@vibecheckai/cli 3.6.1 → 3.8.0

package/bin/runners/runApprove.js

@@ -1,1202 +1,320 @@
 /**
- * vibecheck approve - Authority Approval Command
+ * vibecheck approve - Session Approval CLI
  * 
- * Execute authorities to get structured verdicts with proofs.
- * Requires STARTER tier for advisory verdicts.
- * Requires PRO tier for enforcement.
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * SEAMLESS INTENT - SESSION APPROVAL COMMAND
+ * ═══════════════════════════════════════════════════════════════════════════════
  * 
- * Usage:
- *   vibecheck approve <authority-id>
- *   vibecheck approve safe-consolidation
- *   vibecheck approve --list
+ * Review and approve changes made during a vibe session.
+ * Creates intent retroactively from approved changes.
  * 
- * Part of the Authority System - "The AI That Says No"
+ * Usage:
+ *   vibecheck approve         # Interactive review
+ *   vibecheck approve -y      # Auto-approve with generated intent
+ *   vibecheck approve -m "..."  # Approve with custom message
+ *   vibecheck approve --reject # Reject pending changes
  * 
- * Production Features:
- * - Rate limiting to prevent abuse
- * - Input validation for all parameters
- * - Timeout enforcement for long-running analyses
- * - Audit trail for all executions
- * - Signed verdicts (PRO tier)
+ * @module runApprove
+ * @version 1.0.0
  */
 
+"use strict";
+
 const path = require("path");
-const fs = require("fs");
-const { withErrorHandling, createUserError } = require("./lib/error-handler");
-const { parseGlobalFlags, shouldShowBanner } = require("./lib/global-flags");
-const { EXIT } = require("./lib/exit-codes");
 
-// ═══════════════════════════════════════════════════════════════════════════════
-// TERMINAL UI
-// ═══════════════════════════════════════════════════════════════════════════════
+// Lazy imports
+let _globalFlags = null;
+let _exitCodes = null;
+let _cliOutput = null;
+let _sessionModule = null;
 
-const {
-  ansi,
-  colors,
-  Spinner,
-} = require("./lib/terminal-ui");
+function getGlobalFlags() {
+  if (!_globalFlags) {
+    _globalFlags = require("./lib/global-flags");
+  }
+  return _globalFlags;
+}
 
-const BANNER = `
-${ansi.rgb(0, 200, 255)}  ██╗   ██╗██╗██████╗ ███████╗ ██████╗██╗  ██╗███████╗ ██████╗██╗  ██╗${ansi.reset}
-${ansi.rgb(30, 180, 255)}  ██║   ██║██║██╔══██╗██╔════╝██╔════╝██║  ██║██╔════╝██╔════╝██║ ██╔╝${ansi.reset}
-${ansi.rgb(60, 160, 255)}  ██║   ██║██║██████╔╝█████╗  ██║     ███████║█████╗  ██║     █████╔╝ ${ansi.reset}
-${ansi.rgb(90, 140, 255)}  ╚██╗ ██╔╝██║██╔══██╗██╔══╝  ██║     ██╔══██║██╔══╝  ██║     ██╔═██╗ ${ansi.reset}
-${ansi.rgb(120, 120, 255)}   ╚████╔╝ ██║██████╔╝███████╗╚██████╗██║  ██║███████╗╚██████╗██║  ██╗${ansi.reset}
-${ansi.rgb(150, 100, 255)}    ╚═══╝  ╚═╝╚═════╝ ╚══════╝ ╚═════╝╚═╝  ╚═╝╚══════╝ ╚═════╝╚═╝  ╚═╝${ansi.reset}
+function getExitCodes() {
+  if (!_exitCodes) {
+    _exitCodes = require("./lib/exit-codes");
+  }
+  return _exitCodes;
+}
 
-${ansi.dim}  ┌─────────────────────────────────────────────────────────────────────┐${ansi.reset}
-${ansi.dim}  │${ansi.reset}  ${ansi.rgb(255, 255, 255)}${ansi.bold}Authority System${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(200, 200, 200)}Approve${ansi.reset} ${ansi.dim}•${ansi.reset} ${ansi.rgb(150, 150, 150)}Verdicts with Proofs${ansi.reset}       ${ansi.dim}│${ansi.reset}
-${ansi.dim}  └─────────────────────────────────────────────────────────────────────┘${ansi.reset}
-`;
+function getCliOutput() {
+  if (!_cliOutput) {
+    _cliOutput = require("./lib/unified-cli-output");
+  }
+  return _cliOutput;
+}
 
-function printBanner() {
-  console.log(BANNER);
+function getSessionModule() {
+  if (!_sessionModule) {
+    _sessionModule = require("./lib/agent-firewall/session");
+  }
+  return _sessionModule;
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// ARGS PARSER
+// HELP
 // ═══════════════════════════════════════════════════════════════════════════════
 
-function parseArgs(args) {
-  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
-  
-  const opts = {
-    path: globalFlags.path || process.cwd(),
-    json: globalFlags.json || false,
-    verbose: globalFlags.verbose || false,
-    help: globalFlags.help || false,
-    noBanner: globalFlags.noBanner || false,
-    ci: globalFlags.ci || false,
-    quiet: globalFlags.quiet || false,
-    // Authority options
-    authority: null,        // Authority ID to execute
-    list: false,            // List available authorities
-    // Output options
-    output: null,           // Output file path
-    badge: false,           // Generate badge for PROCEED
-    // Dry run
-    dryRun: false,          // Don't save results, just analyze
-  };
-
-  for (let i = 0; i < cleanArgs.length; i++) {
-    const arg = cleanArgs[i];
-    
-    if (arg === '--list' || arg === '-l') opts.list = true;
-    else if (arg === '--output' || arg === '-o') opts.output = cleanArgs[++i];
-    else if (arg === '--badge' || arg === '-b') opts.badge = true;
-    else if (arg === '--dry-run') opts.dryRun = true;
-    else if (arg === '--path' || arg === '-p') opts.path = cleanArgs[++i] || process.cwd();
-    else if (arg.startsWith('--path=')) opts.path = arg.split('=')[1];
-    else if (!arg.startsWith('-') && !opts.authority) opts.authority = arg;
-  }
+function printHelp() {
+  const { ansi } = getCliOutput();
   
-  return opts;
-}
-
-function printHelp(showBanner = true) {
-  if (showBanner && shouldShowBanner({})) {
-    printBanner();
-  }
   console.log(`
-  ${ansi.bold}USAGE${ansi.reset}
-    ${colors.accent}vibecheck approve${ansi.reset} <authority> [options]
-    ${colors.accent}vibecheck approve${ansi.reset} --list
+${ansi.bold}${ansi.cyan}╔═══════════════════════════════════════════════════════════════════════════════╗
+║                                                                               ║
+║   ${ansi.reset}${ansi.bold}SESSION APPROVAL${ansi.cyan}                                                          ║
+║   ${ansi.reset}${ansi.dim}Review and approve vibe session changes${ansi.cyan}                                   ║
+║                                                                               ║
+╚═══════════════════════════════════════════════════════════════════════════════╝${ansi.reset}
 
-  ${ansi.dim}Requires: STARTER tier (advisory) or PRO tier (enforcement)${ansi.reset}
-
-  Execute an authority to get a structured verdict with proofs.
-  Authorities are policy engines that analyze your code and produce
-  PROCEED/STOP/DEFER verdicts with evidence.
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck approve${ansi.reset} [options]
 
-  ${ansi.bold}AUTHORITIES${ansi.reset}
-    ${colors.accent}safe-consolidation${ansi.reset}    Zero-behavior-change code cleanup
-    ${colors.accent}inventory${ansi.reset}             Read-only duplication/legacy maps ${ansi.dim}(use 'classify')${ansi.reset}
+  ${ansi.dim}Review AI changes made during a vibe session.
+  Approved changes create intent retroactively.${ansi.reset}
 
   ${ansi.bold}OPTIONS${ansi.reset}
-    ${colors.accent}--list, -l${ansi.reset}            List all available authorities
-    ${colors.accent}--badge, -b${ansi.reset}           Generate badge for PROCEED verdicts
-    ${colors.accent}--dry-run${ansi.reset}             Analyze without saving results
-    ${colors.accent}--output, -o <file>${ansi.reset}   Save verdict to file
+    ${ansi.cyan}-y, --yes${ansi.reset}              Auto-approve with generated intent
+    ${ansi.cyan}-m, --message <text>${ansi.reset}   Approve with custom intent message
+    ${ansi.cyan}--reject${ansi.reset}               Reject all pending changes
+    ${ansi.cyan}--clear${ansi.reset}                Clear session without creating intent
 
-  ${ansi.bold}GLOBAL OPTIONS${ansi.reset}
-    ${colors.accent}--json${ansi.reset}                Output verdict as JSON
-    ${colors.accent}--path, -p <dir>${ansi.reset}      Run in specified directory
-    ${colors.accent}--verbose, -v${ansi.reset}         Show detailed analysis
-    ${colors.accent}--quiet, -q${ansi.reset}           Suppress non-essential output
-    ${colors.accent}--ci${ansi.reset}                  CI mode (quiet + exit codes)
-    ${colors.accent}--help, -h${ansi.reset}            Show this help
+  ${ansi.bold}EXAMPLES${ansi.reset}
+    ${ansi.dim}# Interactive review${ansi.reset}
+    vibecheck approve
 
-  ${ansi.bold}💡 EXAMPLES${ansi.reset}
+    ${ansi.dim}# Auto-approve${ansi.reset}
+    vibecheck approve -y
 
-    ${ansi.dim}# Run safe-consolidation authority${ansi.reset}
-    vibecheck approve safe-consolidation
+    ${ansi.dim}# Custom intent${ansi.reset}
+    vibecheck approve -m "Added user profile feature"
 
-    ${ansi.dim}# JSON output for CI integration${ansi.reset}
-    vibecheck approve safe-consolidation --json --ci
+    ${ansi.dim}# Reject changes${ansi.reset}
+    vibecheck approve --reject
 
-    ${ansi.dim}# Generate badge for PROCEED verdicts${ansi.reset}
-    vibecheck approve safe-consolidation --badge
-
-    ${ansi.dim}# List available authorities${ansi.reset}
-    vibecheck approve --list
-
-  ${ansi.bold}📊 VERDICT ACTIONS${ansi.reset}
-    ${colors.success}PROCEED${ansi.reset}   Safe to continue, all proofs satisfied (exit 0)
-    ${colors.warning}DEFER${ansi.reset}     Manual review required (exit 1)
-    ${colors.error}STOP${ansi.reset}      Unsafe, hard stops triggered (exit 2)
-
-  ${ansi.bold}🔗 RELATED COMMANDS${ansi.reset}
-    ${colors.accent}vibecheck classify${ansi.reset}    Read-only inventory ${ansi.dim}(FREE)${ansi.reset}
-    ${colors.accent}vibecheck scan${ansi.reset}        Full code analysis
-    ${colors.accent}vibecheck ship${ansi.reset}        SHIP/WARN/BLOCK verdict
-
-  ${ansi.dim}─────────────────────────────────────────────────────────────${ansi.reset}
+  ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
   ${ansi.dim}Documentation: https://docs.vibecheckai.dev/cli/approve${ansi.reset}
-  `);
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// AUTHORITY DEFINITIONS (Inline for now - will use packages/core in production)
-// ═══════════════════════════════════════════════════════════════════════════════
-
-const AUTHORITIES = {
-  'safe-consolidation': {
-    id: 'safe-consolidation',
-    version: '1.0.0',
-    description: 'Zero-behavior-change cleanup of duplicated and legacy code',
-    tier: 'starter',
-    scope: {
-      allowedActions: ['analyze', 'propose_diff'],
-      disallowedActions: ['delete', 'rename_public_exports', 'force_publish', 'modify_env', 'modify_migrations'],
-      allowedRisk: ['LOW'],
-      excludedPaths: [
-        'packages/cli/**',
-        '**/migrations/**',
-        '**/prisma/migrations/**',
-        '**/*.env*',
-        '**/node_modules/**',
-        '**/dist/**',
-        '**/build/**',
-        '**/.git/**',
-        '**/auth/**',
-        '**/secrets/**',
-        '**/billing/**',
-      ],
-    },
-    permissions: {
-      readRepo: true,
-      writeProposals: true,
-      applyChanges: false,
-      enforceCI: true,
-    },
-    requiredProofs: {
-      reachability: 'Static + dynamic analysis proving no runtime imports',
-      compatibility: 'Import path preservation via aliases/re-exports',
-      behaviorLock: 'Observable behavior unchanged (errors, timing, side effects)',
-      rollback: 'Single git revert restores previous state',
-    },
-    hardStops: {
-      dynamicImportDetected: true,
-      migrationFlagDetected: true,
-      behaviorChangeUncertain: true,
-      securitySensitive: true,
-    },
-  },
-  'security-remediation': {
-    id: 'security-remediation',
-    version: '1.0.0',
-    description: 'Verified security fixes with proof of safety',
-    tier: 'pro',
-    scope: {
-      allowedActions: ['analyze', 'propose_diff'],
-      disallowedActions: [
-        'delete_auth_code',
-        'modify_crypto_primitives',
-        'alter_permission_checks',
-        'remove_rate_limits',
-        'expose_internal_apis',
-      ],
-      allowedRisk: ['LOW', 'MEDIUM'],
-      excludedPaths: [
-        '**/node_modules/**',
-        '**/dist/**',
-        '**/build/**',
-        '**/.git/**',
-        '**/migrations/**',
-        '**/*.env*',
-      ],
-    },
-    permissions: {
-      readRepo: true,
-      writeProposals: true,
-      applyChanges: false,
-      enforceCI: true,
-    },
-    requiredProofs: {
-      reachability: 'Proof that vulnerable code path is reachable and fix addresses it',
-      compatibility: 'Proof that fix does not break existing functionality',
-      behaviorLock: 'Proof that security behavior is strengthened, not weakened',
-      rollback: 'Proof that fix can be reverted without leaving system vulnerable',
-    },
-    hardStops: {
-      dynamicImportDetected: true,
-      migrationFlagDetected: false,
-      behaviorChangeUncertain: true,
-      securitySensitive: false,
-    },
-  },
-  'inventory': {
-    id: 'inventory',
-    version: '1.0.0',
-    description: 'Read-only inventory of duplication and legacy code',
-    tier: 'free',
-    note: 'Use "vibecheck classify" for this authority',
-  },
-};
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// TIER CHECKING
-// ═══════════════════════════════════════════════════════════════════════════════
-
-async function checkTierAccess(authorityTier) {
-  try {
-    const entitlementsV2 = require("./lib/entitlements-v2");
-    const access = await entitlementsV2.enforce(`authority.${authorityTier}`, { 
-      silent: true,
-    });
-    return access;
-  } catch (err) {
-    // Fallback to free tier if entitlements fail
-    return {
-      allowed: authorityTier === 'free',
-      tier: 'free',
-      reason: authorityTier === 'free' ? 'Free tier access' : 'Upgrade required',
-    };
-  }
+`);
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// SAFE CONSOLIDATION EXECUTOR
+// MAIN ENTRY
 // ═══════════════════════════════════════════════════════════════════════════════
 
 /**
- * Check for unsafe patterns in file content
+ * Main approve command handler
+ * @param {string[]} args - Command arguments
+ * @param {Object} context - Execution context
+ * @returns {Promise<number>} Exit code
  */
-function checkUnsafePatterns(content) {
-  const patterns = [
-    { pattern: /import\s*\(/, reason: 'Dynamic import detected' },
-    { pattern: /require\s*\((?!['"])/, reason: 'Dynamic require detected' },
-    { pattern: /process\.env\./, reason: 'Environment-dependent behavior' },
-    { pattern: /FEATURE_FLAG/i, reason: 'Feature flag detected' },
-    { pattern: /feature\s*toggle/i, reason: 'Feature toggle detected' },
-    { pattern: /eval\s*\(/, reason: 'Eval detected' },
-    { pattern: /Function\s*\(/, reason: 'Dynamic function construction' },
-  ];
-  
-  const triggered = [];
-  for (const { pattern, reason } of patterns) {
-    if (pattern.test(content)) {
-      triggered.push(reason);
-    }
-  }
+async function runApprove(args = [], context = {}) {
+  const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = getGlobalFlags();
+  const { EXIT } = getExitCodes();
+  const { ansi, renderSuccess, renderError, renderWarning } = getCliOutput();
   
-  return triggered;
-}
-
-/**
- * Check if file is in excluded paths
- */
-function isExcludedPath(filePath, excludedPaths) {
-  const minimatch = require('minimatch');
+  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(globalFlags);
+  const json = isJsonMode(globalFlags) || args.includes("--json");
+  const projectRoot = context.repoRoot || globalFlags.path || process.cwd();
   
-  for (const pattern of excludedPaths) {
-    if (minimatch(filePath, pattern, { matchBase: true })) {
-      return true;
-    }
+  // Handle help
+  if (globalFlags.help || args.includes("--help") || args.includes("-h")) {
+    printHelp();
+    return EXIT.SUCCESS;
   }
   
-  return false;
-}
-
-/**
- * Analyze files for safe consolidation
- */
-async function analyzeSafeConsolidation(projectPath, authority, opts, spinner) {
-  const startTime = Date.now();
-  const findings = {
-    safeToConsolidate: [],
-    needsReview: [],
-    blocked: [],
-  };
-  const hardStopsTriggered = [];
-  const filesTouched = [];
-  
-  // Get inventory first
-  const { runClassify } = require("./runClassify");
-  
-  spinner.update('Running inventory analysis...');
-  
-  // Run classify in quiet mode to get data
-  const inventoryResult = await runInventoryForApprove(projectPath, opts);
-  
-  spinner.update('Analyzing consolidation safety...');
-  
-  // Analyze each duplicate group
-  for (const dupGroup of inventoryResult.duplicationMap) {
-    const primary = dupGroup.primary;
-    filesTouched.push(primary);
-    
-    // Skip if in excluded paths
-    if (isExcludedPath(primary, authority.scope.excludedPaths)) {
-      findings.blocked.push({
-        file: primary,
-        reason: 'In excluded path',
-        recommendation: 'No action needed - file is intentionally excluded',
-      });
-      continue;
-    }
-    
-    // Read primary file content
-    const primaryPath = path.join(projectPath, primary);
-    let content = '';
-    try {
-      content = await fs.promises.readFile(primaryPath, 'utf-8');
-    } catch (err) {
-      findings.blocked.push({
-        file: primary,
-        reason: 'Unable to read file',
-        recommendation: 'Check file permissions',
-      });
-      continue;
-    }
-    
-    // Check for unsafe patterns
-    const unsafeReasons = checkUnsafePatterns(content);
-    if (unsafeReasons.length > 0) {
-      findings.blocked.push({
-        file: primary,
-        reason: unsafeReasons.join(', '),
-        recommendation: 'Manual review required - contains patterns that prevent safe automated consolidation',
-      });
-      
-      if (authority.hardStops.dynamicImportDetected && unsafeReasons.some(r => r.includes('import'))) {
-        hardStopsTriggered.push(`Dynamic import in ${primary}`);
-      }
-      continue;
-    }
-    
-    // Check similarity level
-    if (dupGroup.similarity >= 0.95) {
-      findings.safeToConsolidate.push({
-        primary: primary,
-        duplicates: dupGroup.duplicates,
-        similarity: dupGroup.similarity,
-        type: dupGroup.type,
-        action: 'Create re-export from duplicates to primary',
-        linesSaved: dupGroup.lineCount * dupGroup.duplicates.length,
-      });
-    } else {
-      findings.needsReview.push({
-        file: primary,
-        duplicates: dupGroup.duplicates,
-        similarity: dupGroup.similarity,
-        reason: `Similarity ${Math.round(dupGroup.similarity * 100)}% below threshold for auto-consolidation`,
-        recommendation: 'Review differences manually before consolidating',
-      });
-    }
-  }
+  // Parse options
+  const autoApprove = args.includes("-y") || args.includes("--yes");
+  const reject = args.includes("--reject");
+  const clear = args.includes("--clear");
+  const customMessage = getArgValue(args, "-m") || getArgValue(args, "--message");
   
-  // Analyze legacy code
-  for (const legacyEntry of inventoryResult.legacyMap) {
-    filesTouched.push(legacyEntry.file);
-    
-    if (isExcludedPath(legacyEntry.file, authority.scope.excludedPaths)) {
-      continue;
-    }
-    
-    if (legacyEntry.type === 'backup' && legacyEntry.confidence >= 0.9) {
-      findings.safeToConsolidate.push({
-        primary: legacyEntry.file,
-        duplicates: [],
-        type: 'legacy-backup',
-        action: 'Archive or remove backup file',
-        evidence: legacyEntry.evidence,
-      });
+  // Load session module
+  let SessionCollector;
+  try {
+    SessionCollector = getSessionModule().SessionCollector;
+  } catch (e) {
+    if (json) {
+      console.log(JSON.stringify({ success: false, error: "Session module not available" }));
     } else {
-      findings.needsReview.push({
-        file: legacyEntry.file,
-        type: legacyEntry.type,
-        confidence: legacyEntry.confidence,
-        reason: 'Legacy code - requires manual review',
-        recommendation: 'Verify no active references before removal',
-      });
+      renderError("Session module not available");
     }
+    return EXIT.INTERNAL_ERROR;
   }
   
-  // Generate proofs
-  const proofs = {
-    reachability: hardStopsTriggered.length > 0 
-      ? `FAILED: ${hardStopsTriggered.join('; ')}` 
-      : 'PASSED: No dynamic imports detected in safe files',
-    compatibility: findings.safeToConsolidate.length > 0
-      ? 'PASSED: Re-exports preserve import paths'
-      : 'N/A: No consolidations proposed',
-    rollback: 'PASSED: Single git revert restores state',
-  };
-  
-  // Determine verdict
-  let action = 'PROCEED';
-  let confidence = 0.95;
-  
-  if (hardStopsTriggered.length > 0) {
-    action = 'STOP';
-    confidence = 1.0;
-  } else if (findings.needsReview.length > findings.safeToConsolidate.length) {
-    action = 'DEFER';
-    confidence = 0.6;
-  } else if (findings.blocked.length > 0) {
-    action = 'DEFER';
-    confidence = 0.7;
-  }
-  
-  return {
-    authority: authority.id,
-    version: authority.version,
-    timestamp: new Date().toISOString(),
-    action,
-    riskLevel: action === 'STOP' ? 'HIGH' : action === 'DEFER' ? 'MEDIUM' : 'LOW',
-    exitCode: action === 'PROCEED' ? 0 : action === 'DEFER' ? 1 : 2,
-    filesTouched,
-    proofs,
-    behaviorChange: action === 'STOP',
-    confidence,
-    hardStopsTriggered,
-    notes: generateNotes(action, findings, hardStopsTriggered),
-    analysis: {
-      safeToConsolidate: findings.safeToConsolidate,
-      needsReview: findings.needsReview,
-      blocked: findings.blocked,
-      summary: {
-        safeCount: findings.safeToConsolidate.length,
-        reviewCount: findings.needsReview.length,
-        blockedCount: findings.blocked.length,
-        totalLinesSavings: findings.safeToConsolidate.reduce((sum, f) => sum + (f.linesSaved || 0), 0),
-      },
-    },
-    analysisTimeMs: Date.now() - startTime,
-  };
-}
-
-/**
- * Run inventory analysis for approve command
- */
-async function runInventoryForApprove(projectPath, opts) {
-  const { runClassify } = require("./runClassify");
-  
-  // Create a minimal spinner that captures output
-  const inventoryOpts = {
-    path: projectPath,
-    json: true,
-    quiet: true,
-    includeNear: true,
-    includeSemantic: false,
-    threshold: 0.8,
-    maxFiles: 5000,
-  };
-  
-  // Directly run the inventory analysis logic
-  const crypto = require("crypto");
-  
-  const EXCLUDED_DIRS = new Set([
-    'node_modules', '.git', 'dist', 'build', '.next', 'coverage', '.vibecheck',
-  ]);
+  const collector = new SessionCollector(projectRoot);
   
-  async function findFiles(rootPath, maxFiles) {
-    const files = [];
-    const extensions = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
-    
-    async function walk(dir, depth = 0) {
-      if (depth > 20 || files.length >= maxFiles) return;
-      try {
-        const entries = await fs.promises.readdir(dir, { withFileTypes: true });
-        for (const entry of entries) {
-          if (files.length >= maxFiles) break;
-          const fullPath = path.join(dir, entry.name);
-          const relativePath = path.relative(rootPath, fullPath);
-          if (entry.isDirectory()) {
-            if (!EXCLUDED_DIRS.has(entry.name) && !entry.name.startsWith('.')) {
-              await walk(fullPath, depth + 1);
-            }
-          } else if (entry.isFile()) {
-            const ext = path.extname(entry.name).toLowerCase();
-            if (extensions.has(ext)) {
-              files.push({ path: fullPath, relativePath, name: entry.name, ext });
-            }
-          }
-        }
-      } catch (err) { /* skip */ }
+  // Check for pending changes
+  if (!collector.hasPending()) {
+    if (json) {
+      console.log(JSON.stringify({ success: true, message: "No pending changes", changes: 0 }));
+    } else if (!quiet) {
+      renderWarning("No pending changes to review");
+      console.log(`\n  ${ansi.dim}Changes are logged when AI modifies files in OBSERVE mode.${ansi.reset}\n`);
     }
-    await walk(rootPath);
-    return files;
+    return EXIT.SUCCESS;
   }
   
-  const files = await findFiles(projectPath, 5000);
-  const fileContents = new Map();
-  const fileHashes = new Map();
-  
-  for (const file of files) {
-    try {
-      const content = await fs.promises.readFile(file.path, 'utf-8');
-      const lines = content.split('\n').length;
-      fileContents.set(file.relativePath, { content, lines });
-      fileHashes.set(file.relativePath, crypto.createHash('sha256').update(content).digest('hex').slice(0, 16));
-    } catch (err) { /* skip */ }
-  }
+  const session = collector.getPending();
+  const summary = collector.getSummary();
   
-  // Find duplicates
-  const hashGroups = new Map();
-  for (const [filePath, hash] of fileHashes.entries()) {
-    if (!hashGroups.has(hash)) hashGroups.set(hash, []);
-    hashGroups.get(hash).push(filePath);
+  // Handle reject
+  if (reject) {
+    collector.reject();
+    if (json) {
+      console.log(JSON.stringify({ success: true, action: "rejected", changes: summary.total_changes }));
+    } else if (!quiet) {
+      renderSuccess("Session changes rejected");
+      console.log(`\n  ${ansi.dim}${summary.total_changes} change(s) discarded.${ansi.reset}\n`);
+    }
+    return EXIT.SUCCESS;
   }
   
-  const duplicationMap = [];
-  for (const [hash, files] of hashGroups.entries()) {
-    if (files.length > 1) {
-      const { lines } = fileContents.get(files[0]) || { lines: 0 };
-      duplicationMap.push({
-        primary: files[0],
-        duplicates: files.slice(1),
-        similarity: 1.0,
-        type: 'exact',
-        lineCount: lines,
-      });
+  // Handle clear (no intent created)
+  if (clear) {
+    collector.clear();
+    if (json) {
+      console.log(JSON.stringify({ success: true, action: "cleared", changes: summary.total_changes }));
+    } else if (!quiet) {
+      renderSuccess("Session cleared");
+      console.log(`\n  ${ansi.dim}Session reset. No intent created.${ansi.reset}\n`);
     }
+    return EXIT.SUCCESS;
   }
   
-  // Find legacy code
-  const LEGACY_PATTERNS = [
-    { pattern: /\.old\.(js|ts|tsx|jsx)$/i, type: 'backup', confidence: 0.9 },
-    { pattern: /\.bak\.(js|ts|tsx|jsx)$/i, type: 'backup', confidence: 0.95 },
-    { pattern: /\.backup\.(js|ts|tsx|jsx)$/i, type: 'backup', confidence: 0.95 },
-    { pattern: /\.deprecated\.(js|ts|tsx|jsx)$/i, type: 'deprecated', confidence: 0.9 },
-  ];
-  
-  const legacyMap = [];
-  for (const [filePath, { content }] of fileContents.entries()) {
-    for (const { pattern, type, confidence } of LEGACY_PATTERNS) {
-      if (pattern.test(filePath)) {
-        legacyMap.push({
-          file: filePath,
-          type,
-          evidence: [`File name matches pattern: ${pattern}`],
-          confidence,
-        });
-        break;
+  // Show changes summary
+  if (!json && !quiet) {
+    console.log(`
+${ansi.cyan}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   SESSION REVIEW                                                  ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.bold}Session Info${ansi.reset}
+    ID: ${session.id}
+    Started: ${new Date(session.started_at).toLocaleString()}
+    Duration: ${summary.duration_minutes} minutes
+
+  ${ansi.bold}Changes (${summary.total_changes})${ansi.reset}`);
+    
+    // Group by domain
+    const byDomain = {};
+    for (const change of session.changes) {
+      const domain = change.domain || "general";
+      if (!byDomain[domain]) byDomain[domain] = [];
+      byDomain[domain].push(change);
+    }
+    
+    for (const [domain, changes] of Object.entries(byDomain)) {
+      console.log(`\n    ${ansi.bold}${domain}${ansi.reset} (${changes.length})`);
+      for (const change of changes.slice(0, 5)) {
+        const icon = change.type === "file_create" ? "+" : change.type === "file_delete" ? "-" : "~";
+        const color = change.type === "file_create" ? ansi.green : change.type === "file_delete" ? ansi.red : ansi.yellow;
+        console.log(`      ${color}${icon}${ansi.reset} ${change.path}`);
+      }
+      if (changes.length > 5) {
+        console.log(`      ${ansi.dim}... and ${changes.length - 5} more${ansi.reset}`);
       }
     }
-    // Check content for @deprecated
-    if (/@deprecated/i.test(content)) {
-      const existing = legacyMap.find(l => l.file === filePath);
-      if (!existing) {
-        legacyMap.push({
-          file: filePath,
-          type: 'deprecated',
-          evidence: ['Contains @deprecated annotation'],
-          confidence: 0.85,
-        });
+    
+    // Show auto-generated intent
+    const generatedIntent = collector.generateIntentSummary();
+    console.log(`
+  ${ansi.bold}Auto-Generated Intent${ansi.reset}
+    "${generatedIntent}"
+`);
+  }
+  
+  // Handle auto-approve
+  if (autoApprove || customMessage) {
+    const intentMessage = customMessage || collector.generateIntentSummary();
+    const result = collector.approve(intentMessage);
+    
+    if (json) {
+      console.log(JSON.stringify({
+        success: result.success,
+        action: "approved",
+        intent: result.intent ? {
+          hash: result.intent.hash,
+          summary: result.intent.summary,
+        } : null,
+        changes: summary.total_changes,
+        error: result.error,
+      }, null, 2));
+    } else if (!quiet) {
+      if (result.success) {
+        console.log(`
+${ansi.green}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   ✓ SESSION APPROVED                                              ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.bold}Intent Created${ansi.reset}
+    "${result.intent.summary}"
+
+  ${ansi.bold}Changes Approved${ansi.reset}
+    ${result.changes_approved} change(s)
+
+  ${ansi.dim}Hash: ${result.intent.hash.slice(0, 16)}...${ansi.reset}
+
+  ${ansi.bold}The Agent Firewall is now in ENFORCE mode.${ansi.reset}
+  ${ansi.dim}Future changes must align with this intent.${ansi.reset}
+`);
+      } else {
+        renderError(result.error || "Failed to approve session");
       }
     }
+    
+    return result.success ? EXIT.SUCCESS : EXIT.INTERNAL_ERROR;
   }
   
-  return {
-    duplicationMap,
-    legacyMap,
-    summary: {
-      totalFiles: files.length,
-      duplicatedFiles: duplicationMap.reduce((sum, d) => sum + 1 + d.duplicates.length, 0),
-      legacyFiles: legacyMap.length,
-    },
-  };
-}
-
-/**
- * Generate human-readable notes for verdict
- */
-function generateNotes(action, findings, hardStopsTriggered) {
-  if (action === 'STOP') {
-    return `BLOCKED: Hard stops triggered. ${hardStopsTriggered.join('. ')}. Manual intervention required.`;
+  // Interactive mode - show options
+  if (!json && !quiet) {
+    console.log(`  ${ansi.bold}Options${ansi.reset}
+    ${ansi.cyan}vibecheck approve -y${ansi.reset}              Approve with auto-generated intent
+    ${ansi.cyan}vibecheck approve -m "..."${ansi.reset}        Approve with custom message
+    ${ansi.cyan}vibecheck approve --reject${ansi.reset}        Reject all changes
+`);
   }
   
-  if (action === 'DEFER') {
-    const reviewCount = findings.needsReview.length;
-    const blockedCount = findings.blocked.length;
-    return `REVIEW NEEDED: ${reviewCount} items need manual review, ${blockedCount} items are blocked. Safe consolidations: ${findings.safeToConsolidate.length}.`;
+  if (json) {
+    console.log(JSON.stringify({
+      pending: true,
+      session_id: session.id,
+      changes: summary.total_changes,
+      files_touched: summary.files_touched,
+      domains: summary.domains,
+      generated_intent: collector.generateIntentSummary(),
+    }, null, 2));
   }
   
-  const linesSaved = findings.safeToConsolidate.reduce((sum, f) => sum + (f.linesSaved || 0), 0);
-  return `SAFE TO PROCEED: ${findings.safeToConsolidate.length} consolidations identified. Estimated ${linesSaved} lines can be reduced.`;
+  return EXIT.SUCCESS;
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// OUTPUT FORMATTERS
+// UTILITIES
 // ═══════════════════════════════════════════════════════════════════════════════
 
-function formatVerdictOutput(verdict, projectPath) {
-  const lines = [];
-  
-  const actionSymbol = verdict.action === 'PROCEED' ? '✓' : verdict.action === 'DEFER' ? '⚠' : '✗';
-  const actionColor = verdict.action === 'PROCEED' ? colors.success : verdict.action === 'DEFER' ? colors.warning : colors.error;
-  
-  lines.push('');
-  lines.push('┌────────────────────────────────────────────────────────────────────┐');
-  lines.push(`│  ${actionColor}${actionSymbol}${ansi.reset} Authority Verdict: ${ansi.bold}${verdict.action}${ansi.reset}                                  │`);
-  lines.push('├────────────────────────────────────────────────────────────────────┤');
-  lines.push(`│  Authority:   ${verdict.authority} v${verdict.version}`.padEnd(68) + '│');
-  lines.push(`│  Risk Level:  ${verdict.riskLevel}`.padEnd(68) + '│');
-  lines.push(`│  Confidence:  ${Math.round(verdict.confidence * 100)}%`.padEnd(68) + '│');
-  lines.push(`│  Exit Code:   ${verdict.exitCode}`.padEnd(68) + '│');
-  lines.push('└────────────────────────────────────────────────────────────────────┘');
-  lines.push('');
-  
-  // Hard stops
-  if (verdict.hardStopsTriggered.length > 0) {
-    lines.push(`${ansi.bold}${colors.error}Hard Stops Triggered:${ansi.reset}`);
-    for (const stop of verdict.hardStopsTriggered) {
-      lines.push(`  ${colors.error}✗${ansi.reset} ${stop}`);
+function getArgValue(args, ...flags) {
+  for (const flag of flags) {
+    const index = args.indexOf(flag);
+    if (index !== -1 && args[index + 1] && !args[index + 1].startsWith("-")) {
+      return args[index + 1];
     }
-    lines.push('');
-  }
-  
-  // Proofs
-  lines.push(`${ansi.bold}Proofs:${ansi.reset}`);
-  for (const [key, value] of Object.entries(verdict.proofs)) {
-    const icon = value.startsWith('PASSED') ? colors.success + '✓' : value.startsWith('FAILED') ? colors.error + '✗' : colors.warning + '○';
-    lines.push(`  ${icon}${ansi.reset} ${key}: ${ansi.dim}${value}${ansi.reset}`);
-  }
-  lines.push('');
-  
-  // Analysis summary
-  if (verdict.analysis) {
-    const { summary } = verdict.analysis;
-    lines.push(`${ansi.bold}Analysis Summary:${ansi.reset}`);
-    lines.push(`  ${colors.success}✓${ansi.reset} Safe to consolidate: ${summary.safeCount}`);
-    lines.push(`  ${colors.warning}⚠${ansi.reset} Needs review: ${summary.reviewCount}`);
-    lines.push(`  ${colors.error}✗${ansi.reset} Blocked: ${summary.blockedCount}`);
-    lines.push(`  ${ansi.dim}Estimated lines saved: ${summary.totalLinesSavings}${ansi.reset}`);
-    lines.push('');
-  }
-  
-  // Notes
-  lines.push(`${ansi.bold}Notes:${ansi.reset}`);
-  lines.push(`  ${verdict.notes}`);
-  lines.push('');
-  
-  // Timestamp
-  lines.push(`${ansi.dim}${verdict.timestamp}${ansi.reset}`);
-  lines.push('');
-  
-  return lines.join('\n');
-}
-
-/**
- * Generate authority approved badge SVG
- */
-function generateBadge(verdict) {
-  const color = verdict.action === 'PROCEED' ? '#22C55E' : verdict.action === 'DEFER' ? '#F59E0B' : '#EF4444';
-  const text = verdict.action;
-  const conf = Math.round(verdict.confidence * 100);
-  
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="240" height="20">
-  <linearGradient id="b" x2="0" y2="100%">
-    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
-    <stop offset="1" stop-opacity=".1"/>
-  </linearGradient>
-  <clipPath id="a">
-    <rect width="240" height="20" rx="3" fill="#fff"/>
-  </clipPath>
-  <g clip-path="url(#a)">
-    <path fill="#555" d="M0 0h150v20H0z"/>
-    <path fill="${color}" d="M150 0h90v20H150z"/>
-    <path fill="url(#b)" d="M0 0h240v20H0z"/>
-  </g>
-  <g fill="#fff" text-anchor="middle" font-family="DejaVu Sans,Verdana,Geneva,sans-serif" font-size="11">
-    <text x="75" y="15" fill="#010101" fill-opacity=".3">Authority Approved</text>
-    <text x="75" y="14">Authority Approved</text>
-    <text x="195" y="15" fill="#010101" fill-opacity=".3">${text} ${conf}%</text>
-    <text x="195" y="14">${text} ${conf}%</text>
-  </g>
-</svg>`;
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// HARDENING CONSTANTS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-/** Maximum execution time for an authority (ms) */
-const MAX_EXECUTION_TIME_MS = 5 * 60 * 1000; // 5 minutes
-
-/** Rate limit tracking */
-const rateLimitStore = new Map();
-
-/**
- * Check rate limit for user
- */
-function checkRateLimit(userId, windowMs, maxRequests) {
-  const key = `${userId}:${windowMs}`;
-  const now = Date.now();
-  
-  let entry = rateLimitStore.get(key);
-  
-  if (!entry || entry.resetAt < now) {
-    entry = { count: 0, resetAt: now + windowMs };
-    rateLimitStore.set(key, entry);
-  }
-  
-  const allowed = entry.count < maxRequests;
-  if (allowed) {
-    entry.count++;
-  }
-  
-  return {
-    allowed,
-    remaining: Math.max(0, maxRequests - entry.count),
-    resetAt: new Date(entry.resetAt),
-  };
-}
-
-/**
- * Validate authority ID format
- */
-function validateAuthorityId(id) {
-  const pattern = /^[a-z0-9][a-z0-9-]{0,62}[a-z0-9]$/;
-  
-  if (!id || typeof id !== 'string') {
-    return { valid: false, error: 'Authority ID must be a non-empty string' };
-  }
-  
-  if (id.length < 2 || id.length > 64) {
-    return { valid: false, error: 'Authority ID must be 2-64 characters' };
-  }
-  
-  if (!pattern.test(id)) {
-    return { valid: false, error: 'Authority ID must be lowercase alphanumeric with hyphens' };
-  }
-  
-  return { valid: true };
-}
-
-/**
- * Validate project path for security
- */
-function validateProjectPath(projectPath) {
-  if (!projectPath || typeof projectPath !== 'string') {
-    return { valid: false, error: 'Project path must be a non-empty string' };
-  }
-  
-  // Check for path traversal attempts
-  if (projectPath.includes('..') || projectPath.includes('\0')) {
-    return { valid: false, error: 'Invalid characters in project path' };
-  }
-  
-  // Must be absolute path
-  const isAbsolute = projectPath.startsWith('/') || /^[A-Za-z]:[\\/]/.test(projectPath);
-  if (!isAbsolute) {
-    return { valid: false, error: 'Project path must be absolute' };
-  }
-  
-  return { valid: true };
-}
-
-/**
- * Execute with timeout
- */
-async function withTimeout(fn, timeoutMs, timeoutError = 'Operation timed out') {
-  let timeoutId;
-  
-  const timeoutPromise = new Promise((_, reject) => {
-    timeoutId = setTimeout(() => {
-      reject(new Error(timeoutError));
-    }, timeoutMs);
-  });
-  
-  try {
-    const result = await Promise.race([fn(), timeoutPromise]);
-    clearTimeout(timeoutId);
-    return result;
-  } catch (error) {
-    clearTimeout(timeoutId);
-    throw error;
-  }
-}
-
-/**
- * Sanitize error for safe logging
- */
-function sanitizeError(error) {
-  if (error instanceof Error) {
-    let message = error.message;
-    // Remove file paths
-    message = message.replace(/[A-Za-z]:[\\\/][^\s]+/g, '[PATH]');
-    message = message.replace(/\/[^\s]+/g, '[PATH]');
-    // Remove potential secrets
-    message = message.replace(/['"][^'"]{20,}['"]/g, '[REDACTED]');
-    
-    return {
-      message: message.slice(0, 200),
-      code: error.name || 'Error',
-    };
   }
-  
-  return {
-    message: 'An unexpected error occurred',
-    code: 'UNKNOWN_ERROR',
-  };
+  return null;
 }
 
 // ═══════════════════════════════════════════════════════════════════════════════
-// MAIN COMMAND
+// EXPORTS
 // ═══════════════════════════════════════════════════════════════════════════════
 
-async function runApprove(args) {
-  const opts = parseArgs(args);
-  const executionId = `exec_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
-  const startTime = Date.now();
-  
-  // Show help
-  if (opts.help) {
-    printHelp(shouldShowBanner(opts));
-    return 0;
-  }
-  
-  // Print banner
-  if (shouldShowBanner(opts)) {
-    printBanner();
-  }
-  
-  // List authorities
-  if (opts.list) {
-    console.log(`\n  ${ansi.bold}Available Authorities:${ansi.reset}\n`);
-    
-    for (const [id, auth] of Object.entries(AUTHORITIES)) {
-      const tierLabel = auth.tier === 'free' ? colors.success + '[FREE]' : 
-                        auth.tier === 'starter' ? colors.accent + '[STARTER]' : 
-                        auth.tier === 'pro' ? colors.warning + '[PRO]' :
-                        colors.error + '[ENTERPRISE]';
-      console.log(`  ${colors.accent}${id}${ansi.reset} ${tierLabel}${ansi.reset}`);
-      console.log(`    ${ansi.dim}${auth.description}${ansi.reset}`);
-      if (auth.note) {
-        console.log(`    ${colors.warning}Note: ${auth.note}${ansi.reset}`);
-      }
-      console.log();
-    }
-    
-    console.log(`  ${ansi.dim}Usage: vibecheck approve <authority-id>${ansi.reset}\n`);
-    return 0;
-  }
-  
-  // Require authority argument
-  if (!opts.authority) {
-    console.error(`\n  ${colors.error}✗${ansi.reset} Authority ID required\n`);
-    console.log(`  ${ansi.dim}Usage: vibecheck approve <authority-id>${ansi.reset}`);
-    console.log(`  ${ansi.dim}List:  vibecheck approve --list${ansi.reset}\n`);
-    return EXIT.USER_ERROR;
-  }
-  
-  // HARDENING: Validate authority ID format
-  const idValidation = validateAuthorityId(opts.authority);
-  if (!idValidation.valid) {
-    console.error(`\n  ${colors.error}✗${ansi.reset} Invalid authority ID: ${idValidation.error}\n`);
-    return EXIT.USER_ERROR;
-  }
-  
-  // Check authority exists
-  const authority = AUTHORITIES[opts.authority];
-  if (!authority) {
-    console.error(`\n  ${colors.error}✗${ansi.reset} Unknown authority: ${opts.authority}\n`);
-    console.log(`  ${ansi.dim}Available: ${Object.keys(AUTHORITIES).join(', ')}${ansi.reset}\n`);
-    return EXIT.USER_ERROR;
-  }
-  
-  // Special case for inventory - redirect to classify
-  if (opts.authority === 'inventory') {
-    console.log(`\n  ${colors.warning}⚠${ansi.reset} Use 'vibecheck classify' for the inventory authority\n`);
-    return EXIT.USER_ERROR;
-  }
-  
-  // HARDENING: Rate limiting (10 requests per minute)
-  const userId = process.env.VIBECHECK_USER_ID || 'anonymous';
-  const rateCheck = checkRateLimit(userId, 60 * 1000, 10);
-  if (!rateCheck.allowed) {
-    console.error(`\n  ${colors.error}✗${ansi.reset} Rate limit exceeded`);
-    console.log(`  ${ansi.dim}Try again at: ${rateCheck.resetAt.toISOString()}${ansi.reset}\n`);
-    return EXIT.RATE_LIMITED || 429;
-  }
-  
-  // Check tier access
-  const access = await checkTierAccess(authority.tier);
-  if (!access.allowed) {
-    console.log(`\n  ${colors.error}✗${ansi.reset} ${ansi.bold}${authority.tier.toUpperCase()} tier required${ansi.reset}`);
-    console.log(`  ${ansi.dim}Current tier: ${access.tier || 'FREE'}${ansi.reset}`);
-    console.log(`  ${ansi.dim}Upgrade at: https://vibecheckai.dev/pricing${ansi.reset}\n`);
-    return EXIT.TIER_REQUIRED;
-  }
-  
-  const projectPath = path.resolve(opts.path);
-  
-  // HARDENING: Validate project path
-  const pathValidation = validateProjectPath(projectPath);
-  if (!pathValidation.valid) {
-    throw createUserError(pathValidation.error, "SecurityError");
-  }
-  
-  // Validate project path exists
-  if (!fs.existsSync(projectPath)) {
-    throw createUserError(`Project path does not exist: ${projectPath}`, "ValidationError");
-  }
-  
-  if (!opts.quiet) {
-    console.log(`  ${ansi.dim}Execution:${ansi.reset} ${ansi.dim}${executionId}${ansi.reset}`);
-    console.log(`  ${ansi.dim}Project:${ansi.reset}   ${ansi.bold}${path.basename(projectPath)}${ansi.reset}`);
-    console.log(`  ${ansi.dim}Authority:${ansi.reset} ${colors.accent}${authority.id}${ansi.reset} v${authority.version}`);
-    console.log(`  ${ansi.dim}Tier:${ansi.reset}      ${authority.tier.toUpperCase()}`);
-    console.log();
-  }
-  
-  // Run analysis with timeout
-  const spinner = new Spinner({ color: colors.primary });
-  spinner.start('Executing authority...');
-  
-  try {
-    let verdict;
-    
-    // HARDENING: Execute with timeout
-    verdict = await withTimeout(
-      async () => {
-        if (opts.authority === 'safe-consolidation') {
-          return await analyzeSafeConsolidation(projectPath, authority, opts, spinner);
-        } else if (opts.authority === 'security-remediation') {
-          // Forward to security analysis
-          return await analyzeSecurityRemediation(projectPath, authority, opts, spinner);
-        } else {
-          throw createUserError(`Authority executor not implemented: ${opts.authority}`, "NotImplemented");
-        }
-      },
-      MAX_EXECUTION_TIME_MS,
-      `Authority execution timed out after ${MAX_EXECUTION_TIME_MS / 1000}s`
-    );
-    
-    // Add execution metadata
-    verdict.executionId = executionId;
-    verdict.analysisTimeMs = Date.now() - startTime;
-    
-    spinner.succeed(`Analysis complete (${verdict.analysisTimeMs}ms)`);
-    
-    // Output
-    if (opts.json) {
-      console.log(JSON.stringify(verdict, null, 2));
-    } else {
-      // Use Mission Control format
-      const { formatApproveOutput } = require('./lib/approve-output');
-      console.log(formatApproveOutput(verdict, { projectPath, version: 'v3.5.5' }));
-    }
-    
-    // Save to file if requested
-    if (opts.output && !opts.dryRun) {
-      const outputPath = path.resolve(opts.output);
-      await fs.promises.writeFile(outputPath, JSON.stringify(verdict, null, 2));
-      
-      if (!opts.quiet && !opts.json) {
-        console.log(`  ${colors.success}✓${ansi.reset} Verdict saved to: ${outputPath}`);
-      }
-    }
-    
-    // Generate badge if requested
-    if (opts.badge && verdict.action === 'PROCEED' && !opts.dryRun) {
-      const badgePath = path.join(projectPath, '.vibecheck', 'badges', `${authority.id}-badge.svg`);
-      const badgeDir = path.dirname(badgePath);
-      
-      if (!fs.existsSync(badgeDir)) {
-        fs.mkdirSync(badgeDir, { recursive: true });
-      }
-      
-      await fs.promises.writeFile(badgePath, generateBadge(verdict));
-      
-      if (!opts.quiet && !opts.json) {
-        console.log(`  ${colors.success}✓${ansi.reset} Badge saved to: ${badgePath}`);
-      }
-    }
-    
-    // Log execution summary (for audit)
-    if (opts.verbose) {
-      console.log(`\n  ${ansi.dim}Execution Summary:${ansi.reset}`);
-      console.log(`  ${ansi.dim}├─ ID: ${executionId}${ansi.reset}`);
-      console.log(`  ${ansi.dim}├─ Duration: ${verdict.analysisTimeMs}ms${ansi.reset}`);
-      console.log(`  ${ansi.dim}├─ Files Analyzed: ${verdict.filesTouched.length}${ansi.reset}`);
-      console.log(`  ${ansi.dim}└─ Verdict: ${verdict.action}${ansi.reset}\n`);
-    }
-    
-    return verdict.exitCode;
-    
-  } catch (error) {
-    const sanitized = sanitizeError(error);
-    spinner.fail(`Authority execution failed: ${sanitized.message}`);
-    
-    // Log sanitized error details
-    if (opts.verbose) {
-      console.error(`  ${ansi.dim}Error Code: ${sanitized.code}${ansi.reset}`);
-      console.error(`  ${ansi.dim}Execution ID: ${executionId}${ansi.reset}`);
-    }
-    
-    throw error;
-  }
-}
-
-/**
- * Security remediation authority executor
- */
-async function analyzeSecurityRemediation(projectPath, authority, opts, spinner) {
-  const startTime = Date.now();
-  spinner.update('Scanning for security vulnerabilities...');
-  
-  // Security patterns to detect
-  const SECURITY_PATTERNS = {
-    COMMAND_INJECTION: {
-      pattern: /execSync\s*\(\s*[`$]/,
-      severity: 'CRITICAL',
-      description: 'Command injection via shell interpolation',
-    },
-    SQL_INJECTION: {
-      pattern: /query\s*\(\s*[`$]/,
-      severity: 'CRITICAL',
-      description: 'SQL injection via string interpolation',
-    },
-    EVAL_USAGE: {
-      pattern: /eval\s*\(/,
-      severity: 'HIGH',
-      description: 'Unsafe eval usage',
-    },
-    HARDCODED_SECRET: {
-      pattern: /process\.env\.\w+\s*\|\|\s*['"][^'"]{8,}['"]/,
-      severity: 'HIGH',
-      description: 'Hardcoded fallback secret',
-    },
-    PATH_TRAVERSAL: {
-      pattern: /path\.join\s*\([^)]*req\./,
-      severity: 'HIGH',
-      description: 'Path traversal via user input',
-    },
-  };
-  
-  const findings = [];
-  const filesTouched = [];
-  
-  // Scan files
-  const extensions = new Set(['.ts', '.tsx', '.js', '.jsx']);
-  const excludedDirs = new Set(['node_modules', '.git', 'dist', 'build']);
-  
-  async function walkDir(dir, depth = 0) {
-    if (depth > 15) return;
-    
-    try {
-      const entries = await fs.promises.readdir(dir, { withFileTypes: true });
-      
-      for (const entry of entries) {
-        const fullPath = path.join(dir, entry.name);
-        const relativePath = path.relative(projectPath, fullPath);
-        
-        if (entry.isDirectory()) {
-          if (!excludedDirs.has(entry.name) && !entry.name.startsWith('.')) {
-            await walkDir(fullPath, depth + 1);
-          }
-        } else if (entry.isFile()) {
-          const ext = path.extname(entry.name).toLowerCase();
-          if (extensions.has(ext)) {
-            try {
-              const content = await fs.promises.readFile(fullPath, 'utf-8');
-              filesTouched.push(relativePath);
-              
-              for (const [name, { pattern, severity, description }] of Object.entries(SECURITY_PATTERNS)) {
-                if (pattern.test(content)) {
-                  const match = content.match(pattern);
-                  const beforeMatch = content.slice(0, match.index);
-                  const line = (beforeMatch.match(/\n/g) || []).length + 1;
-                  
-                  findings.push({
-                    file: relativePath,
-                    line,
-                    type: name,
-                    severity,
-                    description,
-                    evidence: match[0].slice(0, 50),
-                  });
-                }
-              }
-            } catch (err) {
-              // Skip unreadable files
-            }
-          }
-        }
-      }
-    } catch (err) {
-      // Skip inaccessible directories
-    }
-  }
-  
-  await walkDir(projectPath);
-  
-  // Determine verdict
-  const criticalCount = findings.filter(f => f.severity === 'CRITICAL').length;
-  const highCount = findings.filter(f => f.severity === 'HIGH').length;
-  
-  let action = 'PROCEED';
-  let riskLevel = 'LOW';
-  let confidence = 0.9;
-  
-  if (criticalCount > 0) {
-    action = 'STOP';
-    riskLevel = 'CRITICAL';
-    confidence = 1.0;
-  } else if (highCount > 0) {
-    action = 'DEFER';
-    riskLevel = 'HIGH';
-    confidence = 0.8;
-  }
-  
-  return {
-    authority: authority.id,
-    version: authority.version,
-    timestamp: new Date().toISOString(),
-    action,
-    riskLevel,
-    exitCode: action === 'PROCEED' ? 0 : action === 'DEFER' ? 1 : 2,
-    filesTouched,
-    proofs: {
-      reachability: 'Static analysis - pattern matching',
-      compatibility: 'N/A - read-only scan',
-      rollback: 'N/A - no changes made',
-    },
-    behaviorChange: false,
-    confidence,
-    hardStopsTriggered: criticalCount > 0 ? [`${criticalCount} CRITICAL vulnerabilities`] : [],
-    notes: criticalCount > 0 
-      ? `BLOCKED: ${criticalCount} critical vulnerabilities found. Fix before deployment.`
-      : highCount > 0
-      ? `REVIEW: ${highCount} high severity issues found. Manual review recommended.`
-      : `PASSED: No critical security issues detected.`,
-    analysis: {
-      findings,
-      summary: {
-        critical: criticalCount,
-        high: highCount,
-        total: findings.length,
-        filesScanned: filesTouched.length,
-      },
-    },
-    analysisTimeMs: Date.now() - startTime,
-  };
-}
-
 module.exports = {
-  runApprove: withErrorHandling(runApprove, "Approve failed"),
+  runApprove,
 };