npm - @node9/policy-engine - Versions diffs - 1.4.0 → 1.26.3 - Mend

@node9/policy-engine 1.4.0 → 1.26.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.mjs CHANGED Viewed

@@ -426,6 +426,42 @@ var DLP_PATTERNS = [
     regex: /\bAGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JNLH]{58}\b/,
     severity: "block",
     keywords: ["age-secret-key-"]
+  },
+  // ── Database connection strings ───────────────────────────────────────────
+  // Universal <scheme>://[user]:<password>@<host> shape. Covers the gap
+  // vendor-prefix patterns (AWS / GitHub / Stripe / …) leave open. Matches
+  // the whole URL so maskSecret produces `<scheme>...:****@...<host>` —
+  // the password value never appears in the redacted sample.
+  //
+  // Schemes covered: redis, rediss (TLS), postgres, postgresql,
+  // mongodb, mongodb+srv, mysql, mariadb, amqp, amqps, kafka,
+  // clickhouse, cassandra. HTTP(S) / FTP / SSH are intentionally
+  // excluded — they're not database URLs and adding them would
+  // create false positives on every basic-auth URL in the wild.
+  //
+  // Requires `:password@` (4+ char password) so user-only URLs like
+  // `redis://user@host` don't match. Stopwords ('your', '${', '<your',
+  // 'placeholder', 'changeme', etc.) keep doc/README scans clean.
+  {
+    name: "Database Connection String",
+    regex: /\b(redis|rediss|postgres|postgresql|mongodb|mongodb\+srv|mysql|mariadb|amqp|amqps|kafka|clickhouse|cassandra):\/\/[^:/\s@]*:[^@\s]{4,}@[^\s/]+/,
+    severity: "block",
+    keywords: [
+      "redis://",
+      "rediss://",
+      "postgres://",
+      "postgresql://",
+      "mongodb://",
+      "mongodb+srv://",
+      "mysql://",
+      "mariadb://",
+      "amqp://",
+      "amqps://",
+      "kafka://",
+      "clickhouse://",
+      "cassandra://"
+    ],
+    minEntropy: 3
   }
 ];
 var DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
@@ -621,9 +657,70 @@ var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
 ]);
 var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
 var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+function isCatHeredocOrLit(part) {
+  if (!part) return false;
+  const t = syntax.NodeType(part);
+  if (t === "Lit") return true;
+  if (t !== "CmdSubst") return false;
+  const stmts = part.Stmts || [];
+  if (stmts.length !== 1) return false;
+  const stmt = stmts[0];
+  const redirs = stmt.Redirs || stmt.Cmd?.Redirs || [];
+  const hasHeredoc = redirs.some((r) => r && r.Hdoc);
+  if (!hasHeredoc) return false;
+  const cmd = stmt.Cmd;
+  if (!cmd || syntax.NodeType(cmd) !== "CallExpr") return false;
+  const firstArg = cmd.Args?.[0]?.Parts || [];
+  if (firstArg.length !== 1 || syntax.NodeType(firstArg[0]) !== "Lit") return false;
+  return (firstArg[0].Value || "").toLowerCase() === "cat";
+}
+var NORMALIZE_CACHE_MAX = 5e3;
+var normalizeCache = /* @__PURE__ */ new Map();
+var AST_CACHE_MAX = 5e3;
+var astCache = /* @__PURE__ */ new Map();
+var PARSE_FAIL = /* @__PURE__ */ Symbol("parse-fail");
+function parseShared(command) {
+  const cached = astCache.get(command);
+  if (cached !== void 0) {
+    astCache.delete(command);
+    astCache.set(command, cached);
+    return cached;
+  }
+  let parsed;
+  try {
+    parsed = sharedParser.Parse(command, "cmd");
+  } catch {
+    parsed = PARSE_FAIL;
+  }
+  if (astCache.size >= AST_CACHE_MAX) {
+    const oldest = astCache.keys().next().value;
+    if (oldest !== void 0) astCache.delete(oldest);
+  }
+  astCache.set(command, parsed);
+  return parsed;
+}
+function cachedNormalize(command, compute) {
+  const hit = normalizeCache.get(command);
+  if (hit !== void 0) {
+    normalizeCache.delete(command);
+    normalizeCache.set(command, hit);
+    return hit;
+  }
+  const result = compute();
+  if (normalizeCache.size >= NORMALIZE_CACHE_MAX) {
+    const oldest = normalizeCache.keys().next().value;
+    if (oldest !== void 0) normalizeCache.delete(oldest);
+  }
+  normalizeCache.set(command, result);
+  return result;
+}
 function normalizeCommandForPolicy(command) {
+  return cachedNormalize(command, () => normalizeCommandForPolicyImpl(command));
+}
+function normalizeCommandForPolicyImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return command;
   try {
-    const f = sharedParser.Parse(command, "cmd");
     const strips = [];
     syntax.Walk(f, (node) => {
       if (!node) return false;
@@ -645,7 +742,11 @@ function normalizeCommandForPolicy(command) {
         } else if (nt === "DblQuoted") {
           const innerParts = quotedNode.Parts || [];
           const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
-          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+          if (allLit) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          } else if (innerParts.every((p) => isCatHeredocOrLit(p))) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          }
         }
       }
       return true;
@@ -714,6 +815,242 @@ function detectDangerousShellExec(command) {
   }
 }
 var detectDangerousEval = detectDangerousShellExec;
+var FS_READ_TOOLS = /* @__PURE__ */ new Set([
+  "cat",
+  "less",
+  "head",
+  "tail",
+  "bat",
+  "more",
+  "open",
+  "print",
+  "nano",
+  "vim",
+  "vi",
+  "emacs",
+  "code",
+  "type"
+]);
+var FS_OP_PRESCREEN_RE = /(?:^|[\s|;&(`\n])(?:rm|cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\b/;
+var HOME_CACHE_ALLOWLIST = [
+  ".cache",
+  ".npm/_npx",
+  ".npm/_cacache",
+  ".cargo/registry",
+  ".gradle/caches",
+  ".gradle/.tmp",
+  ".m2/repository",
+  ".pnpm-store",
+  ".yarn/cache",
+  ".yarn/.cache",
+  ".cache/pip",
+  ".local/share/Trash",
+  ".rustup/downloads"
+];
+var SENSITIVE_PATH_RULES = [
+  {
+    rule: "shield:project-jail:block-read-ssh",
+    reason: "Reading SSH private keys is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.ssh[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-aws",
+    reason: "Reading AWS credentials is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
+  },
+  {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // block-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
+    rule: "shield:project-jail:block-read-env",
+    reason: "Reading .env files is blocked by project-jail shield",
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
+  },
+  {
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
+    )
+  }
+];
+var BASH_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "bash",
+  "execute_bash",
+  "run_shell_command",
+  "shell",
+  "exec_command"
+]);
+function isBashTool(toolName) {
+  return BASH_TOOL_NAMES.has(toolName.toLowerCase());
+}
+var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
+  "block-rm-rf-home",
+  "shield:project-jail:block-read-ssh",
+  "shield:project-jail:block-read-aws",
+  "shield:project-jail:block-read-env",
+  "shield:project-jail:review-read-credentials"
+]);
+function isProtectedHomePath(rawPath) {
+  let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
+  let underHome = false;
+  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) {
+    p = p.replace(/^~[\\/]?/, "");
+    underHome = true;
+  } else if (/^\/home\/[^/]+/.test(p) || /^\/root(\/|$)/.test(p)) {
+    p = p.replace(/^\/home\/[^/]+[\\/]?|^\/root[\\/]?/, "");
+    underHome = true;
+  }
+  if (!underHome) return false;
+  if (p === "" || p === "." || p === "./") return true;
+  for (const safe of HOME_CACHE_ALLOWLIST) {
+    if (p === safe || p.startsWith(safe + "/") || p.startsWith(safe + "\\")) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractLiteralArgs(callExpr) {
+  const args = callExpr.Args || [];
+  if (args.length === 0) return { name: "", flags: [], paths: [] };
+  const litFromWord = (w) => {
+    const parts = w?.Parts || [];
+    let s = "";
+    for (const p of parts) {
+      const t = syntax.NodeType(p);
+      if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+      else if (t === "SglQuoted") s += p.Value ?? "";
+      else if (t === "DblQuoted") {
+        const inner = p.Parts || [];
+        if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+        s += inner.map((ip) => ip.Value ?? "").join("");
+      } else {
+        return null;
+      }
+    }
+    return s;
+  };
+  const name = (litFromWord(args[0]) || "").toLowerCase();
+  const flags = [];
+  const paths = [];
+  for (let i = 1; i < args.length; i++) {
+    const v = litFromWord(args[i]);
+    if (v === null) continue;
+    if (v.startsWith("-")) flags.push(v);
+    else paths.push(v);
+  }
+  return { name, flags, paths };
+}
+var FS_OP_CACHE_MAX = 5e3;
+var fsOpCache = /* @__PURE__ */ new Map();
+function analyzeFsOperation(command) {
+  if (!FS_OP_PRESCREEN_RE.test(command)) return null;
+  if (fsOpCache.has(command)) {
+    const hit = fsOpCache.get(command) ?? null;
+    fsOpCache.delete(command);
+    fsOpCache.set(command, hit);
+    return hit;
+  }
+  const computed = analyzeFsOperationImpl(command);
+  if (fsOpCache.size >= FS_OP_CACHE_MAX) {
+    const oldest = fsOpCache.keys().next().value;
+    if (oldest !== void 0) fsOpCache.delete(oldest);
+  }
+  fsOpCache.set(command, computed);
+  return computed;
+}
+function analyzeFsOperationImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return null;
+  let result = null;
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node || result) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const { name, flags, paths } = extractLiteralArgs(n);
+      if (!name) return true;
+      if (name === "rm") {
+        const flagStr = flags.join("").toLowerCase();
+        const hasR = /[r]/.test(flagStr) || flags.includes("--recursive");
+        const hasF = /[f]/.test(flagStr) || flags.includes("--force");
+        if (hasR && hasF) {
+          for (const p of paths) {
+            if (isProtectedHomePath(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of home directory is irreversible",
+                path: p
+              };
+              return false;
+            }
+            if (p === "/" || /^\/+$/.test(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of root is catastrophic",
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      if (FS_READ_TOOLS.has(name)) {
+        for (const p of paths) {
+          for (const sp of SENSITIVE_PATH_RULES) {
+            if (sp.match(p)) {
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
 function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -1153,10 +1490,18 @@ function getNestedValue(obj, path) {
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
   const mode = rule.conditionMode ?? "all";
+  const fieldCache = /* @__PURE__ */ new Map();
+  const resolveField = (field) => {
+    if (fieldCache.has(field)) return fieldCache.get(field) ?? null;
+    const rawVal = getNestedValue(args, field);
+    const rawStr = rawVal !== null && rawVal !== void 0 ? String(rawVal) : null;
+    const stripped = field === "command" && rawStr !== null ? normalizeCommandForPolicy(rawStr) : rawStr;
+    const val = stripped !== null ? stripped.replace(/\s+/g, " ").trim() : null;
+    fieldCache.set(field, val);
+    return val;
+  };
   const results = rule.conditions.map((cond) => {
-    const rawVal = getNestedValue(args, cond.field);
-    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
+    const val = resolveField(cond.field);
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1219,6 +1564,43 @@ function checkDangerousSql(sql) {
     return "UPDATE without WHERE \u2014 updates every row";
   return null;
 }
+function pipeChainVerdict(command, isTrustedHost) {
+  const pipeAnalysis = analyzePipeChain(command);
+  if (!pipeAnalysis.isPipeline) return null;
+  if (pipeAnalysis.risk !== "critical" && pipeAnalysis.risk !== "high") return null;
+  const sinks = pipeAnalysis.sinkTargets;
+  const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost ? isTrustedHost(host) : false);
+  if (pipeAnalysis.risk === "critical") {
+    if (allTrusted) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+        reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+        tier: 3
+      };
+    }
+    return {
+      decision: "block",
+      blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+      reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  if (allTrusted) {
+    return {
+      decision: "allow",
+      blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+      reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  return {
+    decision: "review",
+    blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+    reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+    tier: 3
+  };
+}
 async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
   const { agent, cwd, activeEnvironment } = context;
   const { checkProvenance, isTrustedHost } = hooks;
@@ -1234,9 +1616,27 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
   }
   if (wouldBeIgnored) return { decision: "allow" };
+  const bashCommand = agent !== "Terminal" && isBashTool(toolName) && args && typeof args === "object" ? typeof args.command === "string" ? args.command : null : null;
+  if (bashCommand !== null) {
+    const pipeVerdict = pipeChainVerdict(bashCommand, isTrustedHost);
+    if (pipeVerdict) return pipeVerdict;
+    const fsVerdict = analyzeFsOperation(bashCommand);
+    if (fsVerdict) {
+      const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+      const labelPrefix = isShieldRule ? "project-jail (AST)" : "Node9 (AST)";
+      return {
+        decision: fsVerdict.verdict,
+        blockedByLabel: `${labelPrefix}: ${fsVerdict.ruleName}`,
+        reason: fsVerdict.reason,
+        tier: 2,
+        ruleName: fsVerdict.ruleName,
+        ruleDescription: fsVerdict.reason
+      };
+    }
+  }
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+      (rule) => matchesPattern(toolName, rule.tool) && !(bashCommand !== null && rule.name && AST_FS_REGEX_RULES.has(rule.name)) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
       if (matchedRule.verdict === "allow")
@@ -1294,41 +1694,8 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
         tier: 3
       };
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost ? isTrustedHost(host) : false);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
-        }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
+    const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost);
+    if (ptVerdict) return ptVerdict;
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2005,7 +2372,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2019,7 +2386,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2033,7 +2400,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?(?=\\s|$|[;&|>)<])",
           flags: "i"
         }
       ],
@@ -2041,18 +2408,74 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
           flags: "i"
         }
       ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading .env files is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -2461,18 +2884,408 @@ function summarizeBlast(result, opts = {}) {
   };
 }
+// src/scan/destructive-regex.ts
+var DESTRUCTIVE_OP_RE = /\brm\s+-[rRf]+\b|\bDROP\s+(TABLE|DATABASE|COLLECTION|SCHEMA)\b|\bTRUNCATE\s+TABLE\b|\bgit\s+push\s+(--force|-f)\b|\bFLUSHALL\b|\bFLUSHDB\b|\bkubectl\s+delete\b|\bhelm\s+uninstall\b/i;
+var PRIVILEGE_ESCALATION_RE = /\bchmod\s+(0?777|\+x)\b|\bchown\s+root\b/i;
+var SENSITIVE_PATH_RE = /\.aws\/(credentials|config)\b|\.ssh\/(id_rsa|id_ed25519|id_ecdsa|id_dsa)\b|\.env(\.|$|\b)|\.config\/gcloud\/credentials\.db\b|\.docker\/config\.json\b|\.netrc\b|\.npmrc\b|\.node9\/credentials\.json\b/i;
+var FILE_TOOLS = /* @__PURE__ */ new Set([
+  "read",
+  "read_file",
+  "edit",
+  "edit_file",
+  "write",
+  "write_file",
+  "multiedit",
+  "grep",
+  "grep_search",
+  "glob",
+  "list_files"
+]);
+// src/scan/pii.ts
+var PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+var PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+var PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+var PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+// src/scan/canonical.ts
+var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
+var CANONICAL_EXTRACTOR_VERSION = "canonical-v4";
+var CANONICAL_EXTRACTOR_HASH = "64a6a63a27f4646f";
+var DEDUPE_PREVIEW_LEN = 120;
+function extractCanonicalFindings(call, ctx) {
+  const out = [];
+  const ts = call.timestamp;
+  const toolNameLower = call.toolName.toLowerCase();
+  const command = typeof call.args.command === "string" ? call.args.command : null;
+  const isBash = isBashTool(call.toolName) && command !== null;
+  if (call.outputBytes !== void 0 && call.outputBytes > LONG_OUTPUT_THRESHOLD_BYTES) {
+    out.push(
+      makeFinding({
+        type: "long-output-redacted",
+        ruleName: "long-output-redacted",
+        verdict: "review",
+        severity: "medium",
+        reason: `Tool output exceeded ${LONG_OUTPUT_THRESHOLD_BYTES} bytes and was redacted`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine"
+      })
+    );
+  }
+  if (ctx.dlpEnabled) {
+    const dlp = scanArgs(call.args);
+    if (dlp) {
+      out.push(
+        makeFinding({
+          type: "dlp",
+          ruleName: `dlp:${dlp.patternName}`,
+          patternName: dlp.patternName,
+          verdict: dlp.severity === "block" ? "block" : "review",
+          severity: dlp.severity === "block" ? "critical" : "medium",
+          reason: `${dlp.patternName} detected in ${dlp.fieldPath}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          input: call.args,
+          redactedSample: dlp.redactedSample
+        })
+      );
+    }
+  }
+  for (const value of stringValues(call.args)) {
+    const piiHits = detectPii(value);
+    for (const pattern of piiHits) {
+      out.push(
+        makeFinding({
+          type: "pii",
+          ruleName: `pii:${pattern.toLowerCase().replace(/\s+/g, "-")}`,
+          patternName: pattern,
+          verdict: "review",
+          severity: "medium",
+          reason: `${pattern} pattern detected in tool input`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine"
+        })
+      );
+    }
+  }
+  if (FILE_TOOLS.has(toolNameLower)) {
+    const filePath = typeof call.args.file_path === "string" && call.args.file_path || typeof call.args.path === "string" && call.args.path || typeof call.args.pattern === "string" && call.args.pattern || "";
+    if (filePath && SENSITIVE_PATH_RE.test(filePath)) {
+      out.push(
+        makeFinding({
+          type: "sensitive-file-read",
+          ruleName: "sensitive-file-read",
+          verdict: "review",
+          severity: "critical",
+          reason: `Sensitive file path read via ${call.toolName}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          subjectPath: filePath
+        })
+      );
+    }
+  }
+  if (!isBash || command === null) {
+    return out;
+  }
+  const fsVerdict = analyzeFsOperation(command);
+  if (fsVerdict) {
+    const isShield = fsVerdict.ruleName.startsWith("shield:");
+    out.push(
+      makeFinding({
+        type: "ast-fs-op",
+        ruleName: fsVerdict.ruleName,
+        verdict: fsVerdict.verdict,
+        severity: classifyRuleSeverity(fsVerdict.ruleName, fsVerdict.verdict),
+        reason: fsVerdict.reason,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: isShield ? "shield" : "engine",
+        shieldLabel: isShield ? "project-jail (AST)" : "Node9 (AST)",
+        subjectPath: fsVerdict.path,
+        input: call.args
+      })
+    );
+  }
+  for (const source of ctx.rules) {
+    const r = source.rule;
+    if (r.verdict === "allow") continue;
+    if (r.tool && !matchesPattern(toolNameLower, r.tool)) continue;
+    if (r.name && AST_FS_REGEX_RULES.has(r.name)) continue;
+    if (!evaluateSmartConditions(call.args, r)) continue;
+    out.push(
+      makeFinding({
+        type: "smart-rule",
+        ruleName: r.name ?? r.tool,
+        verdict: r.verdict === "block" ? "block" : "review",
+        severity: classifyRuleSeverity(r.name ?? r.tool, r.verdict),
+        reason: r.reason ?? `Smart rule ${r.name ?? r.tool} fired`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: source.sourceType,
+        shieldLabel: source.shieldLabel,
+        input: call.args
+      })
+    );
+    break;
+  }
+  const evalVerdict = detectDangerousShellExec(command);
+  if (evalVerdict) {
+    out.push(
+      makeFinding({
+        type: "eval-of-remote",
+        ruleName: "eval-of-remote",
+        verdict: evalVerdict,
+        severity: classifyRuleSeverity("eval-remote", evalVerdict),
+        reason: evalVerdict === "block" ? "Eval of remote download is a near-certain supply-chain attack" : "Eval of dynamic content (variable / subshell) requires approval",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  const pipe = analyzePipeChain(command);
+  if (pipe.isPipeline && pipe.risk === "critical") {
+    out.push(
+      makeFinding({
+        type: "pipe-to-shell",
+        ruleName: "pipe-to-shell",
+        verdict: "block",
+        severity: "critical",
+        reason: `Sensitive file piped through obfuscator to network sink: ${pipe.sourceFiles.join(", ")} \u2192 ${pipe.sinkTargets.join(", ")}`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  if (DESTRUCTIVE_OP_RE.test(command)) {
+    out.push(
+      makeFinding({
+        type: "destructive-op",
+        ruleName: "destructive-op",
+        verdict: "review",
+        severity: "high",
+        reason: "Destructive operation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  const ast = analyzeShellCommand(command);
+  const sudoVariant = ast.actions.includes("sudo") || ast.actions.includes("su");
+  const chmodVariant = ast.actions.includes("chmod") && (ast.allTokens.includes("777") || ast.allTokens.includes("0777") || ast.allTokens.includes("+x"));
+  const chownVariant = ast.actions.includes("chown") && ast.allTokens.includes("root");
+  if (sudoVariant || chmodVariant || chownVariant) {
+    out.push(
+      makeFinding({
+        type: "privilege-escalation",
+        ruleName: "privilege-escalation",
+        verdict: "review",
+        severity: "high",
+        reason: "Privilege-escalation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  return out;
+}
+function extractSessionLevelFindings(calls, ctx) {
+  if (!ctx.loopDetection.enabled || calls.length === 0) return [];
+  const out = [];
+  const seenLoopKeys = /* @__PURE__ */ new Set();
+  const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1e3;
+  const windowMs = ctx.loopDetection.windowSeconds <= 0 ? ONE_YEAR_MS : ctx.loopDetection.windowSeconds * 1e3;
+  let records = [];
+  let syntheticTs = 0;
+  for (let i = 0; i < calls.length; i++) {
+    const call = calls[i];
+    const parsed = new Date(call.timestamp).getTime();
+    const now = Number.isFinite(parsed) ? parsed : ++syntheticTs;
+    const verdict = evaluateLoopWindow(
+      records,
+      call.toolName,
+      call.args,
+      ctx.loopDetection.threshold,
+      windowMs,
+      now
+    );
+    records = verdict.nextRecords;
+    if (!verdict.looping) continue;
+    const last = records[records.length - 1];
+    const key = `${last.t}|${last.h}`;
+    if (seenLoopKeys.has(key)) continue;
+    seenLoopKeys.add(key);
+    out.push({
+      type: "loop",
+      ruleName: "loop",
+      verdict: "review",
+      severity: "medium",
+      reason: `Tool called ${verdict.count} times with identical args within window`,
+      toolName: call.toolName,
+      agent: ctx.agent,
+      sessionId: ctx.sessionId,
+      project: ctx.project,
+      lineIndex: call.lineIndex,
+      sourceType: "engine",
+      firstSeenAt: call.timestamp,
+      lastSeenAt: call.timestamp,
+      occurrenceCount: 1,
+      loopCount: verdict.count,
+      loopKind: "loop",
+      commandPreview: previewArgs(call.args, DEDUPE_PREVIEW_LEN),
+      costUsd: verdict.count * COST_PER_LOOP_ITER_USD
+    });
+  }
+  return out;
+}
+function dedupeCanonicalFindings(findings) {
+  const merged = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const inputPreview = f.input ? previewArgs(f.input, DEDUPE_PREVIEW_LEN) : "";
+    const key = `${f.type}|${f.ruleName}|${inputPreview}|${f.project}|${f.agent}`;
+    const prev = merged.get(key);
+    if (!prev) {
+      merged.set(key, { ...f });
+      continue;
+    }
+    prev.occurrenceCount += f.occurrenceCount;
+    if (f.firstSeenAt && (!prev.firstSeenAt || f.firstSeenAt < prev.firstSeenAt)) {
+      prev.firstSeenAt = f.firstSeenAt;
+    }
+    if (f.lastSeenAt && f.lastSeenAt > prev.lastSeenAt) {
+      prev.lastSeenAt = f.lastSeenAt;
+    }
+    if (f.costUsd !== void 0) {
+      prev.costUsd = (prev.costUsd ?? 0) + f.costUsd;
+    }
+    if (f.loopCount !== void 0) {
+      prev.loopCount = (prev.loopCount ?? 0) + f.loopCount;
+    }
+  }
+  return [...merged.values()];
+}
+function toScanFinding(c) {
+  const typeMap = {
+    "smart-rule": null,
+    "ast-fs-op": null,
+    dlp: "dlp",
+    pii: "pii",
+    "sensitive-file-read": "sensitive-file-read",
+    "privilege-escalation": "privilege-escalation",
+    "destructive-op": "destructive-op",
+    "pipe-to-shell": "pipe-to-shell",
+    "eval-of-remote": "eval-of-remote",
+    loop: "loop",
+    "long-output-redacted": "long-output-redacted"
+  };
+  const sfType = typeMap[c.type];
+  if (sfType === null) return null;
+  return {
+    sessionId: c.sessionId,
+    type: sfType,
+    ...c.patternName && { patternName: c.patternName },
+    lineIndex: c.lineIndex
+  };
+}
+var TERMINAL_ESCAPE_RE = (
+  // eslint-disable-next-line no-control-regex
+  /\x1b\[[0-9;?]*[A-Za-z]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g
+);
+function previewArgs(input, max) {
+  const cmd = input.command ?? input.query ?? input.file_path ?? JSON.stringify(input);
+  const s = String(cmd).replace(TERMINAL_ESCAPE_RE, "").replace(/\s+/g, " ").trim();
+  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
+}
+function makeFinding(args) {
+  const f = {
+    type: args.type,
+    ruleName: args.ruleName,
+    verdict: args.verdict,
+    severity: args.severity,
+    reason: args.reason,
+    toolName: args.toolName,
+    agent: args.ctx.agent,
+    sessionId: args.ctx.sessionId,
+    project: args.ctx.project,
+    lineIndex: args.ctx.lineIndex,
+    sourceType: args.sourceType,
+    firstSeenAt: args.ts,
+    lastSeenAt: args.ts,
+    occurrenceCount: 1
+  };
+  if (args.shieldLabel) f.shieldLabel = args.shieldLabel;
+  if (args.subjectPath) f.subjectPath = args.subjectPath;
+  if (args.input) f.input = args.input;
+  if (args.patternName) f.patternName = args.patternName;
+  if (args.redactedSample) f.redactedSample = args.redactedSample;
+  return f;
+}
+function* stringValues(obj, depth = 0) {
+  if (depth > 6) return;
+  if (typeof obj === "string") {
+    if (obj.length > 0) yield obj;
+    return;
+  }
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (const v of obj) yield* stringValues(v, depth + 1);
+    return;
+  }
+  for (const v of Object.values(obj)) yield* stringValues(v, depth + 1);
+}
 // src/index.ts
 var ENGINE_VERSION = "1.4.0";
 export {
+  AST_FS_REGEX_RULES,
+  BASH_TOOL_NAMES,
   BUILTIN_SHIELDS,
+  CANONICAL_EXTRACTOR_HASH,
+  CANONICAL_EXTRACTOR_VERSION,
   COST_PER_LOOP_ITER_USD,
+  DESTRUCTIVE_OP_RE,
   DLP_PATTERNS,
   ENGINE_VERSION,
+  FILE_TOOLS,
   FLAGS_WITH_VALUES,
+  LONG_OUTPUT_THRESHOLD_BYTES,
   LOOP_MAX_RECORDS,
   LOOP_THRESHOLD_FOR_WASTE,
+  PRIVILEGE_ESCALATION_RE,
   SCAN_SIGNAL_WEIGHTS,
+  SENSITIVE_PATH_RE,
   SENSITIVE_PATH_REGEXES,
+  analyzeFsOperation,
   analyzePipeChain,
   analyzeShellCommand,
   checkDangerousSql,
@@ -2483,29 +3296,37 @@ export {
   computeBlendedSecurityScore,
   computeScanScore,
   computeSecurityScore,
+  dedupeCanonicalFindings,
   detectDangerousEval,
   detectDangerousShellExec,
+  detectPii,
   evaluateLoopWindow,
   evaluatePolicy,
   evaluateSmartConditions,
   extractAllSshHosts,
+  extractCanonicalFindings,
   extractNetworkTargets,
   extractPositionalArgs,
+  extractSessionLevelFindings,
   getCompiledRegex,
   getNestedValue,
+  isBashTool,
   isIgnoredTool,
+  isProtectedHomePath,
   isShieldVerdict,
   matchSensitivePath,
   matchesPattern,
   narrativeRuleLabel,
   normalizeCommandForPolicy,
   parseAllSshHostsFromCommand,
+  previewArgs,
   redactText,
   scanArgs,
   scanText,
   sensitivePathMatch,
   summarizeBlast,
   summarizeScan,
+  toScanFinding,
   truncateBlastPath,
   validateOverrides,
   validateRegex,