mstro-app 0.3.7 → 0.3.8

package/server/mcp/bouncer-sandbox.ts

@@ -0,0 +1,214 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+
+/**
+ * Sandbox Harness for Bouncer Testing
+ *
+ * Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
+ * sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
+ * i.e., when a malicious tool call gets through.
+ *
+ * Usage in tests:
+ *   const harness = new BouncerSandboxHarness();
+ *   await harness.initialize();
+ *   const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
+ *   expect(result.violations).toContain(...)
+ *   await harness.cleanup();
+ */
+
+import { execSync } from 'node:child_process';
+import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+export interface SandboxExecResult {
+  /** The sandboxed command that was actually run */
+  wrappedCommand: string;
+  /** Whether sandbox-runtime is available on this platform */
+  sandboxAvailable: boolean;
+  /** Whether the sandbox contained the operation (no violations) */
+  contained: boolean;
+  /** List of violation descriptions if any escaped the sandbox */
+  violations: string[];
+}
+
+export interface CanaryCheckResult {
+  /** Whether the canary file still exists (should be true if sandbox contained the write) */
+  canaryIntact: boolean;
+  /** Whether a file was written outside the sandbox (should be false) */
+  escapeDetected: boolean;
+}
+
+/**
+ * Test harness that wraps command execution in sandbox-runtime.
+ * Provides canary files and violation tracking to verify containment.
+ */
+export class BouncerSandboxHarness {
+  private sandboxManager: Awaited<typeof import('@anthropic-ai/sandbox-runtime')>['SandboxManager'] | null = null;
+  private sandboxAvailable = false;
+  private tempDir: string;
+  private canaryDir: string;
+
+  constructor() {
+    this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
+    this.canaryDir = join(this.tempDir, 'canaries');
+    mkdirSync(this.canaryDir, { recursive: true });
+  }
+
+  /**
+   * Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
+   */
+  async initialize(): Promise<{ available: boolean; reason?: string }> {
+    try {
+      const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
+
+      if (!SandboxManager.isSupportedPlatform()) {
+        return { available: false, reason: 'Platform not supported by sandbox-runtime' };
+      }
+
+      const deps = SandboxManager.checkDependencies();
+      if (deps.errors.length > 0) {
+        return {
+          available: false,
+          reason: `Missing dependencies: ${deps.errors.join(', ')}`,
+        };
+      }
+
+      await SandboxManager.initialize({
+        network: {
+          allowedDomains: [], // Block ALL network access
+          deniedDomains: ['*'],
+        },
+        filesystem: {
+          denyRead: [
+            '/home/*/.ssh',
+            '/home/*/.aws',
+            '/home/*/.gnupg',
+            '/etc/shadow',
+            '/etc/passwd',
+          ],
+          allowWrite: [this.tempDir], // Only allow writes to our temp dir
+          denyWrite: [
+            '/',
+            '/home',
+            '/etc',
+            '/usr',
+            '/var',
+          ],
+        },
+      });
+
+      this.sandboxManager = SandboxManager;
+      this.sandboxAvailable = true;
+      return { available: true };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
+    }
+  }
+
+  /**
+   * Execute a command inside the sandbox. Returns containment results.
+   * If sandbox is not available, validates the bouncer decision only (no actual execution).
+   */
+  async executeInSandbox(command: string): Promise<SandboxExecResult> {
+    if (!this.sandboxAvailable || !this.sandboxManager) {
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: false,
+        contained: true,
+        violations: ['Sandbox not available — decision-only testing mode'],
+      };
+    }
+
+    const violations: string[] = [];
+    try {
+      const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
+
+      // Execute the wrapped command and capture violations
+      try {
+        execSync(wrappedCommand, {
+          timeout: 5000,
+          stdio: 'pipe',
+          cwd: this.tempDir,
+        });
+      } catch {
+        // Command failure inside sandbox is expected for malicious ops
+      }
+
+      // Check violation store
+      const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
+      if (stderr) {
+        violations.push(stderr);
+      }
+
+      this.sandboxManager.cleanupAfterCommand();
+
+      return {
+        wrappedCommand,
+        sandboxAvailable: true,
+        contained: violations.length === 0,
+        violations,
+      };
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      violations.push(`Sandbox execution error: ${msg}`);
+      return {
+        wrappedCommand: command,
+        sandboxAvailable: true,
+        contained: true, // Error means the command didn't execute
+        violations,
+      };
+    }
+  }
+
+  /**
+   * Place a canary file and return a checker to verify containment.
+   * If a sandboxed command can delete or modify the canary, containment failed.
+   */
+  placeCanary(name: string): { path: string; check: () => CanaryCheckResult } {
+    const canaryPath = join(this.canaryDir, name);
+    const escapePath = join(this.canaryDir, `${name}.escaped`);
+    writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
+
+    return {
+      path: canaryPath,
+      check: () => ({
+        canaryIntact: existsSync(canaryPath),
+        escapeDetected: existsSync(escapePath),
+      }),
+    };
+  }
+
+  /**
+   * Get the temp directory where sandboxed commands can write.
+   */
+  getSandboxWriteDir(): string {
+    return this.tempDir;
+  }
+
+  /**
+   * Whether the sandbox is actually available and initialized.
+   */
+  isAvailable(): boolean {
+    return this.sandboxAvailable;
+  }
+
+  /**
+   * Clean up temp dirs and reset sandbox state.
+   */
+  async cleanup(): Promise<void> {
+    try {
+      if (this.sandboxManager) {
+        await this.sandboxManager.reset();
+      }
+    } catch {
+      // Ignore cleanup errors
+    }
+    try {
+      rmSync(this.tempDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
+    }
+  }
+}

package/server/mcp/security-patterns.ts

@@ -14,6 +14,8 @@
  * - The question is: "Does this operation make sense given user intent?"
  */
 
+import { resolve } from 'node:path';
+
 export interface SecurityPattern {
   pattern: RegExp;
   reason?: string;
@@ -83,7 +85,16 @@ export const CRITICAL_THREATS: SecurityPattern[] = [
   {
     pattern: /chmod\s+000\s+\//i,
     reason: 'Attempting to make system directories inaccessible'
-  }
+  },
+  // Reverse shells - never legitimate in a dev workflow
+  {
+    pattern: /\/dev\/tcp\//i,
+    reason: 'Reverse shell via /dev/tcp - classic backdoor technique'
+  },
+  {
+    pattern: /\bnc\b.*-[elp].*\b\d+\b/i,
+    reason: 'Netcat listener/reverse shell - common backdoor technique'
+  },
   // NOTE: curl|bash is NOT here - it goes to Haiku for context review
   // The question is "did a bad actor inject this?" not "is curl|bash dangerous?"
 ];
@@ -158,12 +169,104 @@ export const NEEDS_AI_REVIEW: SecurityPattern[] = [
     reason: 'Recursive deletion - verify target matches user intent'
   },
 
+  // Data exfiltration patterns — piping data to network tools
+  {
+    pattern: /\|\s*(nc|netcat|ncat)\b/i,
+    reason: 'Pipe to netcat - potential data exfiltration'
+  },
+  {
+    pattern: /\bscp\b.*@/i,
+    reason: 'SCP to remote host - potential data exfiltration'
+  },
+  {
+    pattern: /\|\s*curl\b/i,
+    reason: 'Pipe to curl - potential data exfiltration'
+  },
+  {
+    pattern: /curl\b.*-d\s*@/i,
+    reason: 'Curl with file upload - potential data exfiltration'
+  },
+
   // ALL Write/Edit operations that aren't to /tmp go through context review
   // This is the key change: we review based on context, not blanket allow/deny
   {
     pattern: /^(Write|Edit):\s*(?!\/tmp\/|\/var\/tmp\/)/i,
     reason: 'File modification - verify aligns with user request'
   },
+
+  // Reverse shells and bind shells — network-connected interactive shells
+  {
+    pattern: /\/dev\/tcp\//i,
+    reason: 'Potential reverse shell via /dev/tcp'
+  },
+  {
+    pattern: /\b(nc|netcat|ncat)\b.*-e\s/i,
+    reason: 'Netcat with -e flag - potential reverse shell'
+  },
+  {
+    pattern: /\bsocket\b.*\bconnect\b.*\b(dup2|subprocess|exec)\b/i,
+    reason: 'Programmatic reverse shell pattern (socket+connect+exec)'
+  },
+  {
+    pattern: /\bperl\b.*\bsocket\b.*\bexec\b/i,
+    reason: 'Perl reverse shell pattern'
+  },
+
+  // Encoded/obfuscated payloads piped to shell or eval
+  {
+    pattern: /\b(base64|base32)\b.*-d.*\|\s*(bash|sh)\b/i,
+    reason: 'Decoded payload piped to shell - obfuscated command execution'
+  },
+  {
+    pattern: /\\x[0-9a-f]{2}.*\|\s*(bash|sh)\b/i,
+    reason: 'Hex-encoded payload piped to shell'
+  },
+  {
+    pattern: /\bexec\b.*\b(base64|b64decode)\b/i,
+    reason: 'Exec with base64 decoding - obfuscated code execution'
+  },
+  {
+    pattern: /\bprintf\b.*\\x[0-9a-f].*\|\s*(bash|sh)\b/i,
+    reason: 'Printf hex payload piped to shell'
+  },
+
+  // Cloud metadata / SSRF — accessing cloud instance credentials
+  {
+    pattern: /169\.254\.169\.254/i,
+    reason: 'AWS/Azure IMDS access - potential credential theft'
+  },
+  {
+    pattern: /metadata\.google\.internal/i,
+    reason: 'GCP metadata access - potential credential theft'
+  },
+
+  // Persistence — writing to shell profiles, cron, authorized_keys via echo/append
+  {
+    pattern: />>\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile)/i,
+    reason: 'Appending to sensitive file - potential persistence mechanism'
+  },
+  {
+    pattern: /\bld\.so\.preload\b/i,
+    reason: 'LD_PRELOAD injection - shared library hijacking'
+  },
+
+  // wget with file upload
+  {
+    pattern: /wget\b.*--post-file/i,
+    reason: 'wget file upload - potential data exfiltration'
+  },
+
+  // pip install from custom index (supply chain attack)
+  {
+    pattern: /pip\b.*--index-url\s+https?:\/\/(?!pypi\.org)/i,
+    reason: 'pip install from non-PyPI index - potential supply chain attack'
+  },
+
+  // MCP server manipulation
+  {
+    pattern: /\bclaude\b.*\bmcp\b.*\badd\b/i,
+    reason: 'Adding MCP server - verify source is trusted'
+  },
 ];
 
 /**
@@ -178,11 +281,70 @@ export function matchesPattern(operation: string, patterns: SecurityPattern[]):
   return null;
 }
 
+/**
+ * Normalize file paths in Write/Edit/Read operations to resolve .. traversal.
+ * Prevents path traversal attacks like "Write: /home/user/../../etc/passwd"
+ * from matching safe home-directory patterns.
+ */
+export function normalizeOperation(operation: string): string {
+  const match = operation.match(/^(Write|Edit|Read):\s*(\S+)/i);
+  if (match?.[2].includes('..')) {
+    const [, tool, rawPath] = match;
+    const normalizedPath = resolve(rawPath);
+    return `${tool}: ${normalizedPath}`;
+  }
+  return operation;
+}
+
+/** Check if a Bash command contains chain operators that could hide dangerous ops after a safe prefix. */
+function containsChainOperators(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /;|&&|\|\||\n/.test(commandPart);
+}
+
+/** Check if a Bash command pipes output to known exfiltration/network tools or shells. */
+function containsDangerousPipe(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /\|\s*(nc|netcat|ncat|curl|wget|scp|bash|sh)\b/i.test(commandPart);
+}
+
+/** Check if a Bash command redirects output to sensitive paths (append or overwrite). */
+function containsSensitiveRedirect(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return />>?\s*~?\/?.*\/(authorized_keys|\.bashrc|\.bash_profile|\.zshrc|\.profile|\.ssh\/|\.aws\/|\.gnupg\/|ld\.so\.preload|crontab|sudoers)/i.test(commandPart)
+    || />>?\s*\/etc\//i.test(commandPart);
+}
+
+/** Check if a Bash command contains subshell or backtick expansion (not simple ${VAR}). */
+function containsBashExpansion(operation: string): boolean {
+  const commandPart = operation.replace(/^Bash:\s*/i, '');
+  return /`[^`]+`/.test(commandPart) || /\$\([^)]+\)/.test(commandPart);
+}
+
+/** Check if a Bash command contains any form of shell expansion: ${VAR}, $(...), or backticks. */
+function containsAnyExpansion(operation: string): boolean {
+  const cmd = operation.replace(/^Bash:\s*/i, '');
+  return /\$\{[^}]+\}/.test(cmd) || /\$\([^)]+\)/.test(cmd) || /`[^`]+`/.test(cmd);
+}
+
+/** Check if expansion is safely used as an argument to a known-safe command prefix.
+ *  e.g., "echo ${HOME}" or "cat ${FILE}" — the expansion can't change the command itself. */
+function isSafeExpansionUse(operation: string): boolean {
+  const cmd = operation.replace(/^Bash:\s*/i, '').trim();
+  // If the expansion IS the command (first token), it's never safe
+  if (/^(\$\{|\$\(|`)/.test(cmd)) return false;
+  // Safe command prefixes where expansion as an argument is harmless
+  const safePrefix = /^(echo|printf|cat|ls|pwd|whoami|date|env|printenv|test|true|false)\s/i;
+  return safePrefix.test(cmd);
+}
+
 /**
  * Determine if operation requires AI context review
  *
  * The philosophy here is:
- * - SAFE_OPERATIONS: No review needed (read-only, temp files, build artifact cleanup)
+ * - SENSITIVE_PATHS: Always require review (credentials, system configs)
+ * - SAFE_OPERATIONS: No review needed, UNLESS the bash command contains
+ *   chain operators, dangerous pipes, or subshell/backtick expansion
  * - CRITICAL_THREATS: Auto-deny, no review (catastrophic operations)
  * - Everything else: AI reviews context to determine if it matches user intent
  */
@@ -197,17 +359,48 @@ const SAFE_RM_PATTERNS = [
 ];
 
 export function requiresAIReview(operation: string): boolean {
-  if (matchesPattern(operation, SAFE_OPERATIONS)) return false;
-  if (matchesPattern(operation, CRITICAL_THREATS)) return false;
+  // Normalize paths to prevent .. traversal bypass
+  const op = normalizeOperation(operation);
+
+  // Check sensitive paths BEFORE safe operations — prevents home-dir
+  // safe pattern from masking .ssh, .aws, .bashrc, etc.
+  if (matchesPattern(op, SENSITIVE_PATHS)) return true;
+
+  // Bash commands with any shell expansion (${VAR}, $(...), backticks) are
+  // opaque — the bouncer can't predict what they expand to at runtime.
+  // Route to AI review BEFORE checking CRITICAL_THREATS or SAFE_OPERATIONS,
+  // UNLESS the command is clearly safe (expansion is just an argument to a
+  // known-safe prefix like "echo ${HOME}").
+  if (/^Bash:/i.test(op) && containsAnyExpansion(op) && !isSafeExpansionUse(op)) {
+    return true;
+  }
+
+  if (matchesPattern(op, SAFE_OPERATIONS)) {
+    // Safe bash commands must not contain chain operators, dangerous pipes,
+    // or subshell/backtick expansion that could hide dangerous operations.
+    // A safe prefix (e.g., "git clone") with chain operators (&&, ;, ||)
+    // means the full command isn't necessarily safe — route to AI review.
+    if (/^Bash:/i.test(op) && (
+      containsChainOperators(op) ||
+      containsDangerousPipe(op) ||
+      containsBashExpansion(op) ||
+      containsSensitiveRedirect(op)
+    )) {
+      return true;
+    }
+    return false;
+  }
+
+  if (matchesPattern(op, CRITICAL_THREATS)) return false;
 
-  if (matchesPattern(operation, NEEDS_AI_REVIEW)) {
-    return !SAFE_RM_PATTERNS.some(p => p.test(operation));
+  if (matchesPattern(op, NEEDS_AI_REVIEW)) {
+    return !SAFE_RM_PATTERNS.some(p => p.test(op));
   }
 
-  // Variable expansion and glob patterns are only concerning in Bash commands
-  if (/^Bash:/.test(operation)) {
-    if (/\$\{.*\}|\$\(.*\)/.test(operation) || /\*\*?/.test(operation)) return true;
-    if (/^Bash:\s*\.\//.test(operation)) return true;
+  // Glob patterns and script execution are concerning in Bash commands
+  if (/^Bash:/.test(op)) {
+    if (/\*\*?/.test(op)) return true;
+    if (/^Bash:\s*\.\//.test(op)) return true;
   }
 
   return false;
@@ -262,6 +455,9 @@ export function classifyRisk(operation: string): {
     { pattern: /chmod\s+777/i, reason: 'Dangerous permissions' },
     { pattern: /(curl|wget).*\|.*(bash|sh)/i, reason: 'Remote code execution' },
     { pattern: /pkill|killall/i, reason: 'Process termination' },
+    { pattern: /\|\s*(nc|netcat|ncat)\b/i, reason: 'Data exfiltration via netcat' },
+    { pattern: /\bscp\b.*@/i, reason: 'Data exfiltration via SCP' },
+    { pattern: /curl\b.*-d\s*@/i, reason: 'Data exfiltration via curl file upload' },
   ];
 
   for (const pattern of elevatedPatterns) {

package/server/services/websocket/handler.ts

@@ -19,6 +19,7 @@ import { handleFileExplorerMessage, handleFileMessage } from './file-explorer-ha
 import { FileUploadHandler } from './file-upload-handler.js';
 import { handleGitMessage } from './git-handlers.js';
 import type { HandlerContext, UsageReporter } from './handler-context.js';
+import { handleQualityMessage } from './quality-handlers.js';
 import { handleHistoryMessage, handleSessionMessage, initializeTab, resumeHistoricalSession } from './session-handlers.js';
 import { SessionRegistry } from './session-registry.js';
 import { generateNotificationSummary, handleGetSettings, handleUpdateSettings } from './settings-handlers.js';
@@ -220,6 +221,12 @@ export class WebSocketImproviseHandler implements HandlerContext {
         return handleRemoveTab(this, ws, tabId, workingDir);
       case 'markTabViewed':
         return handleMarkTabViewed(this, ws, tabId, workingDir);
+      // Quality messages
+      case 'qualityDetectTools':
+      case 'qualityScan':
+      case 'qualityInstallTools':
+      case 'qualityCodeReview':
+        return handleQualityMessage(this, ws, msg, tabId, workingDir);
       // Settings messages
       case 'getSettings':
         return handleGetSettings(this, ws);
@@ -291,6 +298,4 @@ export class WebSocketImproviseHandler implements HandlerContext {
     this.sessions.delete(sessionId);
   }
 
-  cleanupStaleSessions(): void {
-  }
 }

package/server/services/websocket/quality-handlers.ts

@@ -0,0 +1,140 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+
+import { join } from 'node:path';
+import type { HandlerContext } from './handler-context.js';
+import { detectTools, installTools, runQualityScan } from './quality-service.js';
+import type { WebSocketMessage, WSContext } from './types.js';
+
+export function handleQualityMessage(
+  ctx: HandlerContext,
+  ws: WSContext,
+  msg: WebSocketMessage,
+  _tabId: string,
+  workingDir: string,
+): void {
+  const handlers: Record<string, () => void> = {
+    qualityDetectTools: () => handleDetectTools(ctx, ws, msg, workingDir),
+    qualityScan: () => handleScan(ctx, ws, msg, workingDir),
+    qualityInstallTools: () => handleInstallTools(ctx, ws, msg, workingDir),
+    qualityCodeReview: () => handleCodeReview(ctx, ws, msg, workingDir),
+  };
+
+  const handler = handlers[msg.type];
+  if (!handler) return;
+
+  try {
+    handler();
+  } catch (error) {
+    const errMsg = error instanceof Error ? error.message : String(error);
+    ctx.send(ws, {
+      type: 'qualityError',
+      data: { path: msg.data?.path || workingDir, error: errMsg },
+    });
+  }
+}
+
+function resolvePath(workingDir: string, dirPath?: string): string {
+  if (!dirPath || dirPath === '.' || dirPath === './') return workingDir;
+  if (dirPath.startsWith('/')) return dirPath;
+  return join(workingDir, dirPath);
+}
+
+async function handleDetectTools(
+  ctx: HandlerContext,
+  ws: WSContext,
+  msg: WebSocketMessage,
+  workingDir: string,
+): Promise<void> {
+  const dirPath = resolvePath(workingDir, msg.data?.path);
+  try {
+    const { tools, ecosystem } = await detectTools(dirPath);
+    ctx.send(ws, {
+      type: 'qualityToolsDetected',
+      data: { path: msg.data?.path || '.', tools, ecosystem },
+    });
+  } catch (error) {
+    ctx.send(ws, {
+      type: 'qualityError',
+      data: { path: msg.data?.path || '.', error: error instanceof Error ? error.message : String(error) },
+    });
+  }
+}
+
+async function handleScan(
+  ctx: HandlerContext,
+  ws: WSContext,
+  msg: WebSocketMessage,
+  workingDir: string,
+): Promise<void> {
+  const dirPath = resolvePath(workingDir, msg.data?.path);
+  const reportPath = msg.data?.path || '.';
+
+  try {
+    const results = await runQualityScan(dirPath, (progress) => {
+      ctx.send(ws, {
+        type: 'qualityScanProgress',
+        data: { path: reportPath, progress },
+      });
+    });
+    ctx.send(ws, {
+      type: 'qualityScanResults',
+      data: { path: reportPath, results },
+    });
+  } catch (error) {
+    ctx.send(ws, {
+      type: 'qualityError',
+      data: { path: reportPath, error: error instanceof Error ? error.message : String(error) },
+    });
+  }
+}
+
+async function handleInstallTools(
+  ctx: HandlerContext,
+  ws: WSContext,
+  msg: WebSocketMessage,
+  workingDir: string,
+): Promise<void> {
+  const dirPath = resolvePath(workingDir, msg.data?.path);
+  const reportPath = msg.data?.path || '.';
+  const toolNames: string[] | undefined = msg.data?.tools;
+
+  try {
+    ctx.send(ws, {
+      type: 'qualityInstallProgress',
+      data: { path: reportPath, installing: true },
+    });
+
+    const { tools, ecosystem } = await installTools(dirPath, toolNames);
+
+    ctx.send(ws, {
+      type: 'qualityInstallComplete',
+      data: { path: reportPath, tools, ecosystem },
+    });
+  } catch (error) {
+    ctx.send(ws, {
+      type: 'qualityError',
+      data: { path: reportPath, error: error instanceof Error ? error.message : String(error) },
+    });
+  }
+}
+
+async function handleCodeReview(
+  ctx: HandlerContext,
+  ws: WSContext,
+  msg: WebSocketMessage,
+  _workingDir: string,
+): Promise<void> {
+  const reportPath = msg.data?.path || '.';
+
+  // Code review via headless Claude will be implemented in a follow-up.
+  // For now, send an empty result to unblock the UI.
+  ctx.send(ws, {
+    type: 'qualityCodeReview',
+    data: {
+      path: reportPath,
+      findings: [],
+      summary: 'Code review requires a Claude Code session. Run from the Chat view for a detailed code review.',
+    },
+  });
+}