@node9/proxy 1.0.13 → 1.0.14

package/dist/cli.mjs

@@ -6,9 +6,9 @@ import { Command } from "commander";
 // src/core.ts
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
-import fs from "fs";
-import path3 from "path";
-import os from "os";
+import fs2 from "fs";
+import path4 from "path";
+import os2 from "os";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
 
@@ -338,25 +338,26 @@ import { z } from "zod";
 var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
   message: "Value must not contain literal newline characters (use \\n instead)"
 });
-var validRegex = noNewlines.refine(
-  (s) => {
-    try {
-      new RegExp(s);
-      return true;
-    } catch {
-      return false;
-    }
-  },
-  { message: "Value must be a valid regular expression" }
-);
 var SmartConditionSchema = z.object({
   field: z.string().min(1, "Condition field must not be empty"),
-  op: z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
-    errorMap: () => ({
-      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
-    })
-  }),
-  value: validRegex.optional(),
+  op: z.enum(
+    [
+      "matches",
+      "notMatches",
+      "contains",
+      "notContains",
+      "exists",
+      "notExists",
+      "matchesGlob",
+      "notMatchesGlob"
+    ],
+    {
+      errorMap: () => ({
+        message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists, matchesGlob, notMatchesGlob"
+      })
+    }
+  ),
+  value: z.string().optional(),
   flags: z.string().optional()
 });
 var SmartRuleSchema = z.object({
@@ -369,11 +370,6 @@ var SmartRuleSchema = z.object({
   }),
   reason: z.string().optional()
 });
-var PolicyRuleSchema = z.object({
-  action: z.string().min(1),
-  allowPaths: z.array(z.string()).optional(),
-  blockPaths: z.array(z.string()).optional()
-});
 var ConfigFileSchema = z.object({
   version: z.string().optional(),
   settings: z.object({
@@ -398,12 +394,15 @@ var ConfigFileSchema = z.object({
     dangerousWords: z.array(noNewlines).optional(),
     ignoredTools: z.array(z.string()).optional(),
     toolInspection: z.record(z.string()).optional(),
-    rules: z.array(PolicyRuleSchema).optional(),
     smartRules: z.array(SmartRuleSchema).optional(),
     snapshot: z.object({
       tools: z.array(z.string()).optional(),
       onlyPaths: z.array(z.string()).optional(),
       ignorePaths: z.array(z.string()).optional()
+    }).optional(),
+    dlp: z.object({
+      enabled: z.boolean().optional(),
+      scanIgnoredTools: z.boolean().optional()
     }).optional()
   }).optional(),
   environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
@@ -425,8 +424,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path8 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path8}: ${issue.message}`;
+    const path9 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path9}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -435,18 +434,301 @@ ${lines.join("\n")}`
   };
 }
 
+// src/shields.ts
+import fs from "fs";
+import path3 from "path";
+import os from "os";
+import crypto from "crypto";
+var SHIELDS = {
+  postgres: {
+    name: "postgres",
+    description: "Protects PostgreSQL databases from destructive AI operations",
+    aliases: ["pg", "postgresql"],
+    smartRules: [
+      {
+        name: "shield:postgres:block-drop-table",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-truncate",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-drop-column",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:review-grant-revoke",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
+        verdict: "review",
+        reason: "Permission changes require human approval (Postgres shield)"
+      }
+    ],
+    dangerousWords: ["dropdb", "pg_dropcluster"]
+  },
+  github: {
+    name: "github",
+    description: "Protects GitHub repositories from destructive AI operations",
+    aliases: ["git"],
+    smartRules: [
+      {
+        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
+        // This rule adds coverage for `git push --delete` which the built-in does not match.
+        name: "shield:github:review-delete-branch-remote",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+push\\s+.*--delete",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "Remote branch deletion requires human approval (GitHub shield)"
+      },
+      {
+        name: "shield:github:block-delete-repo",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
+      }
+    ],
+    dangerousWords: []
+  },
+  aws: {
+    name: "aws",
+    description: "Protects AWS infrastructure from destructive AI operations",
+    aliases: ["amazon"],
+    smartRules: [
+      {
+        name: "shield:aws:block-delete-s3-bucket",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-iam-changes",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "IAM changes require human approval (AWS shield)"
+      },
+      {
+        name: "shield:aws:block-ec2-terminate",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+ec2\\s+terminate-instances",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-rds-delete",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "RDS deletion requires human approval (AWS shield)"
+      }
+    ],
+    dangerousWords: []
+  },
+  filesystem: {
+    name: "filesystem",
+    description: "Protects the local filesystem from dangerous AI operations",
+    aliases: ["fs"],
+    smartRules: [
+      {
+        name: "shield:filesystem:review-chmod-777",
+        tool: "bash",
+        conditions: [
+          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "chmod 777 requires human approval (filesystem shield)"
+      },
+      {
+        name: "shield:filesystem:review-write-etc",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            // Narrow to write-indicative operations to avoid approval fatigue on reads.
+            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
+            op: "matches",
+            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+          }
+        ],
+        verdict: "review",
+        reason: "Writing to /etc requires human approval (filesystem shield)"
+      }
+    ],
+    // dd removed: too common as a legitimate tool (disk imaging, file ops).
+    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
+    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
+    dangerousWords: ["wipefs"]
+  }
+};
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
+  }
+  return null;
+}
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
+}
+function listShields() {
+  return Object.values(SHIELDS);
+}
+var SHIELDS_STATE_FILE = path3.join(os.homedir(), ".node9", "shields.json");
+function readActiveShields() {
+  try {
+    const raw = fs.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return [];
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed.active)) {
+      return parsed.active.filter(
+        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+      );
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
+    }
+  }
+  return [];
+}
+function writeActiveShields(active) {
+  fs.mkdirSync(path3.dirname(SHIELDS_STATE_FILE), { recursive: true });
+  const tmp = `${SHIELDS_STATE_FILE}.${crypto.randomBytes(6).toString("hex")}.tmp`;
+  fs.writeFileSync(tmp, JSON.stringify({ active }, null, 2), { mode: 384 });
+  fs.renameSync(tmp, SHIELDS_STATE_FILE);
+}
+
+// src/dlp.ts
+var DLP_PATTERNS = [
+  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
+  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
+  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]+\b/, severity: "block" },
+  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
+  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+  {
+    name: "Private Key (PEM)",
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    severity: "block"
+  },
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+];
+function maskSecret(raw, pattern) {
+  const match = raw.match(pattern);
+  if (!match) return "****";
+  const secret = match[0];
+  if (secret.length < 8) return "****";
+  const prefix = secret.slice(0, 4);
+  const suffix = secret.slice(-4);
+  const stars = "*".repeat(Math.min(secret.length - 8, 12));
+  return `${prefix}${stars}${suffix}`;
+}
+var MAX_DEPTH = 5;
+var MAX_STRING_BYTES = 1e5;
+var MAX_JSON_PARSE_BYTES = 1e4;
+function scanArgs(args, depth = 0, fieldPath = "args") {
+  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
+  if (Array.isArray(args)) {
+    for (let i = 0; i < args.length; i++) {
+      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "object") {
+    for (const [key, value] of Object.entries(args)) {
+      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "string") {
+    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    for (const pattern of DLP_PATTERNS) {
+      if (pattern.regex.test(text)) {
+        return {
+          patternName: pattern.name,
+          fieldPath,
+          redactedSample: maskSecret(text, pattern.regex),
+          severity: pattern.severity
+        };
+      }
+    }
+    if (text.length < MAX_JSON_PARSE_BYTES) {
+      const trimmed = text.trim();
+      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        try {
+          const parsed = JSON.parse(text);
+          const inner = scanArgs(parsed, depth + 1, fieldPath);
+          if (inner) return inner;
+        } catch {
+        }
+      }
+    }
+  }
+  return null;
+}
+
 // src/core.ts
-var PAUSED_FILE = path3.join(os.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path3.join(os.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path3.join(os.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path3.join(os.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = path4.join(os2.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path4.join(os2.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path4.join(os2.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path4.join(os2.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
-    if (!fs.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!fs2.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs2.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        fs.unlinkSync(PAUSED_FILE);
+        fs2.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -457,11 +739,11 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path3.dirname(filePath);
-  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${os.hostname()}.${process.pid}.tmp`;
-  fs.writeFileSync(tmpPath, data, options);
-  fs.renameSync(tmpPath, filePath);
+  const dir = path4.dirname(filePath);
+  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${os2.hostname()}.${process.pid}.tmp`;
+  fs2.writeFileSync(tmpPath, data, options);
+  fs2.renameSync(tmpPath, filePath);
 }
 function pauseNode9(durationMs, durationStr) {
   const state = { expiry: Date.now() + durationMs, duration: durationStr };
@@ -469,18 +751,18 @@ function pauseNode9(durationMs, durationStr) {
 }
 function resumeNode9() {
   try {
-    if (fs.existsSync(PAUSED_FILE)) fs.unlinkSync(PAUSED_FILE);
+    if (fs2.existsSync(PAUSED_FILE)) fs2.unlinkSync(PAUSED_FILE);
   } catch {
   }
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!fs.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs.readFileSync(TRUST_FILE, "utf-8"));
+    if (!fs2.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      fs.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      fs2.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -491,8 +773,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs.readFileSync(TRUST_FILE, "utf-8"));
+      if (fs2.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -508,9 +790,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = path3.dirname(logPath);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+    const dir = path4.dirname(logPath);
+    if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+    fs2.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
@@ -522,7 +804,7 @@ function appendHookDebug(toolName, args, meta) {
     args: safeArgs,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: os.hostname(),
+    hostname: os2.hostname(),
     cwd: process.cwd()
   });
 }
@@ -536,7 +818,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
     checkedBy,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: os.hostname()
+    hostname: os2.hostname()
   });
 }
 function tokenize(toolName) {
@@ -552,9 +834,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path8) {
+function getNestedValue(obj, path9) {
   if (!obj || typeof obj !== "object") return null;
-  return path8.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path9.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -599,6 +881,10 @@ function evaluateSmartConditions(args, rule) {
           return true;
         }
       }
+      case "matchesGlob":
+        return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
+      case "notMatchesGlob":
+        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : true;
       default:
         return false;
     }
@@ -762,25 +1048,27 @@ var DEFAULT_CONFIG = {
       onlyPaths: [],
       ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
     },
-    rules: [
-      // Only use the legacy rules format for simple path-based rm control.
-      // All other command-level enforcement lives in smartRules below.
-      {
-        action: "rm",
-        allowPaths: [
-          "**/node_modules/**",
-          "dist/**",
-          "build/**",
-          ".next/**",
-          "coverage/**",
-          ".cache/**",
-          "tmp/**",
-          "temp/**",
-          ".DS_Store"
-        ]
-      }
-    ],
     smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
+      {
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
+        ],
+        verdict: "block",
+        reason: "Recursive delete of home directory is irreversible"
+      },
       // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
@@ -871,19 +1159,45 @@ var DEFAULT_CONFIG = {
         verdict: "block",
         reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
-    ]
+    ],
+    dlp: { enabled: true, scanIgnoredTools: true }
   },
   environments: {}
 };
+var ADVISORY_SMART_RULES = [
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
+      }
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
+  {
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path"
+  }
+];
 var cachedConfig = null;
 function _resetConfigCache() {
   cachedConfig = null;
 }
 function getGlobalSettings() {
   try {
-    const globalConfigPath = path3.join(os.homedir(), ".node9", "config.json");
-    if (fs.existsSync(globalConfigPath)) {
-      const parsed = JSON.parse(fs.readFileSync(globalConfigPath, "utf-8"));
+    const globalConfigPath = path4.join(os2.homedir(), ".node9", "config.json");
+    if (fs2.existsSync(globalConfigPath)) {
+      const parsed = JSON.parse(fs2.readFileSync(globalConfigPath, "utf-8"));
       const settings = parsed.settings || {};
       return {
         mode: settings.mode || "standard",
@@ -905,9 +1219,9 @@ function getGlobalSettings() {
 }
 function getInternalToken() {
   try {
-    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
-    if (!fs.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
+    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+    if (!fs2.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -922,7 +1236,8 @@ async function evaluatePolicy(toolName, args, agent) {
       (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
-      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
@@ -933,13 +1248,11 @@ async function evaluatePolicy(toolName, args, agent) {
     }
   }
   let allTokens = [];
-  let actionTokens = [];
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
     const analyzed = await analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
-    actionTokens = analyzed.actions;
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
@@ -947,11 +1260,9 @@ async function evaluatePolicy(toolName, args, agent) {
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
-      actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
     allTokens = tokenize(toolName);
-    actionTokens = [toolName];
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -974,29 +1285,6 @@ async function evaluatePolicy(toolName, args, agent) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
     if (allInSandbox) return { decision: "allow" };
   }
-  for (const action of actionTokens) {
-    const rule = config.policy.rules.find(
-      (r) => r.action === action || matchesPattern(action, r.action)
-    );
-    if (rule) {
-      if (pathTokens.length > 0) {
-        const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
-        if (anyBlocked)
-          return {
-            decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
-            tier: 5
-          };
-        const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
-        if (allAllowed) return { decision: "allow" };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
-        tier: 5
-      };
-    }
-  }
   let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
@@ -1048,9 +1336,9 @@ async function evaluatePolicy(toolName, args, agent) {
 }
 async function explainPolicy(toolName, args) {
   const steps = [];
-  const globalPath = path3.join(os.homedir(), ".node9", "config.json");
-  const projectPath = path3.join(process.cwd(), "node9.config.json");
-  const credsPath = path3.join(os.homedir(), ".node9", "credentials.json");
+  const globalPath = path4.join(os2.homedir(), ".node9", "config.json");
+  const projectPath = path4.join(process.cwd(), "node9.config.json");
+  const credsPath = path4.join(os2.homedir(), ".node9", "credentials.json");
   const waterfall = [
     {
       tier: 1,
@@ -1061,19 +1349,19 @@ async function explainPolicy(toolName, args) {
     {
       tier: 2,
       label: "Cloud policy",
-      status: fs.existsSync(credsPath) ? "active" : "missing",
-      note: fs.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
+      status: fs2.existsSync(credsPath) ? "active" : "missing",
+      note: fs2.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
     },
     {
       tier: 3,
       label: "Project config",
-      status: fs.existsSync(projectPath) ? "active" : "missing",
+      status: fs2.existsSync(projectPath) ? "active" : "missing",
       path: projectPath
     },
     {
       tier: 4,
       label: "Global config",
-      status: fs.existsSync(globalPath) ? "active" : "missing",
+      status: fs2.existsSync(globalPath) ? "active" : "missing",
       path: globalPath
     },
     {
@@ -1084,7 +1372,28 @@ async function explainPolicy(toolName, args) {
     }
   ];
   const config = getConfig();
-  if (matchesPattern(toolName, config.policy.ignoredTools)) {
+  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
+  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
+    if (dlpMatch) {
+      steps.push({
+        name: "DLP Content Scanner",
+        outcome: dlpMatch.severity === "block" ? "block" : "review",
+        detail: `\u{1F6A8} ${dlpMatch.patternName} detected in ${dlpMatch.fieldPath} \u2014 sample: ${dlpMatch.redactedSample}`,
+        isFinal: dlpMatch.severity === "block"
+      });
+      if (dlpMatch.severity === "block") {
+        return { tool: toolName, args, waterfall, steps, decision: "block" };
+      }
+    } else {
+      steps.push({
+        name: "DLP Content Scanner",
+        outcome: "checked",
+        detail: "No sensitive credentials detected in args"
+      });
+    }
+  }
+  if (wouldBeIgnored) {
     steps.push({
       name: "Ignored tools",
       outcome: "allow",
@@ -1137,13 +1446,11 @@ async function explainPolicy(toolName, args) {
     steps.push({ name: "Smart rules", outcome: "skip", detail: "No smart rules configured" });
   }
   let allTokens = [];
-  let actionTokens = [];
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
     const analyzed = await analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
-    actionTokens = analyzed.actions;
     pathTokens = analyzed.paths;
     const patterns = Object.keys(config.policy.toolInspection);
     const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
@@ -1177,7 +1484,6 @@ async function explainPolicy(toolName, args) {
     });
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
-      actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       steps.push({
         name: "SQL token stripping",
         outcome: "checked",
@@ -1186,7 +1492,6 @@ async function explainPolicy(toolName, args) {
     }
   } else {
     allTokens = tokenize(toolName);
-    actionTokens = [toolName];
     let detail = `No toolInspection match for "${toolName}" \u2014 tokens: [${allTokens.join(", ")}]`;
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
@@ -1227,65 +1532,6 @@ async function explainPolicy(toolName, args) {
       detail: pathTokens.length === 0 ? "No path tokens found in input" : "No sandbox paths configured"
     });
   }
-  let ruleMatched = false;
-  for (const action of actionTokens) {
-    const rule = config.policy.rules.find(
-      (r) => r.action === action || matchesPattern(action, r.action)
-    );
-    if (rule) {
-      ruleMatched = true;
-      if (pathTokens.length > 0) {
-        const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
-        if (anyBlocked) {
-          steps.push({
-            name: "Policy rules",
-            outcome: "review",
-            detail: `Rule "${rule.action}" matched + path is in blockPaths`,
-            isFinal: true
-          });
-          return {
-            tool: toolName,
-            args,
-            waterfall,
-            steps,
-            decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
-          };
-        }
-        const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
-        if (allAllowed) {
-          steps.push({
-            name: "Policy rules",
-            outcome: "allow",
-            detail: `Rule "${rule.action}" matched + all paths are in allowPaths`,
-            isFinal: true
-          });
-          return { tool: toolName, args, waterfall, steps, decision: "allow" };
-        }
-      }
-      steps.push({
-        name: "Policy rules",
-        outcome: "review",
-        detail: `Rule "${rule.action}" matched \u2014 default block (no path exception)`,
-        isFinal: true
-      });
-      return {
-        tool: toolName,
-        args,
-        waterfall,
-        steps,
-        decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
-      };
-    }
-  }
-  if (!ruleMatched) {
-    steps.push({
-      name: "Policy rules",
-      outcome: "skip",
-      detail: config.policy.rules.length === 0 ? "No rules configured" : `No rule matched [${actionTokens.join(", ")}]`
-    });
-  }
   let matchedDangerousWord;
   const isDangerous = uniqueTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
@@ -1354,9 +1600,9 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
-    if (!fs.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
+    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+    if (!fs2.existsSync(pidFile)) return false;
+    const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
     process.kill(pid, 0);
     return true;
@@ -1366,9 +1612,9 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path3.join(os.homedir(), ".node9", "decisions.json");
-    if (!fs.existsSync(file)) return null;
-    const decisions = JSON.parse(fs.readFileSync(file, "utf-8"));
+    const file = path4.join(os2.homedir(), ".node9", "decisions.json");
+    if (!fs2.existsSync(file)) return null;
+    const decisions = JSON.parse(fs2.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
@@ -1467,6 +1713,22 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = scanArgs(args);
+    if (dlpMatch) {
+      const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
+      if (dlpMatch.severity === "block") {
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        return {
+          approved: false,
+          reason: dlpReason,
+          blockedBy: "local-config",
+          blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
+        };
+      }
+      explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
+    }
+  }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
@@ -1706,7 +1968,14 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     racePromises.push(
       (async () => {
         try {
-          console.log(chalk2.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          if (explainableLabel.includes("DLP")) {
+            console.log(chalk2.bgRed.white.bold(` \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
+            console.log(
+              chalk2.red.bold(`   A sensitive secret was detected in the tool arguments!`)
+            );
+          } else {
+            console.log(chalk2.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          }
           console.log(`${chalk2.bold("Action:")} ${chalk2.red(toolName)}`);
           console.log(`${chalk2.bold("Flagged By:")} ${chalk2.yellow(explainableLabel)}`);
           if (isRemoteLocked) {
@@ -1811,8 +2080,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = path3.join(os.homedir(), ".node9", "config.json");
-  const projectPath = path3.join(process.cwd(), "node9.config.json");
+  const globalPath = path4.join(os2.homedir(), ".node9", "config.json");
+  const projectPath = path4.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1824,13 +2093,13 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules],
     smartRules: [...DEFAULT_CONFIG.policy.smartRules],
     snapshot: {
       tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    }
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -1850,7 +2119,6 @@ function getConfig() {
     if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.rules) mergedPolicy.rules.push(...p.rules);
     if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
     if (p.snapshot) {
       const s2 = p.snapshot;
@@ -1858,6 +2126,11 @@ function getConfig() {
       if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
       if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1872,6 +2145,19 @@ function getConfig() {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+    }
+    for (const word of shield.dangerousWords) mergedPolicy.dangerousWords.push(word);
+  }
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
   if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
@@ -1887,10 +2173,10 @@ function getConfig() {
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
-  if (!fs.existsSync(filePath)) return null;
+  if (!fs2.existsSync(filePath)) return null;
   let raw;
   try {
-    raw = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(
@@ -1952,9 +2238,9 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = path3.join(os.homedir(), ".node9", "credentials.json");
-    if (fs.existsSync(credPath)) {
-      const creds = JSON.parse(fs.readFileSync(credPath, "utf-8"));
+    const credPath = path4.join(os2.homedir(), ".node9", "credentials.json");
+    if (fs2.existsSync(credPath)) {
+      const creds = JSON.parse(fs2.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
       const profile = creds[profileName];
       if (profile?.apiKey) {
@@ -1985,9 +2271,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: os.hostname(),
+        hostname: os2.hostname(),
         cwd: process.cwd(),
-        platform: os.platform()
+        platform: os2.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -2008,9 +2294,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: os.hostname(),
+          hostname: os2.hostname(),
           cwd: process.cwd(),
-          platform: os.platform()
+          platform: os2.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),
@@ -2069,9 +2355,9 @@ async function resolveNode9SaaS(requestId, creds, approved) {
 }
 
 // src/setup.ts
-import fs2 from "fs";
-import path4 from "path";
-import os2 from "os";
+import fs3 from "fs";
+import path5 from "path";
+import os3 from "os";
 import chalk3 from "chalk";
 import { confirm as confirm2 } from "@inquirer/prompts";
 function printDaemonTip() {
@@ -2087,22 +2373,22 @@ function fullPathCommand(subcommand) {
 }
 function readJson(filePath) {
   try {
-    if (fs2.existsSync(filePath)) {
-      return JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+    if (fs3.existsSync(filePath)) {
+      return JSON.parse(fs3.readFileSync(filePath, "utf-8"));
     }
   } catch {
   }
   return null;
 }
 function writeJson(filePath, data) {
-  const dir = path4.dirname(filePath);
-  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
-  fs2.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
+  const dir = path5.dirname(filePath);
+  if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+  fs3.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
 }
 async function setupClaude() {
-  const homeDir2 = os2.homedir();
-  const mcpPath = path4.join(homeDir2, ".claude.json");
-  const hooksPath = path4.join(homeDir2, ".claude", "settings.json");
+  const homeDir2 = os3.homedir();
+  const mcpPath = path5.join(homeDir2, ".claude.json");
+  const hooksPath = path5.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
@@ -2176,8 +2462,8 @@ async function setupClaude() {
   }
 }
 async function setupGemini() {
-  const homeDir2 = os2.homedir();
-  const settingsPath = path4.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = os3.homedir();
+  const settingsPath = path5.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
   let anythingChanged = false;
@@ -2259,36 +2545,11 @@ async function setupGemini() {
   }
 }
 async function setupCursor() {
-  const homeDir2 = os2.homedir();
-  const mcpPath = path4.join(homeDir2, ".cursor", "mcp.json");
-  const hooksPath = path4.join(homeDir2, ".cursor", "hooks.json");
+  const homeDir2 = os3.homedir();
+  const mcpPath = path5.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath) ?? {};
-  const hooksFile = readJson(hooksPath) ?? { version: 1 };
   const servers = mcpConfig.mcpServers ?? {};
   let anythingChanged = false;
-  if (!hooksFile.hooks) hooksFile.hooks = {};
-  const hasPreHook = hooksFile.hooks.preToolUse?.some(
-    (h) => h.command === "node9" && h.args?.includes("check") || h.command?.includes("cli.js")
-  );
-  if (!hasPreHook) {
-    if (!hooksFile.hooks.preToolUse) hooksFile.hooks.preToolUse = [];
-    hooksFile.hooks.preToolUse.push({ command: fullPathCommand("check") });
-    console.log(chalk3.green("  \u2705 preToolUse hook added \u2192 node9 check"));
-    anythingChanged = true;
-  }
-  const hasPostHook = hooksFile.hooks.postToolUse?.some(
-    (h) => h.command === "node9" && h.args?.includes("log") || h.command?.includes("cli.js")
-  );
-  if (!hasPostHook) {
-    if (!hooksFile.hooks.postToolUse) hooksFile.hooks.postToolUse = [];
-    hooksFile.hooks.postToolUse.push({ command: fullPathCommand("log") });
-    console.log(chalk3.green("  \u2705 postToolUse hook added \u2192 node9 log"));
-    anythingChanged = true;
-  }
-  if (anythingChanged) {
-    writeJson(hooksPath, hooksFile);
-    console.log("");
-  }
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
@@ -2317,13 +2578,23 @@ async function setupCursor() {
     }
     console.log("");
   }
+  console.log(
+    chalk3.yellow(
+      "  \u26A0\uFE0F  Note: Cursor does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Cursor."
+    )
+  );
+  console.log("");
   if (!anythingChanged && serversToWrap.length === 0) {
-    console.log(chalk3.blue("\u2139\uFE0F  Node9 is already fully configured for Cursor."));
+    console.log(
+      chalk3.blue(
+        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.cursor/mcp.json and re-run."
+      )
+    );
     printDaemonTip();
     return;
   }
   if (anythingChanged) {
-    console.log(chalk3.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Cursor!"));
+    console.log(chalk3.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Cursor via MCP proxy!"));
     console.log(chalk3.gray("    Restart Cursor for changes to take effect."));
     printDaemonTip();
   }
@@ -3373,34 +3644,34 @@ var UI_HTML_TEMPLATE = ui_default;
 
 // src/daemon/index.ts
 import http from "http";
-import fs3 from "fs";
-import path5 from "path";
-import os3 from "os";
+import fs4 from "fs";
+import path6 from "path";
+import os4 from "os";
 import { spawn as spawn2 } from "child_process";
 import { randomUUID } from "crypto";
 import chalk4 from "chalk";
 var DAEMON_PORT2 = 7391;
 var DAEMON_HOST2 = "127.0.0.1";
-var homeDir = os3.homedir();
-var DAEMON_PID_FILE = path5.join(homeDir, ".node9", "daemon.pid");
-var DECISIONS_FILE = path5.join(homeDir, ".node9", "decisions.json");
-var GLOBAL_CONFIG_FILE = path5.join(homeDir, ".node9", "config.json");
-var CREDENTIALS_FILE = path5.join(homeDir, ".node9", "credentials.json");
-var AUDIT_LOG_FILE = path5.join(homeDir, ".node9", "audit.log");
-var TRUST_FILE2 = path5.join(homeDir, ".node9", "trust.json");
+var homeDir = os4.homedir();
+var DAEMON_PID_FILE = path6.join(homeDir, ".node9", "daemon.pid");
+var DECISIONS_FILE = path6.join(homeDir, ".node9", "decisions.json");
+var GLOBAL_CONFIG_FILE = path6.join(homeDir, ".node9", "config.json");
+var CREDENTIALS_FILE = path6.join(homeDir, ".node9", "credentials.json");
+var AUDIT_LOG_FILE = path6.join(homeDir, ".node9", "audit.log");
+var TRUST_FILE2 = path6.join(homeDir, ".node9", "trust.json");
 function atomicWriteSync2(filePath, data, options) {
-  const dir = path5.dirname(filePath);
-  if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+  const dir = path6.dirname(filePath);
+  if (!fs4.existsSync(dir)) fs4.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${randomUUID()}.tmp`;
-  fs3.writeFileSync(tmpPath, data, options);
-  fs3.renameSync(tmpPath, filePath);
+  fs4.writeFileSync(tmpPath, data, options);
+  fs4.renameSync(tmpPath, filePath);
 }
 function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs3.existsSync(TRUST_FILE2))
-        trust = JSON.parse(fs3.readFileSync(TRUST_FILE2, "utf-8"));
+      if (fs4.existsSync(TRUST_FILE2))
+        trust = JSON.parse(fs4.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -3433,16 +3704,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = path5.dirname(AUDIT_LOG_FILE);
-    if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
-    fs3.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = path6.dirname(AUDIT_LOG_FILE);
+    if (!fs4.existsSync(dir)) fs4.mkdirSync(dir, { recursive: true });
+    fs4.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!fs3.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = fs3.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!fs4.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = fs4.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -3452,7 +3723,7 @@ function getAuditHistory(limit = 20) {
 var AUTO_DENY_MS = 12e4;
 function getOrgName() {
   try {
-    if (fs3.existsSync(CREDENTIALS_FILE)) {
+    if (fs4.existsSync(CREDENTIALS_FILE)) {
       return "Node9 Cloud";
     }
   } catch {
@@ -3461,13 +3732,13 @@ function getOrgName() {
 }
 var autoStarted = process.env.NODE9_AUTO_STARTED === "1";
 function hasStoredSlackKey() {
-  return fs3.existsSync(CREDENTIALS_FILE);
+  return fs4.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (fs3.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(fs3.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (fs4.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(fs4.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -3491,7 +3762,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      fs3.unlinkSync(DAEMON_PID_FILE);
+      fs4.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -3529,8 +3800,8 @@ function readBody(req) {
 }
 function readPersistentDecisions() {
   try {
-    if (fs3.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(fs3.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (fs4.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(fs4.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -3557,7 +3828,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          fs3.unlinkSync(DAEMON_PID_FILE);
+          fs4.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -3875,14 +4146,14 @@ data: ${JSON.stringify(readPersistentDecisions())}
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (fs3.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(fs3.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (fs4.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(fs4.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          fs3.unlinkSync(DAEMON_PID_FILE);
+          fs4.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT2, DAEMON_HOST2);
@@ -3902,25 +4173,25 @@ data: ${JSON.stringify(readPersistentDecisions())}
   });
 }
 function stopDaemon() {
-  if (!fs3.existsSync(DAEMON_PID_FILE)) return console.log(chalk4.yellow("Not running."));
+  if (!fs4.existsSync(DAEMON_PID_FILE)) return console.log(chalk4.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(fs3.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(fs4.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(chalk4.green("\u2705 Stopped."));
   } catch {
     console.log(chalk4.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      fs3.unlinkSync(DAEMON_PID_FILE);
+      fs4.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (!fs3.existsSync(DAEMON_PID_FILE))
+  if (!fs4.existsSync(DAEMON_PID_FILE))
     return console.log(chalk4.yellow("Node9 daemon: not running"));
   try {
-    const { pid } = JSON.parse(fs3.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(fs4.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, 0);
     console.log(chalk4.green("Node9 daemon: running"));
   } catch {
@@ -3934,30 +4205,30 @@ import { parseCommandString } from "execa";
 import { execa } from "execa";
 import chalk5 from "chalk";
 import readline from "readline";
-import fs5 from "fs";
-import path7 from "path";
-import os5 from "os";
+import fs6 from "fs";
+import path8 from "path";
+import os6 from "os";
 
 // src/undo.ts
 import { spawnSync } from "child_process";
-import fs4 from "fs";
-import path6 from "path";
-import os4 from "os";
-var SNAPSHOT_STACK_PATH = path6.join(os4.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = path6.join(os4.homedir(), ".node9", "undo_latest.txt");
+import fs5 from "fs";
+import path7 from "path";
+import os5 from "os";
+var SNAPSHOT_STACK_PATH = path7.join(os5.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = path7.join(os5.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 function readStack() {
   try {
-    if (fs4.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(fs4.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (fs5.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(fs5.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = path6.dirname(SNAPSHOT_STACK_PATH);
-  if (!fs4.existsSync(dir)) fs4.mkdirSync(dir, { recursive: true });
-  fs4.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = path7.dirname(SNAPSHOT_STACK_PATH);
+  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
+  fs5.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -3973,13 +4244,13 @@ function buildArgsSummary(tool, args) {
 async function createShadowSnapshot(tool = "unknown", args = {}) {
   try {
     const cwd = process.cwd();
-    if (!fs4.existsSync(path6.join(cwd, ".git"))) return null;
-    const tempIndex = path6.join(cwd, ".git", `node9_index_${Date.now()}`);
+    if (!fs5.existsSync(path7.join(cwd, ".git"))) return null;
+    const tempIndex = path7.join(cwd, ".git", `node9_index_${Date.now()}`);
     const env = { ...process.env, GIT_INDEX_FILE: tempIndex };
     spawnSync("git", ["add", "-A"], { env });
     const treeRes = spawnSync("git", ["write-tree"], { env });
     const treeHash = treeRes.stdout.toString().trim();
-    if (fs4.existsSync(tempIndex)) fs4.unlinkSync(tempIndex);
+    if (fs5.existsSync(tempIndex)) fs5.unlinkSync(tempIndex);
     if (!treeHash || treeRes.status !== 0) return null;
     const commitRes = spawnSync("git", [
       "commit-tree",
@@ -4000,7 +4271,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}) {
     stack.push(entry);
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    fs4.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    fs5.writeFileSync(UNDO_LATEST_PATH, commitHash);
     return commitHash;
   } catch (err) {
     if (process.env.NODE9_DEBUG === "1") console.error("[Node9 Undo Engine Error]:", err);
@@ -4038,9 +4309,9 @@ function applyUndo(hash, cwd) {
     const tracked = spawnSync("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     const untracked = spawnSync("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = path6.join(dir, file);
-      if (!snapshotFiles.has(file) && fs4.existsSync(fullPath)) {
-        fs4.unlinkSync(fullPath);
+      const fullPath = path7.join(dir, file);
+      if (!snapshotFiles.has(file) && fs5.existsSync(fullPath)) {
+        fs5.unlinkSync(fullPath);
       }
     }
     return true;
@@ -4052,7 +4323,7 @@ function applyUndo(hash, cwd) {
 // src/cli.ts
 import { confirm as confirm3 } from "@inquirer/prompts";
 var { version } = JSON.parse(
-  fs5.readFileSync(path7.join(__dirname, "../package.json"), "utf-8")
+  fs6.readFileSync(path8.join(__dirname, "../package.json"), "utf-8")
 );
 function parseDuration(str) {
   const m = str.trim().match(/^(\d+(?:\.\d+)?)\s*(s|m|h|d)?$/i);
@@ -4084,6 +4355,15 @@ INSTRUCTIONS:
 - If you believe this action is critical, explain your reasoning and ask them to run "node9 pause 15m" to proceed.`;
   }
   const label = blockedByLabel.toLowerCase();
+  if (label.includes("dlp") || label.includes("secret detected") || label.includes("credential review")) {
+    return `NODE9 SECURITY ALERT: A sensitive credential (API key, token, or private key) was found in your tool call arguments.
+CRITICAL INSTRUCTION: Do NOT retry this action.
+REQUIRED ACTIONS:
+1. Remove the hardcoded credential from your command or code.
+2. Use an environment variable or a dedicated secrets manager instead.
+3. Treat the leaked credential as compromised and rotate it immediately.
+Do NOT attempt to bypass this check or pass the credential through another tool.`;
+  }
   if (label.includes("sql safety") && label.includes("delete without where")) {
     return `NODE9: Blocked \u2014 DELETE without WHERE clause would wipe the entire table.
 INSTRUCTION: Add a WHERE clause to scope the deletion (e.g. WHERE id = <value>).
@@ -4245,14 +4525,14 @@ async function runProxy(targetCommand) {
 }
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = path7.join(os5.homedir(), ".node9", "credentials.json");
-  if (!fs5.existsSync(path7.dirname(credPath)))
-    fs5.mkdirSync(path7.dirname(credPath), { recursive: true });
+  const credPath = path8.join(os6.homedir(), ".node9", "credentials.json");
+  if (!fs6.existsSync(path8.dirname(credPath)))
+    fs6.mkdirSync(path8.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (fs5.existsSync(credPath)) {
-      const raw = JSON.parse(fs5.readFileSync(credPath, "utf-8"));
+    if (fs6.existsSync(credPath)) {
+      const raw = JSON.parse(fs6.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -4264,13 +4544,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  fs5.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  fs6.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = path7.join(os5.homedir(), ".node9", "config.json");
+    const configPath = path8.join(os6.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (fs5.existsSync(configPath))
-        config = JSON.parse(fs5.readFileSync(configPath, "utf-8"));
+      if (fs6.existsSync(configPath))
+        config = JSON.parse(fs6.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -4285,9 +4565,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!fs5.existsSync(path7.dirname(configPath)))
-      fs5.mkdirSync(path7.dirname(configPath), { recursive: true });
-    fs5.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!fs6.existsSync(path8.dirname(configPath)))
+      fs6.mkdirSync(path8.dirname(configPath), { recursive: true });
+    fs6.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(chalk5.green(`\u2705 Profile "${profileName}" saved`));
@@ -4326,7 +4606,7 @@ program.command("setup").description('Alias for "addto" \u2014 integrate Node9 w
   process.exit(1);
 });
 program.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-  const homeDir2 = os5.homedir();
+  const homeDir2 = os6.homedir();
   let failures = 0;
   function pass(msg) {
     console.log(chalk5.green("  \u2705 ") + msg);
@@ -4372,10 +4652,10 @@ program.command("doctor").description("Check that Node9 is installed and configu
     );
   }
   section("Configuration");
-  const globalConfigPath = path7.join(homeDir2, ".node9", "config.json");
-  if (fs5.existsSync(globalConfigPath)) {
+  const globalConfigPath = path8.join(homeDir2, ".node9", "config.json");
+  if (fs6.existsSync(globalConfigPath)) {
     try {
-      JSON.parse(fs5.readFileSync(globalConfigPath, "utf-8"));
+      JSON.parse(fs6.readFileSync(globalConfigPath, "utf-8"));
       pass("~/.node9/config.json found and valid");
     } catch {
       fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -4383,17 +4663,17 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
   }
-  const projectConfigPath = path7.join(process.cwd(), "node9.config.json");
-  if (fs5.existsSync(projectConfigPath)) {
+  const projectConfigPath = path8.join(process.cwd(), "node9.config.json");
+  if (fs6.existsSync(projectConfigPath)) {
     try {
-      JSON.parse(fs5.readFileSync(projectConfigPath, "utf-8"));
+      JSON.parse(fs6.readFileSync(projectConfigPath, "utf-8"));
       pass("node9.config.json found and valid (project)");
     } catch {
       fail("node9.config.json is invalid JSON", "Fix the JSON or delete it and run: node9 init");
     }
   }
-  const credsPath = path7.join(homeDir2, ".node9", "credentials.json");
-  if (fs5.existsSync(credsPath)) {
+  const credsPath = path8.join(homeDir2, ".node9", "credentials.json");
+  if (fs6.existsSync(credsPath)) {
     pass("Cloud credentials found (~/.node9/credentials.json)");
   } else {
     warn(
@@ -4402,10 +4682,10 @@ program.command("doctor").description("Check that Node9 is installed and configu
     );
   }
   section("Agent Hooks");
-  const claudeSettingsPath = path7.join(homeDir2, ".claude", "settings.json");
-  if (fs5.existsSync(claudeSettingsPath)) {
+  const claudeSettingsPath = path8.join(homeDir2, ".claude", "settings.json");
+  if (fs6.existsSync(claudeSettingsPath)) {
     try {
-      const cs = JSON.parse(fs5.readFileSync(claudeSettingsPath, "utf-8"));
+      const cs = JSON.parse(fs6.readFileSync(claudeSettingsPath, "utf-8"));
       const hasHook = cs.hooks?.PreToolUse?.some(
         (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
       );
@@ -4418,10 +4698,10 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
   }
-  const geminiSettingsPath = path7.join(homeDir2, ".gemini", "settings.json");
-  if (fs5.existsSync(geminiSettingsPath)) {
+  const geminiSettingsPath = path8.join(homeDir2, ".gemini", "settings.json");
+  if (fs6.existsSync(geminiSettingsPath)) {
     try {
-      const gs = JSON.parse(fs5.readFileSync(geminiSettingsPath, "utf-8"));
+      const gs = JSON.parse(fs6.readFileSync(geminiSettingsPath, "utf-8"));
       const hasHook = gs.hooks?.BeforeTool?.some(
         (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
       );
@@ -4434,10 +4714,10 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
   }
-  const cursorHooksPath = path7.join(homeDir2, ".cursor", "hooks.json");
-  if (fs5.existsSync(cursorHooksPath)) {
+  const cursorHooksPath = path8.join(homeDir2, ".cursor", "hooks.json");
+  if (fs6.existsSync(cursorHooksPath)) {
     try {
-      const cur = JSON.parse(fs5.readFileSync(cursorHooksPath, "utf-8"));
+      const cur = JSON.parse(fs6.readFileSync(cursorHooksPath, "utf-8"));
       const hasHook = cur.hooks?.preToolUse?.some(
         (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
       );
@@ -4539,8 +4819,8 @@ program.command("explain").description(
   console.log("");
 });
 program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = path7.join(os5.homedir(), ".node9", "config.json");
-  if (fs5.existsSync(configPath) && !options.force) {
+  const configPath = path8.join(os6.homedir(), ".node9", "config.json");
+  if (fs6.existsSync(configPath) && !options.force) {
     console.log(chalk5.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(chalk5.gray(`   Run with --force to overwrite.`));
     return;
@@ -4554,9 +4834,9 @@ program.command("init").description("Create ~/.node9/config.json with default po
       mode: safeMode
     }
   };
-  const dir = path7.dirname(configPath);
-  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
-  fs5.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+  const dir = path8.dirname(configPath);
+  if (!fs6.existsSync(dir)) fs6.mkdirSync(dir, { recursive: true });
+  fs6.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(chalk5.green(`\u2705 Global config created: ${configPath}`));
   console.log(chalk5.cyan(`   Mode set to: ${safeMode}`));
   console.log(
@@ -4574,14 +4854,14 @@ function formatRelativeTime(timestamp) {
   return new Date(timestamp).toLocaleDateString();
 }
 program.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-  const logPath = path7.join(os5.homedir(), ".node9", "audit.log");
-  if (!fs5.existsSync(logPath)) {
+  const logPath = path8.join(os6.homedir(), ".node9", "audit.log");
+  if (!fs6.existsSync(logPath)) {
     console.log(
       chalk5.yellow("No audit logs found. Run node9 with an agent to generate entries.")
     );
     return;
   }
-  const raw = fs5.readFileSync(logPath, "utf-8");
+  const raw = fs6.readFileSync(logPath, "utf-8");
   const lines = raw.split("\n").filter((l) => l.trim() !== "");
   let entries = lines.flatMap((line) => {
     try {
@@ -4664,13 +4944,13 @@ program.command("status").description("Show current Node9 mode, policy source, a
   console.log("");
   const modeLabel = settings.mode === "audit" ? chalk5.blue("audit") : settings.mode === "strict" ? chalk5.red("strict") : chalk5.white("standard");
   console.log(`  Mode:    ${modeLabel}`);
-  const projectConfig = path7.join(process.cwd(), "node9.config.json");
-  const globalConfig = path7.join(os5.homedir(), ".node9", "config.json");
+  const projectConfig = path8.join(process.cwd(), "node9.config.json");
+  const globalConfig = path8.join(os6.homedir(), ".node9", "config.json");
   console.log(
-    `  Local:   ${fs5.existsSync(projectConfig) ? chalk5.green("Active (node9.config.json)") : chalk5.gray("Not present")}`
+    `  Local:   ${fs6.existsSync(projectConfig) ? chalk5.green("Active (node9.config.json)") : chalk5.gray("Not present")}`
   );
   console.log(
-    `  Global:  ${fs5.existsSync(globalConfig) ? chalk5.green("Active (~/.node9/config.json)") : chalk5.gray("Not present")}`
+    `  Global:  ${fs6.existsSync(globalConfig) ? chalk5.green("Active (~/.node9/config.json)") : chalk5.gray("Not present")}`
   );
   if (mergedConfig.policy.sandboxPaths.length > 0) {
     console.log(
@@ -4733,9 +5013,9 @@ program.command("check").description("Hook handler \u2014 evaluates a tool call
       } catch (err) {
         const tempConfig = getConfig();
         if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-          const logPath = path7.join(os5.homedir(), ".node9", "hook-debug.log");
+          const logPath = path8.join(os6.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          fs5.appendFileSync(
+          fs6.appendFileSync(
             logPath,
             `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -4753,10 +5033,10 @@ RAW: ${raw}
       }
       const config = getConfig();
       if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-        const logPath = path7.join(os5.homedir(), ".node9", "hook-debug.log");
-        if (!fs5.existsSync(path7.dirname(logPath)))
-          fs5.mkdirSync(path7.dirname(logPath), { recursive: true });
-        fs5.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+        const logPath = path8.join(os6.homedir(), ".node9", "hook-debug.log");
+        if (!fs6.existsSync(path8.dirname(logPath)))
+          fs6.mkdirSync(path8.dirname(logPath), { recursive: true });
+        fs6.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
       }
       const toolName = sanitize(payload.tool_name ?? payload.name ?? "");
@@ -4767,8 +5047,14 @@ RAW: ${raw}
       const sendBlock = (msg, result2) => {
         const blockedByContext = result2?.blockedByLabel || result2?.blockedBy || "Local Security Policy";
         const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
-        console.error(chalk5.red(`
+        if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
+          console.error(chalk5.bgRed.white.bold(`
+ \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
+          console.error(chalk5.red.bold(`   A sensitive secret was found in the tool arguments!`));
+        } else {
+          console.error(chalk5.red(`
 \u{1F6D1} Node9 blocked "${toolName}"`));
+        }
         console.error(chalk5.gray(`   Triggered by: ${blockedByContext}`));
         if (result2?.changeHint) console.error(chalk5.cyan(`   To change:  ${result2.changeHint}`));
         console.error("");
@@ -4827,9 +5113,9 @@ RAW: ${raw}
       });
     } catch (err) {
       if (process.env.NODE9_DEBUG === "1") {
-        const logPath = path7.join(os5.homedir(), ".node9", "hook-debug.log");
+        const logPath = path8.join(os6.homedir(), ".node9", "hook-debug.log");
         const errMsg = err instanceof Error ? err.message : String(err);
-        fs5.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+        fs6.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
       }
       process.exit(0);
@@ -4874,10 +5160,10 @@ program.command("log").description("PostToolUse hook \u2014 records executed too
         decision: "allowed",
         source: "post-hook"
       };
-      const logPath = path7.join(os5.homedir(), ".node9", "audit.log");
-      if (!fs5.existsSync(path7.dirname(logPath)))
-        fs5.mkdirSync(path7.dirname(logPath), { recursive: true });
-      fs5.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+      const logPath = path8.join(os6.homedir(), ".node9", "audit.log");
+      if (!fs6.existsSync(path8.dirname(logPath)))
+        fs6.mkdirSync(path8.dirname(logPath), { recursive: true });
+      fs6.appendFileSync(logPath, JSON.stringify(entry) + "\n");
       const config = getConfig();
       if (shouldSnapshot(tool, {}, config)) {
         await createShadowSnapshot();
@@ -5059,13 +5345,103 @@ program.command("undo").description(
     console.log(chalk5.gray("\nCancelled.\n"));
   }
 });
+var shieldCmd = program.command("shield").description("Manage pre-packaged security shield templates");
+shieldCmd.command("enable <service>").description("Enable a security shield for a specific service").action((service) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(chalk5.red(`
+\u274C Unknown shield: "${service}"
+`));
+    console.log(`Run ${chalk5.cyan("node9 shield list")} to see available shields.
+`);
+    process.exit(1);
+  }
+  const shield = getShield(name);
+  const active = readActiveShields();
+  if (active.includes(name)) {
+    console.log(chalk5.yellow(`
+\u2139\uFE0F  Shield "${name}" is already active.
+`));
+    return;
+  }
+  writeActiveShields([...active, name]);
+  console.log(chalk5.green(`
+\u{1F6E1}\uFE0F  Shield "${name}" enabled.`));
+  console.log(chalk5.gray(`   ${shield.smartRules.length} smart rules now active.`));
+  if (shield.dangerousWords.length > 0)
+    console.log(chalk5.gray(`   ${shield.dangerousWords.length} dangerous words now active.`));
+  if (name === "filesystem") {
+    console.log(
+      chalk5.yellow(
+        `
+   \u26A0\uFE0F  Note: filesystem rules cover common rm -rf patterns but not all variants.
+      Tools like unlink, find -delete, or language-level file ops are not intercepted.`
+      )
+    );
+  }
+  console.log("");
+});
+shieldCmd.command("disable <service>").description("Disable a security shield").action((service) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(chalk5.red(`
+\u274C Unknown shield: "${service}"
+`));
+    console.log(`Run ${chalk5.cyan("node9 shield list")} to see available shields.
+`);
+    process.exit(1);
+  }
+  const active = readActiveShields();
+  if (!active.includes(name)) {
+    console.log(chalk5.yellow(`
+\u2139\uFE0F  Shield "${name}" is not active.
+`));
+    return;
+  }
+  writeActiveShields(active.filter((s) => s !== name));
+  console.log(chalk5.green(`
+\u{1F6E1}\uFE0F  Shield "${name}" disabled.
+`));
+});
+shieldCmd.command("list").description("Show all available shields").action(() => {
+  const active = new Set(readActiveShields());
+  console.log(chalk5.bold("\n\u{1F6E1}\uFE0F  Available Shields\n"));
+  for (const shield of listShields()) {
+    const status = active.has(shield.name) ? chalk5.green("\u25CF enabled") : chalk5.gray("\u25CB disabled");
+    console.log(`  ${status}  ${chalk5.cyan(shield.name.padEnd(12))} ${shield.description}`);
+    if (shield.aliases.length > 0)
+      console.log(chalk5.gray(`              aliases: ${shield.aliases.join(", ")}`));
+  }
+  console.log("");
+});
+shieldCmd.command("status").description("Show which shields are currently active").action(() => {
+  const active = readActiveShields();
+  if (active.length === 0) {
+    console.log(chalk5.yellow("\n\u2139\uFE0F  No shields are active.\n"));
+    console.log(`Run ${chalk5.cyan("node9 shield list")} to see available shields.
+`);
+    return;
+  }
+  console.log(chalk5.bold("\n\u{1F6E1}\uFE0F  Active Shields\n"));
+  for (const name of active) {
+    const shield = getShield(name);
+    if (!shield) continue;
+    console.log(`  ${chalk5.green("\u25CF")} ${chalk5.cyan(name)}`);
+    console.log(
+      chalk5.gray(
+        `    ${shield.smartRules.length} smart rules \xB7 ${shield.dangerousWords.length} dangerous words`
+      )
+    );
+  }
+  console.log("");
+});
 process.on("unhandledRejection", (reason) => {
   const isCheckHook = process.argv[2] === "check";
   if (isCheckHook) {
     if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-      const logPath = path7.join(os5.homedir(), ".node9", "hook-debug.log");
+      const logPath = path8.join(os6.homedir(), ".node9", "hook-debug.log");
       const msg = reason instanceof Error ? reason.message : String(reason);
-      fs5.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+      fs6.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
     }
     process.exit(0);