@vibecodetown/mcp-server 2.1.0

package/build/local-mode/templates.js

@@ -0,0 +1,856 @@
+export const VALIDATE_SH_TEMPLATE = `#!/usr/bin/env bash
+#
+# Vibe PM Validation Library (SSOT)
+# Hooks/CLI/CI call validate_changes().
+#
+
+set -e
+
+# =============================================================================
+# Repo Root (be resilient to hook cwd)
+# =============================================================================
+
+REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+cd "$REPO_ROOT" || exit 1
+
+# =============================================================================
+# Config
+# =============================================================================
+
+VIBE_DIR=".vibe"
+CONFIG_FILE="$VIBE_DIR/config.json"
+STATE_DIR="$VIBE_DIR/state"
+WORK_ORDER_FILE="$STATE_DIR/current_work_order.json"
+STALE_HOURS=24
+OUTPUT_FORMAT="\${VIBE_OUTPUT_FORMAT:-text}"
+
+# =============================================================================
+# Colors
+# =============================================================================
+
+RED='\\033[0;31m'
+YELLOW='\\033[1;33m'
+GREEN='\\033[0;32m'
+NC='\\033[0m'
+
+# =============================================================================
+# Logging
+# =============================================================================
+
+log_info()  { echo -e "\${GREEN}[VIBE]\${NC} $1"; }
+log_warn()  { echo -e "\${YELLOW}[VIBE WARN]\${NC} $1"; }
+log_error() { echo -e "\${RED}[VIBE BLOCK]\${NC} $1"; }
+
+# =============================================================================
+# JSON Helpers (jq optional)
+# =============================================================================
+
+json_get() {
+  local file="$1"
+  local key_path="$2"
+  local default="$3"
+
+  if [ ! -f "$file" ]; then
+    echo "$default"
+    return 0
+  fi
+
+  if command -v jq &> /dev/null; then
+    local value
+    value="$(jq -r "$key_path // empty" "$file" 2>/dev/null || true)"
+    if [ -n "$value" ] && [ "$value" != "null" ]; then
+      echo "$value"
+    else
+      echo "$default"
+    fi
+    return 0
+  fi
+
+  node - <<'NODE' "$file" "$key_path" "$default" 2>/dev/null || echo "$default"
+const fs = require("fs");
+const file = process.argv[2];
+const keyPath = (process.argv[3] || "").replace(/^\\./, "");
+const defaultValue = process.argv[4] ?? "";
+let doc;
+try { doc = JSON.parse(fs.readFileSync(file, "utf8")); } catch { process.stdout.write(defaultValue); process.exit(0); }
+let cur = doc;
+for (const part of keyPath.split(".").filter(Boolean)) {
+  if (cur && typeof cur === "object" && Object.prototype.hasOwnProperty.call(cur, part)) cur = cur[part];
+  else { cur = undefined; break; }
+}
+if (cur === undefined || cur === null || cur === "") { process.stdout.write(defaultValue); process.exit(0); }
+process.stdout.write(String(cur));
+NODE
+}
+
+json_get_array() {
+  local file="$1"
+  local key_path="$2"
+
+  if [ ! -f "$file" ]; then
+    return 0
+  fi
+
+  if command -v jq &> /dev/null; then
+    jq -r "$key_path[]? // empty" "$file" 2>/dev/null || true
+    return 0
+  fi
+
+  node - <<'NODE' "$file" "$key_path" 2>/dev/null || true
+const fs = require("fs");
+const file = process.argv[2];
+const keyPath = (process.argv[3] || "").replace(/^\\./, "");
+let doc;
+try { doc = JSON.parse(fs.readFileSync(file, "utf8")); } catch { process.exit(0); }
+let cur = doc;
+for (const part of keyPath.split(".").filter(Boolean)) {
+  if (cur && typeof cur === "object" && Object.prototype.hasOwnProperty.call(cur, part)) cur = cur[part];
+  else { cur = undefined; break; }
+}
+if (!Array.isArray(cur)) process.exit(0);
+for (const item of cur) {
+  if (typeof item === "string" && item.length) console.log(item);
+}
+NODE
+}
+
+get_config() {
+  local key_path="$1"
+  local default="$2"
+  json_get "$CONFIG_FILE" "$key_path" "$default"
+}
+
+get_config_array() {
+  local key_path="$1"
+  json_get_array "$CONFIG_FILE" "$key_path"
+}
+
+# =============================================================================
+# Zone Matching (git pathspec)
+# =============================================================================
+
+matches_pathspec() {
+  local file="$1"
+  local pattern="$2"
+
+  local ps="$pattern"
+  if [[ "$pattern" != ":(glob)"* && "$pattern" != ":(icase)"* && "$pattern" != ":(exclude)"* ]]; then
+    ps=":(glob)$pattern"
+  fi
+
+  if git ls-files --cached --others --exclude-standard --full-name -- "$ps" 2>/dev/null | grep -Fxq "$file"; then
+    return 0
+  fi
+
+  return 1
+}
+
+get_file_zone() {
+  local file="$1"
+
+  local black_patterns="$(get_config_array ".policy.safety_zones.black")"
+  local green_patterns="$(get_config_array ".policy.safety_zones.green")"
+  local yellow_patterns="$(get_config_array ".policy.safety_zones.yellow")"
+  local red_patterns="$(get_config_array ".policy.safety_zones.red")"
+
+  if [ -z "$black_patterns$green_patterns$yellow_patterns$red_patterns" ]; then
+    black_patterns=$'.vibe/state/**\\n.vibe/decisions/**\\n.vibe/chroma/**\\n.git/**'
+    green_patterns=$'src/**\\ntests/**\\nlib/**\\nscripts/**'
+    yellow_patterns=$'docs/**\\nREADME.md\\n*.md'
+    red_patterns=$'config/**\\n.env\\n.env.*\\nsecrets/**\\ncredentials.*\\n*.pem\\n*.key'
+  fi
+
+  for pattern in $black_patterns; do
+    if matches_pathspec "$file" "$pattern"; then
+      echo "black"
+      return 0
+    fi
+  done
+
+  for pattern in $red_patterns; do
+    if matches_pathspec "$file" "$pattern"; then
+      echo "red"
+      return 0
+    fi
+  done
+
+  for pattern in $yellow_patterns; do
+    if matches_pathspec "$file" "$pattern"; then
+      echo "yellow"
+      return 0
+    fi
+  done
+
+  for pattern in $green_patterns; do
+    if matches_pathspec "$file" "$pattern"; then
+      echo "green"
+      return 0
+    fi
+  done
+
+  echo "unspecified"
+}
+
+# =============================================================================
+# Work Order Validation
+# =============================================================================
+
+has_work_order() {
+  [ -f "$WORK_ORDER_FILE" ]
+}
+
+is_work_order_stale() {
+  if ! has_work_order; then
+    return 1
+  fi
+
+  local threshold
+  threshold="$(get_config ".policy.stale_hours" "24")"
+  if ! [[ "$threshold" =~ ^[0-9]+$ ]]; then
+    threshold=24
+  fi
+
+  local created_at
+  created_at="$(json_get "$WORK_ORDER_FILE" ".created_at" "")"
+  if [ -z "$created_at" ]; then
+    return 1
+  fi
+
+  local created_epoch
+  created_epoch="$(node -e 'const d=new Date(process.argv[1]); const n=Number.isFinite(d.getTime())?Math.floor(d.getTime()/1000):0; process.stdout.write(String(n));' "$created_at" 2>/dev/null || echo "0")"
+  if [ "$created_epoch" -le 0 ]; then
+    return 1
+  fi
+
+  local now_epoch
+  now_epoch="$(node -e 'process.stdout.write(String(Math.floor(Date.now()/1000)));')"
+
+  local diff_hours=$(( (now_epoch - created_epoch) / 3600 ))
+  [ "$diff_hours" -ge "$threshold" ]
+}
+
+check_do_not_touch() {
+  local file="$1"
+  if ! has_work_order; then
+    return 1
+  fi
+
+  local patterns
+  patterns="$(json_get_array "$WORK_ORDER_FILE" ".do_not_touch")"
+  for pattern in $patterns; do
+    if matches_pathspec "$file" "$pattern"; then
+      return 0
+    fi
+  done
+
+  return 1
+}
+
+check_scope_violation() {
+  local file="$1"
+  if ! has_work_order; then
+    return 1
+  fi
+
+  local excludes
+  excludes="$(json_get_array "$WORK_ORDER_FILE" ".scope.exclude")"
+  for pattern in $excludes; do
+    if matches_pathspec "$file" "$pattern"; then
+      return 0
+    fi
+  done
+
+  local includes
+  includes="$(json_get_array "$WORK_ORDER_FILE" ".scope.include")"
+  if [ -z "$includes" ]; then
+    return 1
+  fi
+
+  for pattern in $includes; do
+    if matches_pathspec "$file" "$pattern"; then
+      return 1
+    fi
+  done
+
+  return 0
+}
+
+# =============================================================================
+# Main Validation Function
+# =============================================================================
+
+# JSON output (machine readable)
+emit_validation_json() {
+  local exit_code="$1"; shift
+  local enforcement="$1"; shift
+  local no_ticket_no_work="$1"; shift
+  local stale_hours="$1"; shift
+  local has_work_order_val="$1"; shift
+  local work_order_stale_val="$1"; shift
+  local green_list="$1"; shift
+  local yellow_list="$1"; shift
+  local red_list="$1"; shift
+  local black_list="$1"; shift
+  local do_not_touch_list="$1"; shift
+  local scope_violation_list="$1"; shift
+  local changed_list="$1"; shift
+
+  VIBE_EXIT_CODE="$exit_code" \
+  VIBE_ENFORCEMENT="$enforcement" \
+  VIBE_NO_TICKET_NO_WORK="$no_ticket_no_work" \
+  VIBE_STALE_HOURS="$stale_hours" \
+  VIBE_HAS_WORK_ORDER="$has_work_order_val" \
+  VIBE_WORK_ORDER_STALE="$work_order_stale_val" \
+  VIBE_CHANGED_FILES="$changed_list" \
+  VIBE_GREEN_FILES="$green_list" \
+  VIBE_YELLOW_FILES="$yellow_list" \
+  VIBE_RED_FILES="$red_list" \
+  VIBE_BLACK_FILES="$black_list" \
+  VIBE_DO_NOT_TOUCH_FILES="$do_not_touch_list" \
+  VIBE_SCOPE_VIOLATION_FILES="$scope_violation_list" \
+  node - <<'NODE'
+const env = process.env;
+const nl = String.fromCharCode(10);
+const bs = String.fromCharCode(92);
+const bsN = bs + "n";
+
+const normalize = (v) => String(v ?? "").split(bsN).join(nl);
+const list = (name) =>
+  normalize(env[name] ?? "")
+    .split(nl)
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+const exitCode = parseInt(env.VIBE_EXIT_CODE || "0", 10);
+const status = exitCode === 0 ? "PASS" : exitCode === 1 ? "WARN" : "BLOCK";
+const staleHours = parseInt(env.VIBE_STALE_HOURS || "24", 10);
+
+const out = {
+  format_version: 1,
+  status,
+  exit_code: exitCode,
+  policy: {
+    enforcement: env.VIBE_ENFORCEMENT || "warn",
+    no_ticket_no_work: env.VIBE_NO_TICKET_NO_WORK === "true",
+    stale_hours: Number.isFinite(staleHours) ? staleHours : 24,
+  },
+  has_work_order: env.VIBE_HAS_WORK_ORDER === "true",
+  work_order_stale: env.VIBE_WORK_ORDER_STALE === "true",
+  files: {
+    changed: list("VIBE_CHANGED_FILES"),
+    green: list("VIBE_GREEN_FILES"),
+    yellow: list("VIBE_YELLOW_FILES"),
+    red: list("VIBE_RED_FILES"),
+    black: list("VIBE_BLACK_FILES"),
+    do_not_touch: list("VIBE_DO_NOT_TOUCH_FILES"),
+    scope_violation: list("VIBE_SCOPE_VIOLATION_FILES"),
+  },
+};
+
+process.stdout.write(JSON.stringify(out, null, 2));
+NODE
+}
+
+# Exit codes: 0=pass, 1=warn, 2=block
+validate_changes() {
+  local changed_files="$1"
+
+  local enforcement
+  enforcement="$(get_config ".policy.enforcement" "warn")"
+
+  local has_warning=false
+  local has_block=false
+
+  local green_files=""
+  local yellow_files=""
+  local red_files=""
+  local black_files=""
+  local do_not_touch_files=""
+  local scope_violation_files=""
+
+  local green_list=""
+  local yellow_list=""
+  local red_list=""
+  local black_list=""
+  local do_not_touch_list=""
+  local scope_violation_list=""
+
+  local no_ticket_no_work
+  no_ticket_no_work="$(get_config ".policy.no_ticket_no_work" "true")"
+
+  while IFS= read -r file; do
+    if [ -z "$file" ]; then
+      continue
+    fi
+
+    # 1) do_not_touch (always BLOCK when present)
+    if check_do_not_touch "$file"; then
+      do_not_touch_files="$do_not_touch_files\\n  - $file"
+      do_not_touch_list="$do_not_touch_list\\n$file"
+      has_block=true
+      continue
+    fi
+
+    # 2) scope violation (warn/block per enforcement)
+    if check_scope_violation "$file"; then
+      scope_violation_files="$scope_violation_files\\n  - $file"
+      scope_violation_list="$scope_violation_list\\n$file"
+      has_warning=true
+    fi
+
+    # 3) zone checks
+    local zone
+    zone="$(get_file_zone "$file")"
+    case "$zone" in
+      black)
+        black_files="$black_files\\n  - $file"
+        black_list="$black_list\\n$file"
+        has_block=true
+        ;;
+      green)
+        green_files="$green_files\\n  - $file"
+        green_list="$green_list\\n$file"
+        ;;
+      red)
+        red_files="$red_files\\n  - $file"
+        red_list="$red_list\\n$file"
+        if [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+          has_block=true
+        fi
+        ;;
+      yellow|unspecified)
+        yellow_files="$yellow_files\\n  - $file"
+        yellow_list="$yellow_list\\n$file"
+        if [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+          has_warning=true
+        fi
+        ;;
+    esac
+  done <<< "$changed_files"
+
+  local exit_code=0
+
+  if [ -n "$black_files" ]; then
+    exit_code=2
+  fi
+
+  if [ -n "$do_not_touch_files" ]; then
+    exit_code=2
+  fi
+
+  if [ -n "$red_files" ] && [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+    exit_code=2
+  fi
+
+  if [ -n "$scope_violation_files" ]; then
+    if [ "$enforcement" = "block" ]; then
+      exit_code=2
+    elif [ "$exit_code" -lt 1 ]; then
+      exit_code=1
+    fi
+  fi
+
+  if [ -n "$yellow_files" ] && [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+    if [ "$enforcement" = "block" ]; then
+      exit_code=2
+    elif [ "$exit_code" -lt 1 ]; then
+      exit_code=1
+    fi
+  fi
+
+  local has_work_order_val="false"
+  if has_work_order; then
+    has_work_order_val="true"
+  fi
+
+  local work_order_stale_val="false"
+  if has_work_order && is_work_order_stale; then
+    work_order_stale_val="true"
+  fi
+
+  local stale_hours
+  stale_hours="$(get_config ".policy.stale_hours" "24")"
+  if ! [[ "$stale_hours" =~ ^[0-9]+$ ]]; then
+    stale_hours="24"
+  fi
+
+  if [ "$OUTPUT_FORMAT" = "json" ]; then
+    emit_validation_json \
+      "$exit_code" \
+      "$enforcement" \
+      "$no_ticket_no_work" \
+      "$stale_hours" \
+      "$has_work_order_val" \
+      "$work_order_stale_val" \
+      "$green_list" \
+      "$yellow_list" \
+      "$red_list" \
+      "$black_list" \
+      "$do_not_touch_list" \
+      "$scope_violation_list" \
+      "$changed_files"
+    return $exit_code
+  fi
+
+  if [ -n "$black_files" ]; then
+    log_error "BLACK zone files (BLOCKED):$black_files"
+  fi
+
+  if [ -n "$do_not_touch_files" ]; then
+    log_error "DO_NOT_TOUCH violation (BLOCKED):$do_not_touch_files"
+  fi
+
+  if [ -n "$red_files" ] && [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+    log_error "RED zone files without work order (BLOCKED):$red_files"
+  fi
+
+  if [ -n "$scope_violation_files" ]; then
+    log_warn "Scope violation:$scope_violation_files"
+  fi
+
+  if [ -n "$yellow_files" ] && [ "$no_ticket_no_work" = "true" ] && ! has_work_order; then
+    log_warn "YELLOW zone files without work order:$yellow_files"
+  fi
+
+  if has_work_order && is_work_order_stale; then
+    local threshold
+    threshold="$(get_config ".policy.stale_hours" "24")"
+    log_warn "Work order is stale (>\${threshold}h). Consider refreshing."
+    if [ "$exit_code" -lt 1 ]; then
+      exit_code=1
+    fi
+  fi
+
+  if [ "$exit_code" -eq 0 ]; then
+    log_info "Validation passed."
+  fi
+
+  return $exit_code
+}
+
+# =============================================================================
+# CLI Entrypoint
+# =============================================================================
+
+if [[ "\${BASH_SOURCE[0]}" == "$0" ]]; then
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --format)
+        OUTPUT_FORMAT="$2"
+        shift 2
+        ;;
+      *)
+        shift
+        ;;
+    esac
+  done
+
+  CHANGED="$(
+    (
+      git diff --name-only 2>/dev/null
+      git diff --name-only --cached 2>/dev/null
+      git ls-files --others --exclude-standard 2>/dev/null
+    ) | sort -u
+  )"
+  validate_changes "$CHANGED"
+  exit $?
+fi
+`;
+export const GITLEAKS_CONFIG_TEMPLATE = `title = "Vibe PM - Gitleaks config"
+
+# Use built-in rules by default; add allowlist paths only when needed.
+
+[allowlist]
+description = "Allowlist for known false positives"
+paths = [
+  # Example: "fixtures/**"
+]
+`;
+export const PRE_PUSH_HOOK_TEMPLATE = `#!/usr/bin/env bash
+#
+# Vibe PM pre-push hook
+# Enforces "No Ticket No Work" policy
+#
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../lib/validate.sh"
+
+# Control plane off-limits (applies only to the Vibe PM repo)
+PROTECTED_PATH_REGEX='^(\\.vibe/|vibecoding_helper/|adapters/|engines/|schemas/|fixtures/|docs/ssot/|docs/DEV_SPEC/implemented/|runs/|config/semgrep/|config/gitleaks/|policy/|scripts/generate-contracts\\.sh|scripts/generate-contract-lock\\.py|schemas/contracts\\.(version|lock)\\.json)'
+GITLEAKS_CONFIG="config/gitleaks/.gitleaks.toml"
+
+have_gitleaks() {
+  command -v gitleaks >/dev/null 2>&1
+}
+
+is_control_plane_repo() {
+  if [ -f "$REPO_ROOT/vibecoding_helper.spec" ]; then
+    return 0
+  fi
+  if [ -d "$REPO_ROOT/vibecoding_helper" ] && [ -d "$REPO_ROOT/adapters/mcp-ts" ]; then
+    return 0
+  fi
+  return 1
+}
+
+main() {
+  if [ ! -d "$VIBE_DIR" ]; then
+    log_info "Not a Vibe-managed repo. Skipping checks."
+    exit 0
+  fi
+
+  local enabled
+  enabled="$(get_config ".hooks.pre_push.enabled" "true")"
+  if [ "$enabled" != "true" ]; then
+    log_info "pre-push hook disabled. Skipping."
+    exit 0
+  fi
+
+  local gitleaks_required
+  gitleaks_required="$(get_config ".hooks.pre_push.gitleaks_required" "false")"
+
+  local remote="$1"
+  local url="$2"
+  local zero_sha="0000000000000000000000000000000000000000"
+  local gitleaks_warned="false"
+
+  while read local_ref local_oid remote_ref remote_oid; do
+    if [ "$local_oid" = "$zero_sha" ]; then
+      continue
+    fi
+
+    local changed_files
+    local log_opts
+    if [ "$remote_oid" = "0000000000000000000000000000000000000000" ]; then
+      local default_branch
+      default_branch="$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@')"
+      if [ -z "$default_branch" ]; then
+        default_branch="main"
+      fi
+      changed_files="$(git diff --name-only "origin/$default_branch"..."$local_oid" 2>/dev/null || git ls-files)"
+      if git rev-parse --verify "origin/$default_branch" >/dev/null 2>&1; then
+        log_opts="origin/$default_branch..$local_oid"
+      else
+        log_opts="$local_oid"
+      fi
+    else
+      changed_files="$(git diff --name-only "$remote_oid" "$local_oid")"
+      log_opts="$remote_oid..$local_oid"
+    fi
+
+    echo ""
+    echo "=============================================="
+    echo "  VIBE PM: Pre-push Validation"
+    echo "=============================================="
+    echo ""
+
+    if is_control_plane_repo; then
+      if echo "$changed_files" | grep -E "$PROTECTED_PATH_REGEX" >/dev/null 2>&1; then
+        log_error "Control plane paths are off-limits (push blocked):"
+        echo "$changed_files" | grep -E "$PROTECTED_PATH_REGEX" || true
+        exit 1
+      fi
+    fi
+
+    set +e
+    validate_changes "$changed_files"
+    local result=$?
+    set -e
+
+    case $result in
+      0)
+        log_info "Pre-push checks passed."
+        ;;
+      1)
+        log_warn "Push allowed with warnings."
+        echo ""
+        echo "Consider creating a work order: vibe ticket"
+        echo ""
+        ;;
+      2)
+        log_error "Push BLOCKED. Create a work order first."
+        echo ""
+        echo "Next action:"
+        echo "  vibe ticket"
+        echo ""
+        echo "Or to skip (not recommended):"
+        echo "  git push --no-verify"
+        echo ""
+        exit 1
+        ;;
+    esac
+
+    if have_gitleaks; then
+      if ! gitleaks detect --config "$GITLEAKS_CONFIG" --redact --no-banner --log-opts "$log_opts" --exit-code 1; then
+        log_error "gitleaks detected secrets in the push range."
+        exit 1
+      fi
+    else
+      if [ "$gitleaks_required" = "true" ]; then
+        log_error "gitleaks is required but not installed. Install gitleaks or disable requirement."
+        exit 1
+      fi
+      if [ "$gitleaks_warned" != "true" ]; then
+        log_warn "gitleaks not installed. Skipping secret scan."
+        gitleaks_warned="true"
+      fi
+    fi
+  done
+
+  exit 0
+}
+
+main "$@"
+`;
+export const GITHUB_ACTIONS_LOCAL_MODE_GUARD_WORKFLOW_TEMPLATE = `name: Vibe PM Local Mode Guard
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  vibe-local-mode-guard:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine diff range
+        shell: bash
+        run: |
+          set -euo pipefail
+          python - <<'PY'
+          import json, os, subprocess
+
+          event_path = os.environ.get("GITHUB_EVENT_PATH")
+          event_name = os.environ.get("GITHUB_EVENT_NAME", "")
+          head = os.environ.get("GITHUB_SHA", "")
+          base = ""
+
+          if event_path and os.path.exists(event_path):
+              with open(event_path, "r", encoding="utf-8") as f:
+                  event = json.load(f)
+              if event_name == "pull_request":
+                  base = (event.get("pull_request", {}) or {}).get("base", {}).get("sha", "")
+              elif event_name == "push":
+                  base = event.get("before", "")
+
+          if (not base) or (set(base) == {"0"}):
+              base = subprocess.check_output(["git", "rev-list", "--max-parents=0", head]).decode().strip()
+
+          with open(os.environ["GITHUB_ENV"], "a", encoding="utf-8") as f:
+              f.write(f"VIBE_BASE_SHA={base}\\n")
+              f.write(f"VIBE_HEAD_SHA={head}\\n")
+
+          print(f"Base: {base}")
+          print(f"Head: {head}")
+          PY
+
+      - name: Compute changed files
+        shell: bash
+        run: |
+          set -euo pipefail
+          git diff --name-only "$VIBE_BASE_SHA" "$VIBE_HEAD_SHA" | sort -u > /tmp/vibe_changed_files.txt
+          echo "Changed files:"
+          cat /tmp/vibe_changed_files.txt || true
+
+      - name: Run Vibe guard
+        shell: bash
+        env:
+          # Default: WARN does not fail the job (seatbelt philosophy).
+          # Opt-in strict mode: set to "true" in the generated workflow.
+          VIBE_FAIL_ON_WARN: "false"
+        run: |
+          set -euo pipefail
+          if [[ ! -f ".vibe/lib/validate.sh" ]]; then
+            echo "::error title=Vibe guard missing::Missing .vibe/lib/validate.sh. Run 'vibe init' and commit generated files."
+            exit 1
+          fi
+          source ".vibe/lib/validate.sh"
+          CHANGED="$(cat /tmp/vibe_changed_files.txt)"
+          set +e
+          echo "::group::Vibe guard output"
+          output="$(validate_changes "$CHANGED" 2>&1)"
+          rc=$?
+          echo "$output"
+          echo "::endgroup::"
+          set -e
+
+          clean="$(echo "$output" | sed -r 's/\\x1B\\[[0-9;]*[mK]//g')"
+          {
+            echo "## Vibe PM Local Mode Guard"
+            echo ""
+            echo "**Changed files**"
+            echo ""
+            echo '~~~'
+            cat /tmp/vibe_changed_files.txt || true
+            echo '~~~'
+            echo ""
+            echo "**Validator output**"
+            echo ""
+            echo '~~~'
+            echo "$clean"
+            echo '~~~'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+	          escape_anno() {
+	            local s="$1"
+	            s="\${s//'%'/'%25'}"
+	            s="\${s//$'\\n'/'%0A'}"
+	            s="\${s//$'\\r'/'%0D'}"
+	            echo "$s"
+	          }
+
+          emit_annotation() {
+            local sev="$1"
+            local file="$2"
+            local msg="$3"
+
+            msg="$(escape_anno "$msg")"
+	            file="$(escape_anno "$file")"
+
+	            if [[ -n "$file" ]]; then
+	              echo "::\${sev} file=\${file}::\${msg}"
+	            else
+	              echo "::\${sev}::\${msg}"
+	            fi
+	          }
+
+          current_sev=""
+          current_msg=""
+          while IFS= read -r line; do
+	            if [[ "$line" =~ ^\\[VIBE\\ WARN\\][[:space:]](.*)$ ]]; then
+	              current_sev="warning"
+	              current_msg="\${BASH_REMATCH[1]}"
+	              current_msg="\${current_msg%:}"
+	              continue
+	            fi
+	            if [[ "$line" =~ ^\\[VIBE\\ BLOCK\\][[:space:]](.*)$ ]]; then
+	              current_sev="error"
+	              current_msg="\${BASH_REMATCH[1]}"
+	              current_msg="\${current_msg%:}"
+	              continue
+	            fi
+	            if [[ -n "$current_sev" && "$line" =~ ^[[:space:]]*-[[:space:]](.+)$ ]]; then
+	              emit_annotation "$current_sev" "\${BASH_REMATCH[1]}" "$current_msg"
+	            fi
+	          done <<< "$clean"
+
+          if [[ $rc -eq 2 ]]; then
+            echo "::error title=Vibe guard blocked::Unsafe changes blocked. Create a work order first."
+            exit 1
+          fi
+          if [[ $rc -eq 1 ]]; then
+            echo "::warning title=Vibe guard warnings::Warnings found. Merge allowed, but review recommended."
+            if [[ "$VIBE_FAIL_ON_WARN" == "true" ]]; then
+              echo "::error title=Vibe guard strict mode::WARN treated as failure (VIBE_FAIL_ON_WARN=true)."
+              exit 1
+            fi
+          fi
+`;