veto-sdk 1.17.0 → 2.2.0

package/dist/core/veto.js

@@ -6,12 +6,14 @@
  *
  * @module core/veto
  */
-import { createLogger } from '../utils/logger.js';
+import { createLogger, } from '../utils/logger.js';
 import { generateId, generateToolCallId } from '../utils/id.js';
 import { ValidationEngine } from './validator.js';
 import { HistoryTracker } from './history.js';
 import { BudgetTracker, BudgetExceededError } from './budget.js';
 import { Interceptor, ToolCallDeniedError } from './interceptor.js';
+import { EconomicEvaluator } from '../economic/evaluator.js';
+import { LocalBudgetEngine } from '../economic/budget-engine.js';
 import { compile, evaluate } from '../compiler/index.js';
 import { evaluateConditionCollections } from '../rules/condition-evaluator.js';
 import { VetoCloudClient, ApprovalTimeoutError } from '../cloud/client.js';
@@ -19,6 +21,7 @@ import { PolicyCache } from '../cloud/policy-cache.js';
 import { validateDeterministic } from '../deterministic/validator.js';
 import { OutputValidator } from './output-validator.js';
 import { EventWebhookEmitter, resolveEventWebhookConfig, } from './events.js';
+const RESERVED_LOCAL_CONTEXT_KEYS = new Set(['market', 'budget', 'portfolio']);
 class LocalApprovalTimeoutError extends Error {
     constructor(timeoutMs) {
         super(`Approval callback timed out after ${timeoutMs}ms`);
@@ -46,11 +49,13 @@ class LocalApprovalTimeoutError extends Error {
  * ```
  */
 export class Veto {
-    static DEFAULT_CLOUD_BASE_URL = 'https://api.runveto.com';
+    static DEFAULT_CLOUD_BASE_URL = 'https://api.veto.so';
     logger;
     validationEngine;
     historyTracker;
     budgetTracker;
+    economicEvaluator;
+    economicBudgetEngine;
     interceptor;
     outputValidator;
     eventWebhookEmitter;
@@ -81,28 +86,44 @@ export class Veto {
     approvalPollOptions;
     localApprovalConfig;
     onApprovalRequired;
+    onDecisionMade;
     // Approval preference cache: tool name -> 'approve_all' | 'deny_all'
     approvalPreferences = new Map();
     // Client-side deterministic validation cache
     policyCache = null;
+    remoteOutputRulesByTool = new Map();
     // Loaded rules
     rulesState;
+    localSourceFiles = [];
+    localRulesDir;
+    localRulesRecursive;
     browserMode;
     compiledExpressionCache = new Map();
     refreshIntervalId = null;
-    constructor(options, config, rules, logger, browserMode = false) {
+    constructor(options, config, rules, logger, browserMode = false, localRulesSource) {
         this.logger = logger;
         this.configDir = options.configDir ?? './veto';
         this.rulesState = rules;
+        this.localSourceFiles = localRulesSource?.sourceFiles ?? [];
+        this.localRulesDir = localRulesSource?.dir;
+        this.localRulesRecursive = localRulesSource?.recursive ?? true;
         this.browserMode = browserMode;
         const envMode = this.browserMode
             ? undefined
             : Veto.parseEnvMode(process.env.VETO_MODE);
         this.mode = options.mode ?? config.mode ?? envMode ?? 'strict';
+        const envLogSetting = this.browserMode
+            ? undefined
+            : Veto.parseEnvLogSetting(process.env.VETO_LOG);
         const envLogLevel = this.browserMode
             ? undefined
             : Veto.parseEnvLogLevel(process.env.VETO_LOG_LEVEL);
-        this.resolvedLogLevel = options.logLevel ?? envLogLevel ?? config.logging?.level ?? 'info';
+        const explicitLogLevel = Veto.resolveExplicitLogLevel(options);
+        this.resolvedLogLevel = explicitLogLevel
+            ?? envLogSetting?.level
+            ?? envLogLevel
+            ?? config.logging?.level
+            ?? 'info';
         const explicitValidationMode = config.validation?.mode;
         const cloudApiKey = options.apiKey
             ?? config.cloud?.apiKey
@@ -230,8 +251,9 @@ export class Veto {
                 reasonField: config.approval?.responseSchema?.reasonField ?? 'reason',
             },
         };
-        // Approval hook
+        // Hooks
         this.onApprovalRequired = options.onApprovalRequired;
+        this.onDecisionMade = options.onDecisionMade;
         this.eventWebhookEmitter = new EventWebhookEmitter(resolveEventWebhookConfig(config.events?.webhook, this.logger), this.logger);
         // Resolve tracking options
         const envSessionId = this.browserMode ? undefined : process.env.VETO_SESSION_ID;
@@ -319,6 +341,28 @@ export class Veto {
         else {
             this.budgetTracker = null;
         }
+        // Initialize economic evaluator (if configured)
+        if (config.economic?.budgets?.length) {
+            const localBudgetEngine = new LocalBudgetEngine({
+                budgets: config.economic.budgets,
+                logger: this.logger,
+            });
+            this.economicBudgetEngine = localBudgetEngine;
+            this.economicEvaluator = new EconomicEvaluator({
+                policy: config.economic,
+                budgetEngine: localBudgetEngine,
+                logger: this.logger,
+            });
+            this.logger.info('Economic authorization enabled', {
+                budgets: config.economic.budgets.length,
+                protocols: ['x402', 'mpp', 'ap2'],
+                payer_required: config.economic.payer?.required ?? false,
+            });
+        }
+        else {
+            this.economicEvaluator = null;
+            this.economicBudgetEngine = null;
+        }
         // Initialize interceptor
         this.outputValidator = new OutputValidator({
             logger: this.logger,
@@ -367,17 +411,28 @@ export class Veto {
         const parseYaml = await Veto.loadYamlParser();
         const configDir = pathModule.resolve(options.configDir ?? './veto');
         // Determine log level
-        const envLogLevel = process.env.VETO_LOG_LEVEL;
-        let logLevel = options.logLevel ?? envLogLevel ?? 'info';
+        const envLogSetting = Veto.parseEnvLogSetting(process.env.VETO_LOG);
+        const envLogLevel = Veto.parseEnvLogLevel(process.env.VETO_LOG_LEVEL);
+        const explicitLogLevel = Veto.resolveExplicitLogLevel(options);
+        let logLevel = explicitLogLevel ?? envLogSetting?.level ?? envLogLevel ?? 'info';
+        let streamMode = options.streamMode ?? envLogSetting?.streamMode ?? 'compact';
         // Load config file
         const configPath = pathModule.join(configDir, 'veto.config.yaml');
         let config = {};
         if (fsModule.existsSync(configPath)) {
             const configContent = fsModule.readFileSync(configPath, 'utf-8');
             config = parseYaml(configContent);
-            logLevel = options.logLevel ?? envLogLevel ?? config.logging?.level ?? 'info';
-        }
-        const logger = createLogger(logLevel);
+            logLevel = explicitLogLevel
+                ?? envLogSetting?.level
+                ?? envLogLevel
+                ?? config.logging?.level
+                ?? 'info';
+            streamMode = options.streamMode
+                ?? envLogSetting?.streamMode
+                ?? config.logging?.streamMode
+                ?? 'compact';
+        }
+        const logger = createLogger(logLevel, streamMode);
         if (!fsModule.existsSync(configPath)) {
             logger.warn('Veto config not found. Run "npx veto init" to initialize.', {
                 expected: configPath,
@@ -387,11 +442,20 @@ export class Veto {
         const rulesDir = pathModule.resolve(configDir, config.rules?.directory ?? './rules');
         const recursive = config.rules?.recursive ?? true;
         const rules = await Veto.loadRules(rulesDir, recursive, logger, fsModule, pathModule, parseYaml);
-        return new Veto(options, config, rules, logger);
+        return new Veto({ ...options, configDir }, config, rules.state, logger, false, {
+            dir: rulesDir,
+            recursive,
+            sourceFiles: rules.sourceFiles,
+        });
     }
     static fromRules(options) {
-        const logLevel = options.logLevel ?? 'warn';
-        const logger = createLogger(logLevel);
+        const envLogSetting = Veto.parseEnvLogSetting(typeof process === 'undefined' ? undefined : process.env.VETO_LOG);
+        const logLevel = Veto.resolveExplicitLogLevel(options)
+            ?? envLogSetting?.level
+            ?? Veto.parseEnvLogLevel(typeof process === 'undefined' ? undefined : process.env.VETO_LOG_LEVEL)
+            ?? 'warn';
+        const streamMode = options.streamMode ?? envLogSetting?.streamMode ?? 'compact';
+        const logger = createLogger(logLevel, streamMode);
         const envMode = Veto.parseEnvMode(typeof process === 'undefined' ? undefined : process.env.VETO_MODE);
         const resolvedMode = options.mode ?? envMode;
         const cloudClient = options.cloudClient ?? (options.apiKey
@@ -412,7 +476,7 @@ export class Veto {
                     baseUrl: options.endpoint,
                 }
                 : undefined,
-            logging: { level: logLevel },
+            logging: { level: logLevel, streamMode },
             budget: options.budget,
             costs: options.costs,
             approval: options.approval,
@@ -422,6 +486,7 @@ export class Veto {
         const vetoOptions = {
             mode: resolvedMode,
             logLevel,
+            streamMode,
             sessionId: options.sessionId,
             agentId: options.agentId,
             userId: options.userId,
@@ -431,11 +496,17 @@ export class Veto {
             endpoint: undefined,
             cloudClient,
             onApprovalRequired: options.onApprovalRequired,
+            onDecisionMade: options.onDecisionMade,
         };
         return new Veto(vetoOptions, config, rules, logger, true);
     }
     static async fromCloud(options) {
-        const logger = createLogger('warn');
+        const envLogSetting = Veto.parseEnvLogSetting(typeof process === 'undefined' ? undefined : process.env.VETO_LOG);
+        const logLevel = envLogSetting?.level
+            ?? Veto.parseEnvLogLevel(typeof process === 'undefined' ? undefined : process.env.VETO_LOG_LEVEL)
+            ?? 'warn';
+        const streamMode = envLogSetting?.streamMode ?? 'compact';
+        const logger = createLogger(logLevel, streamMode);
         const cloudClient = new VetoCloudClient({
             config: {
                 apiKey: options.apiKey,
@@ -460,9 +531,29 @@ export class Veto {
         }
         return undefined;
     }
+    static parseEnvLogSetting(value) {
+        if (!value) {
+            return undefined;
+        }
+        const normalized = value.trim().toLowerCase();
+        if (normalized === 'stream') {
+            return { level: 'stream', streamMode: 'compact' };
+        }
+        if (normalized === 'stream:verbose') {
+            return { level: 'stream', streamMode: 'verbose' };
+        }
+        return undefined;
+    }
+    static resolveExplicitLogLevel(options) {
+        if (options.stream) {
+            return 'stream';
+        }
+        return options.logLevel;
+    }
     static parseEnvLogLevel(level) {
         if (level === 'debug'
             || level === 'info'
+            || level === 'stream'
             || level === 'warn'
             || level === 'error'
             || level === 'silent') {
@@ -546,7 +637,10 @@ export class Veto {
         const state = Veto.createEmptyRulesState();
         if (!fsModule.existsSync(rulesDir)) {
             logger.debug('Rules directory not found', { path: rulesDir });
-            return state;
+            return {
+                state,
+                sourceFiles: [],
+            };
         }
         const yamlFiles = Veto.findYamlFiles(rulesDir, recursive, fsModule, pathModule);
         logger.debug('Found rule files', { count: yamlFiles.length });
@@ -609,7 +703,10 @@ export class Veto {
             outputGlobal: state.globalOutputRules.length,
             outputToolSpecific: state.outputRulesByTool.size,
         });
-        return state;
+        return {
+            state,
+            sourceFiles: yamlFiles,
+        };
     }
     /**
      * Find YAML files in a directory.
@@ -646,7 +743,16 @@ export class Veto {
     }
     getOutputRulesForTool(toolName) {
         const toolSpecific = this.rulesState.outputRulesByTool.get(toolName) ?? [];
-        return [...this.rulesState.globalOutputRules, ...toolSpecific];
+        const remote = this.remoteOutputRulesByTool.get(toolName) ?? [];
+        return [...this.rulesState.globalOutputRules, ...toolSpecific, ...remote]
+            .filter((rule) => rule.enabled !== false);
+    }
+    cacheRemoteOutputRules(toolName, outputRules) {
+        if (!outputRules || outputRules.length === 0) {
+            this.remoteOutputRulesByTool.delete(toolName);
+            return;
+        }
+        this.remoteOutputRulesByTool.set(toolName, outputRules);
     }
     isGuardEvaluation(context) {
         return context.source === 'guard';
@@ -917,100 +1023,133 @@ export class Veto {
         }
         const localContext = this.buildLocalEvaluationContext(context);
         let firstAllowRule = null;
+        let firstApprovalRule = null;
+        let firstBlockRule = null;
+        let firstNonBlockingRule = null;
         for (const rule of rules) {
             if (!this.matchesLocalRule(rule, context, localContext)) {
                 continue;
             }
-            const reason = rule.description ?? `Matched rule: ${rule.name}`;
-            const metadata = this.toLocalRuleMetadata(rule);
-            if (rule.action === 'require_approval') {
-                if (this.shouldApplyLogModeOverride(context)) {
-                    if (this.mode === 'shadow') {
-                        return this.applyShadowModeOverride(context, 'require_approval', reason, metadata, rule.id);
-                    }
-                    this.logger.warn('Tool call would require approval locally (log mode)', {
-                        tool: context.toolName,
-                        ruleId: rule.id,
-                        reason,
-                    });
-                    return {
-                        decision: 'allow',
-                        reason: `[LOG MODE] Would require approval: ${reason}`,
-                        metadata: {
-                            blocked_in_strict_mode: true,
-                            ...metadata,
-                        },
-                    };
-                }
-                if (this.isGuardEvaluation(context)) {
-                    return {
-                        decision: 'require_approval',
-                        reason,
-                        metadata,
-                    };
-                }
-                return this.handleLocalApprovalFlow(context, rule, reason);
+            if (rule.action === 'block' && !firstBlockRule) {
+                firstBlockRule = rule;
+                continue;
             }
-            if (rule.action === 'block') {
-                if (this.shouldApplyLogModeOverride(context)) {
-                    if (this.mode === 'shadow') {
-                        return this.applyShadowModeOverride(context, 'deny', reason, metadata, rule.id);
-                    }
-                    this.logger.warn('Tool call would be blocked locally (log mode)', {
-                        tool: context.toolName,
-                        ruleId: rule.id,
-                        reason,
-                    });
-                    return {
-                        decision: 'allow',
-                        reason: `[LOG MODE] Would block: ${reason}`,
-                        metadata: {
-                            blocked_in_strict_mode: true,
-                            ...metadata,
-                        },
-                    };
+            if (rule.action === 'require_approval' && !firstApprovalRule) {
+                firstApprovalRule = rule;
+                continue;
+            }
+            if (rule.action === 'allow' && !firstAllowRule) {
+                firstAllowRule = rule;
+                continue;
+            }
+            if ((rule.action === 'warn' || rule.action === 'log') && !firstNonBlockingRule) {
+                firstNonBlockingRule = rule;
+            }
+        }
+        const decisiveRule = firstBlockRule ?? firstApprovalRule ?? firstAllowRule;
+        if (!decisiveRule) {
+            if (firstNonBlockingRule) {
+                this.logger.warn('Local rule matched with non-blocking action', {
+                    tool: context.toolName,
+                    action: firstNonBlockingRule.action,
+                    ruleId: firstNonBlockingRule.id,
+                });
+            }
+            return { decision: 'allow' };
+        }
+        const reason = decisiveRule.description ?? `Matched rule: ${decisiveRule.name}`;
+        const metadata = this.toLocalRuleMetadata(decisiveRule);
+        if (decisiveRule.action === 'require_approval') {
+            if (this.shouldApplyLogModeOverride(context)) {
+                if (this.mode === 'shadow') {
+                    return this.applyShadowModeOverride(context, 'require_approval', reason, metadata, decisiveRule.id);
                 }
-                this.logger.warn('Tool call blocked by local rule', {
+                this.logger.warn('Tool call would require approval locally (log mode)', {
                     tool: context.toolName,
-                    ruleId: rule.id,
+                    ruleId: decisiveRule.id,
                     reason,
                 });
                 return {
-                    decision: 'deny',
+                    decision: 'allow',
+                    reason: `[LOG MODE] Would require approval: ${reason}`,
+                    metadata: {
+                        blocked_in_strict_mode: true,
+                        ...metadata,
+                    },
+                };
+            }
+            if (this.isGuardEvaluation(context)) {
+                return {
+                    decision: 'require_approval',
                     reason,
                     metadata,
                 };
             }
-            if (rule.action === 'allow' && !firstAllowRule) {
-                firstAllowRule = rule;
-            }
-            if (rule.action === 'warn' || rule.action === 'log') {
-                this.logger.warn('Local rule matched with non-blocking action', {
+            return this.handleLocalApprovalFlow(context, decisiveRule, reason);
+        }
+        if (decisiveRule.action === 'block') {
+            if (this.shouldApplyLogModeOverride(context)) {
+                if (this.mode === 'shadow') {
+                    return this.applyShadowModeOverride(context, 'deny', reason, metadata, decisiveRule.id);
+                }
+                this.logger.warn('Tool call would be blocked locally (log mode)', {
                     tool: context.toolName,
-                    action: rule.action,
-                    ruleId: rule.id,
+                    ruleId: decisiveRule.id,
+                    reason,
                 });
+                return {
+                    decision: 'allow',
+                    reason: `[LOG MODE] Would block: ${reason}`,
+                    metadata: {
+                        blocked_in_strict_mode: true,
+                        ...metadata,
+                    },
+                };
             }
+            this.logger.warn('Tool call blocked by local rule', {
+                tool: context.toolName,
+                ruleId: decisiveRule.id,
+                reason,
+            });
+            return {
+                decision: 'deny',
+                reason,
+                metadata,
+            };
         }
-        if (firstAllowRule) {
+        if (decisiveRule.action === 'allow') {
             return {
                 decision: 'allow',
-                reason: firstAllowRule.description ?? `Allowed by rule: ${firstAllowRule.name}`,
-                metadata: this.toLocalRuleMetadata(firstAllowRule),
+                reason: decisiveRule.description ?? `Allowed by rule: ${decisiveRule.name}`,
+                metadata,
             };
         }
         return { decision: 'allow' };
     }
     buildLocalEvaluationContext(context) {
+        const customContext = context.custom ?? {};
+        const localArguments = Object.fromEntries(Object.entries(context.arguments).filter(([key]) => !RESERVED_LOCAL_CONTEXT_KEYS.has(key)));
+        const marketContext = customContext.market && typeof customContext.market === 'object' && !Array.isArray(customContext.market)
+            ? customContext.market
+            : undefined;
+        const budgetContext = customContext.budget && typeof customContext.budget === 'object' && !Array.isArray(customContext.budget)
+            ? customContext.budget
+            : undefined;
+        const portfolioContext = customContext.portfolio && typeof customContext.portfolio === 'object' && !Array.isArray(customContext.portfolio)
+            ? customContext.portfolio
+            : undefined;
         return {
-            ...context.arguments,
+            ...localArguments,
             tool_name: context.toolName,
             arguments: context.arguments,
             session_id: this.resolveSessionId(context),
             agent_id: this.resolveAgentId(context),
             user_id: this.resolveUserId(context),
             role: this.resolveRole(context),
-            custom: context.custom,
+            ...(marketContext ? { market: marketContext } : {}),
+            ...(budgetContext ? { budget: budgetContext } : {}),
+            ...(portfolioContext ? { portfolio: portfolioContext } : {}),
+            custom: customContext,
         };
     }
     matchesLocalRule(rule, validationContext, localContext) {
@@ -1459,6 +1598,7 @@ export class Veto {
         }
         try {
             const response = await client.validate(context.toolName, context.arguments, apiContext);
+            this.cacheRemoteOutputRules(context.toolName, response.outputRules);
             const metadata = {};
             if (response.failed_constraints) {
                 metadata.failed_constraints = response.failed_constraints;
@@ -1469,6 +1609,9 @@ export class Veto {
             // Handle require_approval decision
             if (response.decision === 'require_approval') {
                 const approvalReason = response.reason ?? 'Approval required';
+                if (response.denial) {
+                    metadata.denial = response.denial;
+                }
                 const metadataWithApproval = response.approval_id
                     ? { ...metadata, approvalId: response.approval_id }
                     : metadata;
@@ -1539,6 +1682,9 @@ export class Veto {
                 tool: context.toolName,
                 reason: response.reason,
             });
+            if (response.denial) {
+                metadata.denial = response.denial;
+            }
             return {
                 decision: 'deny',
                 reason: response.reason,
@@ -1959,6 +2105,61 @@ export class Veto {
         };
         this.eventWebhookEmitter.emit(event);
     }
+    notifyDecisionMade(result, toolName) {
+        try {
+            const maybePromise = this.onDecisionMade?.({ ...result, toolName });
+            if (maybePromise && typeof maybePromise.catch === 'function') {
+                maybePromise.catch(() => { });
+            }
+        }
+        catch {
+            // swallow — callback errors must not break guard flow
+        }
+    }
+    /**
+     * Emit a webhook event for economic authorization outcomes.
+     *
+     * Maps economic evaluation results to the appropriate webhook event type:
+     * - budget_exceeded → 'budget_exceeded'
+     * - approval_required → 'approval_triggered'
+     * - budget_warning (>80% utilization on allow) → 'budget_warning'
+     * - spend_committed (successful reservation) → 'spend_committed'
+     */
+    emitEconomicEvent(toolName, args, econResult, economicContext, forceType) {
+        let eventType;
+        if (forceType) {
+            eventType = forceType;
+        }
+        else if (econResult.denial?.reason === 'budget_exceeded') {
+            eventType = 'budget_exceeded';
+        }
+        else if (econResult.denial?.reason === 'approval_required') {
+            eventType = 'approval_triggered';
+        }
+        else {
+            eventType = 'deny';
+        }
+        const event = {
+            eventType,
+            toolName,
+            arguments: args,
+            decision: econResult.decision,
+            reason: econResult.denial?.reason,
+            severity: eventType === 'budget_exceeded' ? 'high' : 'medium',
+            timestamp: new Date().toISOString(),
+            shadow: this.mode === 'shadow' ? true : undefined,
+            economic: {
+                cost: economicContext.cost,
+                currency: economicContext.currency,
+                protocol: economicContext.protocol,
+                payer: economicContext.payer,
+                budget_spent: econResult.denial?.budget_spent,
+                budget_limit: econResult.denial?.budget_limit,
+                budget_remaining: econResult.denial?.budget_remaining,
+            },
+        };
+        this.eventWebhookEmitter.emit(event);
+    }
     toGuardResult(result) {
         const metadata = result.metadata;
         const ruleId = this.extractMetadataString(metadata, ['ruleId', 'rule_id']);
@@ -2027,9 +2228,42 @@ export class Veto {
     delay(ms) {
         return new Promise((resolve) => setTimeout(resolve, ms));
     }
-    validateOutputOrThrow(toolName, output) {
+    logOutputValidation(toolName, args, outputResult, latencyMs) {
+        if (!this.cloudClient) {
+            return;
+        }
+        if (outputResult.decision !== 'block' && outputResult.trace.length === 0) {
+            return;
+        }
+        this.getCloudClient().logDecision({
+            tool_name: toolName,
+            arguments: args,
+            decision: outputResult.decision === 'block' ? 'deny' : 'allow',
+            reason: outputResult.reason,
+            mode: 'deterministic',
+            latency_ms: latencyMs,
+            source: 'client',
+            context: {
+                output_validation: true,
+            },
+            redactions: outputResult.trace,
+        });
+    }
+    validateOutputOrThrow(toolName, args, output) {
+        const startedAt = Date.now();
         const outputResult = this.validateOutput(toolName, output);
+        const latencyMs = Date.now() - startedAt;
+        this.logOutputValidation(toolName, args, outputResult, latencyMs);
         if (outputResult.decision === 'block') {
+            if (this.mode === 'log' || this.mode === 'shadow') {
+                this.logger.warn(this.mode === 'shadow'
+                    ? '[shadow] Tool output would be blocked'
+                    : 'Tool output would be blocked (log mode)', {
+                    tool: toolName,
+                    reason: outputResult.reason,
+                });
+                return output;
+            }
             throw new Error(outputResult.reason ?? `Tool output blocked for ${toolName}`);
         }
         return outputResult.output;
@@ -2095,12 +2329,13 @@ export class Veto {
                     arguments: input,
                 });
                 if (!result.allowed) {
-                    throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult);
+                    const denial = result.validationResult.metadata?.denial;
+                    throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult, denial);
                 }
                 // Execute the original function with potentially modified arguments
                 const finalArgs = result.finalArguments ?? input;
                 const executionResult = await originalFunc.call(tool, finalArgs);
-                return veto.validateOutputOrThrow(toolName, executionResult);
+                return veto.validateOutputOrThrow(toolName, finalArgs, executionResult);
             };
             // Replace func
             wrapped.func = wrappedFunc;
@@ -2115,12 +2350,13 @@ export class Veto {
                         arguments: input,
                     });
                     if (!result.allowed) {
-                        throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult);
+                        const denial = result.validationResult.metadata?.denial;
+                        throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult, denial);
                     }
                     // Call original invoke with potentially modified arguments
                     const finalArgs = result.finalArguments ?? input;
                     const executionResult = await originalInvoke.call(tool, finalArgs, ...rest);
-                    return veto.validateOutputOrThrow(toolName, executionResult);
+                    return veto.validateOutputOrThrow(toolName, finalArgs, executionResult);
                 };
             }
             veto.logger.debug('Tool wrapped', { name: toolName });
@@ -2147,15 +2383,16 @@ export class Veto {
                         arguments: callArgs,
                     });
                     if (!result.allowed) {
-                        throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult);
+                        const denial = result.validationResult.metadata?.denial;
+                        throw new ToolCallDeniedError(toolName, result.originalCall.id || '', result.validationResult, denial);
                     }
                     const finalArgs = result.finalArguments ?? callArgs;
                     if (args.length === 1 && typeof args[0] === 'object') {
                         const executionResult = await originalFunc.call(tool, finalArgs);
-                        return veto.validateOutputOrThrow(toolName, executionResult);
+                        return veto.validateOutputOrThrow(toolName, finalArgs, executionResult);
                     }
                     const executionResult = await originalFunc.apply(tool, args);
-                    return veto.validateOutputOrThrow(toolName, executionResult);
+                    return veto.validateOutputOrThrow(toolName, finalArgs, executionResult);
                 };
                 wrapped[key] = wrappedFunc;
                 veto.logger.debug('Tool wrapped', { name: toolName });
@@ -2221,11 +2458,12 @@ export class Veto {
                 arguments: callArgs,
             });
             if (!result.allowed) {
-                throw new ToolCallDeniedError(args.name, result.originalCall.id || '', result.validationResult);
+                const denial = result.validationResult.metadata?.denial;
+                throw new ToolCallDeniedError(args.name, result.originalCall.id || '', result.validationResult, denial);
             }
             const finalArgs = result.finalArguments ?? callArgs;
             const executionResult = await serverClient.callTool({ name: args.name, arguments: finalArgs });
-            return veto.validateOutputOrThrow(args.name, executionResult);
+            return veto.validateOutputOrThrow(args.name, finalArgs, executionResult);
         };
         this.logger.debug('MCP tools wrapped', { count: tools.length });
         return { tools, callTool };
@@ -2272,6 +2510,88 @@ export class Veto {
      * Unlike interceptor execution, this returns raw validation outcomes in log/shadow mode.
      */
     async guard(toolName, args, context = {}) {
+        // Economic pre-checks: payer validation and cost validation run BEFORE
+        // behavioral rules. Budget reservation happens AFTER behavioral rules
+        // to avoid the TOCTOU double-spend (check then reserve race).
+        if (this.economicEvaluator && context.economic) {
+            const econResult = this.economicEvaluator.evaluate(context.economic);
+            if (econResult.decision !== 'allow') {
+                this.logger.warn('Economic authorization denied', {
+                    toolName,
+                    decision: econResult.decision,
+                    reason: econResult.denial?.reason,
+                    cost: context.economic.cost,
+                    protocol: context.economic.protocol,
+                });
+                this.emitEconomicEvent(toolName, args, econResult, context.economic);
+                const result = {
+                    decision: this.mode === 'shadow' ? 'allow' : econResult.decision,
+                    reason: econResult.denial
+                        ? `Economic: ${econResult.denial.reason}`
+                        : 'Economic authorization denied',
+                    economicDenial: econResult.denial,
+                    shadow: this.mode === 'shadow' ? true : undefined,
+                    shadowDecision: this.mode === 'shadow' ? econResult.decision : undefined,
+                };
+                this.notifyDecisionMade(result, toolName);
+                return result;
+            }
+        }
+        // If economic evaluator is configured and can resolve cost from args
+        // (no explicit EconomicContext provided, but cost_extraction is configured)
+        let implicitEconomicContext;
+        if (this.economicEvaluator && !context.economic) {
+            const resolvedCost = this.economicEvaluator.resolveCost(toolName, args);
+            if (resolvedCost !== undefined && resolvedCost > 0) {
+                implicitEconomicContext = {
+                    cost: resolvedCost,
+                    currency: 'USD', // Default currency for implicit extraction
+                    protocol: 'custom',
+                };
+                const econResult = this.economicEvaluator.evaluate(implicitEconomicContext);
+                if (econResult.decision !== 'allow') {
+                    this.logger.warn('Economic authorization denied (implicit cost)', {
+                        toolName,
+                        decision: econResult.decision,
+                        reason: econResult.denial?.reason,
+                        cost: resolvedCost,
+                    });
+                    this.emitEconomicEvent(toolName, args, econResult, implicitEconomicContext);
+                    const result = {
+                        decision: this.mode === 'shadow' ? 'allow' : econResult.decision,
+                        reason: econResult.denial
+                            ? `Economic: ${econResult.denial.reason}`
+                            : 'Economic authorization denied',
+                        economicDenial: econResult.denial,
+                        shadow: this.mode === 'shadow' ? true : undefined,
+                        shadowDecision: this.mode === 'shadow' ? econResult.decision : undefined,
+                    };
+                    this.notifyDecisionMade(result, toolName);
+                    return result;
+                }
+            }
+        }
+        const customContext = {
+            ...(context.custom ?? {}),
+        };
+        if (context.market) {
+            if (customContext.market !== undefined) {
+                this.logger.debug('Guard context override applied', { key: 'market' });
+            }
+            customContext.market = context.market;
+        }
+        if (context.budget) {
+            if (customContext.budget !== undefined) {
+                this.logger.debug('Guard context override applied', { key: 'budget' });
+            }
+            customContext.budget = context.budget;
+        }
+        if (context.portfolio) {
+            if (customContext.portfolio !== undefined) {
+                this.logger.debug('Guard context override applied', { key: 'portfolio' });
+            }
+            customContext.portfolio = context.portfolio;
+        }
         const validationContext = {
             toolName,
             arguments: args,
@@ -2282,6 +2602,7 @@ export class Veto {
             agentId: context.agentId ?? this.agentId,
             userId: context.userId ?? this.userId,
             role: context.role ?? this.role,
+            custom: Object.keys(customContext).length > 0 ? customContext : undefined,
             source: 'guard',
         };
         const aggregatedResult = await this.validationEngine.validate(validationContext);
@@ -2289,7 +2610,34 @@ export class Veto {
         this.historyTracker.record(toolName, args, validationResult, aggregatedResult.totalDurationMs);
         this.emitDecisionEvent(validationContext, validationResult);
         this.logClientDecision(validationContext, validationResult, aggregatedResult.totalDurationMs);
-        return this.toGuardResult(validationResult);
+        // If behavioral rules allow and economic context exists, reserve budget.
+        // Skip reservation in shadow mode — shadow should never deduct real budget.
+        const behavioralResult = this.toGuardResult(validationResult);
+        const effectiveEconomic = context.economic ?? implicitEconomicContext;
+        if (behavioralResult.decision === 'allow'
+            && this.economicEvaluator
+            && effectiveEconomic
+            && effectiveEconomic.cost > 0
+            && this.mode !== 'shadow') {
+            const reserveResult = this.economicEvaluator.reserveBudget(effectiveEconomic.cost, effectiveEconomic.currency);
+            if (reserveResult.decision !== 'allow') {
+                this.emitEconomicEvent(toolName, args, reserveResult, effectiveEconomic);
+                const result = {
+                    ...behavioralResult,
+                    decision: reserveResult.decision,
+                    reason: reserveResult.denial
+                        ? `Economic: ${reserveResult.denial.reason}`
+                        : 'Budget reservation failed',
+                    economicDenial: reserveResult.denial,
+                };
+                this.notifyDecisionMade(result, toolName);
+                return result;
+            }
+            // Emit spend_committed event on successful reservation
+            this.emitEconomicEvent(toolName, args, reserveResult, effectiveEconomic, 'spend_committed');
+        }
+        this.notifyDecisionMade(behavioralResult, toolName);
+        return behavioralResult;
     }
     /**
      * Cache an approval preference for a tool.
@@ -2352,6 +2700,25 @@ export class Veto {
             outputRulesLoaded: this.rulesState.allOutputRules.length,
         });
     }
+    async reloadLocalRules() {
+        if (this.validationMode !== 'local' || !this.localRulesDir) {
+            throw new Error('No local rules configured');
+        }
+        const [fsModule, pathModule, parseYaml] = await Promise.all([
+            Veto.loadNodeFsModule(),
+            Veto.loadNodePathModule(),
+            Veto.loadYamlParser(),
+        ]);
+        const rules = await Veto.loadRules(this.localRulesDir, this.localRulesRecursive, this.logger, fsModule, pathModule, parseYaml);
+        this.rulesState = rules.state;
+        this.localSourceFiles = rules.sourceFiles;
+        this.compiledExpressionCache.clear();
+        this.logger.info('Local rules reloaded', {
+            rulesLoaded: this.rulesState.allRules.length,
+            outputRulesLoaded: this.rulesState.allOutputRules.length,
+            sourceFiles: this.localSourceFiles.length,
+        });
+    }
     setRefreshInterval(refreshIntervalMs) {
         if (this.refreshIntervalId) {
             clearInterval(this.refreshIntervalId);
@@ -2392,6 +2759,19 @@ export class Veto {
     resetBudget() {
         this.budgetTracker?.reset();
     }
+    /**
+     * Get current economic budget status for a scope.
+     * Returns null if no economic policy is configured.
+     */
+    getEconomicBudgetStatus(scope = 'session') {
+        return this.economicBudgetEngine?.getStatus(scope) ?? null;
+    }
+    /**
+     * Reset economic budget for a scope.
+     */
+    resetEconomicBudget(scope = 'session') {
+        this.economicBudgetEngine?.reset(scope);
+    }
     dispose() {
         if (this.refreshIntervalId) {
             clearInterval(this.refreshIntervalId);