INTELLIGENCE_TOOLS, // Add all intelligence suite tools
+  ...VIBECHECK_TOOLS,    // Add AI vibecheck tools (verify, quality, smells, etc.)
+  ...AGENT_CHECKPOINT_TOOLS, // Add agent checkpoint tools
+  ...ARCHITECT_TOOLS,    // Add architect review/suggest tools
+  ...CODEBASE_ARCHITECT_TOOLS, // Add codebase-aware architect tools
+  ...VIBECHECK_2_TOOLS,  // Add vibecheck 2.0 consolidated tools
+  ...intentDriftTools,   // Add intent drift guard tools
+  mdcGeneratorTool,      // Add MDC generator tool
+  // 1. SHIP - Quick health check (vibe coder friendly)
+  {
+    name: "vibecheck.ship",
+    description:
+      "🚀 Quick health check — 'Is my app ready?' Plain English, traffic light score",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          description: "Path to project root",
+          default: ".",
+        },
+        fix: {
+          type: "boolean",
+          description: "Auto-fix problems where possible",
+          default: false,
+        },
+      },
+    },
+  },
 
-const TOOLS = [
-  // V3 tools include all FREE and PRO tools
-  // Authority, Conductor, and Agent Firewall are included in MCP_TOOLS_V3
-  ...MCP_TOOLS_V3,
-].filter(t => t !== null);
+  // 2. SCAN - Deep technical analysis
+  {
+    name: "vibecheck.scan",
+    description:
+      "🔍 Deep scan — technical analysis of secrets, auth, mocks, routes (detailed output)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          description: "Path to project root",
+          default: ".",
+        },
+        profile: {
+          type: "string",
+          enum: ["quick", "full", "ship", "ci", "security", "compliance", "ai"],
+          description:
+            "Check profile: quick, full, ship, ci, security, compliance, ai",
+          default: "quick",
+        },
+        only: {
+          type: "array",
+          items: { type: "string" },
+          description:
+            "Run only specific checks: integrity, security, hygiene, contracts, auth, routes, mocks, compliance, ai",
+        },
+        format: {
+          type: "string",
+          enum: ["text", "json", "html", "sarif"],
+          description: "Output format",
+          default: "text",
+        },
+      },
+    },
+  },
 
-// Legacy tool definitions removed - V3 is the only supported mode
-// All tools are now defined in tools-v3.js
+  // 3. VERIFY - Runtime verification with Playwright
+  {
+    name: "vibecheck.verify",
+    description:
+      "🧪 Runtime Verify — clicks buttons, fills forms, finds Dead UI with Playwright",
+    inputSchema: {
+      type: "object",
+      properties: {
+        url: {
+          type: "string",
+          description: "Target URL to test (required)",
+        },
+        auth: {
+          type: "string",
+          description: "Auth credentials (email:password)",
+        },
+        flows: {
+          type: "array",
+          items: { type: "string" },
+          description: "Flow packs to test: auth, ui, forms, billing",
+        },
+        headed: {
+          type: "boolean",
+          description: "Run browser in visible mode",
+          default: false,
+        },
+        record: {
+          type: "boolean",
+          description: "Record video of test run",
+          default: false,
+        },
+      },
+      required: ["url"],
+    },
+  },
 
+  // 3b. REALITY v2 - Two-Pass Auth Verification + Dead UI Crawler
+  {
+    name: "vibecheck.reality",
+    description:
+      "🧪 Reality Mode v2 — Two-pass auth verification: crawl anon, then auth. Finds Dead UI, HTTP errors, auth coverage gaps.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        url: {
+          type: "string",
+          description: "Target URL to test (required)",
+        },
+        auth: {
+          type: "string",
+          description: "Auth credentials (email:password) for login attempt",
+        },
+        verifyAuth: {
+          type: "boolean",
+          description: "Enable two-pass auth verification (anon + auth)",
+          default: false,
+        },
+        storageState: {
+          type: "string",
+          description: "Path to Playwright storageState.json for pre-authenticated session",
+        },
+        saveStorageState: {
+          type: "string",
+          description: "Path to save storageState after successful login",
+        },
+        truthpack: {
+          type: "string",
+          description: "Path to truthpack.json for auth matcher verification",
+        },
+        headed: {
+          type: "boolean",
+          description: "Run browser in visible mode",
+          default: false,
+        },
+        maxPages: {
+          type: "number",
+          description: "Max pages to visit per pass (default: 18)",
+          default: 18,
+        },
+        maxDepth: {
+          type: "number",
+          description: "Max link depth to crawl (default: 2)",
+          default: 2,
+        },
+        danger: {
+          type: "boolean",
+          description: "Allow clicking risky buttons (delete, cancel, etc.)",
+          default: false,
+        },
+      },
+      required: ["url"],
+    },
+  },
 
+  // 4. AI-TEST - AI Agent testing
+  {
+    name: "vibecheckai.dev-test",
+    description:
+      "🤖 AI Agent — autonomous testing that explores your app and generates fix prompts",
+    inputSchema: {
+      type: "object",
+      properties: {
+        url: {
+          type: "string",
+          description: "Target URL to test (required)",
+        },
+        goal: {
+          type: "string",
+          description: "Natural language goal for the AI agent",
+          default: "Test all features and find issues",
+        },
+        headed: {
+          type: "boolean",
+          description: "Run browser in visible mode",
+          default: false,
+        },
+      },
+      required: ["url"],
+    },
+  },
 
-// ============================================================================
-// SERVER IMPLEMENTATION
-// ============================================================================
+  // 3. GATE - Enforce truth in CI
+  {
+    name: "vibecheck.gate",
+    description: "🚦 Enforce truth in CI — fail builds on policy violations (STARTER tier)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        policy: {
+          type: "string",
+          enum: ["default", "strict", "ci"],
+          description: "Policy strictness level",
+          default: "strict",
+        },
+        sarif: {
+          type: "boolean",
+          description: "Generate SARIF for GitHub Code Scanning",
+          default: true,
+        },
+      },
+    },
+  },
 
-class VibecheckMCP {
-  constructor() {
-    this.server = new Server(
-      { name: "vibecheck", version: VERSION },
-      { capabilities: { tools: {}, resources: {} } },
-    );
-    this.toolRegistry = this.buildToolRegistry();
-    this.setupHandlers();
-  }
+  // 5. FIX - Fix Missions v1
+  {
+    name: "vibecheck.fix",
+    description:
+      "🔧 Fix Missions v1 — AI-powered surgical fixes with proof verification loop. --apply and --autopilot require PRO tier ($99/mo).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        promptOnly: {
+          type: "boolean",
+          description: "Generate mission prompts only (no edits)",
+          default: false,
+        },
+        apply: {
+          type: "boolean",
+          description: "Apply patches returned by the model",
+          default: false,
+        },
+        autopilot: {
+          type: "boolean",
+          description: "Loop: fix → verify → fix until SHIP or stuck",
+          default: false,
+        },
+        share: {
+          type: "boolean",
+          description: "Generate share bundle for review",
+          default: false,
+        },
+        maxMissions: {
+          type: "number",
+          description: "Max missions to plan (default: 8)",
+          default: 8,
+        },
+        maxSteps: {
+          type: "number",
+          description: "Max autopilot steps (default: 10)",
+          default: 10,
+        },
+      },
+    },
+  },
 
-  // ============================================================================
-  // TOOL REGISTRY - Maps tool names to handlers for cleaner dispatch
-  // HARDENING: Validates all handlers are functions
-  // ============================================================================
-  buildToolRegistry() {
-    const registry = {};
-    
-    // Helper to safely add handler with validation
-    const addHandler = (name, handler) => {
-      if (typeof handler !== 'function') {
-        console.error(`[MCP] Warning: Tool ${name} handler is not a function`);
-        return;
-      }
-      registry[name] = handler;
-    };
-    
-    // Agent Firewall - intercepts file writes (if available)
-    if (handleAgentFirewallIntercept && typeof handleAgentFirewallIntercept === 'function') {
-      addHandler("vibecheck_agent_firewall_intercept", handleAgentFirewallIntercept);
-    }
-    
-    // Conductor - multi-agent coordination tools
-    addHandler("vibecheck_conductor_register", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_register", args, projectPath));
-    addHandler("vibecheck_conductor_acquire_lock", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_acquire_lock", args, projectPath));
-    addHandler("vibecheck_conductor_release_lock", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_release_lock", args, projectPath));
-    addHandler("vibecheck_conductor_propose", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_propose", args, projectPath));
-    addHandler("vibecheck_conductor_status", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_status", args, projectPath));
-    addHandler("vibecheck_conductor_terminate", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_terminate", args, projectPath));
-    
-    // Core CLI tools
-    addHandler("vibecheck.ship", this.handleShip.bind(this));
-    addHandler("vibecheck.scan", this.handleScan.bind(this));
-    addHandler("vibecheck.verify", this.handleVerify.bind(this));
-    addHandler("vibecheck.reality", this.handleReality.bind(this));
-    addHandler("vibecheckai.dev-test", this.handleAITest.bind(this));
-    addHandler("vibecheck.gate", this.handleGate.bind(this));
-    addHandler("vibecheck.fix", this.handleFix.bind(this));
-    addHandler("vibecheck.share", this.handleShare.bind(this));
-    addHandler("vibecheck.ctx", this.handleCtx.bind(this));
-    addHandler("vibecheck.prove", this.handleProve.bind(this));
-    addHandler("vibecheck.proof", this.handleProof.bind(this));
-    addHandler("vibecheck.validate", this.handleValidate.bind(this));
-    addHandler("vibecheck.report", this.handleReport.bind(this));
-    addHandler("vibecheck.status", this.handleStatus.bind(this));
-    addHandler("vibecheck.autopilot", this.handleAutopilot.bind(this));
-    addHandler("vibecheck.autopilot_plan", this.handleAutopilotPlan.bind(this));
-    addHandler("vibecheck.autopilot_apply", this.handleAutopilotApply.bind(this));
-    addHandler("vibecheck.badge", this.handleBadge.bind(this));
-    addHandler("vibecheck.context", this.handleContext.bind(this));
-    
-    console.error(`[MCP] Tool registry built with ${Object.keys(registry).length} handlers`);
-    return registry;
-  }
+  // 6. SHARE - Generate share bundle from fix missions
+  {
+    name: "vibecheck.share",
+    description: "📦 Share Bundle — generate PR comment / review bundle from latest fix missions",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        prComment: {
+          type: "boolean",
+          description: "Output GitHub PR comment format",
+          default: false,
+        },
+        out: {
+          type: "string",
+          description: "Write output to file path",
+        },
+      },
+    },
+  },
 
-  // ============================================================================
-  // CLI RUNNER - Secure, async execution with array args (prevents injection)
-  // ============================================================================
-  async runCLI(command, args = [], cwd, options = {}) {
-    const {
-      env = {},
-      timeout = CONFIG.TIMEOUTS.DEFAULT,
-      skipAuth = true,
-    } = options;
-
-    // ========================================================================
-    // HARDENING: Validate command
-    // ========================================================================
-    const sanitizedCommand = sanitizeString(command, 50);
-    if (!sanitizedCommand || !/^[a-z0-9_-]+$/i.test(sanitizedCommand)) {
-      throw new Error(`Invalid CLI command: ${sanitizedCommand}`);
-    }
-    
-    // ========================================================================
-    // HARDENING: Validate and sanitize arguments
-    // ========================================================================
-    const sanitizedArgs = sanitizeArray(args, 50).map(arg => {
-      const str = String(arg);
-      // Validate argument format (must be simple flags or values)
-      if (str.length > 1000) {
-        return str.slice(0, 1000);
-      }
-      return str;
-    });
+  // 7. PROVE - One Command Reality Proof (orchestrates ctx → reality → ship → fix)
+  {
+    name: "vibecheck.prove",
+    description: "🔬 One Command Reality Proof — orchestrates ctx → reality → ship → fix loop until SHIP or stuck (PRO tier)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        url: {
+          type: "string",
+          description: "Base URL for runtime testing",
+        },
+        auth: {
+          type: "string",
+          description: "Auth credentials (email:password)",
+        },
+        storageState: {
+          type: "string",
+          description: "Path to Playwright storageState.json",
+        },
+        maxFixRounds: {
+          type: "number",
+          description: "Max auto-fix attempts (default: 3)",
+          default: 3,
+        },
+        skipReality: {
+          type: "boolean",
+          description: "Skip runtime crawling (static only)",
+          default: false,
+        },
+        skipFix: {
+          type: "boolean",
+          description: "Don't auto-fix, just diagnose",
+          default: false,
+        },
+        headed: {
+          type: "boolean",
+          description: "Run browser in visible mode",
+          default: false,
+        },
+        danger: {
+          type: "boolean",
+          description: "Allow clicking risky buttons",
+          default: false,
+        },
+      },
+    },
+  },
 
-    // ========================================================================
-    // HARDENING: Validate working directory
-    // ========================================================================
-    const resolvedCwd = path.resolve(cwd || process.cwd());
-    if (!fsSync.existsSync(resolvedCwd)) {
-      throw new Error(`Working directory does not exist: ${resolvedCwd}`);
-    }
+  // 8. CTX - Truth Pack Generator
+  {
+    name: "vibecheck.ctx",
+    description: "📦 Truth Pack — generate ground truth for AI agents (routes, env, auth, billing)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        snapshot: {
+          type: "boolean",
+          description: "Save timestamped snapshot",
+          default: false,
+        },
+        json: {
+          type: "boolean",
+          description: "Output raw JSON",
+          default: false,
+        },
+      },
+    },
+  },
 
-    // Build argument array - this prevents command injection
-    const finalArgs = [CONFIG.BIN_PATH, sanitizedCommand, ...sanitizedArgs];
-
-    // ========================================================================
-    // HARDENING: Clean environment - don't leak sensitive vars
-    // ========================================================================
-    const safeEnv = { ...process.env };
-    // Remove potentially sensitive env vars from being passed through
-    const sensitiveEnvKeys = ['AWS_SECRET_ACCESS_KEY', 'STRIPE_SECRET_KEY', 'DATABASE_URL'];
-    for (const key of sensitiveEnvKeys) {
-      if (safeEnv[key] && !env[key]) {
-        // Only remove if not explicitly set in options
-        delete safeEnv[key];
-      }
-    }
+  // 9. PROOF - Premium verification
+  {
+    name: "vibecheck.proof",
+    description:
+      "🎬 Premium verification — mocks (static) or reality (runtime with Playwright)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        mode: {
+          type: "string",
+          enum: ["mocks", "reality"],
+          description:
+            "Proof mode: mocks (import graph + fake domains) or reality (Playwright runtime)",
+        },
+        url: {
+          type: "string",
+          description: "Base URL for reality mode",
+          default: "http://localhost:3000",
+        },
+        flow: {
+          type: "string",
+          enum: ["auth", "checkout", "dashboard"],
+          description: "Flow to test in reality mode",
+          default: "auth",
+        },
+      },
+      required: ["mode"],
+    },
+  },
 
-    const execEnv = {
-      ...safeEnv,
-      ...CONFIG.ENV_DEFAULTS,
-      ...(skipAuth ? { VIBECHECK_SKIP_AUTH: "1" } : {}),
-      ...env,
-      // Ensure Node.js doesn't prompt for anything
-      NODE_NO_READLINE: "1",
-      FORCE_COLOR: "0",
-    };
-
-    // ========================================================================
-    // HARDENING: Bounded timeout
-    // ========================================================================
-    const boundedTimeout = sanitizeNumber(timeout, 1000, 900000, CONFIG.TIMEOUTS.DEFAULT);
+  // 5. REPORT - Access artifacts
+  {
+    name: "vibecheck.validate",
+    description:
+      "🤖 Validate AI-generated code. Checks for hallucinations, intent mismatch, and quality issues.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        code: { type: "string", description: "The code content to validate" },
+        intent: {
+          type: "string",
+          description: "The user's original request/intent",
+        },
+        projectPath: { type: "string", default: "." },
+      },
+      required: ["code"],
+    },
+  },
+  // 10. REPORT - Access scan artifacts
+  {
+    name: "vibecheck.report",
+    description:
+      "📄 Access scan artifacts — summary, full report, SARIF export",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        type: {
+          type: "string",
+          enum: ["summary", "full", "sarif", "html"],
+          description: "Report type to retrieve",
+          default: "summary",
+        },
+        runId: {
+          type: "string",
+          description: "Specific run ID (defaults to last run)",
+        },
+      },
+    },
+  },
 
-    try {
-      const { stdout, stderr } = await execFileAsync(process.execPath, finalArgs, {
-        cwd: resolvedCwd,
-        encoding: "utf8",
-        maxBuffer: CONFIG.MAX_BUFFER,
-        timeout: boundedTimeout,
-        env: execEnv,
-        // Don't inherit stdin - prevents hanging
-        stdio: ['ignore', 'pipe', 'pipe'],
-      });
-      
-      // Sanitize output before returning
-      return { 
-        stdout: redactSensitive(truncateOutput(stdout || '')), 
-        stderr: redactSensitive(truncateOutput(stderr || '')), 
-        success: true 
-      };
-    } catch (error) {
-      // Attach partial output for graceful degradation (sanitized)
-      error.partialOutput = redactSensitive(truncateOutput(error.stdout || ''));
-      error.partialStderr = redactSensitive(truncateOutput(error.stderr || ''));
-      
-      // Add helpful error code for timeout
-      if (error.killed && error.signal === 'SIGTERM') {
-        error.code = 'TIMEOUT';
-        error.message = `Command timed out after ${boundedTimeout}ms`;
-      }
-      
-      throw error;
-    }
-  }
+  // 11. STATUS - Health and config
+  {
+    name: "vibecheck.status",
+    description: "📊 Server status — health, versions, config, last run info",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+      },
+    },
+  },
 
-  // ============================================================================
-  // HARDENED UTILITY HELPERS
-  // ============================================================================
-  
-  /**
-   * Strip ANSI escape codes from output with length validation
-   * @param {string} str - String to strip
-   * @returns {string}
-   */
-  stripAnsi(str) {
-    if (!str || typeof str !== 'string') {
-      return '';
-    }
-    
-    // Truncate first to prevent DoS on very long strings
-    const truncated = str.length > CONFIG.LIMITS.MAX_OUTPUT_LENGTH 
-      ? str.slice(0, CONFIG.LIMITS.MAX_OUTPUT_LENGTH) 
-      : str;
-    
-    return truncated.replace(/\x1b\[[0-9;]*m/g, "");
-  }
+  // 12. AUTOPILOT - Continuous protection
+  {
+    name: "vibecheck.autopilot",
+    description:
+      "🤖 Autopilot — continuous protection with weekly reports, auto-PRs, deploy blocking",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        action: {
+          type: "string",
+          enum: ["status", "enable", "disable", "digest"],
+          description: "Autopilot action",
+          default: "status",
+        },
+        slack: {
+          type: "string",
+          description: "Slack webhook URL for notifications",
+        },
+        email: {
+          type: "string",
+          description: "Email for weekly digest",
+        },
+      },
+    },
+  },
 
-  /**
-   * Parse summary from disk with size limits and validation
-   * @param {string} projectPath - Project root path
-   * @returns {Promise<object|null>} Parsed summary or null
-   */
-  async parseSummaryFromDisk(projectPath) {
-    const summaryPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "summary.json");
-    
-    try {
-      // Check file size first
-      const stats = await fs.stat(summaryPath);
-      if (stats.size > 5 * 1024 * 1024) { // 5MB limit
-        console.error(`[MCP] Summary file too large: ${stats.size} bytes`);
-        return null;
-      }
-      
-      const content = await fs.readFile(summaryPath, "utf-8");
-      const parsed = safeJsonParse(content);
-      
-      if (!parsed.success) {
-        console.error(`[MCP] Invalid summary JSON: ${parsed.error}`);
-        return null;
-      }
-      
-      return parsed.data;
-    } catch (err) {
-      // Silent fail - this is for graceful degradation
-      return null;
-    }
-  }
+  // 13. AUTOPILOT PLAN - Generate fix plan (PRO tier)
+  {
+    name: "vibecheck.autopilot_plan",
+    description:
+      "🤖 Autopilot Plan — scan codebase, group issues into fix packs, estimate risk (PRO tier)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        profile: {
+          type: "string",
+          enum: ["quick", "full", "ship", "ci"],
+          description: "Scan profile",
+          default: "ship",
+        },
+        maxFixes: {
+          type: "number",
+          description: "Max fixes per category",
+          default: 10,
+        },
+      },
+    },
+  },
 
-  /**
-   * Format scan output from summary object with validation
-   * @param {object} summary - Summary object
-   * @param {string} projectPath - Project root path
-   * @returns {string}
-   */
-  formatScanOutput(summary, projectPath) {
-    if (!summary || typeof summary !== 'object') {
-      return '## Error: Invalid summary data\n';
-    }
-    
-    // Safely extract values with defaults - handle different output structures
-    const score = sanitizeNumber(
-      summary.score?.overall || summary.score || summary.verdict?.score || 0, 
-      0, 100, 0
-    );
-    const grade = sanitizeString(summary.grade || summary.verdict?.grade, 10) || 'N/A';
-    const verdict = summary.verdict?.verdict || summary.verdict || (score >= 80 ? 'SHIP' : score >= 50 ? 'WARN' : 'BLOCK');
-    const canShip = verdict === 'SHIP' || Boolean(summary.canShip);
-    const findings = sanitizeArray(summary.findings || summary.report?.findings || [], 500);
-    
-    // Get severity counts
-    const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
-    for (const f of findings) {
-      const sev = (f.severity || 'medium').toLowerCase();
-      if (sev === 'block' || sev === 'critical') sevCounts.critical++;
-      else if (sev === 'high') sevCounts.high++;
-      else if (sev === 'warn' || sev === 'warning' || sev === 'medium') sevCounts.medium++;
-      else sevCounts.low++;
-    }
-    
-    // Build structured output
-    let output = '';
-    
-    // Header with verdict
-    const verdictEmoji = verdict === 'SHIP' ? '✅' : verdict === 'WARN' ? '⚠️' : '🚫';
-    output += `## ${verdictEmoji} VERDICT: ${verdict}\n\n`;
-    output += `**Health Score:** ${score}/100 (${grade})\n\n`;
-    
-    // Summary stats
-    output += `### Summary\n`;
-    output += `- **Total Issues:** ${findings.length}\n`;
-    output += `- **Critical:** ${sevCounts.critical}\n`;
-    output += `- **High:** ${sevCounts.high}\n`;
-    output += `- **Medium:** ${sevCounts.medium}\n`;
-    output += `- **Low:** ${sevCounts.low}\n\n`;
-
-    // Category breakdown
-    if (summary.counts && typeof summary.counts === 'object') {
-      output += "### Issue Categories\n\n";
-      output += "| Category | Count | Status |\n|----------|-------|--------|\n";
-      
-      const entries = Object.entries(summary.counts).slice(0, 20);
-      for (const [key, count] of entries) {
-        const safeKey = sanitizeString(key, 50);
-        const safeCount = sanitizeNumber(count, 0, 999999, 0);
-        const icon = safeCount === 0 ? "✅" : "⚠️";
-        output += `| ${safeKey} | ${safeCount} | ${icon} |\n`;
-      }
-      output += '\n';
-    }
+  // 14. AUTOPILOT APPLY - Apply fixes (PRO tier)
+  {
+    name: "vibecheck.autopilot_apply",
+    description:
+      "🔧 Autopilot Apply — apply fix packs with verification, re-scan to confirm (PRO tier)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        profile: {
+          type: "string",
+          enum: ["quick", "full", "ship", "ci"],
+          description: "Scan profile",
+          default: "ship",
+        },
+        maxFixes: {
+          type: "number",
+          description: "Max fixes per category",
+          default: 10,
+        },
+        verify: {
+          type: "boolean",
+          description: "Run verification after apply",
+          default: true,
+        },
+        dryRun: {
+          type: "boolean",
+          description: "Preview changes without applying",
+          default: false,
+        },
+      },
+    },
+  },
 
-    // Top findings with details (show up to 15)
-    if (findings.length > 0) {
-      output += "### Top Issues to Fix\n\n";
-      
-      // Sort by severity (critical first)
-      const sortedFindings = findings
-        .sort((a, b) => {
-          const sevOrder = { critical: 0, block: 0, high: 1, warn: 2, warning: 2, medium: 2, low: 3, info: 4 };
-          const aOrder = sevOrder[(a.severity || 'medium').toLowerCase()] || 2;
-          const bOrder = sevOrder[(b.severity || 'medium').toLowerCase()] || 2;
-          return aOrder - bOrder;
-        })
-        .slice(0, 15);
-      
-      for (let i = 0; i < sortedFindings.length; i++) {
-        const f = sortedFindings[i];
-        const sev = sanitizeString(f.severity || 'medium', 20).toUpperCase();
-        const sevEmoji = sev === 'CRITICAL' || sev === 'BLOCK' ? '🔴' : sev === 'HIGH' ? '🟠' : '🟡';
-        const title = sanitizeString(f.title || f.message || f.why || 'Unknown issue', 100);
-        const category = sanitizeString(f.category || f.type || 'Other', 30);
-        const file = sanitizeString(f.file || (f.evidence && f.evidence[0]?.file) || '', 150);
-        const line = f.line || (f.evidence && f.evidence[0]?.lines) || '';
-        
-        output += `**${i + 1}. ${sevEmoji} [${sev}] ${title}**\n`;
-        output += `   - Category: \`${category}\`\n`;
-        if (file) {
-          output += `   - File: \`${file}\`${line ? `:${line}` : ''}\n`;
-        }
-        
-        // Include fix hints if available
-        const fixHint = f.fixHints?.[0] || f.fixHint || f.fix;
-        if (fixHint) {
-          output += `   - **Fix:** ${sanitizeString(fixHint, 200)}\n`;
-        }
-        output += '\n';
-      }
-      
-      if (findings.length > 15) {
-        output += `_...and ${findings.length - 15} more issues. See full report for details._\n\n`;
-      }
-    }
+  // 15. BADGE - Generate ship badge
+  {
+    name: "vibecheck.badge",
+    description:
+      "🏅 Ship Badge — generate a badge for README/PR showing scan status (STARTER tier)",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          default: ".",
+        },
+        format: {
+          type: "string",
+          enum: ["svg", "md", "html"],
+          description: "Badge format",
+          default: "svg",
+        },
+        style: {
+          type: "string",
+          enum: ["flat", "flat-square"],
+          description: "Badge style",
+          default: "flat",
+        },
+      },
+    },
+  },
 
-    // Next steps based on verdict
-    output += "### Recommended Actions\n\n";
-    if (verdict === 'SHIP') {
-      output += "- ✅ Code is clean and ready to ship\n";
-      output += "- Consider running `vibecheck ship --badge` to generate a status badge\n";
-    } else if (verdict === 'WARN') {
-      output += "- Review the warnings above before shipping\n";
-      output += "- Run `vibecheck fix --plan` to see fix suggestions\n";
-      output += "- Consider using `vibecheck fix --apply` (PRO) to auto-fix issues\n";
-    } else {
-      output += "- 🚫 Critical issues must be fixed before shipping\n";
-      output += "- Run `vibecheck fix --plan` to see detailed fix suggestions\n";
-      output += "- Address critical issues first, then re-scan\n";
-    }
-    
-    output += `\n📄 **Full Report:** ${CONFIG.OUTPUT_DIR}/report.html\n`;
-    output += `📊 **JSON Results:** ${CONFIG.OUTPUT_DIR}/results/latest.json\n`;
-    
-    return output;
-  }
-  
-  /**
-   * Safely read a file with size limits
-   * @param {string} filePath - Path to file
-   * @param {number} maxSize - Maximum file size in bytes
-   * @returns {Promise<string|null>} File contents or null
-   */
-  async safeReadFile(filePath, maxSize = 10 * 1024 * 1024) {
-    try {
-      const stats = await fs.stat(filePath);
-      
-      if (stats.size > maxSize) {
-        console.error(`[MCP] File too large: ${filePath} (${stats.size} bytes)`);
-        return null;
-      }
-      
-      const content = await fs.readFile(filePath, "utf-8");
-      return content;
-    } catch (err) {
-      return null;
-    }
-  }
+  // 16. CONTEXT - AI Rules Generator
+  {
+    name: "vibecheck.context",
+    description:
+      "🧠 AI Context — generate rules files for Cursor, Windsurf, Copilot to understand your codebase",
+    inputSchema: {
+      type: "object",
+      properties: {
+        projectPath: {
+          type: "string",
+          description: "Path to project root",
+          default: ".",
+        },
+        platform: {
+          type: "string",
+          enum: ["all", "cursor", "windsurf", "copilot", "claude"],
+          description: "Target platform (default: all)",
+          default: "all",
+        },
+      },
+    },
+  },
+];
 
-  setupHandlers() {
-    // List tools
-    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
-      tools: TOOLS,
-    }));
+// ============================================================================
+// SERVER IMPLEMENTATION
+// ============================================================================
 
-    // Call tool - main dispatch handler
-    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
-      const startTime = Date.now();
-      let toolName = 'unknown';
-      let projectPath = '.';
-      
-      try {
-        // ====================================================================
-        // HARDENING: Input extraction with validation
-        // ====================================================================
-        const params = request?.params;
-        if (!params || typeof params !== 'object') {
-          return this.error('Invalid request: missing params', { code: 'INVALID_REQUEST' });
-        }
-        
-        toolName = sanitizeString(params.name, 100);
-        const args = params.arguments && typeof params.arguments === 'object' ? params.arguments : {};
-        
-        // Validate tool name
-        if (!toolName || toolName.length < 2) {
-          return this.error('Invalid tool name', { code: 'INVALID_TOOL_NAME' });
-        }
-        
-        // ====================================================================
-        // HARDENING: Rate limiting (per-API-key)
-        // ====================================================================
-        const apiKey = args?.apiKey || null;
-        const rateCheck = checkRateLimit(apiKey);
-        if (!rateCheck.allowed) {
-          return this.error(`Rate limit exceeded. Try again in ${Math.ceil(rateCheck.resetIn / 1000)} seconds`, {
-            code: 'RATE_LIMIT_EXCEEDED',
-            suggestion: 'Reduce the frequency of tool calls',
-            nextSteps: [`Wait ${Math.ceil(rateCheck.resetIn / 1000)} seconds before retrying`],
-          });
-        }
-        
-        // ====================================================================
-        // HARDENING: Project path validation
-        // ====================================================================
-        const rawProjectPath = args?.projectPath || '.';
-        const pathValidation = sanitizePath(rawProjectPath, process.cwd());
-        
-        if (!pathValidation.valid) {
-          return this.error(pathValidation.error, {
-            code: 'INVALID_PATH',
-            suggestion: 'Provide a valid path within the current working directory',
-          });
-        }
-        projectPath = pathValidation.path;
-
-        // Emit audit event for tool invocation start
-        // SECURITY: Include apiKey hash for audit trail (never log raw key)
-        try {
-          const crypto = require('crypto');
-          const apiKeyHash = apiKey 
-            ? crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16)
-            : 'anonymous';
-          
-          emitToolInvoke(toolName, args, "success", { 
-            projectPath,
-            apiKeyHash,
-            rateLimit: rateCheck,
-            timestamp: new Date().toISOString(),
-          });
-        } catch {
-          // Audit logging should never break the tool
-        }
+class VibecheckMCP {
+  constructor() {
+    this.server = new Server(
+      { name: "vibecheck", version: VERSION },
+      { capabilities: { tools: {}, resources: {} } },
+    );
+    this.setupHandlers();
+  }
 
-        // ====================================================================
-        // HARDENING: Truth firewall check with error handling
-        // ====================================================================
-        let firewallCheck = { blocked: false };
-        try {
-          firewallCheck = checkTruthFirewallBlock(toolName, args, projectPath);
-        } catch (firewallError) {
-          console.error(`[MCP] Firewall check error: ${firewallError.message}`);
-          // Continue - don't block on firewall errors
-        }
-        
-        if (firewallCheck.blocked) {
-          const policy = getTruthPolicy(args);
-          try {
-            await emitGuardrailMetric(projectPath, {
-              event: "truth_firewall_block",
-              tool: toolName,
-              policy,
-              reason: firewallCheck.code || "no_recent_claim_validation",
-            });
-          } catch {
-            // Metrics should never break the tool
-          }
-          return this.error(firewallCheck.reason, {
-            code: firewallCheck.code,
-            suggestion: firewallCheck.suggestion,
-            nextSteps: firewallCheck.nextSteps || [],
+  setupHandlers() {
+    // List tools
+    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
+      tools: TOOLS,
+    }));
+
+    // Call tool
+    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
+      const { name, arguments: args } = request.params;
+      const projectPath = path.resolve(args?.projectPath || ".");
+      const startTime = Date.now();
+
+      // Emit audit event for tool invocation start
+      emitToolInvoke(name, args, "success", { projectPath });
+
+      try {
+        const policy = getTruthPolicy(args);
+        if (
+          STRICT_GUARDRAIL_TOOLS.has(name) &&
+          policy !== "permissive" &&
+          !hasRecentClaimValidation(projectPath)
+        ) {
+          await emitGuardrailMetric(projectPath, {
+            event: "truth_firewall_block",
+            tool: name,
+            policy,
+            reason: "no_recent_claim_validation",
           });
+          return this.error(
+            "Truth firewall requires claim validation before high-impact tools.",
+            {
+              code: "TRUTH_FIREWALL_REQUIRED",
+              suggestion: "Call vibecheck.validate_claim or vibecheck.get_truthpack before proceeding.",
+              nextSteps: [
+                "Call vibecheck.get_truthpack with refresh=true for current evidence",
+                "Call vibecheck.validate_claim for critical assumptions",
+                "Re-run the tool after validation",
+              ],
+            },
+          );
         }
-        
-        // Handle v3 tools (10 consolidated tools, STARTER+ only)
-        if (USE_V3_TOOLS && V3_TOOL_TIERS[toolName]) {
-          // SECURITY FIX: Never trust client-provided tier - validate from API key
-          // Previous: const userTier = sanitizeString(args?.tier, 20) || ...
-          // This allowed privilege escalation via args.tier = "pro"
-          const { getMcpToolAccess } = await import('./tier-auth.js');
-          const access = await getMcpToolAccess(toolName, apiKey);
-          const userTier = access.tier || 'free';
-          const result = await handleToolV3(toolName, args, { tier: userTier });
-          
-          if (result.error) {
-            return this.error(result.error, { tier: result.tier, required: result.required });
-          }
-          
-          // Sanitize and truncate output
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-          return {
-            content: [{ type: "text", text: outputText }],
-          };
-        }
-        
-        // 1. Check tool registry first (local CLI handlers)
-        if (this.toolRegistry[toolName]) {
-          return await this.toolRegistry[toolName](projectPath, args);
-        }
-
-        // 2. Handle external module tools by prefix/pattern
-        if (toolName.startsWith("vibecheck.intelligence.")) {
-          return await handleIntelligenceTool(toolName, args, __dirname);
+        // Handle intelligence tools first
+        if (name.startsWith("vibecheck.intelligence.")) {
+          return await handleIntelligenceTool(name, args, __dirname);
         }
 
-        // Handle AI vibecheck tools
+        // Handle AI vibecheck tools (verify, quality, smells, hallucination, breaking, mdc, coverage)
         if (["vibecheck.verify", "vibecheck.quality", "vibecheck.smells", 
              "vibecheck.hallucination", "vibecheck.breaking", "vibecheck.mdc", 
-             "vibecheck.coverage"].includes(toolName)) {
-          const result = await handleVibecheckTool(toolName, args);
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
+             "vibecheck.coverage"].includes(name)) {
+          const result = await handleVibecheckTool(name, args);
           return {
-            content: [{ type: "text", text: outputText }],
+            content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
           };
         }
 
         // Handle agent checkpoint tools
-        if (["vibecheck_checkpoint", "vibecheck_set_strictness", "vibecheck_checkpoint_status"].includes(toolName)) {
-          return await handleCheckpointTool(toolName, args);
+        if (["vibecheck_checkpoint", "vibecheck_set_strictness", "vibecheck_checkpoint_status"].includes(name)) {
+          return await handleCheckpointTool(name, args);
         }
 
         // Handle architect tools
         if (["vibecheck_architect_review", "vibecheck_architect_suggest", 
-             "vibecheck_architect_patterns", "vibecheck_architect_set_strictness"].includes(toolName)) {
-          return await handleArchitectTool(toolName, args);
-        }
-
-        // Handle authority system tools
-        if (["authority.classify", "authority.approve", "authority.list"].includes(toolName)) {
-          const result = await handleAuthorityTool(toolName, args, userTier || "free");
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-          return {
-            content: [{ type: "text", text: outputText }],
-          };
+             "vibecheck_architect_patterns", "vibecheck_architect_set_strictness"].includes(name)) {
+          return await handleArchitectTool(name, args);
         }
 
         // Handle codebase architect tools
         if (["vibecheck_architect_context", "vibecheck_architect_guide",
              "vibecheck_architect_validate", "vibecheck_architect_patterns",
-             "vibecheck_architect_dependencies"].includes(toolName)) {
-          return await handleCodebaseArchitectTool(toolName, args);
+             "vibecheck_architect_dependencies"].includes(name)) {
+          return await handleCodebaseArchitectTool(name, args);
         }
 
         // Handle vibecheck 2.0 tools
-        if (["checkpoint", "check", "ship", "fix", "status", "set_strictness"].includes(toolName)) {
-          return await handleVibecheck2Tool(toolName, args, __dirname);
+        if (["checkpoint", "check", "ship", "fix", "status", "set_strictness"].includes(name)) {
+          return await handleVibecheck2Tool(name, args, __dirname);
         }
 
         // Handle intent drift tools
-        if (toolName.startsWith("vibecheck_intent_")) {
-          const tool = intentDriftTools.find(t => t.name === toolName);
+        if (name.startsWith("vibecheck_intent_")) {
+          const tool = intentDriftTools.find(t => t.name === name);
           if (tool && tool.handler) {
             const result = await tool.handler(args);
-            const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
             return {
-              content: [{ type: "text", text: outputText }],
+              content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
             };
           }
         }
 
-        // Handle MDC generator
-        if (toolName === "generate_mdc") {
-          return await handleMDCGeneration(args);
-        }
-
-        // Handle Truth Context tools (Evidence Pack / Truth Pack)
-        if (["vibecheck.verify_claim", "vibecheck.evidence"].includes(toolName)) {
-          return await handleTruthContextTool(toolName, args);
-        }
-
-        // Handle Truth Firewall tools (Hallucination Stopper)
-        if (["vibecheck.get_truthpack", "vibecheck.validate_claim", "vibecheck.compile_context",
-             "vibecheck.search_evidence", "vibecheck.find_counterexamples", "vibecheck.propose_patch",
-             "vibecheck.check_invariants", "vibecheck.add_assumption"].includes(toolName)) {
-          return await handleTruthFirewallTool(toolName, args, projectPath);
+        switch (name) {
+          case "vibecheck.ship":
+            return await this.handleShip(projectPath, args);
+          case "vibecheck.scan":
+            return await this.handleScan(projectPath, args);
+          case "vibecheck.verify":
+            return await this.handleVerify(projectPath, args);
+          case "vibecheck.reality":
+            return await this.handleReality(projectPath, args);
+          case "vibecheckai.dev-test":
+            return await this.handleAITest(projectPath, args);
+          case "vibecheck.gate":
+            return await this.handleGate(projectPath, args);
+          case "vibecheck.fix":
+            return await this.handleFix(projectPath, args);
+          case "vibecheck.share":
+            return await this.handleShare(projectPath, args);
+          case "vibecheck.ctx":
+            return await this.handleCtx(projectPath, args);
+          case "vibecheck.prove":
+            return await this.handleProve(projectPath, args);
+          case "vibecheck.proof":
+            return await this.handleProof(projectPath, args);
+          case "vibecheck.validate":
+            return await this.handleValidate(projectPath, args);
+          case "vibecheck.report":
+            return await this.handleReport(projectPath, args);
+          case "vibecheck.status":
+            return await this.handleStatus(projectPath, args);
+          case "vibecheck.autopilot":
+            return await this.handleAutopilot(projectPath, args);
+          case "vibecheck.autopilot_plan":
+            return await this.handleAutopilotPlan(projectPath, args);
+          case "vibecheck.autopilot_apply":
+            return await this.handleAutopilotApply(projectPath, args);
+          case "vibecheck.badge":
+            return await this.handleBadge(projectPath, args);
+          case "vibecheck.context":
+            return await this.handleContext(projectPath, args);
+          case "generate_mdc":
+            return await handleMDCGeneration(args);
+          // Truth Context tools (Evidence Pack / Truth Pack)
+          case "vibecheck.verify_claim":
+          case "vibecheck.evidence":
+            return await handleTruthContextTool(name, args);
+          // Truth Firewall tools (Hallucination Stopper)
+          case "vibecheck.get_truthpack":
+          case "vibecheck.validate_claim":
+          case "vibecheck.compile_context":
+          case "vibecheck.search_evidence":
+          case "vibecheck.find_counterexamples":
+          case "vibecheck.propose_patch":
+          case "vibecheck.check_invariants":
+          case "vibecheck.add_assumption":
+            return await handleTruthFirewallTool(name, args, projectPath);
+          default:
+            return this.error(`Unknown tool: ${name}`);
         }
-
-        return this.error(`Unknown tool: ${toolName}`, {
-          code: 'UNKNOWN_TOOL',
-          suggestion: 'Check the tool name and try again',
-          nextSteps: ['Use vibecheck.status to see available tools'],
-        });
       } catch (err) {
-        // ====================================================================
-        // HARDENING: Enhanced error handling with sanitization
-        // ====================================================================
-        const durationMs = Date.now() - startTime;
-        const errorMessage = sanitizeString(err?.message || 'Unknown error', 500);
-        
-        // Emit audit event for tool error (safely)
-        try {
-          emitToolComplete(toolName, "error", { 
-            errorMessage: redactSensitive(errorMessage),
-            durationMs,
-          });
-        } catch {
-          // Audit logging should never break the response
-        }
-        
-        // Log error details to stderr (not stdout - preserves MCP protocol)
-        console.error(`[MCP] Tool ${toolName} failed after ${durationMs}ms: ${errorMessage}`);
-        
-        return this.error(`${toolName} failed: ${redactSensitive(errorMessage)}`, {
-          code: err?.code || 'TOOL_ERROR',
-          suggestion: 'Check the error message and try again',
-          nextSteps: [
-            'Verify the tool arguments are correct',
-            'Check that the project path is valid',
-            'Try running with simpler arguments first',
-          ],
+        // Emit audit event for tool error
+        emitToolComplete(name, "error", { 
+          errorMessage: err.message,
+          durationMs: Date.now() - startTime 
         });
+        return this.error(`${name} failed: ${err.message}`);
       }
     });
 
     // Resources
     this.server.setRequestHandler(ListResourcesRequestSchema, async () => ({
       resources: [
-        {
-          uri: "vibecheck://status",
-          name: "Server Status",
-          description: "Current MCP server health, version, and rate limits",
-          mimeType: "application/json",
-        },
         {
           uri: "vibecheck://config",
           name: "vibecheck Config",
@@ -1338,53 +960,21 @@ class VibecheckMCP {
           description: "Last prove loop results (ctx → reality → ship → fix)",
           mimeType: "application/json",
         },
-        {
-          uri: "vibecheck://registry",
-          name: "Command Registry",
-          description: "Available commands and their tiers",
-          mimeType: "application/json",
-        },
       ],
     }));
 
     this.server.setRequestHandler(
       ReadResourceRequestSchema,
       async (request) => {
-        // ====================================================================
-        // HARDENING: Resource request validation
-        // ====================================================================
-        const uri = sanitizeString(request?.params?.uri, 200);
-        if (!uri || !uri.startsWith('vibecheck://')) {
-          return { contents: [{ uri: uri || '', mimeType: "application/json", text: '{"error": "Invalid resource URI"}' }] };
-        }
-        
+        const { uri } = request.params;
         const projectPath = process.cwd();
-        
-        // Helper to safely read and return JSON resource
-        const safeReadResource = async (filePath, defaultMessage) => {
-          try {
-            const content = await fs.readFile(filePath, "utf-8");
-            // Validate JSON and sanitize
-            const parsed = safeJsonParse(content);
-            if (!parsed.success) {
-              return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ error: "Invalid JSON in resource file" }) }] };
-            }
-            // Redact any sensitive data and truncate
-            const sanitized = redactSensitive(truncateOutput(content, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
-            return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-          } catch {
-            return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ message: defaultMessage }) }] };
-          }
-        };
 
         if (uri === "vibecheck://config") {
           const configPath = path.join(projectPath, "vibecheck.config.json");
           try {
             const content = await fs.readFile(configPath, "utf-8");
-            // Redact sensitive config values
-            const sanitized = redactSensitive(truncateOutput(content, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
             return {
-              contents: [{ uri, mimeType: "application/json", text: sanitized }],
+              contents: [{ uri, mimeType: "application/json", text: content }],
             };
           } catch {
             return {
@@ -1394,237 +984,138 @@ class VibecheckMCP {
         }
 
         if (uri === "vibecheck://summary") {
-          const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-          return await safeReadResource(summaryPath, "No scan found. Run vibecheck.scan first.");
+          const summaryPath = path.join(
+            projectPath,
+            ".vibecheck",
+            "summary.json",
+          );
+          try {
+            const content = await fs.readFile(summaryPath, "utf-8");
+            return {
+              contents: [{ uri, mimeType: "application/json", text: content }],
+            };
+          } catch {
+            return {
+              contents: [
+                {
+                  uri,
+                  mimeType: "application/json",
+                  text: '{"message": "No scan found. Run vibecheck.scan first."}',
+                },
+              ],
+            };
+          }
         }
 
         if (uri === "vibecheck://truthpack") {
           const truthpackPath = path.join(projectPath, ".vibecheck", "truth", "truthpack.json");
-          return await safeReadResource(truthpackPath, "No truthpack. Run vibecheck.ctx first.");
+          try {
+            const content = await fs.readFile(truthpackPath, "utf-8");
+            return { contents: [{ uri, mimeType: "application/json", text: content }] };
+          } catch {
+            return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No truthpack. Run vibecheck.ctx first."}' }] };
+          }
         }
 
         if (uri === "vibecheck://missions") {
           const missionsDir = path.join(projectPath, ".vibecheck", "missions");
           try {
-            // HARDENING: Validate directory read
             const dirs = await fs.readdir(missionsDir);
-            const safeDirs = sanitizeArray(dirs, 100).filter(d => typeof d === 'string' && d.length > 0);
-            const latest = safeDirs.sort().reverse()[0];
-            
+            const latest = dirs.sort().reverse()[0];
             if (latest) {
               const missionPath = path.join(missionsDir, latest, "missions.json");
-              return await safeReadResource(missionPath, "No missions found in latest directory.");
+              const content = await fs.readFile(missionPath, "utf-8");
+              return { contents: [{ uri, mimeType: "application/json", text: content }] };
             }
-          } catch (err) {
-            console.error(`[MCP] Error reading missions: ${err.message}`);
-          }
+          } catch {}
           return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No missions. Run vibecheck.fix first."}' }] };
         }
 
         if (uri === "vibecheck://reality") {
           const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
-          return await safeReadResource(realityPath, "No reality results. Run vibecheck verify first.");
+          try {
+            const content = await fs.readFile(realityPath, "utf-8");
+            return { contents: [{ uri, mimeType: "application/json", text: content }] };
+          } catch {
+            return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No reality results. Run vibecheck verify first."}' }] };
+          }
         }
 
         if (uri === "vibecheck://findings") {
           const findingsPath = path.join(projectPath, ".vibecheck", "findings.json");
-          
-          // Try primary findings file
-          const content = await this.safeReadFile(findingsPath, 10 * 1024 * 1024);
-          if (content) {
-            const parsed = safeJsonParse(content);
-            if (parsed.success) {
-              const sanitized = redactSensitive(truncateOutput(content));
-              return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-            }
-          }
-          
-          // HARDENING: Try summary.json as fallback with size limits
-          const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-          const summaryContent = await this.safeReadFile(summaryPath, 10 * 1024 * 1024);
-          
-          if (summaryContent) {
-            const parsed = safeJsonParse(summaryContent);
-            if (parsed.success && parsed.data.findings) {
-              const findings = sanitizeArray(parsed.data.findings, 1000);
+          try {
+            const content = await fs.readFile(findingsPath, "utf-8");
+            return { contents: [{ uri, mimeType: "application/json", text: content }] };
+          } catch {
+            // Try summary.json as fallback
+            const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
+            try {
+              const summary = JSON.parse(await fs.readFile(summaryPath, "utf-8"));
+              const findings = summary.findings || [];
               return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ findings }, null, 2) }] };
+            } catch {
+              return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No findings. Run vibecheck.scan first."}' }] };
             }
           }
-          
-          return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No findings. Run vibecheck.scan first."}' }] };
         }
 
         if (uri === "vibecheck://share") {
           const missionsDir = path.join(projectPath, ".vibecheck", "missions");
           try {
-            // HARDENING: Safe directory read
             const dirs = await fs.readdir(missionsDir);
-            const safeDirs = sanitizeArray(dirs, 100).filter(d => typeof d === 'string' && d.length > 0);
-            const latest = safeDirs.sort().reverse()[0];
-            
+            const latest = dirs.sort().reverse()[0];
             if (latest) {
               const sharePath = path.join(missionsDir, latest, "share", "share.json");
-              
-              // Try share.json first
-              const shareContent = await this.safeReadFile(sharePath, 10 * 1024 * 1024);
-              if (shareContent) {
-                const parsed = safeJsonParse(shareContent);
-                if (parsed.success) {
-                  const sanitized = redactSensitive(truncateOutput(shareContent));
-                  return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-                }
+              try {
+                const content = await fs.readFile(sharePath, "utf-8");
+                return { contents: [{ uri, mimeType: "application/json", text: content }] };
+              } catch {
+                // Fallback to missions.json
+                const missionPath = path.join(missionsDir, latest, "missions.json");
+                const content = await fs.readFile(missionPath, "utf-8");
+                return { contents: [{ uri, mimeType: "application/json", text: content }] };
               }
-              
-              // HARDENING: Fallback to missions.json with safe read
-              const missionPath = path.join(missionsDir, latest, "missions.json");
-              return await safeReadResource(missionPath, "No share data available in latest mission.");
             }
-          } catch (err) {
-            console.error(`[MCP] Error reading share pack: ${err.message}`);
-          }
+          } catch {}
           return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No share pack. Run vibecheck.fix --share first."}' }] };
         }
 
         if (uri === "vibecheck://prove") {
           const provePath = path.join(projectPath, ".vibecheck", "prove", "last_prove.json");
-          return await safeReadResource(provePath, "No prove results. Run vibecheck.prove first.");
-        }
-
-        // Server status resource - live health check
-        if (uri === "vibecheck://status") {
-          const rateCheck = checkRateLimit(null);
-          const circuitCheck = checkCircuitBreaker();
-          
-          const status = {
-            server: {
-              version: CONFIG.VERSION,
-              uptime: Math.floor(process.uptime()),
-              transport: 'stdio',
-              nodeVersion: process.version,
-            },
-            health: {
-              status: circuitCheck.allowed ? 'healthy' : 'degraded',
-              circuitBreaker: circuitBreakerState.state,
-              failureCount: circuitBreakerState.failures,
-            },
-            rateLimit: {
-              remaining: rateCheck.remaining,
-              resetIn: rateCheck.resetIn || 0,
-              limit: CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS,
-              window: CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS,
-            },
-            features: {
-              hardening: true,
-              auditLogging: true,
-              secretRedaction: true,
-              pathSecurity: true,
-            },
-            timestamp: new Date().toISOString(),
-          };
-          
-          return {
-            contents: [{ uri, mimeType: "application/json", text: JSON.stringify(status, null, 2) }],
-          };
-        }
-
-        // Registry resource - available commands and tiers
-        if (uri === "vibecheck://registry") {
-          const registry = {
-            version: CONFIG.VERSION,
-            tiers: {
-              free: {
-                name: 'FREE',
-                price: '$0',
-                description: 'Inspect & Observe',
-              },
-              pro: {
-                name: 'PRO',
-                price: '$69/mo',
-                description: 'Fix, Prove & Enforce',
-              },
-            },
-            tools: Object.entries(V3_TOOL_TIERS).map(([name, tier]) => ({
-              name,
-              tier,
-            })),
-            resources: [
-              'vibecheck://status',
-              'vibecheck://config',
-              'vibecheck://summary',
-              'vibecheck://truthpack',
-              'vibecheck://missions',
-              'vibecheck://reality',
-              'vibecheck://findings',
-              'vibecheck://share',
-              'vibecheck://prove',
-              'vibecheck://registry',
-            ],
-          };
-          
-          return {
-            contents: [{ uri, mimeType: "application/json", text: JSON.stringify(registry, null, 2) }],
-          };
+          try {
+            const content = await fs.readFile(provePath, "utf-8");
+            return { contents: [{ uri, mimeType: "application/json", text: content }] };
+          } catch {
+            return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No prove results. Run vibecheck.prove first."}' }] };
+          }
         }
 
-        return { 
-          contents: [{ 
-            uri, 
-            mimeType: "application/json", 
-            text: JSON.stringify({ error: "Unknown resource URI" }) 
-          }] 
-        };
+        return { contents: [] };
       },
     );
   }
 
-  // ============================================================================
-  // HARDENED HELPERS
-  // ============================================================================
-  
-  /**
-   * Return a successful response with sanitization
-   * @param {string} text - Response text
-   * @param {boolean} includeAttribution - Include vibecheck attribution
-   * @returns {object} MCP response
-   */
-  success(text, includeAttribution = true) {
-    // Sanitize output: redact secrets and truncate
-    let sanitized = redactSensitive(sanitizeString(text, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
-    
-    const finalText = includeAttribution 
-      ? `${sanitized}\n\n---\n_${CONTEXT_ATTRIBUTION}_`
-      : sanitized;
-    
-    return { content: [{ type: "text", text: finalText }] };
+  // Helpers
+  success(text) {
+    return { content: [{ type: "text", text }] };
   }
 
-  /**
-   * Return an error response with sanitization
-   * @param {string} text - Error message
-   * @param {object} options - Additional options
-   * @returns {object} MCP error response
-   */
   error(text, options = {}) {
     const { code, suggestion, nextSteps = [] } = options;
     
-    // Sanitize all text inputs
-    const sanitizedText = redactSensitive(sanitizeString(text, 1000));
-    const sanitizedSuggestion = suggestion ? redactSensitive(sanitizeString(suggestion, 500)) : null;
-    const sanitizedSteps = sanitizeArray(nextSteps, 10).map(s => sanitizeString(s, 200));
-    
-    let errorText = `❌ ${sanitizedText}`;
+    let errorText = `❌ ${text}`;
     
     if (code) {
-      errorText += `\n\n**Error Code:** \`${sanitizeString(code, 50)}\``;
+      errorText += `\n\n**Error Code:** \`${code}\``;
     }
     
-    if (sanitizedSuggestion) {
-      errorText += `\n\n💡 **Suggestion:** ${sanitizedSuggestion}`;
+    if (suggestion) {
+      errorText += `\n\n💡 **Suggestion:** ${suggestion}`;
     }
     
-    if (sanitizedSteps.length > 0) {
+    if (nextSteps.length > 0) {
       errorText += `\n\n**Next Steps:**\n`;
-      sanitizedSteps.forEach((step, i) => {
+      nextSteps.forEach((step, i) => {
         errorText += `${i + 1}. ${step}\n`;
       });
     }
@@ -1632,10 +1123,10 @@ class VibecheckMCP {
     return { content: [{ type: "text", text: errorText }], isError: true };
   }
 
-  // Validate project path exists and is accessible (sync for simple validation)
+  // Validate project path exists and is accessible
   validateProjectPath(projectPath) {
     try {
-      const stats = fsSync.statSync(projectPath);
+      const stats = require("fs").statSync(projectPath);
       if (!stats.isDirectory()) {
         return { 
           valid: false, 
@@ -1677,157 +1168,47 @@ class VibecheckMCP {
       });
     }
 
-    // HARDENING: Validate and sanitize profile
-    const validProfiles = ["quick", "full", "ship", "ci", "security", "compliance", "ai"];
-    const profile = validProfiles.includes(args?.profile) ? args?.profile : "quick";
-    
-    // HARDENING: Sanitize only array
-    const only = sanitizeArray(args?.only, 20).map(item => sanitizeString(item, 50));
-
-    // Initialize API integration with timeout and circuit breaker
-    let apiScan = null;
-    let apiConnected = false;
-    
-    // HARDENING: Check circuit breaker before attempting API calls
-    const circuitCheck = checkCircuitBreaker();
-    
-    // Try to connect to API for dashboard integration
-    if (circuitCheck.allowed) {
-      try {
-        // HARDENING: Add timeout to API availability check
-        const apiCheckPromise = isApiAvailable();
-        const timeoutPromise = new Promise((_, reject) => 
-          setTimeout(() => reject(new Error('API check timeout')), 5000)
-        );
-        
-        apiConnected = await Promise.race([apiCheckPromise, timeoutPromise]);
-        
-        if (apiConnected) {
-          // Create scan record in dashboard
-          const createScanPromise = createScan({
-            localPath: sanitizeString(projectPath, 500),
-            branch: sanitizeString(args?.branch, 100) || 'main',
-            enableLLM: false,
-          });
-          const scanTimeoutPromise = new Promise((_, reject) => 
-            setTimeout(() => reject(new Error('Create scan timeout')), 10000)
-          );
-          
-          apiScan = await Promise.race([createScanPromise, scanTimeoutPromise]);
-          console.error(`[MCP] Connected to dashboard (Scan ID: ${apiScan.scanId})`);
-          recordApiResult(true); // Record success
-        }
-      } catch (err) {
-        // API connection is optional, continue without it
-        console.error(`[MCP] Dashboard integration unavailable: ${err.message}`);
-        recordApiResult(false); // Record failure
-      }
-    } else {
-      console.error(`[MCP] ${circuitCheck.reason}`);
-    }
+    const profile = args?.profile || "quick";
+    const format = args?.format || "text";
+    const only = args?.only;
 
     let output = "# 🔍 vibecheck Scan\n\n";
     output += `**Profile:** ${profile}\n`;
     output += `**Path:** ${projectPath}\n\n`;
 
-    // Build CLI arguments array (secure - no injection possible)
-    const cliArgs = [`--profile=${profile}`, "--json"];
-    if (only.length > 0) {
-      cliArgs.push(`--only=${only.join(",")}`);
-    }
-
     try {
-      await this.runCLI("scan", cliArgs, projectPath, { timeout: CONFIG.TIMEOUTS.SCAN });
+      // Build CLI command
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" scan`;
+      cmd += ` --profile=${profile}`;
+      if (only?.length) cmd += ` --only=${only.join(",")}`;
+      cmd += ` --json`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+      });
 
-      // Read summary from disk
-      const summary = await this.parseSummaryFromDisk(projectPath);
-      if (summary) {
-        output += this.formatScanOutput(summary, projectPath);
-        
-        // Submit results to dashboard if connected
-        if (apiConnected && apiScan) {
-          try {
-            // HARDENING: Add timeout to result submission
-            const submitPromise = submitScanResults(apiScan.scanId, {
-              verdict: sanitizeString(summary.verdict, 50) || 'UNKNOWN',
-              score: sanitizeNumber(summary.score?.overall, 0, 100, 0),
-              findings: sanitizeArray(summary.findings, 1000) || [],
-              filesScanned: sanitizeNumber(summary.stats?.filesScanned, 0, 1000000, 0),
-              linesScanned: sanitizeNumber(summary.stats?.linesScanned, 0, 100000000, 0),
-              durationMs: sanitizeNumber(summary.timings?.total, 0, 3600000, 0),
-              metadata: {
-                profile,
-                source: 'mcp-server',
-                version: CONFIG.VERSION,
-              },
-            });
-            const submitTimeout = new Promise((_, reject) => 
-              setTimeout(() => reject(new Error('Submit timeout')), 10000)
-            );
-            
-            await Promise.race([submitPromise, submitTimeout]);
-            console.error(`[MCP] Results sent to dashboard`);
-          } catch (err) {
-            console.error(`[MCP] Failed to send results to dashboard: ${err.message}`);
-          }
+      // Read summary
+      const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
+      const summary = JSON.parse(await fs.readFile(summaryPath, "utf-8"));
+
+      output += `## Score: ${summary.score}/100 (${summary.grade})\n\n`;
+      output += `**Verdict:** ${summary.canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n\n`;
+
+      if (summary.counts) {
+        output += "### Checks\n\n";
+        output += "| Category | Issues |\n|----------|--------|\n";
+        for (const [key, count] of Object.entries(summary.counts)) {
+          const icon = count === 0 ? "✅" : "⚠️";
+          output += `| ${icon} ${key} | ${count} |\n`;
         }
       }
+
+      output += `\n📄 **Report:** .vibecheck/report.html\n`;
       output += "\n---\n_Context Enhanced by vibecheck AI_\n";
       return this.success(output);
     } catch (err) {
-      // Graceful degradation: check if scan completed but found issues (exit code 1)
-      const summary = await this.parseSummaryFromDisk(projectPath);
-      if (summary) {
-        output += this.formatScanOutput(summary, projectPath);
-        
-        // Submit results to dashboard if connected
-        if (apiConnected && apiScan) {
-          try {
-            // HARDENING: Add timeout to error case submission
-            const submitPromise = submitScanResults(apiScan.scanId, {
-              verdict: sanitizeString(summary.verdict, 50) || 'UNKNOWN',
-              score: sanitizeNumber(summary.score?.overall, 0, 100, 0),
-              findings: sanitizeArray(summary.findings, 1000) || [],
-              filesScanned: sanitizeNumber(summary.stats?.filesScanned, 0, 1000000, 0),
-              linesScanned: sanitizeNumber(summary.stats?.linesScanned, 0, 100000000, 0),
-              durationMs: sanitizeNumber(summary.timings?.total, 0, 3600000, 0),
-              metadata: {
-                profile,
-                source: 'mcp-server',
-                version: CONFIG.VERSION,
-                error: sanitizeString(err.message, 500),
-              },
-            });
-            const submitTimeout = new Promise((_, reject) => 
-              setTimeout(() => reject(new Error('Submit timeout')), 10000)
-            );
-            
-            await Promise.race([submitPromise, submitTimeout]);
-            console.error(`[MCP] Results sent to dashboard (with error)`);
-          } catch (apiErr) {
-            console.error(`[MCP] Failed to send results to dashboard: ${apiErr.message}`);
-          }
-        }
-        output += `\n⚠️ Scan completed with findings (exit code ${err.code || 1})\n`;
-        return this.success(output);
-      }
-
-      // Report error to dashboard if connected
-      if (apiConnected && apiScan) {
-        try {
-          // HARDENING: Add timeout to error reporting
-          const reportPromise = reportScanError(apiScan.scanId, err);
-          const reportTimeout = new Promise((_, reject) => 
-            setTimeout(() => reject(new Error('Report timeout')), 10000)
-          );
-          
-          await Promise.race([reportPromise, reportTimeout]);
-          console.error(`[MCP] Error reported to dashboard`);
-        } catch (apiErr) {
-          console.error(`[MCP] Failed to report error to dashboard: ${apiErr.message}`);
-        }
-      }
-
       return this.error(`Scan failed: ${err.message}`, {
         code: "SCAN_ERROR",
         suggestion: "Check that the project path is valid and contains scanable code",
@@ -1846,7 +1227,7 @@ class VibecheckMCP {
   // ============================================================================
   async handleGate(projectPath, args) {
     // Check tier access (STARTER tier required)
-    const access = await getFeatureAccessStatus("gate", args?.apiKey);
+    const access = await checkFeatureAccess("gate", args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -1862,12 +1243,16 @@ class VibecheckMCP {
     let output = "# 🚦 vibecheck Gate\n\n";
     output += `**Policy:** ${policy}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [`--policy=${policy}`];
-    if (args?.sarif) cliArgs.push("--sarif");
-
     try {
-      await this.runCLI("gate", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" gate`;
+      cmd += ` --policy=${policy}`;
+      if (args?.sarif) cmd += ` --sarif`;
+
+      execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+      });
 
       output += "## ✅ GATE PASSED\n\n";
       output += "All checks passed. Clear to merge.\n";
@@ -1886,7 +1271,7 @@ class VibecheckMCP {
   async handleFix(projectPath, args) {
     // Check tier access for --apply and --autopilot (PRO tier required)
     if (args?.apply || args?.autopilot) {
-      const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
+      const access = await checkFeatureAccess("fix.apply_patches", args?.apiKey);
       if (!access.hasAccess) {
         return {
           content: [{
@@ -1900,35 +1285,35 @@ class VibecheckMCP {
 
     const mode = args?.autopilot ? "Autopilot" : 
                  args?.apply ? "Apply" : 
-                 args?.promptOnly ? "Prompt Only" : 
-                 args?.dryRun ? "Dry Run" : "Plan";
+                 args?.promptOnly ? "Prompt Only" : "Plan";
 
     let output = "# 🛠 vibecheck Fix Missions v1\n\n";
     output += `**Mode:** ${mode}\n`;
     output += `**Max Missions:** ${args?.maxMissions || 8}\n`;
     if (args?.autopilot) output += `**Max Steps:** ${args?.maxSteps || 10}\n`;
-    if (args?.dryRun) output += `**Dry Run:** Yes (no changes will be made)\n`;
     output += "\n";
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.promptOnly) cliArgs.push("--prompt-only");
-    if (args?.apply) cliArgs.push("--apply");
-    if (args?.autopilot) cliArgs.push("--autopilot");
-    if (args?.share) cliArgs.push("--share");
-    if (args?.dryRun) cliArgs.push("--dry-run");
-    if (args?.maxMissions) cliArgs.push("--max-missions", String(args.maxMissions));
-    if (args?.maxSteps) cliArgs.push("--max-steps", String(args.maxSteps));
-
     try {
-      const result = await this.runCLI("fix", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.AUTOPILOT 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" fix`;
+      if (args?.promptOnly) cmd += ` --prompt-only`;
+      if (args?.apply) cmd += ` --apply`;
+      if (args?.autopilot) cmd += ` --autopilot`;
+      if (args?.share) cmd += ` --share`;
+      if (args?.maxMissions) cmd += ` --max-missions ${args.maxMissions}`;
+      if (args?.maxSteps) cmd += ` --max-steps ${args.maxSteps}`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 300000, // 5 min timeout for autopilot
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
 
       // Read mission pack if available
-      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
+      const missionsDir = path.join(projectPath, ".vibecheck", "missions");
       try {
         const dirs = await fs.readdir(missionsDir);
         const latest = dirs.sort().reverse()[0];
@@ -1942,12 +1327,12 @@ class VibecheckMCP {
             const m = missions.missions[i];
             output += `| ${i + 1} | ${m.title} | ${m.targetFindingIds.length} |\n`;
           }
-          output += `\n📁 **Mission Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}\n`;
+          output += `\n📁 **Mission Pack:** .vibecheck/missions/${latest}\n`;
         }
       } catch {}
     } catch (err) {
       output += `\n⚠️ Fix error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
+      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
     }
 
     output += "\n---\n_Fix Missions v1 — Reality Firewall Protected_\n";
@@ -1960,18 +1345,22 @@ class VibecheckMCP {
   async handleShare(projectPath, args) {
     let output = "# 📦 vibecheck Share Bundle\n\n";
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.prComment) cliArgs.push("--pr-comment");
-    if (args?.out) cliArgs.push("--out", args.out);
-
     try {
-      const result = await this.runCLI("share", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" share`;
+      if (args?.prComment) cmd += ` --pr-comment`;
+      if (args?.out) cmd += ` --out "${args.out}"`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Read share pack if available
-      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
+      const missionsDir = path.join(projectPath, ".vibecheck", "missions");
       try {
         const dirs = await fs.readdir(missionsDir);
         const latest = dirs.sort().reverse()[0];
@@ -1994,14 +1383,14 @@ class VibecheckMCP {
               }
             }
             
-            output += `\n📁 **Share Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/\n`;
-            output += `📄 **PR Comment:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/pr_comment.md\n`;
+            output += `\n📁 **Share Pack:** .vibecheck/missions/${latest}/share/\n`;
+            output += `📄 **PR Comment:** .vibecheck/missions/${latest}/share/pr_comment.md\n`;
           } catch {}
         }
       } catch {}
     } catch (err) {
       output += `\n⚠️ Share error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
+      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
     }
 
     output += "\n---\n_Fix Missions Share Bundle_\n";
@@ -2015,23 +1404,28 @@ class VibecheckMCP {
     let output = "# 📦 vibecheck Truth Pack\n\n";
     output += `**Path:** ${projectPath}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.snapshot) cliArgs.push("--snapshot");
-    if (args?.json) cliArgs.push("--json");
-
     try {
-      const result = await this.runCLI("ctx", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ctx`;
+      if (args?.snapshot) cmd += ` --snapshot`;
+      if (args?.json) cmd += ` --json`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      });
 
       if (args?.json) {
         // Return raw JSON
-        return this.success(result.stdout);
+        output = result;
+        return this.success(output);
       }
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
 
       // Read truthpack summary
-      const truthpackPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "truth", "truthpack.json");
+      const truthpackPath = path.join(projectPath, ".vibecheck", "truth", "truthpack.json");
       try {
         const truthpack = JSON.parse(await fs.readFile(truthpackPath, "utf-8"));
         
@@ -2046,7 +1440,7 @@ class VibecheckMCP {
         output += `| Stripe Detected | ${truthpack.billing?.hasStripe ? "✅" : "❌"} |\n`;
         output += `| Webhooks | ${truthpack.billing?.summary?.webhookHandlersFound || 0} |\n`;
         
-        output += `\n📁 **Saved:** ${CONFIG.OUTPUT_DIR}/truth/truthpack.json\n`;
+        output += `\n📁 **Saved:** .vibecheck/truth/truthpack.json\n`;
       } catch {}
     } catch (err) {
       output += `\n⚠️ Truth pack error: ${err.message}\n`;
@@ -2061,7 +1455,7 @@ class VibecheckMCP {
   // ============================================================================
   async handleProve(projectPath, args) {
     // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("prove", args?.apiKey);
+    const access = await checkFeatureAccess("prove", args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -2076,24 +1470,27 @@ class VibecheckMCP {
     output += `**URL:** ${args?.url || "(static only)"}\n`;
     output += `**Max Fix Rounds:** ${args?.maxFixRounds || 3}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.url) cliArgs.push("--url", args.url);
-    if (args?.auth) cliArgs.push("--auth", args.auth);
-    if (args?.storageState) cliArgs.push("--storage-state", args.storageState);
-    if (args?.skipReality) cliArgs.push("--skip-reality");
-    if (args?.skipFix) cliArgs.push("--skip-fix");
-    if (args?.maxFixRounds) cliArgs.push("--max-fix-rounds", String(args.maxFixRounds));
-
     try {
-      const result = await this.runCLI("prove", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.PROVE 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" prove`;
+      if (args?.url) cmd += ` --url ${args.url}`;
+      if (args?.auth) cmd += ` --auth ${args.auth}`;
+      if (args?.storageState) cmd += ` --storage-state ${args.storageState}`;
+      if (args?.skipReality) cmd += ` --skip-reality`;
+      if (args?.skipFix) cmd += ` --skip-fix`;
+      if (args?.maxFixRounds) cmd += ` --max-fix-rounds ${args.maxFixRounds}`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 600000, // 10 min timeout for full prove loop
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Read prove report
-      const provePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "prove", "last_prove.json");
+      const provePath = path.join(projectPath, ".vibecheck", "prove", "last_prove.json");
       try {
         const report = JSON.parse(await fs.readFile(provePath, "utf-8"));
         
@@ -2108,7 +1505,7 @@ class VibecheckMCP {
       } catch {}
     } catch (err) {
       output += `\n⚠️ Prove error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
+      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
     }
 
     output += "\n---\n_One command to make it real_\n";
@@ -2127,18 +1524,19 @@ class VibecheckMCP {
 
     let output = `# 🎬 vibecheck Proof: ${mode.toUpperCase()}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [mode];
-    if (mode === "reality" && args?.url) cliArgs.push(`--url=${args.url}`);
-    if (mode === "reality" && args?.flow) cliArgs.push(`--flow=${args.flow}`);
-
     try {
-      const result = await this.runCLI("proof", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.SCAN,
-        skipAuth: false 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" proof ${mode}`;
+      if (mode === "reality" && args?.url) cmd += ` --url=${args.url}`;
+      if (mode === "reality" && args?.flow) cmd += ` --flow=${args.flow}`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 120000, // 2 min timeout for reality mode
       });
 
-      output += result.stdout;
+      output += result;
     } catch (err) {
       if (mode === "mocks") {
         output += "## 🚫 MOCKPROOF: FAIL\n\n";
@@ -2147,7 +1545,7 @@ class VibecheckMCP {
         output += "## 🚫 REALITY MODE: FAIL\n\n";
         output += "Fake data or mock services detected at runtime.\n";
       }
-      output += `\n${err.partialOutput || err.message}\n`;
+      output += `\n${err.stdout || err.message}\n`;
     }
 
     return this.success(output);
@@ -2264,30 +1662,24 @@ class VibecheckMCP {
   // SHIP - Quick health check
   // ============================================================================
   async handleShip(projectPath, args) {
-    // HARDENING: Validate project path
-    const validation = this.validateProjectPath(projectPath);
-    if (!validation.valid) {
-      return this.error(validation.error, {
-        code: validation.code || "INVALID_PATH",
-        suggestion: validation.suggestion,
-        nextSteps: validation.nextSteps || [],
-      });
-    }
-
     let output = "# 🚀 vibecheck Ship\n\n";
     output += `**Path:** ${projectPath}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.fix) cliArgs.push("--fix");
-
     try {
-      const result = await this.runCLI("ship", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ship`;
+      if (args?.fix) cmd += ` --fix`;
 
-      output += this.stripAnsi(result.stdout);
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      });
+
+      // Parse the output for key information
+      output += result.replace(/\x1b\[[0-9;]*m/g, ""); // Strip ANSI codes
     } catch (err) {
       output += `\n⚠️ Ship check failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
     }
 
     output += "\n---\n_Context Enhanced by vibecheck AI_\n";
@@ -2298,46 +1690,35 @@ class VibecheckMCP {
   // VERIFY - Runtime browser testing
   // ============================================================================
   async handleVerify(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
+    const url = args?.url;
+    if (!url) return this.error("URL is required");
 
     let output = "# 🧪 vibecheck Verify\n\n";
     output += `**URL:** ${url}\n`;
-    
-    // HARDENING: Sanitize array inputs
-    const flows = sanitizeArray(args?.flows, 10);
-    if (flows.length) output += `**Flows:** ${flows.join(", ")}\n`;
+    if (args?.flows?.length) output += `**Flows:** ${args.flows.join(", ")}\n`;
     if (args?.headed) output += `**Mode:** Headed (visible browser)\n`;
     if (args?.record) output += `**Recording:** Enabled\n`;
     output += "\n";
 
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    // HARDENING: Sanitize auth - don't log full credentials
-    if (args?.auth && typeof args.auth === 'string') {
-      cliArgs.push("--auth", sanitizeString(args.auth, 200));
-    }
-    if (flows.length) cliArgs.push("--flows", flows.join(","));
-    if (args?.headed) cliArgs.push("--headed");
-    if (args?.record) cliArgs.push("--record");
-
     try {
-      const result = await this.runCLI("verify", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.VERIFY 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" verify --url "${url}"`;
+      if (args?.auth) cmd += ` --auth "${args.auth}"`;
+      if (args?.flows?.length) cmd += ` --flows ${args.flows.join(",")}`;
+      if (args?.headed) cmd += ` --headed`;
+      if (args?.record) cmd += ` --record`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 180000, // 3 min timeout
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Try to read reality results
-      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
+      const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
       try {
         const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
         
@@ -2360,11 +1741,11 @@ class VibecheckMCP {
           }
         }
         
-        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
+        output += `\n📁 **Full Report:** .vibecheck/reality/last_reality.json\n`;
       } catch {}
     } catch (err) {
       output += `\n⚠️ Verify failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
+      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
     }
 
     output += "\n---\n_Runtime Verification by vibecheck_\n";
@@ -2375,78 +1756,42 @@ class VibecheckMCP {
   // REALITY v2 - Two-Pass Auth Verification + Dead UI Crawler
   // ============================================================================
   async handleReality(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
+    const url = args?.url;
+    if (!url) return this.error("URL is required");
 
     let output = "# 🧪 vibecheck Reality v2\n\n";
     output += `**URL:** ${url}\n`;
     output += `**Two-Pass Auth:** ${args?.verifyAuth ? "Yes" : "No"}\n`;
-    
-    // HARDENING: Safely display auth info (mask password)
-    if (args?.auth && typeof args.auth === 'string') {
-      const authParts = args.auth.split(":");
-      const maskedAuth = authParts[0] ? `${authParts[0].slice(0, 20)}:***` : '***';
-      output += `**Auth:** ${maskedAuth}\n`;
-    }
-    if (args?.storageState) output += `**Storage State:** ${sanitizeString(args.storageState, 100)}\n`;
+    if (args?.auth) output += `**Auth:** ${args.auth.split(":")[0]}:***\n`;
+    if (args?.storageState) output += `**Storage State:** ${args.storageState}\n`;
     if (args?.headed) output += `**Mode:** Headed (visible browser)\n`;
     if (args?.danger) output += `**Danger Mode:** Enabled (risky clicks allowed)\n`;
     output += "\n";
 
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    if (args?.auth && typeof args.auth === 'string') {
-      cliArgs.push("--auth", sanitizeString(args.auth, 200));
-    }
-    if (args?.verifyAuth) cliArgs.push("--verify-auth");
-    
-    // HARDENING: Validate path arguments
-    if (args?.storageState) {
-      const pathCheck = sanitizePath(args.storageState, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--storage-state", pathCheck.path);
-      }
-    }
-    if (args?.saveStorageState) {
-      const pathCheck = sanitizePath(args.saveStorageState, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--save-storage-state", pathCheck.path);
-      }
-    }
-    if (args?.truthpack) {
-      const pathCheck = sanitizePath(args.truthpack, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--truthpack", pathCheck.path);
-      }
-    }
-    if (args?.headed) cliArgs.push("--headed");
-    
-    // HARDENING: Bound numeric arguments
-    if (args?.maxPages) {
-      cliArgs.push("--max-pages", String(sanitizeNumber(args.maxPages, 1, 100, 18)));
-    }
-    if (args?.maxDepth) {
-      cliArgs.push("--max-depth", String(sanitizeNumber(args.maxDepth, 1, 10, 2)));
-    }
-    if (args?.danger) cliArgs.push("--danger");
-
     try {
-      const result = await this.runCLI("reality", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.REALITY 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" reality --url "${url}"`;
+      if (args?.auth) cmd += ` --auth "${args.auth}"`;
+      if (args?.verifyAuth) cmd += ` --verify-auth`;
+      if (args?.storageState) cmd += ` --storage-state "${args.storageState}"`;
+      if (args?.saveStorageState) cmd += ` --save-storage-state "${args.saveStorageState}"`;
+      if (args?.truthpack) cmd += ` --truthpack "${args.truthpack}"`;
+      if (args?.headed) cmd += ` --headed`;
+      if (args?.maxPages) cmd += ` --max-pages ${args.maxPages}`;
+      if (args?.maxDepth) cmd += ` --max-depth ${args.maxDepth}`;
+      if (args?.danger) cmd += ` --danger`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 300000, // 5 min timeout for two-pass
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Read reality results
-      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
+      const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
       try {
         const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
         
@@ -2497,7 +1842,7 @@ class VibecheckMCP {
         const verdict = blocks.length > 0 ? "🛑 BLOCK" : warns.length > 0 ? "⚠️ WARN" : "✅ CLEAN";
         output += `\n## Verdict: ${verdict}\n`;
         
-        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
+        output += `\n📁 **Full Report:** .vibecheck/reality/last_reality.json\n`;
         
         if (reality.meta?.savedStorageState) {
           output += `📁 **Saved Auth State:** ${reality.meta.savedStorageState}\n`;
@@ -2505,7 +1850,7 @@ class VibecheckMCP {
       } catch {}
     } catch (err) {
       output += `\n⚠️ Reality failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
+      if (err.stdout) output += `\n${err.stdout.replace(/\x1b\[[0-9;]*m/g, "")}\n`;
     }
 
     output += "\n---\n_Reality Mode v2 — Two-Pass Auth Verification_\n";
@@ -2516,38 +1861,35 @@ class VibecheckMCP {
   // AI-TEST - AI Agent testing
   // ============================================================================
   async handleAITest(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
-
-    // HARDENING: Sanitize goal string
-    const goal = sanitizeString(args?.goal, 500) || "Test all features";
+    const url = args?.url;
+    if (!url) return this.error("URL is required");
 
     let output = "# 🤖 vibecheck AI Agent\n\n";
     output += `**URL:** ${url}\n`;
-    output += `**Goal:** ${goal}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    if (goal) cliArgs.push("--goal", goal);
-    if (args?.headed) cliArgs.push("--headed");
+    output += `**Goal:** ${args?.goal || "Test all features"}\n\n`;
 
     try {
-      const result = await this.runCLI("ai-test", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.VERIFY 
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" ai-test --url "${url}"`;
+      if (args?.goal) cmd += ` --goal "${args.goal}"`;
+      if (args?.headed) cmd += ` --headed`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 180000,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Try to read fix prompts
-      const promptPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "ai-agent", "fix-prompt.md");
+      const promptPath = path.join(
+        projectPath,
+        ".vibecheck",
+        "ai-agent",
+        "fix-prompt.md",
+      );
       try {
         const prompts = await fs.readFile(promptPath, "utf-8");
         output += "\n## Fix Prompts Generated\n\n";
@@ -2571,15 +1913,19 @@ class VibecheckMCP {
     let output = "# 🤖 vibecheck Autopilot\n\n";
     output += `**Action:** ${action}\n\n`;
 
-    // Build CLI arguments array (secure - no injection possible)
-    const cliArgs = [action];
-    if (args?.slack) cliArgs.push("--slack", args.slack);
-    if (args?.email) cliArgs.push("--email", args.email);
-
     try {
-      const result = await this.runCLI("autopilot", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot ${action}`;
+      if (args?.slack) cmd += ` --slack="${args.slack}"`;
+      if (args?.email) cmd += ` --email="${args.email}"`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
     } catch (err) {
       output += `\n⚠️ Autopilot failed: ${err.message}\n`;
     }
@@ -2592,7 +1938,7 @@ class VibecheckMCP {
   // ============================================================================
   async handleAutopilotPlan(projectPath, args) {
     // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
+    const access = await checkFeatureAccess("fix.apply_patches", args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -2616,17 +1962,20 @@ class VibecheckMCP {
         const core = await import(corePath);
         runAutopilot = core.runAutopilot;
       } catch {
-        // Fallback to CLI - build secure args array
-        const cliArgs = [
-          "plan",
-          "--profile", args?.profile || "ship",
-          "--max-fixes", String(args?.maxFixes || 10),
-          "--json"
-        ];
-
-        const result = await this.runCLI("autopilot", cliArgs, projectPath);
+        // Fallback to CLI
+        let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot plan`;
+        cmd += ` --profile ${args?.profile || "ship"}`;
+        cmd += ` --max-fixes ${args?.maxFixes || 10}`;
+        cmd += ` --json`;
+
+        const result = execSync(cmd, {
+          cwd: projectPath,
+          encoding: "utf8",
+          maxBuffer: 10 * 1024 * 1024,
+          env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+        });
 
-        const jsonResult = JSON.parse(result.stdout);
+        const jsonResult = JSON.parse(result);
         output += `## Scan Results\n\n`;
         output += `- **Total findings:** ${jsonResult.totalFindings}\n`;
         output += `- **Fixable:** ${jsonResult.fixableFindings}\n`;
@@ -2679,7 +2028,7 @@ class VibecheckMCP {
   // ============================================================================
   async handleAutopilotApply(projectPath, args) {
     // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("fix.apply_patches", args?.apiKey);
+    const access = await checkFeatureAccess("fix.apply_patches", args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -2695,22 +2044,24 @@ class VibecheckMCP {
     output += `**Profile:** ${args?.profile || "ship"}\n`;
     output += `**Dry Run:** ${args?.dryRun ? "Yes" : "No"}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [
-      "apply",
-      "--profile", args?.profile || "ship",
-      "--max-fixes", String(args?.maxFixes || 10),
-      "--json"
-    ];
-    if (args?.verify === false) cliArgs.push("--no-verify");
-    if (args?.dryRun) cliArgs.push("--dry-run");
-
     try {
-      const result = await this.runCLI("autopilot", cliArgs, projectPath, {
-        timeout: CONFIG.TIMEOUTS.AUTOPILOT,
+      // Fallback to CLI
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" autopilot apply`;
+      cmd += ` --profile ${args?.profile || "ship"}`;
+      cmd += ` --max-fixes ${args?.maxFixes || 10}`;
+      if (args?.verify === false) cmd += ` --no-verify`;
+      if (args?.dryRun) cmd += ` --dry-run`;
+      cmd += ` --json`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        timeout: 300000, // 5 min timeout
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
       });
 
-      const jsonResult = JSON.parse(result.stdout);
+      const jsonResult = JSON.parse(result);
 
       output += `## Results\n\n`;
       output += `- **Packs attempted:** ${jsonResult.packsAttempted}\n`;
@@ -2740,7 +2091,7 @@ class VibecheckMCP {
   // ============================================================================
   async handleBadge(projectPath, args) {
     // Check tier access (STARTER tier required)
-    const access = await getFeatureAccessStatus("badge", args?.apiKey);
+    const access = await checkFeatureAccess("badge", args?.apiKey);
     if (!access.hasAccess) {
       return {
         content: [{
@@ -2755,17 +2106,26 @@ class VibecheckMCP {
 
     let output = "# 🏅 vibecheck Badge\n\n";
 
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--format", format];
-    if (args?.style) cliArgs.push("--style", args.style);
-
     try {
-      const result = await this.runCLI("badge", cliArgs, projectPath);
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" badge --format ${format}`;
+      if (args?.style) cmd += ` --style ${args.style}`;
+
+      const result = execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+        env: { ...process.env, VIBECHECK_SKIP_AUTH: "1" },
+      });
 
-      output += this.stripAnsi(result.stdout);
+      output += result.replace(/\x1b\[[0-9;]*m/g, "");
 
       // Read the badge file
-      const badgePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "badges", `badge.${format}`);
+      const badgePath = path.join(
+        projectPath,
+        ".vibecheck",
+        "badges",
+        `badge.${format}`,
+      );
       try {
         const badge = await fs.readFile(badgePath, "utf-8");
         if (format === "md") {
@@ -2793,15 +2153,19 @@ class VibecheckMCP {
     output += `**Project:** ${path.basename(projectPath)}\n`;
     output += `**Platform:** ${platform}\n\n`;
 
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (platform !== "all") cliArgs.push(`--platform=${platform}`);
-
     try {
-      await this.runCLI("context", cliArgs, projectPath, { skipAuth: false });
+      let cmd = `node "${path.join(__dirname, "..", "bin", "vibecheck.js")}" context`;
+      if (platform !== "all") cmd += ` --platform=${platform}`;
+
+      execSync(cmd, {
+        cwd: projectPath,
+        encoding: "utf8",
+        maxBuffer: 10 * 1024 * 1024,
+      });
 
       output += "## ✅ Context Generated\n\n";
-      output += "Your AI coding assistants now have full project awareness.\n\n";
+      output +=
+        "Your AI coding assistants now have full project awareness.\n\n";
 
       output += "### Generated Files\n\n";
 
@@ -2822,8 +2186,8 @@ class VibecheckMCP {
       }
 
       output += "**Universal (MCP):**\n";
-      output += `- \`${CONFIG.OUTPUT_DIR}/context.json\` - Full context\n`;
-      output += `- \`${CONFIG.OUTPUT_DIR}/project-map.json\` - Project analysis\n\n`;
+      output += "- `.vibecheck/context.json` - Full context\n";
+      output += "- `.vibecheck/project-map.json` - Project analysis\n\n";
 
       output += "### What Your AI Now Knows\n\n";
       output += "- Project architecture and structure\n";
@@ -2832,7 +2196,8 @@ class VibecheckMCP {
       output += "- Coding conventions and patterns\n";
       output += "- Dependencies and tech stack\n\n";
 
-      output += "> **Tip:** Regenerate after major codebase changes with `vibecheck context`\n";
+      output +=
+        "> **Tip:** Regenerate after major codebase changes with `vibecheck context`\n";
     } catch (err) {
       output += `\n⚠️ Context generation failed: ${err.message}\n`;
     }
@@ -2896,57 +2261,15 @@ class VibecheckMCP {
   }
 
   // ============================================================================
-  // RUN - with graceful shutdown handling
+  // RUN
   // ============================================================================
   async run() {
     const transport = new StdioServerTransport();
-    
-    // ========================================================================
-    // HARDENING: Graceful shutdown handling
-    // ========================================================================
-    const shutdown = async (signal) => {
-      console.error(`\n[MCP] Received ${signal}, shutting down gracefully...`);
-      try {
-        // Clear rate limit state to prevent memory leaks
-        rateLimitState.calls = [];
-        
-        // Close server connection
-        await this.server.close();
-        console.error('[MCP] Server closed successfully');
-      } catch (err) {
-        console.error(`[MCP] Error during shutdown: ${err.message}`);
-      }
-      process.exit(0);
-    };
-    
-    // Handle termination signals
-    process.on('SIGINT', () => shutdown('SIGINT'));
-    process.on('SIGTERM', () => shutdown('SIGTERM'));
-    
-    // Handle uncaught errors gracefully
-    process.on('uncaughtException', (err) => {
-      console.error(`[MCP] Uncaught exception: ${err.message}`);
-      console.error(err.stack);
-      // Don't exit - try to keep running
-    });
-    
-    process.on('unhandledRejection', (reason, promise) => {
-      console.error(`[MCP] Unhandled rejection at:`, promise);
-      console.error(`[MCP] Reason:`, reason);
-      // Don't exit - try to keep running
-    });
-    
     await this.server.connect(transport);
-    console.error(`vibecheck MCP Server v${VERSION} running on stdio (hardened)`);
+    console.error("vibecheck MCP Server v2.0 running on stdio");
   }
 }
 
-// ============================================================================
-// MAIN - with error handling
-// ============================================================================
+// Main
 const server = new VibecheckMCP();
-server.run().catch((err) => {
-  console.error(`[MCP] Fatal error starting server: ${err.message}`);
-  console.error(err.stack);
-  process.exit(1);
-});
+server.run().catch(console.error);