feat: enforce layer0 gate and add tests

waf_intel_mcp.py

@@ -7,6 +7,8 @@ from typing import Any, Dict, List
 
 from modelcontextprotocol.python import Server
 from mcp.waf_intelligence.orchestrator import WAFInsight, WAFIntelligence
+from layer0 import layer0_entry
+from layer0.shadow_classifier import ShadowEvalResult
 
 server = Server("waf_intel")
 
@@ -43,6 +45,10 @@ async def analyze_waf(
         ]
       }
     """
+    routing_action, shadow = layer0_entry(_shadow_repr(file, files, limit, severity_threshold))
+    if routing_action != "HANDOFF_TO_LAYER1":
+        _raise_layer0(routing_action, shadow)
+
     paths: List[str] = []
 
     if files:
@@ -84,3 +90,21 @@ async def analyze_waf(
 
 if __name__ == "__main__":
     server.run()
+
+
+def _shadow_repr(file: str | None, files: List[str] | None, limit: int, severity: str) -> str:
+    try:
+        return f"analyze_waf: file={file}, files={files}, limit={limit}, severity={severity}"
+    except Exception:
+        return "analyze_waf"
+
+
+def _raise_layer0(routing_action: str, shadow: ShadowEvalResult) -> None:
+    if routing_action == "FAIL_CLOSED":
+        raise ValueError("Layer 0: cannot comply with this request.")
+    if routing_action == "HANDOFF_TO_GUARDRAILS":
+        reason = shadow.reason or "governance_violation"
+        raise ValueError(f"Layer 0: governance violation detected ({reason}).")
+    if routing_action == "PROMPT_FOR_CLARIFICATION":
+        raise ValueError("Layer 0: request is ambiguous. Please clarify and retry.")
+    raise ValueError("Layer 0: unrecognized routing action; refusing request.")