agentic-qe 3.9.7 → 3.9.9

package/.claude/skills/qe-browser/scripts/check-injection.js

@@ -0,0 +1,267 @@
+#!/usr/bin/env node
+// qe-browser: prompt-injection scanner for the current Vibium page.
+//
+// Scans both visible text and optionally hidden/offscreen content for common
+// prompt-injection patterns that might try to manipulate an LLM browsing the page.
+// Pattern library ported from gsd-browser (MIT/Apache-2.0) with extensions.
+//
+// Usage:
+//   node check-injection.js
+//   node check-injection.js --include-hidden
+//   node check-injection.js --json
+//   node check-injection.js --exclude-selector "main, .docs-content"
+//
+// M8 (devil's-advocate finding): the regex patterns match anywhere in the
+// page, including legitimate documentation that talks ABOUT prompt injection.
+// `--exclude-selector` lets callers drop subtrees from the scan (typically
+// used to exclude documentation/markdown bodies on docs sites). Pass a CSS
+// selector list — every matched element's text is removed before scanning.
+
+'use strict';
+
+const {
+  vibiumEvalStdin,
+  envelope,
+  parseArgs,
+  emit,
+  fail,
+  runOrSkip,
+  rethrowIfUnavailable,
+} = require('./lib/vibium');
+
+// Pattern list — each entry: { name, severity, regex, description }.
+// Severities: info < low < medium < high < critical.
+const PATTERNS = [
+  {
+    name: 'ignore_previous_instructions',
+    severity: 'high',
+    regex: /ignore\s+(all\s+)?(previous|prior|above|preceding)\s+(instructions|prompts|commands|directives)/i,
+    description: 'Classic prompt override',
+  },
+  {
+    name: 'new_instructions',
+    severity: 'high',
+    regex: /(new|updated|revised)\s+(instructions|system\s+prompt|directives)/i,
+    description: 'Attempts to inject a new instruction set',
+  },
+  {
+    name: 'system_prompt_leak',
+    severity: 'critical',
+    regex: /\b(show|reveal|print|output|display|repeat|share)\s+(me\s+|us\s+)?(your\s+|the\s+)?(system\s+)?(prompt|instructions|rules|guidelines)\b/i,
+    description: 'Attempts to exfiltrate system prompt',
+  },
+  {
+    name: 'role_override',
+    severity: 'high',
+    regex: /you\s+are\s+(now|actually)\s+(a|an)\s+[a-z]+/i,
+    description: 'Role reassignment attempt',
+  },
+  {
+    name: 'developer_mode',
+    severity: 'high',
+    regex: /(enable|activate|enter)\s+(developer|dev|debug|jailbreak|admin|root)\s+mode/i,
+    description: 'Developer/jailbreak mode request',
+  },
+  {
+    name: 'confidential_exfil',
+    severity: 'critical',
+    regex: /(send|post|leak|exfiltrate|upload|forward)\s+.*(api[_\s-]?key|password|secret|token|credential)/i,
+    description: 'Credential exfiltration attempt',
+  },
+  {
+    name: 'base64_directive',
+    severity: 'medium',
+    regex: /decode\s+(the\s+)?(following\s+)?base64\s+(and\s+(run|execute|follow))?/i,
+    description: 'Base64-obfuscated instructions',
+  },
+  {
+    name: 'dan_pattern',
+    severity: 'high',
+    regex: /do\s+anything\s+now|dan\s+(mode|jailbreak|prompt)/i,
+    description: 'DAN (Do Anything Now) jailbreak',
+  },
+  {
+    name: 'chain_of_trust',
+    severity: 'medium',
+    regex: /(this\s+is\s+anthropic|i\s+am\s+a\s+trusted|authorized\s+by\s+the\s+developer)/i,
+    description: 'False authority / impersonation',
+  },
+  {
+    name: 'exfil_via_url',
+    severity: 'high',
+    regex: /fetch\s*\(\s*['"`]https?:\/\/[^'"`]*\?(key|secret|token|data)=/i,
+    description: 'URL-based data exfiltration',
+  },
+  {
+    name: 'markdown_image_exfil',
+    severity: 'high',
+    regex: /!\[[^\]]*\]\(https?:\/\/[^)]+\?[^)]*=[^)]+\)/i,
+    description: 'Markdown image exfiltration channel',
+  },
+  {
+    name: 'tool_hijack',
+    severity: 'high',
+    regex: /(call|invoke|run|execute)\s+(the\s+)?(tool|function|command)\s*:?\s*['"`]?(bash|exec|shell|eval)/i,
+    description: 'Tool-use hijacking',
+  },
+  {
+    name: 'memory_poison',
+    severity: 'medium',
+    regex: /remember\s+(this|that)\s+.*(forever|permanently|always)/i,
+    description: 'Attempts to poison persistent memory',
+  },
+  {
+    name: 'instructions_in_html_comment',
+    severity: 'medium',
+    regex: /<!--\s*(instructions|system|prompt|note\s+to\s+ai|claude|gpt|llm)/i,
+    description: 'Instructions hidden in HTML comments',
+  },
+];
+
+// M4 (devil's-advocate finding): scanned page text can contain ANSI escape
+// sequences, NUL bytes, or other terminal-control characters. Embedding
+// those verbatim in the JSON snippet means a `cat findings.json` could
+// reposition the cursor, change colors, or trigger terminal exploits. We
+// strip C0 controls (0x00-0x1F except \t \n) and DEL (0x7F) before emitting.
+// We deliberately keep \t and \n so multi-line snippets remain readable.
+function sanitizeSnippet(text) {
+  // eslint-disable-next-line no-control-regex
+  return text.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+}
+
+function scanText(text, hidden) {
+  const findings = [];
+  for (const pat of PATTERNS) {
+    const match = text.match(pat.regex);
+    if (match) {
+      const idx = match.index || 0;
+      const start = Math.max(0, idx - 40);
+      const end = Math.min(text.length, idx + match[0].length + 40);
+      const rawSnippet = text.slice(start, end).replace(/\s+/g, ' ').trim();
+      findings.push({
+        pattern: pat.name,
+        severity: pat.severity,
+        description: pat.description,
+        snippet: sanitizeSnippet(rawSnippet),
+        hidden,
+      });
+    }
+  }
+  return findings;
+}
+
+function aggregateSeverity(findings) {
+  const order = { info: 1, low: 2, medium: 3, high: 4, critical: 5 };
+  let top = 'none';
+  let topRank = 0;
+  for (const f of findings) {
+    const rank = order[f.severity] || 0;
+    if (rank > topRank) {
+      topRank = rank;
+      top = f.severity;
+    }
+  }
+  return top;
+}
+
+function fetchPageText(includeHidden, excludeSelector) {
+  // Return both visible and (optionally) full text-content via vibium eval.
+  // We pull both so we can tag findings with `hidden: true/false`.
+  //
+  // H2 (devil's-advocate finding): TreeWalker(SHOW_COMMENT) yields the
+  // INNER text of each comment, stripping the `<!-- ... -->` delimiters.
+  // The `instructions_in_html_comment` regex requires the literal `<!--`
+  // prefix, so it could never fire against the unwrapped text. Fix: re-wrap
+  // each comment in `<!-- ... -->` before adding it to the hidden bucket so
+  // the comment-pattern actually matches.
+  //
+  // M8 (devil's-advocate finding): excludeSelector lets callers strip
+  // subtrees (typically documentation bodies) from BOTH the visible and
+  // hidden text before scanning, so docs about prompt injection don't
+  // self-flag. We clone the body, remove matching elements, and read text
+  // from the clone — leaving the live page unchanged.
+  //
+  // Vibium eval returns the LAST EXPRESSION's value, not console.log
+  // output, so we wrap our payload in JSON.stringify and let
+  // lib/vibium.js's unwrapEvalResult parse it back into an object.
+  const excludeJson = excludeSelector ? JSON.stringify(excludeSelector) : 'null';
+  const script = `
+    (function() {
+      var body = document.body;
+      var excludeSel = ${excludeJson};
+      var workBody = body;
+      if (excludeSel && body) {
+        workBody = body.cloneNode(true);
+        try {
+          var toRemove = workBody.querySelectorAll(excludeSel);
+          for (var i = 0; i < toRemove.length; i++) {
+            toRemove[i].parentNode && toRemove[i].parentNode.removeChild(toRemove[i]);
+          }
+        } catch (e) { /* invalid selector — fall back to full body */ }
+      }
+      var visible = workBody ? workBody.innerText : '';
+      var full = workBody ? workBody.textContent : '';
+      var comments = [];
+      var walker = document.createTreeWalker(workBody || document, NodeFilter.SHOW_COMMENT, null);
+      var n;
+      while ((n = walker.nextNode())) {
+        comments.push('<!-- ' + n.textContent + ' -->');
+      }
+      var hidden = ${includeHidden ? 'full.replace(visible, "") + "\\n" + comments.join("\\n")' : '""'};
+      return JSON.stringify({ visible: visible, hidden: hidden });
+    })()
+  `;
+  return vibiumEvalStdin(script) || { visible: '', hidden: '' };
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const includeHidden = Boolean(args['include-hidden']);
+  // M8: --exclude-selector takes a CSS selector list; matching elements are
+  // dropped from the scan so docs about prompt injection don't self-flag.
+  const excludeSelector =
+    typeof args['exclude-selector'] === 'string' ? args['exclude-selector'] : null;
+  const startedAt = Date.now();
+
+  try {
+    const { visible, hidden } = fetchPageText(includeHidden, excludeSelector);
+    const findings = [
+      ...scanText(visible || '', false),
+      ...scanText(hidden || '', true),
+    ];
+    const severity = findings.length === 0 ? 'none' : aggregateSeverity(findings);
+    const status =
+      severity === 'none' || severity === 'info' || severity === 'low' ? 'success' : 'failed';
+
+    return emit(
+      envelope({
+        operation: 'check-injection',
+        summary:
+          findings.length === 0
+            ? 'No prompt-injection patterns detected'
+            : `Detected ${findings.length} prompt-injection pattern(s), highest severity: ${severity}`,
+        status,
+        details: {
+          checkInjection: {
+            findings,
+            severity,
+            scanned: {
+              visibleChars: (visible || '').length,
+              hiddenChars: (hidden || '').length,
+            },
+          },
+        },
+        metadata: { executionTimeMs: Date.now() - startedAt },
+      })
+    );
+  } catch (err) {
+    rethrowIfUnavailable(err); // F1: bubble missing-vibium past this catch
+    return fail('check-injection', err.message);
+  }
+}
+
+if (require.main === module) {
+  process.exit(runOrSkip('check-injection', main));
+}
+
+module.exports = { scanText, PATTERNS, aggregateSeverity, sanitizeSnippet };

package/.claude/skills/qe-browser/scripts/intent-score.js

@@ -0,0 +1,325 @@
+#!/usr/bin/env node
+// qe-browser: semantic intent scoring for the current Vibium page.
+//
+// Ported from gsd-browser (MIT/Apache-2.0) — the scorer is pure JS heuristic,
+// no LLM round-trip. We push the whole scoring function into `vibium eval --stdin`
+// which runs it in the page context via WebDriver BiDi.
+//
+// Usage:
+//   node intent-score.js --intent submit_form
+//   node intent-score.js --intent accept_cookies --scope "#banner"
+//   node intent-score.js --intent fill_email
+
+'use strict';
+
+const {
+  vibiumEvalStdin,
+  envelope,
+  parseArgs,
+  emit,
+  fail,
+  runOrSkip,
+  rethrowIfUnavailable,
+} = require('./lib/vibium');
+
+const VALID_INTENTS = [
+  'submit_form',
+  'close_dialog',
+  'primary_cta',
+  'search_field',
+  'next_step',
+  'dismiss',
+  'auth_action',
+  'back_navigation',
+  'fill_email',
+  'fill_password',
+  'fill_username',
+  'accept_cookies',
+  'main_content',
+  'pagination_next',
+  'pagination_prev',
+];
+
+// The scoring function is a self-contained IIFE that runs in the page context.
+// Derived from gsd-browser/cli/src/daemon/handlers/intent.rs:59-385.
+const SCORER_JS = `
+(function () {
+  const intent = __INTENT__;
+  const scopeSel = __SCOPE__;
+  const root = scopeSel ? document.querySelector(scopeSel) : document;
+  if (!root) throw new Error('scope element not found: ' + scopeSel);
+
+  const interactiveSel =
+    'a, button, input, select, textarea, [role=button], [role=link], [role=menuitem], ' +
+    '[role=tab], [role=search], [role=searchbox], [tabindex], [onclick]';
+  const contentSel = 'main, article, section, [role=main], [role=article], div';
+  const sel = intent === 'main_content' ? interactiveSel + ', ' + contentSel : interactiveSel;
+  const candidates = Array.from(root.querySelectorAll(sel));
+
+  function isVisible(el) {
+    if (el.hidden || el.disabled) return false;
+    const rect = el.getBoundingClientRect();
+    if (rect.width === 0 && rect.height === 0) return false;
+    const style = getComputedStyle(el);
+    if (style.display === 'none' || style.visibility === 'hidden' || parseFloat(style.opacity) === 0) return false;
+    return true;
+  }
+  function getText(el) { return (el.textContent || '').trim().substring(0, 100).toLowerCase(); }
+  function getAriaLabel(el) { return (el.getAttribute('aria-label') || '').toLowerCase(); }
+  function getRole(el) { return (el.getAttribute('role') || '').toLowerCase(); }
+
+  function buildSelector(el) {
+    if (el.id) return '#' + CSS.escape(el.id);
+    const tag = el.tagName.toLowerCase();
+    const testId = el.getAttribute('data-testid');
+    if (testId) return tag + '[data-testid=' + JSON.stringify(testId) + ']';
+    if (el.name) {
+      const nsel = tag + '[name=' + JSON.stringify(el.name) + ']';
+      if (document.querySelectorAll(nsel).length === 1) return nsel;
+    }
+    if (el.type) {
+      const tsel = tag + '[type=' + JSON.stringify(el.type) + ']';
+      if (document.querySelectorAll(tsel).length === 1) return tsel;
+    }
+    const all = Array.from(document.querySelectorAll(tag));
+    const idx = all.indexOf(el);
+    return tag + ':nth-of-type(' + (idx + 1) + ')';
+  }
+
+  const scorers = {
+    submit_form(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (type === 'submit') { s += 0.5; r.push('type=submit'); }
+      if (tag === 'button' && !el.type) { s += 0.2; r.push('button no-type'); }
+      if (/submit|send|save|confirm|create|register|sign.?up|log.?in|continue|next|apply|ok/i.test(text || el.value || aria)) { s += 0.3; r.push('submit text'); }
+      if (el.closest('form')) { s += 0.15; r.push('inside form'); }
+      if (role === 'button') { s += 0.05; r.push('role=button'); }
+      return { score: s, reasons: r };
+    },
+    close_dialog(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      // M7: anchor bare 'x' with word boundaries so we don't match
+      // "fix", "exit", "extra", "sixteen". The unicode multiplication
+      // sign (U+00D7) and small x (U+2715) are unaffected.
+      if (/close|dismiss|cancel|\\u00d7|\\u2715|\\bx\\b/i.test(text || aria)) { s += 0.4; r.push('close text'); }
+      if (el.closest('dialog, [role=dialog], [role=alertdialog], .modal')) { s += 0.3; r.push('in dialog'); }
+      if (aria && /close|dismiss/i.test(aria)) { s += 0.2; r.push('aria close'); }
+      if (tag === 'button') { s += 0.05; r.push('is button'); }
+      return { score: s, reasons: r };
+    },
+    primary_cta(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (tag === 'button' || tag === 'a' || role === 'button') { s += 0.15; r.push('interactive'); }
+      const rect = el.getBoundingClientRect();
+      if (rect.width * rect.height > 3000) { s += 0.15; r.push('large area'); }
+      const style = getComputedStyle(el);
+      const bg = style.backgroundColor;
+      if (bg && bg !== 'rgba(0, 0, 0, 0)' && bg !== 'transparent') { s += 0.2; r.push('has bg'); }
+      if (/get.?started|sign.?up|try|buy|subscribe|download|start|learn.?more/i.test(text || aria)) { s += 0.3; r.push('CTA text'); }
+      return { score: s, reasons: r };
+    },
+    search_field(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (role === 'search' || role === 'searchbox') { s += 0.5; r.push('search role'); }
+      if (type === 'search') { s += 0.5; r.push('type=search'); }
+      if (tag === 'input' && /search/i.test(aria || el.placeholder || el.name || '')) { s += 0.4; r.push('search attr'); }
+      if (tag === 'input' || tag === 'textarea') { s += 0.05; r.push('is input'); }
+      return { score: s, reasons: r };
+    },
+    next_step(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/next|continue|proceed|forward|\\u2192|\\u203a|>>|step/i.test(text || aria)) { s += 0.4; r.push('next text'); }
+      if (tag === 'button' || role === 'button') { s += 0.15; r.push('is button'); }
+      if (type === 'submit') { s += 0.1; r.push('type=submit'); }
+      return { score: s, reasons: r };
+    },
+    dismiss(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/dismiss|close|cancel|no.?thanks|skip|later|not.?now|got.?it|ok|accept/i.test(text || aria)) { s += 0.4; r.push('dismiss text'); }
+      if (el.closest('[class*=overlay], [class*=popup], [class*=banner], [class*=toast], [class*=notification]')) { s += 0.2; r.push('in overlay'); }
+      if (tag === 'button') { s += 0.1; r.push('is button'); }
+      return { score: s, reasons: r };
+    },
+    auth_action(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/log.?in|sign.?in|sign.?up|register|auth|sso|forgot.?password/i.test(text || aria)) { s += 0.4; r.push('auth text'); }
+      if (type === 'submit' && el.closest('form')) {
+        const form = el.closest('form');
+        if (form.querySelector('input[type=password]')) { s += 0.3; r.push('has password'); }
+      }
+      if (tag === 'button' || tag === 'a') { s += 0.1; r.push('interactive'); }
+      return { score: s, reasons: r };
+    },
+    back_navigation(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/back|previous|\\u2190|\\u2039|<<|return|go.?back/i.test(text || aria)) { s += 0.4; r.push('back text'); }
+      if (tag === 'a' && el.href) {
+        try {
+          const url = new URL(el.href);
+          if (url.pathname.length < location.pathname.length) { s += 0.2; r.push('shorter path'); }
+        } catch (e) {}
+      }
+      if (role === 'navigation' || el.closest('nav')) { s += 0.1; r.push('in nav'); }
+      return { score: s, reasons: r };
+    },
+    fill_email(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (type === 'email') { s += 0.6; r.push('type=email'); }
+      if (/email|e-mail/i.test(el.name || el.placeholder || aria || '')) { s += 0.4; r.push('email attr'); }
+      if (el.autocomplete === 'email') { s += 0.3; r.push('autocomplete=email'); }
+      if (tag === 'input') { s += 0.05; r.push('is input'); }
+      return { score: s, reasons: r };
+    },
+    fill_password(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (type === 'password') { s += 0.7; r.push('type=password'); }
+      if (/password|passwd|pass/i.test(el.name || el.placeholder || aria || '')) { s += 0.3; r.push('password attr'); }
+      if (el.autocomplete === 'current-password' || el.autocomplete === 'new-password') { s += 0.2; r.push('autocomplete=password'); }
+      return { score: s, reasons: r };
+    },
+    fill_username(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/user.?name|login|account/i.test(el.name || el.placeholder || aria || '')) { s += 0.5; r.push('username attr'); }
+      if (el.autocomplete === 'username') { s += 0.4; r.push('autocomplete=username'); }
+      if (type === 'text' && el.closest('form')) {
+        if (el.closest('form').querySelector('input[type=password]')) { s += 0.2; r.push('text in login form'); }
+      }
+      if (tag === 'input') { s += 0.05; r.push('is input'); }
+      return { score: s, reasons: r };
+    },
+    accept_cookies(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/accept|agree|consent|allow|got.?it|ok|i.?understand/i.test(text || aria)) { s += 0.3; r.push('accept text'); }
+      if (/cookie/i.test(text || aria)) { s += 0.2; r.push('mentions cookies'); }
+      if (el.closest('[class*=cookie], [class*=consent], [class*=gdpr], [class*=privacy], [id*=cookie], [id*=consent]')) { s += 0.3; r.push('in cookie banner'); }
+      if (tag === 'button' || role === 'button') { s += 0.1; r.push('is button'); }
+      if (/reject|decline|settings|manage|customize/i.test(text || aria)) { s -= 0.3; r.push('reject penalty'); }
+      return { score: s, reasons: r };
+    },
+    main_content(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (role === 'main') { s += 0.6; r.push('role=main'); }
+      if (tag === 'main') { s += 0.6; r.push('<main>'); }
+      if (tag === 'article') { s += 0.4; r.push('<article>'); }
+      if (el.id && /content|main|article|body/i.test(el.id)) { s += 0.3; r.push('content id'); }
+      if (el.className && /content|main|article|body/i.test(el.className)) { s += 0.2; r.push('content class'); }
+      const rect = el.getBoundingClientRect();
+      if (rect.width > 500 && rect.height > 300) { s += 0.15; r.push('large area'); }
+      return { score: s, reasons: r };
+    },
+    pagination_next(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/next|\\u203a|>>|\\u2192|older/i.test(text || aria)) { s += 0.4; r.push('next text'); }
+      if (el.rel === 'next') { s += 0.5; r.push('rel=next'); }
+      if (el.closest('nav, [role=navigation], [class*=paginat], [class*=pager]')) { s += 0.2; r.push('in pagination'); }
+      if (tag === 'a' || tag === 'button') { s += 0.05; r.push('interactive'); }
+      return { score: s, reasons: r };
+    },
+    pagination_prev(el, tag, type, text, role, aria) {
+      let s = 0; const r = [];
+      if (/prev|previous|\\u2039|<<|\\u2190|newer/i.test(text || aria)) { s += 0.4; r.push('prev text'); }
+      if (el.rel === 'prev') { s += 0.5; r.push('rel=prev'); }
+      if (el.closest('nav, [role=navigation], [class*=paginat], [class*=pager]')) { s += 0.2; r.push('in pagination'); }
+      if (tag === 'a' || tag === 'button') { s += 0.05; r.push('interactive'); }
+      return { score: s, reasons: r };
+    },
+  };
+
+  const scorer = scorers[intent];
+  if (!scorer) throw new Error('unknown intent: ' + intent + '. Valid: ' + Object.keys(scorers).join(', '));
+
+  const scored = [];
+  for (const el of candidates) {
+    if (!isVisible(el)) continue;
+    const tag = el.tagName.toLowerCase();
+    const type = (el.getAttribute('type') || '').toLowerCase();
+    const text = getText(el);
+    const role = getRole(el);
+    const aria = getAriaLabel(el);
+    const { score, reasons } = scorer(el, tag, type, text, role, aria);
+    if (score <= 0) continue;
+    const rect = el.getBoundingClientRect();
+    scored.push({
+      score: Math.round(score * 1000) / 1000,
+      selector: buildSelector(el),
+      tag,
+      type: type || null,
+      role: role || null,
+      text: (el.textContent || '').trim().substring(0, 80) || null,
+      reason: reasons.join(', '),
+      bounds: {
+        x: Math.round(rect.x),
+        y: Math.round(rect.y),
+        width: Math.round(rect.width),
+        height: Math.round(rect.height),
+      },
+    });
+  }
+
+  scored.sort((a, b) => b.score - a.score);
+  return {
+    intent: intent,
+    candidateCount: scored.length,
+    candidates: scored.slice(0, 5),
+    scope: scopeSel || 'document',
+  };
+})()
+`;
+
+function buildScript(intent, scope) {
+  const intentJson = JSON.stringify(intent);
+  const scopeJson = scope ? JSON.stringify(scope) : 'null';
+  // Use split/join instead of String.prototype.replace because the second
+  // argument of .replace is a *replacement string* where $&, $`, $', $1-$9
+  // have special meaning. JSON.stringify output can contain those sequences
+  // (e.g. a selector like `div[data-x="$amount"]`) which would otherwise
+  // corrupt the generated script. split/join does a literal substitution.
+  const body = SCORER_JS.split('__INTENT__').join(intentJson).split('__SCOPE__').join(scopeJson);
+  // Vibium eval returns the last expression's value, not console.log output.
+  // Wrap in JSON.stringify so lib/vibium.js's unwrapEvalResult can JSON-parse
+  // the result string back into a real object on our side.
+  return `JSON.stringify(${body})`;
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const intent = args.intent;
+  if (!intent) return fail('intent-score', 'missing --intent argument');
+  if (!VALID_INTENTS.includes(intent)) {
+    return fail(
+      'intent-score',
+      `unknown intent "${intent}". Valid: ${VALID_INTENTS.join(', ')}`
+    );
+  }
+  const scope = args.scope;
+  const startedAt = Date.now();
+
+  try {
+    const payload = vibiumEvalStdin(buildScript(intent, scope));
+    if (!payload || !Array.isArray(payload.candidates)) {
+      throw new Error('scorer returned unexpected payload');
+    }
+    const top = payload.candidates[0];
+    return emit(
+      envelope({
+        operation: 'intent-score',
+        summary:
+          payload.candidateCount > 0
+            ? `Top candidate for "${intent}": score ${top.score}, selector ${top.selector}`
+            : `No candidates found for intent "${intent}"`,
+        status: payload.candidateCount > 0 ? 'success' : 'partial',
+        details: { intentScore: payload },
+        metadata: { executionTimeMs: Date.now() - startedAt },
+      })
+    );
+  } catch (err) {
+    rethrowIfUnavailable(err); // F1
+    return fail('intent-score', err.message);
+  }
+}
+
+if (require.main === module) {
+  process.exit(runOrSkip('intent-score', main));
+}
+
+module.exports = { VALID_INTENTS, buildScript };