@node9/proxy 1.1.4 → 1.1.6

package/README.md

@@ -138,13 +138,13 @@ Node9 has two layers of protection. You get Layer 1 automatically. Layer 2 is on
 
 Built into the binary. Zero configuration required. Protects the tools every developer uses.
 
-| What it protects  | Example blocked action                                  |
-| :---------------- | :------------------------------------------------------ |
-| **Git**           | `git push --force`, `git reset --hard`, `git clean -fd` |
-| **Shell**         | `curl ... \| bash`, `sudo` commands                     |
-| **SQL**           | `DELETE` / `UPDATE` without a `WHERE` clause            |
-| **Filesystem**    | `rm -rf` targeting home directory                       |
-| **Secrets (DLP)** | AWS keys, GitHub tokens, Stripe keys, PEM private keys  |
+| What it protects  | Example blocked action                                                             |
+| :---------------- | :--------------------------------------------------------------------------------- |
+| **Git**           | `git push --force`, `git reset --hard`, `git clean -fd`                            |
+| **Shell**         | `curl ... \| bash`, `sudo` commands                                                |
+| **SQL**           | `DELETE` / `UPDATE` without `WHERE`; `DROP TABLE`, `TRUNCATE TABLE`, `DROP COLUMN` |
+| **Filesystem**    | `rm -rf` targeting home directory                                                  |
+| **Secrets (DLP)** | AWS keys, GitHub tokens, Stripe keys, PEM private keys                             |
 
 ### 🔍 DLP — Content Scanner (Always On)
 
@@ -188,12 +188,12 @@ Secrets are **never logged in full** — the audit trail stores only a redacted
 
 Shields add protection for specific infrastructure and services — only relevant if you actually use them.
 
-| Shield       | What it protects                                                              |
-| :----------- | :---------------------------------------------------------------------------- |
-| `postgres`   | Blocks `DROP TABLE`, `TRUNCATE`, `DROP COLUMN`; reviews `GRANT`/`REVOKE`      |
-| `github`     | Blocks `gh repo delete`; reviews remote branch deletion                       |
-| `aws`        | Blocks S3 bucket deletion, EC2 termination; reviews IAM changes, RDS deletion |
-| `filesystem` | Reviews `chmod 777`, writes to `/etc/`                                        |
+| Shield       | What it protects                                                                                                |
+| :----------- | :-------------------------------------------------------------------------------------------------------------- |
+| `postgres`   | Hard-blocks `DROP TABLE`, `TRUNCATE`, `DROP COLUMN` (upgrades Layer 1 review → block); reviews `GRANT`/`REVOKE` |
+| `github`     | Blocks `gh repo delete`; reviews remote branch deletion                                                         |
+| `aws`        | Blocks S3 bucket deletion, EC2 termination; reviews IAM changes, RDS deletion                                   |
+| `filesystem` | Reviews `chmod 777`, writes to `/etc/`                                                                          |
 
 ```bash
 node9 shield enable postgres    # protect your database

package/dist/cli.js

@@ -492,30 +492,97 @@ function getShield(name) {
 function listShields() {
   return Object.values(SHIELDS);
 }
-function readActiveShields() {
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateOverrides(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        process.stderr.write(
+          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
+`
+        );
+      }
+    }
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return result;
+}
+function readShieldsFile() {
   try {
     const raw = import_fs.default.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return [];
+    if (!raw.trim()) return { active: [] };
     const parsed = JSON.parse(raw);
-    if (Array.isArray(parsed.active)) {
-      return parsed.active.filter(
-        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-      );
-    }
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    return { active, overrides: validateOverrides(parsed.overrides) };
   } catch (err) {
     if (err.code !== "ENOENT") {
       process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
 `);
     }
+    return { active: [] };
   }
-  return [];
 }
-function writeActiveShields(active) {
+function writeShieldsFile(data) {
   import_fs.default.mkdirSync(import_path3.default.dirname(SHIELDS_STATE_FILE), { recursive: true });
   const tmp = `${SHIELDS_STATE_FILE}.${import_crypto.default.randomBytes(6).toString("hex")}.tmp`;
-  import_fs.default.writeFileSync(tmp, JSON.stringify({ active }, null, 2), { mode: 384 });
+  const toWrite = { active: data.active };
+  if (data.overrides && Object.keys(data.overrides).length > 0) toWrite.overrides = data.overrides;
+  import_fs.default.writeFileSync(tmp, JSON.stringify(toWrite, null, 2), { mode: 384 });
   import_fs.default.renameSync(tmp, SHIELDS_STATE_FILE);
 }
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function writeActiveShields(active) {
+  const current = readShieldsFile();
+  writeShieldsFile({ ...current, active });
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
+}
+function writeShieldOverride(shieldName, ruleName, verdict) {
+  const current = readShieldsFile();
+  const overrides = { ...current.overrides ?? {} };
+  overrides[shieldName] = { ...overrides[shieldName] ?? {}, [ruleName]: verdict };
+  writeShieldsFile({ ...current, overrides });
+}
+function clearShieldOverride(shieldName, ruleName) {
+  const current = readShieldsFile();
+  if (!current.overrides?.[shieldName]?.[ruleName]) return;
+  const overrides = { ...current.overrides };
+  const updated = { ...overrides[shieldName] };
+  delete updated[ruleName];
+  if (Object.keys(updated).length === 0) {
+    delete overrides[shieldName];
+  } else {
+    overrides[shieldName] = updated;
+  }
+  writeShieldsFile({ ...current, overrides });
+}
+function resolveShieldRule(shieldName, identifier) {
+  const shield = SHIELDS[shieldName];
+  if (!shield) return null;
+  const id = identifier.toLowerCase();
+  for (const rule of shield.smartRules) {
+    if (!rule.name) continue;
+    if (rule.name === id) return rule.name;
+    const withoutShieldPrefix = rule.name.replace(`shield:${shieldName}:`, "");
+    if (withoutShieldPrefix === id) return rule.name;
+    const operation = withoutShieldPrefix.replace(/^(block|review|allow)-/, "");
+    if (operation === id) return rule.name;
+  }
+  return null;
+}
 var import_fs, import_path3, import_os, import_crypto, SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
@@ -829,9 +896,9 @@ var init_dlp = __esm({
       /[/\\][^/\\]+\.key$/i,
       /[/\\][^/\\]+\.p12$/i,
       /[/\\][^/\\]+\.pfx$/i,
-      /^\/etc\/passwd$/,
-      /^\/etc\/shadow$/,
-      /^\/etc\/sudoers$/,
+      /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+      /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+      /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
       /[/\\]credentials\.json$/i,
       /[/\\]id_rsa$/i,
       /[/\\]id_ed25519$/i,
@@ -1152,6 +1219,13 @@ function redactSecrets(text) {
 function _resetConfigCache() {
   cachedConfig = null;
 }
+function appendConfigAudit(entry) {
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    ...entry,
+    hostname: import_os2.default.hostname()
+  });
+}
 function getGlobalSettings() {
   try {
     const globalConfigPath = import_path5.default.join(import_os2.default.homedir(), ".node9", "config.json");
@@ -2167,12 +2241,19 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
     if (!shield) continue;
     const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
     for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
+      }
     }
     const existingWords = new Set(mergedPolicy.dangerousWords);
     for (const word of shield.dangerousWords) {
@@ -2593,6 +2674,10 @@ var init_core = __esm({
       environments: {}
     };
     ADVISORY_SMART_RULES = [
+      // ── rm safety ─────────────────────────────────────────────────────────────
+      // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+      // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+      // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
       {
         name: "allow-rm-safe-paths",
         tool: "*",
@@ -2615,6 +2700,34 @@ var init_core = __esm({
         conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
         verdict: "review",
         reason: "rm can permanently delete files \u2014 confirm the target path"
+      },
+      // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+      // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+      // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+      // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+      // without a shield, users still get a human-approval gate on every destructive op.
+      {
+        name: "review-drop-table-sql",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "review",
+        reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+      },
+      {
+        name: "review-truncate-sql",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "review",
+        reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+      },
+      {
+        name: "review-drop-column-sql",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
       }
     ];
     cachedConfig = null;
@@ -5823,7 +5936,7 @@ function openBrowserLocal() {
 }
 async function autoStartDaemonAndWait() {
   try {
-    const child = (0, import_child_process6.spawn)("node9", ["daemon"], {
+    const child = (0, import_child_process6.spawn)(process.execPath, [process.argv[1], "daemon"], {
       detached: true,
       stdio: "ignore",
       env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -6479,7 +6592,10 @@ program.command("daemon").description("Run the local approval server").argument(
         console.log(import_chalk6.default.green(`\u{1F310}  Opened browser: http://${DAEMON_HOST2}:${DAEMON_PORT2}/`));
         process.exit(0);
       }
-      const child = (0, import_child_process6.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = (0, import_child_process6.spawn)(process.execPath, [process.argv[1], "daemon"], {
+        detached: true,
+        stdio: "ignore"
+      });
       child.unref();
       for (let i = 0; i < 12; i++) {
         await new Promise((r) => setTimeout(r, 250));
@@ -6491,7 +6607,10 @@ program.command("daemon").description("Run the local approval server").argument(
       process.exit(0);
     }
     if (options.background) {
-      const child = (0, import_child_process6.spawn)("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = (0, import_child_process6.spawn)(process.execPath, [process.argv[1], "daemon"], {
+        detached: true,
+        stdio: "ignore"
+      });
       child.unref();
       console.log(import_chalk6.default.green(`
 \u{1F6E1}\uFE0F  Node9 daemon started in background  (PID ${child.pid})`));
@@ -6923,26 +7042,201 @@ shieldCmd.command("list").description("Show all available shields").action(() =>
   }
   console.log("");
 });
-shieldCmd.command("status").description("Show which shields are currently active").action(() => {
+shieldCmd.command("status").description("Show active shields and their individual rules with verdicts").action(() => {
   const active = readActiveShields();
   if (active.length === 0) {
-    console.log(import_chalk6.default.yellow("\n\u2139\uFE0F  No shields are active.\n"));
-    console.log(`Run ${import_chalk6.default.cyan("node9 shield list")} to see available shields.
+    console.error(import_chalk6.default.yellow("\n\u2139\uFE0F  No shields are active.\n"));
+    console.error(`Run ${import_chalk6.default.cyan("node9 shield list")} to see available shields.
 `);
     return;
   }
-  console.log(import_chalk6.default.bold("\n\u{1F6E1}\uFE0F  Active Shields\n"));
+  const overrides = readShieldOverrides();
+  console.error(import_chalk6.default.bold("\n\u{1F6E1}\uFE0F  Active Shields\n"));
   for (const name of active) {
     const shield = getShield(name);
     if (!shield) continue;
-    console.log(`  ${import_chalk6.default.green("\u25CF")} ${import_chalk6.default.cyan(name)}`);
-    console.log(
+    console.error(`  ${import_chalk6.default.green("\u25CF")} ${import_chalk6.default.cyan(name)} \u2014 ${shield.description}`);
+    const ruleOverrides = overrides[name] ?? {};
+    for (const rule of shield.smartRules) {
+      const shortName = rule.name ? rule.name.replace(`shield:${name}:`, "") : "(unnamed)";
+      const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+      const effectiveVerdict = overrideVerdict ?? rule.verdict;
+      const verdictLabel = effectiveVerdict === "block" ? import_chalk6.default.red("block ") : effectiveVerdict === "review" ? import_chalk6.default.yellow("review") : import_chalk6.default.green("allow ");
+      const overrideNote = overrideVerdict ? import_chalk6.default.gray(` \u2190 overridden (was: ${rule.verdict})`) : "";
+      console.error(
+        `    ${verdictLabel}  ${shortName.padEnd(24)} ${import_chalk6.default.gray(rule.reason ?? "")}${overrideNote}`
+      );
+    }
+    if (shield.dangerousWords.length > 0) {
+      console.error(import_chalk6.default.gray(`    words: ${shield.dangerousWords.join(", ")}`));
+    }
+    console.error("");
+  }
+  if (Object.keys(overrides).length > 0) {
+    console.error(
       import_chalk6.default.gray(
-        `    ${shield.smartRules.length} smart rules \xB7 ${shield.dangerousWords.length} dangerous words`
+        `  Tip: run ${import_chalk6.default.cyan("node9 shield unset <shield> <rule>")} to remove an override.
+`
       )
     );
   }
-  console.log("");
+});
+shieldCmd.command("set <service> <rule> <verdict>").description("Override the verdict for a specific shield rule (block, review, or allow)").option("--force", "Required when setting verdict to allow (silences a block rule)").action((service, rule, verdict, opts) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(import_chalk6.default.red(`
+\u274C Unknown shield: "${service}"
+`));
+    console.error(`Run ${import_chalk6.default.cyan("node9 shield list")} to see available shields.
+`);
+    process.exit(1);
+  }
+  if (!readActiveShields().includes(name)) {
+    console.error(import_chalk6.default.red(`
+\u274C Shield "${name}" is not active. Enable it first:
+`));
+    console.error(`  ${import_chalk6.default.cyan(`node9 shield enable ${name}`)}
+`);
+    process.exit(1);
+  }
+  if (!isShieldVerdict(verdict)) {
+    console.error(import_chalk6.default.red(`
+\u274C Invalid verdict "${verdict}". Use: block, review, or allow
+`));
+    process.exit(1);
+  }
+  if (verdict === "allow" && !opts.force) {
+    console.error(
+      import_chalk6.default.red(`
+\u26A0\uFE0F  Setting a verdict to "allow" silences the rule entirely.
+`) + import_chalk6.default.yellow(
+        `   This disables a shield protection. If you are sure, re-run with --force:
+`
+      ) + import_chalk6.default.cyan(`
+   node9 shield set ${service} ${rule} allow --force
+`)
+    );
+    process.exit(1);
+  }
+  const ruleName = resolveShieldRule(name, rule);
+  if (!ruleName) {
+    const shield = getShield(name);
+    console.error(import_chalk6.default.red(`
+\u274C Unknown rule "${rule}" for shield "${name}".
+`));
+    console.error("  Available rules:");
+    for (const r of shield?.smartRules ?? []) {
+      const short = r.name ? r.name.replace(`shield:${name}:`, "") : "";
+      console.error(`    ${import_chalk6.default.cyan(short)}`);
+    }
+    console.error("");
+    process.exit(1);
+  }
+  writeShieldOverride(name, ruleName, verdict);
+  if (verdict === "allow") {
+    appendConfigAudit({ event: "shield-override-allow", shield: name, rule: ruleName });
+  }
+  const shortName = ruleName.replace(`shield:${name}:`, "");
+  const verdictLabel = verdict === "block" ? import_chalk6.default.red("block") : verdict === "review" ? import_chalk6.default.yellow("review") : import_chalk6.default.green("allow");
+  if (verdict === "allow") {
+    console.error(
+      import_chalk6.default.yellow(`
+\u26A0\uFE0F  ${name}/${shortName} \u2192 ${verdictLabel}`) + import_chalk6.default.gray(" (rule silenced \u2014 use `node9 shield unset` to restore)\n")
+    );
+  } else {
+    console.error(import_chalk6.default.green(`
+\u2705  ${name}/${shortName} \u2192 ${verdictLabel}
+`));
+  }
+  console.error(
+    import_chalk6.default.gray(`   Run ${import_chalk6.default.cyan("node9 shield status")} to see all active rules.
+`)
+  );
+});
+shieldCmd.command("unset <service> <rule>").description("Remove a verdict override, restoring the shield default").action((service, rule) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(import_chalk6.default.red(`
+\u274C Unknown shield: "${service}"
+`));
+    process.exit(1);
+  }
+  const ruleName = resolveShieldRule(name, rule);
+  if (!ruleName) {
+    console.error(import_chalk6.default.red(`
+\u274C Unknown rule "${rule}" for shield "${name}".
+`));
+    process.exit(1);
+  }
+  clearShieldOverride(name, ruleName);
+  const shortName = ruleName.replace(`shield:${name}:`, "");
+  console.error(
+    import_chalk6.default.green(`
+\u2705  Override removed \u2014 ${name}/${shortName} restored to default.
+`)
+  );
+});
+program.command("config show").description("Show the full effective runtime configuration including shields and advisory rules").action(() => {
+  const config = getConfig();
+  const active = readActiveShields();
+  const overrides = readShieldOverrides();
+  console.error(import_chalk6.default.bold("\n\u{1F50D}  Node9 Effective Configuration\n"));
+  const modeLabel = config.settings.mode === "audit" ? import_chalk6.default.blue("audit") : config.settings.mode === "strict" ? import_chalk6.default.red("strict") : import_chalk6.default.white("standard");
+  console.error(`  Mode: ${modeLabel}
+`);
+  if (active.length > 0) {
+    console.error(import_chalk6.default.bold("  \u2500\u2500 Active Shields \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    for (const name of active) {
+      const shield = getShield(name);
+      if (!shield) continue;
+      const ruleOverrides = overrides[name] ?? {};
+      console.error(`
+  ${import_chalk6.default.green("\u25CF")} ${import_chalk6.default.cyan(name)}`);
+      for (const rule of shield.smartRules) {
+        const shortName = rule.name ? rule.name.replace(`shield:${name}:`, "") : "(unnamed)";
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        const effectiveVerdict = overrideVerdict ?? rule.verdict;
+        const vLabel = effectiveVerdict === "block" ? import_chalk6.default.red("block ") : effectiveVerdict === "review" ? import_chalk6.default.yellow("review") : import_chalk6.default.green("allow ");
+        const note = overrideVerdict ? import_chalk6.default.gray(` \u2190 overridden`) : "";
+        console.error(`    ${vLabel}  ${shortName}${note}`);
+      }
+    }
+    console.error("");
+  } else {
+    console.error(import_chalk6.default.gray("  No shields active. Run `node9 shield list` to see options.\n"));
+  }
+  console.error(import_chalk6.default.bold("  \u2500\u2500 Built-in Rules (always on) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  for (const rule of config.policy.smartRules) {
+    const isShieldRule = rule.name?.startsWith("shield:");
+    const isAdvisory = [
+      "review-rm",
+      "allow-rm-safe-paths",
+      "review-drop-table-sql",
+      "review-truncate-sql",
+      "review-drop-column-sql"
+    ].includes(rule.name ?? "");
+    if (isShieldRule || isAdvisory) continue;
+    const vLabel = rule.verdict === "block" ? import_chalk6.default.red("block ") : rule.verdict === "review" ? import_chalk6.default.yellow("review") : import_chalk6.default.green("allow ");
+    console.error(`    ${vLabel}  ${import_chalk6.default.gray(rule.name ?? rule.tool)}`);
+  }
+  console.error("");
+  console.error(import_chalk6.default.bold("  \u2500\u2500 Safe by Default (advisory, overridable) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  const advisoryNames = /* @__PURE__ */ new Set([
+    "review-rm",
+    "allow-rm-safe-paths",
+    "review-drop-table-sql",
+    "review-truncate-sql",
+    "review-drop-column-sql"
+  ]);
+  for (const rule of config.policy.smartRules) {
+    if (!advisoryNames.has(rule.name ?? "")) continue;
+    const vLabel = rule.verdict === "block" ? import_chalk6.default.red("block ") : rule.verdict === "review" ? import_chalk6.default.yellow("review") : import_chalk6.default.green("allow ");
+    console.error(`    ${vLabel}  ${import_chalk6.default.gray(rule.name ?? rule.tool)}`);
+  }
+  console.error("");
+  console.error(import_chalk6.default.bold("  \u2500\u2500 Dangerous Words \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.error(`    ${import_chalk6.default.gray(config.policy.dangerousWords.join(", "))}
+`);
 });
 if (process.argv[2] !== "daemon") {
   process.on("unhandledRejection", (reason) => {

package/dist/cli.mjs

@@ -475,30 +475,97 @@ function getShield(name) {
 function listShields() {
   return Object.values(SHIELDS);
 }
-function readActiveShields() {
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateOverrides(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        process.stderr.write(
+          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
+`
+        );
+      }
+    }
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return result;
+}
+function readShieldsFile() {
   try {
     const raw = fs.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return [];
+    if (!raw.trim()) return { active: [] };
     const parsed = JSON.parse(raw);
-    if (Array.isArray(parsed.active)) {
-      return parsed.active.filter(
-        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-      );
-    }
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    return { active, overrides: validateOverrides(parsed.overrides) };
   } catch (err) {
     if (err.code !== "ENOENT") {
       process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
 `);
     }
+    return { active: [] };
   }
-  return [];
 }
-function writeActiveShields(active) {
+function writeShieldsFile(data) {
   fs.mkdirSync(path3.dirname(SHIELDS_STATE_FILE), { recursive: true });
   const tmp = `${SHIELDS_STATE_FILE}.${crypto.randomBytes(6).toString("hex")}.tmp`;
-  fs.writeFileSync(tmp, JSON.stringify({ active }, null, 2), { mode: 384 });
+  const toWrite = { active: data.active };
+  if (data.overrides && Object.keys(data.overrides).length > 0) toWrite.overrides = data.overrides;
+  fs.writeFileSync(tmp, JSON.stringify(toWrite, null, 2), { mode: 384 });
   fs.renameSync(tmp, SHIELDS_STATE_FILE);
 }
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function writeActiveShields(active) {
+  const current = readShieldsFile();
+  writeShieldsFile({ ...current, active });
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
+}
+function writeShieldOverride(shieldName, ruleName, verdict) {
+  const current = readShieldsFile();
+  const overrides = { ...current.overrides ?? {} };
+  overrides[shieldName] = { ...overrides[shieldName] ?? {}, [ruleName]: verdict };
+  writeShieldsFile({ ...current, overrides });
+}
+function clearShieldOverride(shieldName, ruleName) {
+  const current = readShieldsFile();
+  if (!current.overrides?.[shieldName]?.[ruleName]) return;
+  const overrides = { ...current.overrides };
+  const updated = { ...overrides[shieldName] };
+  delete updated[ruleName];
+  if (Object.keys(updated).length === 0) {
+    delete overrides[shieldName];
+  } else {
+    overrides[shieldName] = updated;
+  }
+  writeShieldsFile({ ...current, overrides });
+}
+function resolveShieldRule(shieldName, identifier) {
+  const shield = SHIELDS[shieldName];
+  if (!shield) return null;
+  const id = identifier.toLowerCase();
+  for (const rule of shield.smartRules) {
+    if (!rule.name) continue;
+    if (rule.name === id) return rule.name;
+    const withoutShieldPrefix = rule.name.replace(`shield:${shieldName}:`, "");
+    if (withoutShieldPrefix === id) return rule.name;
+    const operation = withoutShieldPrefix.replace(/^(block|review|allow)-/, "");
+    if (operation === id) return rule.name;
+  }
+  return null;
+}
 var SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
@@ -808,9 +875,9 @@ var init_dlp = __esm({
       /[/\\][^/\\]+\.key$/i,
       /[/\\][^/\\]+\.p12$/i,
       /[/\\][^/\\]+\.pfx$/i,
-      /^\/etc\/passwd$/,
-      /^\/etc\/shadow$/,
-      /^\/etc\/sudoers$/,
+      /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+      /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+      /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
       /[/\\]credentials\.json$/i,
       /[/\\]id_rsa$/i,
       /[/\\]id_ed25519$/i,
@@ -1142,6 +1209,13 @@ function redactSecrets(text) {
 function _resetConfigCache() {
   cachedConfig = null;
 }
+function appendConfigAudit(entry) {
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    ...entry,
+    hostname: os2.hostname()
+  });
+}
 function getGlobalSettings() {
   try {
     const globalConfigPath = path5.join(os2.homedir(), ".node9", "config.json");
@@ -2157,12 +2231,19 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
     if (!shield) continue;
     const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
     for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
+      }
     }
     const existingWords = new Set(mergedPolicy.dangerousWords);
     for (const word of shield.dangerousWords) {
@@ -2572,6 +2653,10 @@ var init_core = __esm({
       environments: {}
     };
     ADVISORY_SMART_RULES = [
+      // ── rm safety ─────────────────────────────────────────────────────────────
+      // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+      // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+      // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
       {
         name: "allow-rm-safe-paths",
         tool: "*",
@@ -2594,6 +2679,34 @@ var init_core = __esm({
         conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
         verdict: "review",
         reason: "rm can permanently delete files \u2014 confirm the target path"
+      },
+      // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+      // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+      // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+      // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+      // without a shield, users still get a human-approval gate on every destructive op.
+      {
+        name: "review-drop-table-sql",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "review",
+        reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+      },
+      {
+        name: "review-truncate-sql",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "review",
+        reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+      },
+      {
+        name: "review-drop-column-sql",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
       }
     ];
     cachedConfig = null;
@@ -5802,7 +5915,7 @@ function openBrowserLocal() {
 }
 async function autoStartDaemonAndWait() {
   try {
-    const child = spawn5("node9", ["daemon"], {
+    const child = spawn5(process.execPath, [process.argv[1], "daemon"], {
       detached: true,
       stdio: "ignore",
       env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -6458,7 +6571,10 @@ program.command("daemon").description("Run the local approval server").argument(
         console.log(chalk6.green(`\u{1F310}  Opened browser: http://${DAEMON_HOST2}:${DAEMON_PORT2}/`));
         process.exit(0);
       }
-      const child = spawn5("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = spawn5(process.execPath, [process.argv[1], "daemon"], {
+        detached: true,
+        stdio: "ignore"
+      });
       child.unref();
       for (let i = 0; i < 12; i++) {
         await new Promise((r) => setTimeout(r, 250));
@@ -6470,7 +6586,10 @@ program.command("daemon").description("Run the local approval server").argument(
       process.exit(0);
     }
     if (options.background) {
-      const child = spawn5("node9", ["daemon"], { detached: true, stdio: "ignore" });
+      const child = spawn5(process.execPath, [process.argv[1], "daemon"], {
+        detached: true,
+        stdio: "ignore"
+      });
       child.unref();
       console.log(chalk6.green(`
 \u{1F6E1}\uFE0F  Node9 daemon started in background  (PID ${child.pid})`));
@@ -6902,26 +7021,201 @@ shieldCmd.command("list").description("Show all available shields").action(() =>
   }
   console.log("");
 });
-shieldCmd.command("status").description("Show which shields are currently active").action(() => {
+shieldCmd.command("status").description("Show active shields and their individual rules with verdicts").action(() => {
   const active = readActiveShields();
   if (active.length === 0) {
-    console.log(chalk6.yellow("\n\u2139\uFE0F  No shields are active.\n"));
-    console.log(`Run ${chalk6.cyan("node9 shield list")} to see available shields.
+    console.error(chalk6.yellow("\n\u2139\uFE0F  No shields are active.\n"));
+    console.error(`Run ${chalk6.cyan("node9 shield list")} to see available shields.
 `);
     return;
   }
-  console.log(chalk6.bold("\n\u{1F6E1}\uFE0F  Active Shields\n"));
+  const overrides = readShieldOverrides();
+  console.error(chalk6.bold("\n\u{1F6E1}\uFE0F  Active Shields\n"));
   for (const name of active) {
     const shield = getShield(name);
     if (!shield) continue;
-    console.log(`  ${chalk6.green("\u25CF")} ${chalk6.cyan(name)}`);
-    console.log(
+    console.error(`  ${chalk6.green("\u25CF")} ${chalk6.cyan(name)} \u2014 ${shield.description}`);
+    const ruleOverrides = overrides[name] ?? {};
+    for (const rule of shield.smartRules) {
+      const shortName = rule.name ? rule.name.replace(`shield:${name}:`, "") : "(unnamed)";
+      const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+      const effectiveVerdict = overrideVerdict ?? rule.verdict;
+      const verdictLabel = effectiveVerdict === "block" ? chalk6.red("block ") : effectiveVerdict === "review" ? chalk6.yellow("review") : chalk6.green("allow ");
+      const overrideNote = overrideVerdict ? chalk6.gray(` \u2190 overridden (was: ${rule.verdict})`) : "";
+      console.error(
+        `    ${verdictLabel}  ${shortName.padEnd(24)} ${chalk6.gray(rule.reason ?? "")}${overrideNote}`
+      );
+    }
+    if (shield.dangerousWords.length > 0) {
+      console.error(chalk6.gray(`    words: ${shield.dangerousWords.join(", ")}`));
+    }
+    console.error("");
+  }
+  if (Object.keys(overrides).length > 0) {
+    console.error(
       chalk6.gray(
-        `    ${shield.smartRules.length} smart rules \xB7 ${shield.dangerousWords.length} dangerous words`
+        `  Tip: run ${chalk6.cyan("node9 shield unset <shield> <rule>")} to remove an override.
+`
       )
     );
   }
-  console.log("");
+});
+shieldCmd.command("set <service> <rule> <verdict>").description("Override the verdict for a specific shield rule (block, review, or allow)").option("--force", "Required when setting verdict to allow (silences a block rule)").action((service, rule, verdict, opts) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(chalk6.red(`
+\u274C Unknown shield: "${service}"
+`));
+    console.error(`Run ${chalk6.cyan("node9 shield list")} to see available shields.
+`);
+    process.exit(1);
+  }
+  if (!readActiveShields().includes(name)) {
+    console.error(chalk6.red(`
+\u274C Shield "${name}" is not active. Enable it first:
+`));
+    console.error(`  ${chalk6.cyan(`node9 shield enable ${name}`)}
+`);
+    process.exit(1);
+  }
+  if (!isShieldVerdict(verdict)) {
+    console.error(chalk6.red(`
+\u274C Invalid verdict "${verdict}". Use: block, review, or allow
+`));
+    process.exit(1);
+  }
+  if (verdict === "allow" && !opts.force) {
+    console.error(
+      chalk6.red(`
+\u26A0\uFE0F  Setting a verdict to "allow" silences the rule entirely.
+`) + chalk6.yellow(
+        `   This disables a shield protection. If you are sure, re-run with --force:
+`
+      ) + chalk6.cyan(`
+   node9 shield set ${service} ${rule} allow --force
+`)
+    );
+    process.exit(1);
+  }
+  const ruleName = resolveShieldRule(name, rule);
+  if (!ruleName) {
+    const shield = getShield(name);
+    console.error(chalk6.red(`
+\u274C Unknown rule "${rule}" for shield "${name}".
+`));
+    console.error("  Available rules:");
+    for (const r of shield?.smartRules ?? []) {
+      const short = r.name ? r.name.replace(`shield:${name}:`, "") : "";
+      console.error(`    ${chalk6.cyan(short)}`);
+    }
+    console.error("");
+    process.exit(1);
+  }
+  writeShieldOverride(name, ruleName, verdict);
+  if (verdict === "allow") {
+    appendConfigAudit({ event: "shield-override-allow", shield: name, rule: ruleName });
+  }
+  const shortName = ruleName.replace(`shield:${name}:`, "");
+  const verdictLabel = verdict === "block" ? chalk6.red("block") : verdict === "review" ? chalk6.yellow("review") : chalk6.green("allow");
+  if (verdict === "allow") {
+    console.error(
+      chalk6.yellow(`
+\u26A0\uFE0F  ${name}/${shortName} \u2192 ${verdictLabel}`) + chalk6.gray(" (rule silenced \u2014 use `node9 shield unset` to restore)\n")
+    );
+  } else {
+    console.error(chalk6.green(`
+\u2705  ${name}/${shortName} \u2192 ${verdictLabel}
+`));
+  }
+  console.error(
+    chalk6.gray(`   Run ${chalk6.cyan("node9 shield status")} to see all active rules.
+`)
+  );
+});
+shieldCmd.command("unset <service> <rule>").description("Remove a verdict override, restoring the shield default").action((service, rule) => {
+  const name = resolveShieldName(service);
+  if (!name) {
+    console.error(chalk6.red(`
+\u274C Unknown shield: "${service}"
+`));
+    process.exit(1);
+  }
+  const ruleName = resolveShieldRule(name, rule);
+  if (!ruleName) {
+    console.error(chalk6.red(`
+\u274C Unknown rule "${rule}" for shield "${name}".
+`));
+    process.exit(1);
+  }
+  clearShieldOverride(name, ruleName);
+  const shortName = ruleName.replace(`shield:${name}:`, "");
+  console.error(
+    chalk6.green(`
+\u2705  Override removed \u2014 ${name}/${shortName} restored to default.
+`)
+  );
+});
+program.command("config show").description("Show the full effective runtime configuration including shields and advisory rules").action(() => {
+  const config = getConfig();
+  const active = readActiveShields();
+  const overrides = readShieldOverrides();
+  console.error(chalk6.bold("\n\u{1F50D}  Node9 Effective Configuration\n"));
+  const modeLabel = config.settings.mode === "audit" ? chalk6.blue("audit") : config.settings.mode === "strict" ? chalk6.red("strict") : chalk6.white("standard");
+  console.error(`  Mode: ${modeLabel}
+`);
+  if (active.length > 0) {
+    console.error(chalk6.bold("  \u2500\u2500 Active Shields \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    for (const name of active) {
+      const shield = getShield(name);
+      if (!shield) continue;
+      const ruleOverrides = overrides[name] ?? {};
+      console.error(`
+  ${chalk6.green("\u25CF")} ${chalk6.cyan(name)}`);
+      for (const rule of shield.smartRules) {
+        const shortName = rule.name ? rule.name.replace(`shield:${name}:`, "") : "(unnamed)";
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        const effectiveVerdict = overrideVerdict ?? rule.verdict;
+        const vLabel = effectiveVerdict === "block" ? chalk6.red("block ") : effectiveVerdict === "review" ? chalk6.yellow("review") : chalk6.green("allow ");
+        const note = overrideVerdict ? chalk6.gray(` \u2190 overridden`) : "";
+        console.error(`    ${vLabel}  ${shortName}${note}`);
+      }
+    }
+    console.error("");
+  } else {
+    console.error(chalk6.gray("  No shields active. Run `node9 shield list` to see options.\n"));
+  }
+  console.error(chalk6.bold("  \u2500\u2500 Built-in Rules (always on) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  for (const rule of config.policy.smartRules) {
+    const isShieldRule = rule.name?.startsWith("shield:");
+    const isAdvisory = [
+      "review-rm",
+      "allow-rm-safe-paths",
+      "review-drop-table-sql",
+      "review-truncate-sql",
+      "review-drop-column-sql"
+    ].includes(rule.name ?? "");
+    if (isShieldRule || isAdvisory) continue;
+    const vLabel = rule.verdict === "block" ? chalk6.red("block ") : rule.verdict === "review" ? chalk6.yellow("review") : chalk6.green("allow ");
+    console.error(`    ${vLabel}  ${chalk6.gray(rule.name ?? rule.tool)}`);
+  }
+  console.error("");
+  console.error(chalk6.bold("  \u2500\u2500 Safe by Default (advisory, overridable) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  const advisoryNames = /* @__PURE__ */ new Set([
+    "review-rm",
+    "allow-rm-safe-paths",
+    "review-drop-table-sql",
+    "review-truncate-sql",
+    "review-drop-column-sql"
+  ]);
+  for (const rule of config.policy.smartRules) {
+    if (!advisoryNames.has(rule.name ?? "")) continue;
+    const vLabel = rule.verdict === "block" ? chalk6.red("block ") : rule.verdict === "review" ? chalk6.yellow("review") : chalk6.green("allow ");
+    console.error(`    ${vLabel}  ${chalk6.gray(rule.name ?? rule.tool)}`);
+  }
+  console.error("");
+  console.error(chalk6.bold("  \u2500\u2500 Dangerous Words \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.error(`    ${chalk6.gray(config.policy.dangerousWords.join(", "))}
+`);
 });
 if (process.argv[2] !== "daemon") {
   process.on("unhandledRejection", (reason) => {

package/dist/index.js

@@ -660,23 +660,51 @@ function getShield(name) {
   return resolved ? SHIELDS[resolved] : null;
 }
 var SHIELDS_STATE_FILE = import_path3.default.join(import_os.default.homedir(), ".node9", "shields.json");
-function readActiveShields() {
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateOverrides(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        process.stderr.write(
+          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
+`
+        );
+      }
+    }
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return result;
+}
+function readShieldsFile() {
   try {
     const raw = import_fs.default.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return [];
+    if (!raw.trim()) return { active: [] };
     const parsed = JSON.parse(raw);
-    if (Array.isArray(parsed.active)) {
-      return parsed.active.filter(
-        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-      );
-    }
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    return { active, overrides: validateOverrides(parsed.overrides) };
   } catch (err) {
     if (err.code !== "ENOENT") {
       process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
 `);
     }
+    return { active: [] };
   }
-  return [];
+}
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
 }
 
 // src/dlp.ts
@@ -724,9 +752,9 @@ var SENSITIVE_PATH_PATTERNS = [
   /[/\\][^/\\]+\.key$/i,
   /[/\\][^/\\]+\.p12$/i,
   /[/\\][^/\\]+\.pfx$/i,
-  /^\/etc\/passwd$/,
-  /^\/etc\/shadow$/,
-  /^\/etc\/sudoers$/,
+  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
   /[/\\]credentials\.json$/i,
   /[/\\]id_rsa$/i,
   /[/\\]id_ed25519$/i,
@@ -1299,6 +1327,10 @@ var DEFAULT_CONFIG = {
   environments: {}
 };
 var ADVISORY_SMART_RULES = [
+  // ── rm safety ─────────────────────────────────────────────────────────────
+  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
   {
     name: "allow-rm-safe-paths",
     tool: "*",
@@ -1321,6 +1353,34 @@ var ADVISORY_SMART_RULES = [
     conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
     verdict: "review",
     reason: "rm can permanently delete files \u2014 confirm the target path"
+  },
+  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+  // without a shield, users still get a human-approval gate on every destructive op.
+  {
+    name: "review-drop-table-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+  },
+  {
+    name: "review-truncate-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+  },
+  {
+    name: "review-drop-column-sql",
+    tool: "*",
+    conditions: [
+      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+    ],
+    verdict: "review",
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
   }
 ];
 var cachedConfig = null;
@@ -2058,12 +2118,19 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
     if (!shield) continue;
     const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
     for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
+      }
     }
     const existingWords = new Set(mergedPolicy.dangerousWords);
     for (const word of shield.dangerousWords) {

package/dist/index.mjs

@@ -624,23 +624,51 @@ function getShield(name) {
   return resolved ? SHIELDS[resolved] : null;
 }
 var SHIELDS_STATE_FILE = path3.join(os.homedir(), ".node9", "shields.json");
-function readActiveShields() {
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateOverrides(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        process.stderr.write(
+          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
+`
+        );
+      }
+    }
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return result;
+}
+function readShieldsFile() {
   try {
     const raw = fs.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return [];
+    if (!raw.trim()) return { active: [] };
     const parsed = JSON.parse(raw);
-    if (Array.isArray(parsed.active)) {
-      return parsed.active.filter(
-        (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-      );
-    }
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    return { active, overrides: validateOverrides(parsed.overrides) };
   } catch (err) {
     if (err.code !== "ENOENT") {
       process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
 `);
     }
+    return { active: [] };
   }
-  return [];
+}
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
 }
 
 // src/dlp.ts
@@ -688,9 +716,9 @@ var SENSITIVE_PATH_PATTERNS = [
   /[/\\][^/\\]+\.key$/i,
   /[/\\][^/\\]+\.p12$/i,
   /[/\\][^/\\]+\.pfx$/i,
-  /^\/etc\/passwd$/,
-  /^\/etc\/shadow$/,
-  /^\/etc\/sudoers$/,
+  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
   /[/\\]credentials\.json$/i,
   /[/\\]id_rsa$/i,
   /[/\\]id_ed25519$/i,
@@ -1263,6 +1291,10 @@ var DEFAULT_CONFIG = {
   environments: {}
 };
 var ADVISORY_SMART_RULES = [
+  // ── rm safety ─────────────────────────────────────────────────────────────
+  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
   {
     name: "allow-rm-safe-paths",
     tool: "*",
@@ -1285,6 +1317,34 @@ var ADVISORY_SMART_RULES = [
     conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
     verdict: "review",
     reason: "rm can permanently delete files \u2014 confirm the target path"
+  },
+  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+  // without a shield, users still get a human-approval gate on every destructive op.
+  {
+    name: "review-drop-table-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+  },
+  {
+    name: "review-truncate-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+  },
+  {
+    name: "review-drop-column-sql",
+    tool: "*",
+    conditions: [
+      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+    ],
+    verdict: "review",
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
   }
 ];
 var cachedConfig = null;
@@ -2022,12 +2082,19 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
     if (!shield) continue;
     const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
     for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
+      }
     }
     const existingWords = new Set(mergedPolicy.dangerousWords);
     for (const word of shield.dangerousWords) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -61,9 +61,9 @@
     "test:e2e": "NODE9_TESTING=1 bash scripts/e2e.sh",
     "preuninstall": "node9 uninstall || echo 'node9 uninstall failed — remove hooks manually from ~/.claude/settings.json'",
     "prepublishOnly": "npm run validate",
-    "test": "NODE_ENV=test vitest --run",
-    "test:watch": "NODE_ENV=test vitest",
-    "test:ui": "NODE_ENV=test vitest --ui"
+    "test": "vitest --run",
+    "test:watch": "vitest",
+    "test:ui": "vitest --ui"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",