feat: enforce layer0 gate and add tests

mcp/waf_intelligence/__main__.py

@@ -7,6 +7,9 @@ from dataclasses import asdict
 from pathlib import Path
 from typing import Any, Dict, List
 
+from layer0 import layer0_entry
+from layer0.shadow_classifier import ShadowEvalResult
+
 from .orchestrator import WAFInsight, WAFIntelligence
 
 
@@ -56,6 +59,12 @@ def run_cli(argv: List[str] | None = None) -> int:
 
     args = parser.parse_args(argv)
 
+    # Layer 0: pre-boot Shadow Eval gate.
+    routing_action, shadow = layer0_entry(f"waf_intel_cli file={args.file} limit={args.limit}")
+    if routing_action != "HANDOFF_TO_LAYER1":
+        _render_layer0_block(routing_action, shadow)
+        return 1
+
     path = Path(args.file)
     if not path.exists():
         print(f"[error] file not found: {path}", file=sys.stderr)
@@ -130,3 +139,26 @@ def main() -> None:
 
 if __name__ == "__main__":
     main()
+
+
+def _render_layer0_block(routing_action: str, shadow: ShadowEvalResult) -> None:
+    """
+    Minimal user-facing responses for Layer 0 decisions.
+    """
+    if routing_action == "FAIL_CLOSED":
+        print("Layer 0: cannot comply with this request.", file=sys.stderr)
+        return
+    if routing_action == "HANDOFF_TO_GUARDRAILS":
+        reason = shadow.reason or "governance_violation"
+        print(
+            f"Layer 0: governance violation detected ({reason}).",
+            file=sys.stderr,
+        )
+        return
+    if routing_action == "PROMPT_FOR_CLARIFICATION":
+        print(
+            "Layer 0: request is ambiguous. Please add specifics before rerunning.",
+            file=sys.stderr,
+        )
+        return
+    print("Layer 0: unrecognized routing action; refusing request.", file=sys.stderr)