feat: enforce layer0 gate and add tests

mcp/oracle_answer/cli.py

@@ -15,6 +15,9 @@ import json
 import sys
 from typing import List, Optional
 
+from layer0 import layer0_entry
+from layer0.shadow_classifier import ShadowEvalResult
+
 from .tool import OracleAnswerTool
 
 
@@ -79,6 +82,12 @@ async def main_async(args: Optional[List[str]] = None) -> int:
     parser = build_parser()
     ns = parser.parse_args(args=args)
 
+    # Layer 0: pre-boot Shadow Eval gate before any processing.
+    routing_action, shadow = layer0_entry(ns.question)
+    if routing_action != "HANDOFF_TO_LAYER1":
+        _render_layer0_block(routing_action, shadow)
+        return 1
+
     tool = OracleAnswerTool(
         default_frameworks=ns.frameworks,
         use_local_only=ns.local_only,
@@ -130,5 +139,33 @@ def main() -> None:
         sys.exit(1)
 
 
+def _render_layer0_block(routing_action: str, shadow: ShadowEvalResult) -> None:
+    """
+    Minimal user-facing responses for Layer 0 decisions.
+    - Catastrophic: fail closed, no details beyond refusal.
+    - Forbidden: governance violation noted.
+    - Ambiguous: ask for clarification.
+    """
+    if routing_action == "FAIL_CLOSED":
+        print("Layer 0: cannot comply with this request.", file=sys.stderr)
+        return
+    if routing_action == "HANDOFF_TO_GUARDRAILS":
+        print(
+            "Layer 0: governance violation detected (e.g., GitOps bypass or dashboard request).",
+            file=sys.stderr,
+        )
+        if shadow.reason:
+            print(f"Reason: {shadow.reason}", file=sys.stderr)
+        return
+    if routing_action == "PROMPT_FOR_CLARIFICATION":
+        print(
+            "Layer 0: request is ambiguous. Please add specifics before rerunning.",
+            file=sys.stderr,
+        )
+        return
+    # Unexpected action; default to refusal.
+    print("Layer 0: unrecognized routing action; refusing request.", file=sys.stderr)
+
+
 if __name__ == "__main__":
     main()