@vibecodetown/mcp-server 2.1.0

package/build/tools/vibe_pm/inspect_code.js

@@ -0,0 +1,828 @@
+// adapters/mcp-ts/src/tools/vibe_pm/inspect_code.ts
+// vibe_pm.inspect_code - Code review and validation
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { parse as parseYaml } from "yaml";
+import { runEngine, invalidateEngineCache } from "../../engine.js";
+import { safeJsonParse } from "../../cli.js";
+import { resolveRunId, resolveProjectId, resolveBridgePath, readRunState, getRunsDir, resolveRunDir, invalidateStateCache } from "./context.js";
+import { validateInspectCodeInput } from "../../security/input-validator.js";
+import { preExecutionCheck } from "../../security/path-policy.js";
+import { PATH_ZONES } from "../../security/path-policy.js";
+import { signalToReview, formatMode, formatIssueType, generateRepairPrompt } from "./pm_language.js";
+import { ClinicBridgeFileSchema } from "../../generated/clinic_bridge_file.js";
+import { selectMessageTemplate } from "./types.js";
+import { fixDependencies } from "./modules/fix_dependencies.js";
+import { toInspectionData, runIntentVerification, formatVerificationForPM } from "./intent/index.js";
+import { VibecodingHelperOneLoopSelectionOutputSchema } from "../../generated/vibecoding_helper_one_loop_selection_output.js";
+import { runEntityGate } from "./entity_gate/preflight.js";
+import { updateKceDocUsage } from "./kce/doc_usage.js";
+import { kcePreflight } from "./kce/preflight.js";
+import { loadRulebook } from "./system_design/rulebook.js";
+import { runSemgrepDesignEnforcement } from "./system_design/semgrep.js";
+import { semgrepFindingsToIssues } from "./system_design/issue_mapping.js";
+/**
+ * vibe_pm.inspect_code - Code review and validation
+ *
+ * Internal mapping:
+ *   → find latest bridge (auto-wiring)
+ *   → vibecoding-helper one-loop <run_id> --output selection
+ *   → issue classification (type mapping)
+ *   → prompt_block generation (if FIX/BLOCK)
+ *   → result transform (PM language)
+ */
+export async function inspectCode(input) {
+    const basePath = process.cwd();
+    // Security: Validate input first
+    validateInspectCodeInput(input);
+    // Resolve run_id and bridge path
+    const { run_id } = resolveRunId(input.project_id, basePath);
+    const project_id = resolveProjectId(run_id, basePath);
+    const runState = readRunState(run_id, basePath);
+    const bridgePath = resolveBridgePath(input.bridge_path, run_id, basePath);
+    // Get mode for context
+    const mode = runState?.mode ?? "balanced";
+    // P3: Validate and cache the bridge file shape once (fail closed on drift).
+    let bridgeDoc = null;
+    if (bridgePath) {
+        try {
+            bridgeDoc = loadBridgeFileValidated(bridgePath);
+        }
+        catch (e) {
+            const issues = [
+                {
+                    type: "RULE_VIOLATION",
+                    business_risk: "작업 지시서 형식이 예상과 달라 안전한 검수를 진행할 수 없습니다.",
+                    plain_explanation: "작업 지시서를 다시 발행한 뒤, 다시 검수해주세요.",
+                    technical_detail: {
+                        file_path: bridgePath,
+                        rule_violated: "WORK_ORDER_FILE_SCHEMA_DRIFT"
+                    }
+                }
+            ];
+            const decisionContext = getDecisionContext(mode, runState);
+            const next_action = {
+                action_type: "CONTINUE",
+                tool: "vibe_pm.create_work_order",
+                reason: "작업 지시서를 다시 발행하세요"
+            };
+            const message_template_id = selectMessageTemplate("BLOCK", issues, true);
+            return {
+                project_id,
+                review_summary: {
+                    decision_context: decisionContext,
+                    review_result: "BLOCK",
+                    one_line_verdict: "작업 지시서를 다시 발행해야 합니다"
+                },
+                issues_found: issues,
+                next_action,
+                message_template_id
+            };
+        }
+    }
+    // v2.x: P0 Scope Enforcement (Immediate BLOCK)
+    // If Spec-High decision_guard.allow_paths expands outside AI GREEN zone, stop before engine execution.
+    if (bridgePath) {
+        const allowPaths = bridgeDoc ? extractAllowPathsFromBridge(bridgeDoc) : [];
+        const invalid = findInvalidAllowPaths(allowPaths);
+        if (invalid.length > 0) {
+            const issues = [
+                {
+                    type: "RULE_VIOLATION",
+                    business_risk: "작업 지시서의 허용 범위가 안전 작업 구역 밖으로 확장되어, 설정/시크릿/시스템 파일 훼손 위험이 있습니다.",
+                    plain_explanation: "이번 작업은 작업 범위부터 다시 정리해야 합니다. 안전 작업 구역(src/tests/lib/scripts) 밖의 범위는 허용되지 않습니다.",
+                    technical_detail: {
+                        file_path: bridgePath,
+                        rule_violated: "SCOPE_INCLUDE_OUTSIDE_SRC_BLOCK"
+                    }
+                }
+            ];
+            const decisionContext = getDecisionContext(mode, runState);
+            const next_action = {
+                action_type: "CONTINUE",
+                tool: "vibe_pm.create_work_order",
+                reason: `작업 범위를 안전 작업 구역으로 다시 제한하세요 (위반: ${invalid.join(", ")})`
+            };
+            const message_template_id = selectMessageTemplate("BLOCK", issues, true);
+            return {
+                project_id,
+                review_summary: {
+                    decision_context: decisionContext,
+                    review_result: "BLOCK",
+                    one_line_verdict: "작업 범위가 안전 구역을 벗어났습니다"
+                },
+                issues_found: issues,
+                next_action,
+                message_template_id
+            };
+        }
+    }
+    // OPA deny promotion: if policy_result says "allow=false", hard-block inspect_code (LEVEL_3).
+    const opaBlock = buildOpaPolicyBlockOutput({
+        basePath,
+        run_id,
+        project_id,
+        mode,
+        runState
+    });
+    if (opaBlock) {
+        return opaBlock;
+    }
+    // KCE preflight (mandatory): verify Evidence/KB substrate is READY before running inspection.
+    // Entity Gate runs first to fail-fast on contract drift (schema/tests/static rules).
+    try {
+        const gate = await runEntityGate({ basePath, run_id, writeEvidence: true });
+        if (gate.status !== "OK") {
+            const issues = [
+                {
+                    type: "RULE_VIOLATION",
+                    business_risk: "핵심 계약(엔티티)이 깨져 있어 안전한 검수를 진행할 수 없습니다.",
+                    plain_explanation: "계약 문서/정적 규칙/테스트 연결을 먼저 복구해야 합니다.",
+                    technical_detail: {
+                        file_path: "entities/",
+                        rule_violated: gate.errors.slice(0, 3).join("; ") || "ENTITY_GATE_FAILED"
+                    }
+                }
+            ];
+            const decisionContext = getDecisionContext(mode, runState);
+            const next_action = {
+                action_type: "DONE",
+                message: "계약 문서가 깨져 있어 검수를 진행할 수 없습니다. 먼저 계약/규칙/테스트 연결을 복구하세요."
+            };
+            const message_template_id = selectMessageTemplate("BLOCK", issues, true);
+            return {
+                project_id,
+                review_summary: {
+                    decision_context: decisionContext,
+                    review_result: "BLOCK",
+                    one_line_verdict: "계약 복구가 필요합니다"
+                },
+                issues_found: issues,
+                next_action,
+                message_template_id
+            };
+        }
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        const issues = [
+            {
+                type: "RULE_VIOLATION",
+                business_risk: "계약 검증(엔티티 게이트)을 실행할 수 없어 검수를 진행할 수 없습니다.",
+                plain_explanation: "잠시 후 다시 시도해 주세요. 문제가 반복되면 도구 상태 점검이 필요합니다.",
+                technical_detail: {
+                    file_path: "scripts/entity_gate.py",
+                    rule_violated: msg
+                }
+            }
+        ];
+        const decisionContext = getDecisionContext(mode, runState);
+        const next_action = {
+            action_type: "DONE",
+            message: "계약 검증 실행에 실패했습니다. 도구 상태 점검이 필요합니다."
+        };
+        const message_template_id = selectMessageTemplate("BLOCK", issues, true);
+        return {
+            project_id,
+            review_summary: {
+                decision_context: decisionContext,
+                review_result: "BLOCK",
+                one_line_verdict: "검수 준비가 필요합니다"
+            },
+            issues_found: issues,
+            next_action,
+            message_template_id
+        };
+    }
+    // KCE preflight (mandatory): BLOCK when the knowledge substrate is not READY.
+    // This prevents "inspect_code" from producing low-quality/low-evidence verdicts.
+    try {
+        await kcePreflight({ basePath, run_id, purpose: "inspect_code", writeEvidence: true });
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        const issues = [
+            {
+                type: "RULE_VIOLATION",
+                business_risk: "검수에 필요한 근거(지식 인덱스)가 준비되지 않아 안전한 검수를 진행할 수 없습니다.",
+                plain_explanation: "도구 상태 점검 후 다시 검수해 주세요.",
+                technical_detail: {
+                    file_path: ".vibe/kce/",
+                    rule_violated: msg
+                }
+            }
+        ];
+        const decisionContext = getDecisionContext(mode, runState);
+        const next_action = {
+            action_type: "DONE",
+            message: "검수 준비가 완료되지 않았습니다. 도구 상태 점검 후 다시 시도해 주세요."
+        };
+        const message_template_id = selectMessageTemplate("BLOCK", issues, false);
+        return {
+            project_id,
+            review_summary: {
+                decision_context: decisionContext,
+                review_result: "BLOCK",
+                one_line_verdict: "검수 준비가 필요합니다"
+            },
+            issues_found: issues,
+            next_action,
+            message_template_id
+        };
+    }
+    // Security: Validate and normalize target paths
+    let validatedTargetPaths;
+    if (input.target_paths && input.target_paths.length > 0) {
+        // Get do_not_touch patterns from bridge (if available)
+        const doNotTouchPatterns = bridgeDoc ? extractDoNotTouchPatternsFromBridge(bridgeDoc) : [];
+        // Validate paths against security policies
+        validatedTargetPaths = preExecutionCheck(input.target_paths, doNotTouchPatterns, basePath);
+    }
+    // Build command arguments
+    const args = ["one-loop", run_id, "--output", "selection"];
+    if (bridgePath) {
+        args.push("--bridge", bridgePath);
+    }
+    // Use validated paths instead of raw input
+    if (validatedTargetPaths && validatedTargetPaths.length > 0) {
+        args.push("--paths", validatedTargetPaths.join(","));
+    }
+    if (input.mode === "quick") {
+        args.push("--quick");
+    }
+    // Run one-loop validation
+    const { code, stdout, stderr } = await runEngine("vibecoding-helper", args, {
+        timeoutMs: 180_000
+    });
+    // Parse result
+    const parsed = safeJsonParse(stdout);
+    if (!parsed.ok) {
+        // If parsing fails, treat as unknown error
+        return createErrorOutput(project_id, mode, "검수 결과를 파싱할 수 없습니다", stderr);
+    }
+    const validated = VibecodingHelperOneLoopSelectionOutputSchema.safeParse(parsed.value);
+    if (!validated.success) {
+        return createErrorOutput(project_id, mode, "검수 결과 형식이 예상과 다릅니다", stderr);
+    }
+    let result = validated.data;
+    // Determine review status from signal
+    const signalLevel = result.signal_level ?? result.signal ?? "LEVEL_1";
+    let { result: reviewResult, verdict } = signalToReview(signalLevel);
+    // Collect and transform issues
+    let issues = transformIssues(result);
+    // P2: False Positive recheck loop (BLOCK only, non-critical)
+    // If the first run is BLOCK but contains no hard safety issues, re-run once to confirm.
+    // - quick → thorough escalation
+    // - thorough → one additional confirmation run
+    if (reviewResult === "BLOCK" &&
+        !issues.some((i) => i.type === "RULE_VIOLATION" || i.type === "RISK_SPIKE")) {
+        const recheckArgs = input.mode === "quick" ? args.filter((a) => a !== "--quick") : args;
+        try {
+            const recheck = await runEngine("vibecoding-helper", recheckArgs, { timeoutMs: 180_000 });
+            const reParsed = safeJsonParse(recheck.stdout);
+            if (reParsed.ok) {
+                const reValidated = VibecodingHelperOneLoopSelectionOutputSchema.safeParse(reParsed.value);
+                if (!reValidated.success) {
+                    throw new Error("recheck_output_schema_invalid");
+                }
+                const reResult = reValidated.data;
+                const reSignalLevel = reResult.signal_level ?? reResult.signal ?? "LEVEL_1";
+                const reMapped = signalToReview(reSignalLevel);
+                const reIssues = transformIssues(reResult);
+                // Never soften if the recheck still reports critical issues.
+                const reHasHardIssues = reIssues.some((i) => i.type === "RULE_VIOLATION" || i.type === "RISK_SPIKE");
+                // If recheck is less severe, accept it.
+                if (!reHasHardIssues && reMapped.result !== "BLOCK") {
+                    result = reResult;
+                    reviewResult = reMapped.result;
+                    verdict = `${reMapped.verdict} (재검증 완료)`;
+                    issues = reIssues;
+                }
+            }
+        }
+        catch {
+            // Recheck is best-effort; keep original result on any failure.
+        }
+    }
+    // Get decision context
+    const decisionContext = getDecisionContext(mode, runState);
+    const modifiedFiles = collectModifiedFiles(result);
+    // Evidence (best-effort): record doc usage for deterministic recency signals.
+    try {
+        const touchedDocs = modifiedFiles
+            .map((p) => (typeof p === "string" ? p : ""))
+            .map((p) => p.replace(/\\\\/g, "/"))
+            .filter((p) => p.endsWith(".md") || p.endsWith(".mdx"));
+        const referencedEntities = modifiedFiles
+            .map((p) => (typeof p === "string" ? p : ""))
+            .map((p) => p.replace(/\\\\/g, "/"))
+            .filter((p) => p.startsWith("entities/") && p.endsWith(".entity.json"))
+            .map((p) => path.basename(p, ".entity.json"))
+            .filter(Boolean);
+        updateKceDocUsage({ basePath, run_id, touched_docs: touchedDocs, referenced_entities: referencedEntities });
+    }
+    catch {
+        // ignore
+    }
+    // Design Enforcement (best-effort): Semgrep findings -> issues_found (mapped via rulebook).
+    try {
+        const { rulebook } = loadRulebook(basePath);
+        const semgrepTargets = computeSemgrepTargets({ basePath, modifiedFiles, validatedTargetPaths });
+        const semgrep = await runSemgrepDesignEnforcement({ basePath, run_id, targets: semgrepTargets, timeoutMs: 60_000 });
+        if (semgrep.status === "OK" && semgrep.findings.length > 0) {
+            const mapped = semgrepFindingsToIssues({
+                findings: semgrep.findings,
+                rulebook,
+                evidence_ref: semgrep.evidence_ref
+            });
+            issues = [...issues, ...mapped.issues];
+            // Only tighten GO -> FIX when Semgrep reports ERROR/CRITICAL findings.
+            if (reviewResult === "GO" && mapped.error_count > 0) {
+                reviewResult = "FIX";
+                verdict = `${verdict} (설계 규칙 위반 ${mapped.error_count}건)`;
+            }
+        }
+        else if (semgrep.status === "ERROR") {
+            // Keep the workflow moving: do not downgrade; just annotate the verdict.
+            verdict = `${verdict} (설계 규칙 검사를 실행할 수 없습니다)`;
+        }
+    }
+    catch {
+        // ignore (best-effort)
+    }
+    // Run Intent-based verification (if intent document exists)
+    let intentCheck;
+    try {
+        const runsDir = getRunsDir(basePath);
+        const inspectionData = toInspectionData({
+            status: result.status,
+            issues: result.issues?.map((i) => ({
+                type: i.type ?? i.issue_type ?? "unknown",
+                message: i.message ?? i.description ?? "",
+                business_risk: i.business_risk
+            })),
+            modified_files: modifiedFiles,
+            features: result.features ?? []
+        });
+        const intentResult = await runIntentVerification(runsDir, run_id, inspectionData);
+        if (intentResult) {
+            intentCheck = formatVerificationForPM(intentResult).intent_check;
+            // Downgrade review result if intent verification fails
+            if (intentCheck.status === "FAIL" && reviewResult === "GO") {
+                reviewResult = "FIX";
+                verdict = `Intent 검증 실패: ${intentCheck.summary}`;
+            }
+            else if (intentCheck.status === "WARN" && reviewResult === "GO") {
+                verdict = `${verdict} (Intent 주의: ${intentCheck.summary})`;
+            }
+        }
+    }
+    catch {
+        // Intent verification is optional - continue if it fails
+    }
+    // Auto-fix logic (if enabled)
+    let fixedIssues;
+    if (input.auto_fix !== false) {
+        try {
+            const fixResult = await fixDependencies(basePath);
+            if (fixResult.fixed.length > 0) {
+                fixedIssues = fixResult.fixed;
+                // If we fixed issues and no critical issues remain, upgrade review result
+                const hasCriticalIssues = issues.some((i) => i.type === "RULE_VIOLATION" || i.type === "RISK_SPIKE");
+                if (!hasCriticalIssues && reviewResult === "FIX") {
+                    // Re-evaluate: if only dependency issues were found and we fixed them, GO
+                    const onlyDependencyIssues = issues.every((i) => i.type === "VERIFY_FAIL" && i.plain_explanation.includes("의존성"));
+                    if (onlyDependencyIssues) {
+                        reviewResult = "GO";
+                        verdict = `자동 수정 완료: ${fixResult.fixed.length}개 의존성 문제 해결`;
+                    }
+                    else {
+                        verdict = `${verdict} (${fixResult.fixed.length}개 의존성 자동 수정됨)`;
+                    }
+                }
+            }
+        }
+        catch {
+            // Auto-fix is optional - continue if it fails
+        }
+    }
+    // Determine next action based on review result
+    const nextAction = determineNextAction(reviewResult, issues, project_id, mode);
+    // P14: Determine message template ID using SSOT rules
+    const hasNextWorkOrder = nextAction.action_type === "CONTINUE";
+    const message_template_id = selectMessageTemplate(reviewResult, issues, hasNextWorkOrder);
+    // Build output with optional intent check
+    const output = {
+        project_id,
+        review_summary: {
+            decision_context: decisionContext,
+            review_result: reviewResult,
+            one_line_verdict: verdict
+        },
+        issues_found: issues,
+        fixed_issues: fixedIssues,
+        next_action: nextAction,
+        message_template_id
+    };
+    invalidateEngineCache(new RegExp(escapeRegExp(run_id)));
+    invalidateStateCache(run_id, basePath);
+    return output;
+}
+function buildOpaPolicyBlockOutput(args) {
+    const evidence = readOpaPolicyResult(args.basePath, args.run_id);
+    if (!evidence)
+        return null;
+    const allow = evidence.result.allow;
+    if (allow === true)
+        return null;
+    const classification = classifyOpaPolicyResult(evidence.result);
+    const decisionContext = getDecisionContext(args.mode, args.runState);
+    const issue = {
+        type: "RULE_VIOLATION",
+        business_risk: classification.business_risk,
+        plain_explanation: classification.plain_explanation,
+        technical_detail: {
+            file_path: "policy/vibepm/run_app.rego",
+            rule_violated: classification.rule_violated,
+            evidence_ref: evidence.evidence_path
+        }
+    };
+    return {
+        project_id: args.project_id,
+        review_summary: {
+            decision_context: decisionContext,
+            review_result: "BLOCK",
+            one_line_verdict: classification.one_line_verdict
+        },
+        issues_found: [issue],
+        next_action: {
+            action_type: "DONE",
+            message: classification.next_action_message
+        },
+        message_template_id: "BLOCK-02"
+    };
+}
+function readOpaPolicyResult(basePath, run_id) {
+    const resolved = resolveRunDir(run_id, basePath);
+    if (!resolved)
+        return null;
+    const evidencePath = path.join(resolved.run_dir, "security", "policy_result.json");
+    if (!fs.existsSync(evidencePath))
+        return null;
+    try {
+        const raw = JSON.parse(fs.readFileSync(evidencePath, "utf-8"));
+        if (!raw || typeof raw !== "object")
+            return null;
+        const reasons = Array.isArray(raw.reasons)
+            ? raw.reasons.filter((r) => typeof r === "string")
+            : [];
+        const matched_rules = Array.isArray(raw.matched_rules)
+            ? raw.matched_rules.filter((r) => typeof r === "string")
+            : [];
+        const result = {
+            allow: typeof raw.allow === "boolean" ? raw.allow : undefined,
+            reasons,
+            matched_rules
+        };
+        return { result, evidence_path: evidencePath };
+    }
+    catch {
+        return null;
+    }
+}
+function classifyOpaPolicyResult(result) {
+    const reasons = (result.reasons ?? []).join(" ").toLowerCase();
+    const matched = (result.matched_rules ?? []).join(" ").toLowerCase();
+    const corpus = `${reasons} ${matched}`.trim();
+    if (corpus.includes("eval_failed") ||
+        corpus.includes("opa_eval_failed") ||
+        corpus.includes("opa exception") ||
+        corpus.includes("opa_exception") ||
+        corpus.includes("eval failed")) {
+        return {
+            rule_violated: "OPA_POLICY_EVAL_FAILED",
+            one_line_verdict: "OPA 평가에 실패하여 안전을 위해 차단했습니다(기본 차단).",
+            business_risk: "정책 평가가 실패한 상태에서 실행을 허용하면 통제 불능 상태가 됩니다.",
+            plain_explanation: "정책 엔진(OPA) 실행/파싱/타임아웃 문제로 정책 판단을 할 수 없어 기본 차단했습니다.",
+            next_action_message: "OPA 설치/정책 파일/실행 환경을 확인한 뒤 다시 시도하세요."
+        };
+    }
+    if (corpus.includes("opa_missing") ||
+        corpus.includes("opa not found") ||
+        corpus.includes("not found") ||
+        corpus.includes("missing")) {
+        return {
+            rule_violated: "OPA_POLICY_MISSING",
+            one_line_verdict: "OPA가 설치되어 있지 않아 안전을 위해 차단했습니다(기본 차단).",
+            business_risk: "정책 엔진이 없으면 실행 통제가 불가능해져 보안 경계가 무너질 수 있습니다.",
+            plain_explanation: "OPA 바이너리가 없어 정책 판단을 할 수 없어 기본 차단했습니다.",
+            next_action_message: "OPA 설치 후 다시 시도하세요."
+        };
+    }
+    return {
+        rule_violated: "OPA_POLICY_DENY_RUN_APP",
+        one_line_verdict: "정책(OPA)에서 실행이 차단되었습니다. 허용된 커맨드/경로만 사용하세요.",
+        business_risk: "로컬 실행(run_app)이 정책 위반으로 이어지면 임의 커맨드 실행/RCE 및 보호 영역 오염 가능성이 있습니다.",
+        plain_explanation: "보안 정책이 허용하지 않은 커맨드 또는 경로 접근이 감지되어 실행을 차단했습니다.",
+        next_action_message: "OPA 정책을 만족하도록 command/paths를 수정한 뒤 다시 시도하세요."
+    };
+}
+function computeSemgrepTargets(args) {
+    const out = new Set();
+    const candidates = [...(args.validatedTargetPaths ?? []), ...(args.modifiedFiles ?? [])];
+    const allowedPrefixes = ["vibecoding_helper/", "adapters/mcp-ts/src/"];
+    const allowedExt = new Set([".py", ".ts", ".tsx", ".js", ".jsx"]);
+    for (const raw of candidates) {
+        if (typeof raw !== "string")
+            continue;
+        let p = raw.replace(/\\\\/g, "/").trim();
+        if (!p)
+            continue;
+        if (path.isAbsolute(p)) {
+            p = path.relative(args.basePath, p).replace(/\\\\/g, "/");
+        }
+        if (!p || p.startsWith(".."))
+            continue;
+        if (!allowedPrefixes.some((pref) => p === pref.slice(0, -1) || p.startsWith(pref)))
+            continue;
+        const ext = path.extname(p).toLowerCase();
+        if (!allowedExt.has(ext))
+            continue;
+        const abs = path.join(args.basePath, p);
+        try {
+            if (fs.existsSync(abs) && fs.statSync(abs).isFile()) {
+                out.add(p);
+            }
+        }
+        catch {
+            // ignore
+        }
+    }
+    return Array.from(out.values()).slice(0, 200);
+}
+/**
+ * Transform internal issues to user-facing format
+ */
+function transformIssues(result) {
+    const issues = [];
+    // Transform direct issues
+    if (result.issues) {
+        for (const issue of result.issues) {
+            const type = mapIssueType(issue.type ?? issue.issue_type ?? "unknown");
+            const { name, description } = formatIssueType(type);
+            issues.push({
+                type,
+                business_risk: issue.business_risk ?? description,
+                plain_explanation: issue.message ?? issue.description ?? name,
+                technical_detail: issue.file_path
+                    ? {
+                        file_path: issue.file_path,
+                        line_range: issue.line_range,
+                        rule_violated: issue.rule_violated
+                    }
+                    : undefined
+            });
+        }
+    }
+    // Transform verification failures
+    if (result.verification_results) {
+        for (const vr of result.verification_results) {
+            if (!vr.passed) {
+                issues.push({
+                    type: "VERIFY_FAIL",
+                    business_risk: `검증 기준 "${vr.criterion}"을(를) 충족하지 못했습니다`,
+                    plain_explanation: vr.message ?? "검증에 실패했습니다"
+                });
+            }
+        }
+    }
+    // Transform scope violations
+    if (result.scope_violations) {
+        for (const sv of result.scope_violations) {
+            issues.push({
+                type: "SCOPE_MISMATCH",
+                business_risk: "이번 작업 범위를 벗어난 변경이 있습니다",
+                plain_explanation: sv.description ?? "범위 이탈",
+                technical_detail: sv.file_path
+                    ? {
+                        file_path: sv.file_path
+                    }
+                    : undefined
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Map internal issue type to standardized type
+ */
+function mapIssueType(rawType) {
+    const normalized = rawType.toLowerCase().replace(/[^a-z_]/g, "");
+    if (normalized.includes("rule") || normalized.includes("violation") || normalized.includes("constraint")) {
+        return "RULE_VIOLATION";
+    }
+    if (normalized.includes("verify") || normalized.includes("acceptance") || normalized.includes("criteria")) {
+        return "VERIFY_FAIL";
+    }
+    if (normalized.includes("scope") || normalized.includes("out_of") || normalized.includes("boundary")) {
+        return "SCOPE_MISMATCH";
+    }
+    if (normalized.includes("risk") || normalized.includes("security") || normalized.includes("danger")) {
+        return "RISK_SPIKE";
+    }
+    return "VERIFY_FAIL"; // Default
+}
+/**
+ * Generate decision context message
+ */
+function getDecisionContext(mode, runState) {
+    const modeDisplay = formatMode(mode);
+    if (runState?.decisions_made && runState.decisions_made > 0) {
+        return `${modeDisplay}로 진행 중 (결재 ${runState.decisions_made}건 완료)`;
+    }
+    return `${modeDisplay}로 결정하셨습니다`;
+}
+/**
+ * Determine next action based on review result
+ */
+function determineNextAction(reviewResult, issues, projectId, mode) {
+    if (reviewResult === "GO") {
+        return {
+            action_type: "DONE",
+            message: "구현이 완료되었습니다. 다음 단계로 진행하세요."
+        };
+    }
+    if (reviewResult === "FIX" || reviewResult === "BLOCK") {
+        // Generate repair prompt
+        const mainIssue = issues[0];
+        const promptBlock = generateRepairPrompt({
+            projectName: projectId,
+            mode,
+            problem: mainIssue?.plain_explanation ?? "문제가 발견되었습니다",
+            cause: mainIssue?.business_risk ?? "원인을 파악 중입니다",
+            fixDirection: issues.map((i) => i.plain_explanation),
+            verifyCriteria: issues
+                .filter((i) => i.type === "VERIFY_FAIL")
+                .map((i) => i.plain_explanation.replace(/실패|미충족/g, "충족"))
+        });
+        return {
+            action_type: "COPY_PASTE_TO_AGENT",
+            label: reviewResult === "FIX"
+                ? "수정이 필요합니다. 아래 내용을 AI에게 전달하세요"
+                : "심각한 문제가 있습니다. 아래 내용을 AI에게 전달하세요",
+            prompt_block: promptBlock
+        };
+    }
+    // Fallback
+    return {
+        action_type: "CONTINUE",
+        tool: "vibe_pm.create_work_order",
+        reason: "다음 작업 지시서를 받으세요"
+    };
+}
+function loadBridgeFileValidated(bridgePath) {
+    const content = fs.readFileSync(bridgePath, "utf-8");
+    const raw = parseBridgeData(content, bridgePath);
+    const validated = ClinicBridgeFileSchema.safeParse(raw);
+    if (!validated.success) {
+        throw new Error("작업 지시서 원본 파일 형식이 예상과 다릅니다. 업데이트 후 다시 시도해주세요.");
+    }
+    return validated.data;
+}
+function extractDoNotTouchPatternsFromBridge(bridgeDoc) {
+    const data = bridgeDoc;
+    const dg = data?.decision_guard;
+    if (Array.isArray(dg?.read_only_paths)) {
+        return dg.read_only_paths.filter((item) => typeof item === "string");
+    }
+    const legacy = data?.do_not_touch;
+    if (Array.isArray(legacy)) {
+        return legacy.filter((item) => typeof item === "string");
+    }
+    return [];
+}
+function extractAllowPathsFromBridge(bridgeDoc) {
+    const data = bridgeDoc;
+    const dg = data?.decision_guard;
+    if (Array.isArray(dg?.allow_paths)) {
+        return dg.allow_paths
+            .filter((item) => typeof item === "string")
+            .map((s) => normalizeAllowPath(s));
+    }
+    const scope = data?.scope;
+    if (scope && typeof scope === "object") {
+        const include = scope.include;
+        if (Array.isArray(include)) {
+            return include
+                .filter((item) => typeof item === "string")
+                .map((s) => normalizeAllowPath(s));
+        }
+    }
+    return [];
+}
+function normalizeAllowPath(value) {
+    let v = (value ?? "").trim().replace(/\\/g, "/");
+    if (v.startsWith("./"))
+        v = v.slice(2);
+    return v;
+}
+function findInvalidAllowPaths(allowPaths) {
+    if (!Array.isArray(allowPaths) || allowPaths.length === 0)
+        return [];
+    const allowedPrefixes = new Set(PATH_ZONES.GREEN.map((p) => {
+        const norm = normalizeAllowPath(p);
+        const idx = norm.indexOf("**");
+        const base = idx >= 0 ? norm.slice(0, idx) : norm;
+        return base.endsWith("/") ? base : base + "/";
+    }));
+    const out = [];
+    for (const raw of allowPaths) {
+        const p = normalizeAllowPath(raw);
+        if (!p)
+            continue;
+        // Minimal path traversal / absolute-path guard
+        if (p.includes("..") || /^[A-Za-z]:[\\/]/.test(p) || p.startsWith("/") || p.startsWith("\\\\")) {
+            out.push(p);
+            continue;
+        }
+        let ok = false;
+        for (const prefix of allowedPrefixes) {
+            if (p === prefix.slice(0, -1) || p.startsWith(prefix)) {
+                ok = true;
+                break;
+            }
+        }
+        if (!ok)
+            out.push(p);
+    }
+    return out;
+}
+function parseBridgeData(content, bridgePath) {
+    if (bridgePath.endsWith(".json")) {
+        return JSON.parse(content);
+    }
+    return parseYaml(content);
+}
+function collectModifiedFiles(result) {
+    const files = new Set();
+    if (Array.isArray(result.modified_files)) {
+        for (const file of result.modified_files) {
+            if (typeof file === "string" && file.length > 0) {
+                files.add(file);
+            }
+        }
+    }
+    if (result.scope_violations) {
+        for (const violation of result.scope_violations) {
+            if (typeof violation.file_path === "string" && violation.file_path.length > 0) {
+                files.add(violation.file_path);
+            }
+        }
+    }
+    if (result.issues) {
+        for (const issue of result.issues) {
+            if (typeof issue.file_path === "string" && issue.file_path.length > 0) {
+                files.add(issue.file_path);
+            }
+        }
+    }
+    return Array.from(files);
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Create error output for parsing/execution failures
+ */
+function createErrorOutput(projectId, mode, errorMessage, stderr) {
+    const issues = [
+        {
+            type: "RISK_SPIKE",
+            business_risk: "검수를 완료할 수 없습니다",
+            plain_explanation: errorMessage,
+            technical_detail: stderr
+                ? {
+                    file_path: "system",
+                    rule_violated: stderr.slice(0, 200)
+                }
+                : undefined
+        }
+    ];
+    // P14: Error output uses BLOCK-01 (RISK_SPIKE triggers BLOCK-01)
+    const message_template_id = selectMessageTemplate("BLOCK", issues, false);
+    return {
+        project_id: projectId,
+        review_summary: {
+            decision_context: formatMode(mode),
+            review_result: "BLOCK",
+            one_line_verdict: "검수 중 오류가 발생했습니다"
+        },
+        issues_found: issues,
+        next_action: {
+            action_type: "ASK_DECISION",
+            tool: "vibe_pm.get_decision",
+            reason: "검수 오류로 인해 추가 결정이 필요합니다"
+        },
+        message_template_id
+    };
+}