feat: implement YOLO classifier and MCP unified pipeline

Phase 3.4 YOLO Classifier (jcode-only):
- Create src/yolo_classifier.rs with 2-stage LLM approach
- Stage 1 (fast, 64 tokens): BLOCK/ALLOW decision
- Stage 2 (thinking, 4096 tokens): CoT evidence gathering when blocked
- Fail closed on errors/timeouts → falls back to interactive prompt
- Circuit breaker: 3 consecutive denials → bypass YOLO until reset
- Integrated into dcg_bridge::classify_with_mode() for Mode::Auto

Phase 3.6 MCP Unified Pipeline:
- Extend action_to_tool_call() to handle mcp__* actions
- MCP tools mapped to ToolCall::read with [Read, Write, Spawn] effects
- Three matching levels: mcp__server, mcp__server__tool, mcp__server__*

Also updated src/lib.rs to export the yolo_classifier module.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: quangdang46

src/dcg_bridge.rs

@@ -37,6 +37,8 @@ use std::sync::{LazyLock, Mutex};
 
 use dcg_core::{Decision, Effect, Engine, EngineConfig, Mode, Session, ToolCall};
 
+pub use crate::yolo_classifier::YoloClassifier;
+
 /// Globally configured permission mode. Set once during CLI startup, read
 /// from every `SafetySystem::classify` call.
 ///
@@ -141,11 +143,33 @@ pub fn classify_with_mode(action: &str, mode: Mode) -> BridgeDecision {
     // `Engine::evaluate` because their pre-check semantics are well
     // defined without rule data.
     if matches!(mode, Mode::Default | Mode::Auto) {
-        return if is_legacy_auto_allowed(&lower) {
-            BridgeDecision::Allow
-        } else {
-            BridgeDecision::Prompt
-        };
+        // Legacy auto-allowed tools always allow in both Default and Auto.
+        if is_legacy_auto_allowed(&lower) {
+            return BridgeDecision::Allow;
+        }
+
+        // For Mode::Auto, non-legacy tools go through YOLO classifier.
+        if mode == Mode::Auto {
+            let (tool, effects) = action_to_tool_call(&lower);
+            let effect_strings: Vec<&str> = effects
+                .iter()
+                .map(|e| match e {
+                    Effect::Read => "Read",
+                    Effect::Write => "Write",
+                    Effect::Spawn => "Spawn",
+                    Effect::Fs => "Fs",
+                    Effect::Irreversible => "Irreversible",
+                    Effect::Network => "Network",
+                    Effect::CredentialAccess => "CredentialAccess",
+                    Effect::PrivilegeEscalation => "PrivilegeEscalation",
+                })
+                .collect();
+
+            let classifier = YoloClassifier::get_or_init();
+            return classifier.evaluate(&lower, &format!("{:?}", tool), &effect_strings);
+        }
+
+        return BridgeDecision::Prompt;
     }
 
     let (tool, effects) = action_to_tool_call(&lower);
@@ -242,6 +266,24 @@ fn action_to_tool_call(action_lower: &str) -> (ToolCall, Vec<Effect>) {
         return (ToolCall::bash(""), vec![Spawn, Write, Irreversible]);
     }
 
+    // MCP tool actions: mcp__serverName__toolName
+    // Three matching levels:
+    //   mcp__github          → matches ALL tools from github server
+    //   mcp__github__*        → wildcard, same as above
+    //   mcp__github__create_pull_request → exact tool
+    if action_lower.starts_with("mcp__") {
+        let parts: Vec<&str> = action_lower.split("__").collect();
+        if parts.len() >= 2 {
+            // MCP tools carry Read + Write + Spawn effects since they can
+            // read/write data and spawn background processes.
+            // Path is unknown at classify time — use placeholder.
+            return (
+                ToolCall::read(placeholder),
+                vec![Read, Write, Spawn],
+            );
+        }
+    }
+
     // Conservative default for unknown / future tools. We still surface a
     // ToolCall::Bash so the engine treats it as command-shaped rather
     // than file-shaped.

src/lib.rs

@@ -6,6 +6,7 @@
     clippy::useless_conversion
 )]
 
+pub mod yolo_classifier;
 pub mod agent;
 pub mod ambient;
 pub mod ambient_runner;