@node9/proxy 1.0.8 → 1.0.10

package/dist/index.mjs

@@ -2,18 +2,18 @@
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
 import fs from "fs";
-import path2 from "path";
+import path3 from "path";
 import os from "os";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
 
 // src/ui/native.ts
 import { spawn } from "child_process";
-import path from "path";
+import path2 from "path";
 import chalk from "chalk";
-var isTestEnv = () => {
-  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
-};
+
+// src/context-sniper.ts
+import path from "path";
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -21,11 +21,13 @@ function smartTruncate(str, maxLen = 500) {
 }
 function extractContext(text, matchedWord) {
   const lines = text.split("\n");
-  if (lines.length <= 7 || !matchedWord) return smartTruncate(text, 500);
+  if (lines.length <= 7 || !matchedWord) {
+    return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+  }
   const escaped = matchedWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
   const pattern = new RegExp(`\\b${escaped}\\b`, "i");
   const allHits = lines.map((line, i) => ({ i, line })).filter(({ line }) => pattern.test(line));
-  if (allHits.length === 0) return smartTruncate(text, 500);
+  if (allHits.length === 0) return { snippet: smartTruncate(text, 500), lineIndex: -1 };
   const nonComment = allHits.find(({ line }) => {
     const trimmed = line.trim();
     return !trimmed.startsWith("//") && !trimmed.startsWith("#");
@@ -33,13 +35,89 @@ function extractContext(text, matchedWord) {
   const hitIndex = (nonComment ?? allHits[0]).i;
   const start = Math.max(0, hitIndex - 3);
   const end = Math.min(lines.length, hitIndex + 4);
+  const lineIndex = hitIndex - start;
   const snippet = lines.slice(start, end).map((line, i) => `${start + i === hitIndex ? "\u{1F6D1} " : "   "}${line}`).join("\n");
   const head = start > 0 ? `... [${start} lines hidden] ...
 ` : "";
   const tail = end < lines.length ? `
 ... [${lines.length - end} lines hidden] ...` : "";
-  return `${head}${snippet}${tail}`;
+  return { snippet: `${head}${snippet}${tail}`, lineIndex };
+}
+var CODE_KEYS = [
+  "command",
+  "cmd",
+  "shell_command",
+  "bash_command",
+  "script",
+  "code",
+  "input",
+  "sql",
+  "query",
+  "arguments",
+  "args",
+  "param",
+  "params",
+  "text"
+];
+function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWord, ruleName) {
+  let intent = "EXEC";
+  let contextSnippet;
+  let contextLineIndex;
+  let editFileName;
+  let editFilePath;
+  let parsed = args;
+  if (typeof args === "string") {
+    const trimmed = args.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+      }
+    }
+  }
+  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      intent = "EDIT";
+      if (obj.file_path) {
+        editFilePath = String(obj.file_path);
+        editFileName = path.basename(editFilePath);
+      }
+      const result = extractContext(String(obj.new_string), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else if (matchedField && obj[matchedField] !== void 0) {
+      const result = extractContext(String(obj[matchedField]), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else {
+      const foundKey = Object.keys(obj).find((k) => CODE_KEYS.includes(k.toLowerCase()));
+      if (foundKey) {
+        const val = obj[foundKey];
+        contextSnippet = smartTruncate(typeof val === "string" ? val : JSON.stringify(val), 500);
+      }
+    }
+  } else if (typeof parsed === "string") {
+    contextSnippet = smartTruncate(parsed, 500);
+  }
+  return {
+    intent,
+    tier,
+    blockedByLabel,
+    ...matchedWord && { matchedWord },
+    ...matchedField && { matchedField },
+    ...contextSnippet !== void 0 && { contextSnippet },
+    ...contextLineIndex !== void 0 && { contextLineIndex },
+    ...editFileName && { editFileName },
+    ...editFilePath && { editFilePath },
+    ...ruleName && { ruleName }
+  };
 }
+
+// src/ui/native.ts
+var isTestEnv = () => {
+  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
+};
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -58,9 +136,9 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? path.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? path2.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
-      const newPreview = extractContext(String(obj.new_string), matchedWord);
+      const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
         intent: "EDIT",
         message: `\u{1F4DD} EDITING: ${file}
@@ -78,7 +156,7 @@ ${newPreview}`
       const context = otherKeys.length > 0 ? `\u2699\uFE0F  Context: ${otherKeys.map((k) => `${k}=${smartTruncate(typeof obj[k] === "object" ? JSON.stringify(obj[k]) : String(obj[k]), 30)}`).join(", ")}
 
 ` : "";
-      const content = extractContext(String(obj[matchedField]), matchedWord);
+      const content = extractContext(String(obj[matchedField]), matchedWord).snippet;
       return {
         intent: "EXEC",
         message: `${context}\u{1F6D1} [${matchedField.toUpperCase()}]:
@@ -250,11 +328,113 @@ end run`;
   });
 }
 
+// src/config-schema.ts
+import { z } from "zod";
+var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
+  message: "Value must not contain literal newline characters (use \\n instead)"
+});
+var validRegex = noNewlines.refine(
+  (s) => {
+    try {
+      new RegExp(s);
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  { message: "Value must be a valid regular expression" }
+);
+var SmartConditionSchema = z.object({
+  field: z.string().min(1, "Condition field must not be empty"),
+  op: z.enum(["matches", "notMatches", "contains", "notContains", "exists", "notExists"], {
+    errorMap: () => ({
+      message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists"
+    })
+  }),
+  value: validRegex.optional(),
+  flags: z.string().optional()
+});
+var SmartRuleSchema = z.object({
+  name: z.string().optional(),
+  tool: z.string().min(1, "Smart rule tool must not be empty"),
+  conditions: z.array(SmartConditionSchema).min(1, "Smart rule must have at least one condition"),
+  conditionMode: z.enum(["all", "any"]).optional(),
+  verdict: z.enum(["allow", "review", "block"], {
+    errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
+  }),
+  reason: z.string().optional()
+});
+var PolicyRuleSchema = z.object({
+  action: z.string().min(1),
+  allowPaths: z.array(z.string()).optional(),
+  blockPaths: z.array(z.string()).optional()
+});
+var ConfigFileSchema = z.object({
+  version: z.string().optional(),
+  settings: z.object({
+    mode: z.enum(["standard", "strict", "audit"]).optional(),
+    autoStartDaemon: z.boolean().optional(),
+    enableUndo: z.boolean().optional(),
+    enableHookLogDebug: z.boolean().optional(),
+    approvalTimeoutMs: z.number().nonnegative().optional(),
+    approvers: z.object({
+      native: z.boolean().optional(),
+      browser: z.boolean().optional(),
+      cloud: z.boolean().optional(),
+      terminal: z.boolean().optional()
+    }).optional(),
+    environment: z.string().optional(),
+    slackEnabled: z.boolean().optional(),
+    enableTrustSessions: z.boolean().optional(),
+    allowGlobalPause: z.boolean().optional()
+  }).optional(),
+  policy: z.object({
+    sandboxPaths: z.array(z.string()).optional(),
+    dangerousWords: z.array(noNewlines).optional(),
+    ignoredTools: z.array(z.string()).optional(),
+    toolInspection: z.record(z.string()).optional(),
+    rules: z.array(PolicyRuleSchema).optional(),
+    smartRules: z.array(SmartRuleSchema).optional(),
+    snapshot: z.object({
+      tools: z.array(z.string()).optional(),
+      onlyPaths: z.array(z.string()).optional(),
+      ignorePaths: z.array(z.string()).optional()
+    }).optional()
+  }).optional(),
+  environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
+}).strict({ message: "Config contains unknown top-level keys" });
+function sanitizeConfig(raw) {
+  const result = ConfigFileSchema.safeParse(raw);
+  if (result.success) {
+    return { sanitized: result.data, error: null };
+  }
+  const invalidTopLevelKeys = new Set(
+    result.error.issues.filter((issue) => issue.path.length > 0).map((issue) => String(issue.path[0]))
+  );
+  const sanitized = {};
+  if (typeof raw === "object" && raw !== null) {
+    for (const [key, value] of Object.entries(raw)) {
+      if (!invalidTopLevelKeys.has(key)) {
+        sanitized[key] = value;
+      }
+    }
+  }
+  const lines = result.error.issues.map((issue) => {
+    const path4 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path4}: ${issue.message}`;
+  });
+  return {
+    sanitized,
+    error: `Invalid config:
+${lines.join("\n")}`
+  };
+}
+
 // src/core.ts
-var PAUSED_FILE = path2.join(os.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path2.join(os.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path2.join(os.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path2.join(os.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = path3.join(os.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path3.join(os.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path3.join(os.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path3.join(os.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!fs.existsSync(PAUSED_FILE)) return { paused: false };
@@ -272,7 +452,7 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path2.dirname(filePath);
+  const dir = path3.dirname(filePath);
   if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${os.hostname()}.${process.pid}.tmp`;
   fs.writeFileSync(tmpPath, data, options);
@@ -313,7 +493,7 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = path2.dirname(logPath);
+    const dir = path3.dirname(logPath);
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
     fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
@@ -357,9 +537,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path3) {
+function getNestedValue(obj, path4) {
   if (!obj || typeof obj !== "object") return null;
-  return path3.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path4.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -496,15 +676,10 @@ function redactSecrets(text) {
   return redacted;
 }
 var DANGEROUS_WORDS = [
-  "drop",
-  "truncate",
-  "purge",
-  "format",
-  "destroy",
-  "terminate",
-  "revoke",
-  "docker",
-  "psql"
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
 ];
 var DEFAULT_CONFIG = {
   settings: {
@@ -561,6 +736,8 @@ var DEFAULT_CONFIG = {
       ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
     },
     rules: [
+      // Only use the legacy rules format for simple path-based rm control.
+      // All other command-level enforcement lives in smartRules below.
       {
         action: "rm",
         allowPaths: [
@@ -577,6 +754,7 @@ var DEFAULT_CONFIG = {
       }
     ],
     smartRules: [
+      // ── SQL safety ────────────────────────────────────────────────────────
       {
         name: "no-delete-without-where",
         tool: "*",
@@ -587,6 +765,84 @@ var DEFAULT_CONFIG = {
         conditionMode: "all",
         verdict: "review",
         reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      },
+      {
+        name: "review-drop-truncate-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "SQL DDL destructive statement inside a shell command"
+      },
+      // ── Git safety ────────────────────────────────────────────────────────
+      {
+        name: "block-force-push",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git push.*(--force|--force-with-lease|-f\\b)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Force push overwrites remote history and cannot be undone"
+      },
+      {
+        name: "review-git-push",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*git\\s+push\\b", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "git push sends changes to a shared remote"
+      },
+      {
+        name: "review-git-destructive",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase|tag\\s+-d|branch\\s+-[dD])",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
+      {
+        name: "review-sudo",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "^\\s*sudo\\s", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Command requires elevated privileges"
+      },
+      {
+        name: "review-curl-pipe-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
     ]
   },
@@ -595,7 +851,7 @@ var DEFAULT_CONFIG = {
 var cachedConfig = null;
 function getInternalToken() {
   try {
-    const pidFile = path2.join(os.homedir(), ".node9", "daemon.pid");
+    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
     if (!fs.existsSync(pidFile)) return null;
     const data = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
@@ -616,7 +872,9 @@ async function evaluatePolicy(toolName, args, agent) {
       return {
         decision: matchedRule.verdict,
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool
       };
     }
   }
@@ -631,7 +889,7 @@ async function evaluatePolicy(toolName, args, agent) {
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)" };
+      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
@@ -654,7 +912,7 @@ async function evaluatePolicy(toolName, args, agent) {
     );
     const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
     if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
     }
     return { decision: "allow" };
   }
@@ -672,14 +930,16 @@ async function evaluatePolicy(toolName, args, agent) {
         if (anyBlocked)
           return {
             decision: "review",
-            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`,
+            tier: 5
           };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
       return {
         decision: "review",
-        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`,
+        tier: 5
       };
     }
   }
@@ -721,13 +981,14 @@ async function evaluatePolicy(toolName, args, agent) {
       decision: "review",
       blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
       matchedWord: matchedDangerousWord,
-      matchedField
+      matchedField,
+      tier: 6
     };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
     if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
   }
   return { decision: "allow" };
 }
@@ -739,7 +1000,7 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
   try {
-    const pidFile = path2.join(os.homedir(), ".node9", "daemon.pid");
+    const pidFile = path3.join(os.homedir(), ".node9", "daemon.pid");
     if (!fs.existsSync(pidFile)) return false;
     const { pid, port } = JSON.parse(fs.readFileSync(pidFile, "utf-8"));
     if (port !== DAEMON_PORT) return false;
@@ -751,7 +1012,7 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path2.join(os.homedir(), ".node9", "decisions.json");
+    const file = path3.join(os.homedir(), ".node9", "decisions.json");
     if (!fs.existsSync(file)) return null;
     const decisions = JSON.parse(fs.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
@@ -760,7 +1021,7 @@ function getPersistentDecision(toolName) {
   }
   return null;
 }
-async function askDaemon(toolName, args, meta, signal) {
+async function askDaemon(toolName, args, meta, signal, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const checkCtrl = new AbortController();
   const checkTimer = setTimeout(() => checkCtrl.abort(), 5e3);
@@ -770,7 +1031,13 @@ async function askDaemon(toolName, args, meta, signal) {
     const checkRes = await fetch(`${base}/check`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ toolName, args, agent: meta?.agent, mcpServer: meta?.mcpServer }),
+      body: JSON.stringify({
+        toolName,
+        args,
+        agent: meta?.agent,
+        mcpServer: meta?.mcpServer,
+        ...riskMetadata && { riskMetadata }
+      }),
       signal: checkCtrl.signal
     });
     if (!checkRes.ok) throw new Error("Daemon fail");
@@ -795,7 +1062,7 @@ async function askDaemon(toolName, args, meta, signal) {
     if (signal) signal.removeEventListener("abort", onAbort);
   }
 }
-async function notifyDaemonViewer(toolName, args, meta) {
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const res = await fetch(`${base}/check`, {
     method: "POST",
@@ -805,7 +1072,8 @@ async function notifyDaemonViewer(toolName, args, meta) {
       args,
       slackDelegated: true,
       agent: meta?.agent,
-      mcpServer: meta?.mcpServer
+      mcpServer: meta?.mcpServer,
+      ...riskMetadata && { riskMetadata }
     }),
     signal: AbortSignal.timeout(3e3)
   });
@@ -844,11 +1112,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
+  let riskMetadata;
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        if (approvers.cloud && creds?.apiKey) {
+          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
+        }
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -859,13 +1131,15 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   }
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "trust", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -881,9 +1155,18 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    riskMetadata = computeRiskMetadata(
+      args,
+      policyResult.tier ?? 6,
+      explainableLabel,
+      policyMatchedField,
+      policyMatchedWord,
+      policyResult.ruleName
+    );
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (approvers.cloud && creds?.apiKey)
+        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -897,7 +1180,6 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       };
     }
   } else {
-    if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
@@ -906,8 +1188,21 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
     try {
-      const initResult = await initNode9SaaS(toolName, args, creds, meta);
+      const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
+        if (initResult.shadowMode) {
+          console.error(
+            chalk2.yellow(
+              `
+\u26A0\uFE0F  Node9 Shadow Mode: Action allowed, but would have been blocked by company policy.`
+            )
+          );
+          if (initResult.shadowReason) {
+            console.error(chalk2.dim(`   Reason: ${initResult.shadowReason}
+`));
+          }
+          return { approved: true, checkedBy: "cloud" };
+        }
         return {
           approved: !!initResult.approved,
           reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
@@ -932,18 +1227,22 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       );
     }
   }
-  if (cloudEnforced && cloudRequestId) {
-    console.error(
-      chalk2.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
-    );
-    console.error(chalk2.cyan("   Dashboard  \u2192 ") + chalk2.bold("Mission Control > Activity Feed\n"));
-  } else if (!cloudEnforced) {
-    const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
-    console.error(
-      chalk2.dim(`
+  if (!options?.calledFromDaemon) {
+    if (cloudEnforced && cloudRequestId) {
+      console.error(
+        chalk2.yellow("\n\u{1F6E1}\uFE0F  Node9: Action suspended \u2014 waiting for Organization approval.")
+      );
+      console.error(
+        chalk2.cyan("   Dashboard  \u2192 ") + chalk2.bold("Mission Control > Activity Feed\n")
+      );
+    } else if (!cloudEnforced) {
+      const cloudOffReason = !creds?.apiKey ? "no API key \u2014 run `node9 login` to connect" : "privacy mode (cloud disabled)";
+      console.error(
+        chalk2.dim(`
 \u{1F6E1}\uFE0F  Node9: intercepted "${toolName}" \u2014 cloud off (${cloudOffReason})
 `)
-    );
+      );
+    }
   }
   const abortController = new AbortController();
   const { signal } = abortController;
@@ -974,7 +1273,9 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       (async () => {
         try {
           if (isDaemonRunning() && internalToken && !options?.calledFromDaemon) {
-            viewerId = await notifyDaemonViewer(toolName, args, meta).catch(() => null);
+            viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(
+              () => null
+            );
           }
           const cloudResult = await pollNode9SaaS(cloudRequestId, creds, signal);
           return {
@@ -992,7 +1293,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.native && !isManual) {
+  if (approvers.native && !isManual && !options?.calledFromDaemon) {
     racePromises.push(
       (async () => {
         const decision = await askNativePopup(
@@ -1020,7 +1321,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
       })()
     );
   }
-  if (approvers.browser && isDaemonRunning() && !options?.calledFromDaemon) {
+  if (approvers.browser && isDaemonRunning() && !options?.calledFromDaemon && !cloudEnforced) {
     racePromises.push(
       (async () => {
         try {
@@ -1031,7 +1332,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
             console.error(chalk2.cyan(`   URL \u2192 http://${DAEMON_HOST}:${DAEMON_PORT}/
 `));
           }
-          const daemonDecision = await askDaemon(toolName, args, meta, signal);
+          const daemonDecision = await askDaemon(toolName, args, meta, signal, riskMetadata);
           if (daemonDecision === "abandoned") throw new Error("Abandoned");
           const isApproved = daemonDecision === "allow";
           return {
@@ -1156,8 +1457,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = path2.join(os.homedir(), ".node9", "config.json");
-  const projectPath = path2.join(process.cwd(), "node9.config.json");
+  const globalPath = path3.join(os.homedir(), ".node9", "config.json");
+  const projectPath = path3.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1177,6 +1478,7 @@ function getConfig() {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     }
   };
+  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
     if (!source) return;
     const s = source.settings || {};
@@ -1202,6 +1504,17 @@ function getConfig() {
       if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
       if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
+    const envs = source.environments || {};
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === "object") {
+        const ec = envConfig;
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          // Validate field types before merging — do not blindly spread user input
+          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
+        };
+      }
+    }
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
@@ -1215,17 +1528,62 @@ function getConfig() {
   cachedConfig = {
     settings: mergedSettings,
     policy: mergedPolicy,
-    environments: {}
+    environments: mergedEnvironments
   };
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
   if (!fs.existsSync(filePath)) return null;
+  let raw;
   try {
-    return JSON.parse(fs.readFileSync(filePath, "utf-8"));
-  } catch {
+    raw = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+
+`
+    );
     return null;
   }
+  const SUPPORTED_VERSION = "1.0";
+  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
+  const fileVersion = raw?.version;
+  if (fileVersion !== void 0) {
+    const vStr = String(fileVersion);
+    const fileMajor = vStr.split(".")[0];
+    if (fileMajor !== SUPPORTED_MAJOR) {
+      process.stderr.write(
+        `
+\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
+
+`
+      );
+      return null;
+    } else if (vStr !== SUPPORTED_VERSION) {
+      process.stderr.write(
+        `
+\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
+
+`
+      );
+    }
+  }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+
+`
+    );
+  }
+  return sanitized;
 }
 function getActiveEnvironment(config) {
   const env = config.settings.environment || process.env.NODE_ENV || "development";
@@ -1240,7 +1598,7 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = path2.join(os.homedir(), ".node9", "credentials.json");
+    const credPath = path3.join(os.homedir(), ".node9", "credentials.json");
     if (fs.existsSync(credPath)) {
       const creds = JSON.parse(fs.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
@@ -1267,9 +1625,7 @@ async function authorizeAction(toolName, args) {
   return result.approved;
 }
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
-  const controller = new AbortController();
-  setTimeout(() => controller.abort(), 5e3);
-  fetch(`${creds.apiUrl}/audit`, {
+  return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
     body: JSON.stringify({
@@ -1284,11 +1640,12 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
         platform: os.platform()
       }
     }),
-    signal: controller.signal
+    signal: AbortSignal.timeout(5e3)
+  }).then(() => {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, meta) {
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   try {
@@ -1304,7 +1661,8 @@ async function initNode9SaaS(toolName, args, creds, meta) {
           hostname: os.hostname(),
           cwd: process.cwd(),
           platform: os.platform()
-        }
+        },
+        ...riskMetadata && { riskMetadata }
       }),
       signal: controller.signal
     });