feat: enforce layer0 gate and add tests

oracle_runner.py

@@ -28,6 +28,9 @@ from dataclasses import dataclass, asdict, field
 from enum import Enum
 import re
 
+from layer0 import layer0_entry
+from layer0.shadow_classifier import ShadowEvalResult
+
 
 class ComplianceFramework(str, Enum):
     """Supported compliance frameworks"""
@@ -364,6 +367,12 @@ def main() -> int:
     frameworks: Optional[List[str]] = None
     verbose = "--verbose" in sys.argv or "-v" in sys.argv
 
+    # Layer 0: pre-boot Shadow Eval gate before any processing.
+    routing_action, shadow = layer0_entry(question)
+    if routing_action != "HANDOFF_TO_LAYER1":
+        _render_layer0_block(routing_action, shadow)
+        return 1
+
     # Parse frameworks flag
     for i, arg in enumerate(sys.argv[2:], 2):
         if arg.startswith("--frameworks="):
@@ -420,3 +429,26 @@ def main() -> int:
 
 if __name__ == "__main__":
     sys.exit(main())
+
+
+def _render_layer0_block(routing_action: str, shadow: ShadowEvalResult) -> None:
+    """
+    Minimal user-facing responses for Layer 0 decisions.
+    """
+    if routing_action == "FAIL_CLOSED":
+        print("Layer 0: cannot comply with this request.", file=sys.stderr)
+        return
+    if routing_action == "HANDOFF_TO_GUARDRAILS":
+        reason = shadow.reason or "governance_violation"
+        print(
+            f"Layer 0: governance violation detected ({reason}).",
+            file=sys.stderr,
+        )
+        return
+    if routing_action == "PROMPT_FOR_CLARIFICATION":
+        print(
+            "Layer 0: request is ambiguous. Please add specifics before rerunning.",
+            file=sys.stderr,
+        )
+        return
+    print("Layer 0: unrecognized routing action; refusing request.", file=sys.stderr)