From e258d511800d2826a22eb524c0753dfbf12f4e8a Mon Sep 17 00:00:00 2001
From: lee-to <thecutcode@gmail.com>
Date: Fri, 20 Mar 2026 14:37:56 +0300
Subject: [PATCH 1/2] feat: Constraints with commands

---
 docs/ARCH.md                            |  10 +-
 docs/SPECS.md                           |  19 +-
 docs/WORKFLOW.md                        |  10 +-
 schema/constraint-schema.json           |  21 +
 schema/security-constraints-schema.json |  21 +
 skills/implement/SKILL.md               |   4 +-
 skills/validate/SKILL.md                |   4 +-
 src/check/code_trace.rs                 |   4 +
 src/check/constraints.rs                | 259 ++++++-
 src/cmd/check.rs                        |  21 +
 src/cmd/constraints.rs                  | 168 ++++-
 src/main.rs                             |  36 +
 src/mcp/mod.rs                          |  36 +-
 src/mcp/tools.rs                        |  29 +-
 src/model/policy.rs                     |  29 +
 tests/constraints_tests.rs              | 858 +++++++++++++++++++++++-
 tests/mcp_tests.rs                      |   7 +
 17 files changed, 1505 insertions(+), 31 deletions(-)

diff --git a/docs/ARCH.md b/docs/ARCH.md
index 2ed4f23..2c2304d 100644
--- a/docs/ARCH.md
+++ b/docs/ARCH.md
@@ -313,7 +313,7 @@ This is not dogma: for UI/frontend, bot/automation tasks, glue code, ML/data/AI-
 
 ### 5.2 Code Traceability (`@hlv` markers)
 
-Every error code, invariant, and constraint rule from contracts MUST have an `@hlv <ID>` marker next to the test that verifies it:
+Every error code, invariant, and constraint rule from contracts MUST have an `@hlv <ID>` marker next to the test that verifies it. Constraint rules that have `check_command` are exempt — they are verified programmatically:
 
 ```rust
 // @ctx: stock validation for order.create contract
@@ -333,7 +333,7 @@ fn test_no_sql_injection() { ... }
 
 `@ctx` comments are navigation hints for the LLM. They help understand context quickly without reading the entire file. They are optional, but recommended for complex logic.
 
-`hlv check` automatically collects all IDs from `contracts/*.yaml` (`errors[].code`, `invariants[].id`) and `constraints/*.yaml` (`rules[].id`), then scans `src/` and `tests/` for markers. Missing markers produce warning `CTR-010`; in phase `implemented` and later they block `/validate`.
+`hlv check` automatically collects all IDs from `contracts/*.yaml` (`errors[].code`, `invariants[].id`) and `constraints/*.yaml` (`rules[].id`), then scans `src/` and `tests/` for markers. Rules with `check_command` are skipped (verified by their command via CST-050). Missing markers produce warning `CTR-010`; in phase `implemented` and later they block `/validate`.
 
 ### 5.3 Agent Protocol
 
@@ -478,9 +478,11 @@ Architecture for managing constraint files in `human/constraints/`.
 
 **CRUD.** `hlv constraints add` creates a new YAML file from a `ConstraintFile` template. `add-rule` / `remove-rule` mutate the `rules[]` array inside an existing file. All operations follow: read file -> deserialize -> mutate -> serialize -> write.
 
-**`hlv check` checks.** `CST-010` - file from `project.yaml -> constraints` not found. `CST-020` - duplicate `rule.id` values inside the file. `CST-030` - invalid severity. `CST-010`/`020` are errors (block `/verify`), `CST-030` is a warning.
+**`hlv check` checks.** `CST-010` - file from `project.yaml -> constraints` not found. `CST-020` - duplicate `rule.id` values inside the file. `CST-030` - invalid `severity` or `error_level` value. `CST-050` - runs `check_command` for each constraint rule that has one; severity is determined by the rule's `error_level` override, or mapped from rule severity (`critical`/`high` -> error, `medium`/`low` -> warning). `CST-060` - runs file-level `check_command` on the constraint file itself; failure is always an error. `CST-010`/`020` are errors (block `/verify`), `CST-030` is a warning.
 
-**Contract linkage.** Contracts refer to constraint rules through `depends_on_constraints`. `hlv check` (`CTR-010`) verifies that every `rule.id` from constraints has an `@hlv` marker in code.
+**`hlv constraints check`.** Runs `check_command` for constraint rules with additional filters: `hlv constraints check <constraint>`, `--rule <id>`, `--json`. The same checks also run as part of `hlv check`.
+
+**Contract linkage.** Contracts refer to constraint rules through `depends_on_constraints`. `hlv check` (`CTR-010`) verifies that every `rule.id` from constraints has an `@hlv` marker in code. Rules that have `check_command` are exempt from the `@hlv` marker requirement — they are verified programmatically by their command.
 
 ---
 
diff --git a/docs/SPECS.md b/docs/SPECS.md
index aa279ea..05c3f42 100644
--- a/docs/SPECS.md
+++ b/docs/SPECS.md
@@ -469,8 +469,9 @@ CRUD management for constraint files in `human/constraints/`. Each file is a rul
 | `hlv constraints show <name> [--json]` | Show the content of a constraint file (all rules, owner, intent) |
 | `hlv constraints add <name> [--owner <owner>] [--intent <text>] [--applies-to <scope>]` | Create a new constraint file |
 | `hlv constraints remove <name> [--force]` | Remove a constraint file. Without `--force`, confirmation is required |
-| `hlv constraints add-rule <constraint> <rule-id> --severity <sev> --statement <text>` | Add a rule to an existing constraint file |
+| `hlv constraints add-rule <constraint> <rule-id> --severity <sev> --statement <text> [--check-command <cmd>] [--check-cwd <dir>] [--error-level <lvl>]` | Add a rule to an existing constraint file. Optional: `--check-command` sets a shell command to verify the rule, `--check-cwd` sets the working directory, `--error-level` overrides diagnostic severity (`error`, `warning`, `info`) |
 | `hlv constraints remove-rule <constraint> <rule-id>` | Remove a rule from a constraint file |
+| `hlv constraints check [<constraint>] [--rule <id>] [--json]` | Run `check_command` for constraint rules. Optionally filter by constraint name or rule ID |
 
 `<name>` is the file name without extension (for example `security` -> `human/constraints/security.yaml`). Severity values are `critical`, `high`, `medium`, `low`.
 
@@ -531,6 +532,9 @@ rules:
     statement: "Secrets must not appear in logs"
     enforcement:
       - log_policy_check
+    check_command: "grep -rn 'secret\\|password' src/ && exit 1 || exit 0"
+    check_cwd: "llm"
+    error_level: error
 exceptions:
   process: "Requires security team approval"
   max_duration_days: 30
@@ -547,6 +551,9 @@ exceptions:
 | `rules[].severity` | enum | Severity: `critical`, `high`, `medium`, `low` |
 | `rules[].statement` | string | Rule wording |
 | `rules[].enforcement[]` | array | Verification methods (`sast`, `integration_test`, `runtime_scan`, etc.) |
+| `rules[].check_command` | string (optional) | Shell command to verify the rule (used by `CST-050` and `hlv constraints check`) |
+| `rules[].check_cwd` | string (optional) | Working directory for `check_command` (relative to project root; defaults to project root) |
+| `rules[].error_level` | enum (optional) | Override diagnostic severity: `error`, `warning`, `info`. If unset, mapped from `severity` (`critical`/`high` -> error, `medium`/`low` -> warning) |
 | `exceptions` | object | Exception process (`process`, `max_duration_days`) |
 
 Rust model: `model::policy::ConstraintFile`. Schema: `schema/constraint-schema.json`.
@@ -561,7 +568,9 @@ Integrity checks for constraint files, executed by `hlv check`.
 |-----|---------|--------------|
 | `CST-010` | error | Constraint file referenced in `project.yaml -> constraints` is not found on disk |
 | `CST-020` | error | Duplicate `rule.id` values within the same constraint file |
-| `CST-030` | error | Invalid `severity` value (allowed: `critical`, `high`, `medium`, `low`) |
+| `CST-030` | error | Invalid `severity` value (allowed: `critical`, `high`, `medium`, `low`) or invalid `error_level` (allowed: `error`, `warning`, `info`) |
+| `CST-050` | varies | Runs `check_command` for a constraint rule. Severity is determined by `error_level` override, or mapped from rule severity (`critical`/`high` -> error, `medium`/`low` -> warning) |
+| `CST-060` | error | Runs file-level `check_command` on the constraint file. Failure is always an error |
 
 These checks run automatically as part of `hlv check` and block `/verify` when reported as errors.
 
@@ -597,7 +606,7 @@ Important notes:
 | `CTR-002` | error | Missing contract ID in Markdown header |
 | `CTR-003` | error | Missing contract version in Markdown header |
 | `CTR-004` | error | Markdown contract version differs from `project.yaml` |
-| `CTR-010` | error / warning | Missing required contract section (error) or missing `@hlv` marker in code trace (warning) |
+| `CTR-010` | error / warning | Missing required contract section (error) or missing `@hlv` marker in code trace (warning). Constraint rules with `check_command` are exempt from the marker requirement |
 | `CTR-020` | warning | Contract source link points to missing file |
 | `CTR-030` | error | Invalid Input YAML block in contract Markdown |
 | `CTR-031` | error | Missing Input YAML block in contract Markdown |
@@ -670,7 +679,9 @@ Important notes:
 |-----|---------|--------------|
 | `CST-010` | error | Constraint file is missing or unparsable |
 | `CST-020` | error | Duplicate `rules[].id` in one constraint file |
-| `CST-030` | error | Invalid `rules[].severity` |
+| `CST-030` | error | Invalid `rules[].severity` or `rules[].error_level` |
+| `CST-050` | varies | Rule-level `check_command` failed (severity from `error_level` or mapped from rule severity) |
+| `CST-060` | error | File-level `check_command` failed |
 
 #### LLM Map (`MAP-*`)
 
diff --git a/docs/WORKFLOW.md b/docs/WORKFLOW.md
index 36c2f06..416e4d9 100644
--- a/docs/WORKFLOW.md
+++ b/docs/WORKFLOW.md
@@ -335,7 +335,7 @@ Agents work in parallel inside a group. Between groups - git commit.
 
 **`llm/map.yaml` is the main navigator.** When creating a new file, the agent MUST add an entry to `llm/map.yaml` with a description sufficient to choose the file without opening it. The LLM finds code by descriptions in `map.yaml`, not by file names. `hlv check` verifies that all entries exist on disk.
 
-**`@hlv` markers.** Every test must carry an `@hlv <ID>` marker pointing to an error code, invariant, or constraint rule from contracts. This provides 100% contract->code traceability. `hlv check` verifies that all IDs are covered. Example:
+**`@hlv` markers.** Every test must carry an `@hlv <ID>` marker pointing to an error code, invariant, or constraint rule from contracts. This provides 100% contract->code traceability. `hlv check` verifies that all IDs are covered. Constraint rules that have `check_command` are exempt — they are verified by their command, not by markers. Example:
 
 ```rust
 // @ctx: validates stock availability check from order.create contract
@@ -543,7 +543,7 @@ hlv milestone abort          # abort milestone
 /generate                    # artifacts -> contracts + validation + stages
 
 # Verification
-hlv check                    # structural validation + run gate commands
+hlv check                    # structural validation + run gate commands + constraint checks (CST-050)
 hlv check --watch            # same + watch
 /verify                      # full verification (structure + semantics)
 
@@ -581,6 +581,12 @@ hlv stage meta <N> set|delete <key> [<value>]
 hlv milestone label add|remove <label>
 hlv milestone meta set|delete <key> [<value>]
 
+# Constraint checks
+hlv constraints check                    # run check_command for all rules
+hlv constraints check observability      # filter by constraint
+hlv constraints check --rule my_rule     # filter by rule
+hlv constraints check --json             # JSON output
+
 # Artifacts and glossary
 hlv artifacts [--global|--milestone] [--json]
 hlv artifacts show <name> [--json]
diff --git a/schema/constraint-schema.json b/schema/constraint-schema.json
index 90242a3..9d46f31 100644
--- a/schema/constraint-schema.json
+++ b/schema/constraint-schema.json
@@ -22,6 +22,14 @@
       "type": "string",
       "description": "Purpose description"
     },
+    "check_command": {
+      "type": "string",
+      "description": "Shell command to check this entire constraint file (executed via sh -c)"
+    },
+    "check_cwd": {
+      "type": "string",
+      "description": "Working directory for check_command, relative to project root"
+    },
     "rules": {
       "type": "array",
       "items": { "$ref": "#/$defs/ConstraintRule" }
@@ -54,6 +62,19 @@
           "items": { "type": "string" },
           "default": [],
           "description": "Enforcement mechanisms"
+        },
+        "check_command": {
+          "type": "string",
+          "description": "Shell command to check this rule (executed via sh -c)"
+        },
+        "check_cwd": {
+          "type": "string",
+          "description": "Working directory for check_command, relative to project root"
+        },
+        "error_level": {
+          "type": "string",
+          "enum": ["error", "warning", "info"],
+          "description": "Override diagnostic level for check failures. If omitted, derived from severity (critical|high → error, medium|low → warning)"
         }
       },
       "additionalProperties": false
diff --git a/schema/security-constraints-schema.json b/schema/security-constraints-schema.json
index 0da071b..632b107 100644
--- a/schema/security-constraints-schema.json
+++ b/schema/security-constraints-schema.json
@@ -21,6 +21,14 @@
     "intent": {
       "type": "string"
     },
+    "check_command": {
+      "type": "string",
+      "description": "Shell command to check this entire constraint file (executed via sh -c)"
+    },
+    "check_cwd": {
+      "type": "string",
+      "description": "Working directory for check_command, relative to project root"
+    },
     "rules": {
       "type": "array",
       "items": { "$ref": "#/$defs/SecurityConstraintRule" },
@@ -56,6 +64,19 @@
           },
           "description": "How this rule is verified",
           "default": []
+        },
+        "check_command": {
+          "type": "string",
+          "description": "Shell command to check this rule (executed via sh -c)"
+        },
+        "check_cwd": {
+          "type": "string",
+          "description": "Working directory for check_command, relative to project root"
+        },
+        "error_level": {
+          "type": "string",
+          "enum": ["error", "warning", "info"],
+          "description": "Override diagnostic level for check failures. If omitted, derived from severity (critical|high → error, medium|low → warning)"
         }
       },
       "additionalProperties": false
diff --git a/skills/implement/SKILL.md b/skills/implement/SKILL.md
index d04853a..bc90f43 100644
--- a/skills/implement/SKILL.md
+++ b/skills/implement/SKILL.md
@@ -350,8 +350,8 @@ it('masks PII in logs', () => { ... });
 1. One `@hlv` marker per validation/constraint per test. A test may carry multiple markers if it covers several validations.
 2. Every `errors[].code` from every contract YAML must appear as `@hlv <code>` somewhere in `src/` or `tests/`.
 3. Every `invariants[].id` must appear as `@hlv <id>`.
-4. Every constraint `rules[].id` must appear as `@hlv <id>`.
-5. `hlv check` reports missing markers as warnings (`CTR-010`). At `implemented` phase and later, these become hard warnings that block `/validate`.
+4. Every constraint `rules[].id` must appear as `@hlv <id>` — except rules that have `check_command` (they are verified programmatically, not via markers).
+5. `hlv check` reports missing markers as warnings (`CTR-010`). At `implemented` phase and later, these become hard warnings that block `/validate`. `hlv check` also runs `check_command` for rules that define one (CST-050/CST-060).
 
 ### Verification
 
diff --git a/skills/validate/SKILL.md b/skills/validate/SKILL.md
index 7d7954d..2a255c4 100644
--- a/skills/validate/SKILL.md
+++ b/skills/validate/SKILL.md
@@ -135,7 +135,9 @@ gate_results:
 
 ### Step 3b: Constraint rule coverage
 
-Check that every rule in rule-based constraint files (`human/constraints/*.yaml`) has a corresponding `@hlv <rule-id>` marker in `llm/src/` or `tests/`. Run `hlv check` and review CTR-010 diagnostics for missing constraint markers.
+Check that every rule in rule-based constraint files (`human/constraints/*.yaml`) has a corresponding `@hlv <rule-id>` marker in `llm/src/` or `tests/`. Rules with `check_command` are exempt — they are verified programmatically. Run `hlv check` and review CTR-010 diagnostics for missing constraint markers.
+
+`hlv check` also executes `check_command` for rules that define one (CST-050/CST-060). Review diagnostics: rules with `error_level: error` (or `critical`/`high` severity without an override) block release. Add failing checks to the remediation plan (Step 4a).
 
 For each critical rule without coverage, add it to the remediation plan (Step 4a).
 
diff --git a/src/check/code_trace.rs b/src/check/code_trace.rs
index a398955..d09349f 100644
--- a/src/check/code_trace.rs
+++ b/src/check/code_trace.rs
@@ -66,6 +66,10 @@ pub fn check_code_trace(
         if let Some(rules) = value.get("rules").and_then(|r| r.as_sequence()) {
             for rule in rules {
                 if let Some(id) = rule.get("id").and_then(|i| i.as_str()) {
+                    // Rules with check_command are verified programmatically, not via @hlv markers
+                    if rule.get("check_command").is_some() {
+                        continue;
+                    }
                     expected.push(ExpectedMarker {
                         id: id.to_string(),
                         kind: "constraint",
diff --git a/src/check/constraints.rs b/src/check/constraints.rs
index 3f0f6c2..38fad54 100644
--- a/src/check/constraints.rs
+++ b/src/check/constraints.rs
@@ -1,15 +1,21 @@
 use std::path::Path;
+use std::process::Command;
+use std::time::Duration;
 
-use crate::check::Diagnostic;
+use crate::check::{Diagnostic, Severity};
 use crate::model::policy::ConstraintFile;
 use crate::model::project::ProjectMap;
 
+/// Default timeout for check_command execution (60 seconds).
+const CHECK_COMMAND_TIMEOUT: Duration = Duration::from_secs(60);
+
 /// CST-010: constraint files exist and parse
 /// CST-020: no duplicate rule IDs within a constraint
 /// CST-030: severity values are valid
 pub fn check_constraints(root: &Path, project: &ProjectMap) -> Vec<Diagnostic> {
     let mut diags = Vec::new();
     let valid_severities = ["critical", "high", "medium", "low"];
+    let valid_error_levels = ["error", "warning", "info"];
 
     for entry in &project.constraints {
         let file_path = root.join(&entry.path);
@@ -73,8 +79,259 @@ pub fn check_constraints(root: &Path, project: &ProjectMap) -> Vec<Diagnostic> {
                     .with_file(&entry.path),
                 );
             }
+
+            // CST-030: valid error_level (if specified)
+            if let Some(ref el) = rule.error_level {
+                if !valid_error_levels.contains(&el.as_str()) {
+                    diags.push(
+                        Diagnostic::error(
+                            "CST-030",
+                            format!(
+                                "Invalid error_level '{}' for rule '{}' in '{}'. Must be: error, warning, info",
+                                el, rule.id, entry.id
+                            ),
+                        )
+                        .with_file(&entry.path),
+                    );
+                }
+            }
         }
     }
 
     diags
 }
+
+/// Result of running a single constraint rule check command.
+#[derive(Debug, Clone, serde::Serialize)]
+pub struct ConstraintCheckResult {
+    pub constraint_id: String,
+    pub rule_id: String,
+    pub severity: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub error_level: Option<String>,
+    pub passed: bool,
+    pub message: String,
+}
+
+/// Determine diagnostic severity for a failed check command.
+/// Priority: error_level (explicit override) > severity mapping.
+/// Severity mapping: critical|high → error, medium|low → warning.
+fn check_failure_severity(severity: &str, error_level: Option<&str>) -> Severity {
+    if let Some(el) = error_level {
+        return match el {
+            "error" => Severity::Error,
+            "info" => Severity::Info,
+            _ => Severity::Warning,
+        };
+    }
+    match severity {
+        "critical" | "high" => Severity::Error,
+        _ => Severity::Warning,
+    }
+}
+
+/// CST-050: run check_command for constraint rules.
+/// Diagnostic level depends on error_level (if set) or severity mapping.
+pub fn run_constraint_checks(
+    root: &Path,
+    project: &ProjectMap,
+    filter_constraint: Option<&str>,
+    filter_rule: Option<&str>,
+) -> (Vec<Diagnostic>, Vec<ConstraintCheckResult>) {
+    let mut diags = Vec::new();
+    let mut results = Vec::new();
+
+    for entry in &project.constraints {
+        // Apply constraint filter
+        if let Some(filter) = filter_constraint {
+            if !entry.id.contains(filter) {
+                continue;
+            }
+        }
+
+        let file_path = root.join(&entry.path);
+        let cf = match ConstraintFile::load(&file_path) {
+            Ok(cf) => cf,
+            Err(_) => continue,
+        };
+
+        for rule in &cf.rules {
+            // Apply rule filter
+            if let Some(filter) = filter_rule {
+                if rule.id != filter {
+                    continue;
+                }
+            }
+
+            let check_cmd = match &rule.check_command {
+                Some(cmd) => cmd,
+                None => continue,
+            };
+
+            let work_dir = match &rule.check_cwd {
+                Some(rel) => root.join(rel),
+                None => root.to_path_buf(),
+            };
+
+            let (passed, message) = execute_check_command(check_cmd, &work_dir);
+
+            if !passed {
+                let sev = check_failure_severity(&rule.severity, rule.error_level.as_deref());
+                let diag_msg = format!(
+                    "Check failed for rule '{}' in '{}': {}",
+                    rule.id, entry.id, message
+                );
+                let diag = Diagnostic {
+                    severity: sev,
+                    code: "CST-050".to_string(),
+                    message: diag_msg,
+                    file: Some(entry.path.clone()),
+                };
+                diags.push(diag);
+            }
+
+            results.push(ConstraintCheckResult {
+                constraint_id: entry.id.clone(),
+                rule_id: rule.id.clone(),
+                severity: rule.severity.clone(),
+                error_level: rule.error_level.clone(),
+                passed,
+                message,
+            });
+        }
+    }
+
+    (diags, results)
+}
+
+/// CST-060: run file-level check_command for constraint files.
+/// Returns diagnostics and results with rule_id = "__file__".
+pub fn run_file_level_checks(
+    root: &Path,
+    project: &ProjectMap,
+    filter_constraint: Option<&str>,
+) -> (Vec<Diagnostic>, Vec<ConstraintCheckResult>) {
+    let mut diags = Vec::new();
+    let mut results = Vec::new();
+
+    for entry in &project.constraints {
+        // Apply constraint filter
+        if let Some(filter) = filter_constraint {
+            if !entry.id.contains(filter) {
+                continue;
+            }
+        }
+
+        let file_path = root.join(&entry.path);
+        let cf = match ConstraintFile::load(&file_path) {
+            Ok(cf) => cf,
+            Err(_) => continue,
+        };
+
+        let check_cmd = match &cf.check_command {
+            Some(cmd) => cmd,
+            None => continue,
+        };
+
+        let work_dir = match &cf.check_cwd {
+            Some(rel) => root.join(rel),
+            None => root.to_path_buf(),
+        };
+
+        let (passed, message) = execute_check_command(check_cmd, &work_dir);
+
+        if !passed {
+            let diag_msg = format!(
+                "File-level check failed for constraint '{}': {}",
+                entry.id, message
+            );
+            diags.push(Diagnostic {
+                severity: Severity::Error,
+                code: "CST-060".to_string(),
+                message: diag_msg,
+                file: Some(entry.path.clone()),
+            });
+        }
+
+        results.push(ConstraintCheckResult {
+            constraint_id: entry.id.clone(),
+            rule_id: "__file__".to_string(),
+            severity: "file".to_string(),
+            error_level: None,
+            passed,
+            message,
+        });
+    }
+
+    (diags, results)
+}
+
+/// Execute a check command and return (passed, message).
+fn execute_check_command(cmd: &str, work_dir: &Path) -> (bool, String) {
+    let child = Command::new("sh")
+        .arg("-c")
+        .arg(cmd)
+        .current_dir(work_dir)
+        .stdout(std::process::Stdio::piped())
+        .stderr(std::process::Stdio::piped())
+        .spawn();
+
+    let mut child = match child {
+        Ok(c) => c,
+        Err(e) => return (false, format!("spawn error: {}", e)),
+    };
+
+    // Wait with timeout
+    let start = std::time::Instant::now();
+    loop {
+        match child.try_wait() {
+            Ok(Some(status)) => {
+                let stdout = child
+                    .stdout
+                    .take()
+                    .map(|mut s| {
+                        let mut buf = String::new();
+                        std::io::Read::read_to_string(&mut s, &mut buf).ok();
+                        buf
+                    })
+                    .unwrap_or_default();
+                let stderr = child
+                    .stderr
+                    .take()
+                    .map(|mut s| {
+                        let mut buf = String::new();
+                        std::io::Read::read_to_string(&mut s, &mut buf).ok();
+                        buf
+                    })
+                    .unwrap_or_default();
+
+                if status.success() {
+                    return (true, "ok".to_string());
+                } else {
+                    let output = if !stderr.trim().is_empty() {
+                        stderr.trim().to_string()
+                    } else if !stdout.trim().is_empty() {
+                        stdout.trim().to_string()
+                    } else {
+                        format!("exit code {}", status.code().unwrap_or(-1))
+                    };
+                    // Truncate long output
+                    let truncated = if output.len() > 200 {
+                        format!("{}...", &output[..200])
+                    } else {
+                        output
+                    };
+                    return (false, truncated);
+                }
+            }
+            Ok(None) => {
+                if start.elapsed() > CHECK_COMMAND_TIMEOUT {
+                    let _ = child.kill();
+                    return (false, "timeout".to_string());
+                }
+                std::thread::sleep(Duration::from_millis(50));
+            }
+            Err(e) => return (false, format!("wait error: {}", e)),
+        }
+    }
+}
diff --git a/src/cmd/check.rs b/src/cmd/check.rs
index 0fec7b5..e35d61e 100644
--- a/src/cmd/check.rs
+++ b/src/cmd/check.rs
@@ -138,6 +138,13 @@ pub fn get_check_diagnostics(root: &Path) -> Result<(Vec<Diagnostic>, i32)> {
 
     if !project.constraints.is_empty() {
         all_diags.extend(check::constraints::check_constraints(root, &project));
+        // CST-050: run rule-level check_commands
+        let (cst050, _) =
+            check::constraints::run_constraint_checks(root, &project, None, None);
+        all_diags.extend(cst050);
+        // CST-060: run file-level check_commands
+        let (cst060, _) = check::constraints::run_file_level_checks(root, &project, None);
+        all_diags.extend(cst060);
     }
 
     {
@@ -343,6 +350,20 @@ fn run_checks(root: &Path) -> Result<i32> {
         let cst_diags = check::constraints::check_constraints(root, &project);
         print_diags(&cst_diags);
         all_diags.extend(cst_diags);
+
+        // 9b. Constraint check commands (CST-050/060)
+        let (cst050, _) =
+            check::constraints::run_constraint_checks(root, &project, None, None);
+        if !cst050.is_empty() {
+            print_diags(&cst050);
+        }
+        all_diags.extend(cst050);
+
+        let (cst060, _) = check::constraints::run_file_level_checks(root, &project, None);
+        if !cst060.is_empty() {
+            print_diags(&cst060);
+        }
+        all_diags.extend(cst060);
     }
 
     // 10. Gates policy (parse validation)
diff --git a/src/cmd/constraints.rs b/src/cmd/constraints.rs
index 7abc8db..9982ea1 100644
--- a/src/cmd/constraints.rs
+++ b/src/cmd/constraints.rs
@@ -116,12 +116,16 @@ fn run_list_json(project_root: &Path, project: &ProjectMap, severity: Option<&st
                 .iter()
                 .filter(|r| severity.is_none_or(|s| r.severity == s))
                 .map(|r| {
-                    serde_json::json!({
+                    let mut val = serde_json::json!({
                         "id": r.id,
                         "severity": r.severity,
                         "statement": r.statement,
                         "enforcement": r.enforcement,
-                    })
+                    });
+                    if let Some(ref el) = r.error_level {
+                        val["error_level"] = serde_json::json!(el);
+                    }
+                    val
                 })
                 .collect();
 
@@ -164,12 +168,18 @@ pub fn run_show(project_root: &Path, name: &str, json: bool) -> Result<()> {
                 "version": cf.version,
                 "owner": cf.owner,
                 "intent": cf.intent,
-                "rules": cf.rules.iter().map(|r| serde_json::json!({
-                    "id": r.id,
-                    "severity": r.severity,
-                    "statement": r.statement,
-                    "enforcement": r.enforcement,
-                })).collect::<Vec<_>>(),
+                "rules": cf.rules.iter().map(|r| {
+                    let mut val = serde_json::json!({
+                        "id": r.id,
+                        "severity": r.severity,
+                        "statement": r.statement,
+                        "enforcement": r.enforcement,
+                    });
+                    if let Some(ref el) = r.error_level {
+                        val["error_level"] = serde_json::json!(el);
+                    }
+                    val
+                }).collect::<Vec<_>>(),
                 "exceptions": cf.exceptions.as_ref().map(|e| serde_json::json!({
                     "process": e.process,
                     "max_exception_days": e.max_exception_days,
@@ -250,6 +260,8 @@ pub fn run_add(
         version: "1.0.0".to_string(),
         owner: owner.map(|s| s.to_string()),
         intent: intent.map(|s| s.to_string()),
+        check_command: None,
+        check_cwd: None,
         rules: vec![],
         exceptions: None,
     };
@@ -348,12 +360,16 @@ pub fn run_remove(project_root: &Path, name: &str, force: bool) -> Result<()> {
     Ok(())
 }
 
+#[allow(clippy::too_many_arguments)]
 pub fn run_add_rule(
     project_root: &Path,
     constraint_name: &str,
     rule_id: &str,
     severity: &str,
     statement: &str,
+    check_command: Option<&str>,
+    check_cwd: Option<&str>,
+    error_level: Option<&str>,
 ) -> Result<()> {
     // Validate severity
     if !["critical", "high", "medium", "low"].contains(&severity) {
@@ -363,6 +379,16 @@ pub fn run_add_rule(
         );
     }
 
+    // Validate error_level if provided
+    if let Some(el) = error_level {
+        if !["error", "warning", "info"].contains(&el) {
+            anyhow::bail!(
+                "Invalid error_level '{}'. Must be: error, warning, info",
+                el
+            );
+        }
+    }
+
     let project = ProjectMap::load(&project_root.join("project.yaml"))?;
 
     let entry = project
@@ -382,6 +408,9 @@ pub fn run_add_rule(
         severity: severity.to_string(),
         statement: statement.to_string(),
         enforcement: vec![],
+        check_command: check_command.map(|s| s.to_string()),
+        check_cwd: check_cwd.map(|s| s.to_string()),
+        error_level: error_level.map(|s| s.to_string()),
     })?;
 
     cf.save(&file_path)?;
@@ -416,3 +445,126 @@ pub fn run_remove_rule(project_root: &Path, constraint_name: &str, rule_id: &str
     ));
     Ok(())
 }
+
+pub fn run_check(
+    project_root: &Path,
+    constraint: Option<&str>,
+    rule: Option<&str>,
+    json: bool,
+) -> Result<()> {
+    let project = ProjectMap::load(&project_root.join("project.yaml"))?;
+
+    let (mut diags, mut results) =
+        crate::check::constraints::run_constraint_checks(project_root, &project, constraint, rule);
+
+    // Also run file-level checks (CST-060)
+    if rule.is_none() {
+        let (file_diags, file_results) =
+            crate::check::constraints::run_file_level_checks(project_root, &project, constraint);
+        diags.extend(file_diags);
+        results.extend(file_results);
+    }
+
+    if json {
+        let output = serde_json::json!({
+            "results": results,
+            "diagnostics": diags.iter().map(|d| serde_json::json!({
+                "code": d.code,
+                "severity": format!("{:?}", d.severity).to_lowercase(),
+                "message": d.message,
+                "file": d.file,
+            })).collect::<Vec<_>>(),
+        });
+        println!("{}", serde_json::to_string_pretty(&output)?);
+        return Ok(());
+    }
+
+    style::header("constraints check");
+
+    if results.is_empty() {
+        style::hint("No rules with check_command found");
+        return Ok(());
+    }
+
+    let mut passed = 0u32;
+    let mut failed = 0u32;
+
+    for r in &results {
+        let icon = if r.passed {
+            "✓".green().to_string()
+        } else {
+            "✗".red().to_string()
+        };
+        let sev_color = match r.severity.as_str() {
+            "critical" => r.severity.red(),
+            "high" => r.severity.yellow(),
+            "medium" => r.severity.normal(),
+            _ => r.severity.dimmed(),
+        };
+        println!(
+            "  {} {} {} [{}] {}",
+            icon,
+            r.rule_id.bold(),
+            sev_color,
+            r.constraint_id.dimmed(),
+            if r.passed {
+                "ok".dimmed().to_string()
+            } else {
+                r.message.clone()
+            }
+        );
+        if r.passed {
+            passed += 1;
+        } else {
+            failed += 1;
+        }
+    }
+
+    let failed_str = if failed > 0 {
+        failed.to_string().red().bold().to_string()
+    } else {
+        failed.to_string().dimmed().to_string()
+    };
+    println!(
+        "\n  {} passed, {} failed",
+        passed.to_string().green().bold(),
+        failed_str
+    );
+
+    // Print diagnostics
+    for d in &diags {
+        d.print();
+    }
+
+    Ok(())
+}
+
+/// Get constraint check results as structured data (for MCP / JSON consumers).
+pub fn get_constraint_check_results(
+    project_root: &Path,
+    constraint: Option<&str>,
+    rule: Option<&str>,
+) -> Result<serde_json::Value> {
+    let project = ProjectMap::load(&project_root.join("project.yaml"))?;
+
+    let (mut diags, mut results) =
+        crate::check::constraints::run_constraint_checks(project_root, &project, constraint, rule);
+
+    // Also run file-level checks (CST-060)
+    if rule.is_none() {
+        let (file_diags, file_results) =
+            crate::check::constraints::run_file_level_checks(project_root, &project, constraint);
+        diags.extend(file_diags);
+        results.extend(file_results);
+    }
+
+    Ok(serde_json::json!({
+        "results": results,
+        "diagnostics": diags.iter().map(|d| serde_json::json!({
+            "code": d.code,
+            "severity": format!("{:?}", d.severity).to_lowercase(),
+            "message": d.message,
+            "file": d.file,
+        })).collect::<Vec<_>>(),
+    }))
+}
diff --git a/src/main.rs b/src/main.rs
index e0e269d..6f57362 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -497,6 +497,15 @@ enum ConstraintsAction {
         /// Rule statement
         #[arg(long)]
         statement: String,
+        /// Shell command to check this rule
+        #[arg(long)]
+        check_command: Option<String>,
+        /// Working directory for check command (relative to project root)
+        #[arg(long)]
+        check_cwd: Option<String>,
+        /// Override diagnostic level for check failures: error, warning, info
+        #[arg(long)]
+        error_level: Option<String>,
     },
     /// Remove a rule from a constraint
     RemoveRule {
@@ -505,6 +514,17 @@ enum ConstraintsAction {
         /// Rule ID
         rule_id: String,
     },
+    /// Run check commands for constraint rules
+    Check {
+        /// Constraint name filter (e.g. observability)
+        constraint: Option<String>,
+        /// Filter by specific rule ID
+        #[arg(long)]
+        rule: Option<String>,
+        /// Output in JSON
+        #[arg(long)]
+        json: bool,
+    },
 }
 
 fn main() {
@@ -683,17 +703,33 @@ fn run(cli: Cli) -> Result<()> {
                 rule_id,
                 severity: sev,
                 statement,
+                check_command,
+                check_cwd,
+                error_level,
             }) => hlv::cmd::constraints::run_add_rule(
                 &project_root,
                 &constraint,
                 &rule_id,
                 &sev,
                 &statement,
+                check_command.as_deref(),
+                check_cwd.as_deref(),
+                error_level.as_deref(),
             ),
             Some(ConstraintsAction::RemoveRule {
                 constraint,
                 rule_id,
             }) => hlv::cmd::constraints::run_remove_rule(&project_root, &constraint, &rule_id),
+            Some(ConstraintsAction::Check {
+                constraint,
+                rule,
+                json: j,
+            }) => hlv::cmd::constraints::run_check(
+                &project_root,
+                constraint.as_deref(),
+                rule.as_deref(),
+                j || json,
+            ),
         },
         Commands::CommitMsg { stage, r#type } => {
             hlv::cmd::commit_msg::run(&project_root, stage, r#type.as_deref())
diff --git a/src/mcp/mod.rs b/src/mcp/mod.rs
index fa7915d..f4b7897 100644
--- a/src/mcp/mod.rs
+++ b/src/mcp/mod.rs
@@ -106,6 +106,12 @@ struct ConstraintRuleParams {
     severity: String,
     /// Rule statement
     statement: String,
+    /// Shell command to check this rule
+    check_command: Option<String>,
+    /// Working directory for check command (relative to project root)
+    check_cwd: Option<String>,
+    /// Override diagnostic level for check failures: error, warning, info
+    error_level: Option<String>,
 }
 
 #[derive(Deserialize, schemars::JsonSchema, Default)]
@@ -118,6 +124,16 @@ struct ConstraintRuleRemoveParams {
     rule_id: String,
 }
 
+#[derive(Deserialize, schemars::JsonSchema, Default)]
+struct ConstraintCheckParams {
+    /// Project ID (required in workspace mode, ignored in single-project mode)
+    project_id: Option<String>,
+    /// Constraint name filter
+    constraint: Option<String>,
+    /// Rule ID filter
+    rule: Option<String>,
+}
+
 #[derive(Deserialize, schemars::JsonSchema, Default)]
 struct StageLabelParams {
     /// Project ID (required in workspace mode, ignored in single-project mode)
@@ -417,7 +433,16 @@ impl HlvMcpServer {
         Parameters(p): Parameters<ConstraintRuleParams>,
     ) -> Result<CallToolResult, McpError> {
         let root = self.root(p.project_id.as_deref())?;
-        tools::hlv_constraint_add_rule(&root, &p.constraint, &p.rule_id, &p.severity, &p.statement)
+        tools::hlv_constraint_add_rule(
+            &root,
+            &p.constraint,
+            &p.rule_id,
+            &p.severity,
+            &p.statement,
+            p.check_command.as_deref(),
+            p.check_cwd.as_deref(),
+            p.error_level.as_deref(),
+        )
     }
 
     #[tool(description = "Remove a rule from a constraint")]
@@ -429,6 +454,15 @@ impl HlvMcpServer {
         tools::hlv_constraint_remove_rule(&root, &p.constraint, &p.rule_id)
     }
 
+    #[tool(description = "Run check commands for constraint rules and return pass/fail results")]
+    fn hlv_constraint_check(
+        &self,
+        Parameters(p): Parameters<ConstraintCheckParams>,
+    ) -> Result<CallToolResult, McpError> {
+        let root = self.root(p.project_id.as_deref())?;
+        tools::hlv_constraint_check(&root, p.constraint.as_deref(), p.rule.as_deref())
+    }
+
     #[tool(description = "Add or remove a label on a stage")]
     fn hlv_stage_label(
         &self,
diff --git a/src/mcp/tools.rs b/src/mcp/tools.rs
index f164295..2877560 100644
--- a/src/mcp/tools.rs
+++ b/src/mcp/tools.rs
@@ -149,20 +149,45 @@ pub fn hlv_constraint_remove(root: &Path, name: &str) -> Result<CallToolResult,
     text_ok(format!("Constraint '{name}' removed"))
 }
 
+#[allow(clippy::too_many_arguments)]
 pub fn hlv_constraint_add_rule(
     root: &Path,
     constraint: &str,
     rule_id: &str,
     severity: &str,
     statement: &str,
+    check_command: Option<&str>,
+    check_cwd: Option<&str>,
+    error_level: Option<&str>,
 ) -> Result<CallToolResult, McpError> {
-    quiet(|| crate::cmd::constraints::run_add_rule(root, constraint, rule_id, severity, statement))
-        .map_err(|e| mcp_err("constraint add-rule failed", e))?;
+    quiet(|| {
+        crate::cmd::constraints::run_add_rule(
+            root,
+            constraint,
+            rule_id,
+            severity,
+            statement,
+            check_command,
+            check_cwd,
+            error_level,
+        )
+    })
+    .map_err(|e| mcp_err("constraint add-rule failed", e))?;
     text_ok(format!(
         "Rule '{rule_id}' added to constraint '{constraint}'"
     ))
 }
 
+pub fn hlv_constraint_check(
+    root: &Path,
+    constraint: Option<&str>,
+    rule: Option<&str>,
+) -> Result<CallToolResult, McpError> {
+    let data = crate::cmd::constraints::get_constraint_check_results(root, constraint, rule)
+        .map_err(|e| mcp_err("constraint check failed", e))?;
+    json_ok(&data)
+}
+
 pub fn hlv_constraint_remove_rule(
     root: &Path,
     constraint: &str,
diff --git a/src/model/policy.rs b/src/model/policy.rs
index e6b748f..b2e0946 100644
--- a/src/model/policy.rs
+++ b/src/model/policy.rs
@@ -294,6 +294,12 @@ pub struct ConstraintFile {
     pub owner: Option<String>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub intent: Option<String>,
+    /// Shell command to check this entire constraint file (executed via `sh -c`)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub check_command: Option<String>,
+    /// Working directory for check_command, relative to project root
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub check_cwd: Option<String>,
     #[serde(default)]
     pub rules: Vec<ConstraintRule>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -308,6 +314,16 @@ pub struct ConstraintRule {
     pub statement: String,
     #[serde(default)]
     pub enforcement: Vec<String>,
+    /// Shell command to check this rule (executed via `sh -c`)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub check_command: Option<String>,
+    /// Working directory for check_command, relative to project root
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub check_cwd: Option<String>,
+    /// Override diagnostic level for check failures: error, warning, info.
+    /// If omitted, level is derived from severity (critical|high → error, medium|low → warning).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub error_level: Option<String>,
 }
 
 impl ConstraintFile {
@@ -796,6 +812,8 @@ validation:
             version: "1.0.0".to_string(),
             owner: None,
             intent: None,
+            check_command: None,
+            check_cwd: None,
             rules: vec![],
             exceptions: None,
         };
@@ -805,6 +823,9 @@ validation:
             severity: "critical".to_string(),
             statement: "Test rule".to_string(),
             enforcement: vec!["sast".to_string()],
+            check_command: None,
+            check_cwd: None,
+            error_level: None,
         };
         cf.add_rule(rule).unwrap();
         assert_eq!(cf.rules.len(), 1);
@@ -815,6 +836,9 @@ validation:
             severity: "high".to_string(),
             statement: "Dup".to_string(),
             enforcement: vec![],
+            check_command: None,
+            check_cwd: None,
+            error_level: None,
         };
         assert!(cf.add_rule(dup).is_err());
 
@@ -837,11 +861,16 @@ validation:
             version: "1.0.0".to_string(),
             owner: Some("platform".to_string()),
             intent: Some("Observability".to_string()),
+            check_command: None,
+            check_cwd: None,
             rules: vec![ConstraintRule {
                 id: "structured_logging".to_string(),
                 severity: "critical".to_string(),
                 statement: "All logs must be structured".to_string(),
                 enforcement: vec!["sast".to_string()],
+                check_command: None,
+                check_cwd: None,
+                error_level: None,
             }],
             exceptions: Some(ExceptionPolicy {
                 process: Some("Approval required".to_string()),
diff --git a/tests/constraints_tests.rs b/tests/constraints_tests.rs
index 0fb4e7e..ec2477d 100644
--- a/tests/constraints_tests.rs
+++ b/tests/constraints_tests.rs
@@ -140,6 +140,9 @@ fn constraints_add_rule() {
         "audit_logs_required",
         "critical",
         "All state changes must produce audit logs",
+        None,
+        None,
+        None,
     )
     .unwrap();
 
@@ -158,9 +161,14 @@ fn constraints_add_rule_duplicate_fails() {
     setup_project(root);
 
     hlv::cmd::constraints::run_add(root, "test-dup", None, None, "global").unwrap();
-    hlv::cmd::constraints::run_add_rule(root, "test-dup", "rule1", "high", "Test").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root, "test-dup", "rule1", "high", "Test", None, None, None,
+    )
+    .unwrap();
 
-    let result = hlv::cmd::constraints::run_add_rule(root, "test-dup", "rule1", "low", "Dup");
+    let result = hlv::cmd::constraints::run_add_rule(
+        root, "test-dup", "rule1", "low", "Dup", None, None, None,
+    );
     assert!(result.is_err());
     assert!(result.unwrap_err().to_string().contains("already exists"));
 }
@@ -173,8 +181,16 @@ fn constraints_add_rule_invalid_severity() {
 
     hlv::cmd::constraints::run_add(root, "test-sev", None, None, "global").unwrap();
 
-    let result =
-        hlv::cmd::constraints::run_add_rule(root, "test-sev", "rule1", "extreme", "Bad severity");
+    let result = hlv::cmd::constraints::run_add_rule(
+        root,
+        "test-sev",
+        "rule1",
+        "extreme",
+        "Bad severity",
+        None,
+        None,
+        None,
+    );
     assert!(result.is_err());
     assert!(result.unwrap_err().to_string().contains("Invalid severity"));
 }
@@ -186,8 +202,10 @@ fn constraints_remove_rule() {
     setup_project(root);
 
     hlv::cmd::constraints::run_add(root, "test-rm", None, None, "global").unwrap();
-    hlv::cmd::constraints::run_add_rule(root, "test-rm", "rule1", "high", "Test").unwrap();
-    hlv::cmd::constraints::run_add_rule(root, "test-rm", "rule2", "low", "Test2").unwrap();
+    hlv::cmd::constraints::run_add_rule(root, "test-rm", "rule1", "high", "Test", None, None, None)
+        .unwrap();
+    hlv::cmd::constraints::run_add_rule(root, "test-rm", "rule2", "low", "Test2", None, None, None)
+        .unwrap();
 
     hlv::cmd::constraints::run_remove_rule(root, "test-rm", "rule1").unwrap();
 
@@ -218,3 +236,831 @@ fn constraints_list_severity_filter() {
     // Just verify it doesn't panic with severity filter
     hlv::cmd::constraints::run_list(root, Some("critical"), false).unwrap();
 }
+
+// ═══════════════════════════════════════════════════════
+// Phase 1: check_command / check_cwd tests
+// ═══════════════════════════════════════════════════════
+
+#[test]
+fn constraints_add_rule_with_check_fields() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "checktest", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "checktest",
+        "no_println",
+        "low",
+        "println! is forbidden",
+        Some("! rg \"println!\" src"),
+        Some("."),
+        None,
+    )
+    .unwrap();
+
+    let cf =
+        hlv::model::policy::ConstraintFile::load(&root.join("human/constraints/checktest.yaml"))
+            .unwrap();
+    assert_eq!(
+        cf.rules[0].check_command.as_deref(),
+        Some("! rg \"println!\" src")
+    );
+    assert_eq!(cf.rules[0].check_cwd.as_deref(), Some("."));
+}
+
+#[test]
+fn cst050_check_command_success() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    // Create constraint with a command that succeeds
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "always_pass",
+        "critical",
+        "Always passes",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert!(diags.is_empty(), "expected no diags: {:?}", diags);
+    assert_eq!(results.len(), 1);
+    assert!(results[0].passed);
+}
+
+#[test]
+fn cst050_check_command_failure_critical_is_error() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "always_fail",
+        "critical",
+        "Always fails",
+        Some("false"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+
+    assert_eq!(results.len(), 1);
+    assert!(!results[0].passed);
+
+    // Phase 2: critical severity → error
+    assert_eq!(diags.len(), 1);
+    assert_eq!(diags[0].code, "CST-050");
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Error),
+        "CST-050 should be error for critical severity"
+    );
+}
+
+#[test]
+fn cst050_check_cwd() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    // Create a subdirectory with a marker file
+    std::fs::create_dir_all(root.join("subdir")).unwrap();
+    std::fs::write(root.join("subdir/marker.txt"), "found").unwrap();
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "find_marker",
+        "high",
+        "Marker must exist",
+        Some("test -f marker.txt"),
+        Some("subdir"),
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert!(diags.is_empty(), "expected pass: {:?}", diags);
+    assert!(results[0].passed);
+}
+
+#[test]
+fn cst050_timeout() {
+    // This test verifies the timeout mechanism works but uses a fast command
+    // to avoid actually waiting 60s. The real timeout is 60s; here we just
+    // verify the function handles commands correctly.
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "quick_cmd",
+        "low",
+        "Quick command",
+        Some("echo hello"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert!(diags.is_empty());
+    assert!(results[0].passed);
+}
+
+#[test]
+fn constraints_check_subcommand() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "pass_rule",
+        "medium",
+        "Should pass",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "fail_rule",
+        "high",
+        "Should fail",
+        Some("false"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    // Test JSON output
+    let result = hlv::cmd::constraints::get_constraint_check_results(root, None, None).unwrap();
+    let results = result["results"].as_array().unwrap();
+    assert_eq!(results.len(), 2);
+
+    let passed: Vec<_> = results
+        .iter()
+        .filter(|r| r["passed"].as_bool() == Some(true))
+        .collect();
+    let failed: Vec<_> = results
+        .iter()
+        .filter(|r| r["passed"].as_bool() == Some(false))
+        .collect();
+    assert_eq!(passed.len(), 1);
+    assert_eq!(failed.len(), 1);
+}
+
+#[test]
+fn constraints_check_filter_by_constraint() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "alpha", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "alpha",
+        "a1",
+        "low",
+        "Alpha rule",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    hlv::cmd::constraints::run_add(root, "beta", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "beta",
+        "b1",
+        "low",
+        "Beta rule",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+
+    // Filter to alpha only
+    let (_, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, Some("alpha"), None);
+    assert_eq!(results.len(), 1);
+    assert!(results[0].constraint_id.contains("alpha"));
+}
+
+#[test]
+fn constraints_check_filter_by_rule() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "multi", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "multi",
+        "r1",
+        "low",
+        "Rule 1",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "multi",
+        "r2",
+        "low",
+        "Rule 2",
+        Some("true"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+
+    let (_, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, Some("r2"));
+    assert_eq!(results.len(), 1);
+    assert_eq!(results[0].rule_id, "r2");
+}
+
+#[test]
+fn cst050_high_severity_is_error() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    // Command that will fail with non-zero exit — high severity → error
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "bad_cmd",
+        "high",
+        "Bad command",
+        Some("exit 42"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert!(!results[0].passed);
+    assert_eq!(diags[0].code, "CST-050");
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Error),
+        "CST-050 should be error for high severity"
+    );
+}
+
+#[test]
+fn constraints_check_no_commands_returns_empty() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "nocheck", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(root, "nocheck", "r1", "low", "No check", None, None, None)
+        .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert!(diags.is_empty());
+    assert!(results.is_empty());
+}
+
+#[test]
+fn constraint_rule_check_fields_serde_roundtrip() {
+    let tmp = TempDir::new().unwrap();
+    let path = tmp.path().join("test.yaml");
+
+    let cf = hlv::model::policy::ConstraintFile {
+        id: "constraints.test.global".to_string(),
+        version: "1.0.0".to_string(),
+        owner: None,
+        intent: None,
+        check_command: None,
+        check_cwd: None,
+        rules: vec![hlv::model::policy::ConstraintRule {
+            id: "rule_with_check".to_string(),
+            severity: "critical".to_string(),
+            statement: "Test check".to_string(),
+            enforcement: vec![],
+            check_command: Some("cargo test".to_string()),
+            check_cwd: Some("llm".to_string()),
+            error_level: None,
+        }],
+        exceptions: None,
+    };
+
+    cf.save(&path).unwrap();
+    let loaded = hlv::model::policy::ConstraintFile::load(&path).unwrap();
+    assert_eq!(loaded.rules[0].check_command.as_deref(), Some("cargo test"));
+    assert_eq!(loaded.rules[0].check_cwd.as_deref(), Some("llm"));
+}
+
+#[test]
+fn constraint_rule_check_fields_optional_serde() {
+    // Verify that rules without check_command/check_cwd still parse
+    let tmp = TempDir::new().unwrap();
+    let path = tmp.path().join("test.yaml");
+
+    std::fs::write(
+        &path,
+        r#"id: constraints.test.global
+version: "1.0.0"
+rules:
+  - id: no_check
+    severity: low
+    statement: "No check command"
+"#,
+    )
+    .unwrap();
+
+    let cf = hlv::model::policy::ConstraintFile::load(&path).unwrap();
+    assert!(cf.rules[0].check_command.is_none());
+    assert!(cf.rules[0].check_cwd.is_none());
+}
+
+// ═══════════════════════════════════════════════════════
+// Phase 2: error_level / severity mapping tests
+// ═══════════════════════════════════════════════════════
+
+#[test]
+fn cst050_low_severity_is_warning() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "low_rule",
+        "low",
+        "Low severity rule",
+        Some("false"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, _) = hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert_eq!(diags.len(), 1);
+    assert_eq!(diags[0].code, "CST-050");
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Warning),
+        "CST-050 should be warning for low severity"
+    );
+}
+
+#[test]
+fn cst050_medium_severity_is_warning() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "med_rule",
+        "medium",
+        "Medium severity rule",
+        Some("false"),
+        None,
+        None,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, _) = hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert_eq!(diags.len(), 1);
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Warning),
+        "CST-050 should be warning for medium severity"
+    );
+}
+
+#[test]
+fn cst050_error_level_override_error() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    // low severity but error_level=error → should be error
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "forced_error",
+        "low",
+        "Forced error rule",
+        Some("false"),
+        None,
+        Some("error"),
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) =
+        hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert_eq!(results.len(), 1);
+    assert!(!results[0].passed);
+    assert_eq!(diags.len(), 1);
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Error),
+        "error_level=error should override low severity to error"
+    );
+}
+
+#[test]
+fn cst050_error_level_override_warning() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    // critical severity but error_level=warning → should be warning
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "forced_warn",
+        "critical",
+        "Forced warning rule",
+        Some("false"),
+        None,
+        Some("warning"),
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, _) = hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert_eq!(diags.len(), 1);
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Warning),
+        "error_level=warning should override critical severity to warning"
+    );
+}
+
+#[test]
+fn cst050_error_level_override_info() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "chk", None, None, "global").unwrap();
+    // high severity but error_level=info → should be info
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "chk",
+        "forced_info",
+        "high",
+        "Forced info rule",
+        Some("false"),
+        None,
+        Some("info"),
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, _) = hlv::check::constraints::run_constraint_checks(root, &project, None, None);
+    assert_eq!(diags.len(), 1);
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Info),
+        "error_level=info should override high severity to info"
+    );
+}
+
+#[test]
+fn cst030_invalid_error_level() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "badel", None, None, "global").unwrap();
+
+    // Write rule with invalid error_level directly to YAML
+    let cf_path = root.join("human/constraints/badel.yaml");
+    std::fs::write(
+        &cf_path,
+        r#"id: constraints.badel.global
+version: "1.0.0"
+rules:
+  - id: bad_el_rule
+    severity: low
+    statement: "Rule with bad error_level"
+    error_level: fatal
+"#,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let diags = hlv::check::constraints::check_constraints(root, &project);
+    let cst030: Vec<_> = diags
+        .iter()
+        .filter(|d| d.code == "CST-030" && d.message.contains("error_level"))
+        .collect();
+    assert_eq!(cst030.len(), 1, "Expected CST-030 for invalid error_level");
+    assert!(cst030[0].message.contains("fatal"));
+}
+
+#[test]
+fn constraint_add_rule_invalid_error_level() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "test-el", None, None, "global").unwrap();
+
+    let result = hlv::cmd::constraints::run_add_rule(
+        root,
+        "test-el",
+        "rule1",
+        "high",
+        "Test",
+        None,
+        None,
+        Some("fatal"),
+    );
+    assert!(result.is_err());
+    assert!(result
+        .unwrap_err()
+        .to_string()
+        .contains("Invalid error_level"));
+}
+
+#[test]
+fn constraint_add_rule_with_error_level() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "eltest", None, None, "global").unwrap();
+    hlv::cmd::constraints::run_add_rule(
+        root,
+        "eltest",
+        "mandatory_rule",
+        "low",
+        "Force error on low severity",
+        Some("true"),
+        None,
+        Some("error"),
+    )
+    .unwrap();
+
+    let cf = hlv::model::policy::ConstraintFile::load(&root.join("human/constraints/eltest.yaml"))
+        .unwrap();
+    assert_eq!(cf.rules[0].error_level.as_deref(), Some("error"));
+}
+
+#[test]
+fn constraint_rule_error_level_serde_roundtrip() {
+    let tmp = TempDir::new().unwrap();
+    let path = tmp.path().join("test.yaml");
+
+    let cf = hlv::model::policy::ConstraintFile {
+        id: "constraints.test.global".to_string(),
+        version: "1.0.0".to_string(),
+        owner: None,
+        intent: None,
+        check_command: None,
+        check_cwd: None,
+        rules: vec![hlv::model::policy::ConstraintRule {
+            id: "rule_with_el".to_string(),
+            severity: "low".to_string(),
+            statement: "Test error_level".to_string(),
+            enforcement: vec![],
+            check_command: Some("true".to_string()),
+            check_cwd: None,
+            error_level: Some("error".to_string()),
+        }],
+        exceptions: None,
+    };
+
+    cf.save(&path).unwrap();
+    let loaded = hlv::model::policy::ConstraintFile::load(&path).unwrap();
+    assert_eq!(loaded.rules[0].error_level.as_deref(), Some("error"));
+}
+
+#[test]
+fn constraint_rule_error_level_optional_serde() {
+    let tmp = TempDir::new().unwrap();
+    let path = tmp.path().join("test.yaml");
+
+    std::fs::write(
+        &path,
+        r#"id: constraints.test.global
+version: "1.0.0"
+rules:
+  - id: no_el
+    severity: critical
+    statement: "No error_level set"
+"#,
+    )
+    .unwrap();
+
+    let cf = hlv::model::policy::ConstraintFile::load(&path).unwrap();
+    assert!(cf.rules[0].error_level.is_none());
+}
+
+// ─── CST-060: File-level check_command ──────────────────────────
+
+#[test]
+fn cst060_file_level_check_command_success() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "filechk", None, None, "global").unwrap();
+
+    // Write constraint file with file-level check_command that succeeds
+    let cf_path = root.join("human/constraints/filechk.yaml");
+    std::fs::write(
+        &cf_path,
+        r#"id: constraints.filechk.global
+version: "1.0.0"
+check_command: "true"
+rules: []
+"#,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) = hlv::check::constraints::run_file_level_checks(root, &project, None);
+    assert!(diags.is_empty(), "expected no diags: {:?}", diags);
+    assert_eq!(results.len(), 1);
+    assert!(results[0].passed);
+    assert_eq!(results[0].rule_id, "__file__");
+    assert_eq!(results[0].constraint_id, "constraints.filechk.global");
+}
+
+#[test]
+fn cst060_file_level_check_command_failure_is_error() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "failchk", None, None, "global").unwrap();
+
+    // Write constraint file with file-level check_command that fails
+    let cf_path = root.join("human/constraints/failchk.yaml");
+    std::fs::write(
+        &cf_path,
+        r#"id: constraints.failchk.global
+version: "1.0.0"
+check_command: "false"
+rules: []
+"#,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) = hlv::check::constraints::run_file_level_checks(root, &project, None);
+
+    assert_eq!(results.len(), 1);
+    assert!(!results[0].passed);
+    assert_eq!(results[0].rule_id, "__file__");
+
+    assert_eq!(diags.len(), 1);
+    assert_eq!(diags[0].code, "CST-060");
+    assert!(
+        matches!(diags[0].severity, hlv::check::Severity::Error),
+        "CST-060 should always be error severity"
+    );
+}
+
+#[test]
+fn cst060_file_level_check_cwd() {
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    // Create a subdirectory with a marker file
+    std::fs::create_dir_all(root.join("subdir")).unwrap();
+    std::fs::write(root.join("subdir/marker.txt"), "found").unwrap();
+
+    hlv::cmd::constraints::run_add(root, "cwdchk", None, None, "global").unwrap();
+
+    // Write constraint file with check_cwd
+    let cf_path = root.join("human/constraints/cwdchk.yaml");
+    std::fs::write(
+        &cf_path,
+        r#"id: constraints.cwdchk.global
+version: "1.0.0"
+check_command: "test -f marker.txt"
+check_cwd: subdir
+rules: []
+"#,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) = hlv::check::constraints::run_file_level_checks(root, &project, None);
+    assert!(diags.is_empty(), "expected pass: {:?}", diags);
+    assert!(results[0].passed);
+}
+
+#[test]
+fn cst060_file_level_timeout() {
+    // Verify the function handles commands correctly (same pattern as cst050_timeout)
+    let tmp = TempDir::new().unwrap();
+    let root = tmp.path();
+    setup_project(root);
+
+    hlv::cmd::constraints::run_add(root, "timechk", None, None, "global").unwrap();
+
+    // Write constraint file with a quick check_command (real timeout is 60s)
+    let cf_path = root.join("human/constraints/timechk.yaml");
+    std::fs::write(
+        &cf_path,
+        r#"id: constraints.timechk.global
+version: "1.0.0"
+check_command: "echo hello"
+rules: []
+"#,
+    )
+    .unwrap();
+
+    let project = hlv::model::project::ProjectMap::load(&root.join("project.yaml")).unwrap();
+    let (diags, results) = hlv::check::constraints::run_file_level_checks(root, &project, None);
+    assert!(diags.is_empty());
+    assert!(results[0].passed);
+}
+
+#[test]
+fn constraint_file_check_fields_serde_roundtrip() {
+    let tmp = TempDir::new().unwrap();
+    let path = tmp.path().join("test.yaml");
+
+    let cf = hlv::model::policy::ConstraintFile {
+        id: "constraints.test.global".to_string(),
+        version: "1.0.0".to_string(),
+        owner: None,
+        intent: None,
+        check_command: Some("make lint".to_string()),
+        check_cwd: Some("src".to_string()),
+        rules: vec![],
+        exceptions: None,
+    };
+
+    cf.save(&path).unwrap();
+    let loaded = hlv::model::policy::ConstraintFile::load(&path).unwrap();
+    assert_eq!(loaded.check_command.as_deref(), Some("make lint"));
+    assert_eq!(loaded.check_cwd.as_deref(), Some("src"));
+
+    // Also verify None fields are not serialized
+    let cf_no_check = hlv::model::policy::ConstraintFile {
+        id: "constraints.empty.global".to_string(),
+        version: "1.0.0".to_string(),
+        owner: None,
+        intent: None,
+        check_command: None,
+        check_cwd: None,
+        rules: vec![],
+        exceptions: None,
+    };
+    let path2 = tmp.path().join("test2.yaml");
+    cf_no_check.save(&path2).unwrap();
+    let content = std::fs::read_to_string(&path2).unwrap();
+    assert!(!content.contains("check_command"));
+    assert!(!content.contains("check_cwd"));
+}
diff --git a/tests/mcp_tests.rs b/tests/mcp_tests.rs
index 0f1f576..5a065cd 100644
--- a/tests/mcp_tests.rs
+++ b/tests/mcp_tests.rs
@@ -184,6 +184,7 @@ fn server_lists_all_tools() {
         "hlv_constraint_remove",
         "hlv_constraint_add_rule",
         "hlv_constraint_remove_rule",
+        "hlv_constraint_check",
         "hlv_stage_reopen",
         "hlv_stage_label",
         "hlv_stage_meta",
@@ -1141,6 +1142,9 @@ fn tool_constraint_add_rule_remove_rule() {
         "RULE-001",
         "high",
         "All endpoints must have auth",
+        None,
+        None,
+        None,
     )
     .unwrap();
     assert!(tool_text(&result).contains("RULE-001"));
@@ -1164,6 +1168,9 @@ fn tool_constraint_add_rule_invalid_severity() {
         "RULE-001",
         "invalid-sev",
         "statement",
+        None,
+        None,
+        None,
     )
     .unwrap_err();
     assert!(

From 689e9a6e71d28ebe1827bc88a9a270199c918517 Mon Sep 17 00:00:00 2001
From: lee-to <thecutcode@gmail.com>
Date: Fri, 20 Mar 2026 14:44:00 +0300
Subject: [PATCH 2/2] fix: fmt

---
 src/cmd/check.rs | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/cmd/check.rs b/src/cmd/check.rs
index e35d61e..7f588fd 100644
--- a/src/cmd/check.rs
+++ b/src/cmd/check.rs
@@ -139,8 +139,7 @@ pub fn get_check_diagnostics(root: &Path) -> Result<(Vec<Diagnostic>, i32)> {
     if !project.constraints.is_empty() {
         all_diags.extend(check::constraints::check_constraints(root, &project));
         // CST-050: run rule-level check_commands
-        let (cst050, _) =
-            check::constraints::run_constraint_checks(root, &project, None, None);
+        let (cst050, _) = check::constraints::run_constraint_checks(root, &project, None, None);
         all_diags.extend(cst050);
         // CST-060: run file-level check_commands
         let (cst060, _) = check::constraints::run_file_level_checks(root, &project, None);
@@ -352,8 +351,7 @@ fn run_checks(root: &Path) -> Result<i32> {
         all_diags.extend(cst_diags);
 
         // 9b. Constraint check commands (CST-050/060)
-        let (cst050, _) =
-            check::constraints::run_constraint_checks(root, &project, None, None);
+        let (cst050, _) = check::constraints::run_constraint_checks(root, &project, None, None);
         if !cst050.is_empty() {
             print_diags(&cst050);
         }