npm - @vibecheckai/cli - Versions diffs - 3.5.1 → 3.5.2 - Mend

@vibecheckai/cli 3.5.1 → 3.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

package/bin/registry.js +406 -154
package/bin/runners/context/analyzer.js +52 -1
package/bin/runners/context/generators/mcp.js +15 -13
package/bin/runners/context/git-context.js +3 -1
package/bin/runners/context/proof-context.js +248 -1
package/bin/runners/context/team-conventions.js +33 -7
package/bin/runners/lib/agent-firewall/ai/false-positive-analyzer.js +474 -0
package/bin/runners/lib/agent-firewall/change-packet/builder.js +488 -0
package/bin/runners/lib/agent-firewall/change-packet/schema.json +228 -0
package/bin/runners/lib/agent-firewall/change-packet/store.js +200 -0
package/bin/runners/lib/agent-firewall/claims/claim-types.js +21 -0
package/bin/runners/lib/agent-firewall/claims/extractor.js +303 -0
package/bin/runners/lib/agent-firewall/claims/patterns.js +24 -0
package/bin/runners/lib/agent-firewall/critic/index.js +151 -0
package/bin/runners/lib/agent-firewall/critic/judge.js +432 -0
package/bin/runners/lib/agent-firewall/critic/prompts.js +305 -0
package/bin/runners/lib/agent-firewall/evidence/auth-evidence.js +88 -0
package/bin/runners/lib/agent-firewall/evidence/contract-evidence.js +75 -0
package/bin/runners/lib/agent-firewall/evidence/env-evidence.js +127 -0
package/bin/runners/lib/agent-firewall/evidence/resolver.js +102 -0
package/bin/runners/lib/agent-firewall/evidence/route-evidence.js +213 -0
package/bin/runners/lib/agent-firewall/evidence/side-effect-evidence.js +145 -0
package/bin/runners/lib/agent-firewall/fs-hook/daemon.js +19 -0
package/bin/runners/lib/agent-firewall/fs-hook/installer.js +87 -0
package/bin/runners/lib/agent-firewall/fs-hook/watcher.js +184 -0
package/bin/runners/lib/agent-firewall/git-hook/pre-commit.js +163 -0
package/bin/runners/lib/agent-firewall/ide-extension/cursor.js +107 -0
package/bin/runners/lib/agent-firewall/ide-extension/vscode.js +68 -0
package/bin/runners/lib/agent-firewall/ide-extension/windsurf.js +66 -0
package/bin/runners/lib/agent-firewall/interceptor/base.js +304 -0
package/bin/runners/lib/agent-firewall/interceptor/cursor.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/vscode.js +35 -0
package/bin/runners/lib/agent-firewall/interceptor/windsurf.js +34 -0
package/bin/runners/lib/agent-firewall/lawbook/distributor.js +465 -0
package/bin/runners/lib/agent-firewall/lawbook/evaluator.js +604 -0
package/bin/runners/lib/agent-firewall/lawbook/index.js +304 -0
package/bin/runners/lib/agent-firewall/lawbook/registry.js +514 -0
package/bin/runners/lib/agent-firewall/lawbook/schema.js +420 -0
package/bin/runners/lib/agent-firewall/logger.js +141 -0
package/bin/runners/lib/agent-firewall/policy/default-policy.json +90 -0
package/bin/runners/lib/agent-firewall/policy/engine.js +103 -0
package/bin/runners/lib/agent-firewall/policy/loader.js +451 -0
package/bin/runners/lib/agent-firewall/policy/rules/auth-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/contract-drift.js +50 -0
package/bin/runners/lib/agent-firewall/policy/rules/fake-success.js +86 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-env.js +162 -0
package/bin/runners/lib/agent-firewall/policy/rules/ghost-route.js +189 -0
package/bin/runners/lib/agent-firewall/policy/rules/scope.js +93 -0
package/bin/runners/lib/agent-firewall/policy/rules/unsafe-side-effect.js +57 -0
package/bin/runners/lib/agent-firewall/policy/schema.json +183 -0
package/bin/runners/lib/agent-firewall/policy/verdict.js +54 -0
package/bin/runners/lib/agent-firewall/proposal/extractor.js +394 -0
package/bin/runners/lib/agent-firewall/proposal/index.js +212 -0
package/bin/runners/lib/agent-firewall/proposal/schema.js +251 -0
package/bin/runners/lib/agent-firewall/proposal/validator.js +386 -0
package/bin/runners/lib/agent-firewall/reality/index.js +332 -0
package/bin/runners/lib/agent-firewall/reality/state.js +625 -0
package/bin/runners/lib/agent-firewall/reality/watcher.js +322 -0
package/bin/runners/lib/agent-firewall/risk/index.js +173 -0
package/bin/runners/lib/agent-firewall/risk/scorer.js +328 -0
package/bin/runners/lib/agent-firewall/risk/thresholds.js +321 -0
package/bin/runners/lib/agent-firewall/risk/vectors.js +421 -0
package/bin/runners/lib/agent-firewall/simulator/diff-simulator.js +472 -0
package/bin/runners/lib/agent-firewall/simulator/import-resolver.js +346 -0
package/bin/runners/lib/agent-firewall/simulator/index.js +181 -0
package/bin/runners/lib/agent-firewall/simulator/route-validator.js +380 -0
package/bin/runners/lib/agent-firewall/time-machine/incident-correlator.js +661 -0
package/bin/runners/lib/agent-firewall/time-machine/index.js +267 -0
package/bin/runners/lib/agent-firewall/time-machine/replay-engine.js +436 -0
package/bin/runners/lib/agent-firewall/time-machine/state-reconstructor.js +490 -0
package/bin/runners/lib/agent-firewall/time-machine/timeline-builder.js +530 -0
package/bin/runners/lib/agent-firewall/truthpack/index.js +67 -0
package/bin/runners/lib/agent-firewall/truthpack/loader.js +137 -0
package/bin/runners/lib/agent-firewall/unblock/planner.js +337 -0
package/bin/runners/lib/agent-firewall/utils/ignore-checker.js +118 -0
package/bin/runners/lib/analysis-core.js +220 -182
package/bin/runners/lib/analyzers.js +2145 -224
package/bin/runners/lib/api-client.js +269 -0
package/bin/runners/lib/authority-badge.js +425 -0
package/bin/runners/lib/cli-output.js +242 -210
package/bin/runners/lib/default-config.js +127 -0
package/bin/runners/lib/detectors-v2.js +547 -785
package/bin/runners/lib/doctor/modules/security.js +3 -1
package/bin/runners/lib/engine/ast-cache.js +210 -0
package/bin/runners/lib/engine/auth-extractor.js +211 -0
package/bin/runners/lib/engine/billing-extractor.js +112 -0
package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
package/bin/runners/lib/engine/env-extractor.js +207 -0
package/bin/runners/lib/engine/express-extractor.js +208 -0
package/bin/runners/lib/engine/extractors.js +849 -0
package/bin/runners/lib/engine/index.js +207 -0
package/bin/runners/lib/engine/repo-index.js +514 -0
package/bin/runners/lib/engine/types.js +124 -0
package/bin/runners/lib/engines/accessibility-engine.js +190 -0
package/bin/runners/lib/engines/api-consistency-engine.js +162 -0
package/bin/runners/lib/engines/ast-cache.js +99 -0
package/bin/runners/lib/engines/code-quality-engine.js +255 -0
package/bin/runners/lib/engines/console-logs-engine.js +115 -0
package/bin/runners/lib/engines/cross-file-analysis-engine.js +268 -0
package/bin/runners/lib/engines/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/deprecated-api-engine.js +226 -0
package/bin/runners/lib/engines/empty-catch-engine.js +150 -0
package/bin/runners/lib/engines/file-filter.js +131 -0
package/bin/runners/lib/engines/hardcoded-secrets-engine.js +251 -0
package/bin/runners/lib/engines/mock-data-engine.js +272 -0
package/bin/runners/lib/engines/parallel-processor.js +71 -0
package/bin/runners/lib/engines/performance-issues-engine.js +265 -0
package/bin/runners/lib/engines/security-vulnerabilities-engine.js +243 -0
package/bin/runners/lib/engines/todo-fixme-engine.js +115 -0
package/bin/runners/lib/engines/type-aware-engine.js +152 -0
package/bin/runners/lib/engines/unsafe-regex-engine.js +225 -0
package/bin/runners/lib/engines/vibecheck-engines/README.md +53 -0
package/bin/runners/lib/engines/vibecheck-engines/index.js +15 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +139 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
package/bin/runners/lib/engines/vibecheck-engines/package.json +13 -0
package/bin/runners/lib/entitlements-v2.js +152 -446
package/bin/runners/lib/error-handler.js +60 -12
package/bin/runners/lib/error-messages.js +289 -0
package/bin/runners/lib/evidence-pack.js +7 -1
package/bin/runners/lib/exit-codes.js +275 -0
package/bin/runners/lib/finding-id.js +69 -0
package/bin/runners/lib/finding-sorter.js +89 -0
package/bin/runners/lib/fingerprint.js +377 -0
package/bin/runners/lib/global-flags.js +37 -0
package/bin/runners/lib/help-formatter.js +413 -0
package/bin/runners/lib/logger.js +38 -0
package/bin/runners/lib/next-action.js +560 -0
package/bin/runners/lib/prerequisites.js +149 -0
package/bin/runners/lib/route-detection.js +137 -68
package/bin/runners/lib/route-truth.js +1167 -322
package/bin/runners/lib/scan-output.js +504 -463
package/bin/runners/lib/scan-runner.js +135 -0
package/bin/runners/lib/schemas/ajv-validator.js +464 -0
package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
package/bin/runners/lib/schemas/run-request.schema.json +108 -0
package/bin/runners/lib/schemas/validator.js +27 -0
package/bin/runners/lib/schemas/verdict.schema.json +140 -0
package/bin/runners/lib/ship-output-enterprise.js +239 -0
package/bin/runners/lib/ship-output.js +328 -31
package/bin/runners/lib/terminal-ui.js +234 -731
package/bin/runners/lib/truth.js +1332 -308
package/bin/runners/lib/unified-cli-output.js +604 -0
package/bin/runners/lib/unified-output.js +163 -155
package/bin/runners/lib/upsell.js +104 -204
package/bin/runners/runAgent.d.ts +5 -0
package/bin/runners/runAgent.js +161 -0
package/bin/runners/runAllowlist.js +166 -101
package/bin/runners/runApprove.js +1200 -0
package/bin/runners/runAuth.js +373 -95
package/bin/runners/runCheckpoint.js +59 -21
package/bin/runners/runClassify.js +926 -0
package/bin/runners/runContext.d.ts +4 -0
package/bin/runners/runContext.js +136 -24
package/bin/runners/runDoctor.js +115 -67
package/bin/runners/runEvidencePack.js +239 -96
package/bin/runners/runFirewall.d.ts +5 -0
package/bin/runners/runFirewall.js +134 -0
package/bin/runners/runFirewallHook.d.ts +5 -0
package/bin/runners/runFirewallHook.js +56 -0
package/bin/runners/runFix.js +6 -5
package/bin/runners/runGuard.js +212 -118
package/bin/runners/runInit.js +66 -21
package/bin/runners/runLabs.js +204 -121
package/bin/runners/runMcp.js +131 -60
package/bin/runners/runPolish.d.ts +4 -0
package/bin/runners/runPolish.js +43 -20
package/bin/runners/runProof.zip +0 -0
package/bin/runners/runProve.js +15 -5
package/bin/runners/runQuickstart.js +531 -0
package/bin/runners/runReality.js +14 -0
package/bin/runners/runReport.js +36 -4
package/bin/runners/runScan.js +689 -91
package/bin/runners/runShip.js +96 -40
package/bin/runners/runTruth.d.ts +5 -0
package/bin/runners/runTruth.js +101 -0
package/bin/runners/runValidate.js +21 -4
package/bin/runners/runWatch.js +118 -54
package/bin/scan.js +6 -1
package/bin/vibecheck.js +297 -52
package/mcp-server/HARDENING_SUMMARY.md +299 -0
package/mcp-server/agent-firewall-interceptor.js +500 -0
package/mcp-server/authority-tools.js +569 -0
package/mcp-server/conductor/conflict-resolver.js +588 -0
package/mcp-server/conductor/execution-planner.js +544 -0
package/mcp-server/conductor/index.js +377 -0
package/mcp-server/conductor/lock-manager.js +615 -0
package/mcp-server/conductor/request-queue.js +550 -0
package/mcp-server/conductor/session-manager.js +500 -0
package/mcp-server/conductor/tools.js +510 -0
package/mcp-server/deprecation-middleware.js +282 -0
package/mcp-server/handlers/index.ts +15 -0
package/mcp-server/handlers/tool-handler.ts +474 -591
package/mcp-server/index.js +1748 -1099
package/mcp-server/lib/api-client.cjs +13 -0
package/mcp-server/lib/cache-wrapper.cjs +383 -0
package/mcp-server/lib/error-envelope.js +138 -0
package/mcp-server/lib/executor.ts +428 -721
package/mcp-server/lib/index.ts +19 -0
package/mcp-server/lib/logger.cjs +30 -0
package/mcp-server/lib/rate-limiter.js +166 -0
package/mcp-server/lib/sandbox.test.ts +519 -0
package/mcp-server/lib/sandbox.ts +342 -284
package/mcp-server/lib/types.ts +267 -0
package/mcp-server/logger.js +173 -0
package/mcp-server/package.json +11 -27
package/mcp-server/premium-tools.js +2 -2
package/mcp-server/registry/tool-registry.js +794 -0
package/mcp-server/registry/tools.json +507 -378
package/mcp-server/registry.test.ts +334 -0
package/mcp-server/tests/tier-gating.test.js +297 -0
package/mcp-server/tier-auth.js +492 -347
package/mcp-server/tools-v3.js +950 -0
package/mcp-server/truth-context.js +131 -90
package/mcp-server/truth-firewall-tools.js +1612 -1001
package/mcp-server/tsconfig.json +8 -5
package/mcp-server/vibecheck-2.0-tools.js +14 -1
package/mcp-server/vibecheck-mcp-server-3.2.0.tgz +0 -0
package/mcp-server/vibecheck-tools.js +2 -2
package/package.json +4 -3
package/bin/runners/runInstall.js +0 -281
package/mcp-server/ARCHITECTURE.md +0 -339
package/mcp-server/__tests__/cache.test.ts +0 -313
package/mcp-server/__tests__/executor.test.ts +0 -239
package/mcp-server/__tests__/fixtures/exclusion-test/.cache/webpack/cache.pack +0 -1
package/mcp-server/__tests__/fixtures/exclusion-test/.next/server/chunk.js +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/.turbo/cache.json +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/.venv/lib/env.py +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/dist/bundle.js +0 -3
package/mcp-server/__tests__/fixtures/exclusion-test/package.json +0 -5
package/mcp-server/__tests__/fixtures/exclusion-test/src/app.ts +0 -5
package/mcp-server/__tests__/fixtures/exclusion-test/venv/lib/config.py +0 -4
package/mcp-server/__tests__/ids.test.ts +0 -345
package/mcp-server/__tests__/integration/tools.test.ts +0 -410
package/mcp-server/__tests__/registry.test.ts +0 -365
package/mcp-server/__tests__/sandbox.test.ts +0 -323
package/mcp-server/__tests__/schemas.test.ts +0 -372
package/mcp-server/benchmarks/run-benchmarks.ts +0 -304
package/mcp-server/examples/doctor.request.json +0 -14
package/mcp-server/examples/doctor.response.json +0 -53
package/mcp-server/examples/error.response.json +0 -15
package/mcp-server/examples/scan.request.json +0 -14
package/mcp-server/examples/scan.response.json +0 -108
package/mcp-server/index-v3.ts +0 -293
package/mcp-server/index.old.js +0 -4137
package/mcp-server/lib/cache.ts +0 -341
package/mcp-server/lib/errors.ts +0 -346
package/mcp-server/lib/ids.ts +0 -238
package/mcp-server/lib/logger.ts +0 -368
package/mcp-server/lib/metrics.ts +0 -365
package/mcp-server/lib/validator.ts +0 -229
package/mcp-server/package-lock.json +0 -165
package/mcp-server/schemas/error-envelope.schema.json +0 -125
package/mcp-server/schemas/finding.schema.json +0 -167
package/mcp-server/schemas/report-artifact.schema.json +0 -88
package/mcp-server/schemas/run-request.schema.json +0 -75
package/mcp-server/schemas/verdict.schema.json +0 -168
package/mcp-server/tier-auth.d.ts +0 -71
package/mcp-server/vitest.config.ts +0 -16

package/mcp-server/agent-firewall-interceptor.js ADDED Viewed

@@ -0,0 +1,500 @@
+/**
+ * Agent Firewall Interceptor - MCP Tool
+ *
+ * Intercepts file write/patch tool calls from AI agents.
+ * Validates changes against truthpack and policy before allowing writes.
+ *
+ * Codename: Sentinel
+ *
+ * Tier-based enforcement:
+ * - FREE: Observe mode (logs violations but allows writes)
+ * - STARTER: Advisory mode (warns but allows with confirmation)
+ * - PRO: Enforce mode (blocks violations)
+ * - ENTERPRISE: Enforce mode + audit trail
+ *
+ * SECURITY: Tier is NEVER trusted from client - always derived from validated API key
+ */
+import path from "path";
+import fs from "fs";
+import { createRequire } from "module";
+// Import tier auth for secure tier validation
+import { getMcpToolAccess } from "./tier-auth.js";
+const require = createRequire(import.meta.url);
+// Import core firewall modules
+const { interceptFileWrite, interceptMultiFileWrite } = require("../bin/runners/lib/agent-firewall/interceptor/base");
+const { loadPolicy } = require("../bin/runners/lib/agent-firewall/policy/loader");
+// Import new Sentinel modules
+let reality, risk, simulator, proposal, critic, proofBuilder;
+try {
+  reality = require("../bin/runners/lib/agent-firewall/reality");
+  risk = require("../bin/runners/lib/agent-firewall/risk");
+  simulator = require("../bin/runners/lib/agent-firewall/simulator");
+  proposal = require("../bin/runners/lib/agent-firewall/proposal");
+  critic = require("../bin/runners/lib/agent-firewall/critic");
+  proofBuilder = require("../bin/runners/lib/agent-firewall/change-packet/builder");
+} catch (err) {
+  console.warn(`[Agent Firewall] Some Sentinel modules not available: ${err.message}`);
+}
+// Tier-based policy mode mapping
+const TIER_POLICY_MODES = {
+  FREE: "observe",         // Log only, never block
+  STARTER: "advisory",     // Warn, allow with confirmation
+  PRO: "enforce",          // Block violations
+  ENTERPRISE: "enforce",   // Block + full audit
+};
+/**
+ * Get effective policy mode based on tier
+ * @param {string} tier - User's subscription tier
+ * @param {object} policy - Policy configuration
+ * @returns {string} Effective mode
+ */
+function getEffectivePolicyMode(tier, policy) {
+  // If policy explicitly sets mode, respect it for PRO+
+  if (policy.mode && (tier === "PRO" || tier === "ENTERPRISE")) {
+    return policy.mode;
+  }
+  // Otherwise use tier-based defaults
+  return TIER_POLICY_MODES[tier] || "observe";
+}
+/**
+ * MCP Tool Definition
+ */
+const AGENT_FIREWALL_TOOL = {
+  name: "vibecheck_agent_firewall_intercept",
+  description: `🛡️ Agent Firewall (Sentinel) - Intercepts AI code changes and validates against repo truth.
+This tool MUST be called before any file write/patch operations.
+It validates changes against truthpack, policy rules, and reality state.
+Features:
+- Reality state validation (routes, env vars, services)
+- Risk scoring (surface area, blast radius, irreversibility)
+- Diff simulation (broken imports, orphaned files)
+- Assumption verification
+- Proof artifact generation
+Tier modes:
+- FREE: Observe (logs only)
+- STARTER: Advisory (warns)
+- PRO/ENTERPRISE: Enforce (blocks)
+Returns: { allowed, verdict, riskScore, violations, unblockPlan, proofId }`,
+  inputSchema: {
+    type: "object",
+    required: ["agentId", "filePath", "content"],
+    properties: {
+      agentId: {
+        type: "string",
+        description: "Agent identifier (e.g., 'cursor', 'windsurf', 'copilot')"
+      },
+      filePath: {
+        type: "string",
+        description: "File path relative to project root"
+      },
+      content: {
+        type: "string",
+        description: "New file content"
+      },
+      oldContent: {
+        type: "string",
+        description: "Old file content (optional, for diff generation)"
+      },
+      intent: {
+        type: "string",
+        description: "Agent's stated intent for this change"
+      },
+      summary: {
+        type: "string",
+        description: "Human-readable summary of the change"
+      },
+      assumptions: {
+        type: "array",
+        description: "Declared assumptions (auto-extracted if not provided)",
+        items: {
+          type: "object",
+          properties: {
+            type: { type: "string", enum: ["env", "route", "service", "file"] },
+            key: { type: "string" },
+            reason: { type: "string" }
+          }
+        }
+      },
+      confidence: {
+        type: "number",
+        description: "Confidence level (0-1) that the change is correct",
+        minimum: 0,
+        maximum: 1
+      },
+      projectRoot: {
+        type: "string",
+        default: ".",
+        description: "Project root directory"
+      },
+      apiKey: {
+        type: "string",
+        description: "API key for authentication (tier is derived from this, never client-provided)"
+      }
+      // NOTE: 'tier' parameter removed for security - tier is now derived from validated apiKey
+      // Accepting tier from client allowed privilege escalation attacks
+    }
+  }
+};
+/**
+ * Handle MCP tool call
+ *
+ * SECURITY: Tier is NEVER accepted from client args - always derived from validated API key.
+ * Previous implementation accepted args.tier which allowed attackers to escalate privileges
+ * by simply passing tier: "ENTERPRISE".
+ *
+ * @param {string} name - Tool name (unused, for consistency)
+ * @param {object} args - Tool arguments
+ * @returns {object} MCP tool response
+ */
+async function handleAgentFirewallIntercept(name, args) {
+  const projectRoot = path.resolve(args.projectRoot || ".");
+  const agentId = args.agentId || "unknown";
+  const filePath = args.filePath;
+  const content = args.content;
+  const oldContent = args.oldContent || null;
+  const intent = args.intent || "No intent provided";
+  // SECURITY FIX: Derive tier from validated API key, NEVER trust client-provided tier
+  let tier = "FREE"; // Default to most restrictive (observe mode)
+  try {
+    const access = await getMcpToolAccess("vibecheck_agent_firewall_intercept", args.apiKey);
+    if (access.tier) {
+      tier = access.tier.toUpperCase();
+    }
+    // Note: Even if access check fails, we continue with FREE tier (observe mode)
+    // This allows the tool to still provide value while logging violations
+  } catch (err) {
+    console.warn(`[Agent Firewall] Tier validation failed, defaulting to FREE: ${err.message}`);
+  }
+  // Validate file path is within project root
+  const fileAbs = path.resolve(projectRoot, filePath);
+  if (!fileAbs.startsWith(projectRoot + path.sep) && fileAbs !== projectRoot) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ BLOCKED: File path outside project root: ${filePath}`
+      }],
+      isError: true
+    };
+  }
+  try {
+    // Load policy and determine effective mode based on tier
+    const policy = loadPolicy(projectRoot);
+    const effectiveMode = getEffectivePolicyMode(tier, policy);
+    // Read old content if not provided
+    // SECURITY FIX: Compute content hash to detect concurrent modifications
+    // Between reading and validation, another agent could modify the file.
+    // We provide the hash so callers can verify before actual write.
+    let actualOldContent = oldContent;
+    let oldContentHash = null;
+    const crypto = require('crypto');
+    if (!actualOldContent && fs.existsSync(fileAbs)) {
+      actualOldContent = fs.readFileSync(fileAbs, "utf8");
+    }
+    // Compute hash of the content we're validating against
+    if (actualOldContent) {
+      oldContentHash = crypto.createHash('sha256').update(actualOldContent).digest('hex');
+    }
+    // Build structured proposal from args
+    let structuredProposal = null;
+    if (proposal) {
+      structuredProposal = proposal.proposal.create(
+        proposal.proposal.normalizeIntent(intent),
+        [{ type: actualOldContent ? "modify" : "create", path: filePath, content }]
+      );
+      structuredProposal.summary = args.summary || intent;
+      structuredProposal.assumptions = args.assumptions || [];
+      structuredProposal.confidence = args.confidence ?? 0.5;
+      // Auto-extract assumptions if not provided
+      if (structuredProposal.assumptions.length === 0) {
+        const extracted = proposal.extractFromOperations(structuredProposal.operations);
+        structuredProposal.assumptions = extracted;
+      }
+      // Validate proposal
+      const validationResult = proposal.proposal.validate(structuredProposal);
+      if (!validationResult.valid && effectiveMode === "enforce") {
+        return {
+          content: [{
+            type: "text",
+            text: `❌ INVALID PROPOSAL: ${validationResult.errors.map(e => e.message).join(", ")}`
+          }],
+          isError: true
+        };
+      }
+    }
+    // Get reality state
+    let realityState = null;
+    if (reality) {
+      try {
+        realityState = reality.reality.getState(projectRoot);
+      } catch (err) {
+        console.warn(`[Agent Firewall] Reality state unavailable: ${err.message}`);
+      }
+    }
+    // Calculate risk score
+    let riskScore = null;
+    if (risk && structuredProposal) {
+      try {
+        riskScore = risk.calculateRiskScore({
+          files: [{ path: filePath }],
+          operations: structuredProposal.operations,
+          claims: [],
+          evidence: [],
+          intent,
+          assumptions: structuredProposal.assumptions,
+          proposalConfidence: structuredProposal.confidence,
+          policy,
+        });
+      } catch (err) {
+        console.warn(`[Agent Firewall] Risk scoring failed: ${err.message}`);
+      }
+    }
+    // Run diff simulation
+    let simulationResult = null;
+    if (simulator && content) {
+      try {
+        simulationResult = simulator.quickSimulate(projectRoot, filePath, content, actualOldContent);
+      } catch (err) {
+        console.warn(`[Agent Firewall] Simulation failed: ${err.message}`);
+      }
+    }
+    // Intercept the write with core firewall
+    const result = await interceptFileWrite({
+      projectRoot,
+      agentId,
+      intent,
+      filePath,
+      content,
+      oldContent: actualOldContent
+    });
+    // Get critic verdict (rule-based, LLM optional)
+    let criticVerdict = null;
+    if (critic) {
+      try {
+        criticVerdict = await critic.critic.evaluate({
+          proposal: structuredProposal,
+          validationResults: result,
+          riskScore,
+          simulationResult,
+          realityState,
+        });
+      } catch (err) {
+        console.warn(`[Agent Firewall] Critic evaluation failed: ${err.message}`);
+      }
+    }
+    // Build enhanced proof artifact
+    let proofId = result.packetId;
+    if (proofBuilder && riskScore) {
+      try {
+        const proofArtifact = proofBuilder.buildProofArtifact({
+          changeId: `c-${result.packetId}`,
+          decision: result.verdict,
+          rulesTriggered: (result.violations || []).map(v => v.rule),
+          assumptionsFailed: (result.violations || []).filter(v => v.type === "assumption").map(v => v.key),
+          riskScore,
+          simulationResult,
+          criticVerdict,
+        });
+        proofId = proofArtifact.changeId;
+      } catch (err) {
+        console.warn(`[Agent Firewall] Proof artifact generation failed: ${err.message}`);
+      }
+    }
+    // Format response based on mode
+    const formatResponse = (isBlocked) => {
+      let message = "";
+      const icon = isBlocked ? "❌" : (effectiveMode === "observe" ? "📊" : "✅");
+      const modeLabel = effectiveMode.toUpperCase();
+      message += `${icon} ${modeLabel} MODE: ${result.verdict}\n\n`;
+      // Risk score
+      if (riskScore) {
+        message += `Risk: ${riskScore.total} (${riskScore.level})\n`;
+        if (riskScore.reasons.length > 0) {
+          message += `Factors: ${riskScore.reasons.slice(0, 3).join(", ")}\n`;
+        }
+        message += "\n";
+      }
+      // Simulation result
+      if (simulationResult) {
+        message += `Simulation: ${simulationResult.passed ? "✅ Passed" : "❌ Failed"}\n`;
+        if (!simulationResult.passed && simulationResult.errors.length > 0) {
+          message += `Errors: ${simulationResult.errors.slice(0, 2).map(e => e.message).join("; ")}\n`;
+        }
+        message += "\n";
+      }
+      // Violations
+      if (result.violations && result.violations.length > 0) {
+        message += "Violations:\n";
+        for (const violation of result.violations.slice(0, 5)) {
+          message += `  - ${violation.rule || violation.type}: ${violation.message}\n`;
+        }
+        message += "\n";
+      }
+      // Critic verdict (if blocked)
+      if (criticVerdict && criticVerdict.verdict === "BLOCK") {
+        message += `Critic: ${criticVerdict.verdict} (${(criticVerdict.confidence * 100).toFixed(0)}% confidence)\n`;
+        if (criticVerdict.reasoning.length > 0) {
+          message += `Reasoning: ${criticVerdict.reasoning[0]}\n`;
+        }
+        message += "\n";
+      }
+      // Unblock plan
+      if (isBlocked && result.unblockPlan && result.unblockPlan.steps?.length > 0) {
+        message += "To unblock:\n";
+        for (const step of result.unblockPlan.steps.slice(0, 3)) {
+          message += `  ${step.action === "create" ? "➕ Create" : "✏️ Modify"} ${step.file || "file"}: ${step.description}\n`;
+        }
+        message += "\n";
+      }
+      message += `Proof ID: ${proofId}\n`;
+      // SECURITY: Include content hash for race condition protection
+      // Callers MUST verify this hash matches current file content before writing
+      // to prevent TOCTOU (time-of-check-time-of-use) vulnerabilities
+      if (oldContentHash) {
+        message += `\n⚠️ IMPORTANT: Before writing, verify file hash matches:\n`;
+        message += `Content Hash: ${oldContentHash}\n`;
+        message += `(Re-read file and compare SHA-256 hash to detect concurrent modifications)`;
+      } else {
+        message += `\nNote: New file (no existing content to verify)`;
+      }
+      return message;
+    };
+    // Determine final decision based on mode
+    if (effectiveMode === "observe") {
+      // Observe mode - always allow, log everything
+      return {
+        content: [{
+          type: "text",
+          text: formatResponse(false)
+        }]
+      };
+    }
+    if (effectiveMode === "advisory") {
+      // Advisory mode - warn but allow (for STARTER tier)
+      const shouldWarn = !result.allowed || (riskScore && riskScore.total > 50);
+      return {
+        content: [{
+          type: "text",
+          text: formatResponse(false) + (shouldWarn ? "\n\n⚠️ Consider reviewing before proceeding." : "")
+        }]
+      };
+    }
+    // Enforce mode - block if not allowed
+    // More intelligent blocking logic to reduce false positives:
+    // 1. Base interception result must say not allowed, OR
+    // 2. Simulation failed with actual errors (not just warnings), OR
+    // 3. Critic says BLOCK with very high confidence (90%+), OR
+    // 4. Risk score decision is BLOCK (but respect lowered thresholds)
+    // Count the number of blocking signals
+    let blockingSignals = 0;
+    const blockReasons = [];
+    if (!result.allowed) {
+      blockingSignals++;
+      blockReasons.push("policy_violation");
+    }
+    // Only count simulation failure if it has actual errors (not just warnings)
+    if (simulationResult && !simulationResult.passed) {
+      const hasActualErrors = simulationResult.errors?.some(e =>
+        e.severity === 'error' || e.type === 'broken_import' || e.type === 'syntax_error'
+      );
+      if (hasActualErrors) {
+        blockingSignals++;
+        blockReasons.push("simulation_failed");
+      }
+    }
+    // Critic verdict - require very high confidence (90%+) to block
+    if (criticVerdict && criticVerdict.verdict === "BLOCK" && criticVerdict.confidence >= 0.9) {
+      blockingSignals++;
+      blockReasons.push("critic_blocked");
+    }
+    // Risk score decision
+    if (riskScore && riskScore.decision?.decision === "BLOCK") {
+      blockingSignals++;
+      blockReasons.push("risk_threshold_exceeded");
+    }
+    // Only block if we have at least 2 independent blocking signals
+    // This prevents a single false positive from blocking legitimate changes
+    // Exception: if risk score is CRITICAL (total >= 120), block with 1 signal
+    const isCriticalRisk = riskScore && riskScore.total >= 120;
+    const shouldBlock = (blockingSignals >= 2) || (isCriticalRisk && blockingSignals >= 1);
+    if (shouldBlock) {
+      return {
+        content: [{
+          type: "text",
+          text: formatResponse(true) + `\n\nBlocking reasons: ${blockReasons.join(", ")}`
+        }],
+        isError: true
+      };
+    }
+    // Allowed
+    return {
+      content: [{
+        type: "text",
+        text: formatResponse(false)
+      }]
+    };
+  } catch (error) {
+    return {
+      content: [{
+        type: "text",
+        text: `❌ Error intercepting write: ${error.message}\n\n${error.stack}`
+      }],
+      isError: true
+    };
+  }
+}
+export {
+  AGENT_FIREWALL_TOOL,
+  handleAgentFirewallIntercept
+};