npm - @node9/policy-engine - Versions diffs - 1.0.0 → 1.5.0 - Mend

@node9/policy-engine 1.0.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -30,36 +30,67 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  AST_FS_REGEX_RULES: () => AST_FS_REGEX_RULES,
+  BASH_TOOL_NAMES: () => BASH_TOOL_NAMES,
   BUILTIN_SHIELDS: () => BUILTIN_SHIELDS,
+  CANONICAL_EXTRACTOR_HASH: () => CANONICAL_EXTRACTOR_HASH,
+  CANONICAL_EXTRACTOR_VERSION: () => CANONICAL_EXTRACTOR_VERSION,
+  COST_PER_LOOP_ITER_USD: () => COST_PER_LOOP_ITER_USD,
+  DESTRUCTIVE_OP_RE: () => DESTRUCTIVE_OP_RE,
   DLP_PATTERNS: () => DLP_PATTERNS,
   ENGINE_VERSION: () => ENGINE_VERSION,
+  FILE_TOOLS: () => FILE_TOOLS,
   FLAGS_WITH_VALUES: () => FLAGS_WITH_VALUES,
+  LONG_OUTPUT_THRESHOLD_BYTES: () => LONG_OUTPUT_THRESHOLD_BYTES,
   LOOP_MAX_RECORDS: () => LOOP_MAX_RECORDS,
+  LOOP_THRESHOLD_FOR_WASTE: () => LOOP_THRESHOLD_FOR_WASTE,
+  PRIVILEGE_ESCALATION_RE: () => PRIVILEGE_ESCALATION_RE,
+  SCAN_SIGNAL_WEIGHTS: () => SCAN_SIGNAL_WEIGHTS,
+  SENSITIVE_PATH_RE: () => SENSITIVE_PATH_RE,
   SENSITIVE_PATH_REGEXES: () => SENSITIVE_PATH_REGEXES,
+  analyzeFsOperation: () => analyzeFsOperation,
   analyzePipeChain: () => analyzePipeChain,
   analyzeShellCommand: () => analyzeShellCommand,
   checkDangerousSql: () => checkDangerousSql,
+  classifyAuditEntry: () => classifyAuditEntry,
+  classifyRuleSeverity: () => classifyRuleSeverity,
+  classifyScanSignal: () => classifyScanSignal,
   computeArgsHash: () => computeArgsHash,
+  computeBlendedSecurityScore: () => computeBlendedSecurityScore,
+  computeScanScore: () => computeScanScore,
+  computeSecurityScore: () => computeSecurityScore,
+  dedupeCanonicalFindings: () => dedupeCanonicalFindings,
   detectDangerousEval: () => detectDangerousEval,
   detectDangerousShellExec: () => detectDangerousShellExec,
+  detectPii: () => detectPii,
   evaluateLoopWindow: () => evaluateLoopWindow,
   evaluatePolicy: () => evaluatePolicy,
   evaluateSmartConditions: () => evaluateSmartConditions,
   extractAllSshHosts: () => extractAllSshHosts,
+  extractCanonicalFindings: () => extractCanonicalFindings,
   extractNetworkTargets: () => extractNetworkTargets,
   extractPositionalArgs: () => extractPositionalArgs,
+  extractSessionLevelFindings: () => extractSessionLevelFindings,
   getCompiledRegex: () => getCompiledRegex,
   getNestedValue: () => getNestedValue,
+  isBashTool: () => isBashTool,
   isIgnoredTool: () => isIgnoredTool,
+  isProtectedHomePath: () => isProtectedHomePath,
   isShieldVerdict: () => isShieldVerdict,
   matchSensitivePath: () => matchSensitivePath,
   matchesPattern: () => matchesPattern,
+  narrativeRuleLabel: () => narrativeRuleLabel,
   normalizeCommandForPolicy: () => normalizeCommandForPolicy,
   parseAllSshHostsFromCommand: () => parseAllSshHostsFromCommand,
+  previewArgs: () => previewArgs,
   redactText: () => redactText,
   scanArgs: () => scanArgs,
   scanText: () => scanText,
   sensitivePathMatch: () => sensitivePathMatch,
+  summarizeBlast: () => summarizeBlast,
+  summarizeScan: () => summarizeScan,
+  toScanFinding: () => toScanFinding,
+  truncateBlastPath: () => truncateBlastPath,
   validateOverrides: () => validateOverrides,
   validateRegex: () => validateRegex,
   validateShieldDefinition: () => validateShieldDefinition
@@ -67,6 +98,7 @@ __export(src_exports, {
 module.exports = __toCommonJS(src_exports);
 // src/dlp/index.ts
+var import_safe_regex2 = __toESM(require("safe-regex2"));
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -550,6 +582,23 @@ function sensitivePathMatch(originalPath) {
   };
 }
 var SENSITIVE_PATH_REGEXES = SENSITIVE_PATH_PATTERNS;
+function assertBuiltinPatternsAreSafe() {
+  for (const p of DLP_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(p.regex.source)) {
+      throw new Error(
+        `[node9 engine] Builtin DLP pattern '${p.name}' is vulnerable to ReDoS: ${p.regex.source}`
+      );
+    }
+  }
+  for (const re of SENSITIVE_PATH_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(re.source)) {
+      throw new Error(
+        `[node9 engine] Builtin sensitive-path pattern is vulnerable to ReDoS: ${re.source}`
+      );
+    }
+  }
+}
+assertBuiltinPatternsAreSafe();
 function maskSecret(raw, pattern) {
   const match = raw.match(pattern);
   if (!match) return "****";
@@ -671,9 +720,70 @@ var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
 ]);
 var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
 var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+function isCatHeredocOrLit(part) {
+  if (!part) return false;
+  const t = syntax.NodeType(part);
+  if (t === "Lit") return true;
+  if (t !== "CmdSubst") return false;
+  const stmts = part.Stmts || [];
+  if (stmts.length !== 1) return false;
+  const stmt = stmts[0];
+  const redirs = stmt.Redirs || stmt.Cmd?.Redirs || [];
+  const hasHeredoc = redirs.some((r) => r && r.Hdoc);
+  if (!hasHeredoc) return false;
+  const cmd = stmt.Cmd;
+  if (!cmd || syntax.NodeType(cmd) !== "CallExpr") return false;
+  const firstArg = cmd.Args?.[0]?.Parts || [];
+  if (firstArg.length !== 1 || syntax.NodeType(firstArg[0]) !== "Lit") return false;
+  return (firstArg[0].Value || "").toLowerCase() === "cat";
+}
+var NORMALIZE_CACHE_MAX = 5e3;
+var normalizeCache = /* @__PURE__ */ new Map();
+var AST_CACHE_MAX = 5e3;
+var astCache = /* @__PURE__ */ new Map();
+var PARSE_FAIL = /* @__PURE__ */ Symbol("parse-fail");
+function parseShared(command) {
+  const cached = astCache.get(command);
+  if (cached !== void 0) {
+    astCache.delete(command);
+    astCache.set(command, cached);
+    return cached;
+  }
+  let parsed;
+  try {
+    parsed = sharedParser.Parse(command, "cmd");
+  } catch {
+    parsed = PARSE_FAIL;
+  }
+  if (astCache.size >= AST_CACHE_MAX) {
+    const oldest = astCache.keys().next().value;
+    if (oldest !== void 0) astCache.delete(oldest);
+  }
+  astCache.set(command, parsed);
+  return parsed;
+}
+function cachedNormalize(command, compute) {
+  const hit = normalizeCache.get(command);
+  if (hit !== void 0) {
+    normalizeCache.delete(command);
+    normalizeCache.set(command, hit);
+    return hit;
+  }
+  const result = compute();
+  if (normalizeCache.size >= NORMALIZE_CACHE_MAX) {
+    const oldest = normalizeCache.keys().next().value;
+    if (oldest !== void 0) normalizeCache.delete(oldest);
+  }
+  normalizeCache.set(command, result);
+  return result;
+}
 function normalizeCommandForPolicy(command) {
+  return cachedNormalize(command, () => normalizeCommandForPolicyImpl(command));
+}
+function normalizeCommandForPolicyImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return command;
   try {
-    const f = sharedParser.Parse(command, "cmd");
     const strips = [];
     syntax.Walk(f, (node) => {
       if (!node) return false;
@@ -695,7 +805,11 @@ function normalizeCommandForPolicy(command) {
         } else if (nt === "DblQuoted") {
           const innerParts = quotedNode.Parts || [];
           const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
-          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+          if (allLit) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          } else if (innerParts.every((p) => isCatHeredocOrLit(p))) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          }
         }
       }
       return true;
@@ -764,6 +878,242 @@ function detectDangerousShellExec(command) {
   }
 }
 var detectDangerousEval = detectDangerousShellExec;
+var FS_READ_TOOLS = /* @__PURE__ */ new Set([
+  "cat",
+  "less",
+  "head",
+  "tail",
+  "bat",
+  "more",
+  "open",
+  "print",
+  "nano",
+  "vim",
+  "vi",
+  "emacs",
+  "code",
+  "type"
+]);
+var FS_OP_PRESCREEN_RE = /(?:^|[\s|;&(`\n])(?:rm|cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\b/;
+var HOME_CACHE_ALLOWLIST = [
+  ".cache",
+  ".npm/_npx",
+  ".npm/_cacache",
+  ".cargo/registry",
+  ".gradle/caches",
+  ".gradle/.tmp",
+  ".m2/repository",
+  ".pnpm-store",
+  ".yarn/cache",
+  ".yarn/.cache",
+  ".cache/pip",
+  ".local/share/Trash",
+  ".rustup/downloads"
+];
+var SENSITIVE_PATH_RULES = [
+  {
+    rule: "shield:project-jail:block-read-ssh",
+    reason: "Reading SSH private keys is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.ssh[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-aws",
+    reason: "Reading AWS credentials is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
+  },
+  {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // review-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
+    rule: "shield:project-jail:block-read-env",
+    reason: "Reading .env files is blocked by project-jail shield",
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
+  },
+  {
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
+    )
+  }
+];
+var BASH_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "bash",
+  "execute_bash",
+  "run_shell_command",
+  "shell",
+  "exec_command"
+]);
+function isBashTool(toolName) {
+  return BASH_TOOL_NAMES.has(toolName.toLowerCase());
+}
+var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
+  "block-rm-rf-home",
+  "shield:project-jail:block-read-ssh",
+  "shield:project-jail:block-read-aws",
+  "shield:project-jail:block-read-env",
+  "shield:project-jail:review-read-credentials"
+]);
+function isProtectedHomePath(rawPath) {
+  let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
+  let underHome = false;
+  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) {
+    p = p.replace(/^~[\\/]?/, "");
+    underHome = true;
+  } else if (/^\/home\/[^/]+/.test(p) || /^\/root(\/|$)/.test(p)) {
+    p = p.replace(/^\/home\/[^/]+[\\/]?|^\/root[\\/]?/, "");
+    underHome = true;
+  }
+  if (!underHome) return false;
+  if (p === "" || p === "." || p === "./") return true;
+  for (const safe of HOME_CACHE_ALLOWLIST) {
+    if (p === safe || p.startsWith(safe + "/") || p.startsWith(safe + "\\")) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractLiteralArgs(callExpr) {
+  const args = callExpr.Args || [];
+  if (args.length === 0) return { name: "", flags: [], paths: [] };
+  const litFromWord = (w) => {
+    const parts = w?.Parts || [];
+    let s = "";
+    for (const p of parts) {
+      const t = syntax.NodeType(p);
+      if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+      else if (t === "SglQuoted") s += p.Value ?? "";
+      else if (t === "DblQuoted") {
+        const inner = p.Parts || [];
+        if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+        s += inner.map((ip) => ip.Value ?? "").join("");
+      } else {
+        return null;
+      }
+    }
+    return s;
+  };
+  const name = (litFromWord(args[0]) || "").toLowerCase();
+  const flags = [];
+  const paths = [];
+  for (let i = 1; i < args.length; i++) {
+    const v = litFromWord(args[i]);
+    if (v === null) continue;
+    if (v.startsWith("-")) flags.push(v);
+    else paths.push(v);
+  }
+  return { name, flags, paths };
+}
+var FS_OP_CACHE_MAX = 5e3;
+var fsOpCache = /* @__PURE__ */ new Map();
+function analyzeFsOperation(command) {
+  if (!FS_OP_PRESCREEN_RE.test(command)) return null;
+  if (fsOpCache.has(command)) {
+    const hit = fsOpCache.get(command) ?? null;
+    fsOpCache.delete(command);
+    fsOpCache.set(command, hit);
+    return hit;
+  }
+  const computed = analyzeFsOperationImpl(command);
+  if (fsOpCache.size >= FS_OP_CACHE_MAX) {
+    const oldest = fsOpCache.keys().next().value;
+    if (oldest !== void 0) fsOpCache.delete(oldest);
+  }
+  fsOpCache.set(command, computed);
+  return computed;
+}
+function analyzeFsOperationImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return null;
+  let result = null;
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node || result) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const { name, flags, paths } = extractLiteralArgs(n);
+      if (!name) return true;
+      if (name === "rm") {
+        const flagStr = flags.join("").toLowerCase();
+        const hasR = /[r]/.test(flagStr) || flags.includes("--recursive");
+        const hasF = /[f]/.test(flagStr) || flags.includes("--force");
+        if (hasR && hasF) {
+          for (const p of paths) {
+            if (isProtectedHomePath(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of home directory is irreversible",
+                path: p
+              };
+              return false;
+            }
+            if (p === "/" || /^\/+$/.test(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of root is catastrophic",
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      if (FS_READ_TOOLS.has(name)) {
+        for (const p of paths) {
+          for (const sp of SENSITIVE_PATH_RULES) {
+            if (sp.match(p)) {
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
 function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -1141,7 +1491,7 @@ function parseAllSshHostsFromCommand(command) {
 var import_picomatch = __toESM(require("picomatch"));
 // src/utils/regex.ts
-var import_safe_regex2 = __toESM(require("safe-regex2"));
+var import_safe_regex22 = __toESM(require("safe-regex2"));
 var MAX_REGEX_LENGTH = 100;
 var REGEX_CACHE_MAX = 500;
 var regexCache = /* @__PURE__ */ new Map();
@@ -1154,7 +1504,7 @@ function validateRegex(pattern) {
     return `Invalid regex syntax: ${e.message}`;
   }
   if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
-  if (!(0, import_safe_regex2.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  if (!(0, import_safe_regex22.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
   return null;
 }
 function getCompiledRegex(pattern, flags = "") {
@@ -1191,17 +1541,30 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
+var FORBIDDEN_PATH_SEGMENTS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function getNestedValue(obj, path) {
   if (!obj || typeof obj !== "object") return null;
-  return path.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  const segments = path.split(".");
+  for (const seg of segments) {
+    if (FORBIDDEN_PATH_SEGMENTS.has(seg)) return null;
+  }
+  return segments.reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
   const mode = rule.conditionMode ?? "all";
+  const fieldCache = /* @__PURE__ */ new Map();
+  const resolveField = (field) => {
+    if (fieldCache.has(field)) return fieldCache.get(field) ?? null;
+    const rawVal = getNestedValue(args, field);
+    const rawStr = rawVal !== null && rawVal !== void 0 ? String(rawVal) : null;
+    const stripped = field === "command" && rawStr !== null ? normalizeCommandForPolicy(rawStr) : rawStr;
+    const val = stripped !== null ? stripped.replace(/\s+/g, " ").trim() : null;
+    fieldCache.set(field, val);
+    return val;
+  };
   const results = rule.conditions.map((cond) => {
-    const rawVal = getNestedValue(args, cond.field);
-    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
+    const val = resolveField(cond.field);
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1264,6 +1627,43 @@ function checkDangerousSql(sql) {
     return "UPDATE without WHERE \u2014 updates every row";
   return null;
 }
+function pipeChainVerdict(command, isTrustedHost) {
+  const pipeAnalysis = analyzePipeChain(command);
+  if (!pipeAnalysis.isPipeline) return null;
+  if (pipeAnalysis.risk !== "critical" && pipeAnalysis.risk !== "high") return null;
+  const sinks = pipeAnalysis.sinkTargets;
+  const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost ? isTrustedHost(host) : false);
+  if (pipeAnalysis.risk === "critical") {
+    if (allTrusted) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+        reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+        tier: 3
+      };
+    }
+    return {
+      decision: "block",
+      blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+      reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  if (allTrusted) {
+    return {
+      decision: "allow",
+      blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+      reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  return {
+    decision: "review",
+    blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+    reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+    tier: 3
+  };
+}
 async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
   const { agent, cwd, activeEnvironment } = context;
   const { checkProvenance, isTrustedHost } = hooks;
@@ -1279,9 +1679,27 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
   }
   if (wouldBeIgnored) return { decision: "allow" };
+  const bashCommand = agent !== "Terminal" && isBashTool(toolName) && args && typeof args === "object" ? typeof args.command === "string" ? args.command : null : null;
+  if (bashCommand !== null) {
+    const pipeVerdict = pipeChainVerdict(bashCommand, isTrustedHost);
+    if (pipeVerdict) return pipeVerdict;
+    const fsVerdict = analyzeFsOperation(bashCommand);
+    if (fsVerdict) {
+      const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+      const labelPrefix = isShieldRule ? "project-jail (AST)" : "Node9 (AST)";
+      return {
+        decision: fsVerdict.verdict,
+        blockedByLabel: `${labelPrefix}: ${fsVerdict.ruleName}`,
+        reason: fsVerdict.reason,
+        tier: 2,
+        ruleName: fsVerdict.ruleName,
+        ruleDescription: fsVerdict.reason
+      };
+    }
+  }
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+      (rule) => matchesPattern(toolName, rule.tool) && !(bashCommand !== null && rule.name && AST_FS_REGEX_RULES.has(rule.name)) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
       if (matchedRule.verdict === "allow")
@@ -1339,41 +1757,8 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
         tier: 3
       };
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost ? isTrustedHost(host) : false);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
-        }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
+    const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost);
+    if (ptVerdict) return ptVerdict;
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -1479,6 +1864,9 @@ function isIgnoredTool(toolName, config) {
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
+// src/shields/index.ts
+var import_safe_regex23 = __toESM(require("safe-regex2"));
 // src/shields/builtin/aws.json
 var aws_default = {
   name: "aws",
@@ -1910,15 +2298,6 @@ var k8s_default = {
   dangerousWords: []
 };
-// src/shields/builtin/mcp-tool-gating.json
-var mcp_tool_gating_default = {
-  name: "mcp-tool-gating",
-  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
-  aliases: ["mcp-gating", "mcp-tools"],
-  smartRules: [],
-  dangerousWords: []
-};
 // src/shields/builtin/mongodb.json
 var mongodb_default = {
   name: "mongodb",
@@ -2056,7 +2435,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2070,7 +2449,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2092,7 +2471,7 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
@@ -2102,8 +2481,64 @@ var project_jail_default = {
           flags: "i"
         }
       ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading .env files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -2233,12 +2668,29 @@ var BUILTIN_SHIELDS = {
   [filesystem_default.name]: filesystem_default,
   [github_default.name]: github_default,
   [k8s_default.name]: k8s_default,
-  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
   [mongodb_default.name]: mongodb_default,
   [postgres_default.name]: postgres_default,
   [project_jail_default.name]: project_jail_default,
   [redis_default.name]: redis_default
 };
+function assertBuiltinShieldRegexesAreSafe() {
+  for (const shield of Object.values(BUILTIN_SHIELDS)) {
+    for (const rule of shield.smartRules) {
+      const conditions = rule.conditions ?? [];
+      for (const cond of conditions) {
+        if (cond.op !== "matches" && cond.op !== "notMatches") continue;
+        const pattern = cond.value;
+        if (!pattern) continue;
+        if (!(0, import_safe_regex23.default)(pattern)) {
+          throw new Error(
+            `[node9 engine] Shield '${shield.name}' rule '${rule.name ?? rule.tool}' has unsafe regex: ${pattern}`
+          );
+        }
+      }
+    }
+  }
+}
+assertBuiltinShieldRegexesAreSafe();
 // src/loop/index.ts
 var import_crypto = __toESM(require("crypto"));
@@ -2257,40 +2709,689 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   return { nextRecords, count, looping: count >= threshold };
 }
+// src/scan/index.ts
+function emptySignals() {
+  return {
+    dlpFindings: 0,
+    piiFindings: 0,
+    sensitiveFileReads: 0,
+    privilegeEscalation: 0,
+    networkExfil: 0,
+    pipeToShell: 0,
+    evalOfRemote: 0,
+    destructiveOps: 0,
+    loops: 0,
+    longOutputRedactions: 0
+  };
+}
+var FINDING_TO_SIGNAL = {
+  dlp: "dlpFindings",
+  pii: "piiFindings",
+  "sensitive-file-read": "sensitiveFileReads",
+  "privilege-escalation": "privilegeEscalation",
+  "network-exfil": "networkExfil",
+  "pipe-to-shell": "pipeToShell",
+  "eval-of-remote": "evalOfRemote",
+  "destructive-op": "destructiveOps",
+  loop: "loops",
+  "long-output-redacted": "longOutputRedactions"
+};
+var SCAN_SIGNAL_WEIGHTS = {
+  dlpFindings: 30,
+  piiFindings: 10,
+  sensitiveFileReads: 20,
+  privilegeEscalation: 15,
+  networkExfil: 25,
+  pipeToShell: 30,
+  evalOfRemote: 30,
+  destructiveOps: 15,
+  loops: 3,
+  longOutputRedactions: 1
+};
+function computeScanScore(signals) {
+  let deduction = 0;
+  for (const key of Object.keys(signals)) {
+    deduction += signals[key] * SCAN_SIGNAL_WEIGHTS[key];
+  }
+  return Math.max(0, Math.min(100, 100 - deduction));
+}
+var LOOP_THRESHOLD_FOR_WASTE = 3;
+var COST_PER_LOOP_ITER_USD = 6e-3;
+function summarizeScan(findings, opts = {}) {
+  const totalToolCalls = opts.totalToolCalls ?? 0;
+  const topN = opts.topN ?? 10;
+  const signals = emptySignals();
+  const sessionIds = /* @__PURE__ */ new Set();
+  const patternCounts = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    sessionIds.add(f.sessionId);
+    const key = FINDING_TO_SIGNAL[f.type];
+    signals[key]++;
+    if (f.patternName) {
+      patternCounts.set(f.patternName, (patternCounts.get(f.patternName) ?? 0) + 1);
+    }
+  }
+  const topPatterns = [...patternCounts.entries()].sort((a, b) => {
+    if (b[1] !== a[1]) return b[1] - a[1];
+    return a[0].localeCompare(b[0]);
+  }).slice(0, topN).map(([patternName, count]) => ({ patternName, count }));
+  return {
+    totalSessions: sessionIds.size,
+    totalToolCalls,
+    signals,
+    topPatterns,
+    score: computeScanScore(signals)
+  };
+}
+// src/severity/index.ts
+function classifyRuleSeverity(name, verdict) {
+  const n = name.toLowerCase();
+  const criticalPatterns = [
+    "rm-rf",
+    "eval-remote",
+    "eval-curl",
+    "read-aws",
+    "read-ssh",
+    "read-gcp",
+    "read-cred",
+    "delete-repo",
+    "helm-uninstall",
+    "drop-table",
+    "drop-database",
+    "drop-collection",
+    "truncate",
+    "flushall",
+    "flushdb",
+    "pipe-shell"
+  ];
+  if (criticalPatterns.some((p) => n.includes(p))) return "critical";
+  const highPatterns = [
+    "force-push",
+    "force_push",
+    "git-destructive",
+    "reset-hard",
+    "rebase",
+    "delete-branch",
+    "delete-remote"
+  ];
+  if (highPatterns.some((p) => n.includes(p))) return "high";
+  if (verdict === "block") return "high";
+  return "medium";
+}
+function narrativeRuleLabel(name) {
+  const stripped = stripRulePrefixes(name);
+  const map = {
+    "read-aws": "AWS credentials read",
+    "read-ssh": "SSH private key read",
+    "read-gcp": "GCP credentials read",
+    "read-cred": "credential file read",
+    "delete-repo": "GitHub repository deletion",
+    "helm-uninstall": "helm uninstall",
+    "rm-rf-home": "rm -rf on home directory",
+    "rm-rf": "rm -rf",
+    "eval-remote": "eval of remote download",
+    "eval-curl": "eval of curl output",
+    "pipe-shell": "curl | bash",
+    "drop-table": "DROP TABLE",
+    "drop-database": "DROP DATABASE",
+    "drop-collection": "DROP COLLECTION",
+    truncate: "TRUNCATE",
+    flushall: "Redis FLUSHALL",
+    flushdb: "Redis FLUSHDB",
+    "force-push": "force pushes",
+    force_push: "force pushes",
+    "reset-hard": "git reset --hard",
+    "git-destructive": "destructive git operations",
+    "delete-branch": "branch deletion",
+    "delete-remote": "remote deletion",
+    rebase: "git rebase",
+    rm: "rm calls",
+    sudo: "sudo calls",
+    "eval-dynamic": "dynamic eval",
+    "config-set": "Redis CONFIG SET"
+  };
+  for (const [key, label] of Object.entries(map)) {
+    if (stripped.includes(key)) return label;
+  }
+  return stripped;
+}
+function stripRulePrefixes(name) {
+  let n = name.toLowerCase();
+  if (n.startsWith("org:")) n = n.slice(4);
+  const shieldMatch = /^shield:[^:]+:(.+)$/.exec(n);
+  if (shieldMatch) n = shieldMatch[1];
+  n = n.replace(/^(block|review|allow)-/, "");
+  return n;
+}
+function classifyAuditEntry(entry) {
+  const ruleName = entry.riskMetadata?.ruleName;
+  if (typeof ruleName === "string" && ruleName.length > 0) {
+    const verdict = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED" ? "block" : entry.action === "APPROVED" || entry.action === "AUTO_ALLOWED" ? "allow" : "review";
+    return classifyRuleSeverity(ruleName, verdict);
+  }
+  const cb = entry.checkedBy ?? "";
+  if (cb === "dlp-block" || cb.startsWith("dlp-saas:")) return "critical";
+  if (cb.startsWith("eval-saas") || cb === "pipe-chain-saas:critical") {
+    return "critical";
+  }
+  if (cb === "loop-detected") return "medium";
+  const isBlocked = entry.action === "AUTO_BLOCKED" || entry.action === "DENIED";
+  if (isBlocked) return "high";
+  return null;
+}
+function computeSecurityScore(opts) {
+  const { critical, high, medium, total } = opts;
+  if (total === 0) return { score: 100, tier: "good" };
+  const criticalRate = critical / total;
+  const highRate = high / total;
+  const mediumRate = medium / total;
+  const deduction = Math.min(criticalRate * 3e3, 60) + Math.min(highRate * 500, 30) + Math.min(mediumRate * 100, 15);
+  const score = Math.max(0, Math.min(100, Math.round(100 - deduction)));
+  const tier = score >= 80 ? "good" : score >= 50 ? "at-risk" : "critical";
+  return { score, tier };
+}
+function classifyScanSignal(key) {
+  const w = SCAN_SIGNAL_WEIGHTS[key];
+  if (w >= 25) return "critical";
+  if (w >= 11) return "high";
+  return "medium";
+}
+function computeBlendedSecurityScore(opts) {
+  const { audit, scan } = opts;
+  let critical = audit.critical;
+  let high = audit.high;
+  let medium = audit.medium;
+  let total = audit.total;
+  if (scan) {
+    let scanFindingSum = 0;
+    for (const key of Object.keys(scan.signals)) {
+      const count = scan.signals[key];
+      if (count <= 0) continue;
+      const tier = classifyScanSignal(key);
+      if (tier === "critical") critical += count;
+      else if (tier === "high") high += count;
+      else medium += count;
+      scanFindingSum += count;
+    }
+    const scanContribution = Math.max(scan.totalToolCalls ?? 0, scanFindingSum);
+    total += scanContribution;
+  }
+  return computeSecurityScore({ critical, high, medium, total });
+}
+// src/blast/index.ts
+function truncateBlastPath(full) {
+  if (!full) return "";
+  const cleaned = full.replace(/[/\\]+$/, "");
+  const parts = cleaned.split(/[/\\]+/).filter((p) => p.length > 0);
+  if (parts.length <= 2) {
+    return cleaned.startsWith("~") && !cleaned.startsWith("~/") ? cleaned : cleaned.startsWith("~/") ? cleaned : parts.join("/");
+  }
+  return parts.slice(-2).join("/");
+}
+function summarizeBlast(result, opts = {}) {
+  const topN = opts.topN ?? 5;
+  const sorted = [...result.reachable].sort((a, b) => {
+    if (b.score !== a.score) return b.score - a.score;
+    return a.label.localeCompare(b.label);
+  });
+  return {
+    score: result.score,
+    exposureCount: result.reachable.length + result.envFindings.length,
+    envExposureCount: result.envFindings.length,
+    worstPaths: sorted.slice(0, topN).map((f) => ({
+      path: truncateBlastPath(f.label),
+      score: f.score
+    }))
+  };
+}
+// src/scan/destructive-regex.ts
+var DESTRUCTIVE_OP_RE = /\brm\s+-[rRf]+\b|\bDROP\s+(TABLE|DATABASE|COLLECTION|SCHEMA)\b|\bTRUNCATE\s+TABLE\b|\bgit\s+push\s+(--force|-f)\b|\bFLUSHALL\b|\bFLUSHDB\b|\bkubectl\s+delete\b|\bhelm\s+uninstall\b/i;
+var PRIVILEGE_ESCALATION_RE = /\bchmod\s+(0?777|\+x)\b|\bchown\s+root\b/i;
+var SENSITIVE_PATH_RE = /\.aws\/(credentials|config)\b|\.ssh\/(id_rsa|id_ed25519|id_ecdsa|id_dsa)\b|\.env(\.|$|\b)|\.config\/gcloud\/credentials\.db\b|\.docker\/config\.json\b|\.netrc\b|\.npmrc\b|\.node9\/credentials\.json\b/i;
+var FILE_TOOLS = /* @__PURE__ */ new Set([
+  "read",
+  "read_file",
+  "edit",
+  "edit_file",
+  "write",
+  "write_file",
+  "multiedit",
+  "grep",
+  "grep_search",
+  "glob",
+  "list_files"
+]);
+// src/scan/pii.ts
+var PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+var PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+var PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+var PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+// src/scan/canonical.ts
+var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
+var CANONICAL_EXTRACTOR_VERSION = "canonical-v4";
+var CANONICAL_EXTRACTOR_HASH = "64a6a63a27f4646f";
+var DEDUPE_PREVIEW_LEN = 120;
+function extractCanonicalFindings(call, ctx) {
+  const out = [];
+  const ts = call.timestamp;
+  const toolNameLower = call.toolName.toLowerCase();
+  const command = typeof call.args.command === "string" ? call.args.command : null;
+  const isBash = isBashTool(call.toolName) && command !== null;
+  if (call.outputBytes !== void 0 && call.outputBytes > LONG_OUTPUT_THRESHOLD_BYTES) {
+    out.push(
+      makeFinding({
+        type: "long-output-redacted",
+        ruleName: "long-output-redacted",
+        verdict: "review",
+        severity: "medium",
+        reason: `Tool output exceeded ${LONG_OUTPUT_THRESHOLD_BYTES} bytes and was redacted`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine"
+      })
+    );
+  }
+  if (ctx.dlpEnabled) {
+    const dlp = scanArgs(call.args);
+    if (dlp) {
+      out.push(
+        makeFinding({
+          type: "dlp",
+          ruleName: `dlp:${dlp.patternName}`,
+          patternName: dlp.patternName,
+          verdict: dlp.severity === "block" ? "block" : "review",
+          severity: dlp.severity === "block" ? "critical" : "medium",
+          reason: `${dlp.patternName} detected in ${dlp.fieldPath}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          input: call.args,
+          redactedSample: dlp.redactedSample
+        })
+      );
+    }
+  }
+  for (const value of stringValues(call.args)) {
+    const piiHits = detectPii(value);
+    for (const pattern of piiHits) {
+      out.push(
+        makeFinding({
+          type: "pii",
+          ruleName: `pii:${pattern.toLowerCase().replace(/\s+/g, "-")}`,
+          patternName: pattern,
+          verdict: "review",
+          severity: "medium",
+          reason: `${pattern} pattern detected in tool input`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine"
+        })
+      );
+    }
+  }
+  if (FILE_TOOLS.has(toolNameLower)) {
+    const filePath = typeof call.args.file_path === "string" && call.args.file_path || typeof call.args.path === "string" && call.args.path || typeof call.args.pattern === "string" && call.args.pattern || "";
+    if (filePath && SENSITIVE_PATH_RE.test(filePath)) {
+      out.push(
+        makeFinding({
+          type: "sensitive-file-read",
+          ruleName: "sensitive-file-read",
+          verdict: "review",
+          severity: "critical",
+          reason: `Sensitive file path read via ${call.toolName}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          subjectPath: filePath
+        })
+      );
+    }
+  }
+  if (!isBash || command === null) {
+    return out;
+  }
+  const fsVerdict = analyzeFsOperation(command);
+  if (fsVerdict) {
+    const isShield = fsVerdict.ruleName.startsWith("shield:");
+    out.push(
+      makeFinding({
+        type: "ast-fs-op",
+        ruleName: fsVerdict.ruleName,
+        verdict: fsVerdict.verdict,
+        severity: classifyRuleSeverity(fsVerdict.ruleName, fsVerdict.verdict),
+        reason: fsVerdict.reason,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: isShield ? "shield" : "engine",
+        shieldLabel: isShield ? "project-jail (AST)" : "Node9 (AST)",
+        subjectPath: fsVerdict.path,
+        input: call.args
+      })
+    );
+  }
+  for (const source of ctx.rules) {
+    const r = source.rule;
+    if (r.verdict === "allow") continue;
+    if (r.tool && !matchesPattern(toolNameLower, r.tool)) continue;
+    if (r.name && AST_FS_REGEX_RULES.has(r.name)) continue;
+    if (!evaluateSmartConditions(call.args, r)) continue;
+    out.push(
+      makeFinding({
+        type: "smart-rule",
+        ruleName: r.name ?? r.tool,
+        verdict: r.verdict === "block" ? "block" : "review",
+        severity: classifyRuleSeverity(r.name ?? r.tool, r.verdict),
+        reason: r.reason ?? `Smart rule ${r.name ?? r.tool} fired`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: source.sourceType,
+        shieldLabel: source.shieldLabel,
+        input: call.args
+      })
+    );
+    break;
+  }
+  const evalVerdict = detectDangerousShellExec(command);
+  if (evalVerdict) {
+    out.push(
+      makeFinding({
+        type: "eval-of-remote",
+        ruleName: "eval-of-remote",
+        verdict: evalVerdict,
+        severity: classifyRuleSeverity("eval-remote", evalVerdict),
+        reason: evalVerdict === "block" ? "Eval of remote download is a near-certain supply-chain attack" : "Eval of dynamic content (variable / subshell) requires approval",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  const pipe = analyzePipeChain(command);
+  if (pipe.isPipeline && pipe.risk === "critical") {
+    out.push(
+      makeFinding({
+        type: "pipe-to-shell",
+        ruleName: "pipe-to-shell",
+        verdict: "block",
+        severity: "critical",
+        reason: `Sensitive file piped through obfuscator to network sink: ${pipe.sourceFiles.join(", ")} \u2192 ${pipe.sinkTargets.join(", ")}`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  if (DESTRUCTIVE_OP_RE.test(command)) {
+    out.push(
+      makeFinding({
+        type: "destructive-op",
+        ruleName: "destructive-op",
+        verdict: "review",
+        severity: "high",
+        reason: "Destructive operation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  const ast = analyzeShellCommand(command);
+  const sudoVariant = ast.actions.includes("sudo") || ast.actions.includes("su");
+  const chmodVariant = ast.actions.includes("chmod") && (ast.allTokens.includes("777") || ast.allTokens.includes("0777") || ast.allTokens.includes("+x"));
+  const chownVariant = ast.actions.includes("chown") && ast.allTokens.includes("root");
+  if (sudoVariant || chmodVariant || chownVariant) {
+    out.push(
+      makeFinding({
+        type: "privilege-escalation",
+        ruleName: "privilege-escalation",
+        verdict: "review",
+        severity: "high",
+        reason: "Privilege-escalation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  return out;
+}
+function extractSessionLevelFindings(calls, ctx) {
+  if (!ctx.loopDetection.enabled || calls.length === 0) return [];
+  const out = [];
+  const seenLoopKeys = /* @__PURE__ */ new Set();
+  const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1e3;
+  const windowMs = ctx.loopDetection.windowSeconds <= 0 ? ONE_YEAR_MS : ctx.loopDetection.windowSeconds * 1e3;
+  let records = [];
+  let syntheticTs = 0;
+  for (let i = 0; i < calls.length; i++) {
+    const call = calls[i];
+    const parsed = new Date(call.timestamp).getTime();
+    const now = Number.isFinite(parsed) ? parsed : ++syntheticTs;
+    const verdict = evaluateLoopWindow(
+      records,
+      call.toolName,
+      call.args,
+      ctx.loopDetection.threshold,
+      windowMs,
+      now
+    );
+    records = verdict.nextRecords;
+    if (!verdict.looping) continue;
+    const last = records[records.length - 1];
+    const key = `${last.t}|${last.h}`;
+    if (seenLoopKeys.has(key)) continue;
+    seenLoopKeys.add(key);
+    out.push({
+      type: "loop",
+      ruleName: "loop",
+      verdict: "review",
+      severity: "medium",
+      reason: `Tool called ${verdict.count} times with identical args within window`,
+      toolName: call.toolName,
+      agent: ctx.agent,
+      sessionId: ctx.sessionId,
+      project: ctx.project,
+      lineIndex: call.lineIndex,
+      sourceType: "engine",
+      firstSeenAt: call.timestamp,
+      lastSeenAt: call.timestamp,
+      occurrenceCount: 1,
+      loopCount: verdict.count,
+      loopKind: "loop",
+      commandPreview: previewArgs(call.args, DEDUPE_PREVIEW_LEN),
+      costUsd: verdict.count * COST_PER_LOOP_ITER_USD
+    });
+  }
+  return out;
+}
+function dedupeCanonicalFindings(findings) {
+  const merged = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const inputPreview = f.input ? previewArgs(f.input, DEDUPE_PREVIEW_LEN) : "";
+    const key = `${f.type}|${f.ruleName}|${inputPreview}|${f.project}|${f.agent}`;
+    const prev = merged.get(key);
+    if (!prev) {
+      merged.set(key, { ...f });
+      continue;
+    }
+    prev.occurrenceCount += f.occurrenceCount;
+    if (f.firstSeenAt && (!prev.firstSeenAt || f.firstSeenAt < prev.firstSeenAt)) {
+      prev.firstSeenAt = f.firstSeenAt;
+    }
+    if (f.lastSeenAt && f.lastSeenAt > prev.lastSeenAt) {
+      prev.lastSeenAt = f.lastSeenAt;
+    }
+    if (f.costUsd !== void 0) {
+      prev.costUsd = (prev.costUsd ?? 0) + f.costUsd;
+    }
+    if (f.loopCount !== void 0) {
+      prev.loopCount = (prev.loopCount ?? 0) + f.loopCount;
+    }
+  }
+  return [...merged.values()];
+}
+function toScanFinding(c) {
+  const typeMap = {
+    "smart-rule": null,
+    "ast-fs-op": null,
+    dlp: "dlp",
+    pii: "pii",
+    "sensitive-file-read": "sensitive-file-read",
+    "privilege-escalation": "privilege-escalation",
+    "destructive-op": "destructive-op",
+    "pipe-to-shell": "pipe-to-shell",
+    "eval-of-remote": "eval-of-remote",
+    loop: "loop",
+    "long-output-redacted": "long-output-redacted"
+  };
+  const sfType = typeMap[c.type];
+  if (sfType === null) return null;
+  return {
+    sessionId: c.sessionId,
+    type: sfType,
+    ...c.patternName && { patternName: c.patternName },
+    lineIndex: c.lineIndex
+  };
+}
+var TERMINAL_ESCAPE_RE = (
+  // eslint-disable-next-line no-control-regex
+  /\x1b\[[0-9;?]*[A-Za-z]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g
+);
+function previewArgs(input, max) {
+  const cmd = input.command ?? input.query ?? input.file_path ?? JSON.stringify(input);
+  const s = String(cmd).replace(TERMINAL_ESCAPE_RE, "").replace(/\s+/g, " ").trim();
+  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
+}
+function makeFinding(args) {
+  const f = {
+    type: args.type,
+    ruleName: args.ruleName,
+    verdict: args.verdict,
+    severity: args.severity,
+    reason: args.reason,
+    toolName: args.toolName,
+    agent: args.ctx.agent,
+    sessionId: args.ctx.sessionId,
+    project: args.ctx.project,
+    lineIndex: args.ctx.lineIndex,
+    sourceType: args.sourceType,
+    firstSeenAt: args.ts,
+    lastSeenAt: args.ts,
+    occurrenceCount: 1
+  };
+  if (args.shieldLabel) f.shieldLabel = args.shieldLabel;
+  if (args.subjectPath) f.subjectPath = args.subjectPath;
+  if (args.input) f.input = args.input;
+  if (args.patternName) f.patternName = args.patternName;
+  if (args.redactedSample) f.redactedSample = args.redactedSample;
+  return f;
+}
+function* stringValues(obj, depth = 0) {
+  if (depth > 6) return;
+  if (typeof obj === "string") {
+    if (obj.length > 0) yield obj;
+    return;
+  }
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (const v of obj) yield* stringValues(v, depth + 1);
+    return;
+  }
+  for (const v of Object.values(obj)) yield* stringValues(v, depth + 1);
+}
 // src/index.ts
-var ENGINE_VERSION = "1.0.0";
+var ENGINE_VERSION = "1.4.0";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AST_FS_REGEX_RULES,
+  BASH_TOOL_NAMES,
   BUILTIN_SHIELDS,
+  CANONICAL_EXTRACTOR_HASH,
+  CANONICAL_EXTRACTOR_VERSION,
+  COST_PER_LOOP_ITER_USD,
+  DESTRUCTIVE_OP_RE,
   DLP_PATTERNS,
   ENGINE_VERSION,
+  FILE_TOOLS,
   FLAGS_WITH_VALUES,
+  LONG_OUTPUT_THRESHOLD_BYTES,
   LOOP_MAX_RECORDS,
+  LOOP_THRESHOLD_FOR_WASTE,
+  PRIVILEGE_ESCALATION_RE,
+  SCAN_SIGNAL_WEIGHTS,
+  SENSITIVE_PATH_RE,
   SENSITIVE_PATH_REGEXES,
+  analyzeFsOperation,
   analyzePipeChain,
   analyzeShellCommand,
   checkDangerousSql,
+  classifyAuditEntry,
+  classifyRuleSeverity,
+  classifyScanSignal,
   computeArgsHash,
+  computeBlendedSecurityScore,
+  computeScanScore,
+  computeSecurityScore,
+  dedupeCanonicalFindings,
   detectDangerousEval,
   detectDangerousShellExec,
+  detectPii,
   evaluateLoopWindow,
   evaluatePolicy,
   evaluateSmartConditions,
   extractAllSshHosts,
+  extractCanonicalFindings,
   extractNetworkTargets,
   extractPositionalArgs,
+  extractSessionLevelFindings,
   getCompiledRegex,
   getNestedValue,
+  isBashTool,
   isIgnoredTool,
+  isProtectedHomePath,
   isShieldVerdict,
   matchSensitivePath,
   matchesPattern,
+  narrativeRuleLabel,
   normalizeCommandForPolicy,
   parseAllSshHostsFromCommand,
+  previewArgs,
   redactText,
   scanArgs,
   scanText,
   sensitivePathMatch,
+  summarizeBlast,
+  summarizeScan,
+  toScanFinding,
+  truncateBlastPath,
   validateOverrides,
   validateRegex,
   validateShieldDefinition