@node9/proxy 1.0.13 → 1.0.15

package/dist/index.js

@@ -37,9 +37,11 @@ module.exports = __toCommonJS(src_exports);
 // src/core.ts
 var import_chalk2 = __toESM(require("chalk"));
 var import_prompts = require("@inquirer/prompts");
-var import_fs = __toESM(require("fs"));
-var import_path3 = __toESM(require("path"));
-var import_os = __toESM(require("os"));
+var import_fs2 = __toESM(require("fs"));
+var import_path4 = __toESM(require("path"));
+var import_os2 = __toESM(require("os"));
+var import_net = __toESM(require("net"));
+var import_crypto = require("crypto");
 var import_picomatch = __toESM(require("picomatch"));
 var import_sh_syntax = require("sh-syntax");
 
@@ -369,25 +371,26 @@ var import_zod = require("zod");
 var noNewlines = import_zod.z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
   message: "Value must not contain literal newline characters (use \\n instead)"
 });
-var validRegex = noNewlines.refine(
-  (s) => {
-    try {
-      new RegExp(s);
-      return true;
-    } catch {
-      return false;
-    }
-  },
-  { message: "Value must be a valid regular expression" }
-);
 var SmartConditionSchema = import_zod.z.object({
   field: import_zod.z.string().min(1, "Condition field must not be empty"),
-  op: import_zod.z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
-    errorMap: () => ({
-      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
-    })
-  }),
-  value: validRegex.optional(),
+  op: import_zod.z.enum(
+    [
+      "matches",
+      "notMatches",
+      "contains",
+      "notContains",
+      "exists",
+      "notExists",
+      "matchesGlob",
+      "notMatchesGlob"
+    ],
+    {
+      errorMap: () => ({
+        message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists, matchesGlob, notMatchesGlob"
+      })
+    }
+  ),
+  value: import_zod.z.string().optional(),
   flags: import_zod.z.string().optional()
 });
 var SmartRuleSchema = import_zod.z.object({
@@ -400,11 +403,6 @@ var SmartRuleSchema = import_zod.z.object({
   }),
   reason: import_zod.z.string().optional()
 });
-var PolicyRuleSchema = import_zod.z.object({
-  action: import_zod.z.string().min(1),
-  allowPaths: import_zod.z.array(import_zod.z.string()).optional(),
-  blockPaths: import_zod.z.array(import_zod.z.string()).optional()
-});
 var ConfigFileSchema = import_zod.z.object({
   version: import_zod.z.string().optional(),
   settings: import_zod.z.object({
@@ -429,12 +427,15 @@ var ConfigFileSchema = import_zod.z.object({
     dangerousWords: import_zod.z.array(noNewlines).optional(),
     ignoredTools: import_zod.z.array(import_zod.z.string()).optional(),
     toolInspection: import_zod.z.record(import_zod.z.string()).optional(),
-    rules: import_zod.z.array(PolicyRuleSchema).optional(),
     smartRules: import_zod.z.array(SmartRuleSchema).optional(),
     snapshot: import_zod.z.object({
       tools: import_zod.z.array(import_zod.z.string()).optional(),
       onlyPaths: import_zod.z.array(import_zod.z.string()).optional(),
       ignorePaths: import_zod.z.array(import_zod.z.string()).optional()
+    }).optional(),
+    dlp: import_zod.z.object({
+      enabled: import_zod.z.boolean().optional(),
+      scanIgnoredTools: import_zod.z.boolean().optional()
     }).optional()
   }).optional(),
   environments: import_zod.z.record(import_zod.z.object({ requireApproval: import_zod.z.boolean().optional() })).optional()
@@ -456,8 +457,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path4 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path4}: ${issue.message}`;
+    const path5 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path5}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -466,18 +467,291 @@ ${lines.join("\n")}`
   };
 }
 
+// src/shields.ts
+var import_fs = __toESM(require("fs"));
+var import_path3 = __toESM(require("path"));
+var import_os = __toESM(require("os"));
+var SHIELDS = {
+  postgres: {
+    name: "postgres",
+    description: "Protects PostgreSQL databases from destructive AI operations",
+    aliases: ["pg", "postgresql"],
+    smartRules: [
+      {
+        name: "shield:postgres:block-drop-table",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-truncate",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-drop-column",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:review-grant-revoke",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
+        verdict: "review",
+        reason: "Permission changes require human approval (Postgres shield)"
+      }
+    ],
+    dangerousWords: ["dropdb", "pg_dropcluster"]
+  },
+  github: {
+    name: "github",
+    description: "Protects GitHub repositories from destructive AI operations",
+    aliases: ["git"],
+    smartRules: [
+      {
+        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
+        // This rule adds coverage for `git push --delete` which the built-in does not match.
+        name: "shield:github:review-delete-branch-remote",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+push\\s+.*--delete",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "Remote branch deletion requires human approval (GitHub shield)"
+      },
+      {
+        name: "shield:github:block-delete-repo",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
+      }
+    ],
+    dangerousWords: []
+  },
+  aws: {
+    name: "aws",
+    description: "Protects AWS infrastructure from destructive AI operations",
+    aliases: ["amazon"],
+    smartRules: [
+      {
+        name: "shield:aws:block-delete-s3-bucket",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-iam-changes",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "IAM changes require human approval (AWS shield)"
+      },
+      {
+        name: "shield:aws:block-ec2-terminate",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+ec2\\s+terminate-instances",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-rds-delete",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "RDS deletion requires human approval (AWS shield)"
+      }
+    ],
+    dangerousWords: []
+  },
+  filesystem: {
+    name: "filesystem",
+    description: "Protects the local filesystem from dangerous AI operations",
+    aliases: ["fs"],
+    smartRules: [
+      {
+        name: "shield:filesystem:review-chmod-777",
+        tool: "bash",
+        conditions: [
+          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "chmod 777 requires human approval (filesystem shield)"
+      },
+      {
+        name: "shield:filesystem:review-write-etc",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            // Narrow to write-indicative operations to avoid approval fatigue on reads.
+            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
+            op: "matches",
+            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+          }
+        ],
+        verdict: "review",
+        reason: "Writing to /etc requires human approval (filesystem shield)"
+      }
+    ],
+    // dd removed: too common as a legitimate tool (disk imaging, file ops).
+    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
+    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
+    dangerousWords: ["wipefs"]
+  }
+};
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
+  }
+  return null;
+}
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
+}
+var SHIELDS_STATE_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "shields.json");
+function readActiveShields() {
+  try {
+    const raw = import_fs.default.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return [];
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed.active)) {
+      return parsed.active.filter(
+        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+      );
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
+    }
+  }
+  return [];
+}
+
+// src/dlp.ts
+var DLP_PATTERNS = [
+  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
+  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
+  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]+\b/, severity: "block" },
+  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
+  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+  {
+    name: "Private Key (PEM)",
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    severity: "block"
+  },
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+];
+function maskSecret(raw, pattern) {
+  const match = raw.match(pattern);
+  if (!match) return "****";
+  const secret = match[0];
+  if (secret.length < 8) return "****";
+  const prefix = secret.slice(0, 4);
+  const suffix = secret.slice(-4);
+  const stars = "*".repeat(Math.min(secret.length - 8, 12));
+  return `${prefix}${stars}${suffix}`;
+}
+var MAX_DEPTH = 5;
+var MAX_STRING_BYTES = 1e5;
+var MAX_JSON_PARSE_BYTES = 1e4;
+function scanArgs(args, depth = 0, fieldPath = "args") {
+  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
+  if (Array.isArray(args)) {
+    for (let i = 0; i < args.length; i++) {
+      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "object") {
+    for (const [key, value] of Object.entries(args)) {
+      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "string") {
+    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    for (const pattern of DLP_PATTERNS) {
+      if (pattern.regex.test(text)) {
+        return {
+          patternName: pattern.name,
+          fieldPath,
+          redactedSample: maskSecret(text, pattern.regex),
+          severity: pattern.severity
+        };
+      }
+    }
+    if (text.length < MAX_JSON_PARSE_BYTES) {
+      const trimmed = text.trim();
+      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        try {
+          const parsed = JSON.parse(text);
+          const inner = scanArgs(parsed, depth + 1, fieldPath);
+          if (inner) return inner;
+        } catch {
+        }
+      }
+    }
+  }
+  return null;
+}
+
 // src/core.ts
-var PAUSED_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = import_path3.default.join(import_os.default.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = import_path3.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = import_path4.default.join(import_os2.default.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = import_path4.default.join(import_os2.default.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = import_path4.default.join(import_os2.default.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = import_path4.default.join(import_os2.default.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
-    if (!import_fs.default.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(import_fs.default.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!import_fs2.default.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(import_fs2.default.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        import_fs.default.unlinkSync(PAUSED_FILE);
+        import_fs2.default.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -488,20 +762,20 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = import_path3.default.dirname(filePath);
-  if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${import_os.default.hostname()}.${process.pid}.tmp`;
-  import_fs.default.writeFileSync(tmpPath, data, options);
-  import_fs.default.renameSync(tmpPath, filePath);
+  const dir = import_path4.default.dirname(filePath);
+  if (!import_fs2.default.existsSync(dir)) import_fs2.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${import_os2.default.hostname()}.${process.pid}.tmp`;
+  import_fs2.default.writeFileSync(tmpPath, data, options);
+  import_fs2.default.renameSync(tmpPath, filePath);
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!import_fs.default.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(import_fs.default.readFileSync(TRUST_FILE, "utf-8"));
+    if (!import_fs2.default.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(import_fs2.default.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      import_fs.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      import_fs2.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -512,8 +786,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs.default.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(import_fs.default.readFileSync(TRUST_FILE, "utf-8"));
+      if (import_fs2.default.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(import_fs2.default.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -529,9 +803,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = import_path3.default.dirname(logPath);
-    if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
-    import_fs.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+    const dir = import_path4.default.dirname(logPath);
+    if (!import_fs2.default.existsSync(dir)) import_fs2.default.mkdirSync(dir, { recursive: true });
+    import_fs2.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
@@ -543,7 +817,7 @@ function appendHookDebug(toolName, args, meta) {
     args: safeArgs,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: import_os.default.hostname(),
+    hostname: import_os2.default.hostname(),
     cwd: process.cwd()
   });
 }
@@ -557,7 +831,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
     checkedBy,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: import_os.default.hostname()
+    hostname: import_os2.default.hostname()
   });
 }
 function tokenize(toolName) {
@@ -573,9 +847,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path4) {
+function getNestedValue(obj, path5) {
   if (!obj || typeof obj !== "object") return null;
-  return path4.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path5.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -608,6 +882,10 @@ function evaluateSmartConditions(args, rule) {
           return true;
         }
       }
+      case "matchesGlob":
+        return val !== null && cond.value ? import_picomatch.default.isMatch(val, cond.value) : false;
+      case "notMatchesGlob":
+        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : true;
       default:
         return false;
     }
@@ -771,25 +1049,27 @@ var DEFAULT_CONFIG = {
       onlyPaths: [],
       ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
     },
-    rules: [
-      // Only use the legacy rules format for simple path-based rm control.
-      // All other command-level enforcement lives in smartRules below.
-      {
-        action: "rm",
-        allowPaths: [
-          "**/node_modules/**",
-          "dist/**",
-          "build/**",
-          ".next/**",
-          "coverage/**",
-          ".cache/**",
-          "tmp/**",
-          "temp/**",
-          ".DS_Store"
-        ]
-      }
-    ],
     smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
+      {
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
+        ],
+        verdict: "block",
+        reason: "Recursive delete of home directory is irreversible"
+      },
       // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
@@ -880,16 +1160,42 @@ var DEFAULT_CONFIG = {
         verdict: "block",
         reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
-    ]
+    ],
+    dlp: { enabled: true, scanIgnoredTools: true }
   },
   environments: {}
 };
+var ADVISORY_SMART_RULES = [
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
+      }
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
+  {
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path"
+  }
+];
 var cachedConfig = null;
 function getInternalToken() {
   try {
-    const pidFile = import_path3.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs.default.existsSync(pidFile)) return null;
-    const data = JSON.parse(import_fs.default.readFileSync(pidFile, "utf-8"));
+    const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
+    if (!import_fs2.default.existsSync(pidFile)) return null;
+    const data = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -904,7 +1210,8 @@ async function evaluatePolicy(toolName, args, agent) {
       (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
-      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
@@ -915,13 +1222,11 @@ async function evaluatePolicy(toolName, args, agent) {
     }
   }
   let allTokens = [];
-  let actionTokens = [];
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
     const analyzed = await analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
-    actionTokens = analyzed.actions;
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
@@ -929,11 +1234,9 @@ async function evaluatePolicy(toolName, args, agent) {
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
-      actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
     allTokens = tokenize(toolName);
-    actionTokens = [toolName];
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -956,29 +1259,6 @@ async function evaluatePolicy(toolName, args, agent) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
     if (allInSandbox) return { decision: "allow" };
   }
-  for (const action of actionTokens) {
-    const rule = config.policy.rules.find(
-      (r) => r.action === action || matchesPattern(action, r.action)
-    );
-    if (rule) {
-      if (pathTokens.length > 0) {
-        const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
-        if (anyBlocked)
-          return {
-            decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
-            tier: 5
-          };
-        const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
-        if (allAllowed) return { decision: "allow" };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
-        tier: 5
-      };
-    }
-  }
   let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
@@ -1036,9 +1316,9 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = import_path3.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs.default.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(import_fs.default.readFileSync(pidFile, "utf-8"));
+    const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
+    if (!import_fs2.default.existsSync(pidFile)) return false;
+    const { pid, port } = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
     process.kill(pid, 0);
     return true;
@@ -1048,16 +1328,16 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = import_path3.default.join(import_os.default.homedir(), ".node9", "decisions.json");
-    if (!import_fs.default.existsSync(file)) return null;
-    const decisions = JSON.parse(import_fs.default.readFileSync(file, "utf-8"));
+    const file = import_path4.default.join(import_os2.default.homedir(), ".node9", "decisions.json");
+    if (!import_fs2.default.existsSync(file)) return null;
+    const decisions = JSON.parse(import_fs2.default.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
   }
   return null;
 }
-async function askDaemon(toolName, args, meta, signal, riskMetadata) {
+async function askDaemon(toolName, args, meta, signal, riskMetadata, activityId) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const checkCtrl = new AbortController();
   const checkTimer = setTimeout(() => checkCtrl.abort(), 5e3);
@@ -1072,6 +1352,12 @@ async function askDaemon(toolName, args, meta, signal, riskMetadata) {
         args,
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
+        fromCLI: true,
+        // Pass the flight-recorder ID so the daemon uses the same UUID for
+        // activity-result as the CLI used for the pending activity event.
+        // Without this, the two UUIDs never match and tail.ts never resolves
+        // the pending item.
+        activityId,
         ...riskMetadata && { riskMetadata }
       }),
       signal: checkCtrl.signal
@@ -1126,7 +1412,45 @@ async function resolveViaDaemon(id, decision, internalToken) {
     signal: AbortSignal.timeout(3e3)
   });
 }
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path4.default.join(import_os2.default.tmpdir(), "node9-activity.sock");
+function notifyActivity(data) {
+  return new Promise((resolve) => {
+    try {
+      const payload = JSON.stringify(data);
+      const sock = import_net.default.createConnection(ACTIVITY_SOCKET_PATH);
+      sock.on("connect", () => {
+        sock.on("close", resolve);
+        sock.end(payload);
+      });
+      sock.on("error", resolve);
+    } catch {
+      resolve();
+    }
+  });
+}
 async function authorizeHeadless(toolName, args, allowTerminalFallback = false, meta, options) {
+  if (!options?.calledFromDaemon) {
+    const actId = (0, import_crypto.randomUUID)();
+    const actTs = Date.now();
+    await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
+    const result = await _authorizeHeadlessCore(toolName, args, allowTerminalFallback, meta, {
+      ...options,
+      activityId: actId
+    });
+    if (!result.noApprovalMechanism) {
+      await notifyActivity({
+        id: actId,
+        tool: toolName,
+        ts: actTs,
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        label: result.blockedByLabel
+      });
+    }
+    return result;
+  }
+  return _authorizeHeadlessCore(toolName, args, allowTerminalFallback, meta, options);
+}
+async function _authorizeHeadlessCore(toolName, args, allowTerminalFallback = false, meta, options) {
   if (process.env.NODE9_PAUSED === "1") return { approved: true, checkedBy: "paused" };
   const pauseState = checkPause();
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
@@ -1149,6 +1473,23 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = scanArgs(args);
+    if (dlpMatch) {
+      const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
+      if (dlpMatch.severity === "block") {
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        return {
+          approved: false,
+          reason: dlpReason,
+          blockedBy: "local-config",
+          blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
+        };
+      }
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
+    }
+  }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
@@ -1368,7 +1709,14 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
             console.error(import_chalk2.default.cyan(`   URL \u2192 http://${DAEMON_HOST}:${DAEMON_PORT}/
 `));
           }
-          const daemonDecision = await askDaemon(toolName, args, meta, signal, riskMetadata);
+          const daemonDecision = await askDaemon(
+            toolName,
+            args,
+            meta,
+            signal,
+            riskMetadata,
+            options?.activityId
+          );
           if (daemonDecision === "abandoned") throw new Error("Abandoned");
           const isApproved = daemonDecision === "allow";
           return {
@@ -1388,7 +1736,14 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     racePromises.push(
       (async () => {
         try {
-          console.log(import_chalk2.default.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          if (explainableLabel.includes("DLP")) {
+            console.log(import_chalk2.default.bgRed.white.bold(` \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
+            console.log(
+              import_chalk2.default.red.bold(`   A sensitive secret was detected in the tool arguments!`)
+            );
+          } else {
+            console.log(import_chalk2.default.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          }
           console.log(`${import_chalk2.default.bold("Action:")} ${import_chalk2.default.red(toolName)}`);
           console.log(`${import_chalk2.default.bold("Flagged By:")} ${import_chalk2.default.yellow(explainableLabel)}`);
           if (isRemoteLocked) {
@@ -1493,8 +1848,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = import_path3.default.join(import_os.default.homedir(), ".node9", "config.json");
-  const projectPath = import_path3.default.join(process.cwd(), "node9.config.json");
+  const globalPath = import_path4.default.join(import_os2.default.homedir(), ".node9", "config.json");
+  const projectPath = import_path4.default.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1506,13 +1861,13 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules],
     smartRules: [...DEFAULT_CONFIG.policy.smartRules],
     snapshot: {
       tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    }
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -1532,7 +1887,6 @@ function getConfig() {
     if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.rules) mergedPolicy.rules.push(...p.rules);
     if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
     if (p.snapshot) {
       const s2 = p.snapshot;
@@ -1540,6 +1894,11 @@ function getConfig() {
       if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
       if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1554,6 +1913,22 @@ function getConfig() {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+    }
+    const existingWords = new Set(mergedPolicy.dangerousWords);
+    for (const word of shield.dangerousWords) {
+      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
+    }
+  }
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
   if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
@@ -1569,10 +1944,10 @@ function getConfig() {
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
-  if (!import_fs.default.existsSync(filePath)) return null;
+  if (!import_fs2.default.existsSync(filePath)) return null;
   let raw;
   try {
-    raw = JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
+    raw = JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(
@@ -1634,9 +2009,9 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = import_path3.default.join(import_os.default.homedir(), ".node9", "credentials.json");
-    if (import_fs.default.existsSync(credPath)) {
-      const creds = JSON.parse(import_fs.default.readFileSync(credPath, "utf-8"));
+    const credPath = import_path4.default.join(import_os2.default.homedir(), ".node9", "credentials.json");
+    if (import_fs2.default.existsSync(credPath)) {
+      const creds = JSON.parse(import_fs2.default.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
       const profile = creds[profileName];
       if (profile?.apiKey) {
@@ -1671,9 +2046,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: import_os.default.hostname(),
+        hostname: import_os2.default.hostname(),
         cwd: process.cwd(),
-        platform: import_os.default.platform()
+        platform: import_os2.default.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -1694,9 +2069,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: import_os.default.hostname(),
+          hostname: import_os2.default.hostname(),
           cwd: process.cwd(),
-          platform: import_os.default.platform()
+          platform: import_os2.default.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),