vibecheck-ai 2.0.2 → 5.0.0

package/bin/runners/runShield.js

@@ -0,0 +1,1282 @@
+/**
+ * vibecheck shield - Agent Firewall™
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * ENTERPRISE-GRADE AI ENFORCEMENT LAYER
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * 
+ * The Agent Firewall is the core enforcement primitive in VibeCheck.
+ * It intercepts AI actions at multiple levels:
+ * 
+ *   1. PROMPT LEVEL    - Injection detection before AI execution
+ *   2. FILE WRITE      - Intercept IDE/AI file changes in real-time
+ *   3. CLAIM VALIDATION - Verify changes against truthpack evidence
+ *   4. VERDICT         - ALLOW / WARN / BLOCK decision with proof chain
+ * 
+ * Unlike advisory tools, Shield actually STOPS bad changes.
+ * 
+ * Unifies: guard, firewall, agent, validate, prompt-firewall
+ * 
+ * @module runShield
+ * @version 4.0.0
+ * @license MIT
+ */
+
+"use strict";
+
+const path = require("path");
+const fs = require("fs");
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// LAZY IMPORTS - Enterprise startup optimization
+// ═══════════════════════════════════════════════════════════════════════════════
+
+let _globalFlags = null;
+let _exitCodes = null;
+let _cliOutput = null;
+
+function getGlobalFlags() {
+  if (!_globalFlags) {
+    _globalFlags = require("./lib/global-flags");
+  }
+  return _globalFlags;
+}
+
+function getExitCodes() {
+  if (!_exitCodes) {
+    _exitCodes = require("./lib/exit-codes");
+  }
+  return _exitCodes;
+}
+
+function getCliOutput() {
+  if (!_cliOutput) {
+    _cliOutput = require("./lib/unified-cli-output");
+  }
+  return _cliOutput;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// UNDERLYING IMPLEMENTATIONS - Lazy loaded for performance
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const implementations = {
+  firewall: null,
+  agent: null,
+  guard: null,
+  validate: null,
+  promptFirewall: null,
+  orchestrator: null,
+  intentStore: null,
+};
+
+function loadImplementation(name) {
+  if (implementations[name] !== null) return implementations[name];
+  
+  try {
+    switch (name) {
+      case "firewall":
+        implementations[name] = require("./runFirewall");
+        break;
+      case "agent":
+        implementations[name] = require("./runAgent");
+        break;
+      case "guard":
+        implementations[name] = require("./runGuard").runGuard;
+        break;
+      case "validate":
+        implementations[name] = require("./runValidate").runValidate;
+        break;
+      case "promptFirewall":
+        implementations[name] = require("./runPromptFirewall").runPromptFirewall;
+        break;
+      case "orchestrator":
+        implementations[name] = require("./lib/agent-firewall/enforcement").createOrchestrator;
+        break;
+      case "intentStore":
+        implementations[name] = require("./lib/agent-firewall/intent").IntentStore;
+        break;
+      default:
+        implementations[name] = false;
+    }
+  } catch (e) {
+    implementations[name] = false;
+  }
+  
+  return implementations[name];
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// CONSTANTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const SHIELD_VERSION = "4.0.0";
+
+const SUBCOMMANDS = {
+  status: { description: "Show firewall status and configuration", pro: false },
+  enforce: { description: "Enable enforcement mode (block violations)", pro: true },
+  observe: { description: "Enable observe-only mode (log only)", pro: false },
+  lock: { description: "Hard lockdown - all rules enforced", pro: true },
+  unlock: { description: "Release lock, return to observe mode", pro: true },
+  verify: { description: "Verify AI claims, prompts, hallucinations", pro: true },
+  check: { description: "Run v2 enforcement check on staged/recent changes", pro: true },
+  install: { description: "Install IDE hooks for interception", pro: true },
+  stats: { description: "Show firewall statistics and metrics", pro: false },
+  audit: { description: "Audit recent change packets", pro: true },
+  policy: { description: "View or edit policy configuration", pro: true },
+};
+
+const ENFORCEMENT_RULES = [
+  { id: "ghost_route", name: "Ghost Route", description: "Block undeclared routes", severity: "block" },
+  { id: "ghost_env", name: "Ghost Env", description: "Block undeclared env vars", severity: "block" },
+  { id: "auth_drift", name: "Auth Drift", description: "Detect auth pattern changes", severity: "block" },
+  { id: "contract_drift", name: "Contract Drift", description: "Detect contract violations", severity: "block" },
+  { id: "scope_explosion", name: "Scope Explosion", description: "Detect scope creep", severity: "warn" },
+  { id: "unsafe_side_effect", name: "Unsafe Side Effect", description: "Block unsafe operations", severity: "block" },
+  { id: "fake_success", name: "Fake Success", description: "Detect fake success UI", severity: "warn" },
+];
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ENTERPRISE HELP SYSTEM
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function printHelp(detailed = false) {
+  const { ansi } = getCliOutput();
+  
+  const header = `
+${ansi.bold}${ansi.cyan}╔═══════════════════════════════════════════════════════════════════════════════╗
+║                                                                               ║
+║   ${ansi.reset}${ansi.bold}AGENT FIREWALL™${ansi.cyan}                                                          ║
+║   ${ansi.reset}${ansi.dim}The AI Enforcement Layer${ansi.cyan}                                                   ║
+║                                                                               ║
+╚═══════════════════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.bold}USAGE${ansi.reset}
+    ${ansi.cyan}vibecheck shield${ansi.reset} <subcommand> [options]
+
+  ${ansi.dim}Intercept AI actions, validate claims against truthpack, and block
+  unauthorized changes in real-time. The core enforcement primitive.${ansi.reset}
+
+  ${ansi.bold}SUBCOMMANDS${ansi.reset}`;
+
+  console.log(header);
+  
+  // Print subcommands with alignment
+  const maxLen = Math.max(...Object.keys(SUBCOMMANDS).map(k => k.length));
+  for (const [name, info] of Object.entries(SUBCOMMANDS)) {
+    const proTag = info.pro ? `${ansi.magenta}PRO${ansi.reset} ` : "    ";
+    console.log(`    ${ansi.cyan}${name.padEnd(maxLen + 2)}${ansi.reset}${proTag}${info.description}`);
+  }
+
+  console.log(`
+  ${ansi.bold}VERIFY OPTIONS${ansi.reset}
+    ${ansi.cyan}--claims${ansi.reset}               Verify AI claims against truthpack
+    ${ansi.cyan}--prompts${ansi.reset}              Check for prompt injection attacks
+    ${ansi.cyan}--hallucinations${ansi.reset}       Detect hallucination patterns
+    ${ansi.cyan}--file <path>${ansi.reset}          Check specific file(s)
+    ${ansi.cyan}--strict${ansi.reset}               Fail on warnings (not just errors)
+
+  ${ansi.bold}CHECK (v2) OPTIONS${ansi.reset}
+    ${ansi.cyan}--staged${ansi.reset}               Check only staged git changes
+    ${ansi.cyan}--recent${ansi.reset}               Check changes since last commit
+
+  ${ansi.bold}GENERAL OPTIONS${ansi.reset}
+    ${ansi.cyan}--json${ansi.reset}                 Output as JSON (CI integration)
+    ${ansi.cyan}--quiet, -q${ansi.reset}            Suppress non-essential output
+    ${ansi.cyan}--verbose, -v${ansi.reset}          Show detailed output
+    ${ansi.cyan}--help, -h${ansi.reset}             Show this help
+
+  ${ansi.bold}EXAMPLES${ansi.reset}
+    ${ansi.dim}# Check firewall status${ansi.reset}
+    vibecheck shield status
+
+    ${ansi.dim}# Enable enforcement mode (blocks violations)${ansi.reset}
+    vibecheck shield enforce
+
+    ${ansi.dim}# Full lockdown (all hard rules enforced)${ansi.reset}
+    vibecheck shield lock
+
+    ${ansi.dim}# Verify AI claims${ansi.reset}
+    vibecheck shield verify --claims
+
+    ${ansi.dim}# Install IDE hooks${ansi.reset}
+    vibecheck shield install
+
+    ${ansi.dim}# CI integration (JSON output, strict mode)${ansi.reset}
+    vibecheck shield verify --claims --strict --json`);
+
+  if (detailed) {
+    console.log(`
+  ${ansi.bold}INTERCEPTION ARCHITECTURE${ansi.reset}
+    ${ansi.dim}┌─────────────────────────────────────────────────────────────────┐
+    │ 1. PROMPT LEVEL     - Injection detection before AI execution │
+    │ 2. FILE WRITE       - Intercept IDE/AI file changes           │
+    │ 3. CLAIM VALIDATION - Verify changes against truthpack        │
+    │ 4. VERDICT          - ALLOW / WARN / BLOCK decision           │
+    └─────────────────────────────────────────────────────────────────┘${ansi.reset}
+
+  ${ansi.bold}ENFORCEMENT RULES${ansi.reset}`);
+
+    for (const rule of ENFORCEMENT_RULES) {
+      const severityColor = rule.severity === "block" ? ansi.red : ansi.yellow;
+      console.log(`    ${ansi.dim}•${ansi.reset} ${ansi.cyan}${rule.id.padEnd(20)}${ansi.reset} ${severityColor}${rule.severity.toUpperCase().padEnd(5)}${ansi.reset} ${rule.description}`);
+    }
+  }
+
+  console.log(`
+  ${ansi.bold}EXIT CODES${ansi.reset}
+    ${ansi.green}0${ansi.reset}  All checks passed / operation successful
+    ${ansi.yellow}1${ansi.reset}  Warnings found (non-blocking)
+    ${ansi.red}2${ansi.reset}  Violations found (blocking issues)
+    ${ansi.red}3${ansi.reset}  Configuration error
+    ${ansi.red}4${ansi.reset}  Internal error
+
+  ${ansi.dim}────────────────────────────────────────────────────────────────────${ansi.reset}
+  ${ansi.dim}Documentation: https://docs.vibecheckai.dev/cli/shield${ansi.reset}
+  ${ansi.dim}Version: ${SHIELD_VERSION}${ansi.reset}
+`);
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MAIN ENTRY POINT
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Main shield command handler
+ * 
+ * @param {string[]} args - Command arguments
+ * @param {Object} context - Execution context
+ * @param {string} context.repoRoot - Repository root path
+ * @returns {Promise<number>} Exit code
+ */
+async function runShield(args = [], context = {}) {
+  const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = getGlobalFlags();
+  const { EXIT } = getExitCodes();
+  
+  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(globalFlags);
+  const json = isJsonMode(globalFlags) || args.includes("--json");
+  const verbose = args.includes("--verbose") || args.includes("-v");
+  const projectRoot = context.repoRoot || globalFlags.path || process.cwd();
+  
+  // Parse subcommand
+  const subcommand = cleanArgs[0] || "status";
+  const subArgs = cleanArgs.slice(1);
+  
+  // Handle help
+  if (globalFlags.help || args.includes("--help") || args.includes("-h")) {
+    if (!subcommand || ["--help", "-h"].includes(subcommand)) {
+      printHelp(verbose);
+      return EXIT.SUCCESS;
+    }
+  }
+
+  // Create execution context
+  const execContext = {
+    projectRoot,
+    json,
+    quiet,
+    verbose,
+    args: subArgs,
+    originalArgs: args,
+    startTime: Date.now(),
+  };
+
+  try {
+    // Route to appropriate handler
+    switch (subcommand) {
+      case "status":
+        return await handleStatus(execContext);
+        
+      case "enforce":
+        return await handleSetMode("enforce", execContext);
+        
+      case "observe":
+        return await handleSetMode("observe", execContext);
+        
+      case "lock":
+        return await handleLock(execContext);
+        
+      case "unlock":
+        return await handleUnlock(execContext);
+        
+      case "verify":
+        return await handleVerify(execContext);
+        
+      case "check":
+        return await handleCheck(execContext);
+        
+      case "install":
+        return await handleInstall(execContext);
+        
+      case "stats":
+        return await handleStats(execContext);
+        
+      case "audit":
+        return await handleAudit(execContext);
+        
+      case "policy":
+        return await handlePolicy(execContext);
+        
+      default:
+        // If it looks like a verify flag, pass to verify
+        if (subcommand.startsWith("--")) {
+          execContext.args = cleanArgs;
+          return await handleVerify(execContext);
+        }
+        
+        return handleUnknownSubcommand(subcommand, execContext);
+    }
+  } catch (error) {
+    return handleError(error, execContext);
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SUBCOMMAND HANDLERS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Handle status subcommand
+ */
+async function handleStatus(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, sym, renderMinimalHeader, renderSectionHeader, renderFooter } = getCliOutput();
+  
+  const firewall = loadImplementation("firewall");
+  const agent = loadImplementation("agent");
+  
+  // Gather status from all sources
+  const status = firewall ? await firewall.runFirewall({ status: true, projectRoot: ctx.projectRoot }) : { mode: "unknown", error: "Firewall module not available" };
+  const agentStatus = agent ? await agent.runAgent({ action: "status", projectRoot: ctx.projectRoot }) : { installed: false };
+  
+  // Check truthpack freshness
+  let truthpackAge = null;
+  const truthpackPath = path.join(ctx.projectRoot, ".vibecheck", "truthpack.json");
+  if (fs.existsSync(truthpackPath)) {
+    const stats = fs.statSync(truthpackPath);
+    truthpackAge = Date.now() - stats.mtimeMs;
+  }
+  
+  const result = {
+    shield: {
+      version: SHIELD_VERSION,
+      mode: status.mode || "unknown",
+      profile: status.profile || "default",
+      locked: agentStatus.locked || false,
+    },
+    hooks: {
+      installed: agentStatus.installed || false,
+    },
+    truthpack: {
+      fresh: status.truthpackFresh || false,
+      age: truthpackAge ? `${Math.round(truthpackAge / 1000 / 60)}m ago` : "unknown",
+    },
+    rules: {
+      enabled: status.rulesEnabled || 0,
+      total: ENFORCEMENT_RULES.length,
+    },
+    health: calculateHealth(status, agentStatus),
+  };
+  
+  if (ctx.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else if (!ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Agent Firewall Status", sym.shield);
+    
+    // Mode indicator with color
+    const modeColor = result.shield.mode === "enforce" ? ansi.green : 
+                      result.shield.mode === "observe" ? ansi.yellow : ansi.red;
+    const lockIcon = result.shield.locked ? ` ${ansi.red}🔒${ansi.reset}` : "";
+    
+    console.log(`
+  ${ansi.bold}Shield Configuration${ansi.reset}
+    ${ansi.dim}Mode:${ansi.reset}           ${modeColor}${result.shield.mode.toUpperCase()}${ansi.reset}${lockIcon}
+    ${ansi.dim}Profile:${ansi.reset}        ${result.shield.profile}
+    ${ansi.dim}Version:${ansi.reset}        ${result.shield.version}
+
+  ${ansi.bold}Interception${ansi.reset}
+    ${ansi.dim}IDE Hooks:${ansi.reset}      ${result.hooks.installed ? ansi.green + "✓ Installed" : ansi.yellow + "○ Not installed"}${ansi.reset}
+    ${ansi.dim}Truthpack:${ansi.reset}      ${result.truthpack.fresh ? ansi.green + "✓ Fresh" : ansi.yellow + "○ Stale"}${ansi.reset} ${ansi.dim}(${result.truthpack.age})${ansi.reset}
+    ${ansi.dim}Rules:${ansi.reset}          ${result.rules.enabled}/${result.rules.total} enabled
+
+  ${ansi.bold}Health${ansi.reset}
+    ${ansi.dim}Overall:${ansi.reset}        ${renderHealthBadge(result.health, ansi)}
+`);
+
+    // Recommendations
+    const recommendations = [];
+    if (!result.hooks.installed) {
+      recommendations.push({ cmd: "vibecheck shield install", desc: "Install IDE hooks" });
+    }
+    if (result.shield.mode === "observe") {
+      recommendations.push({ cmd: "vibecheck shield enforce", desc: "Enable enforcement" });
+    }
+    if (!result.truthpack.fresh) {
+      recommendations.push({ cmd: "vibecheck audit", desc: "Refresh truthpack" });
+    }
+    
+    if (recommendations.length > 0) {
+      renderFooter({
+        nextSteps: recommendations,
+        docsUrl: "https://docs.vibecheckai.dev/cli/shield",
+      });
+    }
+  }
+  
+  return EXIT.SUCCESS;
+}
+
+/**
+ * Handle enforce/observe mode setting
+ */
+async function handleSetMode(mode, ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderSuccess, renderError, renderWarning } = getCliOutput();
+  
+  const firewall = loadImplementation("firewall");
+  if (!firewall) {
+    return handleModuleNotAvailable("firewall", ctx);
+  }
+  
+  const result = await firewall.runFirewall({ mode, projectRoot: ctx.projectRoot });
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({
+      success: result.success,
+      mode,
+      message: result.message,
+      timestamp: new Date().toISOString(),
+    }, null, 2));
+  } else if (!ctx.quiet) {
+    if (result.success) {
+      if (mode === "enforce") {
+        renderSuccess("Enforcement mode ENABLED");
+        console.log(`
+  ${ansi.dim}Shield will now BLOCK violations:${ansi.reset}
+    ${ansi.red}•${ansi.reset} Ghost routes/env vars
+    ${ansi.red}•${ansi.reset} Auth drift
+    ${ansi.red}•${ansi.reset} Contract violations
+    ${ansi.red}•${ansi.reset} Unsafe side effects
+
+  ${ansi.dim}Use ${ansi.cyan}vibecheck shield observe${ansi.dim} to switch back to logging-only.${ansi.reset}
+`);
+      } else {
+        renderWarning("Observe mode ENABLED");
+        console.log(`
+  ${ansi.dim}Shield will LOG but not block violations.${ansi.reset}
+  ${ansi.dim}Use ${ansi.cyan}vibecheck shield enforce${ansi.dim} to enable blocking.${ansi.reset}
+`);
+      }
+    } else {
+      renderError(result.error || `Failed to set mode to ${mode}`);
+    }
+  }
+  
+  return result.success ? EXIT.SUCCESS : EXIT.INTERNAL_ERROR;
+}
+
+/**
+ * Handle lock subcommand (repo-lock mode)
+ */
+async function handleLock(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderWarning, renderError } = getCliOutput();
+  
+  const agent = loadImplementation("agent");
+  if (!agent) {
+    return handleModuleNotAvailable("agent", ctx);
+  }
+  
+  const result = await agent.runAgent({ action: "lock", projectRoot: ctx.projectRoot });
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({
+      success: result.success,
+      mode: "repo-lock",
+      rules: ENFORCEMENT_RULES.map(r => r.id),
+      message: result.message,
+      timestamp: new Date().toISOString(),
+    }, null, 2));
+  } else if (!ctx.quiet) {
+    if (result.success) {
+      console.log(`
+${ansi.yellow}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   🔒 REPO LOCK MODE ENABLED                                       ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.yellow}All hard rules are now enforced:${ansi.reset}
+`);
+      for (const rule of ENFORCEMENT_RULES) {
+        if (rule.severity === "block") {
+          console.log(`    ${ansi.red}▪${ansi.reset} ${rule.name} - ${rule.description}`);
+        }
+      }
+      console.log(`
+  ${ansi.dim}This is the strictest enforcement mode.${ansi.reset}
+  ${ansi.dim}Run ${ansi.cyan}vibecheck shield unlock${ansi.dim} to release.${ansi.reset}
+`);
+    } else {
+      renderError(result.error || "Failed to lock repo");
+    }
+  }
+  
+  return result.success ? EXIT.SUCCESS : EXIT.INTERNAL_ERROR;
+}
+
+/**
+ * Handle unlock subcommand
+ */
+async function handleUnlock(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderSuccess, renderError } = getCliOutput();
+  
+  const agent = loadImplementation("agent");
+  if (!agent) {
+    return handleModuleNotAvailable("agent", ctx);
+  }
+  
+  const result = await agent.runAgent({ action: "unlock", projectRoot: ctx.projectRoot });
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({
+      success: result.success,
+      mode: "observe",
+      message: result.message,
+      timestamp: new Date().toISOString(),
+    }, null, 2));
+  } else if (!ctx.quiet) {
+    if (result.success) {
+      renderSuccess("Repo lock released");
+      console.log(`
+  ${ansi.dim}Firewall is now in observe mode.${ansi.reset}
+  ${ansi.dim}Violations will be logged but not blocked.${ansi.reset}
+`);
+    } else {
+      renderError(result.error || "Failed to unlock repo");
+    }
+  }
+  
+  return result.success ? EXIT.SUCCESS : EXIT.INTERNAL_ERROR;
+}
+
+/**
+ * Handle verify subcommand - delegates to runGuard with enhancements
+ */
+async function handleVerify(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, renderVerdict, renderFooter, Spinner, sym } = getCliOutput();
+  
+  const guard = loadImplementation("guard");
+  if (!guard) {
+    return handleModuleNotAvailable("guard", ctx);
+  }
+  
+  // Build guard args
+  const guardArgs = [...ctx.args];
+  if (ctx.json && !guardArgs.includes("--json")) guardArgs.push("--json");
+  if (ctx.quiet && !guardArgs.includes("--quiet") && !guardArgs.includes("-q")) guardArgs.push("--quiet");
+  
+  if (!ctx.json && !ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Verification", sym.shield);
+    
+    // Show what we're checking
+    const checkClaims = ctx.args.includes("--claims") || (!ctx.args.includes("--prompts") && !ctx.args.includes("--hallucinations"));
+    const checkPrompts = ctx.args.includes("--prompts") || (!ctx.args.includes("--claims") && !ctx.args.includes("--hallucinations"));
+    const checkHallucinations = ctx.args.includes("--hallucinations") || (!ctx.args.includes("--claims") && !ctx.args.includes("--prompts"));
+    
+    console.log(`
+  ${ansi.dim}Running verification checks:${ansi.reset}
+    ${checkClaims ? ansi.green + "✓" : ansi.dim + "○"} ${ansi.reset}AI Claims against truthpack
+    ${checkPrompts ? ansi.green + "✓" : ansi.dim + "○"} ${ansi.reset}Prompt injection detection
+    ${checkHallucinations ? ansi.green + "✓" : ansi.dim + "○"} ${ansi.reset}Hallucination patterns
+`);
+  }
+  
+  // Execute guard
+  const exitCode = await guard(guardArgs);
+  
+  return exitCode;
+}
+
+/**
+ * Handle check subcommand - v2 enforcement with intent alignment
+ */
+async function handleCheck(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, renderSuccess, renderError, sym } = getCliOutput();
+  
+  const createOrchestrator = loadImplementation("orchestrator");
+  const IntentStore = loadImplementation("intentStore");
+  
+  if (!createOrchestrator || !IntentStore) {
+    if (ctx.json) {
+      console.log(JSON.stringify({ success: false, error: "v2 enforcement modules not available" }));
+    } else {
+      renderError("v2 enforcement modules not available");
+    }
+    return EXIT.INTERNAL_ERROR;
+  }
+  
+  // Check for intent
+  const intentStore = new IntentStore(ctx.projectRoot);
+  const hasIntent = intentStore.hasIntent();
+  const intent = intentStore.getCurrent({ allowMissing: true });
+  
+  if (!ctx.json && !ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Agent Firewall v2 Check", sym.shield);
+    
+    // Show intent status
+    const isBlocking = intent?.summary?.includes("NO INTENT DECLARED");
+    
+    console.log(`
+  ${ansi.bold}Intent Status${ansi.reset}`);
+    
+    if (!hasIntent || isBlocking) {
+      console.log(`    ${ansi.yellow}⚠${ansi.reset} No intent declared - ${ansi.red}ALL CHANGES BLOCKED${ansi.reset}`);
+      console.log(`
+  ${ansi.dim}Declare an intent before making AI changes:${ansi.reset}
+    ${ansi.cyan}vibecheck intent set -s "Your intent description"${ansi.reset}
+`);
+    } else {
+      console.log(`    ${ansi.green}✓${ansi.reset} Intent active: ${intent.summary}`);
+      if (intent.constraints && intent.constraints.length > 0) {
+        console.log(`    ${ansi.dim}Constraints: ${intent.constraints.length}${ansi.reset}`);
+      }
+      if (intent.allowed_changes && intent.allowed_changes.length > 0) {
+        console.log(`    ${ansi.dim}Allowed changes: ${intent.allowed_changes.length}${ansi.reset}`);
+      }
+      console.log(`    ${ansi.dim}Hash: ${intent.hash.slice(0, 16)}...${ansi.reset}`);
+    }
+  }
+  
+  // Get staged changes from git
+  let changes = [];
+  try {
+    const { execSync } = require("child_process");
+    const gitDiff = execSync("git diff --cached --name-only", { 
+      cwd: ctx.projectRoot, 
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+    }).trim();
+    
+    if (gitDiff) {
+      changes = gitDiff.split("\n").filter(Boolean).map(file => ({
+        path: file,
+        type: "file_write",
+      }));
+    }
+  } catch {
+    // No git or no staged changes
+  }
+  
+  // If no staged changes, check for recent modified files
+  if (changes.length === 0) {
+    try {
+      const { execSync } = require("child_process");
+      const gitStatus = execSync("git diff --name-only HEAD~1", { 
+        cwd: ctx.projectRoot, 
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"],
+      }).trim();
+      
+      if (gitStatus) {
+        changes = gitStatus.split("\n").filter(Boolean).map(file => ({
+          path: file,
+          type: "file_write",
+        }));
+      }
+    } catch {
+      // No recent changes
+    }
+  }
+  
+  if (!ctx.json && !ctx.quiet) {
+    console.log(`
+  ${ansi.bold}Changes to Check${ansi.reset}
+    ${changes.length > 0 ? `${changes.length} file(s)` : `${ansi.dim}(no staged or recent changes)${ansi.reset}`}`);
+    
+    for (const change of changes.slice(0, 5)) {
+      console.log(`    ${ansi.dim}•${ansi.reset} ${change.path}`);
+    }
+    if (changes.length > 5) {
+      console.log(`    ${ansi.dim}... and ${changes.length - 5} more${ansi.reset}`);
+    }
+  }
+  
+  // Run enforcement if we have changes
+  if (changes.length === 0) {
+    if (ctx.json) {
+      console.log(JSON.stringify({
+        success: true,
+        verdict: { decision: "PASS", message: "No changes to check" },
+        intent_hash: intent?.hash || null,
+        changes: 0,
+      }, null, 2));
+    } else if (!ctx.quiet) {
+      console.log(`
+  ${ansi.green}✓${ansi.reset} No changes to enforce
+`);
+    }
+    return EXIT.SUCCESS;
+  }
+  
+  // Create orchestrator and run enforcement
+  const orchestrator = createOrchestrator(ctx.projectRoot);
+  
+  if (!ctx.json && !ctx.quiet) {
+    console.log(`
+  ${ansi.bold}Running Enforcement${ansi.reset}
+    ${ansi.dim}Checking intent alignment...${ansi.reset}`);
+  }
+  
+  const result = await orchestrator.enforce({
+    changes,
+    agentId: "cli-check",
+  });
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({
+      success: !result.blocked,
+      verdict: result.verdict,
+      violations: result.violations,
+      proofs: result.proofs,
+      intent_hash: result.intent_hash,
+      changes: changes.length,
+    }, null, 2));
+  } else if (!ctx.quiet) {
+    const verdictColor = result.verdict?.decision === "PASS" ? ansi.green : ansi.red;
+    
+    console.log(`
+  ${ansi.bold}Verdict${ansi.reset}
+    ${verdictColor}${result.verdict?.decision || "UNKNOWN"}${ansi.reset}`);
+    
+    if (result.violations && result.violations.length > 0) {
+      console.log(`
+  ${ansi.bold}Violations (${result.violations.length})${ansi.reset}`);
+      for (const v of result.violations.slice(0, 5)) {
+        console.log(`    ${ansi.red}✗${ansi.reset} [${v.code}] ${v.message}`);
+        console.log(`      ${ansi.dim}Resource: ${v.resource}${ansi.reset}`);
+      }
+      if (result.violations.length > 5) {
+        console.log(`    ${ansi.dim}... and ${result.violations.length - 5} more${ansi.reset}`);
+      }
+    }
+    
+    if (result.verdict?.decision === "PASS") {
+      console.log(`
+${ansi.green}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   ✓ ENFORCEMENT PASSED                                            ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+`);
+    } else {
+      console.log(`
+${ansi.red}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   ✗ ENFORCEMENT BLOCKED                                           ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.dim}To resolve:${ansi.reset}
+    1. Update your intent to allow these changes
+    2. Or modify changes to align with declared intent
+    
+  ${ansi.dim}Current intent: ${ansi.cyan}vibecheck intent show${ansi.reset}
+  ${ansi.dim}Update intent: ${ansi.cyan}vibecheck intent set -s "..."${ansi.reset}
+`);
+    }
+  }
+  
+  return result.blocked ? EXIT.BLOCKING : EXIT.SUCCESS;
+}
+
+/**
+ * Handle install subcommand
+ */
+async function handleInstall(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderSuccess, renderError, renderWarning, sym } = getCliOutput();
+  
+  const agent = loadImplementation("agent");
+  if (!agent) {
+    return handleModuleNotAvailable("agent", ctx);
+  }
+  
+  if (!ctx.json && !ctx.quiet) {
+    console.log(`
+  ${ansi.dim}Installing Agent Firewall hooks...${ansi.reset}
+`);
+  }
+  
+  const result = await agent.runAgent({ action: "install", projectRoot: ctx.projectRoot });
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({
+      success: result.success,
+      hooks: {
+        cursor: true,
+        vscode: true,
+        windsurf: true,
+      },
+      message: result.message,
+      timestamp: new Date().toISOString(),
+    }, null, 2));
+  } else if (!ctx.quiet) {
+    if (result.success) {
+      console.log(`
+${ansi.green}${ansi.bold}╔═══════════════════════════════════════════════════════════════════╗
+║                                                                   ║
+║   ${sym.success} AGENT FIREWALL HOOKS INSTALLED                             ║
+║                                                                   ║
+╚═══════════════════════════════════════════════════════════════════╝${ansi.reset}
+
+  ${ansi.dim}IDE Integration:${ansi.reset}
+    ${ansi.green}✓${ansi.reset} Cursor
+    ${ansi.green}✓${ansi.reset} VS Code
+    ${ansi.green}✓${ansi.reset} Windsurf
+
+  ${ansi.dim}The firewall will now intercept AI code changes.${ansi.reset}
+
+  ${ansi.bold}Next Steps:${ansi.reset}
+    ${ansi.cyan}vibecheck shield enforce${ansi.reset}    Enable blocking mode
+    ${ansi.cyan}vibecheck shield status${ansi.reset}     Check configuration
+    ${ansi.cyan}vibecheck audit${ansi.reset}             Generate fresh truthpack
+`);
+    } else {
+      renderError(result.error || "Failed to install hooks");
+    }
+  }
+  
+  return result.success ? EXIT.SUCCESS : EXIT.INTERNAL_ERROR;
+}
+
+/**
+ * Handle stats subcommand
+ */
+async function handleStats(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, sym } = getCliOutput();
+  
+  const firewall = loadImplementation("firewall");
+  if (!firewall) {
+    return handleModuleNotAvailable("firewall", ctx);
+  }
+  
+  const stats = await firewall.runFirewall({ stats: true, projectRoot: ctx.projectRoot });
+  
+  const result = {
+    total: stats.total || 0,
+    byVerdict: stats.byVerdict || {},
+    byAgent: stats.byAgent || {},
+    byDate: stats.byDate || {},
+    recent: stats.recent || [],
+    period: "all-time",
+    timestamp: new Date().toISOString(),
+  };
+  
+  if (ctx.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else if (!ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Firewall Statistics", sym.chart);
+    
+    if (stats.error || result.total === 0) {
+      console.log(`
+  ${ansi.dim}No change packets recorded yet.${ansi.reset}
+  
+  ${ansi.dim}Change packets are created when:${ansi.reset}
+    ${ansi.dim}• AI makes code changes through IDE hooks${ansi.reset}
+    ${ansi.dim}• Files are modified with hooks installed${ansi.reset}
+  
+  ${ansi.dim}Run ${ansi.cyan}vibecheck shield install${ansi.dim} to set up interception.${ansi.reset}
+`);
+    } else {
+      console.log(`
+  ${ansi.bold}Overview${ansi.reset}
+    ${ansi.dim}Total Packets:${ansi.reset}  ${ansi.bold}${result.total}${ansi.reset}
+`);
+
+      // Verdict breakdown
+      if (Object.keys(result.byVerdict).length > 0) {
+        console.log(`  ${ansi.bold}By Verdict${ansi.reset}`);
+        for (const [verdict, count] of Object.entries(result.byVerdict)) {
+          const pct = ((count / result.total) * 100).toFixed(1);
+          const bar = renderProgressBar(count / result.total, 20, ansi);
+          const color = verdict === "ALLOW" ? ansi.green : verdict === "BLOCK" ? ansi.red : ansi.yellow;
+          console.log(`    ${color}${verdict.padEnd(8)}${ansi.reset} ${bar} ${count} (${pct}%)`);
+        }
+        console.log();
+      }
+
+      // Agent breakdown
+      if (Object.keys(result.byAgent).length > 0) {
+        console.log(`  ${ansi.bold}By Agent${ansi.reset}`);
+        for (const [agent, count] of Object.entries(result.byAgent)) {
+          console.log(`    ${ansi.dim}${agent.padEnd(20)}${ansi.reset} ${count}`);
+        }
+        console.log();
+      }
+
+      // Recent packets
+      if (result.recent.length > 0) {
+        console.log(`  ${ansi.bold}Recent Activity${ansi.reset}`);
+        for (const packet of result.recent.slice(0, 5)) {
+          const verdictColor = packet.verdict === "ALLOW" ? ansi.green : 
+                              packet.verdict === "BLOCK" ? ansi.red : ansi.yellow;
+          const time = new Date(packet.timestamp).toLocaleTimeString();
+          console.log(`    ${ansi.dim}${time}${ansi.reset} ${verdictColor}${(packet.verdict || "?").padEnd(6)}${ansi.reset} ${packet.files || 0} files`);
+        }
+        console.log();
+      }
+    }
+  }
+  
+  return EXIT.SUCCESS;
+}
+
+/**
+ * Handle audit subcommand - review recent change packets
+ */
+async function handleAudit(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, renderWarning, sym } = getCliOutput();
+  
+  if (!ctx.json && !ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Change Packet Audit", sym.search);
+  }
+  
+  // Load recent packets
+  const packetsDir = path.join(ctx.projectRoot, ".vibecheck", "packets");
+  
+  if (!fs.existsSync(packetsDir)) {
+    if (ctx.json) {
+      console.log(JSON.stringify({ packets: [], count: 0, message: "No packets directory found" }));
+    } else if (!ctx.quiet) {
+      renderWarning("No change packets found");
+      console.log(`
+  ${ansi.dim}Install hooks and make changes to generate packets:${ansi.reset}
+  ${ansi.cyan}vibecheck shield install${ansi.reset}
+`);
+    }
+    return EXIT.SUCCESS;
+  }
+  
+  // Collect packets from date directories
+  const packets = [];
+  try {
+    const dateDirs = fs.readdirSync(packetsDir).filter(d => /^\d{4}-\d{2}-\d{2}$/.test(d));
+    for (const dateDir of dateDirs.slice(-7)) { // Last 7 days
+      const dayPath = path.join(packetsDir, dateDir);
+      const files = fs.readdirSync(dayPath).filter(f => f.endsWith(".json"));
+      for (const file of files.slice(-10)) { // Last 10 per day
+        try {
+          const packet = JSON.parse(fs.readFileSync(path.join(dayPath, file), "utf-8"));
+          packets.push({ ...packet, date: dateDir, file });
+        } catch {
+          // Skip invalid packets
+        }
+      }
+    }
+  } catch {
+    // Handle read errors gracefully
+  }
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({ packets, count: packets.length }, null, 2));
+  } else if (!ctx.quiet) {
+    if (packets.length === 0) {
+      console.log(`
+  ${ansi.dim}No recent packets found.${ansi.reset}
+`);
+    } else {
+      console.log(`
+  ${ansi.dim}Found ${packets.length} recent packets:${ansi.reset}
+`);
+      for (const packet of packets.slice(-10)) {
+        const verdictColor = packet.verdict?.decision === "ALLOW" ? ansi.green : 
+                            packet.verdict?.decision === "BLOCK" ? ansi.red : ansi.yellow;
+        console.log(`  ${ansi.dim}${packet.date}${ansi.reset} ${packet.id?.slice(0, 8) || "?"} ${verdictColor}${(packet.verdict?.decision || "?").padEnd(6)}${ansi.reset} ${packet.files?.length || 0} files`);
+      }
+      console.log();
+    }
+  }
+  
+  return EXIT.SUCCESS;
+}
+
+/**
+ * Handle policy subcommand
+ */
+async function handlePolicy(ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, sym } = getCliOutput();
+  
+  const policyPath = path.join(ctx.projectRoot, ".vibecheck", "policy.json");
+  
+  if (!ctx.json && !ctx.quiet) {
+    renderMinimalHeader("shield", "pro");
+    renderSectionHeader("Policy Configuration", sym.settings);
+  }
+  
+  let policy = {
+    mode: "observe",
+    profile: "balanced",
+    rules: {},
+  };
+  
+  if (fs.existsSync(policyPath)) {
+    try {
+      policy = JSON.parse(fs.readFileSync(policyPath, "utf-8"));
+    } catch {
+      // Use defaults
+    }
+  }
+  
+  if (ctx.json) {
+    console.log(JSON.stringify(policy, null, 2));
+  } else if (!ctx.quiet) {
+    console.log(`
+  ${ansi.bold}Current Policy${ansi.reset}
+    ${ansi.dim}Mode:${ansi.reset}     ${policy.mode}
+    ${ansi.dim}Profile:${ansi.reset}  ${policy.profile}
+    ${ansi.dim}Path:${ansi.reset}     ${policyPath}
+
+  ${ansi.bold}Rules${ansi.reset}`);
+    
+    for (const rule of ENFORCEMENT_RULES) {
+      const ruleConfig = policy.rules?.[rule.id] || {};
+      const enabled = ruleConfig.enabled !== false;
+      const severity = ruleConfig.severity || rule.severity;
+      const severityColor = severity === "block" ? ansi.red : ansi.yellow;
+      
+      console.log(`    ${enabled ? ansi.green + "✓" : ansi.dim + "○"} ${ansi.reset}${rule.id.padEnd(20)} ${severityColor}${severity.padEnd(5)}${ansi.reset} ${ansi.dim}${rule.description}${ansi.reset}`);
+    }
+    
+    console.log(`
+  ${ansi.dim}Edit ${policyPath} to customize rules.${ansi.reset}
+`);
+  }
+  
+  return EXIT.SUCCESS;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// ERROR HANDLING
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function handleUnknownSubcommand(subcommand, ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi } = getCliOutput();
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({ 
+      success: false, 
+      error: `Unknown subcommand: ${subcommand}`,
+      available: Object.keys(SUBCOMMANDS),
+    }));
+  } else {
+    console.log(`
+${ansi.red}Error: Unknown subcommand '${subcommand}'${ansi.reset}
+
+${ansi.dim}Available subcommands:${ansi.reset}
+${Object.keys(SUBCOMMANDS).map(s => `  ${ansi.cyan}${s}${ansi.reset}`).join("\n")}
+
+Run ${ansi.cyan}vibecheck shield --help${ansi.reset} for usage.
+`);
+  }
+  
+  return EXIT.USER_ERROR;
+}
+
+function handleModuleNotAvailable(module, ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderError } = getCliOutput();
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({ 
+      success: false, 
+      error: `${module} module not available`,
+      hint: "Try reinstalling vibecheck or check your installation",
+    }));
+  } else {
+    renderError(`${module} module not available`);
+    console.log(`
+  ${ansi.dim}This may indicate an incomplete installation.${ansi.reset}
+  ${ansi.dim}Try: ${ansi.cyan}npm install -g @vibecheck/cli${ansi.reset}
+`);
+  }
+  
+  return EXIT.INTERNAL_ERROR;
+}
+
+function handleError(error, ctx) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderError } = getCliOutput();
+  
+  if (ctx.json) {
+    console.log(JSON.stringify({ 
+      success: false, 
+      error: error.message,
+      stack: ctx.verbose ? error.stack : undefined,
+    }));
+  } else {
+    renderError(`Shield error: ${error.message}`);
+    if (ctx.verbose) {
+      console.log(`\n${ansi.dim}${error.stack}${ansi.reset}\n`);
+    }
+  }
+  
+  return EXIT.INTERNAL_ERROR;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// UTILITY FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+function calculateHealth(status, agentStatus) {
+  let score = 100;
+  
+  if (!agentStatus.installed) score -= 30;
+  if (!status.truthpackFresh) score -= 20;
+  if (status.mode === "observe") score -= 10;
+  if (status.error) score -= 40;
+  
+  if (score >= 80) return { score, level: "excellent", color: "green" };
+  if (score >= 60) return { score, level: "good", color: "green" };
+  if (score >= 40) return { score, level: "fair", color: "yellow" };
+  return { score, level: "needs attention", color: "red" };
+}
+
+function renderHealthBadge(health, ansi) {
+  const color = health.color === "green" ? ansi.green : 
+                health.color === "yellow" ? ansi.yellow : ansi.red;
+  return `${color}${health.level.toUpperCase()}${ansi.reset} ${ansi.dim}(${health.score}/100)${ansi.reset}`;
+}
+
+function renderProgressBar(ratio, width, ansi) {
+  const filled = Math.round(ratio * width);
+  const empty = width - filled;
+  return `${ansi.green}${"█".repeat(filled)}${ansi.dim}${"░".repeat(empty)}${ansi.reset}`;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SEAL (BADGE) COMMAND
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Generate seal (badge) and attestation
+ * @param {string[]} args - Command arguments
+ * @param {Object} context - Execution context
+ */
+async function runSeal(args = [], context = {}) {
+  const { EXIT } = getExitCodes();
+  const { ansi, renderMinimalHeader, renderSectionHeader, renderSuccess, sym } = getCliOutput();
+  const { parseGlobalFlags, shouldSuppressOutput, isJsonMode } = getGlobalFlags();
+  
+  const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
+  const quiet = shouldSuppressOutput(globalFlags);
+  const json = isJsonMode(globalFlags) || args.includes("--json");
+  const projectRoot = context.repoRoot || globalFlags.path || process.cwd();
+  
+  // Check for --badge flag compatibility (delegate to ship)
+  if (args.includes("--badge") || !args.some(a => a.startsWith("--"))) {
+    try {
+      const { runShip } = require("./runShip");
+      return runShip(["--badge", ...args.filter(a => a !== "--badge")], context);
+    } catch (e) {
+      // Fall through to local implementation
+    }
+  }
+  
+  // Generate seal locally
+  const format = getArgValue(args, "--format") || "svg";
+  const output = getArgValue(args, "--output") || getArgValue(args, "-o");
+  const includeAttest = args.includes("--attest");
+  
+  if (!json && !quiet) {
+    renderMinimalHeader("seal", "pro");
+    renderSectionHeader("Badge Generation", sym.badge);
+  }
+  
+  // Load last ship result
+  const shipResultPath = path.join(projectRoot, ".vibecheck", "ship", "last_ship.json");
+  let shipResult = { verdict: "UNKNOWN" };
+  
+  if (fs.existsSync(shipResultPath)) {
+    try {
+      shipResult = JSON.parse(fs.readFileSync(shipResultPath, "utf-8"));
+    } catch {
+      // Use defaults
+    }
+  }
+  
+  const seal = {
+    verdict: shipResult.verdict || "UNKNOWN",
+    timestamp: new Date().toISOString(),
+    version: SHIELD_VERSION,
+    format,
+  };
+  
+  if (includeAttest) {
+    seal.attestation = {
+      hash: require("crypto").createHash("sha256").update(JSON.stringify(seal)).digest("hex").slice(0, 16),
+      algorithm: "sha256",
+    };
+  }
+  
+  if (json) {
+    console.log(JSON.stringify(seal, null, 2));
+  } else if (!quiet) {
+    renderSuccess(`Seal generated: ${seal.verdict}`);
+    console.log(`
+  ${ansi.dim}Format:${ansi.reset}  ${format}
+  ${ansi.dim}Verdict:${ansi.reset} ${seal.verdict}
+  ${ansi.dim}Time:${ansi.reset}    ${seal.timestamp}
+`);
+    
+    if (includeAttest) {
+      console.log(`  ${ansi.dim}Attestation:${ansi.reset} ${seal.attestation.hash}`);
+    }
+  }
+  
+  return EXIT.SUCCESS;
+}
+
+function getArgValue(args, flag) {
+  const index = args.indexOf(flag);
+  if (index !== -1 && args[index + 1] && !args[index + 1].startsWith("--")) {
+    return args[index + 1];
+  }
+  return null;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  runShield,
+  runSeal,
+  // Export constants for testing
+  SHIELD_VERSION,
+  SUBCOMMANDS,
+  ENFORCEMENT_RULES,
+  // Export individual handlers for direct access
+  handleStatus,
+  handleSetMode,
+  handleLock,
+  handleUnlock,
+  handleVerify,
+  handleInstall,
+  handleStats,
+  handleAudit,
+  handlePolicy,
+};