@node9/proxy 1.0.7 → 1.0.9

package/dist/index.mjs

@@ -2,24 +2,124 @@
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
 import fs from "fs";
-import path from "path";
+import path3 from "path";
 import os from "os";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
 
 // src/ui/native.ts
 import { spawn } from "child_process";
+import path2 from "path";
 import chalk from "chalk";
-var isTestEnv = () => {
-  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
-};
+
+// src/context-sniper.ts
+import path from "path";
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
   return `${str.slice(0, edge)} ... ${str.slice(-edge)}`;
 }
-function formatArgs(args) {
-  if (args === null || args === void 0) return "(none)";
+function extractContext(text, matchedWord) {
+  const lines = text.split("\n");
+  if (lines.length <= 7 || !matchedWord) {
+    return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+  }
+  const escaped = matchedWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const pattern = new RegExp(`\\b${escaped}\\b`, "i");
+  const allHits = lines.map((line, i) => ({ i, line })).filter(({ line }) => pattern.test(line));
+  if (allHits.length === 0) return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+  const nonComment = allHits.find(({ line }) => {
+    const trimmed = line.trim();
+    return !trimmed.startsWith("//") && !trimmed.startsWith("#");
+  });
+  const hitIndex = (nonComment ?? allHits[0]).i;
+  const start = Math.max(0, hitIndex - 3);
+  const end = Math.min(lines.length, hitIndex + 4);
+  const lineIndex = hitIndex - start;
+  const snippet = lines.slice(start, end).map((line, i) => `${start + i === hitIndex ? "\u{1F6D1} " : "   "}${line}`).join("\n");
+  const head = start > 0 ? `... [${start} lines hidden] ...
+` : "";
+  const tail = end < lines.length ? `
+... [${lines.length - end} lines hidden] ...` : "";
+  return { snippet: `${head}${snippet}${tail}`, lineIndex };
+}
+var CODE_KEYS = [
+  "command",
+  "cmd",
+  "shell_command",
+  "bash_command",
+  "script",
+  "code",
+  "input",
+  "sql",
+  "query",
+  "arguments",
+  "args",
+  "param",
+  "params",
+  "text"
+];
+function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWord, ruleName) {
+  let intent = "EXEC";
+  let contextSnippet;
+  let contextLineIndex;
+  let editFileName;
+  let editFilePath;
+  let parsed = args;
+  if (typeof args === "string") {
+    const trimmed = args.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+      }
+    }
+  }
+  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      intent = "EDIT";
+      if (obj.file_path) {
+        editFilePath = String(obj.file_path);
+        editFileName = path.basename(editFilePath);
+      }
+      const result = extractContext(String(obj.new_string), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else if (matchedField && obj[matchedField] !== void 0) {
+      const result = extractContext(String(obj[matchedField]), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else {
+      const foundKey = Object.keys(obj).find((k) => CODE_KEYS.includes(k.toLowerCase()));
+      if (foundKey) {
+        const val = obj[foundKey];
+        contextSnippet = smartTruncate(typeof val === "string" ? val : JSON.stringify(val), 500);
+      }
+    }
+  } else if (typeof parsed === "string") {
+    contextSnippet = smartTruncate(parsed, 500);
+  }
+  return {
+    intent,
+    tier,
+    blockedByLabel,
+    ...matchedWord && { matchedWord },
+    ...matchedField && { matchedField },
+    ...contextSnippet !== void 0 && { contextSnippet },
+    ...contextLineIndex !== void 0 && { contextLineIndex },
+    ...editFileName && { editFileName },
+    ...editFilePath && { editFilePath },
+    ...ruleName && { ruleName }
+  };
+}
+
+// src/ui/native.ts
+var isTestEnv = () => {
+  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
+};
+function formatArgs(args, matchedField, matchedWord) {
+  if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
   if (typeof args === "string") {
     const trimmed = args.trim();
@@ -30,11 +130,39 @@ function formatArgs(args) {
         parsed = args;
       }
     } else {
-      return smartTruncate(args, 600);
+      return { message: smartTruncate(args, 600), intent: "EXEC" };
     }
   }
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      const file = obj.file_path ? path2.basename(String(obj.file_path)) : "file";
+      const oldPreview = smartTruncate(String(obj.old_string), 120);
+      const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
+      return {
+        intent: "EDIT",
+        message: `\u{1F4DD} EDITING: ${file}
+\u{1F4C2} PATH: ${obj.file_path}
+
+--- REPLACING ---
+${oldPreview}
+
++++ NEW CODE +++
+${newPreview}`
+      };
+    }
+    if (matchedField && obj[matchedField] !== void 0) {
+      const otherKeys = Object.keys(obj).filter((k) => k !== matchedField);
+      const context = otherKeys.length > 0 ? `\u2699\uFE0F  Context: ${otherKeys.map((k) => `${k}=${smartTruncate(typeof obj[k] === "object" ? JSON.stringify(obj[k]) : String(obj[k]), 30)}`).join(", ")}
+
+` : "";
+      const content = extractContext(String(obj[matchedField]), matchedWord).snippet;
+      return {
+        intent: "EXEC",
+        message: `${context}\u{1F6D1} [${matchedField.toUpperCase()}]:
+${content}`
+      };
+    }
     const codeKeys = [
       "command",
       "cmd",
@@ -55,14 +183,18 @@ function formatArgs(args) {
     if (foundKey) {
       const val = obj[foundKey];
       const str = typeof val === "string" ? val : JSON.stringify(val);
-      return `[${foundKey.toUpperCase()}]:
-${smartTruncate(str, 500)}`;
+      return {
+        intent: "EXEC",
+        message: `[${foundKey.toUpperCase()}]:
+${smartTruncate(str, 500)}`
+      };
     }
-    return Object.entries(obj).slice(0, 5).map(
+    const msg = Object.entries(obj).slice(0, 5).map(
       ([k, v]) => `  ${k}: ${smartTruncate(typeof v === "string" ? v : JSON.stringify(v), 300)}`
     ).join("\n");
+    return { intent: "EXEC", message: msg };
   }
-  return smartTruncate(JSON.stringify(parsed), 200);
+  return { intent: "EXEC", message: smartTruncate(JSON.stringify(parsed), 200) };
 }
 function sendDesktopNotification(title, body) {
   if (isTestEnv()) return;
@@ -115,10 +247,11 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
   if (isTestEnv()) return "deny";
-  const formattedArgs = formatArgs(args);
-  const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 Action Approval`;
+  const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
+  const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
+  const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
   const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
   process.stderr.write(chalk.yellow(`
 \u{1F6E1}\uFE0F  Node9: Intercepted "${toolName}" \u2014 awaiting user...
@@ -195,11 +328,113 @@ end run`;
   });
 }
 
+// src/config-schema.ts
+import { z } from "zod";
+var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
+  message: "Value must not contain literal newline characters (use \\n instead)"
+});
+var validRegex = noNewlines.refine(
+  (s) => {
+    try {
+      new RegExp(s);
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Value must be a valid regular expression" }
+);
+var SmartConditionSchema = z.object({
+  field: z.string().min(1, "Condition field must not be empty"),
+  op: z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
+    errorMap: () => ({
+      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
+    })
+  }),
+  value: validRegex.optional(),
+  flags: z.string().optional()
+});
+var SmartRuleSchema = z.object({
+  name: z.string().optional(),
+  tool: z.string().min(1, "Smart rule tool must not be empty"),
+  conditions: z.array(SmartConditionSchema).min(1, "Smart rule must have at least one condition"),
+  conditionMode: z.enum(["all", "any"]).optional(),
+  verdict: z.enum(["allow", "review", "block"], {
+    errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
+  }),
+  reason: z.string().optional()
+});
+var PolicyRuleSchema = z.object({
+  action: z.string().min(1),
+  allowPaths: z.array(z.string()).optional(),
+  blockPaths: z.array(z.string()).optional()
+});
+var ConfigFileSchema = z.object({
+  version: z.string().optional(),
+  settings: z.object({
+    mode: z.enum(["standard", "strict", "audit"]).optional(),
+    autoStartDaemon: z.boolean().optional(),
+    enableUndo: z.boolean().optional(),
+    enableHookLogDebug: z.boolean().optional(),
+    approvalTimeoutMs: z.number().nonnegative().optional(),
+    approvers: z.object({
+      native: z.boolean().optional(),
+      browser: z.boolean().optional(),
+      cloud: z.boolean().optional(),
+      terminal: z.boolean().optional()
+    }).optional(),
+    environment: z.string().optional(),
+    slackEnabled: z.boolean().optional(),
+    enableTrustSessions: z.boolean().optional(),
+    allowGlobalPause: z.boolean().optional()
+  }).optional(),
+  policy: z.object({
+    sandboxPaths: z.array(z.string()).optional(),
+    dangerousWords: z.array(noNewlines).optional(),
+    ignoredTools: z.array(z.string()).optional(),
+    toolInspection: z.record(z.string()).optional(),
+    rules: z.array(PolicyRuleSchema).optional(),
+    smartRules: z.array(SmartRuleSchema).optional(),
+    snapshot: z.object({
+      tools: z.array(z.string()).optional(),
+      onlyPaths: z.array(z.string()).optional(),
+      ignorePaths: z.array(z.string()).optional()
+    }).optional()
+  }).optional(),
+  environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
+}).strict({ message: "Config contains unknown top-level keys" });
+function sanitizeConfig(raw) {
+  const result = ConfigFileSchema.safeParse(raw);
+  if (result.success) {
+    return { sanitized: result.data, error: null };
+  }
+  const invalidTopLevelKeys = new Set(
+    result.error.issues.filter((issue) => issue.path.length > 0).map((issue) => String(issue.path[0]))
+  );
+  const sanitized = {};
+  if (typeof raw === "object" && raw !== null) {
+    for (const [key, value] of Object.entries(raw)) {
+      if (!invalidTopLevelKeys.has(key)) {
+        sanitized[key] = value;
+      }
+    }
+  }
+  const lines = result.error.issues.map((issue) => {
+    const path4 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path4}: ${issue.message}`;
+  });
+  return {
+    sanitized,
+    error: `Invalid config:
+${lines.join("\n")}`
+  };
+}
+
 // src/core.ts
-var PAUSED_FILE = path.join(os.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path.join(os.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = path3.join(os.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path3.join(os.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path3.join(os.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path3.join(os.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!fs.existsSync(PAUSED_FILE)) return { paused: false };
@@ -217,7 +452,7 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path.dirname(filePath);
+  const dir = path3.dirname(filePath);
   if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${os.hostname()}.${process.pid}.tmp`;
   fs.writeFileSync(tmpPath, data, options);
@@ -258,7 +493,7 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = path.dirname(logPath);
+    const dir = path3.dirname(logPath);
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
     fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
@@ -302,9 +537,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path2) {
+function getNestedValue(obj, path4) {
   if (!obj || typeof obj !== "object") return null;
-  return path2.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path4.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -441,15 +676,10 @@ function redactSecrets(text) {
   return redacted;
 }
 var DANGEROUS_WORDS = [
-  "drop",
-  "truncate",
-  "purge",
-  "format",
-  "destroy",
-  "terminate",
-  "revoke",
-  "docker",
-  "psql"
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
 ];
 var DEFAULT_CONFIG = {
   settings: {
@@ -493,7 +723,21 @@ var DEFAULT_CONFIG = {
       "terminal.execute": "command",
       "postgres:query": "sql"
     },
+    snapshot: {
+      tools: [
+        "str_replace_based_edit_tool",
+        "write_file",
+        "edit_file",
+        "create_file",
+        "edit",
+        "replace"
+      ],
+      onlyPaths: [],
+      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
+    },
     rules: [
+      // Only use the legacy rules format for simple path-based rm control.
+      // All other command-level enforcement lives in smartRules below.
       {
         action: "rm",
         allowPaths: [
@@ -510,6 +754,7 @@ var DEFAULT_CONFIG = {
       }
     ],
     smartRules: [
+      // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
         tool: "*",
@@ -520,6 +765,84 @@ var DEFAULT_CONFIG = {
         conditionMode: "all",
         verdict: "review",
         reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      },
+      {
+        name: "review-drop-truncate-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "SQL DDL destructive statement inside a shell command"
+      },
+      // ── Git safety ────────────────────────────────────────────────────────
+      {
+        name: "block-force-push",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git push.*(--force|--force-with-lease|-f\\b)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Force push overwrites remote history and cannot be undone"
+      },
+      {
+        name: "review-git-push",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*git push\\b", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "git push sends changes to a shared remote"
+      },
+      {
+        name: "review-git-destructive",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase|tag\\s+-d|branch\\s+-[dD])",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
+      {
+        name: "review-sudo",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*sudo\\s", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Command requires elevated privileges"
+      },
+      {
+        name: "review-curl-pipe-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
     ]
   },
@@ -528,7 +851,7 @@ var DEFAULT_CONFIG = {
 var cachedConfig = null;
 function getInternalToken() {
   try {
-    const pidFile = path.join(os.homedir(), ".node9", "daemon.pid");
+    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
     if (!fs.existsSync(pidFile)) return null;
     const data = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
@@ -549,7 +872,9 @@ async function evaluatePolicy(toolName, args, agent) {
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool
       };
     }
   }
@@ -564,7 +889,7 @@ async function evaluatePolicy(toolName, args, agent) {
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
+      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
@@ -587,7 +912,7 @@ async function evaluatePolicy(toolName, args, agent) {
     );
     const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
     if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
     }
     return { decision: "allow" };
   }
@@ -605,14 +930,16 @@ async function evaluatePolicy(toolName, args, agent) {
         if (anyBlocked)
           return {
             decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
+            tier: 5
           };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
       return {
         decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
+        tier: 5
       };
     }
   }
@@ -632,15 +959,36 @@ async function evaluatePolicy(toolName, args, agent) {
     })
   );
   if (isDangerous) {
+    let matchedField;
+    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
+      const obj = args;
+      for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === "string") {
+          try {
+            if (new RegExp(
+              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
+              "i"
+            ).test(value)) {
+              matchedField = key;
+              break;
+            }
+          } catch {
+          }
+        }
+      }
+    }
     return {
       decision: "review",
-      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
+      matchedWord: matchedDangerousWord,
+      matchedField,
+      tier: 6
     };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
     if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
   }
   return { decision: "allow" };
 }
@@ -652,7 +1000,7 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = path.join(os.homedir(), ".node9", "daemon.pid");
+    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
     if (!fs.existsSync(pidFile)) return false;
     const { pid, port } = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
@@ -664,7 +1012,7 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path.join(os.homedir(), ".node9", "decisions.json");
+    const file = path3.join(os.homedir(), ".node9", "decisions.json");
     if (!fs.existsSync(file)) return null;
     const decisions = JSON.parse(fs.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
@@ -673,7 +1021,7 @@ function getPersistentDecision(toolName) {
   }
   return null;
 }
-async function askDaemon(toolName, args, meta, signal) {
+async function askDaemon(toolName, args, meta, signal, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const checkCtrl = new AbortController();
   const checkTimer = setTimeout(() => checkCtrl.abort(), 5e3);
@@ -683,7 +1031,13 @@ async function askDaemon(toolName, args, meta, signal) {
     const checkRes = await fetch(`${base}/check`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ toolName, args, agent: meta?.agent, mcpServer: meta?.mcpServer }),
+      body: JSON.stringify({
+        toolName,
+        args,
+        agent: meta?.agent,
+        mcpServer: meta?.mcpServer,
+        ...riskMetadata && { riskMetadata }
+      }),
       signal: checkCtrl.signal
     });
     if (!checkRes.ok) throw new Error("Daemon fail");
@@ -708,7 +1062,7 @@ async function askDaemon(toolName, args, meta, signal) {
     if (signal) signal.removeEventListener("abort", onAbort);
   }
 }
-async function notifyDaemonViewer(toolName, args, meta) {
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const res = await fetch(`${base}/check`, {
     method: "POST",
@@ -718,7 +1072,8 @@ async function notifyDaemonViewer(toolName, args, meta) {
       args,
       slackDelegated: true,
       agent: meta?.agent,
-      mcpServer: meta?.mcpServer
+      mcpServer: meta?.mcpServer,
+      ...riskMetadata && { riskMetadata }
     }),
     signal: AbortSignal.timeout(3e3)
   });
@@ -735,7 +1090,7 @@ async function resolveViaDaemon(id, decision, internalToken) {
     signal: AbortSignal.timeout(3e3)
   });
 }
-async function authorizeHeadless(toolName, args, allowTerminalFallback = false, meta) {
+async function authorizeHeadless(toolName, args, allowTerminalFallback = false, meta, options) {
   if (process.env.NODE9_PAUSED === "1") return { approved: true, checkedBy: "paused" };
   const pauseState = checkPause();
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
@@ -755,11 +1110,17 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
+  let policyMatchedField;
+  let policyMatchedWord;
+  let riskMetadata;
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        if (approvers.cloud && creds?.apiKey) {
+          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
+        }
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -770,13 +1131,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   }
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "trust", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -790,9 +1153,20 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       };
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
+    policyMatchedField = policyResult.matchedField;
+    policyMatchedWord = policyResult.matchedWord;
+    riskMetadata = computeRiskMetadata(
+      args,
+      policyResult.tier ?? 6,
+      explainableLabel,
+      policyMatchedField,
+      policyMatchedWord,
+      policyResult.ruleName
+    );
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -806,7 +1180,6 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       };
     }
   } else {
-    if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
@@ -815,8 +1188,21 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
     try {
-      const initResult = await initNode9SaaS(toolName, args, creds, meta);
+      const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
+        if (initResult.shadowMode) {
+          console.error(
+            chalk2.yellow(
+              `
+\u26A0\uFE0F  Node9 Shadow Mode: Action allowed, but would have been blocked by company policy.`
+            )
+          );
+          if (initResult.shadowReason) {
+            console.error(chalk2.dim(`   Reason: ${initResult.shadowReason}
+`));
+          }
+          return { approved: true, checkedBy: "cloud" };
+        }
         return {
           approved: !!initResult.approved,
           reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
@@ -841,18 +1227,22 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       );
     }
   }
-  if (cloudEnforced && cloudRequestId) {
-    console.error(
-      chalk2.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
-    );
-    console.error(chalk2.cyan("   Dashboard  \u2192 ") + chalk2.bold("Mission Control > Activity Feed\n"));
-  } else if (!cloudEnforced) {
-    const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
-    console.error(
-      chalk2.dim(`
+  if (!options?.calledFromDaemon) {
+    if (cloudEnforced && cloudRequestId) {
+      console.error(
+        chalk2.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
+      );
+      console.error(
+        chalk2.cyan("   Dashboard  \u2192 ") + chalk2.bold("Mission Control > Activity Feed\n")
+      );
+    } else if (!cloudEnforced) {
+      const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
+      console.error(
+        chalk2.dim(`
 \u{1F6E1}\uFE0F  Node9: intercepted "${toolName}" \u2014 cloud off (${cloudOffReason})
 `)
-    );
+      );
+    }
   }
   const abortController = new AbortController();
   const { signal } = abortController;
@@ -882,8 +1272,10 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     racePromises.push(
       (async () => {
         try {
-          if (isDaemonRunning() && internalToken) {
-            viewerId = await notifyDaemonViewer(toolName, args, meta).catch(() => null);
+          if (isDaemonRunning() && internalToken && !options?.calledFromDaemon) {
+            viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(
+              () => null
+            );
           }
           const cloudResult = await pollNode9SaaS(cloudRequestId, creds, signal);
           return {
@@ -901,7 +1293,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.native && !isManual) {
+  if (approvers.native && !isManual && !options?.calledFromDaemon) {
     racePromises.push(
       (async () => {
         const decision = await askNativePopup(
@@ -910,7 +1302,9 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
           meta?.agent,
           explainableLabel,
           isRemoteLocked,
-          signal
+          signal,
+          policyMatchedField,
+          policyMatchedWord
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -927,7 +1321,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.browser && isDaemonRunning()) {
+  if (approvers.browser && isDaemonRunning() && !options?.calledFromDaemon && !cloudEnforced) {
     racePromises.push(
       (async () => {
         try {
@@ -938,7 +1332,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
             console.error(chalk2.cyan(`   URL \u2192 http://${DAEMON_HOST}:${DAEMON_PORT}/
 `));
           }
-          const daemonDecision = await askDaemon(toolName, args, meta, signal);
+          const daemonDecision = await askDaemon(toolName, args, meta, signal, riskMetadata);
           if (daemonDecision === "abandoned") throw new Error("Abandoned");
           const isApproved = daemonDecision === "allow";
           return {
@@ -1063,8 +1457,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = path.join(os.homedir(), ".node9", "config.json");
-  const projectPath = path.join(process.cwd(), "node9.config.json");
+  const globalPath = path3.join(os.homedir(), ".node9", "config.json");
+  const projectPath = path3.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1077,7 +1471,12 @@ function getConfig() {
     ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
     toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
     rules: [...DEFAULT_CONFIG.policy.rules],
-    smartRules: [...DEFAULT_CONFIG.policy.smartRules]
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
+    snapshot: {
+      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
+      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
+      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
+    }
   };
   const applyLayer = (source) => {
     if (!source) return;
@@ -1089,6 +1488,7 @@ function getConfig() {
     if (s.enableHookLogDebug !== void 0)
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
     if (s.environment !== void 0) mergedSettings.environment = s.environment;
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
@@ -1097,6 +1497,12 @@ function getConfig() {
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
     if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
+    if (p.snapshot) {
+      const s2 = p.snapshot;
+      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
+      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
+      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
+    }
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
@@ -1104,6 +1510,9 @@ function getConfig() {
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
   mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
+  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
+  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
   cachedConfig = {
     settings: mergedSettings,
     policy: mergedPolicy,
@@ -1113,11 +1522,33 @@ function getConfig() {
 }
 function tryLoadConfig(filePath) {
   if (!fs.existsSync(filePath)) return null;
+  let raw;
   try {
-    return JSON.parse(fs.readFileSync(filePath, "utf-8"));
-  } catch {
+    raw = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+
+`
+    );
     return null;
   }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+
+`
+    );
+  }
+  return sanitized;
 }
 function getActiveEnvironment(config) {
   const env = config.settings.environment || process.env.NODE_ENV || "development";
@@ -1132,7 +1563,7 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = path.join(os.homedir(), ".node9", "credentials.json");
+    const credPath = path3.join(os.homedir(), ".node9", "credentials.json");
     if (fs.existsSync(credPath)) {
       const creds = JSON.parse(fs.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
@@ -1159,9 +1590,7 @@ async function authorizeAction(toolName, args) {
   return result.approved;
 }
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
-  const controller = new AbortController();
-  setTimeout(() => controller.abort(), 5e3);
-  fetch(`${creds.apiUrl}/audit`, {
+  return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
     body: JSON.stringify({
@@ -1176,11 +1605,12 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
         platform: os.platform()
       }
     }),
-    signal: controller.signal
+    signal: AbortSignal.timeout(5e3)
+  }).then(() => {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, meta) {
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   try {
@@ -1196,7 +1626,8 @@ async function initNode9SaaS(toolName, args, creds, meta) {
           hostname: os.hostname(),
           cwd: process.cwd(),
           platform: os.platform()
-        }
+        },
+        ...riskMetadata && { riskMetadata }
       }),
       signal: controller.signal
     });