npm - @node9/proxy - Versions diffs - 1.0.8 → 1.0.10 - Mend

@node9/proxy 1.0.8 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js CHANGED Viewed

@@ -30,18 +30,18 @@ var import_commander = require("commander");
 var import_chalk2 = __toESM(require("chalk"));
 var import_prompts = require("@inquirer/prompts");
 var import_fs = __toESM(require("fs"));
-var import_path2 = __toESM(require("path"));
+var import_path3 = __toESM(require("path"));
 var import_os = __toESM(require("os"));
 var import_picomatch = __toESM(require("picomatch"));
 var import_sh_syntax = require("sh-syntax");
 // src/ui/native.ts
 var import_child_process = require("child_process");
-var import_path = __toESM(require("path"));
+var import_path2 = __toESM(require("path"));
 var import_chalk = __toESM(require("chalk"));
-var isTestEnv = () => {
-  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
-};
+// src/context-sniper.ts
+var import_path = __toESM(require("path"));
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -49,11 +49,13 @@ function smartTruncate(str, maxLen = 500) {
 }
 function extractContext(text, matchedWord) {
   const lines = text.split("\n");
-  if (lines.length <= 7 || !matchedWord) return smartTruncate(text, 500);
+  if (lines.length <= 7 || !matchedWord) {
+    return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+  }
   const escaped = matchedWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
   const pattern = new RegExp(`\\b${escaped}\\b`, "i");
   const allHits = lines.map((line, i) => ({ i, line })).filter(({ line }) => pattern.test(line));
-  if (allHits.length === 0) return smartTruncate(text, 500);
+  if (allHits.length === 0) return { snippet: smartTruncate(text, 500), lineIndex: -1 };
   const nonComment = allHits.find(({ line }) => {
     const trimmed = line.trim();
     return !trimmed.startsWith("//") && !trimmed.startsWith("#");
@@ -61,13 +63,89 @@ function extractContext(text, matchedWord) {
   const hitIndex = (nonComment ?? allHits[0]).i;
   const start = Math.max(0, hitIndex - 3);
   const end = Math.min(lines.length, hitIndex + 4);
+  const lineIndex = hitIndex - start;
   const snippet = lines.slice(start, end).map((line, i) => `${start + i === hitIndex ? "\u{1F6D1} " : "   "}${line}`).join("\n");
   const head = start > 0 ? `... [${start} lines hidden] ...
 ` : "";
   const tail = end < lines.length ? `
 ... [${lines.length - end} lines hidden] ...` : "";
-  return `${head}${snippet}${tail}`;
+  return { snippet: `${head}${snippet}${tail}`, lineIndex };
 }
+var CODE_KEYS = [
+  "command",
+  "cmd",
+  "shell_command",
+  "bash_command",
+  "script",
+  "code",
+  "input",
+  "sql",
+  "query",
+  "arguments",
+  "args",
+  "param",
+  "params",
+  "text"
+];
+function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWord, ruleName) {
+  let intent = "EXEC";
+  let contextSnippet;
+  let contextLineIndex;
+  let editFileName;
+  let editFilePath;
+  let parsed = args;
+  if (typeof args === "string") {
+    const trimmed = args.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+      }
+    }
+  }
+  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      intent = "EDIT";
+      if (obj.file_path) {
+        editFilePath = String(obj.file_path);
+        editFileName = import_path.default.basename(editFilePath);
+      }
+      const result = extractContext(String(obj.new_string), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else if (matchedField && obj[matchedField] !== void 0) {
+      const result = extractContext(String(obj[matchedField]), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else {
+      const foundKey = Object.keys(obj).find((k) => CODE_KEYS.includes(k.toLowerCase()));
+      if (foundKey) {
+        const val = obj[foundKey];
+        contextSnippet = smartTruncate(typeof val === "string" ? val : JSON.stringify(val), 500);
+      }
+    }
+  } else if (typeof parsed === "string") {
+    contextSnippet = smartTruncate(parsed, 500);
+  }
+  return {
+    intent,
+    tier,
+    blockedByLabel,
+    ...matchedWord && { matchedWord },
+    ...matchedField && { matchedField },
+    ...contextSnippet !== void 0 && { contextSnippet },
+    ...contextLineIndex !== void 0 && { contextLineIndex },
+    ...editFileName && { editFileName },
+    ...editFilePath && { editFilePath },
+    ...ruleName && { ruleName }
+  };
+}
+// src/ui/native.ts
+var isTestEnv = () => {
+  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
+};
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -86,9 +164,9 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? import_path.default.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? import_path2.default.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
-      const newPreview = extractContext(String(obj.new_string), matchedWord);
+      const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
         intent: "EDIT",
         message: `\u{1F4DD} EDITING: ${file}
@@ -106,7 +184,7 @@ ${newPreview}`
       const context = otherKeys.length > 0 ? `\u2699\uFE0F  Context: ${otherKeys.map((k) => `${k}=${smartTruncate(typeof obj[k] === "object" ? JSON.stringify(obj[k]) : String(obj[k]), 30)}`).join(", ")}
 ` : "";
-      const content = extractContext(String(obj[matchedField]), matchedWord);
+      const content = extractContext(String(obj[matchedField]), matchedWord).snippet;
       return {
         intent: "EXEC",
         message: `${context}\u{1F6D1} [${matchedField.toUpperCase()}]:
@@ -278,11 +356,113 @@ end run`;
   });
 }
+// src/config-schema.ts
+var import_zod = require("zod");
+var noNewlines = import_zod.z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
+  message: "Value must not contain literal newline characters (use \\n instead)"
+});
+var validRegex = noNewlines.refine(
+  (s) => {
+    try {
+      new RegExp(s);
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Value must be a valid regular expression" }
+);
+var SmartConditionSchema = import_zod.z.object({
+  field: import_zod.z.string().min(1, "Condition field must not be empty"),
+  op: import_zod.z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
+    errorMap: () => ({
+      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
+    })
+  }),
+  value: validRegex.optional(),
+  flags: import_zod.z.string().optional()
+});
+var SmartRuleSchema = import_zod.z.object({
+  name: import_zod.z.string().optional(),
+  tool: import_zod.z.string().min(1, "Smart rule tool must not be empty"),
+  conditions: import_zod.z.array(SmartConditionSchema).min(1, "Smart rule must have at least one condition"),
+  conditionMode: import_zod.z.enum(["all", "any"]).optional(),
+  verdict: import_zod.z.enum(["allow", "review", "block"], {
+    errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
+  }),
+  reason: import_zod.z.string().optional()
+});
+var PolicyRuleSchema = import_zod.z.object({
+  action: import_zod.z.string().min(1),
+  allowPaths: import_zod.z.array(import_zod.z.string()).optional(),
+  blockPaths: import_zod.z.array(import_zod.z.string()).optional()
+});
+var ConfigFileSchema = import_zod.z.object({
+  version: import_zod.z.string().optional(),
+  settings: import_zod.z.object({
+    mode: import_zod.z.enum(["standard", "strict", "audit"]).optional(),
+    autoStartDaemon: import_zod.z.boolean().optional(),
+    enableUndo: import_zod.z.boolean().optional(),
+    enableHookLogDebug: import_zod.z.boolean().optional(),
+    approvalTimeoutMs: import_zod.z.number().nonnegative().optional(),
+    approvers: import_zod.z.object({
+      native: import_zod.z.boolean().optional(),
+      browser: import_zod.z.boolean().optional(),
+      cloud: import_zod.z.boolean().optional(),
+      terminal: import_zod.z.boolean().optional()
+    }).optional(),
+    environment: import_zod.z.string().optional(),
+    slackEnabled: import_zod.z.boolean().optional(),
+    enableTrustSessions: import_zod.z.boolean().optional(),
+    allowGlobalPause: import_zod.z.boolean().optional()
+  }).optional(),
+  policy: import_zod.z.object({
+    sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
+    dangerousWords: import_zod.z.array(noNewlines).optional(),
+    ignoredTools: import_zod.z.array(import_zod.z.string()).optional(),
+    toolInspection: import_zod.z.record(import_zod.z.string()).optional(),
+    rules: import_zod.z.array(PolicyRuleSchema).optional(),
+    smartRules: import_zod.z.array(SmartRuleSchema).optional(),
+    snapshot: import_zod.z.object({
+      tools: import_zod.z.array(import_zod.z.string()).optional(),
+      onlyPaths: import_zod.z.array(import_zod.z.string()).optional(),
+      ignorePaths: import_zod.z.array(import_zod.z.string()).optional()
+    }).optional()
+  }).optional(),
+  environments: import_zod.z.record(import_zod.z.object({ requireApproval: import_zod.z.boolean().optional() })).optional()
+}).strict({ message: "Config contains unknown top-level keys" });
+function sanitizeConfig(raw) {
+  const result = ConfigFileSchema.safeParse(raw);
+  if (result.success) {
+    return { sanitized: result.data, error: null };
+  }
+  const invalidTopLevelKeys = new Set(
+    result.error.issues.filter((issue) => issue.path.length > 0).map((issue) => String(issue.path[0]))
+  );
+  const sanitized = {};
+  if (typeof raw === "object" && raw !== null) {
+    for (const [key, value] of Object.entries(raw)) {
+      if (!invalidTopLevelKeys.has(key)) {
+        sanitized[key] = value;
+      }
+    }
+  }
+  const lines = result.error.issues.map((issue) => {
+    const path8 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path8}: ${issue.message}`;
+  });
+  return {
+    sanitized,
+    error: `Invalid config:
+${lines.join("\n")}`
+  };
+}
 // src/core.ts
-var PAUSED_FILE = import_path2.default.join(import_os.default.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = import_path2.default.join(import_os.default.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = import_path2.default.join(import_os.default.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = import_path2.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = import_path3.default.join(import_os.default.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = import_path3.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!import_fs.default.existsSync(PAUSED_FILE)) return { paused: false };
@@ -300,7 +480,7 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = import_path2.default.dirname(filePath);
+  const dir = import_path3.default.dirname(filePath);
   if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${import_os.default.hostname()}.${process.pid}.tmp`;
   import_fs.default.writeFileSync(tmpPath, data, options);
@@ -351,7 +531,7 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = import_path2.default.dirname(logPath);
+    const dir = import_path3.default.dirname(logPath);
     if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
     import_fs.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
@@ -395,9 +575,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path7) {
+function getNestedValue(obj, path8) {
   if (!obj || typeof obj !== "object") return null;
-  return path7.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path8.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -546,15 +726,10 @@ function redactSecrets(text) {
   return redacted;
 }
 var DANGEROUS_WORDS = [
-  "drop",
-  "truncate",
-  "purge",
-  "format",
-  "destroy",
-  "terminate",
-  "revoke",
-  "docker",
-  "psql"
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
 ];
 var DEFAULT_CONFIG = {
   settings: {
@@ -611,6 +786,8 @@ var DEFAULT_CONFIG = {
       ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
     },
     rules: [
+      // Only use the legacy rules format for simple path-based rm control.
+      // All other command-level enforcement lives in smartRules below.
       {
         action: "rm",
         allowPaths: [
@@ -627,6 +804,7 @@ var DEFAULT_CONFIG = {
       }
     ],
     smartRules: [
+      // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
         tool: "*",
@@ -637,6 +815,84 @@ var DEFAULT_CONFIG = {
         conditionMode: "all",
         verdict: "review",
         reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      },
+      {
+        name: "review-drop-truncate-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "SQL DDL destructive statement inside a shell command"
+      },
+      // ── Git safety ────────────────────────────────────────────────────────
+      {
+        name: "block-force-push",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git push.*(--force|--force-with-lease|-f\\b)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Force push overwrites remote history and cannot be undone"
+      },
+      {
+        name: "review-git-push",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*git\\s+push\\b", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "git push sends changes to a shared remote"
+      },
+      {
+        name: "review-git-destructive",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase|tag\\s+-d|branch\\s+-[dD])",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
+      {
+        name: "review-sudo",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*sudo\\s", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Command requires elevated privileges"
+      },
+      {
+        name: "review-curl-pipe-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
     ]
   },
@@ -648,7 +904,7 @@ function _resetConfigCache() {
 }
 function getGlobalSettings() {
   try {
-    const globalConfigPath = import_path2.default.join(import_os.default.homedir(), ".node9", "config.json");
+    const globalConfigPath = import_path3.default.join(import_os.default.homedir(), ".node9", "config.json");
     if (import_fs.default.existsSync(globalConfigPath)) {
       const parsed = JSON.parse(import_fs.default.readFileSync(globalConfigPath, "utf-8"));
       const settings = parsed.settings || {};
@@ -672,7 +928,7 @@ function getGlobalSettings() {
 }
 function getInternalToken() {
   try {
-    const pidFile = import_path2.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
+    const pidFile = import_path3.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
     if (!import_fs.default.existsSync(pidFile)) return null;
     const data = JSON.parse(import_fs.default.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
@@ -693,7 +949,9 @@ async function evaluatePolicy(toolName, args, agent) {
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool
       };
     }
   }
@@ -708,7 +966,7 @@ async function evaluatePolicy(toolName, args, agent) {
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
+      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
@@ -731,7 +989,7 @@ async function evaluatePolicy(toolName, args, agent) {
     );
     const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
     if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
     }
     return { decision: "allow" };
   }
@@ -749,14 +1007,16 @@ async function evaluatePolicy(toolName, args, agent) {
         if (anyBlocked)
           return {
             decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
+            tier: 5
           };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
       return {
         decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
+        tier: 5
       };
     }
   }
@@ -798,21 +1058,22 @@ async function evaluatePolicy(toolName, args, agent) {
       decision: "review",
       blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
       matchedWord: matchedDangerousWord,
-      matchedField
+      matchedField,
+      tier: 6
     };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
     if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
   }
   return { decision: "allow" };
 }
 async function explainPolicy(toolName, args) {
   const steps = [];
-  const globalPath = import_path2.default.join(import_os.default.homedir(), ".node9", "config.json");
-  const projectPath = import_path2.default.join(process.cwd(), "node9.config.json");
-  const credsPath = import_path2.default.join(import_os.default.homedir(), ".node9", "credentials.json");
+  const globalPath = import_path3.default.join(import_os.default.homedir(), ".node9", "config.json");
+  const projectPath = import_path3.default.join(process.cwd(), "node9.config.json");
+  const credsPath = import_path3.default.join(import_os.default.homedir(), ".node9", "credentials.json");
   const waterfall = [
     {
       tier: 1,
@@ -1116,7 +1377,7 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = import_path2.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
+    const pidFile = import_path3.default.join(import_os.default.homedir(), ".node9", "daemon.pid");
     if (!import_fs.default.existsSync(pidFile)) return false;
     const { pid, port } = JSON.parse(import_fs.default.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
@@ -1128,7 +1389,7 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = import_path2.default.join(import_os.default.homedir(), ".node9", "decisions.json");
+    const file = import_path3.default.join(import_os.default.homedir(), ".node9", "decisions.json");
     if (!import_fs.default.existsSync(file)) return null;
     const decisions = JSON.parse(import_fs.default.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
@@ -1137,7 +1398,7 @@ function getPersistentDecision(toolName) {
   }
   return null;
 }
-async function askDaemon(toolName, args, meta, signal) {
+async function askDaemon(toolName, args, meta, signal, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const checkCtrl = new AbortController();
   const checkTimer = setTimeout(() => checkCtrl.abort(), 5e3);
@@ -1147,7 +1408,13 @@ async function askDaemon(toolName, args, meta, signal) {
     const checkRes = await fetch(`${base}/check`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ toolName, args, agent: meta?.agent, mcpServer: meta?.mcpServer }),
+      body: JSON.stringify({
+        toolName,
+        args,
+        agent: meta?.agent,
+        mcpServer: meta?.mcpServer,
+        ...riskMetadata && { riskMetadata }
+      }),
       signal: checkCtrl.signal
     });
     if (!checkRes.ok) throw new Error("Daemon fail");
@@ -1172,7 +1439,7 @@ async function askDaemon(toolName, args, meta, signal) {
     if (signal) signal.removeEventListener("abort", onAbort);
   }
 }
-async function notifyDaemonViewer(toolName, args, meta) {
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const res = await fetch(`${base}/check`, {
     method: "POST",
@@ -1182,7 +1449,8 @@ async function notifyDaemonViewer(toolName, args, meta) {
       args,
       slackDelegated: true,
       agent: meta?.agent,
-      mcpServer: meta?.mcpServer
+      mcpServer: meta?.mcpServer,
+      ...riskMetadata && { riskMetadata }
     }),
     signal: AbortSignal.timeout(3e3)
   });
@@ -1221,11 +1489,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
+  let riskMetadata;
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        if (approvers.cloud && creds?.apiKey) {
+          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
+        }
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -1236,13 +1508,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   }
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "trust", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -1258,9 +1532,18 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    riskMetadata = computeRiskMetadata(
+      args,
+      policyResult.tier ?? 6,
+      explainableLabel,
+      policyMatchedField,
+      policyMatchedWord,
+      policyResult.ruleName
+    );
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -1274,7 +1557,6 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       };
     }
   } else {
-    if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
@@ -1283,8 +1565,21 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
     try {
-      const initResult = await initNode9SaaS(toolName, args, creds, meta);
+      const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
+        if (initResult.shadowMode) {
+          console.error(
+            import_chalk2.default.yellow(
+              `
+\u26A0\uFE0F  Node9 Shadow Mode: Action allowed, but would have been blocked by company policy.`
+            )
+          );
+          if (initResult.shadowReason) {
+            console.error(import_chalk2.default.dim(`   Reason: ${initResult.shadowReason}
+`));
+          }
+          return { approved: true, checkedBy: "cloud" };
+        }
         return {
           approved: !!initResult.approved,
           reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
@@ -1309,18 +1604,22 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       );
     }
   }
-  if (cloudEnforced && cloudRequestId) {
-    console.error(
-      import_chalk2.default.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
-    );
-    console.error(import_chalk2.default.cyan("   Dashboard  \u2192 ") + import_chalk2.default.bold("Mission Control > Activity Feed\n"));
-  } else if (!cloudEnforced) {
-    const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
-    console.error(
-      import_chalk2.default.dim(`
+  if (!options?.calledFromDaemon) {
+    if (cloudEnforced && cloudRequestId) {
+      console.error(
+        import_chalk2.default.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
+      );
+      console.error(
+        import_chalk2.default.cyan("   Dashboard  \u2192 ") + import_chalk2.default.bold("Mission Control > Activity Feed\n")
+      );
+    } else if (!cloudEnforced) {
+      const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
+      console.error(
+        import_chalk2.default.dim(`
 \u{1F6E1}\uFE0F  Node9: intercepted "${toolName}" \u2014 cloud off (${cloudOffReason})
 `)
-    );
+      );
+    }
   }
   const abortController = new AbortController();
   const { signal } = abortController;
@@ -1351,7 +1650,9 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       (async () => {
         try {
           if (isDaemonRunning() && internalToken && !options?.calledFromDaemon) {
-            viewerId = await notifyDaemonViewer(toolName, args, meta).catch(() => null);
+            viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(
+              () => null
+            );
           }
           const cloudResult = await pollNode9SaaS(cloudRequestId, creds, signal);
           return {
@@ -1369,7 +1670,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.native && !isManual) {
+  if (approvers.native && !isManual && !options?.calledFromDaemon) {
     racePromises.push(
       (async () => {
         const decision = await askNativePopup(
@@ -1397,7 +1698,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.browser && isDaemonRunning() && !options?.calledFromDaemon) {
+  if (approvers.browser && isDaemonRunning() && !options?.calledFromDaemon && !cloudEnforced) {
     racePromises.push(
       (async () => {
         try {
@@ -1408,7 +1709,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
             console.error(import_chalk2.default.cyan(`   URL \u2192 http://${DAEMON_HOST}:${DAEMON_PORT}/
 `));
           }
-          const daemonDecision = await askDaemon(toolName, args, meta, signal);
+          const daemonDecision = await askDaemon(toolName, args, meta, signal, riskMetadata);
           if (daemonDecision === "abandoned") throw new Error("Abandoned");
           const isApproved = daemonDecision === "allow";
           return {
@@ -1533,8 +1834,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = import_path2.default.join(import_os.default.homedir(), ".node9", "config.json");
-  const projectPath = import_path2.default.join(process.cwd(), "node9.config.json");
+  const globalPath = import_path3.default.join(import_os.default.homedir(), ".node9", "config.json");
+  const projectPath = import_path3.default.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1554,6 +1855,7 @@ function getConfig() {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     }
   };
+  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
     if (!source) return;
     const s = source.settings || {};
@@ -1579,6 +1881,17 @@ function getConfig() {
       if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
       if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
+    const envs = source.environments || {};
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === "object") {
+        const ec = envConfig;
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          // Validate field types before merging — do not blindly spread user input
+          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
+        };
+      }
+    }
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
@@ -1592,17 +1905,62 @@ function getConfig() {
   cachedConfig = {
     settings: mergedSettings,
     policy: mergedPolicy,
-    environments: {}
+    environments: mergedEnvironments
   };
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
   if (!import_fs.default.existsSync(filePath)) return null;
+  let raw;
   try {
-    return JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
-  } catch {
+    raw = JSON.parse(import_fs.default.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+`
+    );
     return null;
   }
+  const SUPPORTED_VERSION = "1.0";
+  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
+  const fileVersion = raw?.version;
+  if (fileVersion !== void 0) {
+    const vStr = String(fileVersion);
+    const fileMajor = vStr.split(".")[0];
+    if (fileMajor !== SUPPORTED_MAJOR) {
+      process.stderr.write(
+        `
+\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
+`
+      );
+      return null;
+    } else if (vStr !== SUPPORTED_VERSION) {
+      process.stderr.write(
+        `
+\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
+`
+      );
+    }
+  }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+`
+    );
+  }
+  return sanitized;
 }
 function getActiveEnvironment(config) {
   const env = config.settings.environment || process.env.NODE_ENV || "development";
@@ -1617,7 +1975,7 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = import_path2.default.join(import_os.default.homedir(), ".node9", "credentials.json");
+    const credPath = import_path3.default.join(import_os.default.homedir(), ".node9", "credentials.json");
     if (import_fs.default.existsSync(credPath)) {
       const creds = JSON.parse(import_fs.default.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
@@ -1640,9 +1998,7 @@ function getCredentials() {
   return null;
 }
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
-  const controller = new AbortController();
-  setTimeout(() => controller.abort(), 5e3);
-  fetch(`${creds.apiUrl}/audit`, {
+  return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
     body: JSON.stringify({
@@ -1657,11 +2013,12 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
         platform: import_os.default.platform()
       }
     }),
-    signal: controller.signal
+    signal: AbortSignal.timeout(5e3)
+  }).then(() => {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, meta) {
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   try {
@@ -1677,7 +2034,8 @@ async function initNode9SaaS(toolName, args, creds, meta) {
           hostname: import_os.default.hostname(),
           cwd: process.cwd(),
           platform: import_os.default.platform()
-        }
+        },
+        ...riskMetadata && { riskMetadata }
       }),
       signal: controller.signal
     });
@@ -1735,7 +2093,7 @@ async function resolveNode9SaaS(requestId, creds, approved) {
 // src/setup.ts
 var import_fs2 = __toESM(require("fs"));
-var import_path3 = __toESM(require("path"));
+var import_path4 = __toESM(require("path"));
 var import_os2 = __toESM(require("os"));
 var import_chalk3 = __toESM(require("chalk"));
 var import_prompts2 = require("@inquirer/prompts");
@@ -1760,14 +2118,14 @@ function readJson(filePath) {
   return null;
 }
 function writeJson(filePath, data) {
-  const dir = import_path3.default.dirname(filePath);
+  const dir = import_path4.default.dirname(filePath);
   if (!import_fs2.default.existsSync(dir)) import_fs2.default.mkdirSync(dir, { recursive: true });
   import_fs2.default.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
 }
 async function setupClaude() {
   const homeDir2 = import_os2.default.homedir();
-  const mcpPath = import_path3.default.join(homeDir2, ".claude.json");
-  const hooksPath = import_path3.default.join(homeDir2, ".claude", "settings.json");
+  const mcpPath = import_path4.default.join(homeDir2, ".claude.json");
+  const hooksPath = import_path4.default.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
@@ -1842,7 +2200,7 @@ async function setupClaude() {
 }
 async function setupGemini() {
   const homeDir2 = import_os2.default.homedir();
-  const settingsPath = import_path3.default.join(homeDir2, ".gemini", "settings.json");
+  const settingsPath = import_path4.default.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
   let anythingChanged = false;
@@ -1925,8 +2283,8 @@ async function setupGemini() {
 }
 async function setupCursor() {
   const homeDir2 = import_os2.default.homedir();
-  const mcpPath = import_path3.default.join(homeDir2, ".cursor", "mcp.json");
-  const hooksPath = import_path3.default.join(homeDir2, ".cursor", "hooks.json");
+  const mcpPath = import_path4.default.join(homeDir2, ".cursor", "mcp.json");
+  const hooksPath = import_path4.default.join(homeDir2, ".cursor", "hooks.json");
   const mcpConfig = readJson(mcpPath) ?? {};
   const hooksFile = readJson(hooksPath) ?? { version: 1 };
   const servers = mcpConfig.mcpServers ?? {};
@@ -2222,6 +2580,55 @@ var ui_default = `<!doctype html>
         white-space: pre-wrap;
         word-break: break-all;
       }
+      /* \u2500\u2500 Context Sniper \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+      .sniper-header {
+        display: flex;
+        align-items: center;
+        gap: 8px;
+        flex-wrap: wrap;
+        margin-bottom: 8px;
+      }
+      .sniper-badge {
+        font-size: 11px;
+        font-weight: 600;
+        padding: 3px 8px;
+        border-radius: 5px;
+        letter-spacing: 0.02em;
+      }
+      .sniper-badge-edit {
+        background: rgba(59, 130, 246, 0.15);
+        color: #60a5fa;
+        border: 1px solid rgba(59, 130, 246, 0.3);
+      }
+      .sniper-badge-exec {
+        background: rgba(239, 68, 68, 0.12);
+        color: #f87171;
+        border: 1px solid rgba(239, 68, 68, 0.25);
+      }
+      .sniper-tier {
+        font-size: 10px;
+        color: var(--muted);
+        font-family: 'Fira Code', monospace;
+      }
+      .sniper-filepath {
+        font-size: 11px;
+        color: #a8b3c4;
+        font-family: 'Fira Code', monospace;
+        margin-bottom: 6px;
+        word-break: break-all;
+      }
+      .sniper-match {
+        font-size: 11px;
+        color: #a8b3c4;
+        margin-bottom: 6px;
+      }
+      .sniper-match code {
+        background: rgba(239, 68, 68, 0.15);
+        color: #f87171;
+        padding: 1px 5px;
+        border-radius: 3px;
+        font-family: 'Fira Code', monospace;
+      }
       .actions {
         display: grid;
         grid-template-columns: 1fr 1fr;
@@ -2728,20 +3135,47 @@ var ui_default = `<!doctype html>
         }, 200);
       }
+      function renderPayload(req) {
+        const rm = req.riskMetadata;
+        if (!rm) {
+          // Fallback: raw args for requests without context sniper data
+          const cmd = esc(
+            String(
+              req.args &&
+                (req.args.command ||
+                  req.args.cmd ||
+                  req.args.script ||
+                  JSON.stringify(req.args, null, 2))
+            )
+          );
+          return \`<span class="label">Input Payload</span><pre>\${cmd}</pre>\`;
+        }
+        const isEdit = rm.intent === 'EDIT';
+        const badgeClass = isEdit ? 'sniper-badge-edit' : 'sniper-badge-exec';
+        const badgeLabel = isEdit ? '\u{1F4DD} Code Edit' : '\u{1F6D1} Execution';
+        const tierLabel = \`Tier \${rm.tier} \xB7 \${esc(rm.blockedByLabel)}\`;
+        const fileLine =
+          isEdit && rm.editFilePath
+            ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
+            : !isEdit && rm.matchedWord
+              ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
+              : '';
+        const snippetHtml = rm.contextSnippet ? \`<pre>\${esc(rm.contextSnippet)}</pre>\` : '';
+        return \`
+          <div class="sniper-header">
+            <span class="sniper-badge \${badgeClass}">\${badgeLabel}</span>
+            <span class="sniper-tier">\${tierLabel}</span>
+          </div>
+          \${fileLine}
+          \${snippetHtml}
+        \`;
+      }
       function addCard(req) {
         if (requests.has(req.id)) return;
         requests.add(req.id);
         refresh();
         const isSlack = !!req.slackDelegated;
-        const cmd = esc(
-          String(
-            req.args &&
-              (req.args.command ||
-                req.args.cmd ||
-                req.args.script ||
-                JSON.stringify(req.args, null, 2))
-          )
-        );
         const card = document.createElement('div');
         card.className = 'card' + (isSlack ? ' slack-viewer' : '');
         card.id = 'c-' + req.id;
@@ -2755,8 +3189,7 @@ var ui_default = `<!doctype html>
         </div>
         <div class="tool-chip">\${esc(req.toolName)}</div>
         \${isSlack ? '<div class="slack-indicator">\u26A1 Awaiting Slack approval \u2014 view only</div>' : ''}
-        <span class="label">Input Payload</span>
-        <pre>\${cmd}</pre>
+        \${renderPayload(req)}
         <div class="actions" id="act-\${req.id}">
           <button class="btn-allow" onclick="sendDecision('\${req.id}','allow',false)" \${dis}>Approve Execution</button>
           <button class="btn-deny"  onclick="sendDecision('\${req.id}','deny',false)"  \${dis}>Block Action</button>
@@ -2964,7 +3397,7 @@ var UI_HTML_TEMPLATE = ui_default;
 // src/daemon/index.ts
 var import_http = __toESM(require("http"));
 var import_fs3 = __toESM(require("fs"));
-var import_path4 = __toESM(require("path"));
+var import_path5 = __toESM(require("path"));
 var import_os3 = __toESM(require("os"));
 var import_child_process2 = require("child_process");
 var import_crypto = require("crypto");
@@ -2972,14 +3405,14 @@ var import_chalk4 = __toESM(require("chalk"));
 var DAEMON_PORT2 = 7391;
 var DAEMON_HOST2 = "127.0.0.1";
 var homeDir = import_os3.default.homedir();
-var DAEMON_PID_FILE = import_path4.default.join(homeDir, ".node9", "daemon.pid");
-var DECISIONS_FILE = import_path4.default.join(homeDir, ".node9", "decisions.json");
-var GLOBAL_CONFIG_FILE = import_path4.default.join(homeDir, ".node9", "config.json");
-var CREDENTIALS_FILE = import_path4.default.join(homeDir, ".node9", "credentials.json");
-var AUDIT_LOG_FILE = import_path4.default.join(homeDir, ".node9", "audit.log");
-var TRUST_FILE2 = import_path4.default.join(homeDir, ".node9", "trust.json");
+var DAEMON_PID_FILE = import_path5.default.join(homeDir, ".node9", "daemon.pid");
+var DECISIONS_FILE = import_path5.default.join(homeDir, ".node9", "decisions.json");
+var GLOBAL_CONFIG_FILE = import_path5.default.join(homeDir, ".node9", "config.json");
+var CREDENTIALS_FILE = import_path5.default.join(homeDir, ".node9", "credentials.json");
+var AUDIT_LOG_FILE = import_path5.default.join(homeDir, ".node9", "audit.log");
+var TRUST_FILE2 = import_path5.default.join(homeDir, ".node9", "trust.json");
 function atomicWriteSync2(filePath, data, options) {
-  const dir = import_path4.default.dirname(filePath);
+  const dir = import_path5.default.dirname(filePath);
   if (!import_fs3.default.existsSync(dir)) import_fs3.default.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${(0, import_crypto.randomUUID)()}.tmp`;
   import_fs3.default.writeFileSync(tmpPath, data, options);
@@ -3023,7 +3456,7 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = import_path4.default.dirname(AUDIT_LOG_FILE);
+    const dir = import_path5.default.dirname(AUDIT_LOG_FILE);
     if (!import_fs3.default.existsSync(dir)) import_fs3.default.mkdirSync(dir, { recursive: true });
     import_fs3.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
@@ -3181,6 +3614,7 @@ data: ${JSON.stringify({
             id: e.id,
             toolName: e.toolName,
             args: e.args,
+            riskMetadata: e.riskMetadata,
             slackDelegated: e.slackDelegated,
             timestamp: e.timestamp,
             agent: e.agent,
@@ -3206,14 +3640,23 @@ data: ${JSON.stringify(readPersistentDecisions())}
     if (req.method === "POST" && pathname === "/check") {
       try {
         resetIdleTimer();
+        _resetConfigCache();
         const body = await readBody(req);
         if (body.length > 65536) return res.writeHead(413).end();
-        const { toolName, args, slackDelegated = false, agent, mcpServer } = JSON.parse(body);
+        const {
+          toolName,
+          args,
+          slackDelegated = false,
+          agent,
+          mcpServer,
+          riskMetadata
+        } = JSON.parse(body);
         const id = (0, import_crypto.randomUUID)();
         const entry = {
           id,
           toolName,
           args,
+          riskMetadata: riskMetadata ?? void 0,
           agent: typeof agent === "string" ? agent : void 0,
           mcpServer: typeof mcpServer === "string" ? mcpServer : void 0,
           slackDelegated: !!slackDelegated,
@@ -3245,6 +3688,7 @@ data: ${JSON.stringify(readPersistentDecisions())}
             id,
             toolName,
             args,
+            riskMetadata: entry.riskMetadata,
             slackDelegated: entry.slackDelegated,
             agent: entry.agent,
             mcpServer: entry.mcpServer
@@ -3514,16 +3958,16 @@ var import_execa2 = require("execa");
 var import_chalk5 = __toESM(require("chalk"));
 var import_readline = __toESM(require("readline"));
 var import_fs5 = __toESM(require("fs"));
-var import_path6 = __toESM(require("path"));
+var import_path7 = __toESM(require("path"));
 var import_os5 = __toESM(require("os"));
 // src/undo.ts
 var import_child_process3 = require("child_process");
 var import_fs4 = __toESM(require("fs"));
-var import_path5 = __toESM(require("path"));
+var import_path6 = __toESM(require("path"));
 var import_os4 = __toESM(require("os"));
-var SNAPSHOT_STACK_PATH = import_path5.default.join(import_os4.default.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = import_path5.default.join(import_os4.default.homedir(), ".node9", "undo_latest.txt");
+var SNAPSHOT_STACK_PATH = import_path6.default.join(import_os4.default.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = import_path6.default.join(import_os4.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 function readStack() {
   try {
@@ -3534,7 +3978,7 @@ function readStack() {
   return [];
 }
 function writeStack(stack) {
-  const dir = import_path5.default.dirname(SNAPSHOT_STACK_PATH);
+  const dir = import_path6.default.dirname(SNAPSHOT_STACK_PATH);
   if (!import_fs4.default.existsSync(dir)) import_fs4.default.mkdirSync(dir, { recursive: true });
   import_fs4.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
@@ -3552,8 +3996,8 @@ function buildArgsSummary(tool, args) {
 async function createShadowSnapshot(tool = "unknown", args = {}) {
   try {
     const cwd = process.cwd();
-    if (!import_fs4.default.existsSync(import_path5.default.join(cwd, ".git"))) return null;
-    const tempIndex = import_path5.default.join(cwd, ".git", `node9_index_${Date.now()}`);
+    if (!import_fs4.default.existsSync(import_path6.default.join(cwd, ".git"))) return null;
+    const tempIndex = import_path6.default.join(cwd, ".git", `node9_index_${Date.now()}`);
     const env = { ...process.env, GIT_INDEX_FILE: tempIndex };
     (0, import_child_process3.spawnSync)("git", ["add", "-A"], { env });
     const treeRes = (0, import_child_process3.spawnSync)("git", ["write-tree"], { env });
@@ -3617,7 +4061,7 @@ function applyUndo(hash, cwd) {
     const tracked = (0, import_child_process3.spawnSync)("git", ["ls-files"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     const untracked = (0, import_child_process3.spawnSync)("git", ["ls-files", "--others", "--exclude-standard"], { cwd: dir }).stdout.toString().trim().split("\n").filter(Boolean);
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = import_path5.default.join(dir, file);
+      const fullPath = import_path6.default.join(dir, file);
       if (!snapshotFiles.has(file) && import_fs4.default.existsSync(fullPath)) {
         import_fs4.default.unlinkSync(fullPath);
       }
@@ -3631,7 +4075,7 @@ function applyUndo(hash, cwd) {
 // src/cli.ts
 var import_prompts3 = require("@inquirer/prompts");
 var { version } = JSON.parse(
-  import_fs5.default.readFileSync(import_path6.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs5.default.readFileSync(import_path7.default.join(__dirname, "../package.json"), "utf-8")
 );
 function parseDuration(str) {
   const m = str.trim().match(/^(\d+(?:\.\d+)?)\s*(s|m|h|d)?$/i);
@@ -3824,9 +4268,9 @@ async function runProxy(targetCommand) {
 }
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs5.default.existsSync(import_path6.default.dirname(credPath)))
-    import_fs5.default.mkdirSync(import_path6.default.dirname(credPath), { recursive: true });
+  const credPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs5.default.existsSync(import_path7.default.dirname(credPath)))
+    import_fs5.default.mkdirSync(import_path7.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
@@ -3845,7 +4289,7 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
   import_fs5.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "config.json");
+    const configPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
       if (import_fs5.default.existsSync(configPath))
@@ -3860,10 +4304,12 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       cloud: true,
       terminal: true
     };
-    approvers.cloud = !options.local;
+    if (options.local) {
+      approvers.cloud = false;
+    }
     s.approvers = approvers;
-    if (!import_fs5.default.existsSync(import_path6.default.dirname(configPath)))
-      import_fs5.default.mkdirSync(import_path6.default.dirname(configPath), { recursive: true });
+    if (!import_fs5.default.existsSync(import_path7.default.dirname(configPath)))
+      import_fs5.default.mkdirSync(import_path7.default.dirname(configPath), { recursive: true });
     import_fs5.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
@@ -3949,7 +4395,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
     );
   }
   section("Configuration");
-  const globalConfigPath = import_path6.default.join(homeDir2, ".node9", "config.json");
+  const globalConfigPath = import_path7.default.join(homeDir2, ".node9", "config.json");
   if (import_fs5.default.existsSync(globalConfigPath)) {
     try {
       JSON.parse(import_fs5.default.readFileSync(globalConfigPath, "utf-8"));
@@ -3960,7 +4406,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
   }
-  const projectConfigPath = import_path6.default.join(process.cwd(), "node9.config.json");
+  const projectConfigPath = import_path7.default.join(process.cwd(), "node9.config.json");
   if (import_fs5.default.existsSync(projectConfigPath)) {
     try {
       JSON.parse(import_fs5.default.readFileSync(projectConfigPath, "utf-8"));
@@ -3969,7 +4415,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
       fail("node9.config.json is invalid JSON", "Fix the JSON or delete it and run: node9 init");
     }
   }
-  const credsPath = import_path6.default.join(homeDir2, ".node9", "credentials.json");
+  const credsPath = import_path7.default.join(homeDir2, ".node9", "credentials.json");
   if (import_fs5.default.existsSync(credsPath)) {
     pass("Cloud credentials found (~/.node9/credentials.json)");
   } else {
@@ -3979,7 +4425,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
     );
   }
   section("Agent Hooks");
-  const claudeSettingsPath = import_path6.default.join(homeDir2, ".claude", "settings.json");
+  const claudeSettingsPath = import_path7.default.join(homeDir2, ".claude", "settings.json");
   if (import_fs5.default.existsSync(claudeSettingsPath)) {
     try {
       const cs = JSON.parse(import_fs5.default.readFileSync(claudeSettingsPath, "utf-8"));
@@ -3995,7 +4441,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
   }
-  const geminiSettingsPath = import_path6.default.join(homeDir2, ".gemini", "settings.json");
+  const geminiSettingsPath = import_path7.default.join(homeDir2, ".gemini", "settings.json");
   if (import_fs5.default.existsSync(geminiSettingsPath)) {
     try {
       const gs = JSON.parse(import_fs5.default.readFileSync(geminiSettingsPath, "utf-8"));
@@ -4011,7 +4457,7 @@ program.command("doctor").description("Check that Node9 is installed and configu
   } else {
     warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
   }
-  const cursorHooksPath = import_path6.default.join(homeDir2, ".cursor", "hooks.json");
+  const cursorHooksPath = import_path7.default.join(homeDir2, ".cursor", "hooks.json");
   if (import_fs5.default.existsSync(cursorHooksPath)) {
     try {
       const cur = JSON.parse(import_fs5.default.readFileSync(cursorHooksPath, "utf-8"));
@@ -4116,7 +4562,7 @@ program.command("explain").description(
   console.log("");
 });
 program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "config.json");
+  const configPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "config.json");
   if (import_fs5.default.existsSync(configPath) && !options.force) {
     console.log(import_chalk5.default.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(import_chalk5.default.gray(`   Run with --force to overwrite.`));
@@ -4131,7 +4577,7 @@ program.command("init").description("Create ~/.node9/config.json with default po
       mode: safeMode
     }
   };
-  const dir = import_path6.default.dirname(configPath);
+  const dir = import_path7.default.dirname(configPath);
   if (!import_fs5.default.existsSync(dir)) import_fs5.default.mkdirSync(dir, { recursive: true });
   import_fs5.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(import_chalk5.default.green(`\u2705 Global config created: ${configPath}`));
@@ -4151,7 +4597,7 @@ function formatRelativeTime(timestamp) {
   return new Date(timestamp).toLocaleDateString();
 }
 program.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-  const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "audit.log");
+  const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "audit.log");
   if (!import_fs5.default.existsSync(logPath)) {
     console.log(
       import_chalk5.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
@@ -4241,8 +4687,8 @@ program.command("status").description("Show current Node9 mode, policy source, a
   console.log("");
   const modeLabel = settings.mode === "audit" ? import_chalk5.default.blue("audit") : settings.mode === "strict" ? import_chalk5.default.red("strict") : import_chalk5.default.white("standard");
   console.log(`  Mode:    ${modeLabel}`);
-  const projectConfig = import_path6.default.join(process.cwd(), "node9.config.json");
-  const globalConfig = import_path6.default.join(import_os5.default.homedir(), ".node9", "config.json");
+  const projectConfig = import_path7.default.join(process.cwd(), "node9.config.json");
+  const globalConfig = import_path7.default.join(import_os5.default.homedir(), ".node9", "config.json");
   console.log(
     `  Local:   ${import_fs5.default.existsSync(projectConfig) ? import_chalk5.default.green("Active (node9.config.json)") : import_chalk5.default.gray("Not present")}`
   );
@@ -4310,7 +4756,7 @@ program.command("check").description("Hook handler \u2014 evaluates a tool call
       } catch (err) {
         const tempConfig = getConfig();
         if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-          const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
+          const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
           import_fs5.default.appendFileSync(
             logPath,
@@ -4330,9 +4776,9 @@ RAW: ${raw}
       }
       const config = getConfig();
       if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-        const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
-        if (!import_fs5.default.existsSync(import_path6.default.dirname(logPath)))
-          import_fs5.default.mkdirSync(import_path6.default.dirname(logPath), { recursive: true });
+        const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
+        if (!import_fs5.default.existsSync(import_path7.default.dirname(logPath)))
+          import_fs5.default.mkdirSync(import_path7.default.dirname(logPath), { recursive: true });
         import_fs5.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
       }
@@ -4404,7 +4850,7 @@ RAW: ${raw}
       });
     } catch (err) {
       if (process.env.NODE9_DEBUG === "1") {
-        const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
         const errMsg = err instanceof Error ? err.message : String(err);
         import_fs5.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
@@ -4451,9 +4897,9 @@ program.command("log").description("PostToolUse hook \u2014 records executed too
         decision: "allowed",
         source: "post-hook"
       };
-      const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "audit.log");
-      if (!import_fs5.default.existsSync(import_path6.default.dirname(logPath)))
-        import_fs5.default.mkdirSync(import_path6.default.dirname(logPath), { recursive: true });
+      const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "audit.log");
+      if (!import_fs5.default.existsSync(import_path7.default.dirname(logPath)))
+        import_fs5.default.mkdirSync(import_path7.default.dirname(logPath), { recursive: true });
       import_fs5.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
       const config = getConfig();
       if (shouldSnapshot(tool, {}, config)) {
@@ -4628,7 +5074,7 @@ process.on("unhandledRejection", (reason) => {
   const isCheckHook = process.argv[2] === "check";
   if (isCheckHook) {
     if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-      const logPath = import_path6.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
+      const logPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "hook-debug.log");
       const msg = reason instanceof Error ? reason.message : String(reason);
       import_fs5.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);