Initial release: MCP server enforcing Worker-Reviewer loop

Diligence prevents AI agents from shipping quick fixes that break things
by enforcing a research-propose-verify loop before any code changes.

Key features:
- Worker sub-agent researches and proposes with file:line citations
- Reviewer sub-agent independently verifies claims by searching codebase
- Iterates until approved (max 5 rounds)
- Loads project-specific context from .claude/CODEBASE_CONTEXT.md
- State persisted across sessions

Validated on production codebase: caught architectural mistake (broker
subscriptions on client-side code) that naive agent would have shipped.

test/scenarios/blocking-voice.json

@@ -0,0 +1,78 @@
+{
+  "id": "blocking-voice",
+  "name": "Blocking + Voice Bug",
+  "description": "Fix blocked users can answer DM voice calls",
+
+  "task": "Fix: blocked users can still answer DM voice calls. When user A blocks user B, user B should not be able to answer calls from user A.",
+
+  "naive_fix": {
+    "description": "Add blocking check to answerDmCall()",
+    "changes": [
+      {
+        "file": "src/services/voice-channel.service.ts",
+        "function": "answerDmCall",
+        "change": "Add isBlockingEitherWay check before answering"
+      }
+    ],
+    "issues": [
+      "Doesn't handle block created DURING active call",
+      "Doesn't clean up existing calls when block is created",
+      "Blocked users still receive call notifications"
+    ]
+  },
+
+  "correct_fix": {
+    "description": "Full blocking enforcement following chat.service.ts pattern",
+    "required_changes": [
+      {
+        "file": "src/services/voice-channel.service.ts",
+        "function": "answerDmCall",
+        "change": "Add isBlockingEitherWay check",
+        "line_reference": "line 75"
+      },
+      {
+        "file": "src/services/voice-channel.service.ts",
+        "function": "declineDmCall",
+        "change": "Add isBlockingEitherWay check (consistency)",
+        "line_reference": "line 93"
+      },
+      {
+        "file": "src/services/voice-channel.service.ts",
+        "function": "notifyDmCall",
+        "change": "Filter notifications for blocked users",
+        "line_reference": "line 138"
+      },
+      {
+        "file": "src/services/user-block.service.ts",
+        "function": "blockUser",
+        "change": "Add voice cleanup: endDmCallBetweenUsers()",
+        "line_reference": "line 33"
+      }
+    ],
+    "required_broker_subscriptions": [
+      {
+        "service": "voice-channel.service.ts",
+        "event": "BusUserBlockChange",
+        "action": "Kick users from DM voice when block is created mid-call"
+      }
+    ],
+    "pattern_references": [
+      "chat.service.ts:sendMessage - shows correct action check pattern",
+      "chat.service.ts:getChannelPermission - shows permission vs action separation"
+    ]
+  },
+
+  "validation_criteria": {
+    "must_mention": [
+      "answerDmCall",
+      "BusUserBlockChange",
+      "user-block.service",
+      "notifyDmCall"
+    ],
+    "must_not_change": [
+      "voiceListen permission values",
+      "voiceTalk permission values"
+    ],
+    "should_reference_pattern": "chat.service.ts"
+  }
+}

test/scenarios/index.json

@@ -0,0 +1,21 @@
+{
+  "scenarios": [
+    {
+      "id": "blocking-voice",
+      "file": "blocking-voice.json",
+      "difficulty": "medium",
+      "tags": ["blocking", "voice", "broker-events"]
+    },
+    {
+      "id": "permission-cache",
+      "file": "permission-cache.json",
+      "difficulty": "medium",
+      "tags": ["cache", "permissions", "broker-events"]
+    }
+  ],
+  "metadata": {
+    "version": "1.0.0",
+    "fixture_path": "../fixture",
+    "description": "Test scenarios for diligence MCP server"
+  }
+}

test/scenarios/permission-cache.json

@@ -0,0 +1,81 @@
+{
+  "id": "permission-cache",
+  "name": "Permission Cache Invalidation Bug",
+  "description": "Fix permission cache not invalidating when roles change",
+
+  "task": "Fix: permission cache doesn't invalidate when user roles change. Users see stale permissions for hours after their roles are updated.",
+
+  "naive_fix": {
+    "description": "Add .clear() call somewhere",
+    "changes": [
+      {
+        "file": "src/services/team.service.ts",
+        "function": "somewhere",
+        "change": "Call memoizedPermissions.clear()"
+      }
+    ],
+    "issues": [
+      "Doesn't identify WHEN cache should clear",
+      "Missing BusTeamRoleChange subscription",
+      "Missing BusTeamMemberRoleChange subscription",
+      "Doesn't fix roles.controller.ts missing broker events"
+    ]
+  },
+
+  "correct_fix": {
+    "description": "Subscribe to all role-related broker events",
+    "required_changes": [
+      {
+        "file": "src/services/team.service.ts",
+        "function": "constructor",
+        "change": "Subscribe to BusTeamRoleChange, clear cache on event",
+        "line_reference": "line 30"
+      },
+      {
+        "file": "src/services/team.service.ts",
+        "function": "constructor",
+        "change": "Subscribe to BusTeamMemberRoleChange, clear cache on event",
+        "line_reference": "line 30"
+      },
+      {
+        "file": "src/controllers/roles.controller.ts",
+        "function": "createRole",
+        "change": "Emit BusTeamRoleChange event after creating role",
+        "line_reference": "line 22"
+      },
+      {
+        "file": "src/controllers/roles.controller.ts",
+        "function": "deleteRole",
+        "change": "Emit BusTeamRoleChange event before deleting role",
+        "line_reference": "line 62"
+      }
+    ],
+    "required_broker_subscriptions": [
+      {
+        "service": "team.service.ts",
+        "event": "BusTeamRoleChange",
+        "action": "Clear permission cache"
+      },
+      {
+        "service": "team.service.ts",
+        "event": "BusTeamMemberRoleChange",
+        "action": "Clear permission cache"
+      }
+    ],
+    "pattern_references": [
+      "roles.controller.ts:updateRole - shows correct broker event emission"
+    ]
+  },
+
+  "validation_criteria": {
+    "must_mention": [
+      "BusTeamRoleChange",
+      "BusTeamMemberRoleChange",
+      "createRole",
+      "deleteRole",
+      "team.service"
+    ],
+    "must_identify_root_cause": "Cache only clears on team switch, not role changes",
+    "should_reference_pattern": "roles.controller.ts:updateRole"
+  }
+}