diff --git a/bin/pre-publish-gate.js b/bin/pre-publish-gate.js
index fd15313d..fdcab786 100644
--- a/bin/pre-publish-gate.js
+++ b/bin/pre-publish-gate.js
@@ -206,10 +206,12 @@ try {
 console.log(`${GREEN}[pre-publish] Layer validation PASSED: ${validation.totalFiles} files, all L1.${NC}`);
 }
 } catch (err) {
- // Layer validation is best-effort in pre-publish gate.
- // If Python or audit_layers.py not available, WARN but don't block.
- console.warn(`${YELLOW}[pre-publish] Layer validation skipped: ${err.message}${NC}`);
- console.warn(`${YELLOW}[pre-publish] Run 'node bin/validate-package.js' manually to validate.${NC}`);
+ // L-12 SECURITY FIX: Layer validation is fail-CLOSED (consistent with gate design).
+ // If Python or audit_layers.py not available, BLOCK publish to prevent bypass.
+ console.error(`${RED}[BLOCKED] Layer validation failed: ${err.message}${NC}`);
+ console.error(`${RED}[BLOCKED] Install Python 3 and ensure core/intelligence/audit_layers.py exists.${NC}`);
+ console.error(`${YELLOW}[pre-publish] Run 'node bin/validate-package.js' to diagnose.${NC}`);
+ foundIssues++;
 }

 // === VERDICT ===
diff --git a/package-lock.json b/package-lock.json
index 5f69f0bf..8410e28e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "mega-brain-ai",
- "version": "1.1.1",
+ "version": "1.3.0",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "mega-brain-ai",
- "version": "1.1.1",
+ "version": "1.3.0",
 "license": "UNLICENSED",
 "dependencies": {
 "boxen": "^7.1.0",
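Review bot: In the `catch (err)` block of bin/pre-publish-gate.js, every exception from the try body now blocks publish but always prints the hint "Install Python 3 and ensure core/intelligence/audit_layers.py exists", so a failure with another cause (for example validator output that cannot be parsed) would point the maintainer at the wrong fix. Keep `foundIssues++` unconditional and print the install hint only when the error indicates a missing interpreter or script, e.g. `if (err.code === 'ENOENT') { ... }`, assuming the validator is launched through child_process; otherwise print only `err.message` and the diagnose line. The change is fail-closed only if the VERDICT section exits non-zero when `foundIssues > 0`; that code and the start of the `try` lie outside this hunk, so confirm it there. The comment would also be clearer if it stated the reason directly instead of the bare `L-12` label, which means nothing without the audit report.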