npm - @node9/proxy - Versions diffs - 1.0.13 → 1.0.15 - Mend

@node9/proxy 1.0.13 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,9 +1,11 @@
 // src/core.ts
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
-import fs from "fs";
-import path3 from "path";
-import os from "os";
+import fs2 from "fs";
+import path4 from "path";
+import os2 from "os";
+import net from "net";
+import { randomUUID } from "crypto";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
@@ -333,25 +335,26 @@ import { z } from "zod";
 var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
   message: "Value must not contain literal newline characters (use \\n instead)"
 });
-var validRegex = noNewlines.refine(
-  (s) => {
-    try {
-      new RegExp(s);
-      return true;
-    } catch {
-      return false;
-    }
-  },
-  { message: "Value must be a valid regular expression" }
-);
 var SmartConditionSchema = z.object({
   field: z.string().min(1, "Condition field must not be empty"),
-  op: z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
-    errorMap: () => ({
-      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
-    })
-  }),
-  value: validRegex.optional(),
+  op: z.enum(
+    [
+      "matches",
+      "notMatches",
+      "contains",
+      "notContains",
+      "exists",
+      "notExists",
+      "matchesGlob",
+      "notMatchesGlob"
+    ],
+    {
+      errorMap: () => ({
+        message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists, matchesGlob, notMatchesGlob"
+      })
+    }
+  ),
+  value: z.string().optional(),
   flags: z.string().optional()
 });
 var SmartRuleSchema = z.object({
@@ -364,11 +367,6 @@ var SmartRuleSchema = z.object({
   }),
   reason: z.string().optional()
 });
-var PolicyRuleSchema = z.object({
-  action: z.string().min(1),
-  allowPaths: z.array(z.string()).optional(),
-  blockPaths: z.array(z.string()).optional()
-});
 var ConfigFileSchema = z.object({
   version: z.string().optional(),
   settings: z.object({
@@ -393,12 +391,15 @@ var ConfigFileSchema = z.object({
     dangerousWords: z.array(noNewlines).optional(),
     ignoredTools: z.array(z.string()).optional(),
     toolInspection: z.record(z.string()).optional(),
-    rules: z.array(PolicyRuleSchema).optional(),
     smartRules: z.array(SmartRuleSchema).optional(),
     snapshot: z.object({
       tools: z.array(z.string()).optional(),
       onlyPaths: z.array(z.string()).optional(),
       ignorePaths: z.array(z.string()).optional()
+    }).optional(),
+    dlp: z.object({
+      enabled: z.boolean().optional(),
+      scanIgnoredTools: z.boolean().optional()
     }).optional()
   }).optional(),
   environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
@@ -420,8 +421,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path4 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path4}: ${issue.message}`;
+    const path5 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path5}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -430,18 +431,291 @@ ${lines.join("\n")}`
   };
 }
+// src/shields.ts
+import fs from "fs";
+import path3 from "path";
+import os from "os";
+var SHIELDS = {
+  postgres: {
+    name: "postgres",
+    description: "Protects PostgreSQL databases from destructive AI operations",
+    aliases: ["pg", "postgresql"],
+    smartRules: [
+      {
+        name: "shield:postgres:block-drop-table",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-truncate",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-drop-column",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:review-grant-revoke",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
+        verdict: "review",
+        reason: "Permission changes require human approval (Postgres shield)"
+      }
+    ],
+    dangerousWords: ["dropdb", "pg_dropcluster"]
+  },
+  github: {
+    name: "github",
+    description: "Protects GitHub repositories from destructive AI operations",
+    aliases: ["git"],
+    smartRules: [
+      {
+        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
+        // This rule adds coverage for `git push --delete` which the built-in does not match.
+        name: "shield:github:review-delete-branch-remote",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+push\\s+.*--delete",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "Remote branch deletion requires human approval (GitHub shield)"
+      },
+      {
+        name: "shield:github:block-delete-repo",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
+      }
+    ],
+    dangerousWords: []
+  },
+  aws: {
+    name: "aws",
+    description: "Protects AWS infrastructure from destructive AI operations",
+    aliases: ["amazon"],
+    smartRules: [
+      {
+        name: "shield:aws:block-delete-s3-bucket",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-iam-changes",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "IAM changes require human approval (AWS shield)"
+      },
+      {
+        name: "shield:aws:block-ec2-terminate",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+ec2\\s+terminate-instances",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-rds-delete",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "RDS deletion requires human approval (AWS shield)"
+      }
+    ],
+    dangerousWords: []
+  },
+  filesystem: {
+    name: "filesystem",
+    description: "Protects the local filesystem from dangerous AI operations",
+    aliases: ["fs"],
+    smartRules: [
+      {
+        name: "shield:filesystem:review-chmod-777",
+        tool: "bash",
+        conditions: [
+          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "chmod 777 requires human approval (filesystem shield)"
+      },
+      {
+        name: "shield:filesystem:review-write-etc",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            // Narrow to write-indicative operations to avoid approval fatigue on reads.
+            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
+            op: "matches",
+            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+          }
+        ],
+        verdict: "review",
+        reason: "Writing to /etc requires human approval (filesystem shield)"
+      }
+    ],
+    // dd removed: too common as a legitimate tool (disk imaging, file ops).
+    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
+    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
+    dangerousWords: ["wipefs"]
+  }
+};
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
+  }
+  return null;
+}
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
+}
+var SHIELDS_STATE_FILE = path3.join(os.homedir(), ".node9", "shields.json");
+function readActiveShields() {
+  try {
+    const raw = fs.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return [];
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed.active)) {
+      return parsed.active.filter(
+        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+      );
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
+    }
+  }
+  return [];
+}
+// src/dlp.ts
+var DLP_PATTERNS = [
+  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
+  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
+  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]+\b/, severity: "block" },
+  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
+  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+  {
+    name: "Private Key (PEM)",
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    severity: "block"
+  },
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+];
+function maskSecret(raw, pattern) {
+  const match = raw.match(pattern);
+  if (!match) return "****";
+  const secret = match[0];
+  if (secret.length < 8) return "****";
+  const prefix = secret.slice(0, 4);
+  const suffix = secret.slice(-4);
+  const stars = "*".repeat(Math.min(secret.length - 8, 12));
+  return `${prefix}${stars}${suffix}`;
+}
+var MAX_DEPTH = 5;
+var MAX_STRING_BYTES = 1e5;
+var MAX_JSON_PARSE_BYTES = 1e4;
+function scanArgs(args, depth = 0, fieldPath = "args") {
+  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
+  if (Array.isArray(args)) {
+    for (let i = 0; i < args.length; i++) {
+      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "object") {
+    for (const [key, value] of Object.entries(args)) {
+      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "string") {
+    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    for (const pattern of DLP_PATTERNS) {
+      if (pattern.regex.test(text)) {
+        return {
+          patternName: pattern.name,
+          fieldPath,
+          redactedSample: maskSecret(text, pattern.regex),
+          severity: pattern.severity
+        };
+      }
+    }
+    if (text.length < MAX_JSON_PARSE_BYTES) {
+      const trimmed = text.trim();
+      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        try {
+          const parsed = JSON.parse(text);
+          const inner = scanArgs(parsed, depth + 1, fieldPath);
+          if (inner) return inner;
+        } catch {
+        }
+      }
+    }
+  }
+  return null;
+}
 // src/core.ts
-var PAUSED_FILE = path3.join(os.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path3.join(os.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path3.join(os.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path3.join(os.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = path4.join(os2.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path4.join(os2.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path4.join(os2.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path4.join(os2.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
-    if (!fs.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!fs2.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs2.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        fs.unlinkSync(PAUSED_FILE);
+        fs2.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -452,20 +726,20 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path3.dirname(filePath);
-  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${os.hostname()}.${process.pid}.tmp`;
-  fs.writeFileSync(tmpPath, data, options);
-  fs.renameSync(tmpPath, filePath);
+  const dir = path4.dirname(filePath);
+  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${os2.hostname()}.${process.pid}.tmp`;
+  fs2.writeFileSync(tmpPath, data, options);
+  fs2.renameSync(tmpPath, filePath);
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!fs.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs.readFileSync(TRUST_FILE, "utf-8"));
+    if (!fs2.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      fs.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      fs2.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -476,8 +750,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs.readFileSync(TRUST_FILE, "utf-8"));
+      if (fs2.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -493,9 +767,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = path3.dirname(logPath);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+    const dir = path4.dirname(logPath);
+    if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+    fs2.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
@@ -507,7 +781,7 @@ function appendHookDebug(toolName, args, meta) {
     args: safeArgs,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: os.hostname(),
+    hostname: os2.hostname(),
     cwd: process.cwd()
   });
 }
@@ -521,7 +795,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
     checkedBy,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
-    hostname: os.hostname()
+    hostname: os2.hostname()
   });
 }
 function tokenize(toolName) {
@@ -537,9 +811,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path4) {
+function getNestedValue(obj, path5) {
   if (!obj || typeof obj !== "object") return null;
-  return path4.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path5.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -572,6 +846,10 @@ function evaluateSmartConditions(args, rule) {
           return true;
         }
       }
+      case "matchesGlob":
+        return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
+      case "notMatchesGlob":
+        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : true;
       default:
         return false;
     }
@@ -735,25 +1013,27 @@ var DEFAULT_CONFIG = {
       onlyPaths: [],
       ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
     },
-    rules: [
-      // Only use the legacy rules format for simple path-based rm control.
-      // All other command-level enforcement lives in smartRules below.
-      {
-        action: "rm",
-        allowPaths: [
-          "**/node_modules/**",
-          "dist/**",
-          "build/**",
-          ".next/**",
-          "coverage/**",
-          ".cache/**",
-          "tmp/**",
-          "temp/**",
-          ".DS_Store"
-        ]
-      }
-    ],
     smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
+      {
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
+        ],
+        verdict: "block",
+        reason: "Recursive delete of home directory is irreversible"
+      },
       // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
@@ -844,16 +1124,42 @@ var DEFAULT_CONFIG = {
         verdict: "block",
         reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
-    ]
+    ],
+    dlp: { enabled: true, scanIgnoredTools: true }
   },
   environments: {}
 };
+var ADVISORY_SMART_RULES = [
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
+      }
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
+  {
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path"
+  }
+];
 var cachedConfig = null;
 function getInternalToken() {
   try {
-    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
-    if (!fs.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
+    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+    if (!fs2.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -868,7 +1174,8 @@ async function evaluatePolicy(toolName, args, agent) {
       (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
-      if (matchedRule.verdict === "allow") return { decision: "allow" };
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
@@ -879,13 +1186,11 @@ async function evaluatePolicy(toolName, args, agent) {
     }
   }
   let allTokens = [];
-  let actionTokens = [];
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
     const analyzed = await analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
-    actionTokens = analyzed.actions;
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
@@ -893,11 +1198,9 @@ async function evaluatePolicy(toolName, args, agent) {
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
-      actionTokens = actionTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
     allTokens = tokenize(toolName);
-    actionTokens = [toolName];
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -920,29 +1223,6 @@ async function evaluatePolicy(toolName, args, agent) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
     if (allInSandbox) return { decision: "allow" };
   }
-  for (const action of actionTokens) {
-    const rule = config.policy.rules.find(
-      (r) => r.action === action || matchesPattern(action, r.action)
-    );
-    if (rule) {
-      if (pathTokens.length > 0) {
-        const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
-        if (anyBlocked)
-          return {
-            decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
-            tier: 5
-          };
-        const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
-        if (allAllowed) return { decision: "allow" };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
-        tier: 5
-      };
-    }
-  }
   let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
@@ -1000,9 +1280,9 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
-    if (!fs.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
+    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+    if (!fs2.existsSync(pidFile)) return false;
+    const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
     process.kill(pid, 0);
     return true;
@@ -1012,16 +1292,16 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path3.join(os.homedir(), ".node9", "decisions.json");
-    if (!fs.existsSync(file)) return null;
-    const decisions = JSON.parse(fs.readFileSync(file, "utf-8"));
+    const file = path4.join(os2.homedir(), ".node9", "decisions.json");
+    if (!fs2.existsSync(file)) return null;
+    const decisions = JSON.parse(fs2.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
   }
   return null;
 }
-async function askDaemon(toolName, args, meta, signal, riskMetadata) {
+async function askDaemon(toolName, args, meta, signal, riskMetadata, activityId) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const checkCtrl = new AbortController();
   const checkTimer = setTimeout(() => checkCtrl.abort(), 5e3);
@@ -1036,6 +1316,12 @@ async function askDaemon(toolName, args, meta, signal, riskMetadata) {
         args,
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
+        fromCLI: true,
+        // Pass the flight-recorder ID so the daemon uses the same UUID for
+        // activity-result as the CLI used for the pending activity event.
+        // Without this, the two UUIDs never match and tail.ts never resolves
+        // the pending item.
+        activityId,
         ...riskMetadata && { riskMetadata }
       }),
       signal: checkCtrl.signal
@@ -1090,7 +1376,45 @@ async function resolveViaDaemon(id, decision, internalToken) {
     signal: AbortSignal.timeout(3e3)
   });
 }
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path4.join(os2.tmpdir(), "node9-activity.sock");
+function notifyActivity(data) {
+  return new Promise((resolve) => {
+    try {
+      const payload = JSON.stringify(data);
+      const sock = net.createConnection(ACTIVITY_SOCKET_PATH);
+      sock.on("connect", () => {
+        sock.on("close", resolve);
+        sock.end(payload);
+      });
+      sock.on("error", resolve);
+    } catch {
+      resolve();
+    }
+  });
+}
 async function authorizeHeadless(toolName, args, allowTerminalFallback = false, meta, options) {
+  if (!options?.calledFromDaemon) {
+    const actId = randomUUID();
+    const actTs = Date.now();
+    await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
+    const result = await _authorizeHeadlessCore(toolName, args, allowTerminalFallback, meta, {
+      ...options,
+      activityId: actId
+    });
+    if (!result.noApprovalMechanism) {
+      await notifyActivity({
+        id: actId,
+        tool: toolName,
+        ts: actTs,
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        label: result.blockedByLabel
+      });
+    }
+    return result;
+  }
+  return _authorizeHeadlessCore(toolName, args, allowTerminalFallback, meta, options);
+}
+async function _authorizeHeadlessCore(toolName, args, allowTerminalFallback = false, meta, options) {
   if (process.env.NODE9_PAUSED === "1") return { approved: true, checkedBy: "paused" };
   const pauseState = checkPause();
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
@@ -1113,6 +1437,23 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = scanArgs(args);
+    if (dlpMatch) {
+      const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
+      if (dlpMatch.severity === "block") {
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        return {
+          approved: false,
+          reason: dlpReason,
+          blockedBy: "local-config",
+          blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
+        };
+      }
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
+    }
+  }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
@@ -1332,7 +1673,14 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
             console.error(chalk2.cyan(`   URL \u2192 http://${DAEMON_HOST}:${DAEMON_PORT}/
 `));
           }
-          const daemonDecision = await askDaemon(toolName, args, meta, signal, riskMetadata);
+          const daemonDecision = await askDaemon(
+            toolName,
+            args,
+            meta,
+            signal,
+            riskMetadata,
+            options?.activityId
+          );
           if (daemonDecision === "abandoned") throw new Error("Abandoned");
           const isApproved = daemonDecision === "allow";
           return {
@@ -1352,7 +1700,14 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     racePromises.push(
       (async () => {
         try {
-          console.log(chalk2.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          if (explainableLabel.includes("DLP")) {
+            console.log(chalk2.bgRed.white.bold(` \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
+            console.log(
+              chalk2.red.bold(`   A sensitive secret was detected in the tool arguments!`)
+            );
+          } else {
+            console.log(chalk2.bgRed.white.bold(` \u{1F6D1} NODE9 INTERCEPTOR `));
+          }
           console.log(`${chalk2.bold("Action:")} ${chalk2.red(toolName)}`);
           console.log(`${chalk2.bold("Flagged By:")} ${chalk2.yellow(explainableLabel)}`);
           if (isRemoteLocked) {
@@ -1457,8 +1812,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = path3.join(os.homedir(), ".node9", "config.json");
-  const projectPath = path3.join(process.cwd(), "node9.config.json");
+  const globalPath = path4.join(os2.homedir(), ".node9", "config.json");
+  const projectPath = path4.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1470,13 +1825,13 @@ function getConfig() {
     dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    rules: [...DEFAULT_CONFIG.policy.rules],
     smartRules: [...DEFAULT_CONFIG.policy.smartRules],
     snapshot: {
       tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    }
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -1496,7 +1851,6 @@ function getConfig() {
     if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.rules) mergedPolicy.rules.push(...p.rules);
     if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
     if (p.snapshot) {
       const s2 = p.snapshot;
@@ -1504,6 +1858,11 @@ function getConfig() {
       if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
       if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1518,6 +1877,22 @@ function getConfig() {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+    }
+    const existingWords = new Set(mergedPolicy.dangerousWords);
+    for (const word of shield.dangerousWords) {
+      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
+    }
+  }
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
   if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
@@ -1533,10 +1908,10 @@ function getConfig() {
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
-  if (!fs.existsSync(filePath)) return null;
+  if (!fs2.existsSync(filePath)) return null;
   let raw;
   try {
-    raw = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(
@@ -1598,9 +1973,9 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = path3.join(os.homedir(), ".node9", "credentials.json");
-    if (fs.existsSync(credPath)) {
-      const creds = JSON.parse(fs.readFileSync(credPath, "utf-8"));
+    const credPath = path4.join(os2.homedir(), ".node9", "credentials.json");
+    if (fs2.existsSync(credPath)) {
+      const creds = JSON.parse(fs2.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
       const profile = creds[profileName];
       if (profile?.apiKey) {
@@ -1635,9 +2010,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: os.hostname(),
+        hostname: os2.hostname(),
         cwd: process.cwd(),
-        platform: os.platform()
+        platform: os2.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -1658,9 +2033,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: os.hostname(),
+          hostname: os2.hostname(),
           cwd: process.cwd(),
-          platform: os.platform()
+          platform: os2.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),