{
  "id": "security-gate",
  "name": "security-gate",
  "version": "0.1.0",
  "defaultEnabled": true,
  "behaviorStatus": "active",
  "ownershipStatus": "locus-specific",
  "sourceMode": "locus-owned",
  "runtimeRequirements": [
    "Loaded by default through package.json#pi.extensions",
    "Pi tool_call lifecycle hook",
    "shared tool-call classifier and audit ledger",
    "security-audit command for local audit review",
    "Audits classified dangerous tool calls and delegates approval/block decisions to Pi",
    "security-audit shows newest bounded audit-only observations (default TUI selection 20, RPC projection 3) with literal decision facts, derived INFO/WARN severity, redacted width-bounded targets, and hidden count without claiming Locus enforcement"
  ],
  "stateUsed": ["security audit events"],
  "tier": "core-owned",
  "provides": {
    "tools": [],
    "commands": ["security-audit"],
    "hooks": ["tool_call"]
  },
  "uiLifecycle": {
    "commands": [
      {
        "name": "security-audit",
        "taxonomy": ["transient-widget"],
        "transient": ["widget:security-audit"],
        "persistent": []
      }
    ]
  },
  "permissions": {
    "filesystem": {
      "read": [],
      "write": []
    },
    "subprocess": [],
    "network": [],
    "browser": false,
    "models": false,
    "ui": ["setWidget"]
  },
  "risk": "critical",
  "docsPath": "docs/extensions/active/security-gate.md",
  "sourceAuditPath": "https://github.com/kroffske/locus-pi/blob/main/docs/source-audit/security-gate.md",
  "tests": ["tests/shared/security/security.test.ts", "tests/integration/public-registration.test.ts"],
  "review": {
    "status": "reviewed",
    "source": "write-from-scratch",
    "reviewedBy": "locus-pi",
    "reviewedAt": "2026-07-10"
  }
}
