@node9/proxy 1.0.1 → 1.0.2

package/README.md

@@ -11,6 +11,23 @@ While others try to _guess_ if a prompt is malicious (Semantic Security), Node9
 
 ---
 
+## 💎 The "Aha!" Moment
+
+**AIs are literal.** When you ask an agent to "Fix my disk space," it might decide to run `docker system prune -af`.
+
+<p align="center">
+  <img src="https://github.com/user-attachments/assets/c3a8f3ae-f0aa-4c57-869a-5e1e2e356d35" width="100%">
+</p>
+
+**With Node9, the interaction looks like this:**
+
+1. **🤖 AI attempts a "Nuke":** `Bash("docker system prune -af --volumes")`
+2. **🛡️ Node9 Intercepts:** An OS-native popup appears immediately.
+3. **🛑 User Blocks:** You click "Block" in the popup.
+4. **🧠 AI Negotiates:** Node9 explains the block to the AI. The AI responds: _"I understand. I will pivot to a safer cleanup, like removing only large log files instead."_
+
+---
+
 ## ⚡ Key Architectural Upgrades
 
 ### 🏁 The Multi-Channel Race Engine
@@ -26,6 +43,14 @@ Node9 initiates a **Concurrent Race** across all enabled channels. The first cha
 
 Node9 doesn't just "cut the wire." When a command is blocked, it injects a **Structured Negotiation Prompt** back into the AI’s context window. This teaches the AI why it was stopped and instructs it to pivot to a safer alternative or apologize to the human.
 
+### ⏪ Shadow Git Snapshots (Auto-Undo)
+
+Node9 takes silent, lightweight Git snapshots right before an AI agent is allowed to edit or delete files. If the AI hallucinates and ruins your code, don't waste time manualy fixing it. Just run:
+
+```bash
+node9 undo
+```
+
 ### 🌊 The Resolution Waterfall
 
 Security posture is resolved using a strict 5-tier waterfall:
@@ -47,8 +72,8 @@ npm install -g @node9/proxy
 node9 addto claude
 node9 addto gemini
 
-# 2. (Optional) Connect to Slack for remote approvals
-node9 login <your_api_key>
+# 2. Initialize your local safety net
+node9 init
 
 # 3. Check your status
 node9 status
@@ -121,9 +146,8 @@ A corporate policy has locked this action. You must click the "Approve" button i
 - [x] **AI Negotiation Loop** (Instructional feedback loop to guide LLM behavior)
 - [x] **Resolution Waterfall** (Cascading configuration: Env > Cloud > Project > Global)
 - [x] **Native OS Dialogs** (Sub-second approval via Mac/Win/Linux system windows)
-- [x] **One-command Agent Setup** (`node9 addto claude | gemini | cursor`)
+- [x] **Shadow Git Snapshots** (1-click Undo for AI hallucinations)
 - [x] **Identity-Aware Execution** (Differentiates between Human vs. AI risk levels)
-- [ ] **Shadow Git Snapshots** (1-click Undo for AI hallucinations)
 - [ ] **Execution Sandboxing** (Simulate dangerous commands in a virtual FS before applying)
 - [ ] **Multi-Admin Quorum** (Require 2+ human signatures for high-stakes production actions)
 - [ ] **SOC2 Tamper-proof Audit Trail** (Cryptographically signed, cloud-managed logs)

package/dist/cli.js

@@ -107,21 +107,47 @@ function sendDesktopNotification(title, body) {
   } catch {
   }
 }
+function escapePango(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
+  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  lines.push("");
+  lines.push(formattedArgs);
+  if (!locked) {
+    lines.push("");
+    lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
+  }
+  return lines.join("\n");
+}
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) {
+    lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
+    lines.push("");
+  }
+  lines.push(
+    `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
+  );
+  lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  lines.push("");
+  lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (!locked) {
+    lines.push("");
+    lines.push(
+      '<small>\u21B5 Enter = <b>Allow \u21B5</b>   |   \u238B Esc = <b>Block \u238B</b>   |   "Always Allow" = never ask again</small>'
+    );
+  }
+  return lines.join("\n");
+}
 async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal) {
   if (isTestEnv()) return "deny";
   const formattedArgs = formatArgs(args);
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 Action Approval`;
-  let message = "";
-  if (locked) message += `\u26A0\uFE0F LOCKED BY ADMIN POLICY
-`;
-  message += `Tool:  ${toolName}
-`;
-  message += `Agent: ${agent || "AI Agent"}
-`;
-  message += `Rule:  ${explainableLabel || "Security Policy"}
-
-`;
-  message += `${formattedArgs}`;
+  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
   process.stderr.write(import_chalk.default.yellow(`
 \u{1F6E1}\uFE0F  Node9: Intercepted "${toolName}" \u2014 awaiting user...
 `));
@@ -142,7 +168,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
     }
     try {
       if (process.platform === "darwin") {
-        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block", "Always Allow", "Allow"} default button "Allow" cancel button "Block"`;
+        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block \u238B", "Always Allow", "Allow \u21B5"} default button "Allow \u21B5" cancel button "Block \u238B"`;
         const script = `on run argv
 tell application "System Events"
 activate
@@ -151,21 +177,28 @@ end tell
 end run`;
         childProcess = (0, import_child_process.spawn)("osascript", ["-e", script, "--", message, title]);
       } else if (process.platform === "linux") {
+        const pangoMessage = buildPangoMessage(
+          toolName,
+          formattedArgs,
+          agent,
+          explainableLabel,
+          locked
+        );
         const argsList = [
           locked ? "--info" : "--question",
           "--modal",
-          "--width=450",
+          "--width=480",
           "--title",
           title,
           "--text",
-          message,
+          pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow",
+          locked ? "Waiting..." : "Allow  \u21B5",
           "--timeout",
           "300"
         ];
         if (!locked) {
-          argsList.push("--cancel-label", "Block");
+          argsList.push("--cancel-label", "Block  \u238B");
           argsList.push("--extra-button", "Always Allow");
         }
         childProcess = (0, import_child_process.spawn)("zenity", argsList);
@@ -193,6 +226,8 @@ end run`;
 // src/core.ts
 var PAUSED_FILE = import_path.default.join(import_os.default.homedir(), ".node9", "PAUSED");
 var TRUST_FILE = import_path.default.join(import_os.default.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!import_fs.default.existsSync(PAUSED_FILE)) return { paused: false };
@@ -259,36 +294,39 @@ function writeTrustSession(toolName, durationMs) {
     }
   }
 }
-function appendAuditModeEntry(toolName, args) {
+function appendToLog(logPath, entry) {
   try {
-    const entry = JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      tool: toolName,
-      args,
-      decision: "would-have-blocked",
-      source: "audit-mode"
-    });
-    const logPath = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     const dir = import_path.default.dirname(logPath);
     if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
-    import_fs.default.appendFileSync(logPath, entry + "\n");
+    import_fs.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
-var DANGEROUS_WORDS = [
-  "delete",
-  "drop",
-  "remove",
-  "terminate",
-  "refund",
-  "write",
-  "update",
-  "destroy",
-  "rm",
-  "rmdir",
-  "purge",
-  "format"
-];
+function appendHookDebug(toolName, args, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(HOOK_DEBUG_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: import_os.default.hostname(),
+    cwd: process.cwd()
+  });
+}
+function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    decision,
+    checkedBy,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: import_os.default.hostname()
+  });
+}
 function tokenize(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
@@ -395,16 +433,28 @@ function redactSecrets(text) {
   );
   return redacted;
 }
+var DANGEROUS_WORDS = [
+  "drop",
+  "truncate",
+  "purge",
+  "format",
+  "destroy",
+  "terminate",
+  "revoke",
+  "docker",
+  "psql"
+];
 var DEFAULT_CONFIG = {
   settings: {
     mode: "standard",
     autoStartDaemon: true,
-    enableUndo: false,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
-    sandboxPaths: [],
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
     dangerousWords: DANGEROUS_WORDS,
     ignoredTools: [
       "list_*",
@@ -412,12 +462,44 @@ var DEFAULT_CONFIG = {
       "read_*",
       "describe_*",
       "read",
+      "glob",
       "grep",
       "ls",
-      "askuserquestion"
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
     ],
-    toolInspection: { bash: "command", shell: "command" },
-    rules: [{ action: "rm", allowPaths: ["**/node_modules/**", "dist/**", ".DS_Store"] }]
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    rules: [
+      {
+        action: "rm",
+        allowPaths: [
+          "**/node_modules/**",
+          "dist/**",
+          "build/**",
+          ".next/**",
+          "coverage/**",
+          ".cache/**",
+          "tmp/**",
+          "temp/**",
+          ".DS_Store"
+        ]
+      }
+    ]
   },
   environments: {}
 };
@@ -482,20 +564,15 @@ async function evaluatePolicy(toolName, args, agent) {
   }
   const isManual = agent === "Terminal";
   if (isManual) {
-    const NUCLEAR_COMMANDS = [
-      "drop",
-      "destroy",
-      "purge",
-      "rmdir",
-      "format",
-      "truncate",
-      "alter",
-      "grant",
-      "revoke",
-      "docker"
-    ];
-    const hasNuclear = allTokens.some((t) => NUCLEAR_COMMANDS.includes(t.toLowerCase()));
-    if (!hasNuclear) return { decision: "allow" };
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+    }
+    return { decision: "allow" };
   }
   if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
@@ -509,27 +586,39 @@ async function evaluatePolicy(toolName, args, agent) {
       if (pathTokens.length > 0) {
         const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
         if (anyBlocked)
-          return { decision: "review", blockedByLabel: "Project/Global Config (Rule Block)" };
+          return {
+            decision: "review",
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+          };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
-      return { decision: "review", blockedByLabel: "Project/Global Config (Rule Default Block)" };
+      return {
+        decision: "review",
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+      };
     }
   }
+  let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
       const w = word.toLowerCase();
-      if (token === w) return true;
-      try {
-        return new RegExp(`\\b${w}\\b`, "i").test(token);
-      } catch {
-        return false;
-      }
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
     })
   );
   if (isDangerous) {
-    const label = isManual ? "Manual Nuclear Protection" : "Project/Global Config (Dangerous Word)";
-    return { decision: "review", blockedByLabel: label };
+    return {
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`
+    };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
@@ -644,13 +733,16 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     approvers.browser = false;
     approvers.terminal = false;
   }
+  if (config.settings.enableHookLogDebug && !isTestEnv2) {
+    appendHookDebug(toolName, args, meta);
+  }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
-        appendAuditModeEntry(toolName, args);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -662,20 +754,24 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -685,6 +781,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     }
   } else {
     if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
   let cloudRequestId = null;
@@ -909,6 +1006,15 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
   if (cloudRequestId && creds && finalResult.checkedBy !== "cloud") {
     await resolveNode9SaaS(cloudRequestId, creds, finalResult.approved);
   }
+  if (!isManual) {
+    appendLocalAudit(
+      toolName,
+      args,
+      finalResult.approved ? "allow" : "deny",
+      finalResult.checkedBy || finalResult.blockedBy || "unknown",
+      meta
+    );
+  }
   return finalResult;
 }
 function getConfig() {
@@ -939,8 +1045,8 @@ function getConfig() {
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
@@ -3077,75 +3183,30 @@ program.command("addto").description("Integrate Node9 with an AI agent").addHelp
   console.error(import_chalk5.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
-program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").action((options) => {
+program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
   const configPath = import_path5.default.join(import_os5.default.homedir(), ".node9", "config.json");
   if (import_fs5.default.existsSync(configPath) && !options.force) {
     console.log(import_chalk5.default.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(import_chalk5.default.gray(`   Run with --force to overwrite.`));
     return;
   }
-  const defaultConfig = {
-    version: "1.0",
+  const requestedMode = options.mode.toLowerCase();
+  const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
+  const configToSave = {
+    ...DEFAULT_CONFIG,
     settings: {
-      mode: "standard",
-      autoStartDaemon: true,
-      enableUndo: true,
-      enableHookLogDebug: false,
-      approvers: { native: true, browser: true, cloud: true, terminal: true }
-    },
-    policy: {
-      sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
-      dangerousWords: DANGEROUS_WORDS,
-      ignoredTools: [
-        "list_*",
-        "get_*",
-        "read_*",
-        "describe_*",
-        "read",
-        "write",
-        "edit",
-        "glob",
-        "grep",
-        "ls",
-        "notebookread",
-        "notebookedit",
-        "webfetch",
-        "websearch",
-        "exitplanmode",
-        "askuserquestion",
-        "agent",
-        "task*"
-      ],
-      toolInspection: {
-        bash: "command",
-        shell: "command",
-        run_shell_command: "command",
-        "terminal.execute": "command",
-        "postgres:query": "sql"
-      },
-      rules: [
-        {
-          action: "rm",
-          allowPaths: [
-            "**/node_modules/**",
-            "dist/**",
-            "build/**",
-            ".next/**",
-            "coverage/**",
-            ".cache/**",
-            "tmp/**",
-            "temp/**",
-            ".DS_Store"
-          ]
-        }
-      ]
+      ...DEFAULT_CONFIG.settings,
+      mode: safeMode
     }
   };
-  if (!import_fs5.default.existsSync(import_path5.default.dirname(configPath)))
-    import_fs5.default.mkdirSync(import_path5.default.dirname(configPath), { recursive: true });
-  import_fs5.default.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2));
+  const dir = import_path5.default.dirname(configPath);
+  if (!import_fs5.default.existsSync(dir)) import_fs5.default.mkdirSync(dir, { recursive: true });
+  import_fs5.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(import_chalk5.default.green(`\u2705 Global config created: ${configPath}`));
-  console.log(import_chalk5.default.gray(`   Edit this file to add custom tool inspection or security rules.`));
+  console.log(import_chalk5.default.cyan(`   Mode set to: ${safeMode}`));
+  console.log(
+    import_chalk5.default.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
+  );
 });
 program.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
   const creds = getCredentials();
@@ -3292,23 +3353,24 @@ RAW: ${raw}
         let aiFeedbackMessage = "";
         if (isHumanDecision) {
           aiFeedbackMessage = `NODE9 SECURITY INTERVENTION: The human user specifically REJECTED this action.
-        REASON: ${msg || "No specific reason provided by user."}
+REASON: ${msg || "No specific reason provided by user."}
 
-        INSTRUCTIONS FOR AI AGENT:
-        - Do NOT retry this exact command immediately.
-        - Explain to the user that you understand they blocked the action.
-        - Ask the user if there is an alternative approach they would prefer, or if they intended to block this action entirely.
-        - If you believe this action is critical, explain your reasoning to the user and ask them to run 'node9 pause 15m' to allow you to proceed.`;
+INSTRUCTIONS FOR AI AGENT:
+- Do NOT retry this exact command immediately.
+- Explain to the user that you understand they blocked the action.
+- Ask the user if there is an alternative approach they would prefer, or if they intended to block this action entirely.
+- If you believe this action is critical, explain your reasoning to the user and ask them to run 'node9 pause 15m' to allow you to proceed.`;
         } else {
           aiFeedbackMessage = `NODE9 SECURITY INTERVENTION: Action blocked by automated policy [${blockedByContext}].
-        REASON: ${msg}
+REASON: ${msg}
 
-        INSTRUCTIONS FOR AI AGENT:
-        - This command violates the current security configuration.
-        - Do NOT attempt to bypass this rule with bash syntax tricks; it will be blocked again.
-        - Pivot to a non-destructive or read-only alternative.
-        - Inform the user which security rule was triggered.`;
+INSTRUCTIONS FOR AI AGENT:
+- This command violates the current security configuration.
+- Do NOT attempt to bypass this rule with bash syntax tricks; it will be blocked again.
+- Pivot to a non-destructive or read-only alternative.
+- Inform the user which security rule was triggered.`;
         }
+        console.error(import_chalk5.default.dim(`   (Detailed instructions sent to AI agent)`));
         process.stdout.write(
           JSON.stringify({
             decision: "block",
@@ -3503,7 +3565,9 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       process.exit(1);
     }
     const fullCommand = commandArgs.join(" ");
-    let result = await authorizeHeadless("shell", { command: fullCommand });
+    let result = await authorizeHeadless("shell", { command: fullCommand }, true, {
+      agent: "Terminal"
+    });
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
       console.error(import_chalk5.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();