@vibecheckai/cli 3.9.0 → 4.0.0

package/mcp-server/index.js

@@ -1,2940 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * vibecheck MCP Server v2.1.0 - Hardened Production Build
- *
- * Curated Tools for AI Agents:
- *   vibecheck.ctx             - Build truthpack/context
- *   vibecheck.scan            - Static scan for issues
- *   vibecheck.ship            - Verdict with evidence
- *   vibecheck.get_truthpack   - Ground truth
- *   vibecheck.validate_claim  - Evidence-based claim validation
- *   vibecheck.compile_context - Task-focused context
- *   vibecheck.search_evidence - Evidence search
- *   vibecheck.find_counterexamples - Falsification
- *   vibecheck.check_invariants - Invariant checks
- *
- * Everything else is parameters on these tools.
- * 
- * HARDENING FEATURES (v2.1.0):
- * - Input validation: URL, path, string, array, number sanitization
- * - Output sanitization: Redaction of secrets, truncation of large outputs
- * - Rate limiting: 120 calls/minute per server instance
- * - Path security: Traversal prevention, project root sandboxing
- * - Safe JSON parsing: Size limits, error handling
- * - Error handling: Consistent error codes, sanitized messages
- * - Resource safety: Bounded timeouts, memory limits
- * - Graceful degradation: Partial output on failures
- */
-
-import { Server } from "@modelcontextprotocol/sdk/server/index.js";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema,
-  ListResourcesRequestSchema,
-  ReadResourceRequestSchema,
-} from "@modelcontextprotocol/sdk/types.js";
-
-import fs from "fs/promises";
-import fsSync from "fs";
-import path from "path";
-import { fileURLToPath } from "url";
-import { execFile } from "child_process";
-import { promisify } from "util";
-
-// Import API client for dashboard integration (optional - may use CommonJS)
-import { createRequire } from "module";
-const require = createRequire(import.meta.url);
-const { 
-  createScan, 
-  updateScanProgress, 
-  submitScanResults, 
-  reportScanError, 
-  isApiAvailable 
-} = require("./lib/api-client.cjs");
-
-const execFileAsync = promisify(execFile);
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-// ============================================================================
-// CENTRALIZED CONFIGURATION
-// ============================================================================
-const CONFIG = {
-  VERSION: "2.1.0",
-  BIN_PATH: path.join(__dirname, "..", "bin", "vibecheck.js"),
-  OUTPUT_DIR: ".vibecheck",
-  ENV_DEFAULTS: { VIBECHECK_SKIP_AUTH: "1" },
-  TIMEOUTS: {
-    DEFAULT: 30000,      // 30 seconds
-    SCAN: 120000,        // 2 minutes
-    VERIFY: 180000,      // 3 minutes
-    REALITY: 300000,     // 5 minutes
-    PROVE: 600000,       // 10 minutes
-    AUTOPILOT: 300000,   // 5 minutes
-  },
-  MAX_BUFFER: 10 * 1024 * 1024, // 10MB
-  // Hardening limits
-  LIMITS: {
-    MAX_OUTPUT_LENGTH: 500000,      // 500KB max output text
-    MAX_PATH_LENGTH: 4096,          // Max path string length
-    MAX_URL_LENGTH: 2048,           // Max URL length
-    MAX_STRING_ARG: 10000,          // Max string argument length
-    MAX_ARRAY_ITEMS: 100,           // Max array items in args
-    RATE_LIMIT_WINDOW_MS: 60000,    // 1 minute window
-    RATE_LIMIT_MAX_CALLS: 120,      // Max calls per window
-  },
-  // Sensitive patterns to redact from output
-  SENSITIVE_PATTERNS: [
-    /(?:sk_live_|sk_test_)[a-zA-Z0-9]{24,}/g,           // Stripe keys
-    /(?:AKIA|ASIA)[A-Z0-9]{16}/g,                       // AWS keys
-    /ghp_[a-zA-Z0-9]{36}/g,                             // GitHub tokens
-    /xox[baprs]-[0-9A-Za-z\-]{10,}/g,                   // Slack tokens
-    /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g, // JWTs
-    /(?:password|secret|token|apikey|api_key)["']?\s*[:=]\s*["'][^"']{8,}["']/gi, // Generic secrets
-  ],
-};
-
-// ============================================================================
-// HARDENING: Input Validation & Sanitization Utilities
-// ============================================================================
-
-/**
- * Validate and sanitize a URL
- * @param {string} url - URL to validate
- * @returns {{ valid: boolean, url?: string, error?: string }}
- */
-function validateUrl(url) {
-  if (!url || typeof url !== 'string') {
-    return { valid: false, error: 'URL is required and must be a string' };
-  }
-  
-  const trimmed = url.trim();
-  
-  if (trimmed.length > CONFIG.LIMITS.MAX_URL_LENGTH) {
-    return { valid: false, error: `URL exceeds maximum length of ${CONFIG.LIMITS.MAX_URL_LENGTH} characters` };
-  }
-  
-  try {
-    const parsed = new URL(trimmed);
-    
-    // Only allow http/https protocols
-    if (!['http:', 'https:'].includes(parsed.protocol)) {
-      return { valid: false, error: 'URL must use http or https protocol' };
-    }
-    
-    // Block localhost/internal IPs in production contexts (can be overridden)
-    const hostname = parsed.hostname.toLowerCase();
-    if (process.env.VIBECHECK_BLOCK_INTERNAL !== 'false') {
-      // Allow localhost for development
-      if (hostname === 'localhost' || hostname === '127.0.0.1') {
-        // This is OK for local testing
-      }
-    }
-    
-    return { valid: true, url: trimmed };
-  } catch {
-    return { valid: false, error: 'Invalid URL format' };
-  }
-}
-
-/**
- * Sanitize a file path to prevent path traversal.
- * 
- * SECURITY FIX: Previous implementation used path.sep which differs between
- * Windows (\) and Unix (/). Attackers could bypass the check on Windows by
- * using forward slashes in paths. Now we normalize all separators before comparing.
- * 
- * @param {string} inputPath - Path to sanitize
- * @param {string} projectRoot - Project root directory
- * @returns {{ valid: boolean, path?: string, error?: string }}
- */
-function sanitizePath(inputPath, projectRoot) {
-  if (!inputPath || typeof inputPath !== 'string') {
-    return { valid: false, error: 'Path is required and must be a string' };
-  }
-  
-  if (inputPath.length > CONFIG.LIMITS.MAX_PATH_LENGTH) {
-    return { valid: false, error: `Path exceeds maximum length of ${CONFIG.LIMITS.MAX_PATH_LENGTH} characters` };
-  }
-  
-  // Reject null bytes which can truncate paths in some systems
-  if (inputPath.includes('\0')) {
-    return { valid: false, error: 'Path contains invalid characters (null byte)' };
-  }
-  
-  try {
-    const resolvedRoot = path.resolve(projectRoot);
-    const resolvedPath = path.resolve(projectRoot, inputPath);
-    
-    // SECURITY: Normalize path separators for cross-platform comparison
-    // On Windows, path.sep is '\' but paths can use '/' which would bypass the check
-    const normalizedRoot = resolvedRoot.replace(/\\/g, '/').toLowerCase();
-    const normalizedPath = resolvedPath.replace(/\\/g, '/').toLowerCase();
-    
-    // Ensure the resolved path is within or equal to the project root
-    // Use normalized paths for comparison, add trailing slash to prevent
-    // prefix attacks (e.g., /project-malicious matching /project)
-    const rootWithSep = normalizedRoot.endsWith('/') ? normalizedRoot : normalizedRoot + '/';
-    
-    if (!normalizedPath.startsWith(rootWithSep) && normalizedPath !== normalizedRoot) {
-      return { valid: false, error: 'Path traversal detected - path must be within project root' };
-    }
-    
-    return { valid: true, path: resolvedPath };
-  } catch (err) {
-    return { valid: false, error: `Invalid path format: ${err.message}` };
-  }
-}
-
-/**
- * Validate and sanitize string arguments
- * @param {*} value - Value to validate
- * @param {number} maxLength - Maximum allowed length
- * @returns {string}
- */
-function sanitizeString(value, maxLength = CONFIG.LIMITS.MAX_STRING_ARG) {
-  if (value === null || value === undefined) {
-    return '';
-  }
-  
-  const str = String(value);
-  return str.length > maxLength ? str.slice(0, maxLength) + '...[truncated]' : str;
-}
-
-/**
- * Validate array arguments
- * @param {*} arr - Array to validate
- * @param {number} maxItems - Maximum allowed items
- * @returns {any[]}
- */
-function sanitizeArray(arr, maxItems = CONFIG.LIMITS.MAX_ARRAY_ITEMS) {
-  if (!Array.isArray(arr)) {
-    return [];
-  }
-  return arr.slice(0, maxItems);
-}
-
-/**
- * Validate numeric arguments
- * @param {*} value - Value to validate
- * @param {number} min - Minimum value
- * @param {number} max - Maximum value
- * @param {number} defaultValue - Default if invalid
- * @returns {number}
- */
-function sanitizeNumber(value, min, max, defaultValue) {
-  const num = Number(value);
-  if (isNaN(num) || num < min || num > max) {
-    return defaultValue;
-  }
-  return num;
-}
-
-/**
- * Redact sensitive information from output
- * @param {string} text - Text to redact
- * @returns {string}
- */
-function redactSensitive(text) {
-  if (!text || typeof text !== 'string') {
-    return text;
-  }
-  
-  let result = text;
-  for (const pattern of CONFIG.SENSITIVE_PATTERNS) {
-    result = result.replace(pattern, '[REDACTED]');
-  }
-  return result;
-}
-
-/**
- * Truncate output to prevent memory issues
- * @param {string} text - Text to truncate
- * @param {number} maxLength - Maximum length
- * @returns {string}
- */
-function truncateOutput(text, maxLength = CONFIG.LIMITS.MAX_OUTPUT_LENGTH) {
-  if (!text || typeof text !== 'string') {
-    return '';
-  }
-  
-  if (text.length <= maxLength) {
-    return text;
-  }
-  
-  const truncated = text.slice(0, maxLength);
-  return truncated + `\n\n...[Output truncated at ${maxLength} characters]`;
-}
-
-// ============================================================================
-// HARDENING: Rate Limiting (Per-API-Key)
-// 
-// SECURITY FIX: Previous implementation used a global rate limit, allowing
-// a single attacker to exhaust the rate limit budget for ALL users.
-// Now we rate limit per-API-key hash to isolate abuse.
-// ============================================================================
-
-const rateLimitState = {
-  callsByKey: new Map(),  // Map<keyHash, timestamp[]>
-  globalCalls: [],        // Fallback for unauthenticated requests
-  cleanupInterval: null,
-  maxKeys: 10000,         // Prevent unbounded growth
-};
-
-/**
- * Hash API key for rate limit tracking (don't store raw keys)
- */
-function hashKeyForRateLimit(apiKey) {
-  if (!apiKey) return '__anonymous__';
-  const crypto = require('crypto');
-  return crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16);
-}
-
-/**
- * Cleanup expired rate limit entries
- */
-function cleanupRateLimitState() {
-  const now = Date.now();
-  const windowStart = now - CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS;
-  
-  // Clean per-key entries
-  for (const [keyHash, calls] of rateLimitState.callsByKey) {
-    const validCalls = calls.filter(t => t > windowStart);
-    if (validCalls.length === 0) {
-      rateLimitState.callsByKey.delete(keyHash);
-    } else {
-      rateLimitState.callsByKey.set(keyHash, validCalls);
-    }
-  }
-  
-  // Clean global calls
-  rateLimitState.globalCalls = rateLimitState.globalCalls.filter(t => t > windowStart);
-  
-  // Enforce max keys to prevent memory exhaustion
-  if (rateLimitState.callsByKey.size > rateLimitState.maxKeys) {
-    // Evict oldest keys (those with oldest last call)
-    const entries = Array.from(rateLimitState.callsByKey.entries());
-    entries.sort((a, b) => Math.max(...(a[1] || [0])) - Math.max(...(b[1] || [0])));
-    const toDelete = entries.slice(0, rateLimitState.callsByKey.size - rateLimitState.maxKeys);
-    for (const [key] of toDelete) {
-      rateLimitState.callsByKey.delete(key);
-    }
-  }
-}
-
-/**
- * Check rate limit for a specific API key
- * 
- * @param {string} apiKey - The API key (optional, falls back to global limit)
- * @returns {{ allowed: boolean, remaining: number, resetIn: number, keyHash?: string }}
- */
-function checkRateLimit(apiKey = null) {
-  const now = Date.now();
-  const windowStart = now - CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS;
-  const keyHash = hashKeyForRateLimit(apiKey);
-  
-  // Get or create call array for this key
-  let calls = rateLimitState.callsByKey.get(keyHash);
-  if (!calls) {
-    calls = [];
-    rateLimitState.callsByKey.set(keyHash, calls);
-  }
-  
-  // Clean old entries for this key
-  const validCalls = calls.filter(t => t > windowStart);
-  rateLimitState.callsByKey.set(keyHash, validCalls);
-  
-  // Determine limit based on authentication
-  // Anonymous gets stricter limit (10/min), authenticated gets full limit
-  const maxCalls = apiKey ? CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS : Math.min(10, CONFIG.LIMITS.RATE_LIMIT_MAX_CALLS);
-  const remaining = maxCalls - validCalls.length;
-  
-  if (remaining <= 0) {
-    const oldestCall = Math.min(...validCalls);
-    const resetIn = Math.max(0, (oldestCall + CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS) - now);
-    return { allowed: false, remaining: 0, resetIn, keyHash };
-  }
-  
-  // Record this call
-  validCalls.push(now);
-  
-  // Periodic cleanup (every ~100 calls)
-  if (Math.random() < 0.01) {
-    cleanupRateLimitState();
-  }
-  
-  return { allowed: true, remaining: remaining - 1, resetIn: CONFIG.LIMITS.RATE_LIMIT_WINDOW_MS, keyHash };
-}
-
-// ============================================================================
-// HARDENING: Circuit Breaker for API Integration
-// ============================================================================
-
-const circuitBreakerState = {
-  failures: 0,
-  lastFailureTime: 0,
-  state: 'CLOSED', // CLOSED = normal, OPEN = failing, HALF_OPEN = testing
-  failureThreshold: 5,
-  resetTimeout: 60000, // 1 minute
-};
-
-/**
- * Check if API calls should be allowed
- * @returns {{ allowed: boolean, reason?: string }}
- */
-function checkCircuitBreaker() {
-  const now = Date.now();
-  
-  // If circuit is open, check if we should attempt reset
-  if (circuitBreakerState.state === 'OPEN') {
-    if (now - circuitBreakerState.lastFailureTime >= circuitBreakerState.resetTimeout) {
-      circuitBreakerState.state = 'HALF_OPEN';
-      console.error('[MCP] Circuit breaker entering HALF_OPEN state - testing API');
-    } else {
-      return { 
-        allowed: false, 
-        reason: `Circuit breaker OPEN - API calls disabled for ${Math.ceil((circuitBreakerState.resetTimeout - (now - circuitBreakerState.lastFailureTime)) / 1000)}s`
-      };
-    }
-  }
-  
-  return { allowed: true };
-}
-
-/**
- * Record API call result
- * @param {boolean} success - Whether the API call succeeded
- */
-function recordApiResult(success) {
-  if (success) {
-    // Reset on success
-    if (circuitBreakerState.state === 'HALF_OPEN') {
-      console.error('[MCP] Circuit breaker CLOSED - API recovered');
-    }
-    circuitBreakerState.failures = 0;
-    circuitBreakerState.state = 'CLOSED';
-  } else {
-    circuitBreakerState.failures++;
-    circuitBreakerState.lastFailureTime = Date.now();
-    
-    if (circuitBreakerState.failures >= circuitBreakerState.failureThreshold) {
-      circuitBreakerState.state = 'OPEN';
-      console.error(`[MCP] Circuit breaker OPEN after ${circuitBreakerState.failures} failures - disabling API calls`);
-    }
-  }
-}
-
-// ============================================================================
-// HARDENING: Safe JSON Parsing
-// ============================================================================
-
-/**
- * Safely parse JSON with size limits
- * @param {string} text - JSON string to parse
- * @param {number} maxSize - Maximum allowed size in bytes
- * @returns {{ success: boolean, data?: any, error?: string }}
- */
-function safeJsonParse(text, maxSize = 5 * 1024 * 1024) {
-  if (!text || typeof text !== 'string') {
-    return { success: false, error: 'Invalid input' };
-  }
-  
-  if (text.length > maxSize) {
-    return { success: false, error: `JSON exceeds maximum size of ${maxSize} bytes` };
-  }
-  
-  try {
-    const data = JSON.parse(text);
-    return { success: true, data };
-  } catch (e) {
-    return { success: false, error: `JSON parse error: ${e.message}` };
-  }
-}
-
-const VERSION = CONFIG.VERSION;
-
-// Import intelligence tools
-import {
-  INTELLIGENCE_TOOLS,
-  handleIntelligenceTool,
-} from "./intelligence-tools.js";
-
-// Import AI vibecheck tools
-import {
-  VIBECHECK_TOOLS,
-  handleVibecheckTool,
-} from "./vibecheck-tools.js";
-
-// Import agent checkpoint tools
-import {
-  AGENT_CHECKPOINT_TOOLS,
-  handleCheckpointTool,
-} from "./agent-checkpoint.js";
-
-// Import architect tools
-import {
-  ARCHITECT_TOOLS,
-  handleArchitectTool,
-} from "./architect-tools.js";
-
-// Import authority system tools
-import {
-  AUTHORITY_TOOLS,
-  handleAuthorityTool,
-} from "./authority-tools.js";
-
-// Import codebase architect tools
-import {
-  CODEBASE_ARCHITECT_TOOLS,
-  handleCodebaseArchitectTool,
-} from "./codebase-architect-tools.js";
-
-// Import vibecheck 2.0 tools
-import {
-  VIBECHECK_2_TOOLS,
-  handleVibecheck2Tool,
-} from "./vibecheck-2.0-tools.js";
-
-// Import intent drift tools
-import {
-  intentDriftTools,
-} from "./intent-drift-tools.js";
-
-// Import audit trail for MCP
-import { emitToolInvoke, emitToolComplete } from "./audit-mcp.js";
-
-// Import MDC generator
-import { mdcGeneratorTool, handleMDCGeneration } from "./mdc-generator.js";
-
-// Import Truth Context tools (Evidence Pack / Truth Pack)
-import { TRUTH_CONTEXT_TOOLS, handleTruthContextTool } from "./truth-context.js";
-
-// Import Truth Firewall tools (Hallucination Stopper)
-import {
-  TRUTH_FIREWALL_TOOLS,
-  handleTruthFirewallTool,
-  hasRecentClaimValidation,
-  getContextAttribution,
-} from "./truth-firewall-tools.js";
-
-// Context attribution message
-const CONTEXT_ATTRIBUTION = "🧠 Context enhanced by vibecheck";
-
-// Import Consolidated Tools (15 focused tools - recommended surface)
-import { CONSOLIDATED_TOOLS, handleConsolidatedTool } from "./consolidated-tools.js";
-
-// Import v3 Tools (2-tier model: FREE tools for inspect & observe, PRO for fix/prove/enforce)
-import { MCP_TOOLS_V3, handleToolV3, TOOL_TIERS as V3_TOOL_TIERS } from "./tools-v3.js";
-
-// Import tier auth for entitlement checking
-import { getFeatureAccessStatus, getTierFromApiKey } from "./tier-auth.js";
-
-// Import new production modules
-const { 
-  validateToolInput, 
-  validateToolOutput, 
-  getToolTimeout,
-  getToolTier,
-} = require('./registry/tool-registry.js');
-const { 
-  executeWithEnvelope, 
-  createErrorEnvelope,
-  createSuccessEnvelope,
-} = require('./lib/error-envelope.js');
-const { rateLimiter } = require('./lib/rate-limiter.js');
-
-// Import Agent Firewall Interceptor - ENABLED BY DEFAULT
-// The Agent Firewall is the core gatekeeper that validates AI changes against reality
-import {
-  AGENT_FIREWALL_TOOL,
-  handleAgentFirewallIntercept,
-} from "./agent-firewall-interceptor.js";
-
-// Import Intent-Aware Firewall v2 - BLOCKING enforcement with intent alignment
-import {
-  INTENT_FIREWALL_TOOL,
-  handleIntentFirewallIntercept,
-  INTENT_STATUS_TOOL,
-  handleIntentStatus,
-} from "./intent-firewall-interceptor.js";
-
-// Import Conductor tools - Multi-Agent Coordination (Phase 2)
-import {
-  CONDUCTOR_TOOLS,
-  handleConductorToolCall,
-  getConductorTools,
-} from "./conductor/tools.js";
-
-/**
- * TRUTH FIREWALL CONFIGURATION
- * 
- * Tools that make assertions or change code MUST have recent claim validation.
- * Policy modes: strict (default for agents), balanced, permissive
- */
-const STRICT_GUARDRAIL_TOOLS = new Set([
-  "vibecheck.scan",
-  "vibecheck.ship",
-  "vibecheck.ctx",
-  "vibecheck.fix",
-  "vibecheck.prove",
-  "vibecheck.autopilot_apply",
-]);
-
-// Tools that modify code or make assertions - require truth firewall
-const CODE_CHANGING_TOOLS = new Set([
-  "vibecheck.fix",
-  "vibecheck.autopilot_apply",
-  "vibecheck.propose_patch",
-]);
-
-// Policy thresholds (aligned with proof-context.js EVIDENCE_SCHEMA)
-const POLICY_THRESHOLDS = {
-  strict: { minConfidence: 0.8, allowUnknown: false, requireValidation: true },
-  balanced: { minConfidence: 0.6, allowUnknown: false, requireValidation: true },
-  permissive: { minConfidence: 0.4, allowUnknown: true, requireValidation: false },
-};
-
-function getTruthPolicy(args) {
-  const policy = args?.policy || "strict";
-  return POLICY_THRESHOLDS[policy] ? policy : "strict";
-}
-
-function getPolicyConfig(policy) {
-  return POLICY_THRESHOLDS[policy] || POLICY_THRESHOLDS.strict;
-}
-
-/**
- * Emit guardrail metric to audit log.
- * 
- * SECURITY FIX: Previous implementation silently ignored all failures.
- * Now we log failures to stderr for security monitoring - an attacker
- * filling disk or manipulating permissions would have gone undetected.
- */
-async function emitGuardrailMetric(projectPath, metric) {
-  try {
-    const auditDir = path.join(projectPath, ".vibecheck", "audit");
-    await fs.mkdir(auditDir, { recursive: true });
-    const record = JSON.stringify({ ...metric, timestamp: new Date().toISOString() });
-    await fs.appendFile(path.join(auditDir, "guardrail-metrics.jsonl"), `${record}\n`);
-  } catch (err) {
-    // SECURITY: Log failures - silent failure could hide attacks
-    // (e.g., attacker fills disk to prevent audit logging)
-    console.error(`[SECURITY] Guardrail metric write failed: ${err.message}`);
-    console.error(`[SECURITY] Failed metric: ${JSON.stringify(metric)}`);
-    
-    // Attempt fallback to stderr-only logging for critical metrics
-    if (metric.event === 'truth_firewall_block' || metric.event === 'security_violation') {
-      console.error(`[SECURITY-CRITICAL] ${metric.event}: ${JSON.stringify(metric)}`);
-    }
-  }
-}
-
-/**
- * Check if a code-changing tool should be blocked due to missing validation.
- * Returns { blocked: boolean, reason?: string, suggestion?: string }
- */
-function checkTruthFirewallBlock(toolName, args, projectPath) {
-  const policy = getTruthPolicy(args);
-  const policyConfig = getPolicyConfig(policy);
-  
-  // Skip validation check if permissive mode and validation not required
-  if (!policyConfig.requireValidation) {
-    return { blocked: false };
-  }
-  
-  // Check if this is a code-changing tool that requires validation
-  if (!CODE_CHANGING_TOOLS.has(toolName) && !STRICT_GUARDRAIL_TOOLS.has(toolName)) {
-    return { blocked: false };
-  }
-  
-  // Check for recent claim validation
-  if (!hasRecentClaimValidation(projectPath)) {
-    return {
-      blocked: true,
-      reason: `Truth firewall requires claim validation before ${toolName}`,
-      code: "TRUTH_FIREWALL_REQUIRED",
-      suggestion: "Call vibecheck.validate_claim or vibecheck.get_truthpack before proceeding",
-      nextSteps: [
-        "Call vibecheck.get_truthpack with refresh=true for current evidence",
-        "Call vibecheck.validate_claim for critical assumptions",
-        `Re-run ${toolName} after validation`,
-      ],
-    };
-  }
-  
-  return { blocked: false };
-}
-
-// ============================================================================
-// TOOL DEFINITIONS - Public Tools (Clean Product Surface)
-// ============================================================================
-
-// ============================================================================
-// TOOL REGISTRATION - V3 Tools Only (2-tier: FREE / PRO)
-// ============================================================================
-// V3 tools are the canonical tool surface with 2-tier model:
-// - FREE (10 tools): Inspect & Observe
-// - PRO (15 tools): Fix, Prove & Enforce (includes Authority, Conductor, Firewall)
-
-const TOOLS = [
-  // V3 tools include all FREE and PRO tools
-  // Authority, Conductor, and Agent Firewall are included in MCP_TOOLS_V3
-  ...MCP_TOOLS_V3,
-].filter(t => t !== null);
-
-// Legacy tool definitions removed - V3 is the only supported mode
-// All tools are now defined in tools-v3.js
-
-
-
-// ============================================================================
-// SERVER IMPLEMENTATION
-// ============================================================================
-
-class VibecheckMCP {
-  constructor() {
-    this.server = new Server(
-      { name: "vibecheck", version: VERSION },
-      { capabilities: { tools: {}, resources: {} } },
-    );
-    this.toolRegistry = this.buildToolRegistry();
-    this.setupHandlers();
-  }
-
-  // ============================================================================
-  // TOOL REGISTRY - Maps tool names to handlers for cleaner dispatch
-  // HARDENING: Validates all handlers are functions
-  // ============================================================================
-  buildToolRegistry() {
-    const registry = {};
-    
-    // Helper to safely add handler with validation
-    const addHandler = (name, handler) => {
-      if (typeof handler !== 'function') {
-        console.error(`[MCP] Warning: Tool ${name} handler is not a function`);
-        return;
-      }
-      registry[name] = handler;
-    };
-    
-    // Agent Firewall - intercepts file writes (if available)
-    if (handleAgentFirewallIntercept && typeof handleAgentFirewallIntercept === 'function') {
-      addHandler("vibecheck_agent_firewall_intercept", handleAgentFirewallIntercept);
-    }
-    
-    // Intent-Aware Firewall v2 - blocking enforcement with intent alignment
-    if (handleIntentFirewallIntercept && typeof handleIntentFirewallIntercept === 'function') {
-      addHandler("vibecheck_intent_firewall_intercept", handleIntentFirewallIntercept);
-    }
-    if (handleIntentStatus && typeof handleIntentStatus === 'function') {
-      addHandler("vibecheck_intent_status", handleIntentStatus);
-    }
-    
-    // Conductor - multi-agent coordination tools
-    addHandler("vibecheck_conductor_register", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_register", args, projectPath));
-    addHandler("vibecheck_conductor_acquire_lock", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_acquire_lock", args, projectPath));
-    addHandler("vibecheck_conductor_release_lock", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_release_lock", args, projectPath));
-    addHandler("vibecheck_conductor_propose", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_propose", args, projectPath));
-    addHandler("vibecheck_conductor_status", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_status", args, projectPath));
-    addHandler("vibecheck_conductor_terminate", (projectPath, args) => handleConductorToolCall("vibecheck_conductor_terminate", args, projectPath));
-    
-    // Core CLI tools
-    addHandler("vibecheck.ship", this.handleShip.bind(this));
-    addHandler("vibecheck.scan", this.handleScan.bind(this));
-    addHandler("vibecheck.verify", this.handleVerify.bind(this));
-    addHandler("vibecheck.reality", this.handleReality.bind(this));
-    addHandler("vibecheckai.dev-test", this.handleAITest.bind(this));
-    addHandler("vibecheck.gate", this.handleGate.bind(this));
-    addHandler("vibecheck.fix", this.handleFix.bind(this));
-    addHandler("vibecheck.share", this.handleShare.bind(this));
-    addHandler("vibecheck.ctx", this.handleCtx.bind(this));
-    addHandler("vibecheck.prove", this.handleProve.bind(this));
-    addHandler("vibecheck.proof", this.handleProof.bind(this));
-    addHandler("vibecheck.validate", this.handleValidate.bind(this));
-    addHandler("vibecheck.report", this.handleReport.bind(this));
-    addHandler("vibecheck.status", this.handleStatus.bind(this));
-    addHandler("vibecheck.autopilot", this.handleAutopilot.bind(this));
-    addHandler("vibecheck.autopilot_plan", this.handleAutopilotPlan.bind(this));
-    addHandler("vibecheck.autopilot_apply", this.handleAutopilotApply.bind(this));
-    addHandler("vibecheck.badge", this.handleBadge.bind(this));
-    addHandler("vibecheck.context", this.handleContext.bind(this));
-    
-    console.error(`[MCP] Tool registry built with ${Object.keys(registry).length} handlers`);
-    return registry;
-  }
-
-  // ============================================================================
-  // CLI RUNNER - Secure, async execution with array args (prevents injection)
-  // ============================================================================
-  async runCLI(command, args = [], cwd, options = {}) {
-    const {
-      env = {},
-      timeout = CONFIG.TIMEOUTS.DEFAULT,
-      skipAuth = true,
-    } = options;
-
-    // ========================================================================
-    // HARDENING: Validate command
-    // ========================================================================
-    const sanitizedCommand = sanitizeString(command, 50);
-    if (!sanitizedCommand || !/^[a-z0-9_-]+$/i.test(sanitizedCommand)) {
-      throw new Error(`Invalid CLI command: ${sanitizedCommand}`);
-    }
-    
-    // ========================================================================
-    // HARDENING: Validate and sanitize arguments
-    // ========================================================================
-    const sanitizedArgs = sanitizeArray(args, 50).map(arg => {
-      const str = String(arg);
-      // Validate argument format (must be simple flags or values)
-      if (str.length > 1000) {
-        return str.slice(0, 1000);
-      }
-      return str;
-    });
-
-    // ========================================================================
-    // HARDENING: Validate working directory
-    // ========================================================================
-    const resolvedCwd = path.resolve(cwd || process.cwd());
-    if (!fsSync.existsSync(resolvedCwd)) {
-      throw new Error(`Working directory does not exist: ${resolvedCwd}`);
-    }
-
-    // Build argument array - this prevents command injection
-    const finalArgs = [CONFIG.BIN_PATH, sanitizedCommand, ...sanitizedArgs];
-
-    // ========================================================================
-    // HARDENING: Clean environment - don't leak sensitive vars
-    // ========================================================================
-    const safeEnv = { ...process.env };
-    // Remove potentially sensitive env vars from being passed through
-    const sensitiveEnvKeys = ['AWS_SECRET_ACCESS_KEY', 'STRIPE_SECRET_KEY', 'DATABASE_URL'];
-    for (const key of sensitiveEnvKeys) {
-      if (safeEnv[key] && !env[key]) {
-        // Only remove if not explicitly set in options
-        delete safeEnv[key];
-      }
-    }
-
-    const execEnv = {
-      ...safeEnv,
-      ...CONFIG.ENV_DEFAULTS,
-      ...(skipAuth ? { VIBECHECK_SKIP_AUTH: "1" } : {}),
-      ...env,
-      // Ensure Node.js doesn't prompt for anything
-      NODE_NO_READLINE: "1",
-      FORCE_COLOR: "0",
-    };
-
-    // ========================================================================
-    // HARDENING: Bounded timeout
-    // ========================================================================
-    const boundedTimeout = sanitizeNumber(timeout, 1000, 900000, CONFIG.TIMEOUTS.DEFAULT);
-
-    try {
-      const { stdout, stderr } = await execFileAsync(process.execPath, finalArgs, {
-        cwd: resolvedCwd,
-        encoding: "utf8",
-        maxBuffer: CONFIG.MAX_BUFFER,
-        timeout: boundedTimeout,
-        env: execEnv,
-        // Don't inherit stdin - prevents hanging
-        stdio: ['ignore', 'pipe', 'pipe'],
-      });
-      
-      // Sanitize output before returning
-      return { 
-        stdout: redactSensitive(truncateOutput(stdout || '')), 
-        stderr: redactSensitive(truncateOutput(stderr || '')), 
-        success: true 
-      };
-    } catch (error) {
-      // Attach partial output for graceful degradation (sanitized)
-      error.partialOutput = redactSensitive(truncateOutput(error.stdout || ''));
-      error.partialStderr = redactSensitive(truncateOutput(error.stderr || ''));
-      
-      // Add helpful error code for timeout
-      if (error.killed && error.signal === 'SIGTERM') {
-        error.code = 'TIMEOUT';
-        error.message = `Command timed out after ${boundedTimeout}ms`;
-      }
-      
-      throw error;
-    }
-  }
-
-  // ============================================================================
-  // HARDENED UTILITY HELPERS
-  // ============================================================================
-  
-  /**
-   * Strip ANSI escape codes from output with length validation
-   * @param {string} str - String to strip
-   * @returns {string}
-   */
-  stripAnsi(str) {
-    if (!str || typeof str !== 'string') {
-      return '';
-    }
-    
-    // Truncate first to prevent DoS on very long strings
-    const truncated = str.length > CONFIG.LIMITS.MAX_OUTPUT_LENGTH 
-      ? str.slice(0, CONFIG.LIMITS.MAX_OUTPUT_LENGTH) 
-      : str;
-    
-    return truncated.replace(/\x1b\[[0-9;]*m/g, "");
-  }
-
-  /**
-   * Parse summary from disk with size limits and validation
-   * @param {string} projectPath - Project root path
-   * @returns {Promise<object|null>} Parsed summary or null
-   */
-  async parseSummaryFromDisk(projectPath) {
-    const summaryPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "summary.json");
-    
-    try {
-      // Check file size first
-      const stats = await fs.stat(summaryPath);
-      if (stats.size > 5 * 1024 * 1024) { // 5MB limit
-        console.error(`[MCP] Summary file too large: ${stats.size} bytes`);
-        return null;
-      }
-      
-      const content = await fs.readFile(summaryPath, "utf-8");
-      const parsed = safeJsonParse(content);
-      
-      if (!parsed.success) {
-        console.error(`[MCP] Invalid summary JSON: ${parsed.error}`);
-        return null;
-      }
-      
-      return parsed.data;
-    } catch (err) {
-      // Silent fail - this is for graceful degradation
-      return null;
-    }
-  }
-
-  /**
-   * Format scan output from summary object with validation
-   * @param {object} summary - Summary object
-   * @param {string} projectPath - Project root path
-   * @returns {string}
-   */
-  formatScanOutput(summary, projectPath) {
-    if (!summary || typeof summary !== 'object') {
-      return '## Error: Invalid summary data\n';
-    }
-    
-    // Safely extract values with defaults
-    const score = sanitizeNumber(summary.score, 0, 100, 0);
-    const grade = sanitizeString(summary.grade, 10) || 'N/A';
-    const canShip = Boolean(summary.canShip);
-    
-    let output = `## Score: ${score}/100 (${grade})\n\n`;
-    output += `**Verdict:** ${canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n\n`;
-
-    if (summary.counts && typeof summary.counts === 'object') {
-      output += "### Checks\n\n";
-      output += "| Category | Issues |\n|----------|--------|\n";
-      
-      // Limit to 50 categories to prevent output bloat
-      const entries = Object.entries(summary.counts).slice(0, 50);
-      for (const [key, count] of entries) {
-        const safeKey = sanitizeString(key, 50);
-        const safeCount = sanitizeNumber(count, 0, 999999, 0);
-        const icon = safeCount === 0 ? "✅" : "⚠️";
-        output += `| ${icon} ${safeKey} | ${safeCount} |\n`;
-      }
-    }
-
-    output += `\n📄 **Report:** ${CONFIG.OUTPUT_DIR}/report.html\n`;
-    return output;
-  }
-  
-  /**
-   * Safely read a file with size limits
-   * @param {string} filePath - Path to file
-   * @param {number} maxSize - Maximum file size in bytes
-   * @returns {Promise<string|null>} File contents or null
-   */
-  async safeReadFile(filePath, maxSize = 10 * 1024 * 1024) {
-    try {
-      const stats = await fs.stat(filePath);
-      
-      if (stats.size > maxSize) {
-        console.error(`[MCP] File too large: ${filePath} (${stats.size} bytes)`);
-        return null;
-      }
-      
-      const content = await fs.readFile(filePath, "utf-8");
-      return content;
-    } catch (err) {
-      return null;
-    }
-  }
-
-  setupHandlers() {
-    // List tools
-    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
-      tools: TOOLS,
-    }));
-
-    // Call tool - main dispatch handler
-    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
-      const startTime = Date.now();
-      let toolName = 'unknown';
-      let projectPath = '.';
-      
-      try {
-        // ====================================================================
-        // HARDENING: Input extraction with validation
-        // ====================================================================
-        const params = request?.params;
-        if (!params || typeof params !== 'object') {
-          return this.error('Invalid request: missing params', { code: 'INVALID_REQUEST' });
-        }
-        
-        toolName = sanitizeString(params.name, 100);
-        const args = params.arguments && typeof params.arguments === 'object' ? params.arguments : {};
-        
-        // Validate tool name
-        if (!toolName || toolName.length < 2) {
-          return this.error('Invalid tool name', { code: 'INVALID_TOOL_NAME' });
-        }
-        
-        // ====================================================================
-        // HARDENING: Rate limiting (per-API-key)
-        // ====================================================================
-        const apiKey = args?.apiKey || null;
-        const rateCheck = checkRateLimit(apiKey);
-        if (!rateCheck.allowed) {
-          return this.error(`Rate limit exceeded. Try again in ${Math.ceil(rateCheck.resetIn / 1000)} seconds`, {
-            code: 'RATE_LIMIT_EXCEEDED',
-            suggestion: 'Reduce the frequency of tool calls',
-            nextSteps: [`Wait ${Math.ceil(rateCheck.resetIn / 1000)} seconds before retrying`],
-          });
-        }
-        
-        // ====================================================================
-        // HARDENING: Project path validation
-        // ====================================================================
-        const rawProjectPath = args?.projectPath || '.';
-        const pathValidation = sanitizePath(rawProjectPath, process.cwd());
-        
-        if (!pathValidation.valid) {
-          return this.error(pathValidation.error, {
-            code: 'INVALID_PATH',
-            suggestion: 'Provide a valid path within the current working directory',
-          });
-        }
-        projectPath = pathValidation.path;
-
-        // Emit audit event for tool invocation start
-        // SECURITY: Include apiKey hash for audit trail (never log raw key)
-        try {
-          const crypto = require('crypto');
-          const apiKeyHash = apiKey 
-            ? crypto.createHash('sha256').update(apiKey).digest('hex').slice(0, 16)
-            : 'anonymous';
-          
-          emitToolInvoke(toolName, args, "success", { 
-            projectPath,
-            apiKeyHash,
-            rateLimit: rateCheck,
-            timestamp: new Date().toISOString(),
-          });
-        } catch {
-          // Audit logging should never break the tool
-        }
-
-        // ====================================================================
-        // HARDENING: Truth firewall check with error handling
-        // ====================================================================
-        let firewallCheck = { blocked: false };
-        try {
-          firewallCheck = checkTruthFirewallBlock(toolName, args, projectPath);
-        } catch (firewallError) {
-          console.error(`[MCP] Firewall check error: ${firewallError.message}`);
-          // Continue - don't block on firewall errors
-        }
-        
-        if (firewallCheck.blocked) {
-          const policy = getTruthPolicy(args);
-          try {
-            await emitGuardrailMetric(projectPath, {
-              event: "truth_firewall_block",
-              tool: toolName,
-              policy,
-              reason: firewallCheck.code || "no_recent_claim_validation",
-            });
-          } catch {
-            // Metrics should never break the tool
-          }
-          return this.error(firewallCheck.reason, {
-            code: firewallCheck.code,
-            suggestion: firewallCheck.suggestion,
-            nextSteps: firewallCheck.nextSteps || [],
-          });
-        }
-        
-        // Handle v3 tools (2-tier: FREE/PRO aligned with CLI entitlements)
-        if (USE_V3_TOOLS && V3_TOOL_TIERS[toolName]) {
-          // ================================================================
-          // PRODUCTION HARDENING: Integrated validation, rate limiting, timeout
-          // ================================================================
-          
-          // 1. Get user tier from API key (never trust client-provided tier)
-          const { getMcpToolAccess } = await import('./tier-auth.js');
-          const access = await getMcpToolAccess(toolName, apiKey, args);
-          const userTier = access.tier || 'free';
-          
-          // 2. Check per-user rate limit
-          const userId = apiKey ? hashKeyForRateLimit(apiKey) : '__anonymous__';
-          const rateCheck = rateLimiter.check(userId, userTier);
-          if (!rateCheck.allowed) {
-            const errorEnvelope = createErrorEnvelope(
-              'RATE_LIMITED',
-              `Rate limit exceeded. Try again in ${rateCheck.retryAfter} seconds`,
-              { retryAfter: rateCheck.retryAfter, limit: rateCheck.limit }
-            );
-            return this.error(errorEnvelope.error.message, {
-              code: errorEnvelope.error.code,
-              retryAfter: rateCheck.retryAfter,
-            });
-          }
-          
-          // 3. Validate input schema
-          const validation = validateToolInput(toolName, args);
-          if (!validation.valid) {
-            const errorEnvelope = createErrorEnvelope(
-              'VALIDATION_ERROR',
-              'Invalid tool input',
-              { errors: validation.errors }
-            );
-            return this.error(errorEnvelope.error.message, {
-              code: errorEnvelope.error.code,
-              errors: validation.errors,
-            });
-          }
-          
-          // 4. Check tier access (already done above, but ensure it's checked)
-          if (!access.hasAccess) {
-            return this.error(access.error?.message || 'Access denied', {
-              code: access.error?.code || 'TIER_REQUIRED',
-              tier: access.tier,
-              required: access.error?.required,
-            });
-          }
-          
-          // 5. Execute with timeout and cancellation support
-          const timeout = getToolTimeout(toolName);
-          const controller = new AbortController();
-          
-          // Register job for cancellation (if needed)
-          const jobId = `${toolName}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
-          if (typeof global !== 'undefined') {
-            if (!global.activeJobs) global.activeJobs = new Map();
-            global.activeJobs.set(jobId, controller);
-          }
-          
-          try {
-            const result = await executeWithEnvelope(
-              toolName,
-              async (signal) => {
-                return await handleToolV3(toolName, args, { 
-                  tier: userTier,
-                  signal, // Pass abort signal to tool handler
-                });
-              },
-              { timeout }
-            );
-            
-            // Cleanup job registration
-            if (typeof global !== 'undefined' && global.activeJobs) {
-              global.activeJobs.delete(jobId);
-            }
-            
-            // 6. Validate output schema (warn on mismatch, don't fail)
-            const outputValidation = validateToolOutput(toolName, result.data || result);
-            if (!outputValidation.valid) {
-              console.warn(`[MCP] Tool ${toolName} output validation warnings:`, outputValidation.errors);
-            }
-            
-            // 7. Return sanitized output
-            const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-            return {
-              content: [{ type: "text", text: outputText }],
-            };
-          } catch (error) {
-            // Cleanup on error
-            if (typeof global !== 'undefined' && global.activeJobs) {
-              global.activeJobs.delete(jobId);
-            }
-            throw error;
-          }
-        }
-        
-        // 1. Check tool registry first (local CLI handlers)
-        if (this.toolRegistry[toolName]) {
-          return await this.toolRegistry[toolName](projectPath, args);
-        }
-
-        // 2. Handle external module tools by prefix/pattern
-        if (toolName.startsWith("vibecheck.intelligence.")) {
-          return await handleIntelligenceTool(toolName, args, __dirname);
-        }
-
-        // Handle AI vibecheck tools
-        if (["vibecheck.verify", "vibecheck.quality", "vibecheck.smells", 
-             "vibecheck.hallucination", "vibecheck.breaking", "vibecheck.mdc", 
-             "vibecheck.coverage"].includes(toolName)) {
-          const result = await handleVibecheckTool(toolName, args);
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-          return {
-            content: [{ type: "text", text: outputText }],
-          };
-        }
-
-        // Handle agent checkpoint tools
-        if (["vibecheck_checkpoint", "vibecheck_set_strictness", "vibecheck_checkpoint_status"].includes(toolName)) {
-          return await handleCheckpointTool(toolName, args);
-        }
-
-        // Handle architect tools
-        if (["vibecheck_architect_review", "vibecheck_architect_suggest", 
-             "vibecheck_architect_patterns", "vibecheck_architect_set_strictness"].includes(toolName)) {
-          return await handleArchitectTool(toolName, args);
-        }
-
-        // Handle authority system tools
-        if (["authority.classify", "authority.approve", "authority.list"].includes(toolName)) {
-          const result = await handleAuthorityTool(toolName, args, userTier || "free");
-          const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-          return {
-            content: [{ type: "text", text: outputText }],
-          };
-        }
-
-        // Handle codebase architect tools
-        if (["vibecheck_architect_context", "vibecheck_architect_guide",
-             "vibecheck_architect_validate", "vibecheck_architect_patterns",
-             "vibecheck_architect_dependencies"].includes(toolName)) {
-          return await handleCodebaseArchitectTool(toolName, args);
-        }
-
-        // Handle vibecheck 2.0 tools
-        if (["checkpoint", "check", "ship", "fix", "status", "set_strictness"].includes(toolName)) {
-          return await handleVibecheck2Tool(toolName, args, __dirname);
-        }
-
-        // Handle intent drift tools
-        if (toolName.startsWith("vibecheck_intent_")) {
-          const tool = intentDriftTools.find(t => t.name === toolName);
-          if (tool && tool.handler) {
-            const result = await tool.handler(args);
-            const outputText = truncateOutput(redactSensitive(JSON.stringify(result, null, 2)));
-            return {
-              content: [{ type: "text", text: outputText }],
-            };
-          }
-        }
-
-        // Handle MDC generator
-        if (toolName === "generate_mdc") {
-          return await handleMDCGeneration(args);
-        }
-
-        // Handle Truth Context tools (Evidence Pack / Truth Pack)
-        if (["vibecheck.verify_claim", "vibecheck.evidence"].includes(toolName)) {
-          return await handleTruthContextTool(toolName, args);
-        }
-
-        // Handle Truth Firewall tools (Hallucination Stopper)
-        if (["vibecheck.get_truthpack", "vibecheck.validate_claim", "vibecheck.compile_context",
-             "vibecheck.search_evidence", "vibecheck.find_counterexamples", "vibecheck.propose_patch",
-             "vibecheck.check_invariants", "vibecheck.add_assumption"].includes(toolName)) {
-          return await handleTruthFirewallTool(toolName, args, projectPath);
-        }
-
-        return this.error(`Unknown tool: ${toolName}`, {
-          code: 'UNKNOWN_TOOL',
-          suggestion: 'Check the tool name and try again',
-          nextSteps: ['Use vibecheck.status to see available tools'],
-        });
-      } catch (err) {
-        // ====================================================================
-        // HARDENING: Enhanced error handling with sanitization
-        // ====================================================================
-        const durationMs = Date.now() - startTime;
-        const errorMessage = sanitizeString(err?.message || 'Unknown error', 500);
-        
-        // Emit audit event for tool error (safely)
-        try {
-          emitToolComplete(toolName, "error", { 
-            errorMessage: redactSensitive(errorMessage),
-            durationMs,
-          });
-        } catch {
-          // Audit logging should never break the response
-        }
-        
-        // Log error details to stderr (not stdout - preserves MCP protocol)
-        console.error(`[MCP] Tool ${toolName} failed after ${durationMs}ms: ${errorMessage}`);
-        
-        return this.error(`${toolName} failed: ${redactSensitive(errorMessage)}`, {
-          code: err?.code || 'TOOL_ERROR',
-          suggestion: 'Check the error message and try again',
-          nextSteps: [
-            'Verify the tool arguments are correct',
-            'Check that the project path is valid',
-            'Try running with simpler arguments first',
-          ],
-        });
-      }
-    });
-
-    // Resources
-    this.server.setRequestHandler(ListResourcesRequestSchema, async () => ({
-      resources: [
-        {
-          uri: "vibecheck://config",
-          name: "vibecheck Config",
-          description: "Project vibecheck configuration",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://summary",
-          name: "Last Scan Summary",
-          description: "Most recent scan results and verdict",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://truthpack",
-          name: "Truth Pack",
-          description: "Ground truth: routes, env, auth, billing",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://missions",
-          name: "Fix Missions",
-          description: "Latest mission pack for AI-powered fixes",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://reality",
-          name: "Reality Results",
-          description: "Last runtime verification results",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://findings",
-          name: "All Findings",
-          description: "Complete list of detected issues",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://share",
-          name: "Share Pack",
-          description: "Latest fix missions share bundle for PR/review",
-          mimeType: "application/json",
-        },
-        {
-          uri: "vibecheck://prove",
-          name: "Prove Report",
-          description: "Last prove loop results (ctx → reality → ship → fix)",
-          mimeType: "application/json",
-        },
-      ],
-    }));
-
-    this.server.setRequestHandler(
-      ReadResourceRequestSchema,
-      async (request) => {
-        // ====================================================================
-        // HARDENING: Resource request validation
-        // ====================================================================
-        const uri = sanitizeString(request?.params?.uri, 200);
-        if (!uri || !uri.startsWith('vibecheck://')) {
-          return { contents: [{ uri: uri || '', mimeType: "application/json", text: '{"error": "Invalid resource URI"}' }] };
-        }
-        
-        const projectPath = process.cwd();
-        
-        // Helper to safely read and return JSON resource
-        const safeReadResource = async (filePath, defaultMessage) => {
-          try {
-            const content = await fs.readFile(filePath, "utf-8");
-            // Validate JSON and sanitize
-            const parsed = safeJsonParse(content);
-            if (!parsed.success) {
-              return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ error: "Invalid JSON in resource file" }) }] };
-            }
-            // Redact any sensitive data and truncate
-            const sanitized = redactSensitive(truncateOutput(content, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
-            return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-          } catch {
-            return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ message: defaultMessage }) }] };
-          }
-        };
-
-        if (uri === "vibecheck://config") {
-          const configPath = path.join(projectPath, "vibecheck.config.json");
-          try {
-            const content = await fs.readFile(configPath, "utf-8");
-            // Redact sensitive config values
-            const sanitized = redactSensitive(truncateOutput(content, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
-            return {
-              contents: [{ uri, mimeType: "application/json", text: sanitized }],
-            };
-          } catch {
-            return {
-              contents: [{ uri, mimeType: "application/json", text: "{}" }],
-            };
-          }
-        }
-
-        if (uri === "vibecheck://summary") {
-          const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-          return await safeReadResource(summaryPath, "No scan found. Run vibecheck.scan first.");
-        }
-
-        if (uri === "vibecheck://truthpack") {
-          const truthpackPath = path.join(projectPath, ".vibecheck", "truth", "truthpack.json");
-          return await safeReadResource(truthpackPath, "No truthpack. Run vibecheck.ctx first.");
-        }
-
-        if (uri === "vibecheck://missions") {
-          const missionsDir = path.join(projectPath, ".vibecheck", "missions");
-          try {
-            // HARDENING: Validate directory read
-            const dirs = await fs.readdir(missionsDir);
-            const safeDirs = sanitizeArray(dirs, 100).filter(d => typeof d === 'string' && d.length > 0);
-            const latest = safeDirs.sort().reverse()[0];
-            
-            if (latest) {
-              const missionPath = path.join(missionsDir, latest, "missions.json");
-              return await safeReadResource(missionPath, "No missions found in latest directory.");
-            }
-          } catch (err) {
-            console.error(`[MCP] Error reading missions: ${err.message}`);
-          }
-          return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No missions. Run vibecheck.fix first."}' }] };
-        }
-
-        if (uri === "vibecheck://reality") {
-          const realityPath = path.join(projectPath, ".vibecheck", "reality", "last_reality.json");
-          return await safeReadResource(realityPath, "No reality results. Run vibecheck verify first.");
-        }
-
-        if (uri === "vibecheck://findings") {
-          const findingsPath = path.join(projectPath, ".vibecheck", "findings.json");
-          
-          // Try primary findings file
-          const content = await this.safeReadFile(findingsPath, 10 * 1024 * 1024);
-          if (content) {
-            const parsed = safeJsonParse(content);
-            if (parsed.success) {
-              const sanitized = redactSensitive(truncateOutput(content));
-              return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-            }
-          }
-          
-          // HARDENING: Try summary.json as fallback with size limits
-          const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-          const summaryContent = await this.safeReadFile(summaryPath, 10 * 1024 * 1024);
-          
-          if (summaryContent) {
-            const parsed = safeJsonParse(summaryContent);
-            if (parsed.success && parsed.data.findings) {
-              const findings = sanitizeArray(parsed.data.findings, 1000);
-              return { contents: [{ uri, mimeType: "application/json", text: JSON.stringify({ findings }, null, 2) }] };
-            }
-          }
-          
-          return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No findings. Run vibecheck.scan first."}' }] };
-        }
-
-        if (uri === "vibecheck://share") {
-          const missionsDir = path.join(projectPath, ".vibecheck", "missions");
-          try {
-            // HARDENING: Safe directory read
-            const dirs = await fs.readdir(missionsDir);
-            const safeDirs = sanitizeArray(dirs, 100).filter(d => typeof d === 'string' && d.length > 0);
-            const latest = safeDirs.sort().reverse()[0];
-            
-            if (latest) {
-              const sharePath = path.join(missionsDir, latest, "share", "share.json");
-              
-              // Try share.json first
-              const shareContent = await this.safeReadFile(sharePath, 10 * 1024 * 1024);
-              if (shareContent) {
-                const parsed = safeJsonParse(shareContent);
-                if (parsed.success) {
-                  const sanitized = redactSensitive(truncateOutput(shareContent));
-                  return { contents: [{ uri, mimeType: "application/json", text: sanitized }] };
-                }
-              }
-              
-              // HARDENING: Fallback to missions.json with safe read
-              const missionPath = path.join(missionsDir, latest, "missions.json");
-              return await safeReadResource(missionPath, "No share data available in latest mission.");
-            }
-          } catch (err) {
-            console.error(`[MCP] Error reading share pack: ${err.message}`);
-          }
-          return { contents: [{ uri, mimeType: "application/json", text: '{"message": "No share pack. Run vibecheck.fix --share first."}' }] };
-        }
-
-        if (uri === "vibecheck://prove") {
-          const provePath = path.join(projectPath, ".vibecheck", "prove", "last_prove.json");
-          return await safeReadResource(provePath, "No prove results. Run vibecheck.prove first.");
-        }
-
-        return { 
-          contents: [{ 
-            uri, 
-            mimeType: "application/json", 
-            text: JSON.stringify({ error: "Unknown resource URI" }) 
-          }] 
-        };
-      },
-    );
-  }
-
-  // ============================================================================
-  // HARDENED HELPERS
-  // ============================================================================
-  
-  /**
-   * Return a successful response with sanitization
-   * @param {string} text - Response text
-   * @param {boolean} includeAttribution - Include vibecheck attribution
-   * @returns {object} MCP response
-   */
-  success(text, includeAttribution = true) {
-    // Sanitize output: redact secrets and truncate
-    let sanitized = redactSensitive(sanitizeString(text, CONFIG.LIMITS.MAX_OUTPUT_LENGTH));
-    
-    const finalText = includeAttribution 
-      ? `${sanitized}\n\n---\n_${CONTEXT_ATTRIBUTION}_`
-      : sanitized;
-    
-    return { content: [{ type: "text", text: finalText }] };
-  }
-
-  /**
-   * Return an error response with sanitization
-   * @param {string} text - Error message
-   * @param {object} options - Additional options
-   * @returns {object} MCP error response
-   */
-  error(text, options = {}) {
-    const { code, suggestion, nextSteps = [] } = options;
-    
-    // Sanitize all text inputs
-    const sanitizedText = redactSensitive(sanitizeString(text, 1000));
-    const sanitizedSuggestion = suggestion ? redactSensitive(sanitizeString(suggestion, 500)) : null;
-    const sanitizedSteps = sanitizeArray(nextSteps, 10).map(s => sanitizeString(s, 200));
-    
-    let errorText = `❌ ${sanitizedText}`;
-    
-    if (code) {
-      errorText += `\n\n**Error Code:** \`${sanitizeString(code, 50)}\``;
-    }
-    
-    if (sanitizedSuggestion) {
-      errorText += `\n\n💡 **Suggestion:** ${sanitizedSuggestion}`;
-    }
-    
-    if (sanitizedSteps.length > 0) {
-      errorText += `\n\n**Next Steps:**\n`;
-      sanitizedSteps.forEach((step, i) => {
-        errorText += `${i + 1}. ${step}\n`;
-      });
-    }
-    
-    return { content: [{ type: "text", text: errorText }], isError: true };
-  }
-
-  // Validate project path exists and is accessible (sync for simple validation)
-  validateProjectPath(projectPath) {
-    try {
-      const stats = fsSync.statSync(projectPath);
-      if (!stats.isDirectory()) {
-        return { 
-          valid: false, 
-          error: `Path is not a directory: ${projectPath}`,
-          suggestion: "Provide a directory path, not a file",
-          nextSteps: [
-            "Check the path you provided",
-            "Ensure it points to a project directory",
-          ],
-        };
-      }
-      return { valid: true };
-    } catch (e) {
-      return { 
-        valid: false, 
-        error: `Cannot access path: ${projectPath}`,
-        code: e.code || "PATH_ACCESS_ERROR",
-        suggestion: "Check that the path exists and you have read permissions",
-        nextSteps: [
-          "Verify the path is correct",
-          "Check file permissions",
-          "Ensure the directory exists",
-        ],
-      };
-    }
-  }
-
-  // ============================================================================
-  // SCAN
-  // ============================================================================
-  async handleScan(projectPath, args) {
-    // Validate project path first
-    const validation = this.validateProjectPath(projectPath);
-    if (!validation.valid) {
-      return this.error(validation.error, {
-        code: validation.code || "INVALID_PATH",
-        suggestion: validation.suggestion,
-        nextSteps: validation.nextSteps || [],
-      });
-    }
-
-    // HARDENING: Validate and sanitize profile
-    const validProfiles = ["quick", "full", "ship", "ci", "security", "compliance", "ai"];
-    const profile = validProfiles.includes(args?.profile) ? args?.profile : "quick";
-    
-    // HARDENING: Sanitize only array
-    const only = sanitizeArray(args?.only, 20).map(item => sanitizeString(item, 50));
-
-    // Initialize API integration with timeout and circuit breaker
-    let apiScan = null;
-    let apiConnected = false;
-    
-    // HARDENING: Check circuit breaker before attempting API calls
-    const circuitCheck = checkCircuitBreaker();
-    
-    // Try to connect to API for dashboard integration
-    if (circuitCheck.allowed) {
-      try {
-        // HARDENING: Add timeout to API availability check
-        const apiCheckPromise = isApiAvailable();
-        const timeoutPromise = new Promise((_, reject) => 
-          setTimeout(() => reject(new Error('API check timeout')), 5000)
-        );
-        
-        apiConnected = await Promise.race([apiCheckPromise, timeoutPromise]);
-        
-        if (apiConnected) {
-          // Create scan record in dashboard
-          const createScanPromise = createScan({
-            localPath: sanitizeString(projectPath, 500),
-            branch: sanitizeString(args?.branch, 100) || 'main',
-            enableLLM: false,
-          });
-          const scanTimeoutPromise = new Promise((_, reject) => 
-            setTimeout(() => reject(new Error('Create scan timeout')), 10000)
-          );
-          
-          apiScan = await Promise.race([createScanPromise, scanTimeoutPromise]);
-          console.error(`[MCP] Connected to dashboard (Scan ID: ${apiScan.scanId})`);
-          recordApiResult(true); // Record success
-        }
-      } catch (err) {
-        // API connection is optional, continue without it
-        console.error(`[MCP] Dashboard integration unavailable: ${err.message}`);
-        recordApiResult(false); // Record failure
-      }
-    } else {
-      console.error(`[MCP] ${circuitCheck.reason}`);
-    }
-
-    let output = "# 🔍 vibecheck Scan\n\n";
-    output += `**Profile:** ${profile}\n`;
-    output += `**Path:** ${projectPath}\n\n`;
-
-    // Build CLI arguments array (secure - no injection possible)
-    const cliArgs = [`--profile=${profile}`, "--json"];
-    if (only.length > 0) {
-      cliArgs.push(`--only=${only.join(",")}`);
-    }
-
-    try {
-      await this.runCLI("scan", cliArgs, projectPath, { timeout: CONFIG.TIMEOUTS.SCAN });
-
-      // Read summary from disk
-      const summary = await this.parseSummaryFromDisk(projectPath);
-      if (summary) {
-        output += this.formatScanOutput(summary, projectPath);
-        
-        // Submit results to dashboard if connected
-        if (apiConnected && apiScan) {
-          try {
-            // HARDENING: Add timeout to result submission
-            const submitPromise = submitScanResults(apiScan.scanId, {
-              verdict: sanitizeString(summary.verdict, 50) || 'UNKNOWN',
-              score: sanitizeNumber(summary.score?.overall, 0, 100, 0),
-              findings: sanitizeArray(summary.findings, 1000) || [],
-              filesScanned: sanitizeNumber(summary.stats?.filesScanned, 0, 1000000, 0),
-              linesScanned: sanitizeNumber(summary.stats?.linesScanned, 0, 100000000, 0),
-              durationMs: sanitizeNumber(summary.timings?.total, 0, 3600000, 0),
-              metadata: {
-                profile,
-                source: 'mcp-server',
-                version: CONFIG.VERSION,
-              },
-            });
-            const submitTimeout = new Promise((_, reject) => 
-              setTimeout(() => reject(new Error('Submit timeout')), 10000)
-            );
-            
-            await Promise.race([submitPromise, submitTimeout]);
-            console.error(`[MCP] Results sent to dashboard`);
-          } catch (err) {
-            console.error(`[MCP] Failed to send results to dashboard: ${err.message}`);
-          }
-        }
-      }
-      output += "\n---\n_Context Enhanced by vibecheck AI_\n";
-      return this.success(output);
-    } catch (err) {
-      // Graceful degradation: check if scan completed but found issues (exit code 1)
-      const summary = await this.parseSummaryFromDisk(projectPath);
-      if (summary) {
-        output += this.formatScanOutput(summary, projectPath);
-        
-        // Submit results to dashboard if connected
-        if (apiConnected && apiScan) {
-          try {
-            // HARDENING: Add timeout to error case submission
-            const submitPromise = submitScanResults(apiScan.scanId, {
-              verdict: sanitizeString(summary.verdict, 50) || 'UNKNOWN',
-              score: sanitizeNumber(summary.score?.overall, 0, 100, 0),
-              findings: sanitizeArray(summary.findings, 1000) || [],
-              filesScanned: sanitizeNumber(summary.stats?.filesScanned, 0, 1000000, 0),
-              linesScanned: sanitizeNumber(summary.stats?.linesScanned, 0, 100000000, 0),
-              durationMs: sanitizeNumber(summary.timings?.total, 0, 3600000, 0),
-              metadata: {
-                profile,
-                source: 'mcp-server',
-                version: CONFIG.VERSION,
-                error: sanitizeString(err.message, 500),
-              },
-            });
-            const submitTimeout = new Promise((_, reject) => 
-              setTimeout(() => reject(new Error('Submit timeout')), 10000)
-            );
-            
-            await Promise.race([submitPromise, submitTimeout]);
-            console.error(`[MCP] Results sent to dashboard (with error)`);
-          } catch (apiErr) {
-            console.error(`[MCP] Failed to send results to dashboard: ${apiErr.message}`);
-          }
-        }
-        output += `\n⚠️ Scan completed with findings (exit code ${err.code || 1})\n`;
-        return this.success(output);
-      }
-
-      // Report error to dashboard if connected
-      if (apiConnected && apiScan) {
-        try {
-          // HARDENING: Add timeout to error reporting
-          const reportPromise = reportScanError(apiScan.scanId, err);
-          const reportTimeout = new Promise((_, reject) => 
-            setTimeout(() => reject(new Error('Report timeout')), 10000)
-          );
-          
-          await Promise.race([reportPromise, reportTimeout]);
-          console.error(`[MCP] Error reported to dashboard`);
-        } catch (apiErr) {
-          console.error(`[MCP] Failed to report error to dashboard: ${apiErr.message}`);
-        }
-      }
-
-      return this.error(`Scan failed: ${err.message}`, {
-        code: "SCAN_ERROR",
-        suggestion: "Check that the project path is valid and contains scanable code",
-        nextSteps: [
-          "Verify the project path is correct",
-          "Ensure you have read permissions",
-          "Check that required dependencies are installed",
-          "Try running: vibecheck scan --help",
-        ],
-      });
-    }
-  }
-
-  // ============================================================================
-  // GATE - PRO tier required (CI/CD enforcement)
-  // ============================================================================
-  async handleGate(projectPath, args) {
-    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
-    const access = await getFeatureAccessStatus("vibecheck.gate", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    const policy = args?.policy || "strict";
-
-    let output = "# 🚦 vibecheck Gate\n\n";
-    output += `**Policy:** ${policy}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [`--policy=${policy}`];
-    if (args?.sarif) cliArgs.push("--sarif");
-
-    try {
-      await this.runCLI("gate", cliArgs, projectPath);
-
-      output += "## ✅ GATE PASSED\n\n";
-      output += "All checks passed. Clear to merge.\n";
-    } catch (err) {
-      output += "## 🚫 GATE FAILED\n\n";
-      output += "Build blocked. Fix the issues and re-run.\n\n";
-      output += `Run \`vibecheck fix --plan\` to see recommended fixes.\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // FIX MISSIONS v1 - PRO tier required (aligned with CLI entitlements-v2.js)
-  // ============================================================================
-  async handleFix(projectPath, args) {
-    // Check tier access - vibecheck.fix is PRO (all modes: plan, apply, autopilot)
-    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    const mode = args?.autopilot ? "Autopilot" : 
-                 args?.apply ? "Apply" : 
-                 args?.promptOnly ? "Prompt Only" : 
-                 args?.dryRun ? "Dry Run" : "Plan";
-
-    let output = "# 🛠 vibecheck Fix Missions v1\n\n";
-    output += `**Mode:** ${mode}\n`;
-    output += `**Max Missions:** ${args?.maxMissions || 8}\n`;
-    if (args?.autopilot) output += `**Max Steps:** ${args?.maxSteps || 10}\n`;
-    if (args?.dryRun) output += `**Dry Run:** Yes (no changes will be made)\n`;
-    output += "\n";
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.promptOnly) cliArgs.push("--prompt-only");
-    if (args?.apply) cliArgs.push("--apply");
-    if (args?.autopilot) cliArgs.push("--autopilot");
-    if (args?.share) cliArgs.push("--share");
-    if (args?.dryRun) cliArgs.push("--dry-run");
-    if (args?.maxMissions) cliArgs.push("--max-missions", String(args.maxMissions));
-    if (args?.maxSteps) cliArgs.push("--max-steps", String(args.maxSteps));
-
-    try {
-      const result = await this.runCLI("fix", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.AUTOPILOT 
-      });
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read mission pack if available
-      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
-      try {
-        const dirs = await fs.readdir(missionsDir);
-        const latest = dirs.sort().reverse()[0];
-        if (latest) {
-          const missionPath = path.join(missionsDir, latest, "missions.json");
-          const missions = JSON.parse(await fs.readFile(missionPath, "utf-8"));
-          
-          output += "\n## Planned Missions\n\n";
-          output += "| # | Mission | Target Findings |\n|---|---------|----------------|\n";
-          for (let i = 0; i < missions.missions.length; i++) {
-            const m = missions.missions[i];
-            output += `| ${i + 1} | ${m.title} | ${m.targetFindingIds.length} |\n`;
-          }
-          output += `\n📁 **Mission Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}\n`;
-        }
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Fix error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_Fix Missions v1 — Reality Firewall Protected_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // SHARE - Generate share bundle from fix missions
-  // ============================================================================
-  async handleShare(projectPath, args) {
-    let output = "# 📦 vibecheck Share Bundle\n\n";
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.prComment) cliArgs.push("--pr-comment");
-    if (args?.out) cliArgs.push("--out", args.out);
-
-    try {
-      const result = await this.runCLI("share", cliArgs, projectPath);
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read share pack if available
-      const missionsDir = path.join(projectPath, CONFIG.OUTPUT_DIR, "missions");
-      try {
-        const dirs = await fs.readdir(missionsDir);
-        const latest = dirs.sort().reverse()[0];
-        if (latest) {
-          const sharePath = path.join(missionsDir, latest, "share", "share.json");
-          try {
-            const share = JSON.parse(await fs.readFile(sharePath, "utf-8"));
-            
-            output += "\n## Share Pack Summary\n\n";
-            output += `| Metric | Value |\n|--------|-------|\n`;
-            output += `| Mission Pack | ${latest} |\n`;
-            output += `| Total Steps | ${share.timeline?.length || 0} |\n`;
-            output += `| Final Verdict | ${share.finalVerdict || "Unknown"} |\n`;
-            
-            if (share.timeline?.length > 0) {
-              output += "\n## Timeline\n\n";
-              output += "| Step | Mission | Before | After |\n|------|---------|--------|-------|\n";
-              for (const t of share.timeline.slice(0, 10)) {
-                output += `| ${t.step} | ${t.missionTitle || t.missionId} | ${t.beforeVerdict} | ${t.afterVerdict} |\n`;
-              }
-            }
-            
-            output += `\n📁 **Share Pack:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/\n`;
-            output += `📄 **PR Comment:** ${CONFIG.OUTPUT_DIR}/missions/${latest}/share/pr_comment.md\n`;
-          } catch {}
-        }
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Share error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_Fix Missions Share Bundle_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // CTX - Truth Pack Generator
-  // ============================================================================
-  async handleCtx(projectPath, args) {
-    let output = "# 📦 vibecheck Truth Pack\n\n";
-    output += `**Path:** ${projectPath}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.snapshot) cliArgs.push("--snapshot");
-    if (args?.json) cliArgs.push("--json");
-
-    try {
-      const result = await this.runCLI("ctx", cliArgs, projectPath);
-
-      if (args?.json) {
-        // Return raw JSON
-        return this.success(result.stdout);
-      }
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read truthpack summary
-      const truthpackPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "truth", "truthpack.json");
-      try {
-        const truthpack = JSON.parse(await fs.readFile(truthpackPath, "utf-8"));
-        
-        output += "\n## Truth Pack Contents\n\n";
-        output += `| Category | Count |\n|----------|-------|\n`;
-        output += `| Server Routes | ${truthpack.routes?.server?.length || 0} |\n`;
-        output += `| Client Refs | ${truthpack.routes?.clientRefs?.length || 0} |\n`;
-        output += `| Route Gaps | ${truthpack.routes?.gaps?.length || 0} |\n`;
-        output += `| Env Used | ${truthpack.env?.vars?.length || 0} |\n`;
-        output += `| Env Declared | ${truthpack.env?.declared?.length || 0} |\n`;
-        output += `| Auth Middleware | ${truthpack.auth?.nextMiddleware?.length || 0} |\n`;
-        output += `| Stripe Detected | ${truthpack.billing?.hasStripe ? "✅" : "❌"} |\n`;
-        output += `| Webhooks | ${truthpack.billing?.summary?.webhookHandlersFound || 0} |\n`;
-        
-        output += `\n📁 **Saved:** ${CONFIG.OUTPUT_DIR}/truth/truthpack.json\n`;
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Truth pack error: ${err.message}\n`;
-    }
-
-    output += "\n---\n_Ground Truth for AI Agents_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // PROVE - One Command Reality Proof (PRO tier required)
-  // ============================================================================
-  async handleProve(projectPath, args) {
-    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
-    const access = await getFeatureAccessStatus("vibecheck.prove", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    let output = "# 🔬 vibecheck prove\n\n";
-    output += `**URL:** ${args?.url || "(static only)"}\n`;
-    output += `**Max Fix Rounds:** ${args?.maxFixRounds || 3}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.url) cliArgs.push("--url", args.url);
-    if (args?.auth) cliArgs.push("--auth", args.auth);
-    if (args?.storageState) cliArgs.push("--storage-state", args.storageState);
-    if (args?.skipReality) cliArgs.push("--skip-reality");
-    if (args?.skipFix) cliArgs.push("--skip-fix");
-    if (args?.maxFixRounds) cliArgs.push("--max-fix-rounds", String(args.maxFixRounds));
-
-    try {
-      const result = await this.runCLI("prove", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.PROVE 
-      });
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read prove report
-      const provePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "prove", "last_prove.json");
-      try {
-        const report = JSON.parse(await fs.readFile(provePath, "utf-8"));
-        
-        output += "\n## Timeline\n\n";
-        output += "| Step | Action | Status |\n|------|--------|--------|\n";
-        for (const t of report.timeline || []) {
-          output += `| ${t.step} | ${t.action} | ${t.status || t.verdict || "ok"} |\n`;
-        }
-        
-        output += `\n**Final Verdict:** ${report.finalVerdict}\n`;
-        output += `**Duration:** ${report.meta?.durationSeconds}s\n`;
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Prove error: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_One command to make it real_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // PROOF
-  // ============================================================================
-  async handleProof(projectPath, args) {
-    const mode = args?.mode;
-
-    if (!mode) {
-      return this.error("Mode required: 'mocks' or 'reality'");
-    }
-
-    let output = `# 🎬 vibecheck Proof: ${mode.toUpperCase()}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [mode];
-    if (mode === "reality" && args?.url) cliArgs.push(`--url=${args.url}`);
-    if (mode === "reality" && args?.flow) cliArgs.push(`--flow=${args.flow}`);
-
-    try {
-      const result = await this.runCLI("proof", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.SCAN,
-        skipAuth: false 
-      });
-
-      output += result.stdout;
-    } catch (err) {
-      if (mode === "mocks") {
-        output += "## 🚫 MOCKPROOF: FAIL\n\n";
-        output += "Mock/demo code detected in production paths.\n";
-      } else {
-        output += "## 🚫 REALITY MODE: FAIL\n\n";
-        output += "Fake data or mock services detected at runtime.\n";
-      }
-      output += `\n${err.partialOutput || err.message}\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // VALIDATE
-  // ============================================================================
-  async handleValidate(projectPath, args) {
-    const { code, intent } = args;
-    if (!code) return this.error("Code is required");
-
-    let output = "# 🤖 AI Code Validation\n\n";
-    if (intent) output += `**Intent:** ${intent}\n\n`;
-
-    try {
-      const {
-        runHallucinationCheck,
-        validateIntent,
-        validateQuality,
-      } = require(
-        path.join(__dirname, "..", "bin", "runners", "lib", "ai-bridge.js"),
-      );
-
-      // 1. Hallucinations (checking against project deps + internal logic)
-      // Note: In MCP context, we might want to check the provided code specifically for imports.
-      // The bridge's runHallucinationCheck mostly checks package.json.
-      // But we can check imports in the 'code' snippet if we extract them.
-      // The bridge handles extractImports internally but runHallucinationCheck doesn't expose it directly for a string input.
-      // We will rely on package.json sanity check for now + static analysis of the snippet.
-
-      const hallResult = await runHallucinationCheck(projectPath);
-
-      // 2. Intent
-      let intentResult = { score: 100, issues: [] };
-      if (intent) {
-        intentResult = validateIntent(code, intent);
-      }
-
-      // 3. Quality
-      const qualityResult = validateQuality(code);
-
-      const allIssues = [
-        ...hallResult.issues,
-        ...intentResult.issues,
-        ...qualityResult.issues,
-      ];
-
-      const score = Math.round(
-        (hallResult.score + intentResult.score + qualityResult.score) / 3,
-      );
-      const status = score >= 80 ? "✅ PASSED" : "⚠️ ISSUES FOUND";
-
-      output += `**Status:** ${status} (${score}/100)\n\n`;
-
-      if (allIssues.length > 0) {
-        output += "### Issues\n";
-        for (const issue of allIssues) {
-          const icon =
-            issue.severity === "critical"
-              ? "🔴"
-              : issue.severity === "high"
-                ? "🟠"
-                : "🟡";
-          output += `- ${icon} **[${issue.type}]** ${issue.message}\n`;
-        }
-      } else {
-        output += "✨ Code looks valid and safe.\n";
-      }
-
-      return this.success(output);
-    } catch (err) {
-      return this.error(`Validation failed: ${err.message}`);
-    }
-  }
-
-  // ============================================================================
-  // REPORT
-  // ============================================================================
-  async handleReport(projectPath, args) {
-    const type = args?.type || "summary";
-    const outputDir = path.join(projectPath, ".vibecheck");
-
-    let output = "# 📄 vibecheck Report\n\n";
-
-    try {
-      if (type === "summary") {
-        const summaryPath = path.join(outputDir, "summary.json");
-        const summary = JSON.parse(await fs.readFile(summaryPath, "utf-8"));
-
-        output += `**Score:** ${summary.score}/100 (${summary.grade})\n`;
-        output += `**Verdict:** ${summary.canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n`;
-        output += `**Generated:** ${summary.timestamp}\n`;
-      } else if (type === "full") {
-        const reportPath = path.join(outputDir, "summary.md");
-        output += await fs.readFile(reportPath, "utf-8");
-      } else if (type === "sarif") {
-        const sarifPath = path.join(outputDir, "results.sarif");
-        const sarif = await fs.readFile(sarifPath, "utf-8");
-        output += "```json\n" + sarif.substring(0, 2000) + "\n```\n";
-        output += `\n📄 **Full SARIF:** ${sarifPath}\n`;
-      } else if (type === "html") {
-        output += `📄 **HTML Report:** ${path.join(outputDir, "report.html")}\n`;
-        output += "Open in browser to view the full report.\n";
-      }
-    } catch (err) {
-      output += `⚠️ No ${type} report found. Run \`vibecheck.scan\` first.\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // SHIP - Verdict engine (PRO tier required - aligned with CLI entitlements-v2.js)
-  // ============================================================================
-  async handleShip(projectPath, args) {
-    // Check tier access (PRO tier required)
-    const access = await getFeatureAccessStatus("vibecheck.ship", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    // HARDENING: Validate project path
-    const validation = this.validateProjectPath(projectPath);
-    if (!validation.valid) {
-      return this.error(validation.error, {
-        code: validation.code || "INVALID_PATH",
-        suggestion: validation.suggestion,
-        nextSteps: validation.nextSteps || [],
-      });
-    }
-
-    let output = "# 🚀 vibecheck Ship\n\n";
-    output += `**Path:** ${projectPath}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (args?.fix) cliArgs.push("--fix");
-
-    try {
-      const result = await this.runCLI("ship", cliArgs, projectPath);
-
-      output += this.stripAnsi(result.stdout);
-    } catch (err) {
-      output += `\n⚠️ Ship check failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_Context Enhanced by vibecheck AI_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // VERIFY - Runtime browser testing
-  // ============================================================================
-  async handleVerify(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
-
-    let output = "# 🧪 vibecheck Verify\n\n";
-    output += `**URL:** ${url}\n`;
-    
-    // HARDENING: Sanitize array inputs
-    const flows = sanitizeArray(args?.flows, 10);
-    if (flows.length) output += `**Flows:** ${flows.join(", ")}\n`;
-    if (args?.headed) output += `**Mode:** Headed (visible browser)\n`;
-    if (args?.record) output += `**Recording:** Enabled\n`;
-    output += "\n";
-
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    // HARDENING: Sanitize auth - don't log full credentials
-    if (args?.auth && typeof args.auth === 'string') {
-      cliArgs.push("--auth", sanitizeString(args.auth, 200));
-    }
-    if (flows.length) cliArgs.push("--flows", flows.join(","));
-    if (args?.headed) cliArgs.push("--headed");
-    if (args?.record) cliArgs.push("--record");
-
-    try {
-      const result = await this.runCLI("verify", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.VERIFY 
-      });
-
-      output += this.stripAnsi(result.stdout);
-
-      // Try to read reality results
-      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
-      try {
-        const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
-        
-        output += "\n## Verification Summary\n\n";
-        output += `| Metric | Value |\n|--------|-------|\n`;
-        output += `| Pages Visited | ${reality.meta?.pagesVisited || 0} |\n`;
-        output += `| Buttons Clicked | ${reality.meta?.buttonsClicked || 0} |\n`;
-        output += `| Forms Tested | ${reality.meta?.formsTested || 0} |\n`;
-        output += `| Dead UI Found | ${reality.findings?.length || 0} |\n`;
-        output += `| Console Errors | ${reality.consoleErrors?.length || 0} |\n`;
-        output += `| Duration | ${reality.meta?.durationMs || 0}ms |\n`;
-        
-        if (reality.findings?.length > 0) {
-          output += "\n## Dead UI Detected\n\n";
-          for (const f of reality.findings.slice(0, 5)) {
-            output += `- **${f.title}** — ${f.reason}\n`;
-          }
-          if (reality.findings.length > 5) {
-            output += `\n_...and ${reality.findings.length - 5} more_\n`;
-          }
-        }
-        
-        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Verify failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_Runtime Verification by vibecheck_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // REALITY v2 - Two-Pass Auth Verification + Dead UI Crawler
-  // ============================================================================
-  async handleReality(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
-
-    let output = "# 🧪 vibecheck Reality v2\n\n";
-    output += `**URL:** ${url}\n`;
-    output += `**Two-Pass Auth:** ${args?.verifyAuth ? "Yes" : "No"}\n`;
-    
-    // HARDENING: Safely display auth info (mask password)
-    if (args?.auth && typeof args.auth === 'string') {
-      const authParts = args.auth.split(":");
-      const maskedAuth = authParts[0] ? `${authParts[0].slice(0, 20)}:***` : '***';
-      output += `**Auth:** ${maskedAuth}\n`;
-    }
-    if (args?.storageState) output += `**Storage State:** ${sanitizeString(args.storageState, 100)}\n`;
-    if (args?.headed) output += `**Mode:** Headed (visible browser)\n`;
-    if (args?.danger) output += `**Danger Mode:** Enabled (risky clicks allowed)\n`;
-    output += "\n";
-
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    if (args?.auth && typeof args.auth === 'string') {
-      cliArgs.push("--auth", sanitizeString(args.auth, 200));
-    }
-    if (args?.verifyAuth) cliArgs.push("--verify-auth");
-    
-    // HARDENING: Validate path arguments
-    if (args?.storageState) {
-      const pathCheck = sanitizePath(args.storageState, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--storage-state", pathCheck.path);
-      }
-    }
-    if (args?.saveStorageState) {
-      const pathCheck = sanitizePath(args.saveStorageState, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--save-storage-state", pathCheck.path);
-      }
-    }
-    if (args?.truthpack) {
-      const pathCheck = sanitizePath(args.truthpack, projectPath);
-      if (pathCheck.valid) {
-        cliArgs.push("--truthpack", pathCheck.path);
-      }
-    }
-    if (args?.headed) cliArgs.push("--headed");
-    
-    // HARDENING: Bound numeric arguments
-    if (args?.maxPages) {
-      cliArgs.push("--max-pages", String(sanitizeNumber(args.maxPages, 1, 100, 18)));
-    }
-    if (args?.maxDepth) {
-      cliArgs.push("--max-depth", String(sanitizeNumber(args.maxDepth, 1, 10, 2)));
-    }
-    if (args?.danger) cliArgs.push("--danger");
-
-    try {
-      const result = await this.runCLI("reality", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.REALITY 
-      });
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read reality results
-      const realityPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "reality", "last_reality.json");
-      try {
-        const reality = JSON.parse(await fs.readFile(realityPath, "utf-8"));
-        
-        output += "\n## Reality Report\n\n";
-        output += `| Metric | Value |\n|--------|-------|\n`;
-        output += `| Anon Pages | ${reality.passes?.anon?.pagesVisited?.length || 0} |\n`;
-        if (reality.passes?.auth) {
-          output += `| Auth Pages | ${reality.passes?.auth?.pagesVisited?.length || 0} |\n`;
-        }
-        output += `| Findings | ${reality.findings?.length || 0} |\n`;
-        output += `| Console Errors | ${reality.consoleErrors?.length || 0} |\n`;
-        output += `| Network Errors | ${reality.networkErrors?.length || 0} |\n`;
-        
-        if (reality.coverage) {
-          output += `| UI Coverage | ${reality.coverage.percent}% (${reality.coverage.hit}/${reality.coverage.total}) |\n`;
-        }
-        
-        if (reality.meta?.protectedMatcherCount > 0) {
-          output += `| Auth Matchers | ${reality.meta.protectedMatcherCount} |\n`;
-        }
-        
-        // Show findings by category
-        const blocks = reality.findings?.filter(f => f.severity === "BLOCK") || [];
-        const warns = reality.findings?.filter(f => f.severity === "WARN") || [];
-        
-        if (blocks.length > 0) {
-          output += "\n### 🛑 BLOCK Findings\n\n";
-          for (const f of blocks.slice(0, 5)) {
-            output += `- **${f.title}**\n  - ${f.reason}\n`;
-            if (f.screenshot) output += `  - Screenshot: ${f.screenshot}\n`;
-          }
-          if (blocks.length > 5) {
-            output += `\n_...and ${blocks.length - 5} more BLOCKs_\n`;
-          }
-        }
-        
-        if (warns.length > 0) {
-          output += "\n### ⚠️ WARN Findings\n\n";
-          for (const f of warns.slice(0, 3)) {
-            output += `- **${f.title}** — ${f.reason}\n`;
-          }
-          if (warns.length > 3) {
-            output += `\n_...and ${warns.length - 3} more WARNs_\n`;
-          }
-        }
-        
-        // Verdict
-        const verdict = blocks.length > 0 ? "🛑 BLOCK" : warns.length > 0 ? "⚠️ WARN" : "✅ CLEAN";
-        output += `\n## Verdict: ${verdict}\n`;
-        
-        output += `\n📁 **Full Report:** ${CONFIG.OUTPUT_DIR}/reality/last_reality.json\n`;
-        
-        if (reality.meta?.savedStorageState) {
-          output += `📁 **Saved Auth State:** ${reality.meta.savedStorageState}\n`;
-        }
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Reality failed: ${err.message}\n`;
-      if (err.partialOutput) output += `\n${this.stripAnsi(err.partialOutput)}\n`;
-    }
-
-    output += "\n---\n_Reality Mode v2 — Two-Pass Auth Verification_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // AI-TEST - AI Agent testing
-  // ============================================================================
-  async handleAITest(projectPath, args) {
-    // HARDENING: Validate URL
-    const urlValidation = validateUrl(args?.url);
-    if (!urlValidation.valid) {
-      return this.error(urlValidation.error, {
-        code: 'INVALID_URL',
-        suggestion: 'Provide a valid HTTP/HTTPS URL',
-        nextSteps: ['Check the URL format', 'Ensure the URL is accessible'],
-      });
-    }
-    const url = urlValidation.url;
-
-    // HARDENING: Sanitize goal string
-    const goal = sanitizeString(args?.goal, 500) || "Test all features";
-
-    let output = "# 🤖 vibecheck AI Agent\n\n";
-    output += `**URL:** ${url}\n`;
-    output += `**Goal:** ${goal}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--url", url];
-    if (goal) cliArgs.push("--goal", goal);
-    if (args?.headed) cliArgs.push("--headed");
-
-    try {
-      const result = await this.runCLI("ai-test", cliArgs, projectPath, { 
-        timeout: CONFIG.TIMEOUTS.VERIFY 
-      });
-
-      output += this.stripAnsi(result.stdout);
-
-      // Try to read fix prompts
-      const promptPath = path.join(projectPath, CONFIG.OUTPUT_DIR, "ai-agent", "fix-prompt.md");
-      try {
-        const prompts = await fs.readFile(promptPath, "utf-8");
-        output += "\n## Fix Prompts Generated\n\n";
-        output += prompts.substring(0, 2000);
-        if (prompts.length > 2000) output += "\n\n... (truncated)";
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ AI Agent failed: ${err.message}\n`;
-    }
-
-    output += "\n---\n_Context Enhanced by vibecheck AI_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // AUTOPILOT - Continuous protection
-  // ============================================================================
-  async handleAutopilot(projectPath, args) {
-    const action = args?.action || "status";
-
-    let output = "# 🤖 vibecheck Autopilot\n\n";
-    output += `**Action:** ${action}\n\n`;
-
-    // Build CLI arguments array (secure - no injection possible)
-    const cliArgs = [action];
-    if (args?.slack) cliArgs.push("--slack", args.slack);
-    if (args?.email) cliArgs.push("--email", args.email);
-
-    try {
-      const result = await this.runCLI("autopilot", cliArgs, projectPath);
-
-      output += this.stripAnsi(result.stdout);
-    } catch (err) {
-      output += `\n⚠️ Autopilot failed: ${err.message}\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // AUTOPILOT PLAN - Generate fix plan (PRO tier required)
-  // ============================================================================
-  async handleAutopilotPlan(projectPath, args) {
-    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
-    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    let output = "# 🤖 vibecheck Autopilot Plan\n\n";
-    output += `**Path:** ${projectPath}\n`;
-    output += `**Profile:** ${args?.profile || "ship"}\n\n`;
-
-    try {
-      // Use the core autopilot runner directly
-      const corePath = path.join(__dirname, "..", "packages", "core", "dist", "index.js");
-      let runAutopilot;
-      
-      try {
-        const core = await import(corePath);
-        runAutopilot = core.runAutopilot;
-      } catch {
-        // Fallback to CLI - build secure args array
-        const cliArgs = [
-          "plan",
-          "--profile", args?.profile || "ship",
-          "--max-fixes", String(args?.maxFixes || 10),
-          "--json"
-        ];
-
-        const result = await this.runCLI("autopilot", cliArgs, projectPath);
-
-        const jsonResult = JSON.parse(result.stdout);
-        output += `## Scan Results\n\n`;
-        output += `- **Total findings:** ${jsonResult.totalFindings}\n`;
-        output += `- **Fixable:** ${jsonResult.fixableFindings}\n`;
-        output += `- **Estimated time:** ${jsonResult.estimatedDuration}\n\n`;
-
-        output += `## Fix Packs\n\n`;
-        for (const pack of jsonResult.packs || []) {
-          const risk = pack.estimatedRisk === "high" ? "🔴" : pack.estimatedRisk === "medium" ? "🟡" : "🟢";
-          output += `### ${risk} ${pack.name}\n`;
-          output += `- Issues: ${pack.findings.length}\n`;
-          output += `- Files: ${pack.impactedFiles.join(", ")}\n\n`;
-        }
-
-        output += `\n💡 Run \`vibecheck.autopilot_apply\` to apply these fixes.\n`;
-        return this.success(output);
-      }
-
-      if (runAutopilot) {
-        const result = await runAutopilot({
-          projectPath,
-          mode: "plan",
-          profile: args?.profile || "ship",
-          maxFixes: args?.maxFixes || 10,
-        });
-
-        output += `## Scan Results\n\n`;
-        output += `- **Total findings:** ${result.totalFindings}\n`;
-        output += `- **Fixable:** ${result.fixableFindings}\n`;
-        output += `- **Estimated time:** ${result.estimatedDuration}\n\n`;
-
-        output += `## Fix Packs\n\n`;
-        for (const pack of result.packs) {
-          const risk = pack.estimatedRisk === "high" ? "🔴" : pack.estimatedRisk === "medium" ? "🟡" : "🟢";
-          output += `### ${risk} ${pack.name}\n`;
-          output += `- Issues: ${pack.findings.length}\n`;
-          output += `- Files: ${pack.impactedFiles.join(", ")}\n\n`;
-        }
-
-        output += `\n💡 Run \`vibecheck.autopilot_apply\` to apply these fixes.\n`;
-      }
-    } catch (err) {
-      output += `\n❌ Error: ${err.message}\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // AUTOPILOT APPLY - Apply fixes (PRO tier required)
-  // ============================================================================
-  async handleAutopilotApply(projectPath, args) {
-    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
-    const access = await getFeatureAccessStatus("vibecheck.fix", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: `🚫 UPGRADE REQUIRED\n\n${access.reason}\n\nCurrent tier: ${access.tier}\nUpgrade at: ${access.upgradeUrl}`
-        }],
-        isError: true
-      };
-    }
-
-    let output = "# 🔧 vibecheck Autopilot Apply\n\n";
-    output += `**Path:** ${projectPath}\n`;
-    output += `**Profile:** ${args?.profile || "ship"}\n`;
-    output += `**Dry Run:** ${args?.dryRun ? "Yes" : "No"}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [
-      "apply",
-      "--profile", args?.profile || "ship",
-      "--max-fixes", String(args?.maxFixes || 10),
-      "--json"
-    ];
-    if (args?.verify === false) cliArgs.push("--no-verify");
-    if (args?.dryRun) cliArgs.push("--dry-run");
-
-    try {
-      const result = await this.runCLI("autopilot", cliArgs, projectPath, {
-        timeout: CONFIG.TIMEOUTS.AUTOPILOT,
-      });
-
-      const jsonResult = JSON.parse(result.stdout);
-
-      output += `## Results\n\n`;
-      output += `- **Packs attempted:** ${jsonResult.packsAttempted}\n`;
-      output += `- **Packs succeeded:** ${jsonResult.packsSucceeded}\n`;
-      output += `- **Packs failed:** ${jsonResult.packsFailed}\n`;
-      output += `- **Fixes applied:** ${jsonResult.appliedFixes?.filter(f => f.success).length || 0}\n`;
-      output += `- **Duration:** ${jsonResult.duration}ms\n\n`;
-
-      if (jsonResult.verification) {
-        output += `## Verification\n\n`;
-        output += `- TypeScript: ${jsonResult.verification.typecheck?.passed ? "✅" : "❌"}\n`;
-        output += `- Build: ${jsonResult.verification.build?.passed ? "✅" : "⏭️"}\n`;
-        output += `- Overall: ${jsonResult.verification.passed ? "✅ PASSED" : "❌ FAILED"}\n\n`;
-      }
-
-      output += `**Remaining findings:** ${jsonResult.remainingFindings}\n`;
-      output += `**New scan verdict:** ${jsonResult.newScanVerdict}\n`;
-    } catch (err) {
-      output += `\n❌ Error: ${err.message}\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // BADGE - Generate ship badge (PRO tier required)
-  // ============================================================================
-  async handleBadge(projectPath, args) {
-    // Check tier access (PRO tier required - aligned with CLI entitlements-v2.js)
-    const access = await getFeatureAccessStatus("vibecheck.badge", args?.apiKey, args);
-    if (!access.hasAccess) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            ok: false,
-            error: access.error || {
-              code: 'NOT_ENTITLED',
-              message: 'Requires PRO',
-              userAction: 'Open billing',
-              retryable: false,
-            },
-          }, null, 2)
-        }],
-        isError: true
-      };
-    }
-
-    const format = args?.format || "svg";
-
-    let output = "# 🏅 vibecheck Badge\n\n";
-
-    // Build CLI arguments array (secure)
-    const cliArgs = ["--format", format];
-    if (args?.style) cliArgs.push("--style", args.style);
-
-    try {
-      const result = await this.runCLI("badge", cliArgs, projectPath);
-
-      output += this.stripAnsi(result.stdout);
-
-      // Read the badge file
-      const badgePath = path.join(projectPath, CONFIG.OUTPUT_DIR, "badges", `badge.${format}`);
-      try {
-        const badge = await fs.readFile(badgePath, "utf-8");
-        if (format === "md") {
-          output += "\n**Markdown:**\n```\n" + badge + "\n```\n";
-        } else if (format === "html") {
-          output += "\n**HTML:**\n```html\n" + badge + "\n```\n";
-        } else {
-          output += `\n**Badge saved to:** ${badgePath}\n`;
-        }
-      } catch {}
-    } catch (err) {
-      output += `\n⚠️ Badge generation failed: ${err.message}\n`;
-    }
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // CONTEXT - AI Rules Generator
-  // ============================================================================
-  async handleContext(projectPath, args) {
-    const platform = args?.platform || "all";
-
-    let output = "# 🧠 vibecheck Context Generator\n\n";
-    output += `**Project:** ${path.basename(projectPath)}\n`;
-    output += `**Platform:** ${platform}\n\n`;
-
-    // Build CLI arguments array (secure)
-    const cliArgs = [];
-    if (platform !== "all") cliArgs.push(`--platform=${platform}`);
-
-    try {
-      await this.runCLI("context", cliArgs, projectPath, { skipAuth: false });
-
-      output += "## ✅ Context Generated\n\n";
-      output += "Your AI coding assistants now have full project awareness.\n\n";
-
-      output += "### Generated Files\n\n";
-
-      if (platform === "all" || platform === "cursor") {
-        output += "**Cursor:**\n";
-        output += "- `.cursorrules` - Main rules file\n";
-        output += "- `.cursor/rules/*.mdc` - Modular rules\n\n";
-      }
-
-      if (platform === "all" || platform === "windsurf") {
-        output += "**Windsurf:**\n";
-        output += "- `.windsurf/rules/*.md` - Cascade rules\n\n";
-      }
-
-      if (platform === "all" || platform === "copilot") {
-        output += "**GitHub Copilot:**\n";
-        output += "- `.github/copilot-instructions.md`\n\n";
-      }
-
-      output += "**Universal (MCP):**\n";
-      output += `- \`${CONFIG.OUTPUT_DIR}/context.json\` - Full context\n`;
-      output += `- \`${CONFIG.OUTPUT_DIR}/project-map.json\` - Project analysis\n\n`;
-
-      output += "### What Your AI Now Knows\n\n";
-      output += "- Project architecture and structure\n";
-      output += "- API routes and endpoints\n";
-      output += "- Components and data models\n";
-      output += "- Coding conventions and patterns\n";
-      output += "- Dependencies and tech stack\n\n";
-
-      output += "> **Tip:** Regenerate after major codebase changes with `vibecheck context`\n";
-    } catch (err) {
-      output += `\n⚠️ Context generation failed: ${err.message}\n`;
-    }
-
-    output += "\n---\n_Context Enhanced by vibecheck AI_\n";
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // STATUS
-  // ============================================================================
-  async handleStatus(projectPath, args) {
-    let output = "# 📊 vibecheck Status\n\n";
-
-    output += "## Server\n\n";
-    output += `- **Version:** ${VERSION}\n`;
-    output += `- **Node:** ${process.version}\n`;
-    output += `- **Platform:** ${process.platform}\n\n`;
-
-    output += "## Project\n\n";
-    output += `- **Path:** ${projectPath}\n`;
-
-    // Config
-    const configPaths = [
-      path.join(projectPath, "vibecheck.config.json"),
-      path.join(projectPath, ".vibecheckrc"),
-    ];
-    let hasConfig = false;
-    for (const p of configPaths) {
-      try {
-        await fs.access(p);
-        hasConfig = true;
-        output += `- **Config:** ✅ Found (${path.basename(p)})\n`;
-        break;
-      } catch {}
-    }
-    if (!hasConfig) {
-      output += "- **Config:** ⚠️ Not found (run `vibecheck init`)\n";
-    }
-
-    // Last scan
-    const summaryPath = path.join(projectPath, ".vibecheck", "summary.json");
-    try {
-      const summary = JSON.parse(await fs.readFile(summaryPath, "utf-8"));
-      output += `- **Last Scan:** ${summary.timestamp}\n`;
-      output += `- **Last Score:** ${summary.score}/100 (${summary.grade})\n`;
-      output += `- **Last Verdict:** ${summary.canShip ? "✅ SHIP" : "🚫 NO-SHIP"}\n`;
-    } catch {
-      output += "- **Last Scan:** None\n";
-    }
-
-    output += "\n## Available Tools\n\n";
-    output += "| Tool | Description |\n|------|-------------|\n";
-    for (const tool of TOOLS) {
-      output += `| \`${tool.name}\` | ${tool.description.split("—")[0].trim()} |\n`;
-    }
-
-    output += "\n---\n_Vibecheck v" + VERSION + " — https://vibecheckai.dev_\n";
-
-    return this.success(output);
-  }
-
-  // ============================================================================
-  // RUN - with graceful shutdown handling
-  // ============================================================================
-  async run() {
-    const transport = new StdioServerTransport();
-    
-    // ========================================================================
-    // HARDENING: Graceful shutdown handling
-    // ========================================================================
-    const shutdown = async (signal) => {
-      console.error(`\n[MCP] Received ${signal}, shutting down gracefully...`);
-      try {
-        // Clear rate limit state to prevent memory leaks
-        rateLimitState.calls = [];
-        
-        // Close server connection
-        await this.server.close();
-        console.error('[MCP] Server closed successfully');
-      } catch (err) {
-        console.error(`[MCP] Error during shutdown: ${err.message}`);
-      }
-      process.exit(0);
-    };
-    
-    // Handle termination signals
-    process.on('SIGINT', () => shutdown('SIGINT'));
-    process.on('SIGTERM', () => shutdown('SIGTERM'));
-    
-    // Handle uncaught errors gracefully
-    process.on('uncaughtException', (err) => {
-      console.error(`[MCP] Uncaught exception: ${err.message}`);
-      console.error(err.stack);
-      // Don't exit - try to keep running
-    });
-    
-    process.on('unhandledRejection', (reason, promise) => {
-      console.error(`[MCP] Unhandled rejection at:`, promise);
-      console.error(`[MCP] Reason:`, reason);
-      // Don't exit - try to keep running
-    });
-    
-    await this.server.connect(transport);
-    console.error(`vibecheck MCP Server v${VERSION} running on stdio (hardened)`);
-  }
-}
-
-// ============================================================================
-// MAIN - with error handling
-// ============================================================================
-const server = new VibecheckMCP();
-server.run().catch((err) => {
-  console.error(`[MCP] Fatal error starting server: ${err.message}`);
-  console.error(err.stack);
-  process.exit(1);
-});