principles-disciple 1.61.0 → 1.63.0

package/src/hooks/bash-risk.ts

@@ -1,175 +0,0 @@
-/**
- * Bash Risk Analysis Module
- *
- * Analyzes bash command security risks and determines command categorization.
- *
- * **Responsibilities:**
- * - De-obfuscate Unicode/Cyrillic lookalike characters (security bypass prevention)
- * - Tokenize command chains to detect multi-command bypasses
- * - Classify commands as: 'safe', 'dangerous', or 'normal'
- * - Pattern matching against safe/dangerous regex patterns
- * - Fail-closed behavior (invalid regex = dangerous)
- *
- * **Configuration:**
- * - Bash safe patterns from gfi_gate.bash_safe_patterns
- * - Bash dangerous patterns from gfi_gate.bash_dangerous_patterns
- */
-
-// TODO: Extract types from gate.ts related to bash risk analysis
-export interface BashRiskConfig {
-  bash_safe_patterns?: string[];
-  bash_dangerous_patterns?: string[];
-}
-
-export type BashRiskLevel = 'safe' | 'dangerous' | 'normal';
-
-/**
- * Analyzes a bash command to determine its risk level.
- *
- * Implements security features:
- * - Unicode/Cyrillic de-obfuscation to detect homograph attacks
- * - Command chain tokenization to catch multi-command bypasses
- * - Pattern matching against safe/dangerous regex patterns
- * - Fail-closed behavior (invalid dangerous regex = dangerous)
- *
- * @param command - The bash command to analyze
- * @param safePatterns - Regex patterns that indicate safe commands
- * @param dangerousPatterns - Regex patterns that indicate dangerous commands
- * @param logger - Optional logger for warnings about invalid patterns
- * @returns The risk level: 'safe', 'dangerous', or 'normal'
- */
- 
- 
-export function analyzeBashCommand(
-  command: string,
-  safePatterns: string[],
-  dangerousPatterns: string[],
-  logger?: { warn?: ( _message: string) => void }
-): BashRiskLevel {
-  let normalizedCmd = command.trim().toLowerCase();
-
-  // Unicode de-obfuscation — convert Cyrillic/Unicode lookalikes to ASCII equivalents
-  // Common Cyrillic lookalikes that could bypass detection: аеорсух (Cyrillic) → aeopcyx (Latin)
-  const CYRILLIC_TO_LATIN: Record<string, string> = {
-    'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'у': 'y', 'х': 'x',
-    'А': 'a', 'Е': 'e', 'О': 'o', 'Р': 'p', 'С': 'c', 'У': 'y', 'Х': 'x',
-    // Additional confusable chars
-    'і': 'i', 'ј': 'j', 'ѕ': 's', 'ԁ': 'd', 'ɡ': 'g', 'һ': 'h', 'ⅰ': 'i',
-    'ƚ': 'l', 'м': 'm', 'п': 'n', 'ѵ': 'v', 'ѡ': 'w', 'ᴦ': 'r', 'ꜱ': 's',
-  };
-  normalizedCmd = normalizedCmd.replace(/[а-яА-Яіјѕԁɡһⅰƚмпеꜱѵѡᴦꜱ]/g, m => CYRILLIC_TO_LATIN[m] ?? m);
-
-  // Zero-width character detection — detect hidden characters that could bypass pattern matching
-  // Common zero-width characters used in command injection:
-  // - Zero-width space (U+200B)
-  // - Zero-width non-joiner (U+200C)
-  // - Zero-width joiner (U+200D)
-  // - Word joiner (U+2060)
-  // - Zero-width invisible separator (U+FEFF)
-   
-  const ZERO_WIDTH_CHARS = /\u200B|\u200C|\u200D|\u2060|\uFEFF/g;
-  if (ZERO_WIDTH_CHARS.test(command)) {
-    logger?.warn?.(`[PD_GATE] Bash command contains zero-width characters — blocking as dangerous`);
-    return 'dangerous'; // Fail-closed: zero-width chars are suspicious
-  }
-
-  // Tokenize command chain before pattern matching to catch `cmd1 && cmd2` bypasses
-  // Only split on statement separators (; && ||), NOT on pipe (|) which is part of the command
-  const tokens = normalizedCmd
-    .split(/\s*(?:;|&&|\|\|)\s*/)
-    .map(t => t.trim())
-    .filter(t => t.length > 0);
-
-  // If no tokens (e.g., pure pipe-only), use the original
-  const segments = tokens.length > 0 ? tokens : [normalizedCmd];
-
-  // Also strip outer $() and backticks from each segment, but PRESERVE inner content
-  const cleanSegments = segments.map(seg => {
-    let s = seg;
-    // Extract inner content from $() or ${} or backtick-wrapped commands
-    // IMPORTANT: Preserve the inner command for analysis, don't drop it entirely
-    s = s.replace(/^\$\(([^)]+)\)$/, '$1').replace(/^\$\{([^}]+)\}$/, '$1').replace(/^`([^`]+)`$/, '$1');
-    return s.trim();
-  }).filter(s => s.length > 0);
-
-  // SECURITY: If original input was non-empty but we have no analyzable content, fail closed
-  if (cleanSegments.length === 0 && normalizedCmd.trim().length > 0) {
-    logger?.warn?.(`[PD_GATE] Bash command analysis produced empty segments from non-empty input, failing closed: ${normalizedCmd.substring(0, 100)}`);
-    return 'dangerous';
-  }
-
-  // 1. Check dangerous patterns against each segment
-  for (const seg of cleanSegments) {
-    for (const pattern of dangerousPatterns) {
-      try {
-        if (new RegExp(pattern, 'i').test(seg)) {
-          return 'dangerous';
-        }
-      } catch (error) {
-        logger?.warn?.(`[PD_GATE] Invalid dangerous bash regex "${pattern}": ${String(error)}. Failing closed.`);
-        return 'dangerous';
-        // Fail-closed: 无效的危险模式正则视为匹配危险命令
-      }
-    }
-  }
-
-  // 2. Check safe patterns (only if ALL segments are safe)
-  for (const seg of cleanSegments) {
-    let isSafe = false;
-    for (const pattern of safePatterns) {
-      try {
-        if (new RegExp(pattern, 'i').test(seg)) {
-          isSafe = true;
-          break;
-        }
-      } catch (error) {
-        logger?.warn?.(`[PD_GATE] Invalid safe bash regex "${pattern}": ${String(error)}. Ignoring safe override.`);
-      }
-    }
-    if (!isSafe) {
-      // Not all segments are safe → treat as normal
-      return 'normal';
-    }
-  }
-
-  // All segments are safe
-  return 'safe';
-}
-
-export interface DynamicThresholdConfig {
-  large_change_lines: number;
-  ep_tier_multipliers: Record<string, number>;
-}
-
-/**
- * Calculates the dynamic GFI threshold based on EP tier and line changes.
- *
- * The threshold is adjusted by:
- * 1. EP tier multiplier (higher tiers get higher thresholds)
- * 2. Large change reduction (big edits lower the threshold to catch more issues)
- *
- * @param baseThreshold - The base GFI threshold (typically 50 for GFI)
- * @param epTier - Current EP tier (1-5)
- * @param lineChanges - Number of lines being changed
- * @param config - Configuration with large_change_lines and ep_tier_multipliers
- * @returns The adjusted threshold (minimum 0)
- */
- 
-export function calculateDynamicThreshold(
-  baseThreshold: number,
-  epTier: number,
-  lineChanges: number,
-  config: DynamicThresholdConfig
-): number {
-  // 1. EP Tier multiplier
-  const tierMultiplier = config.ep_tier_multipliers[epTier.toString()] || 1.0;
-  let threshold = baseThreshold * tierMultiplier;
-
-  // 2. Large scale modification reduces threshold
-  if (lineChanges > config.large_change_lines) {
-    const ratio = Math.min(lineChanges / 200, 0.5); // Reduce by up to 50%
-    threshold = threshold * (1 - ratio);
-  }
-
-  return Math.round(Math.max(threshold, 0));
-}

package/src/hooks/edit-verification.ts

@@ -1,302 +0,0 @@
-/**
- * Edit Verification Module
- *
- * Enforces P-03 (precise verification principle) for edit tool operations.
- *
- * **Responsibilities:**
- * - Verify oldText matches current file content before edit
- * - Fuzzy matching for whitespace-agnostic comparison
- * - File size limits and binary file detection
- * - Automatic correction of whitespace mismatches
- * - Detailed error messages with guidance for fix
- *
- * **Configuration:**
- * - Edit verification settings from profile.edit_verification
- * - Max file size threshold (default 10MB)
- * - Fuzzy match threshold (default 0.8)
- * - Skip action for large files (warn/block)
- */
-
-import * as fs from 'fs';
-import * as path from 'path';
-import type { PluginHookBeforeToolCallEvent, PluginHookBeforeToolCallResult } from '../openclaw-sdk.js';
-import type { WorkspaceContext } from '../core/workspace-context.js';
-
-export interface EditVerificationConfig {
-  enabled?: boolean;
-  max_file_size_bytes?: number;
-  fuzzy_match_enabled?: boolean;
-  fuzzy_match_threshold?: number;
-  skip_large_file_action?: 'warn' | 'block';
-}
-
-/**
- * Normalize a line for fuzzy matching by collapsing whitespace
- */
-export function normalizeLine(line: string): string {
-  return line.replace(/\s+/g, ' ').trim();
-}
-
-/**
- * Find fuzzy match between oldText and current file content
- * @param lines - File content split into lines
- * @param oldLines - oldText split into lines
- * @param threshold - Match threshold (0-1)
- * @returns Match index or -1 if not found
- */
-export function findFuzzyMatch(lines: string[], oldLines: string[], threshold = 0.8): number {
-  if (oldLines.length === 0) return -1;  // P2 fix: empty array boundary check
-
-  const normalizedLines = lines.map(normalizeLine);
-  const normalizedOldLines = oldLines.map(normalizeLine);
-
-  // Try to find matching sequence
-  for (let i = 0; i <= lines.length - oldLines.length; i++) {
-    let matchCount = 0;
-    for (let j = 0; j < oldLines.length; j++) {
-      if (normalizedLines[i + j] === normalizedOldLines[j]) {
-        matchCount++;
-      }
-    }
-
-    // Use threshold from config
-    if (matchCount >= oldLines.length * threshold) {
-      return i;
-    }
-  }
-
-  return -1;
-}
-
-/**
- * Try to find a fuzzy match for oldText in current content
- * @param currentContent - Current file content
- * @param oldText - Text to match
- * @param threshold - Match threshold (0-1)
- * @returns Object with found status and corrected text if found
- */
-export function tryFuzzyMatch(currentContent: string, oldText: string, threshold = 0.8): { found: boolean; correctedText?: string } {
-  const lines = currentContent.split('\n');
-  const oldLines = oldText.split('\n');
-
-  const matchIndex = findFuzzyMatch(lines, oldLines, threshold);
-
-  if (matchIndex !== -1) {
-    // Found fuzzy match, extract actual text from file
-    const correctedText = lines.slice(matchIndex, matchIndex + oldLines.length).join('\n');
-    return { found: true, correctedText };
-  }
-
-  return { found: false };
-}
-
-/**
- * Generate a helpful error message for edit verification failure
- */
-export function generateEditError(filePath: string, oldText: string, currentContent: string): string {
-  const expectedSnippet = oldText.split('\n').slice(0, 3).join('\n').substring(0, 200);
-  const actualSnippet = currentContent.substring(0, 200);
-
-  return `[P-03 Violation] Edit verification failed
-
-File: ${filePath}
-
-The text you're trying to replace does not match the current file content.
-
-Expected to find:
-${expectedSnippet}${oldText.length > 200 ? '...' : ''}
-
-Actual file contains:
-${actualSnippet}${currentContent.length > 200 ? '...' : ''}
-
-Possible reasons:
-  - File has been modified by another process
-  - Whitespace characters do not match (spaces, tabs, newlines)
-  - Context compression caused outdated information
-
-Solution:
-  1. Use 'read' tool to get current file content
-  2. Update your edit command with exact text from file
-  3. Retry edit operation
-
-This is enforced by P-03 (精确匹配前验证原则).`;
-}
-
-/**
- * Handle edit tool verification before allowing operation
- * This enforces P-03 at the tool layer
- */
- 
- 
-export function handleEditVerification(
-  event: PluginHookBeforeToolCallEvent,
-  wctx: WorkspaceContext,
-   
-  ctx: { logger?: any; sessionId?: string },
-  config: EditVerificationConfig = {}
-): PluginHookBeforeToolCallResult | void {
-  // Skip verification if disabled - return early without any processing or logging
-  if (config.enabled === false) {
-    return;
-  }
-
-  const logger = ctx.logger || console;
-  const maxSizeBytes = config.max_file_size_bytes ?? 10 * 1024 * 1024; // Default 10MB
-  const fuzzyMatchEnabled = config.fuzzy_match_enabled !== false;
-  const fuzzyMatchThreshold = config.fuzzy_match_threshold ?? 0.8;
-  const skipAction: 'warn' | 'block' = config.skip_large_file_action ?? 'warn';
-
-  // 1. Extract parameters (handle both parameter naming conventions)
-  const filePath = event.params.file_path || event.params.path || event.params.file;
-  const oldText = event.params.oldText || event.params.old_string;
-
-  if (!filePath || !oldText) {
-    // Missing required parameters, let it fail naturally
-    return;
-  }
-
-  // 2. Resolve and read file
-   
-   
-  let absolutePath: string;
-  try {
-    absolutePath = wctx.resolve(filePath);
-  } catch (_error) { // eslint-disable-line @typescript-eslint/no-unused-vars -- Reason: intentionally unused - let it fail naturally on path resolution error
-    // Path resolution error, let it fail naturally
-    return;
-  }
-
-  // 2.5. Skip verification for binary files
-  const BINARY_EXTENSIONS = ['.png', '.jpg', '.jpeg', '.gif', '.webp', '.bmp', '.svg',
-                           '.pdf', '.zip', '.tar', '.gz', '.7z', '.rar',
-                           '.exe', '.dll', '.so', '.dylib', '.bin',
-                           '.mp3', '.mp4', '.avi', '.mov', '.wav',
-                           '.ttf', '.otf', '.woff', '.woff2',
-                           '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx'];
-  const ext = path.extname(absolutePath).toLowerCase();
-  if (BINARY_EXTENSIONS.includes(ext)) {
-    logger?.info?.(`[PD_GATE:EDIT_VERIFY] Skipping verification for binary file: ${path.basename(filePath)}`);
-    return;
-  }
-
-  try {
-    // 2.6. Check file size before reading (P-03 improvement)
-    try {
-      const stats = fs.statSync(absolutePath);
-      const fileSizeBytes = stats.size;
-      const fileSizeMB = fileSizeBytes / (1024 * 1024);
-
-      if (fileSizeBytes > maxSizeBytes) {
-        const message = `[PD_GATE:EDIT_VERIFY] File size check: ${path.basename(filePath)} is ${fileSizeMB.toFixed(2)}MB (threshold: ${(maxSizeBytes / (1024 * 1024)).toFixed(2)}MB)`;
-
-        if (skipAction === 'block') {
-          logger?.warn?.(message + ' - BLOCKED');
-          return {
-            block: true,
-            blockReason: `${message}\n\nFile is too large for edit verification. Increase max_file_size_bytes in PROFILE.json or reduce file size.`
-          };
-        } else {
-          logger?.warn?.(message + ' - SKIPPING verification');
-          return; // Skip verification but allow operation
-        }
-      }
-
-      logger?.info?.(`[PD_GATE:EDIT_VERIFY] File size check passed: ${path.basename(filePath)} (${fileSizeMB.toFixed(2)}MB)`);
-    } catch (statError) {
-      // File stat error (e.g., permission denied)
-      const errStr = statError instanceof Error ? statError.message : String(statError);
-      const errCode = (statError as { code?: string }).code;
-
-      if (errCode === 'EACCES' || errCode === 'EPERM') {
-        logger?.error?.(`[PD_GATE:EDIT_VERIFY] Permission denied accessing file: ${path.basename(filePath)} (${errStr})`);
-        return {
-          block: true,
-          blockReason: `[P-03 Error] Permission denied: Cannot access file ${absolutePath}\n\nError: ${errStr}\n\nSolution: Check file permissions or run with appropriate access rights.`
-        };
-      } else if (errCode === 'ENOENT') {
-        logger?.warn?.(`[PD_GATE:EDIT_VERIFY] File not found: ${path.basename(filePath)} (${errStr})`);
-        // File doesn't exist - let edit operation proceed (it will create file)
-        return;
-      } else {
-        logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Stat error: ${errStr}`);
-        // Let it fail naturally on read attempt
-      }
-    }
-
-    // 3. Read current file content with improved error handling
-     
-     
-    let currentContent: string;
-    try {
-      currentContent = fs.readFileSync(absolutePath, 'utf-8');
-    } catch (readError) {
-      const errStr = readError instanceof Error ? readError.message : String(readError);
-      const errCode = (readError as { code?: string }).code;
-
-      if (errCode === 'EACCES' || errCode === 'EPERM') {
-        logger?.error?.(`[PD_GATE:EDIT_VERIFY] Permission denied reading file: ${path.basename(filePath)} (${errStr})`);
-        return {
-          block: true,
-          blockReason: `[P-03 Error] Permission denied: Cannot read file ${absolutePath}\n\nError: ${errStr}\n\nSolution: Check file permissions or run with appropriate access rights.`
-        };
-      } else if (errCode === 'ENOENT') {
-        logger?.warn?.(`[PD_GATE:EDIT_VERIFY] File not found: ${path.basename(filePath)} (${errStr})`);
-        // File doesn't exist - let edit operation proceed
-        return;
-      } else if (errStr.includes('UTF-8') || errStr.includes('encoding')) {
-        logger?.error?.(`[PD_GATE:EDIT_VERIFY] Encoding error reading file: ${path.basename(filePath)} (${errStr})`);
-        return {
-          block: true,
-          blockReason: `[P-03 Error] Encoding error: Cannot read file ${absolutePath}\n\nError: ${errStr}\n\nThe file appears to use an encoding other than UTF-8. Edit verification requires UTF-8 readable text files.\n\nSolution: Ensure file is UTF-8 encoded text, or mark binary extensions to skip verification.`
-        };
-      } else {
-        logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Read error: ${errStr}`);
-        // Let it fail naturally
-        return;
-      }
-    }
-
-    // 4. Verify oldText exists in current content
-    if (!currentContent.includes(oldText)) {
-      logger?.info?.(`[PD_GATE:EDIT_VERIFY] Exact match failed for ${path.basename(filePath)}, trying fuzzy match`);
-
-      // 5. Try fuzzy matching (if enabled)
-      if (fuzzyMatchEnabled) {
-        const fuzzyResult = tryFuzzyMatch(currentContent, oldText, fuzzyMatchThreshold);
-
-        if (fuzzyResult.found && fuzzyResult.correctedText) {
-          logger?.info?.(`[PD_GATE:EDIT_VERIFY] Fuzzy match found for ${path.basename(filePath)}, auto-correcting oldText`);
-
-          // Return corrected parameters
-          return {
-            params: {
-              ...event.params,
-              oldText: fuzzyResult.correctedText,
-              old_string: fuzzyResult.correctedText
-            }
-          };
-        }
-      }
-
-      // 6. No match found, block operation with helpful error
-      const errorMsg = generateEditError(absolutePath, oldText, currentContent);
-
-      logger?.error?.(`[PD_GATE:EDIT_VERIFY] Block edit on ${path.basename(filePath)}: oldText not found`);
-
-      return {
-        block: true,
-        blockReason: errorMsg
-      };
-    }
-
-    // 7. Verification passed, allow edit to proceed
-    logger?.info?.(`[PD_GATE:EDIT_VERIFY] Verified edit on ${path.basename(filePath)}`);
-    return;
-
-  } catch (error) {
-    // Unexpected error - let it fail naturally
-    const errorStr = error instanceof Error ? error.message : String(error);
-    logger?.warn?.(`[PD_GATE:EDIT_VERIFY] Unexpected error: ${errorStr}`);
-    return;
-  }
-}

package/src/hooks/gfi-gate.ts

@@ -1,186 +0,0 @@
-/**
- * GFI Gate Module
- *
- * Handles Fatigue Index (GFI) based tool blocking with TIER 0-3 classification.
- *
- * **Responsibilities:**
- * - Calculate dynamic GFI thresholds based on EP tier and line changes
- * - Apply tier-based tool blocking:
- *   - TIER 0: Read-only tools (never blocked)
- *   - TIER 1: Low-risk writes (blocked when GFI >= low_risk_block threshold)
- *   - TIER 2: High-risk operations (blocked when GFI >= high_risk_block threshold)
- *   - TIER 3: Bash commands (content-dependent blocking)
- * - Prevent subagent spawn at critically high GFI (>=90)
- *
- * **Configuration:**
- * - GFI thresholds from config.gfi_gate
- * - EP tier multipliers for dynamic threshold calculation
- * - Large change adjustments
- *
- * **Block Persistence:**
- * - Uses shared `recordGateBlockAndReturn` from gate-block-helper.ts
- * - Ensures single authoritative block persistence path
- */
-
-import { getSession } from '../core/session-tracker.js';
-import { estimateLineChanges } from '../core/risk-calculator.js';
-import { analyzeBashCommand, calculateDynamicThreshold } from './bash-risk.js';
-import { BASH_TOOLS_SET, HIGH_RISK_TOOLS, LOW_RISK_WRITE_TOOLS, AGENT_TOOLS } from '../constants/tools.js';
-import { AGENT_SPAWN_GFI_THRESHOLD } from '../config/index.js';
-import { recordGateBlockAndReturn } from './gate-block-helper.js';
-import { getEvolutionEngine } from '../core/evolution-engine.js';
-import type { WorkspaceContext } from '../core/workspace-context.js';
-import type { PluginHookBeforeToolCallEvent, PluginHookBeforeToolCallResult } from '../openclaw-sdk.js';
-
-export interface GfiGateConfig {
-  enabled?: boolean;
-  thresholds?: {
-    low_risk_block?: number;
-    high_risk_block?: number;
-  };
-  large_change_lines?: number;
-  ep_tier_multipliers?: Record<string, number>;
-  bash_safe_patterns?: string[];
-  bash_dangerous_patterns?: string[];
-}
-
-/**
- * Internal helper to call the shared block helper with gfi-gate source tag.
- */
- 
- 
-function block(
-  wctx: WorkspaceContext,
-  filePath: string,
-  reason: string,
-  toolName: string,
-  sessionId: string | undefined,
-   
-  logger?: { info?: (message: string) => void; warn?: (message: string) => void; error?: (message: string) => void }
-   
-): PluginHookBeforeToolCallResult {
-  return recordGateBlockAndReturn(wctx, {
-    filePath,
-    reason,
-    toolName,
-    sessionId,
-    blockSource: 'gfi-gate',
-  }, logger ||  
-  { warn: () => { /* no-op */ }, error: () => { /* no-op */ } } as const);
-}
-
- 
- 
-export function checkGfiGate(
-  event: PluginHookBeforeToolCallEvent,
-  wctx: WorkspaceContext,
-  sessionId: string | undefined,
-  config: GfiGateConfig,
-   
-  logger?: { info?: (message: string) => void; warn?: (message: string) => void }
-   
-): PluginHookBeforeToolCallResult | undefined {
-  if (!config || config.enabled === false || !sessionId) {
-    return undefined;
-  }
-
-  const session = getSession(sessionId);
-  const currentGfi = session?.currentGfi || 0;
-
-  const getEpTier = (): number => {
-    return getEvolutionEngine(wctx.workspaceDir).getTier();
-  };
-
-  // TIER 3: Bash commands
-  if (BASH_TOOLS_SET.has(event.toolName)) {
-    const command = String(event.params.command || event.params.args || '');
-    const bashRisk = analyzeBashCommand(
-      command,
-      config.bash_safe_patterns || [],
-      config.bash_dangerous_patterns || [],
-      logger
-    );
-
-    if (bashRisk === 'dangerous') {
-      logger?.warn?.(`[PD:GFI_GATE] Dangerous bash command blocked: ${command.substring(0, 50)}...`);
-      return block(wctx, command.substring(0, 100), `危险命令被拦截。检测到危险命令模式，需要确认执行意图。`, event.toolName, sessionId, logger);
-    }
-
-    if (bashRisk === 'safe') {
-      return undefined;
-    }
-
-    // normal bash - check GFI threshold
-    const tier = getEpTier();
-    const baseThreshold = config.thresholds?.low_risk_block || 70;
-    const dynamicThreshold = calculateDynamicThreshold(
-      baseThreshold,
-      tier,
-      0,
-      {
-        large_change_lines: config.large_change_lines || 50,
-        ep_tier_multipliers: config.ep_tier_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5, '5': 2.0 },
-      }
-    );
-
-    if (currentGfi >= dynamicThreshold) {
-      logger?.warn?.(`[PD:GFI_GATE] Bash blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-      return block(wctx, command.substring(0, 100), `疲劳指数过高 (GFI: ${currentGfi}/${dynamicThreshold})。系统进入保护模式。`, event.toolName, sessionId, logger);
-    }
-
-    return undefined;
-  }
-
-  // TIER 2: High-risk tools
-  if (HIGH_RISK_TOOLS.has(event.toolName)) {
-    const tier = getEpTier();
-    const baseThreshold = config.thresholds?.high_risk_block || 40;
-    const dynamicThreshold = calculateDynamicThreshold(
-      baseThreshold,
-      tier,
-      0,
-      {
-        large_change_lines: config.large_change_lines || 50,
-        ep_tier_multipliers: config.ep_tier_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5, '5': 2.0 },
-      }
-    );
-
-    if (currentGfi >= dynamicThreshold) {
-      const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
-      logger?.warn?.(`[PD:GFI_GATE] High-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-      return block(wctx, filePath, `高风险操作被拦截。GFI: ${currentGfi}/${dynamicThreshold}。高风险工具需要更低的阈值。`, event.toolName, sessionId, logger);
-    }
-  }
-
-  // TIER 1: Low-risk write tools
-  if (LOW_RISK_WRITE_TOOLS.has(event.toolName)) {
-    const tier = getEpTier();
-    const lineChanges = estimateLineChanges({ toolName: event.toolName, params: event.params });
-    const baseThreshold = config.thresholds?.low_risk_block || 70;
-    const dynamicThreshold = calculateDynamicThreshold(
-      baseThreshold,
-      tier,
-      lineChanges,
-      {
-        large_change_lines: config.large_change_lines || 50,
-        ep_tier_multipliers: config.ep_tier_multipliers || { '1': 0.5, '2': 0.75, '3': 1.0, '4': 1.5, '5': 2.0 },
-      }
-    );
-
-    if (currentGfi >= dynamicThreshold) {
-      const filePath = event.params.file_path || event.params.path || event.params.file || event.params.target || 'unknown';
-      logger?.warn?.(`[PD:GFI_GATE] Low-risk tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${dynamicThreshold}`);
-      return block(wctx, filePath, `疲劳指数过高 (GFI: ${currentGfi}/${dynamicThreshold})。系统进入保护模式。`, event.toolName, sessionId, logger);
-    }
-  }
-
-  // AGENT_TOOLS: Block subagent spawn when GFI is critically high
-  if (AGENT_TOOLS.has(event.toolName)) {
-    if (currentGfi >= AGENT_SPAWN_GFI_THRESHOLD) {
-      logger?.warn?.(`[PD:GFI_GATE] Agent tool "${event.toolName}" blocked by GFI: ${currentGfi} >= ${AGENT_SPAWN_GFI_THRESHOLD}`);
-      return block(wctx, 'subagent-spawn', `疲劳指数过高，禁止派生子智能体。GFI: ${currentGfi}/${AGENT_SPAWN_GFI_THRESHOLD}`, event.toolName, sessionId, logger);
-    }
-  }
-
-  return undefined;
-}