npm - @node9/proxy - Versions diffs - 1.0.15 → 1.0.17 - Mend

@node9/proxy 1.0.15 → 1.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -44,6 +44,10 @@ Node9 initiates a **Concurrent Race** across all enabled channels. The first cha
 Node9 records every tool call your AI agent makes in real-time — no polling, no log files, no refresh. Two ways to watch:
+<p align="center">
+  <img src="docs/flight-recorder.jpeg" width="100%">
+</p>
 **Browser Dashboard** (`node9 daemon start` → `localhost:7391`)
 A live 3-column dashboard. The left column streams every tool call as it happens, updating in-place from `● PENDING` to `✓ ALLOW` or `✗ BLOCK`. The center handles pending approvals. The right sidebar controls shields and persistent decisions — all without ever causing a browser scrollbar.
@@ -284,29 +288,35 @@ Use `node9 explain <tool> <args>` to dry-run any tool call and see exactly which
 ```json
 {
+  "version": "1.0",
   "settings": {
-    "mode": "standard",
+    "mode": "audit",
     "enableUndo": true,
+    "flightRecorder": true,
     "approvalTimeoutMs": 30000,
     "approvers": {
       "native": true,
       "browser": true,
-      "cloud": true,
+      "cloud": false,
       "terminal": true
     }
   }
 }
 ```
-| Key                  | Default      | Description                                                  |
-| :------------------- | :----------- | :----------------------------------------------------------- |
-| `mode`               | `"standard"` | `standard` \| `strict` \| `audit`                            |
-| `enableUndo`         | `true`       | Take git snapshots before every AI file edit                 |
-| `approvalTimeoutMs`  | `0`          | Auto-deny after N ms if no human responds (0 = wait forever) |
-| `approvers.native`   | `true`       | OS-native popup                                              |
-| `approvers.browser`  | `true`       | Browser dashboard (`node9 daemon`)                           |
-| `approvers.cloud`    | `true`       | Slack / SaaS approval                                        |
-| `approvers.terminal` | `true`       | `[Y/n]` prompt in terminal                                   |
+| Key                  | Default   | Description                                                                     |
+| :------------------- | :-------- | :------------------------------------------------------------------------------ |
+| `mode`               | `"audit"` | `audit` (log-only) \| `standard` (approve/block) \| `strict` (deny by default)  |
+| `enableUndo`         | `true`    | Take git snapshots before every AI file edit                                    |
+| `flightRecorder`     | `true`    | Record tool call activity to the flight recorder ring buffer for the browser UI |
+| `approvalTimeoutMs`  | `30000`   | Auto-deny after N ms if no human responds (`0` = wait forever)                  |
+| `approvers.native`   | `true`    | OS-native popup                                                                 |
+| `approvers.browser`  | `true`    | Browser dashboard (`node9 daemon`)                                              |
+| `approvers.cloud`    | `false`   | Slack / SaaS approval — requires `node9 login`; opt-in only                     |
+| `approvers.terminal` | `true`    | `[Y/n]` prompt in terminal                                                      |
+> **Tip — choosing a mode:**
+> Start with the default `audit` to observe what your agent does without blocking anything. Once you understand its behaviour, switch to `standard` (blocks dangerous commands with human approval) or `strict` (denies anything not explicitly allowed) in your `~/.node9/config.json` or project `node9.config.json`.
 ---
@@ -369,7 +379,7 @@ Verdict: BLOCK  (dangerous word: rm -rf)
 ## 🔧 Troubleshooting
 **`node9 check` exits immediately / Claude is never blocked**
-Node9 fails open by design to prevent breaking your agent. Check debug logs: `NODE9_DEBUG=1 claude`.
+Node9 fails open by design to prevent breaking your agent. Check debug logs: `NODE9_DEBUG=1 claude`. Also verify you are in `standard` or `strict` mode — the default `audit` mode approves everything and only logs.
 **Terminal prompt never appears during Claude/Gemini sessions**
 Interactive agents run hooks in a "Headless" subprocess. You **must** enable `native: true` or `browser: true` in your config to see approval prompts.
@@ -377,6 +387,9 @@ Interactive agents run hooks in a "Headless" subprocess. You **must** enable `na
 **"Blocked by Organization (SaaS)"**
 A corporate policy has locked this action. You must click the "Approve" button in your company's Slack channel to proceed.
+**`node9 tail --history` says "Daemon failed to start" even though the daemon is running**
+This can happen when the daemon's PID file (`~/.node9/daemon.pid`) is missing — for example after a crash or a botched restart left a daemon running without a PID file. Node9 now detects this automatically: it performs an HTTP health probe and a live port check before deciding the daemon is gone. If you hit this on an older version, run `node9 daemon stop` then `node9 daemon -b` to create a clean PID file.
 ---
 ## 🗺️ Roadmap

package/dist/cli.js CHANGED Viewed

@@ -418,7 +418,13 @@ var init_config_schema = __esm({
       ),
       value: import_zod.z.string().optional(),
       flags: import_zod.z.string().optional()
-    });
+    }).refine(
+      (c) => {
+        if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
+        return true;
+      },
+      { message: "matchesGlob and notMatchesGlob conditions require a value field" }
+    );
     SmartRuleSchema = import_zod.z.object({
       name: import_zod.z.string().optional(),
       tool: import_zod.z.string().min(1, "Smart rule tool must not be empty"),
@@ -437,6 +443,7 @@ var init_config_schema = __esm({
         enableUndo: import_zod.z.boolean().optional(),
         enableHookLogDebug: import_zod.z.boolean().optional(),
         approvalTimeoutMs: import_zod.z.number().nonnegative().optional(),
+        flightRecorder: import_zod.z.boolean().optional(),
         approvers: import_zod.z.object({
           native: import_zod.z.boolean().optional(),
           browser: import_zod.z.boolean().optional(),
@@ -927,7 +934,7 @@ function evaluateSmartConditions(args, rule) {
       case "matchesGlob":
         return val !== null && cond.value ? import_picomatch.default.isMatch(val, cond.value) : false;
       case "notMatchesGlob":
-        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : true;
+        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : false;
       default:
         return false;
     }
@@ -1040,7 +1047,7 @@ function getGlobalSettings() {
       const parsed = JSON.parse(import_fs2.default.readFileSync(globalConfigPath, "utf-8"));
       const settings = parsed.settings || {};
       return {
-        mode: settings.mode || "standard",
+        mode: settings.mode || "audit",
         autoStartDaemon: settings.autoStartDaemon !== false,
         slackEnabled: settings.slackEnabled !== false,
         enableTrustSessions: settings.enableTrustSessions === true,
@@ -1050,7 +1057,7 @@ function getGlobalSettings() {
   } catch {
   }
   return {
-    mode: "standard",
+    mode: "audit",
     autoStartDaemon: true,
     slackEnabled: true,
     enableTrustSessions: false,
@@ -1437,13 +1444,23 @@ function isIgnoredTool(toolName) {
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
 function isDaemonRunning() {
+  const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
+  if (import_fs2.default.existsSync(pidFile)) {
+    try {
+      const { pid, port } = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
+      if (port !== DAEMON_PORT) return false;
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
   try {
-    const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs2.default.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
-    if (port !== DAEMON_PORT) return false;
-    process.kill(pid, 0);
-    return true;
+    const r = (0, import_child_process2.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 500
+    });
+    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {
     return false;
   }
@@ -2245,7 +2262,7 @@ async function resolveNode9SaaS(requestId, creds, approved) {
   } catch {
   }
 }
-var import_chalk2, import_prompts, import_fs2, import_path4, import_os2, import_net, import_crypto2, import_picomatch, import_sh_syntax, PAUSED_FILE, TRUST_FILE, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, SQL_DML_KEYWORDS, DANGEROUS_WORDS, DEFAULT_CONFIG, ADVISORY_SMART_RULES, cachedConfig, DAEMON_PORT, DAEMON_HOST, ACTIVITY_SOCKET_PATH;
+var import_chalk2, import_prompts, import_fs2, import_path4, import_os2, import_net, import_crypto2, import_child_process2, import_picomatch, import_sh_syntax, PAUSED_FILE, TRUST_FILE, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, SQL_DML_KEYWORDS, DANGEROUS_WORDS, DEFAULT_CONFIG, ADVISORY_SMART_RULES, cachedConfig, DAEMON_PORT, DAEMON_HOST, ACTIVITY_SOCKET_PATH;
 var init_core = __esm({
   "src/core.ts"() {
     "use strict";
@@ -2256,6 +2273,7 @@ var init_core = __esm({
     import_os2 = __toESM(require("os"));
     import_net = __toESM(require("net"));
     import_crypto2 = require("crypto");
+    import_child_process2 = require("child_process");
     import_picomatch = __toESM(require("picomatch"));
     import_sh_syntax = require("sh-syntax");
     init_native();
@@ -2275,15 +2293,17 @@ var init_core = __esm({
       // permanently overwrites file contents (unrecoverable)
     ];
     DEFAULT_CONFIG = {
+      version: "1.0",
       settings: {
-        mode: "standard",
+        mode: "audit",
         autoStartDaemon: true,
         enableUndo: true,
         // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-        enableHookLogDebug: false,
-        approvalTimeoutMs: 0,
-        // 0 = disabled; set e.g. 30000 for 30-second auto-deny
-        approvers: { native: true, browser: true, cloud: true, terminal: true }
+        enableHookLogDebug: true,
+        approvalTimeoutMs: 3e4,
+        // 30-second auto-deny timeout
+        flightRecorder: true,
+        approvers: { native: true, browser: true, cloud: false, terminal: true }
       },
       policy: {
         sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -4056,7 +4076,7 @@ data: ${JSON.stringify(data)}
 function openBrowser(url) {
   try {
     const args = process.platform === "darwin" ? ["open", url] : process.platform === "win32" ? ["cmd", "/c", "start", "", url] : ["xdg-open", url];
-    (0, import_child_process2.spawn)(args[0], args.slice(1), { detached: true, stdio: "ignore" }).unref();
+    (0, import_child_process3.spawn)(args[0], args.slice(1), { detached: true, stdio: "ignore" }).unref();
   } catch {
   }
 }
@@ -4437,6 +4457,11 @@ data: ${JSON.stringify(item.data)}
         res.writeHead(400).end();
       }
     }
+    if (req.method === "POST" && pathname === "/events/clear") {
+      activityRing.length = 0;
+      res.writeHead(200, { "Content-Type": "application/json" });
+      return res.end(JSON.stringify({ ok: true }));
+    }
     if (req.method === "GET" && pathname === "/audit") {
       res.writeHead(200, { "Content-Type": "application/json" });
       return res.end(JSON.stringify(getAuditHistory()));
@@ -4492,6 +4517,35 @@ data: ${JSON.stringify(item.data)}
         server.listen(DAEMON_PORT2, DAEMON_HOST2);
         return;
       }
+      fetch(`http://${DAEMON_HOST2}:${DAEMON_PORT2}/settings`, {
+        signal: AbortSignal.timeout(1e3)
+      }).then((res) => {
+        if (res.ok) {
+          try {
+            const r = (0, import_child_process3.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT2}`], {
+              encoding: "utf8",
+              timeout: 1e3
+            });
+            const match = r.stdout?.match(/pid=(\d+)/);
+            if (match) {
+              const orphanPid = parseInt(match[1], 10);
+              process.kill(orphanPid, 0);
+              atomicWriteSync2(
+                DAEMON_PID_FILE,
+                JSON.stringify({ pid: orphanPid, port: DAEMON_PORT2, internalToken, autoStarted }),
+                { mode: 384 }
+              );
+            }
+          } catch {
+          }
+          process.exit(0);
+        } else {
+          server.listen(DAEMON_PORT2, DAEMON_HOST2);
+        }
+      }).catch(() => {
+        server.listen(DAEMON_PORT2, DAEMON_HOST2);
+      });
+      return;
     }
     console.error(import_chalk4.default.red("\n\u{1F6D1} Node9 Daemon Error:"), e.message);
     process.exit(1);
@@ -4571,17 +4625,28 @@ function stopDaemon() {
   }
 }
 function daemonStatus() {
-  if (!import_fs4.default.existsSync(DAEMON_PID_FILE))
-    return console.log(import_chalk4.default.yellow("Node9 daemon: not running"));
-  try {
-    const { pid } = JSON.parse(import_fs4.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
-    process.kill(pid, 0);
-    console.log(import_chalk4.default.green("Node9 daemon: running"));
-  } catch {
-    console.log(import_chalk4.default.yellow("Node9 daemon: not running (stale PID)"));
+  if (import_fs4.default.existsSync(DAEMON_PID_FILE)) {
+    try {
+      const { pid } = JSON.parse(import_fs4.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      process.kill(pid, 0);
+      console.log(import_chalk4.default.green("Node9 daemon: running"));
+      return;
+    } catch {
+      console.log(import_chalk4.default.yellow("Node9 daemon: not running (stale PID)"));
+      return;
+    }
+  }
+  const r = (0, import_child_process3.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT2}`], {
+    encoding: "utf8",
+    timeout: 500
+  });
+  if (r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT2}`)) {
+    console.log(import_chalk4.default.yellow("Node9 daemon: running (no PID file \u2014 orphaned)"));
+  } else {
+    console.log(import_chalk4.default.yellow("Node9 daemon: not running"));
   }
 }
-var import_http, import_net2, import_fs4, import_path6, import_os4, import_child_process2, import_crypto3, import_chalk4, ACTIVITY_SOCKET_PATH2, DAEMON_PORT2, DAEMON_HOST2, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, TRUST_DURATIONS, SECRET_KEY_RE, AUTO_DENY_MS, autoStarted, pending, sseClients, abandonTimer, daemonServer, hadBrowserClient, ACTIVITY_RING_SIZE, activityRing;
+var import_http, import_net2, import_fs4, import_path6, import_os4, import_child_process3, import_crypto3, import_chalk4, ACTIVITY_SOCKET_PATH2, DAEMON_PORT2, DAEMON_HOST2, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, TRUST_DURATIONS, SECRET_KEY_RE, AUTO_DENY_MS, autoStarted, pending, sseClients, abandonTimer, daemonServer, hadBrowserClient, ACTIVITY_RING_SIZE, activityRing;
 var init_daemon = __esm({
   "src/daemon/index.ts"() {
     "use strict";
@@ -4591,7 +4656,7 @@ var init_daemon = __esm({
     import_fs4 = __toESM(require("fs"));
     import_path6 = __toESM(require("path"));
     import_os4 = __toESM(require("os"));
-    import_child_process2 = require("child_process");
+    import_child_process3 = require("child_process");
     import_crypto3 = require("crypto");
     import_chalk4 = __toESM(require("chalk"));
     init_core();
@@ -4672,8 +4737,15 @@ async function ensureDaemon() {
     } catch {
     }
   }
+  try {
+    const res = await fetch(`http://127.0.0.1:${DAEMON_PORT2}/settings`, {
+      signal: AbortSignal.timeout(500)
+    });
+    if (res.ok) return DAEMON_PORT2;
+  } catch {
+  }
   console.log(import_chalk5.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
-  const child = (0, import_child_process4.spawn)(process.execPath, [process.argv[1], "daemon"], {
+  const child = (0, import_child_process5.spawn)(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
     env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -4681,15 +4753,11 @@ async function ensureDaemon() {
   child.unref();
   for (let i = 0; i < 20; i++) {
     await new Promise((r) => setTimeout(r, 250));
-    if (!import_fs6.default.existsSync(PID_FILE)) continue;
     try {
       const res = await fetch(`http://127.0.0.1:${DAEMON_PORT2}/settings`, {
         signal: AbortSignal.timeout(500)
       });
-      if (res.ok) {
-        const { port } = JSON.parse(import_fs6.default.readFileSync(PID_FILE, "utf-8"));
-        return port;
-      }
+      if (res.ok) return DAEMON_PORT2;
     } catch {
     }
   }
@@ -4698,11 +4766,26 @@ async function ensureDaemon() {
 }
 async function startTail(options = {}) {
   const port = await ensureDaemon();
+  if (options.clear) {
+    await new Promise((resolve) => {
+      const req2 = import_http2.default.request(
+        { method: "POST", hostname: "127.0.0.1", port, path: "/events/clear" },
+        (res) => {
+          res.resume();
+          res.on("end", resolve);
+        }
+      );
+      req2.on("error", resolve);
+      req2.end();
+    });
+  }
   const connectionTime = Date.now();
   const pending2 = /* @__PURE__ */ new Map();
   console.log(import_chalk5.default.cyan.bold(`
 \u{1F6F0}\uFE0F  Node9 tail  `) + import_chalk5.default.dim(`\u2192 localhost:${port}`));
-  if (options.history) {
+  if (options.clear) {
+    console.log(import_chalk5.default.dim("History cleared. Showing live events. Press Ctrl+C to exit.\n"));
+  } else if (options.history) {
     console.log(import_chalk5.default.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
   } else {
     console.log(
@@ -4783,7 +4866,7 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk5, import_fs6, import_os6, import_path8, import_readline, import_child_process4, PID_FILE, ICONS;
+var import_http2, import_chalk5, import_fs6, import_os6, import_path8, import_readline, import_child_process5, PID_FILE, ICONS;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
@@ -4793,7 +4876,7 @@ var init_tail = __esm({
     import_os6 = __toESM(require("os"));
     import_path8 = __toESM(require("path"));
     import_readline = __toESM(require("readline"));
-    import_child_process4 = require("child_process");
+    import_child_process5 = require("child_process");
     init_daemon();
     PID_FILE = import_path8.default.join(import_os6.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
@@ -5068,7 +5151,7 @@ async function setupCursor() {
 // src/cli.ts
 init_daemon();
-var import_child_process5 = require("child_process");
+var import_child_process6 = require("child_process");
 var import_execa = require("execa");
 var import_execa2 = require("execa");
 var import_chalk6 = __toESM(require("chalk"));
@@ -5078,7 +5161,7 @@ var import_path9 = __toESM(require("path"));
 var import_os7 = __toESM(require("os"));
 // src/undo.ts
-var import_child_process3 = require("child_process");
+var import_child_process4 = require("child_process");
 var import_fs5 = __toESM(require("fs"));
 var import_path7 = __toESM(require("path"));
 var import_os5 = __toESM(require("os"));
@@ -5115,12 +5198,12 @@ async function createShadowSnapshot(tool = "unknown", args = {}) {
     if (!import_fs5.default.existsSync(import_path7.default.join(cwd, ".git"))) return null;
     const tempIndex = import_path7.default.join(cwd, ".git", `node9_index_${Date.now()}`);
     const env = { ...process.env, GIT_INDEX_FILE: tempIndex };
-    (0, import_child_process3.spawnSync)("git", ["add", "-A"], { env });
-    const treeRes = (0, import_child_process3.spawnSync)("git", ["write-tree"], { env });
+    (0, import_child_process4.spawnSync)("git", ["add", "-A"], { env });
+    const treeRes = (0, import_child_process4.spawnSync)("git", ["write-tree"], { env });
     const treeHash = treeRes.stdout.toString().trim();
     if (import_fs5.default.existsSync(tempIndex)) import_fs5.default.unlinkSync(tempIndex);
     if (!treeHash || treeRes.status !== 0) return null;
-    const commitRes = (0, import_child_process3.spawnSync)("git", [
+    const commitRes = (0, import_child_process4.spawnSync)("git", [
       "commit-tree",
       treeHash,
       "-m",
@@ -5151,10 +5234,10 @@ function getSnapshotHistory() {
 }
 function computeUndoDiff(hash, cwd) {
   try {
-    const result = (0, import_child_process3.spawnSync)("git", ["diff", hash, "--stat", "--", "."], { cwd });
+    const result = (0, import_child_process4.spawnSync)("git", ["diff", hash, "--stat", "--", "."], { cwd });
     const stat = result.stdout.toString().trim();
     if (!stat) return null;
-    const diff = (0, import_child_process3.spawnSync)("git", ["diff", hash, "--", "."], { cwd });
+    const diff = (0, import_child_process4.spawnSync)("git", ["diff", hash, "--", "."], { cwd });
     const raw = diff.stdout.toString();
     if (!raw) return null;
     const lines = raw.split("\n").filter(
@@ -5168,14 +5251,14 @@ function computeUndoDiff(hash, cwd) {
 function applyUndo(hash, cwd) {
   try {
     const dir = cwd ?? process.cwd();
-    const restore = (0, import_child_process3.spawnSync)("git", ["restore", "--source", hash, "--staged", "--worktree", "."], {
+    const restore = (0, import_child_process4.spawnSync)("git", ["restore", "--source", hash, "--staged", "--worktree", "."], {
       cwd: dir
     });
     if (restore.status !== 0) return false;
-    const lsTree = (0, import_child_process3.spawnSync)("git", ["ls-tree", "-r", "--name-only", hash], { cwd: dir });
+    const lsTree = (0, import_child_process4.spawnSync)("git", ["ls-tree", "-r", "--name-only", hash], { cwd: dir });
     const snapshotFiles = new Set(lsTree.stdout.toString().trim().split("\n").filter(Boolean));
-    const tracked = (0, import_child_process3.spawnSync)("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
-    const untracked = (0, import_child_process3.spawnSync)("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
+    const tracked = (0, import_child_process4.spawnSync)("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
+    const untracked = (0, import_child_process4.spawnSync)("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     for (const file of [...tracked, ...untracked]) {
       const fullPath = import_path7.default.join(dir, file);
       if (!snapshotFiles.has(file) && import_fs5.default.existsSync(fullPath)) {
@@ -5280,15 +5363,15 @@ function openBrowserLocal() {
   const url = `http://${DAEMON_HOST2}:${DAEMON_PORT2}/`;
   try {
     const opts = { stdio: "ignore" };
-    if (process.platform === "darwin") (0, import_child_process5.execSync)(`open "${url}"`, opts);
-    else if (process.platform === "win32") (0, import_child_process5.execSync)(`cmd /c start "" "${url}"`, opts);
-    else (0, import_child_process5.execSync)(`xdg-open "${url}"`, opts);
+    if (process.platform === "darwin") (0, import_child_process6.execSync)(`open "${url}"`, opts);
+    else if (process.platform === "win32") (0, import_child_process6.execSync)(`cmd /c start "" "${url}"`, opts);
+    else (0, import_child_process6.execSync)(`xdg-open "${url}"`, opts);
   } catch {
   }
 }
 async function autoStartDaemonAndWait() {
   try {
-    const child = (0, import_child_process5.spawn)("node9", ["daemon"], {
+    const child = (0, import_child_process6.spawn)("node9", ["daemon"], {
       detached: true,
       stdio: "ignore",
       env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -5325,7 +5408,7 @@ async function runProxy(targetCommand) {
   } catch {
   }
   console.log(import_chalk6.default.green(`\u{1F680} Node9 Proxy Active: Monitoring [${targetCommand}]`));
-  const child = (0, import_child_process5.spawn)(executable, args, {
+  const child = (0, import_child_process6.spawn)(executable, args, {
     stdio: ["pipe", "pipe", "inherit"],
     // We control STDIN and STDOUT
     shell: false,
@@ -5497,7 +5580,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
 `));
   section("Binary");
   try {
-    const which = (0, import_child_process5.execSync)("which node9", { encoding: "utf-8" }).trim();
+    const which = (0, import_child_process6.execSync)("which node9", { encoding: "utf-8" }).trim();
     pass(`node9 found at ${which}`);
   } catch {
     warn("node9 not found in $PATH \u2014 hooks may not find it", "Run: npm install -g @node9/proxy");
@@ -5512,7 +5595,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
     );
   }
   try {
-    const gitVersion = (0, import_child_process5.execSync)("git --version", { encoding: "utf-8" }).trim();
+    const gitVersion = (0, import_child_process6.execSync)("git --version", { encoding: "utf-8" }).trim();
     pass(gitVersion);
   } catch {
     warn(
@@ -5863,7 +5946,7 @@ program.command("daemon").description("Run the local approval server").argument(
         console.log(import_chalk6.default.green(`\u{1F310}  Opened browser: http://${DAEMON_HOST2}:${DAEMON_PORT2}/`));
         process.exit(0);
       }
-      const child = (0, import_child_process5.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = (0, import_child_process6.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
       child.unref();
       for (let i = 0; i < 12; i++) {
         await new Promise((r) => setTimeout(r, 250));
@@ -5875,7 +5958,7 @@ program.command("daemon").description("Run the local approval server").argument(
       process.exit(0);
     }
     if (options.background) {
-      const child = (0, import_child_process5.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = (0, import_child_process6.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
       child.unref();
       console.log(import_chalk6.default.green(`
 \u{1F6E1}\uFE0F  Node9 daemon started in background  (PID ${child.pid})`));
@@ -5884,7 +5967,7 @@ program.command("daemon").description("Run the local approval server").argument(
     startDaemon();
   }
 );
-program.command("tail").description("Stream live agent activity to the terminal").option("--history", "Include recent history on connect", false).action(async (options) => {
+program.command("tail").description("Stream live agent activity to the terminal").option("--history", "Include recent history on connect", false).option("--clear", "Clear history buffer and stream live events fresh", false).action(async (options) => {
   const { startTail: startTail2 } = await Promise.resolve().then(() => (init_tail(), tail_exports));
   await startTail2(options);
 });

package/dist/cli.mjs CHANGED Viewed

@@ -397,7 +397,13 @@ var init_config_schema = __esm({
       ),
       value: z.string().optional(),
       flags: z.string().optional()
-    });
+    }).refine(
+      (c) => {
+        if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
+        return true;
+      },
+      { message: "matchesGlob and notMatchesGlob conditions require a value field" }
+    );
     SmartRuleSchema = z.object({
       name: z.string().optional(),
       tool: z.string().min(1, "Smart rule tool must not be empty"),
@@ -416,6 +422,7 @@ var init_config_schema = __esm({
         enableUndo: z.boolean().optional(),
         enableHookLogDebug: z.boolean().optional(),
         approvalTimeoutMs: z.number().nonnegative().optional(),
+        flightRecorder: z.boolean().optional(),
         approvers: z.object({
           native: z.boolean().optional(),
           browser: z.boolean().optional(),
@@ -751,6 +758,7 @@ import path4 from "path";
 import os2 from "os";
 import net from "net";
 import { randomUUID } from "crypto";
+import { spawnSync } from "child_process";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
 function checkPause() {
@@ -915,7 +923,7 @@ function evaluateSmartConditions(args, rule) {
       case "matchesGlob":
         return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
       case "notMatchesGlob":
-        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : true;
+        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : false;
       default:
         return false;
     }
@@ -1028,7 +1036,7 @@ function getGlobalSettings() {
       const parsed = JSON.parse(fs2.readFileSync(globalConfigPath, "utf-8"));
       const settings = parsed.settings || {};
       return {
-        mode: settings.mode || "standard",
+        mode: settings.mode || "audit",
         autoStartDaemon: settings.autoStartDaemon !== false,
         slackEnabled: settings.slackEnabled !== false,
         enableTrustSessions: settings.enableTrustSessions === true,
@@ -1038,7 +1046,7 @@ function getGlobalSettings() {
   } catch {
   }
   return {
-    mode: "standard",
+    mode: "audit",
     autoStartDaemon: true,
     slackEnabled: true,
     enableTrustSessions: false,
@@ -1425,13 +1433,23 @@ function isIgnoredTool(toolName) {
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
 function isDaemonRunning() {
+  const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+  if (fs2.existsSync(pidFile)) {
+    try {
+      const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
+      if (port !== DAEMON_PORT) return false;
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
   try {
-    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
-    if (!fs2.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
-    if (port !== DAEMON_PORT) return false;
-    process.kill(pid, 0);
-    return true;
+    const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 500
+    });
+    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {
     return false;
   }
@@ -2254,15 +2272,17 @@ var init_core = __esm({
       // permanently overwrites file contents (unrecoverable)
     ];
     DEFAULT_CONFIG = {
+      version: "1.0",
       settings: {
-        mode: "standard",
+        mode: "audit",
         autoStartDaemon: true,
         enableUndo: true,
         // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-        enableHookLogDebug: false,
-        approvalTimeoutMs: 0,
-        // 0 = disabled; set e.g. 30000 for 30-second auto-deny
-        approvers: { native: true, browser: true, cloud: true, terminal: true }
+        enableHookLogDebug: true,
+        approvalTimeoutMs: 3e4,
+        // 30-second auto-deny timeout
+        flightRecorder: true,
+        approvers: { native: true, browser: true, cloud: false, terminal: true }
       },
       policy: {
         sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -3913,7 +3933,7 @@ import net2 from "net";
 import fs4 from "fs";
 import path6 from "path";
 import os4 from "os";
-import { spawn as spawn2 } from "child_process";
+import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 import chalk4 from "chalk";
 function atomicWriteSync2(filePath, data, options) {
@@ -4424,6 +4444,11 @@ data: ${JSON.stringify(item.data)}
         res.writeHead(400).end();
       }
     }
+    if (req.method === "POST" && pathname === "/events/clear") {
+      activityRing.length = 0;
+      res.writeHead(200, { "Content-Type": "application/json" });
+      return res.end(JSON.stringify({ ok: true }));
+    }
     if (req.method === "GET" && pathname === "/audit") {
       res.writeHead(200, { "Content-Type": "application/json" });
       return res.end(JSON.stringify(getAuditHistory()));
@@ -4479,6 +4504,35 @@ data: ${JSON.stringify(item.data)}
         server.listen(DAEMON_PORT2, DAEMON_HOST2);
         return;
       }
+      fetch(`http://${DAEMON_HOST2}:${DAEMON_PORT2}/settings`, {
+        signal: AbortSignal.timeout(1e3)
+      }).then((res) => {
+        if (res.ok) {
+          try {
+            const r = spawnSync2("ss", ["-Htnp", `sport = :${DAEMON_PORT2}`], {
+              encoding: "utf8",
+              timeout: 1e3
+            });
+            const match = r.stdout?.match(/pid=(\d+)/);
+            if (match) {
+              const orphanPid = parseInt(match[1], 10);
+              process.kill(orphanPid, 0);
+              atomicWriteSync2(
+                DAEMON_PID_FILE,
+                JSON.stringify({ pid: orphanPid, port: DAEMON_PORT2, internalToken, autoStarted }),
+                { mode: 384 }
+              );
+            }
+          } catch {
+          }
+          process.exit(0);
+        } else {
+          server.listen(DAEMON_PORT2, DAEMON_HOST2);
+        }
+      }).catch(() => {
+        server.listen(DAEMON_PORT2, DAEMON_HOST2);
+      });
+      return;
     }
     console.error(chalk4.red("\n\u{1F6D1} Node9 Daemon Error:"), e.message);
     process.exit(1);
@@ -4558,14 +4612,25 @@ function stopDaemon() {
   }
 }
 function daemonStatus() {
-  if (!fs4.existsSync(DAEMON_PID_FILE))
-    return console.log(chalk4.yellow("Node9 daemon: not running"));
-  try {
-    const { pid } = JSON.parse(fs4.readFileSync(DAEMON_PID_FILE, "utf-8"));
-    process.kill(pid, 0);
-    console.log(chalk4.green("Node9 daemon: running"));
-  } catch {
-    console.log(chalk4.yellow("Node9 daemon: not running (stale PID)"));
+  if (fs4.existsSync(DAEMON_PID_FILE)) {
+    try {
+      const { pid } = JSON.parse(fs4.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      process.kill(pid, 0);
+      console.log(chalk4.green("Node9 daemon: running"));
+      return;
+    } catch {
+      console.log(chalk4.yellow("Node9 daemon: not running (stale PID)"));
+      return;
+    }
+  }
+  const r = spawnSync2("ss", ["-Htnp", `sport = :${DAEMON_PORT2}`], {
+    encoding: "utf8",
+    timeout: 500
+  });
+  if (r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT2}`)) {
+    console.log(chalk4.yellow("Node9 daemon: running (no PID file \u2014 orphaned)"));
+  } else {
+    console.log(chalk4.yellow("Node9 daemon: not running"));
   }
 }
 var ACTIVITY_SOCKET_PATH2, DAEMON_PORT2, DAEMON_HOST2, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, TRUST_DURATIONS, SECRET_KEY_RE, AUTO_DENY_MS, autoStarted, pending, sseClients, abandonTimer, daemonServer, hadBrowserClient, ACTIVITY_RING_SIZE, activityRing;
@@ -4658,6 +4723,13 @@ async function ensureDaemon() {
     } catch {
     }
   }
+  try {
+    const res = await fetch(`http://127.0.0.1:${DAEMON_PORT2}/settings`, {
+      signal: AbortSignal.timeout(500)
+    });
+    if (res.ok) return DAEMON_PORT2;
+  } catch {
+  }
   console.log(chalk5.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
   const child = spawn3(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
@@ -4667,15 +4739,11 @@ async function ensureDaemon() {
   child.unref();
   for (let i = 0; i < 20; i++) {
     await new Promise((r) => setTimeout(r, 250));
-    if (!fs6.existsSync(PID_FILE)) continue;
     try {
       const res = await fetch(`http://127.0.0.1:${DAEMON_PORT2}/settings`, {
         signal: AbortSignal.timeout(500)
       });
-      if (res.ok) {
-        const { port } = JSON.parse(fs6.readFileSync(PID_FILE, "utf-8"));
-        return port;
-      }
+      if (res.ok) return DAEMON_PORT2;
     } catch {
     }
   }
@@ -4684,11 +4752,26 @@ async function ensureDaemon() {
 }
 async function startTail(options = {}) {
   const port = await ensureDaemon();
+  if (options.clear) {
+    await new Promise((resolve) => {
+      const req2 = http2.request(
+        { method: "POST", hostname: "127.0.0.1", port, path: "/events/clear" },
+        (res) => {
+          res.resume();
+          res.on("end", resolve);
+        }
+      );
+      req2.on("error", resolve);
+      req2.end();
+    });
+  }
   const connectionTime = Date.now();
   const pending2 = /* @__PURE__ */ new Map();
   console.log(chalk5.cyan.bold(`
 \u{1F6F0}\uFE0F  Node9 tail  `) + chalk5.dim(`\u2192 localhost:${port}`));
-  if (options.history) {
+  if (options.clear) {
+    console.log(chalk5.dim("History cleared. Showing live events. Press Ctrl+C to exit.\n"));
+  } else if (options.history) {
     console.log(chalk5.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
   } else {
     console.log(
@@ -5057,7 +5140,7 @@ import path9 from "path";
 import os7 from "os";
 // src/undo.ts
-import { spawnSync } from "child_process";
+import { spawnSync as spawnSync3 } from "child_process";
 import fs5 from "fs";
 import path7 from "path";
 import os5 from "os";
@@ -5094,12 +5177,12 @@ async function createShadowSnapshot(tool = "unknown", args = {}) {
     if (!fs5.existsSync(path7.join(cwd, ".git"))) return null;
     const tempIndex = path7.join(cwd, ".git", `node9_index_${Date.now()}`);
     const env = { ...process.env, GIT_INDEX_FILE: tempIndex };
-    spawnSync("git", ["add", "-A"], { env });
-    const treeRes = spawnSync("git", ["write-tree"], { env });
+    spawnSync3("git", ["add", "-A"], { env });
+    const treeRes = spawnSync3("git", ["write-tree"], { env });
     const treeHash = treeRes.stdout.toString().trim();
     if (fs5.existsSync(tempIndex)) fs5.unlinkSync(tempIndex);
     if (!treeHash || treeRes.status !== 0) return null;
-    const commitRes = spawnSync("git", [
+    const commitRes = spawnSync3("git", [
       "commit-tree",
       treeHash,
       "-m",
@@ -5130,10 +5213,10 @@ function getSnapshotHistory() {
 }
 function computeUndoDiff(hash, cwd) {
   try {
-    const result = spawnSync("git", ["diff", hash, "--stat", "--", "."], { cwd });
+    const result = spawnSync3("git", ["diff", hash, "--stat", "--", "."], { cwd });
     const stat = result.stdout.toString().trim();
     if (!stat) return null;
-    const diff = spawnSync("git", ["diff", hash, "--", "."], { cwd });
+    const diff = spawnSync3("git", ["diff", hash, "--", "."], { cwd });
     const raw = diff.stdout.toString();
     if (!raw) return null;
     const lines = raw.split("\n").filter(
@@ -5147,14 +5230,14 @@ function computeUndoDiff(hash, cwd) {
 function applyUndo(hash, cwd) {
   try {
     const dir = cwd ?? process.cwd();
-    const restore = spawnSync("git", ["restore", "--source", hash, "--staged", "--worktree", "."], {
+    const restore = spawnSync3("git", ["restore", "--source", hash, "--staged", "--worktree", "."], {
       cwd: dir
     });
     if (restore.status !== 0) return false;
-    const lsTree = spawnSync("git", ["ls-tree", "-r", "--name-only", hash], { cwd: dir });
+    const lsTree = spawnSync3("git", ["ls-tree", "-r", "--name-only", hash], { cwd: dir });
     const snapshotFiles = new Set(lsTree.stdout.toString().trim().split("\n").filter(Boolean));
-    const tracked = spawnSync("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
-    const untracked = spawnSync("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
+    const tracked = spawnSync3("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
+    const untracked = spawnSync3("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     for (const file of [...tracked, ...untracked]) {
       const fullPath = path7.join(dir, file);
       if (!snapshotFiles.has(file) && fs5.existsSync(fullPath)) {
@@ -5863,7 +5946,7 @@ program.command("daemon").description("Run the local approval server").argument(
     startDaemon();
   }
 );
-program.command("tail").description("Stream live agent activity to the terminal").option("--history", "Include recent history on connect", false).action(async (options) => {
+program.command("tail").description("Stream live agent activity to the terminal").option("--history", "Include recent history on connect", false).option("--clear", "Clear history buffer and stream live events fresh", false).action(async (options) => {
   const { startTail: startTail2 } = await Promise.resolve().then(() => (init_tail(), tail_exports));
   await startTail2(options);
 });

package/dist/index.js CHANGED Viewed

@@ -42,6 +42,7 @@ var import_path4 = __toESM(require("path"));
 var import_os2 = __toESM(require("os"));
 var import_net = __toESM(require("net"));
 var import_crypto = require("crypto");
+var import_child_process2 = require("child_process");
 var import_picomatch = __toESM(require("picomatch"));
 var import_sh_syntax = require("sh-syntax");
@@ -392,7 +393,13 @@ var SmartConditionSchema = import_zod.z.object({
   ),
   value: import_zod.z.string().optional(),
   flags: import_zod.z.string().optional()
-});
+}).refine(
+  (c) => {
+    if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
+    return true;
+  },
+  { message: "matchesGlob and notMatchesGlob conditions require a value field" }
+);
 var SmartRuleSchema = import_zod.z.object({
   name: import_zod.z.string().optional(),
   tool: import_zod.z.string().min(1, "Smart rule tool must not be empty"),
@@ -411,6 +418,7 @@ var ConfigFileSchema = import_zod.z.object({
     enableUndo: import_zod.z.boolean().optional(),
     enableHookLogDebug: import_zod.z.boolean().optional(),
     approvalTimeoutMs: import_zod.z.number().nonnegative().optional(),
+    flightRecorder: import_zod.z.boolean().optional(),
     approvers: import_zod.z.object({
       native: import_zod.z.boolean().optional(),
       browser: import_zod.z.boolean().optional(),
@@ -885,7 +893,7 @@ function evaluateSmartConditions(args, rule) {
       case "matchesGlob":
         return val !== null && cond.value ? import_picomatch.default.isMatch(val, cond.value) : false;
       case "notMatchesGlob":
-        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : true;
+        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : false;
       default:
         return false;
     }
@@ -996,15 +1004,17 @@ var DANGEROUS_WORDS = [
   // permanently overwrites file contents (unrecoverable)
 ];
 var DEFAULT_CONFIG = {
+  version: "1.0",
   settings: {
-    mode: "standard",
+    mode: "audit",
     autoStartDaemon: true,
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-    enableHookLogDebug: false,
-    approvalTimeoutMs: 0,
-    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
-    approvers: { native: true, browser: true, cloud: true, terminal: true }
+    enableHookLogDebug: true,
+    approvalTimeoutMs: 3e4,
+    // 30-second auto-deny timeout
+    flightRecorder: true,
+    approvers: { native: true, browser: true, cloud: false, terminal: true }
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -1315,13 +1325,23 @@ function isIgnoredTool(toolName) {
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
+  const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
+  if (import_fs2.default.existsSync(pidFile)) {
+    try {
+      const { pid, port } = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
+      if (port !== DAEMON_PORT) return false;
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
   try {
-    const pidFile = import_path4.default.join(import_os2.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs2.default.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(import_fs2.default.readFileSync(pidFile, "utf-8"));
-    if (port !== DAEMON_PORT) return false;
-    process.kill(pid, 0);
-    return true;
+    const r = (0, import_child_process2.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 500
+    });
+    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {
     return false;
   }

package/dist/index.mjs CHANGED Viewed

@@ -6,6 +6,7 @@ import path4 from "path";
 import os2 from "os";
 import net from "net";
 import { randomUUID } from "crypto";
+import { spawnSync } from "child_process";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
@@ -356,7 +357,13 @@ var SmartConditionSchema = z.object({
   ),
   value: z.string().optional(),
   flags: z.string().optional()
-});
+}).refine(
+  (c) => {
+    if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
+    return true;
+  },
+  { message: "matchesGlob and notMatchesGlob conditions require a value field" }
+);
 var SmartRuleSchema = z.object({
   name: z.string().optional(),
   tool: z.string().min(1, "Smart rule tool must not be empty"),
@@ -375,6 +382,7 @@ var ConfigFileSchema = z.object({
     enableUndo: z.boolean().optional(),
     enableHookLogDebug: z.boolean().optional(),
     approvalTimeoutMs: z.number().nonnegative().optional(),
+    flightRecorder: z.boolean().optional(),
     approvers: z.object({
       native: z.boolean().optional(),
       browser: z.boolean().optional(),
@@ -849,7 +857,7 @@ function evaluateSmartConditions(args, rule) {
       case "matchesGlob":
         return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
       case "notMatchesGlob":
-        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : true;
+        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : false;
       default:
         return false;
     }
@@ -960,15 +968,17 @@ var DANGEROUS_WORDS = [
   // permanently overwrites file contents (unrecoverable)
 ];
 var DEFAULT_CONFIG = {
+  version: "1.0",
   settings: {
-    mode: "standard",
+    mode: "audit",
     autoStartDaemon: true,
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-    enableHookLogDebug: false,
-    approvalTimeoutMs: 0,
-    // 0 = disabled; set e.g. 30000 for 30-second auto-deny
-    approvers: { native: true, browser: true, cloud: true, terminal: true }
+    enableHookLogDebug: true,
+    approvalTimeoutMs: 3e4,
+    // 30-second auto-deny timeout
+    flightRecorder: true,
+    approvers: { native: true, browser: true, cloud: false, terminal: true }
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -1279,13 +1289,23 @@ function isIgnoredTool(toolName) {
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
+  const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
+  if (fs2.existsSync(pidFile)) {
+    try {
+      const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
+      if (port !== DAEMON_PORT) return false;
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
   try {
-    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
-    if (!fs2.existsSync(pidFile)) return false;
-    const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
-    if (port !== DAEMON_PORT) return false;
-    process.kill(pid, 0);
-    return true;
+    const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 500
+    });
+    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {
     return false;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",