@node9/proxy 1.1.7 → 1.3.0

package/dist/index.mjs

@@ -1,826 +1,843 @@
-// src/core.ts
-import fs3 from "fs";
-import path5 from "path";
-import os2 from "os";
-import net from "net";
-import { randomUUID } from "crypto";
-import { spawnSync } from "child_process";
-import pm from "picomatch";
-import safeRegex from "safe-regex2";
-import { parse } from "sh-syntax";
-
-// src/ui/native.ts
-import { spawn } from "child_process";
-import path2 from "path";
-
-// src/context-sniper.ts
+// src/audit/index.ts
+import fs from "fs";
 import path from "path";
-function smartTruncate(str, maxLen = 500) {
-  if (str.length <= maxLen) return str;
-  const edge = Math.floor(maxLen / 2) - 3;
-  return `${str.slice(0, edge)} ... ${str.slice(-edge)}`;
+import os from "os";
+var LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
+function redactSecrets(text) {
+  if (!text) return text;
+  let redacted = text;
+  redacted = redacted.replace(
+    /(authorization:\s*(?:bearer|basic)\s+)[a-zA-Z0-9._\-\/\\=]+/gi,
+    "$1********"
+  );
+  redacted = redacted.replace(
+    /(api[_-]?key|secret|password|token)([:=]\s*['"]?)[a-zA-Z0-9._\-]{8,}/gi,
+    "$1$2********"
+  );
+  return redacted;
 }
-function extractContext(text, matchedWord) {
-  const lines = text.split("\n");
-  if (lines.length <= 7 || !matchedWord) {
-    return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+function appendToLog(logPath, entry) {
+  try {
+    const dir = path.dirname(logPath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+  } catch {
   }
-  const escaped = matchedWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  const pattern = new RegExp(`\\b${escaped}\\b`, "i");
-  const allHits = lines.map((line, i) => ({ i, line })).filter(({ line }) => pattern.test(line));
-  if (allHits.length === 0) return { snippet: smartTruncate(text, 500), lineIndex: -1 };
-  const nonComment = allHits.find(({ line }) => {
-    const trimmed = line.trim();
-    return !trimmed.startsWith("//") && !trimmed.startsWith("#");
+}
+function appendHookDebug(toolName, args, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(HOOK_DEBUG_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: os.hostname(),
+    cwd: process.cwd()
   });
-  const hitIndex = (nonComment ?? allHits[0]).i;
-  const start = Math.max(0, hitIndex - 3);
-  const end = Math.min(lines.length, hitIndex + 4);
-  const lineIndex = hitIndex - start;
-  const snippet = lines.slice(start, end).map((line, i) => `${start + i === hitIndex ? "\u{1F6D1} " : "   "}${line}`).join("\n");
-  const head = start > 0 ? `... [${start} lines hidden] ...
-` : "";
-  const tail = end < lines.length ? `
-... [${lines.length - end} lines hidden] ...` : "";
-  return { snippet: `${head}${snippet}${tail}`, lineIndex };
 }
-var CODE_KEYS = [
-  "command",
-  "cmd",
-  "shell_command",
-  "bash_command",
-  "script",
-  "code",
-  "input",
-  "sql",
-  "query",
-  "arguments",
-  "args",
-  "param",
-  "params",
-  "text"
-];
-function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWord, ruleName) {
-  let intent = "EXEC";
-  let contextSnippet;
-  let contextLineIndex;
-  let editFileName;
-  let editFilePath;
-  let parsed = args;
-  if (typeof args === "string") {
-    const trimmed = args.trim();
-    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
-      try {
-        parsed = JSON.parse(trimmed);
-      } catch {
-      }
+function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    decision,
+    checkedBy,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: os.hostname()
+  });
+}
+
+// src/config/index.ts
+import fs3 from "fs";
+import path3 from "path";
+import os3 from "os";
+
+// src/config-schema.ts
+import { z } from "zod";
+var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
+  message: "Value must not contain literal newline characters (use \\n instead)"
+});
+var SmartConditionSchema = z.object({
+  field: z.string().min(1, "Condition field must not be empty"),
+  op: z.enum(
+    [
+      "matches",
+      "notMatches",
+      "contains",
+      "notContains",
+      "exists",
+      "notExists",
+      "matchesGlob",
+      "notMatchesGlob"
+    ],
+    {
+      errorMap: () => ({
+        message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists, matchesGlob, notMatchesGlob"
+      })
     }
+  ),
+  value: z.string().optional(),
+  flags: z.string().optional()
+}).refine(
+  (c) => {
+    if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
+    return true;
+  },
+  { message: "matchesGlob and notMatchesGlob conditions require a value field" }
+);
+var SmartRuleSchema = z.object({
+  name: z.string().optional(),
+  tool: z.string().min(1, "Smart rule tool must not be empty"),
+  conditions: z.array(SmartConditionSchema).min(1, "Smart rule must have at least one condition"),
+  conditionMode: z.enum(["all", "any"]).optional(),
+  verdict: z.enum(["allow", "review", "block"], {
+    errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
+  }),
+  reason: z.string().optional()
+});
+var ConfigFileSchema = z.object({
+  version: z.string().optional(),
+  settings: z.object({
+    mode: z.enum(["standard", "strict", "audit"]).optional(),
+    autoStartDaemon: z.boolean().optional(),
+    enableUndo: z.boolean().optional(),
+    enableHookLogDebug: z.boolean().optional(),
+    approvalTimeoutMs: z.number().nonnegative().optional(),
+    approvalTimeoutSeconds: z.number().nonnegative().optional(),
+    flightRecorder: z.boolean().optional(),
+    approvers: z.object({
+      native: z.boolean().optional(),
+      browser: z.boolean().optional(),
+      cloud: z.boolean().optional(),
+      terminal: z.boolean().optional()
+    }).optional(),
+    environment: z.string().optional(),
+    slackEnabled: z.boolean().optional(),
+    enableTrustSessions: z.boolean().optional(),
+    allowGlobalPause: z.boolean().optional()
+  }).optional(),
+  policy: z.object({
+    sandboxPaths: z.array(z.string()).optional(),
+    dangerousWords: z.array(noNewlines).optional(),
+    ignoredTools: z.array(z.string()).optional(),
+    toolInspection: z.record(z.string()).optional(),
+    smartRules: z.array(SmartRuleSchema).optional(),
+    snapshot: z.object({
+      tools: z.array(z.string()).optional(),
+      onlyPaths: z.array(z.string()).optional(),
+      ignorePaths: z.array(z.string()).optional()
+    }).optional(),
+    dlp: z.object({
+      enabled: z.boolean().optional(),
+      scanIgnoredTools: z.boolean().optional()
+    }).optional()
+  }).optional(),
+  environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
+}).strict({ message: "Config contains unknown top-level keys" });
+function sanitizeConfig(raw) {
+  const result = ConfigFileSchema.safeParse(raw);
+  if (result.success) {
+    return { sanitized: result.data, error: null };
   }
-  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
-    const obj = parsed;
-    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      intent = "EDIT";
-      if (obj.file_path) {
-        editFilePath = String(obj.file_path);
-        editFileName = path.basename(editFilePath);
-      }
-      const result = extractContext(String(obj.new_string), matchedWord);
-      contextSnippet = result.snippet;
-      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
-    } else if (matchedField && obj[matchedField] !== void 0) {
-      const result = extractContext(String(obj[matchedField]), matchedWord);
-      contextSnippet = result.snippet;
-      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
-    } else {
-      const foundKey = Object.keys(obj).find((k) => CODE_KEYS.includes(k.toLowerCase()));
-      if (foundKey) {
-        const val = obj[foundKey];
-        contextSnippet = smartTruncate(typeof val === "string" ? val : JSON.stringify(val), 500);
+  const invalidTopLevelKeys = new Set(
+    result.error.issues.filter((issue) => issue.path.length > 0).map((issue) => String(issue.path[0]))
+  );
+  const sanitized = {};
+  if (typeof raw === "object" && raw !== null) {
+    for (const [key, value] of Object.entries(raw)) {
+      if (!invalidTopLevelKeys.has(key)) {
+        sanitized[key] = value;
       }
     }
-  } else if (typeof parsed === "string") {
-    contextSnippet = smartTruncate(parsed, 500);
   }
+  const lines = result.error.issues.map((issue) => {
+    const path10 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path10}: ${issue.message}`;
+  });
   return {
-    intent,
-    tier,
-    blockedByLabel,
-    ...matchedWord && { matchedWord },
-    ...matchedField && { matchedField },
-    ...contextSnippet !== void 0 && { contextSnippet },
-    ...contextLineIndex !== void 0 && { contextLineIndex },
-    ...editFileName && { editFileName },
-    ...editFilePath && { editFilePath },
-    ...ruleName && { ruleName }
+    sanitized,
+    error: `Invalid config:
+${lines.join("\n")}`
   };
 }
 
-// src/ui/native.ts
-var isTestEnv = () => {
-  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
-};
-function formatArgs(args, matchedField, matchedWord) {
-  if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
-  let parsed = args;
-  if (typeof args === "string") {
-    const trimmed = args.trim();
-    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
-      try {
-        parsed = JSON.parse(trimmed);
-      } catch {
-        parsed = args;
+// src/shields.ts
+import fs2 from "fs";
+import path2 from "path";
+import os2 from "os";
+var SHIELDS = {
+  postgres: {
+    name: "postgres",
+    description: "Protects PostgreSQL databases from destructive AI operations",
+    aliases: ["pg", "postgresql"],
+    smartRules: [
+      {
+        name: "shield:postgres:block-drop-table",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-truncate",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+        verdict: "block",
+        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:block-drop-column",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+      },
+      {
+        name: "shield:postgres:review-grant-revoke",
+        tool: "*",
+        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
+        verdict: "review",
+        reason: "Permission changes require human approval (Postgres shield)"
       }
-    } else {
-      return { message: smartTruncate(args, 600), intent: "EXEC" };
-    }
+    ],
+    dangerousWords: ["dropdb", "pg_dropcluster"]
+  },
+  github: {
+    name: "github",
+    description: "Protects GitHub repositories from destructive AI operations",
+    aliases: ["git"],
+    smartRules: [
+      {
+        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
+        // This rule adds coverage for `git push --delete` which the built-in does not match.
+        name: "shield:github:review-delete-branch-remote",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "git\\s+push\\s+.*--delete",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "Remote branch deletion requires human approval (GitHub shield)"
+      },
+      {
+        name: "shield:github:block-delete-repo",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+        ],
+        verdict: "block",
+        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
+      }
+    ],
+    dangerousWords: []
+  },
+  aws: {
+    name: "aws",
+    description: "Protects AWS infrastructure from destructive AI operations",
+    aliases: ["amazon"],
+    smartRules: [
+      {
+        name: "shield:aws:block-delete-s3-bucket",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-iam-changes",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "IAM changes require human approval (AWS shield)"
+      },
+      {
+        name: "shield:aws:block-ec2-terminate",
+        tool: "*",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "aws\\s+ec2\\s+terminate-instances",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+      },
+      {
+        name: "shield:aws:review-rds-delete",
+        tool: "*",
+        conditions: [
+          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "RDS deletion requires human approval (AWS shield)"
+      }
+    ],
+    dangerousWords: []
+  },
+  filesystem: {
+    name: "filesystem",
+    description: "Protects the local filesystem from dangerous AI operations",
+    aliases: ["fs"],
+    smartRules: [
+      {
+        name: "shield:filesystem:review-chmod-777",
+        tool: "bash",
+        conditions: [
+          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+        ],
+        verdict: "review",
+        reason: "chmod 777 requires human approval (filesystem shield)"
+      },
+      {
+        name: "shield:filesystem:review-write-etc",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            // Narrow to write-indicative operations to avoid approval fatigue on reads.
+            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
+            op: "matches",
+            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+          }
+        ],
+        verdict: "review",
+        reason: "Writing to /etc requires human approval (filesystem shield)"
+      }
+    ],
+    // dd removed: too common as a legitimate tool (disk imaging, file ops).
+    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
+    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
+    dangerousWords: ["wipefs"]
   }
-  if (typeof parsed === "object" && !Array.isArray(parsed)) {
-    const obj = parsed;
-    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? path2.basename(String(obj.file_path)) : "file";
-      const oldPreview = smartTruncate(String(obj.old_string), 120);
-      const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
-      return {
-        intent: "EDIT",
-        message: `\u{1F4DD} EDITING: ${file}
-\u{1F4C2} PATH: ${obj.file_path}
-
---- REPLACING ---
-${oldPreview}
-
-+++ NEW CODE +++
-${newPreview}`
-      };
-    }
-    if (matchedField && obj[matchedField] !== void 0) {
-      const otherKeys = Object.keys(obj).filter((k) => k !== matchedField);
-      const context = otherKeys.length > 0 ? `\u2699\uFE0F  Context: ${otherKeys.map((k) => `${k}=${smartTruncate(typeof obj[k] === "object" ? JSON.stringify(obj[k]) : String(obj[k]), 30)}`).join(", ")}
-
-` : "";
-      const content = extractContext(String(obj[matchedField]), matchedWord).snippet;
-      return {
-        intent: "EXEC",
-        message: `${context}\u{1F6D1} [${matchedField.toUpperCase()}]:
-${content}`
-      };
-    }
-    const codeKeys = [
-      "command",
-      "cmd",
-      "shell_command",
-      "bash_command",
-      "script",
-      "code",
-      "input",
-      "sql",
-      "query",
-      "arguments",
-      "args",
-      "param",
-      "params",
-      "text"
-    ];
-    const foundKey = Object.keys(obj).find((k) => codeKeys.includes(k.toLowerCase()));
-    if (foundKey) {
-      const val = obj[foundKey];
-      const str = typeof val === "string" ? val : JSON.stringify(val);
-      return {
-        intent: "EXEC",
-        message: `[${foundKey.toUpperCase()}]:
-${smartTruncate(str, 500)}`
-      };
-    }
-    const msg = Object.entries(obj).slice(0, 5).map(
-      ([k, v]) => `  ${k}: ${smartTruncate(typeof v === "string" ? v : JSON.stringify(v), 300)}`
-    ).join("\n");
-    return { intent: "EXEC", message: msg };
+};
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
   }
-  return { intent: "EXEC", message: smartTruncate(JSON.stringify(parsed), 200) };
-}
-function escapePango(text) {
-  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return null;
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
-  const lines = [];
-  if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
-  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
-  lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
-  lines.push("");
-  lines.push(formattedArgs);
-  if (!locked) {
-    lines.push("");
-    lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
-  }
-  return lines.join("\n");
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
-  const lines = [];
-  if (locked) {
-    lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
-    lines.push("");
-  }
-  lines.push(
-    `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
-  );
-  lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
-  lines.push("");
-  lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
-  if (!locked) {
-    lines.push("");
-    lines.push(
-      '<small>\u21B5 Enter = <b>Allow \u21B5</b>   |   \u238B Esc = <b>Block \u238B</b>   |   "Always Allow" = never ask again</small>'
-    );
-  }
-  return lines.join("\n");
+var SHIELDS_STATE_FILE = path2.join(os2.homedir(), ".node9", "shields.json");
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
-  if (isTestEnv()) return "deny";
-  const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
-  const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
-  const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
-  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
-  return new Promise((resolve) => {
-    let childProcess = null;
-    const onAbort = () => {
-      if (childProcess && childProcess.pid) {
-        try {
-          process.kill(childProcess.pid, "SIGKILL");
-        } catch {
-        }
-      }
-      resolve("deny");
-    };
-    if (signal) {
-      if (signal.aborted) return resolve("deny");
-      signal.addEventListener("abort", onAbort);
-    }
-    try {
-      if (process.platform === "darwin") {
-        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block \u238B", "Always Allow", "Allow \u21B5"} default button "Allow \u21B5" cancel button "Block \u238B"`;
-        const script = `on run argv
-tell application "System Events"
-activate
-display dialog (item 1 of argv) with title (item 2 of argv) ${buttons}
-end tell
-end run`;
-        childProcess = spawn("osascript", ["-e", script, "--", message, title]);
-      } else if (process.platform === "linux") {
-        const pangoMessage = buildPangoMessage(
-          toolName,
-          formattedArgs,
-          agent,
-          explainableLabel,
-          locked
+function validateOverrides(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        process.stderr.write(
+          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
+`
         );
-        const argsList = [
-          locked ? "--info" : "--question",
-          "--modal",
-          "--width=480",
-          "--title",
-          title,
-          "--text",
-          pangoMessage,
-          "--ok-label",
-          locked ? "Waiting..." : "Allow  \u21B5",
-          "--timeout",
-          "300"
-        ];
-        if (!locked) {
-          argsList.push("--cancel-label", "Block  \u238B");
-          argsList.push("--extra-button", "Always Allow");
-        }
-        childProcess = spawn("zenity", argsList);
-      } else if (process.platform === "win32") {
-        const b64Msg = Buffer.from(message).toString("base64");
-        const b64Title = Buffer.from(title).toString("base64");
-        const ps = `Add-Type -AssemblyName PresentationFramework; $msg = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${b64Msg}")); $title = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${b64Title}")); $res = [System.Windows.MessageBox]::Show($msg, $title, "${locked ? "OK" : "YesNo"}", "Warning", "Button2", "DefaultDesktopOnly"); if ($res -eq "Yes") { exit 0 } else { exit 1 }`;
-        childProcess = spawn("powershell", ["-Command", ps]);
       }
-      let output = "";
-      childProcess?.stdout?.on("data", (d) => output += d.toString());
-      childProcess?.on("close", (code) => {
-        if (signal) signal.removeEventListener("abort", onAbort);
-        if (locked) return resolve("deny");
-        if (output.includes("Always Allow")) return resolve("always_allow");
-        if (code === 0) return resolve("allow");
-        resolve("deny");
-      });
-    } catch {
-      resolve("deny");
-    }
-  });
-}
-
-// src/config-schema.ts
-import { z } from "zod";
-var noNewlines = z.string().refine((s) => !s.includes("\n") && !s.includes("\r"), {
-  message: "Value must not contain literal newline characters (use \\n instead)"
-});
-var SmartConditionSchema = z.object({
-  field: z.string().min(1, "Condition field must not be empty"),
-  op: z.enum(
-    [
-      "matches",
-      "notMatches",
-      "contains",
-      "notContains",
-      "exists",
-      "notExists",
-      "matchesGlob",
-      "notMatchesGlob"
-    ],
-    {
-      errorMap: () => ({
-        message: "op must be one of: matches, notMatches, contains, notContains, exists, notExists, matchesGlob, notMatchesGlob"
-      })
     }
-  ),
-  value: z.string().optional(),
-  flags: z.string().optional()
-}).refine(
-  (c) => {
-    if (c.op === "matchesGlob" || c.op === "notMatchesGlob") return c.value !== void 0;
-    return true;
-  },
-  { message: "matchesGlob and notMatchesGlob conditions require a value field" }
-);
-var SmartRuleSchema = z.object({
-  name: z.string().optional(),
-  tool: z.string().min(1, "Smart rule tool must not be empty"),
-  conditions: z.array(SmartConditionSchema).min(1, "Smart rule must have at least one condition"),
-  conditionMode: z.enum(["all", "any"]).optional(),
-  verdict: z.enum(["allow", "review", "block"], {
-    errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
-  }),
-  reason: z.string().optional()
-});
-var ConfigFileSchema = z.object({
-  version: z.string().optional(),
-  settings: z.object({
-    mode: z.enum(["standard", "strict", "audit"]).optional(),
-    autoStartDaemon: z.boolean().optional(),
-    enableUndo: z.boolean().optional(),
-    enableHookLogDebug: z.boolean().optional(),
-    approvalTimeoutMs: z.number().nonnegative().optional(),
-    approvalTimeoutSeconds: z.number().nonnegative().optional(),
-    flightRecorder: z.boolean().optional(),
-    approvers: z.object({
-      native: z.boolean().optional(),
-      browser: z.boolean().optional(),
-      cloud: z.boolean().optional(),
-      terminal: z.boolean().optional()
-    }).optional(),
-    environment: z.string().optional(),
-    slackEnabled: z.boolean().optional(),
-    enableTrustSessions: z.boolean().optional(),
-    allowGlobalPause: z.boolean().optional()
-  }).optional(),
-  policy: z.object({
-    sandboxPaths: z.array(z.string()).optional(),
-    dangerousWords: z.array(noNewlines).optional(),
-    ignoredTools: z.array(z.string()).optional(),
-    toolInspection: z.record(z.string()).optional(),
-    smartRules: z.array(SmartRuleSchema).optional(),
-    snapshot: z.object({
-      tools: z.array(z.string()).optional(),
-      onlyPaths: z.array(z.string()).optional(),
-      ignorePaths: z.array(z.string()).optional()
-    }).optional(),
-    dlp: z.object({
-      enabled: z.boolean().optional(),
-      scanIgnoredTools: z.boolean().optional()
-    }).optional()
-  }).optional(),
-  environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
-}).strict({ message: "Config contains unknown top-level keys" });
-function sanitizeConfig(raw) {
-  const result = ConfigFileSchema.safeParse(raw);
-  if (result.success) {
-    return { sanitized: result.data, error: null };
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
   }
-  const invalidTopLevelKeys = new Set(
-    result.error.issues.filter((issue) => issue.path.length > 0).map((issue) => String(issue.path[0]))
-  );
-  const sanitized = {};
-  if (typeof raw === "object" && raw !== null) {
-    for (const [key, value] of Object.entries(raw)) {
-      if (!invalidTopLevelKeys.has(key)) {
-        sanitized[key] = value;
-      }
+  return result;
+}
+function readShieldsFile() {
+  try {
+    const raw = fs2.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return { active: [] };
+    const parsed = JSON.parse(raw);
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    return { active, overrides: validateOverrides(parsed.overrides) };
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
     }
+    return { active: [] };
   }
-  const lines = result.error.issues.map((issue) => {
-    const path6 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path6}: ${issue.message}`;
-  });
-  return {
-    sanitized,
-    error: `Invalid config:
-${lines.join("\n")}`
-  };
+}
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
 }
 
-// src/shields.ts
-import fs from "fs";
-import path3 from "path";
-import os from "os";
-var SHIELDS = {
-  postgres: {
-    name: "postgres",
-    description: "Protects PostgreSQL databases from destructive AI operations",
-    aliases: ["pg", "postgresql"],
-    smartRules: [
-      {
-        name: "shield:postgres:block-drop-table",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:block-truncate",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
-      },
+// src/config/index.ts
+var DANGEROUS_WORDS = [
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
+];
+var DEFAULT_CONFIG = {
+  version: "1.0",
+  settings: {
+    mode: "audit",
+    autoStartDaemon: true,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
+    enableHookLogDebug: true,
+    approvalTimeoutMs: 12e4,
+    // 120-second auto-deny timeout
+    flightRecorder: true,
+    approvers: { native: true, browser: true, cloud: false, terminal: true }
+  },
+  policy: {
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
+    dangerousWords: DANGEROUS_WORDS,
+    ignoredTools: [
+      "list_*",
+      "get_*",
+      "read_*",
+      "describe_*",
+      "read",
+      "glob",
+      "grep",
+      "ls",
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
+    ],
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    snapshot: {
+      tools: [
+        "str_replace_based_edit_tool",
+        "write_file",
+        "edit_file",
+        "create_file",
+        "edit",
+        "replace"
+      ],
+      onlyPaths: [],
+      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
+    },
+    smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
       {
-        name: "shield:postgres:block-drop-column",
-        tool: "*",
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
         conditions: [
-          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
         ],
         verdict: "block",
-        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+        reason: "Recursive delete of home directory is irreversible"
       },
+      // ── SQL safety ────────────────────────────────────────────────────────
       {
-        name: "shield:postgres:review-grant-revoke",
+        name: "no-delete-without-where",
         tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
         verdict: "review",
-        reason: "Permission changes require human approval (Postgres shield)"
-      }
-    ],
-    dangerousWords: ["dropdb", "pg_dropcluster"]
-  },
-  github: {
-    name: "github",
-    description: "Protects GitHub repositories from destructive AI operations",
-    aliases: ["git"],
-    smartRules: [
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+      },
       {
-        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
-        // This rule adds coverage for `git push --delete` which the built-in does not match.
-        name: "shield:github:review-delete-branch-remote",
+        name: "review-drop-truncate-shell",
         tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "git\\s+push\\s+.*--delete",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
             flags: "i"
           }
         ],
+        conditionMode: "all",
         verdict: "review",
-        reason: "Remote branch deletion requires human approval (GitHub shield)"
+        reason: "SQL DDL destructive statement inside a shell command"
       },
+      // ── Git safety ────────────────────────────────────────────────────────
       {
-        name: "shield:github:block-delete-repo",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
-        ],
-        verdict: "block",
-        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
-      }
-    ],
-    dangerousWords: []
-  },
-  aws: {
-    name: "aws",
-    description: "Protects AWS infrastructure from destructive AI operations",
-    aliases: ["amazon"],
-    smartRules: [
-      {
-        name: "shield:aws:block-delete-s3-bucket",
-        tool: "*",
+        name: "block-force-push",
+        tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+            value: "^\\s*git\\b.*\\bpush\\b.*(--force|--force-with-lease|-f\\b)",
             flags: "i"
           }
         ],
+        conditionMode: "all",
         verdict: "block",
-        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+        reason: "Force push overwrites remote history and cannot be undone"
       },
       {
-        name: "shield:aws:review-iam-changes",
-        tool: "*",
+        name: "review-git-push",
+        tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+            value: "^\\s*git\\b.*\\bpush\\b(?!.*(-f\\b|--force|--force-with-lease))",
             flags: "i"
           }
         ],
+        conditionMode: "all",
         verdict: "review",
-        reason: "IAM changes require human approval (AWS shield)"
+        reason: "git push sends changes to a shared remote"
       },
       {
-        name: "shield:aws:block-ec2-terminate",
-        tool: "*",
+        name: "review-git-destructive",
+        tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "aws\\s+ec2\\s+terminate-instances",
+            value: "^\\s*git\\b.*(reset\\s+--hard|clean\\s+-[fdxX]|\\brebase\\b|tag\\s+-d|branch\\s+-[dD])",
             flags: "i"
           }
         ],
-        verdict: "block",
-        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
-      },
-      {
-        name: "shield:aws:review-rds-delete",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
-        ],
+        conditionMode: "all",
         verdict: "review",
-        reason: "RDS deletion requires human approval (AWS shield)"
-      }
-    ],
-    dangerousWords: []
-  },
-  filesystem: {
-    name: "filesystem",
-    description: "Protects the local filesystem from dangerous AI operations",
-    aliases: ["fs"],
-    smartRules: [
+        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
       {
-        name: "shield:filesystem:review-chmod-777",
+        name: "review-sudo",
         tool: "bash",
-        conditions: [
-          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
-        ],
+        conditions: [{ field: "command", op: "matches", value: "^\\s*sudo\\s", flags: "i" }],
+        conditionMode: "all",
         verdict: "review",
-        reason: "chmod 777 requires human approval (filesystem shield)"
+        reason: "Command requires elevated privileges"
       },
       {
-        name: "shield:filesystem:review-write-etc",
+        name: "review-curl-pipe-shell",
         tool: "bash",
         conditions: [
           {
             field: "command",
-            // Narrow to write-indicative operations to avoid approval fatigue on reads.
-            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
             op: "matches",
-            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
           }
         ],
-        verdict: "review",
-        reason: "Writing to /etc requires human approval (filesystem shield)"
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector"
       }
     ],
-    // dd removed: too common as a legitimate tool (disk imaging, file ops).
-    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
-    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
-    dangerousWords: ["wipefs"]
-  }
+    dlp: { enabled: true, scanIgnoredTools: true }
+  },
+  environments: {}
 };
-function resolveShieldName(input) {
-  const lower = input.toLowerCase();
-  if (SHIELDS[lower]) return lower;
-  for (const [name, def] of Object.entries(SHIELDS)) {
-    if (def.aliases.includes(lower)) return name;
-  }
-  return null;
-}
-function getShield(name) {
-  const resolved = resolveShieldName(name);
-  return resolved ? SHIELDS[resolved] : null;
-}
-var SHIELDS_STATE_FILE = path3.join(os.homedir(), ".node9", "shields.json");
-function isShieldVerdict(v) {
-  return v === "allow" || v === "review" || v === "block";
-}
-function validateOverrides(raw) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
-  const result = {};
-  for (const [shieldName, rules] of Object.entries(raw)) {
-    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
-    const validRules = {};
-    for (const [ruleName, verdict] of Object.entries(rules)) {
-      if (isShieldVerdict(verdict)) {
-        validRules[ruleName] = verdict;
-      } else {
-        process.stderr.write(
-          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
-`
-        );
+var ADVISORY_SMART_RULES = [
+  // ── rm safety ─────────────────────────────────────────────────────────────
+  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
       }
-    }
-    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
-  }
-  return result;
-}
-function readShieldsFile() {
-  try {
-    const raw = fs.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return { active: [] };
-    const parsed = JSON.parse(raw);
-    const active = Array.isArray(parsed.active) ? parsed.active.filter(
-      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-    ) : [];
-    return { active, overrides: validateOverrides(parsed.overrides) };
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
-`);
-    }
-    return { active: [] };
-  }
-}
-function readActiveShields() {
-  return readShieldsFile().active;
-}
-function readShieldOverrides() {
-  return readShieldsFile().overrides ?? {};
-}
-
-// src/dlp.ts
-import fs2 from "fs";
-import path4 from "path";
-var DLP_PATTERNS = [
-  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
-  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
-  // Slack bot tokens: xoxb- + variable segment. Real tokens are ~50–80 chars;
-  // lower bound 20 avoids false negatives on partial tokens, upper 100 caps scan cost.
-  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/, severity: "block" },
-  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
-  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
   {
-    name: "Private Key (PEM)",
-    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
-    severity: "block"
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path"
   },
-  // GCP service account JSON (detects the type field that uniquely identifies it)
+  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+  // without a shield, users still get a human-approval gate on every destructive op.
   {
-    name: "GCP Service Account",
-    regex: /"type"\s*:\s*"service_account"/,
-    severity: "block"
+    name: "review-drop-table-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
   },
-  // NPM auth token in .npmrc format
   {
-    name: "NPM Auth Token",
-    regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
-    severity: "block"
+    name: "review-truncate-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
   },
-  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
-];
-var SENSITIVE_PATH_PATTERNS = [
-  /[/\\]\.ssh[/\\]/i,
-  /[/\\]\.aws[/\\]/i,
-  /[/\\]\.config[/\\]gcloud[/\\]/i,
-  /[/\\]\.azure[/\\]/i,
-  /[/\\]\.kube[/\\]config$/i,
-  /[/\\]\.env($|\.)/i,
-  // .env, .env.local, .env.production — not .envoy
-  /[/\\]\.git-credentials$/i,
-  /[/\\]\.npmrc$/i,
-  /[/\\]\.docker[/\\]config\.json$/i,
-  /[/\\][^/\\]+\.pem$/i,
-  /[/\\][^/\\]+\.key$/i,
-  /[/\\][^/\\]+\.p12$/i,
-  /[/\\][^/\\]+\.pfx$/i,
-  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
-  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
-  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
-  /[/\\]credentials\.json$/i,
-  /[/\\]id_rsa$/i,
-  /[/\\]id_ed25519$/i,
-  /[/\\]id_ecdsa$/i
+  {
+    name: "review-drop-column-sql",
+    tool: "*",
+    conditions: [
+      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+    ],
+    verdict: "review",
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
+  }
 ];
-function scanFilePath(filePath, cwd = process.cwd()) {
-  if (!filePath) return null;
-  let resolved;
-  try {
-    const absolute = path4.resolve(cwd, filePath);
-    resolved = fs2.realpathSync.native(absolute);
-  } catch (err) {
-    const code = err.code;
-    if (code === "ENOENT" || code === "ENOTDIR") {
-      resolved = path4.resolve(cwd, filePath);
-    } else {
-      return {
-        patternName: "Sensitive File Path",
-        fieldPath: "file_path",
-        redactedSample: filePath,
-        severity: "block"
-      };
-    }
+var cachedConfig = null;
+function getCredentials() {
+  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
+  if (process.env.NODE9_API_KEY) {
+    return {
+      apiKey: process.env.NODE9_API_KEY,
+      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
+    };
   }
-  const normalised = resolved.replace(/\\/g, "/");
-  for (const pattern of SENSITIVE_PATH_PATTERNS) {
-    if (pattern.test(normalised)) {
-      return {
-        patternName: "Sensitive File Path",
-        fieldPath: "file_path",
-        redactedSample: filePath,
-        // show original path in alert, not resolved
-        severity: "block"
-      };
+  try {
+    const credPath = path3.join(os3.homedir(), ".node9", "credentials.json");
+    if (fs3.existsSync(credPath)) {
+      const creds = JSON.parse(fs3.readFileSync(credPath, "utf-8"));
+      const profileName = process.env.NODE9_PROFILE || "default";
+      const profile = creds[profileName];
+      if (profile?.apiKey) {
+        return {
+          apiKey: profile.apiKey,
+          apiUrl: profile.apiUrl || DEFAULT_API_URL
+        };
+      }
+      if (creds.apiKey) {
+        return {
+          apiKey: creds.apiKey,
+          apiUrl: creds.apiUrl || DEFAULT_API_URL
+        };
+      }
     }
+  } catch {
   }
   return null;
 }
-function maskSecret(raw, pattern) {
-  const match = raw.match(pattern);
-  if (!match) return "****";
-  const secret = match[0];
-  if (secret.length < 8) return "****";
-  const prefix = secret.slice(0, 4);
-  const suffix = secret.slice(-4);
-  const stars = "*".repeat(Math.min(secret.length - 8, 12));
-  return `${prefix}${stars}${suffix}`;
+function getActiveEnvironment(config) {
+  const env = config.settings.environment || process.env.NODE_ENV || "development";
+  return config.environments[env] ?? null;
 }
-var MAX_DEPTH = 5;
-var MAX_STRING_BYTES = 1e5;
-var MAX_JSON_PARSE_BYTES = 1e4;
-function scanArgs(args, depth = 0, fieldPath = "args") {
-  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
-  if (Array.isArray(args)) {
-    for (let i = 0; i < args.length; i++) {
-      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
-      if (match) return match;
+function getConfig(cwd) {
+  if (!cwd && cachedConfig) return cachedConfig;
+  const globalPath = path3.join(os3.homedir(), ".node9", "config.json");
+  const projectPath = path3.join(cwd ?? process.cwd(), "node9.config.json");
+  const globalConfig = tryLoadConfig(globalPath);
+  const projectConfig = tryLoadConfig(projectPath);
+  const mergedSettings = {
+    ...DEFAULT_CONFIG.settings,
+    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+  };
+  const mergedPolicy = {
+    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
+    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
+    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
+    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
+    snapshot: {
+      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
+      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
+      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp }
+  };
+  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
+  const applyLayer = (source) => {
+    if (!source) return;
+    const s = source.settings || {};
+    const p = source.policy || {};
+    if (s.mode !== void 0) mergedSettings.mode = s.mode;
+    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
+    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
+    if (s.enableHookLogDebug !== void 0)
+      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
+    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
+    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
+      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
+    if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
+    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
+    if (p.toolInspection)
+      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
+    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
+    if (p.snapshot) {
+      const s2 = p.snapshot;
+      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
+      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
+      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
-    return null;
-  }
-  if (typeof args === "object") {
-    for (const [key, value] of Object.entries(args)) {
-      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
-      if (match) return match;
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
-    return null;
-  }
-  if (typeof args === "string") {
-    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
-    for (const pattern of DLP_PATTERNS) {
-      if (pattern.regex.test(text)) {
-        return {
-          patternName: pattern.name,
-          fieldPath,
-          redactedSample: maskSecret(text, pattern.regex),
-          severity: pattern.severity
+    const envs = source.environments || {};
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === "object") {
+        const ec = envConfig;
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          // Validate field types before merging — do not blindly spread user input
+          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
         };
       }
     }
-    if (text.length < MAX_JSON_PARSE_BYTES) {
-      const trimmed = text.trim();
-      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
-        try {
-          const parsed = JSON.parse(text);
-          const inner = scanArgs(parsed, depth + 1, fieldPath);
-          if (inner) return inner;
-        } catch {
-        }
+  };
+  applyLayer(globalConfig);
+  applyLayer(projectConfig);
+  const shieldOverrides = readShieldOverrides();
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
       }
     }
+    const existingWords = new Set(mergedPolicy.dangerousWords);
+    for (const word of shield.dangerousWords) {
+      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
+    }
   }
-  return null;
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
+  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
+  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
+  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
+  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
+  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
+  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
+  const result = {
+    settings: mergedSettings,
+    policy: mergedPolicy,
+    environments: mergedEnvironments
+  };
+  if (!cwd) cachedConfig = result;
+  return result;
 }
-
-// src/core.ts
-var PAUSED_FILE = path5.join(os2.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path5.join(os2.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path5.join(os2.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path5.join(os2.homedir(), ".node9", "hook-debug.log");
-function checkPause() {
+function tryLoadConfig(filePath) {
+  if (!fs3.existsSync(filePath)) return null;
+  let raw;
   try {
-    if (!fs3.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs3.readFileSync(PAUSED_FILE, "utf-8"));
-    if (state.expiry > 0 && Date.now() >= state.expiry) {
-      try {
-        fs3.unlinkSync(PAUSED_FILE);
-      } catch {
-      }
-      return { paused: false };
+    raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+
+`
+    );
+    return null;
+  }
+  const SUPPORTED_VERSION = "1.0";
+  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
+  const fileVersion = raw?.version;
+  if (fileVersion !== void 0) {
+    const vStr = String(fileVersion);
+    const fileMajor = vStr.split(".")[0];
+    if (fileMajor !== SUPPORTED_MAJOR) {
+      process.stderr.write(
+        `
+\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
+
+`
+      );
+      return null;
+    } else if (vStr !== SUPPORTED_VERSION) {
+      process.stderr.write(
+        `
+\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
+
+`
+      );
     }
-    return { paused: true, expiresAt: state.expiry, duration: state.duration };
-  } catch {
-    return { paused: false };
   }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+
+`
+    );
+  }
+  return sanitized;
 }
-function atomicWriteSync(filePath, data, options) {
-  const dir = path5.dirname(filePath);
-  if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${os2.hostname()}.${process.pid}.tmp`;
-  fs3.writeFileSync(tmpPath, data, options);
-  fs3.renameSync(tmpPath, filePath);
-}
+
+// src/utils/regex.ts
+import safeRegex from "safe-regex2";
 var MAX_REGEX_LENGTH = 100;
 var REGEX_CACHE_MAX = 500;
 var regexCache = /* @__PURE__ */ new Map();
@@ -867,88 +884,170 @@ function getCompiledRegex(pattern, flags = "") {
     return null;
   }
 }
-function getActiveTrustSession(toolName) {
-  try {
-    if (!fs3.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs3.readFileSync(TRUST_FILE, "utf-8"));
-    const now = Date.now();
-    const active = trust.entries.filter((e) => e.expiry > now);
-    if (active.length !== trust.entries.length) {
-      fs3.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
-    }
-    return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
-  } catch {
-    return false;
-  }
-}
-function writeTrustSession(toolName, durationMs) {
+
+// src/policy/index.ts
+import pm from "picomatch";
+import { parse } from "sh-syntax";
+
+// src/dlp.ts
+import fs4 from "fs";
+import path4 from "path";
+var DLP_PATTERNS = [
+  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
+  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
+  // Slack bot tokens: xoxb- + variable segment. Real tokens are ~50–80 chars;
+  // lower bound 20 avoids false negatives on partial tokens, upper 100 caps scan cost.
+  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/, severity: "block" },
+  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
+  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+  {
+    name: "Private Key (PEM)",
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    severity: "block"
+  },
+  // GCP service account JSON (detects the type field that uniquely identifies it)
+  {
+    name: "GCP Service Account",
+    regex: /"type"\s*:\s*"service_account"/,
+    severity: "block"
+  },
+  // NPM auth token in .npmrc format
+  {
+    name: "NPM Auth Token",
+    regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
+    severity: "block"
+  },
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+];
+var SENSITIVE_PATH_PATTERNS = [
+  /[/\\]\.ssh[/\\]/i,
+  /[/\\]\.aws[/\\]/i,
+  /[/\\]\.config[/\\]gcloud[/\\]/i,
+  /[/\\]\.azure[/\\]/i,
+  /[/\\]\.kube[/\\]config$/i,
+  /[/\\]\.env($|\.)/i,
+  // .env, .env.local, .env.production — not .envoy
+  /[/\\]\.git-credentials$/i,
+  /[/\\]\.npmrc$/i,
+  /[/\\]\.docker[/\\]config\.json$/i,
+  /[/\\][^/\\]+\.pem$/i,
+  /[/\\][^/\\]+\.key$/i,
+  /[/\\][^/\\]+\.p12$/i,
+  /[/\\][^/\\]+\.pfx$/i,
+  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
+  /[/\\]credentials\.json$/i,
+  /[/\\]id_rsa$/i,
+  /[/\\]id_ed25519$/i,
+  /[/\\]id_ecdsa$/i
+];
+function scanFilePath(filePath, cwd = process.cwd()) {
+  if (!filePath) return null;
+  let resolved;
   try {
-    let trust = { entries: [] };
-    try {
-      if (fs3.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs3.readFileSync(TRUST_FILE, "utf-8"));
-      }
-    } catch {
-    }
-    const now = Date.now();
-    trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > now);
-    trust.entries.push({ tool: toolName, expiry: now + durationMs });
-    atomicWriteSync(TRUST_FILE, JSON.stringify(trust, null, 2));
+    const absolute = path4.resolve(cwd, filePath);
+    resolved = fs4.realpathSync.native(absolute);
   } catch (err) {
-    if (process.env.NODE9_DEBUG === "1") {
-      console.error("[Node9 Trust Error]:", err);
+    const code = err.code;
+    if (code === "ENOENT" || code === "ENOTDIR") {
+      resolved = path4.resolve(cwd, filePath);
+    } else {
+      return {
+        patternName: "Sensitive File Path",
+        fieldPath: "file_path",
+        redactedSample: filePath,
+        severity: "block"
+      };
     }
   }
-}
-function appendToLog(logPath, entry) {
-  try {
-    const dir = path5.dirname(logPath);
-    if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
-    fs3.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-  } catch {
+  const normalised = resolved.replace(/\\/g, "/");
+  for (const pattern of SENSITIVE_PATH_PATTERNS) {
+    if (pattern.test(normalised)) {
+      return {
+        patternName: "Sensitive File Path",
+        fieldPath: "file_path",
+        redactedSample: filePath,
+        // show original path in alert, not resolved
+        severity: "block"
+      };
+    }
   }
+  return null;
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
-  appendToLog(HOOK_DEBUG_LOG, {
-    ts: (/* @__PURE__ */ new Date()).toISOString(),
-    tool: toolName,
-    args: safeArgs,
-    agent: meta?.agent,
-    mcpServer: meta?.mcpServer,
-    hostname: os2.hostname(),
-    cwd: process.cwd()
-  });
-}
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
-  appendToLog(LOCAL_AUDIT_LOG, {
-    ts: (/* @__PURE__ */ new Date()).toISOString(),
-    tool: toolName,
-    args: safeArgs,
-    decision,
-    checkedBy,
-    agent: meta?.agent,
-    mcpServer: meta?.mcpServer,
-    hostname: os2.hostname()
-  });
-}
-function tokenize(toolName) {
-  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
+function maskSecret(raw, pattern) {
+  const match = raw.match(pattern);
+  if (!match) return "****";
+  const secret = match[0];
+  if (secret.length < 8) return "****";
+  const prefix = secret.slice(0, 4);
+  const suffix = secret.slice(-4);
+  const stars = "*".repeat(Math.min(secret.length - 8, 12));
+  return `${prefix}${stars}${suffix}`;
 }
-function matchesPattern(text, patterns) {
-  const p = Array.isArray(patterns) ? patterns : [patterns];
-  if (p.length === 0) return false;
-  const isMatch = pm(p, { nocase: true, dot: true });
-  const target = text.toLowerCase();
+var MAX_DEPTH = 5;
+var MAX_STRING_BYTES = 1e5;
+var MAX_JSON_PARSE_BYTES = 1e4;
+function scanArgs(args, depth = 0, fieldPath = "args") {
+  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
+  if (Array.isArray(args)) {
+    for (let i = 0; i < args.length; i++) {
+      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "object") {
+    for (const [key, value] of Object.entries(args)) {
+      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "string") {
+    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    for (const pattern of DLP_PATTERNS) {
+      if (pattern.regex.test(text)) {
+        return {
+          patternName: pattern.name,
+          fieldPath,
+          redactedSample: maskSecret(text, pattern.regex),
+          severity: pattern.severity
+        };
+      }
+    }
+    if (text.length < MAX_JSON_PARSE_BYTES) {
+      const trimmed = text.trim();
+      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        try {
+          const parsed = JSON.parse(text);
+          const inner = scanArgs(parsed, depth + 1, fieldPath);
+          if (inner) return inner;
+        } catch {
+        }
+      }
+    }
+  }
+  return null;
+}
+
+// src/policy/index.ts
+function tokenize(toolName) {
+  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
+}
+function matchesPattern(text, patterns) {
+  const p = Array.isArray(patterns) ? patterns : [patterns];
+  if (p.length === 0) return false;
+  const isMatch = pm(p, { nocase: true, dot: true });
+  const target = text.toLowerCase();
   const directMatch = isMatch(target);
   if (directMatch) return true;
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path6) {
+function getNestedValue(obj, path10) {
   if (!obj || typeof obj !== "object") return null;
-  return path6.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path10.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1072,494 +1171,727 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
-function redactSecrets(text) {
-  if (!text) return text;
-  let redacted = text;
-  redacted = redacted.replace(
-    /(authorization:\s*(?:bearer|basic)\s+)[a-zA-Z0-9._\-\/\\=]+/gi,
-    "$1********"
-  );
-  redacted = redacted.replace(
-    /(api[_-]?key|secret|password|token)([:=]\s*['"]?)[a-zA-Z0-9._\-]{8,}/gi,
-    "$1$2********"
+async function evaluatePolicy(toolName, args, agent) {
+  const config = getConfig();
+  if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool
+      };
+    }
+  }
+  let allTokens = [];
+  let pathTokens = [];
+  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
+  if (shellCommand) {
+    const analyzed = await analyzeShellCommand(shellCommand);
+    allTokens = analyzed.allTokens;
+    pathTokens = analyzed.paths;
+    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
+    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
+      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
+    }
+    if (isSqlTool(toolName, config.policy.toolInspection)) {
+      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    }
+  } else {
+    allTokens = tokenize(toolName);
+    if (args && typeof args === "object") {
+      const flattenedArgs = JSON.stringify(args).toLowerCase();
+      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
+      allTokens.push(...extraTokens);
+    }
+  }
+  const isManual = agent === "Terminal";
+  if (isManual) {
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
+    }
+    return { decision: "allow" };
+  }
+  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
+    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
+    if (allInSandbox) return { decision: "allow" };
+  }
+  let matchedDangerousWord;
+  const isDangerous = allTokens.some(
+    (token) => config.policy.dangerousWords.some((word) => {
+      const w = word.toLowerCase();
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
+    })
   );
-  return redacted;
-}
-var DANGEROUS_WORDS = [
-  "mkfs",
-  // formats/wipes a filesystem partition
-  "shred"
-  // permanently overwrites file contents (unrecoverable)
-];
-var DEFAULT_CONFIG = {
-  version: "1.0",
-  settings: {
-    mode: "audit",
-    autoStartDaemon: true,
-    enableUndo: true,
-    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-    enableHookLogDebug: true,
-    approvalTimeoutMs: 12e4,
-    // 120-second auto-deny timeout
-    flightRecorder: true,
-    approvers: { native: true, browser: true, cloud: false, terminal: true }
-  },
-  policy: {
-    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
-    dangerousWords: DANGEROUS_WORDS,
-    ignoredTools: [
-      "list_*",
-      "get_*",
-      "read_*",
-      "describe_*",
-      "read",
-      "glob",
-      "grep",
-      "ls",
-      "notebookread",
-      "notebookedit",
-      "webfetch",
-      "websearch",
-      "exitplanmode",
-      "askuserquestion",
-      "agent",
-      "task*",
-      "toolsearch",
-      "mcp__ide__*",
-      "getDiagnostics"
-    ],
-    toolInspection: {
-      bash: "command",
-      shell: "command",
-      run_shell_command: "command",
-      "terminal.execute": "command",
-      "postgres:query": "sql"
-    },
-    snapshot: {
-      tools: [
-        "str_replace_based_edit_tool",
-        "write_file",
-        "edit_file",
-        "create_file",
-        "edit",
-        "replace"
-      ],
-      onlyPaths: [],
-      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
-    },
-    smartRules: [
-      // ── rm safety (critical — always evaluated first) ──────────────────────
-      {
-        name: "block-rm-rf-home",
-        tool: "bash",
-        conditionMode: "all",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
-          },
-          {
-            field: "command",
-            op: "matches",
-            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
-          }
-        ],
-        verdict: "block",
-        reason: "Recursive delete of home directory is irreversible"
-      },
-      // ── SQL safety ────────────────────────────────────────────────────────
-      {
-        name: "no-delete-without-where",
-        tool: "*",
-        conditions: [
-          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
-          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
-      },
-      {
-        name: "review-drop-truncate-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
-            flags: "i"
+  if (isDangerous) {
+    let matchedField;
+    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
+      const obj = args;
+      for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === "string") {
+          try {
+            if (new RegExp(
+              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
+              "i"
+            ).test(value)) {
+              matchedField = key;
+              break;
+            }
+          } catch {
           }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "SQL DDL destructive statement inside a shell command"
-      },
-      // ── Git safety ────────────────────────────────────────────────────────
-      {
-        name: "block-force-push",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "^\\s*git\\b.*\\bpush\\b.*(--force|--force-with-lease|-f\\b)",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "block",
-        reason: "Force push overwrites remote history and cannot be undone"
-      },
-      {
-        name: "review-git-push",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "^\\s*git\\b.*\\bpush\\b(?!.*(-f\\b|--force|--force-with-lease))",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "git push sends changes to a shared remote"
-      },
-      {
-        name: "review-git-destructive",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "^\\s*git\\b.*(reset\\s+--hard|clean\\s+-[fdxX]|\\brebase\\b|tag\\s+-d|branch\\s+-[dD])",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Destructive git operation \u2014 discards history or working-tree changes"
-      },
-      // ── Shell safety ──────────────────────────────────────────────────────
-      {
-        name: "review-sudo",
-        tool: "bash",
-        conditions: [{ field: "command", op: "matches", value: "^\\s*sudo\\s", flags: "i" }],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Command requires elevated privileges"
-      },
-      {
-        name: "review-curl-pipe-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "block",
-        reason: "Piping remote script into a shell is a supply-chain attack vector"
+        }
       }
-    ],
-    dlp: { enabled: true, scanIgnoredTools: true }
-  },
-  environments: {}
-};
-var ADVISORY_SMART_RULES = [
-  // ── rm safety ─────────────────────────────────────────────────────────────
-  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
-  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
-  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
-  {
-    name: "allow-rm-safe-paths",
-    tool: "*",
-    conditionMode: "all",
-    conditions: [
-      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
-      {
-        field: "command",
-        op: "matches",
-        // Matches known-safe build artifact paths in the command.
-        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
+    }
+    return {
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
+      matchedWord: matchedDangerousWord,
+      matchedField,
+      tier: 6
+    };
+  }
+  if (config.settings.mode === "strict") {
+    const envConfig = getActiveEnvironment(config);
+    if (envConfig?.requireApproval === false) return { decision: "allow" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
+  }
+  return { decision: "allow" };
+}
+function isIgnoredTool(toolName) {
+  const config = getConfig();
+  return matchesPattern(toolName, config.policy.ignoredTools);
+}
+
+// src/auth/state.ts
+import fs5 from "fs";
+import path5 from "path";
+import os4 from "os";
+var PAUSED_FILE = path5.join(os4.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path5.join(os4.homedir(), ".node9", "trust.json");
+function checkPause() {
+  try {
+    if (!fs5.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs5.readFileSync(PAUSED_FILE, "utf-8"));
+    if (state.expiry > 0 && Date.now() >= state.expiry) {
+      try {
+        fs5.unlinkSync(PAUSED_FILE);
+      } catch {
       }
-    ],
-    verdict: "allow",
-    reason: "Deleting a known-safe build artifact path"
-  },
-  {
-    name: "review-rm",
-    tool: "*",
-    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
-    verdict: "review",
-    reason: "rm can permanently delete files \u2014 confirm the target path"
-  },
-  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
-  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
-  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
-  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
-  // without a shield, users still get a human-approval gate on every destructive op.
-  {
-    name: "review-drop-table-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
-  },
-  {
-    name: "review-truncate-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
-  },
-  {
-    name: "review-drop-column-sql",
-    tool: "*",
-    conditions: [
-      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-    ],
-    verdict: "review",
-    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
+      return { paused: false };
+    }
+    return { paused: true, expiresAt: state.expiry, duration: state.duration };
+  } catch {
+    return { paused: false };
+  }
+}
+function atomicWriteSync(filePath, data, options) {
+  const dir = path5.dirname(filePath);
+  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${os4.hostname()}.${process.pid}.tmp`;
+  fs5.writeFileSync(tmpPath, data, options);
+  fs5.renameSync(tmpPath, filePath);
+}
+function getActiveTrustSession(toolName) {
+  try {
+    if (!fs5.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs5.readFileSync(TRUST_FILE, "utf-8"));
+    const now = Date.now();
+    const active = trust.entries.filter((e) => e.expiry > now);
+    if (active.length !== trust.entries.length) {
+      fs5.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+    }
+    return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
+  } catch {
+    return false;
+  }
+}
+function writeTrustSession(toolName, durationMs) {
+  try {
+    let trust = { entries: [] };
+    try {
+      if (fs5.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs5.readFileSync(TRUST_FILE, "utf-8"));
+      }
+    } catch {
+    }
+    const now = Date.now();
+    trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > now);
+    trust.entries.push({ tool: toolName, expiry: now + durationMs });
+    atomicWriteSync(TRUST_FILE, JSON.stringify(trust, null, 2));
+  } catch (err) {
+    if (process.env.NODE9_DEBUG === "1") {
+      console.error("[Node9 Trust Error]:", err);
+    }
+  }
+}
+function getPersistentDecision(toolName) {
+  try {
+    const file = path5.join(os4.homedir(), ".node9", "decisions.json");
+    if (!fs5.existsSync(file)) return null;
+    const decisions = JSON.parse(fs5.readFileSync(file, "utf-8"));
+    const d = decisions[toolName];
+    if (d === "allow" || d === "deny") return d;
+  } catch {
+  }
+  return null;
+}
+
+// src/auth/daemon.ts
+import fs6 from "fs";
+import path6 from "path";
+import os5 from "os";
+import { spawnSync } from "child_process";
+var DAEMON_PORT = 7391;
+var DAEMON_HOST = "127.0.0.1";
+function getInternalToken() {
+  try {
+    const pidFile = path6.join(os5.homedir(), ".node9", "daemon.pid");
+    if (!fs6.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs6.readFileSync(pidFile, "utf-8"));
+    process.kill(data.pid, 0);
+    return data.internalToken ?? null;
+  } catch {
+    return null;
+  }
+}
+function isDaemonRunning() {
+  const pidFile = path6.join(os5.homedir(), ".node9", "daemon.pid");
+  if (fs6.existsSync(pidFile)) {
+    try {
+      const { pid, port } = JSON.parse(fs6.readFileSync(pidFile, "utf-8"));
+      if (port !== DAEMON_PORT) return false;
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  try {
+    const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 500
+    });
+    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
+  } catch {
+    return false;
+  }
+}
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd) {
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), 5e3);
+  try {
+    const res = await fetch(`${base}/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        toolName,
+        args,
+        agent: meta?.agent,
+        mcpServer: meta?.mcpServer,
+        fromCLI: true,
+        // Pass the flight-recorder ID so the daemon uses the same UUID for
+        // activity-result as the CLI used for the pending activity event.
+        activityId,
+        ...riskMetadata && { riskMetadata },
+        ...cwd && { cwd }
+      }),
+      signal: ctrl.signal
+    });
+    if (!res.ok) throw new Error("Daemon fail");
+    const { id } = await res.json();
+    return id;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+async function waitForDaemonDecision(id, signal) {
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  const waitCtrl = new AbortController();
+  const waitTimer = setTimeout(() => waitCtrl.abort(), 12e4);
+  const onAbort = () => waitCtrl.abort();
+  if (signal) signal.addEventListener("abort", onAbort);
+  try {
+    const waitRes = await fetch(`${base}/wait/${id}`, { signal: waitCtrl.signal });
+    if (!waitRes.ok) return { decision: "deny" };
+    const { decision, source } = await waitRes.json();
+    if (decision === "allow") return { decision: "allow", source };
+    if (decision === "abandoned") return { decision: "abandoned", source };
+    return { decision: "deny", source };
+  } finally {
+    clearTimeout(waitTimer);
+    if (signal) signal.removeEventListener("abort", onAbort);
+  }
+}
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  const res = await fetch(`${base}/check`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      toolName,
+      args,
+      slackDelegated: true,
+      agent: meta?.agent,
+      mcpServer: meta?.mcpServer,
+      ...riskMetadata && { riskMetadata }
+    }),
+    signal: AbortSignal.timeout(3e3)
+  });
+  if (!res.ok) throw new Error("Daemon unreachable");
+  const { id } = await res.json();
+  return id;
+}
+async function resolveViaDaemon(id, decision, internalToken) {
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  await fetch(`${base}/resolve/${id}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "X-Node9-Internal": internalToken },
+    body: JSON.stringify({ decision }),
+    signal: AbortSignal.timeout(3e3)
+  });
+}
+
+// src/auth/orchestrator.ts
+import net from "net";
+import path9 from "path";
+import os7 from "os";
+import { randomUUID } from "crypto";
+
+// src/ui/native.ts
+import { spawn } from "child_process";
+import path8 from "path";
+
+// src/context-sniper.ts
+import path7 from "path";
+function smartTruncate(str, maxLen = 500) {
+  if (str.length <= maxLen) return str;
+  const edge = Math.floor(maxLen / 2) - 3;
+  return `${str.slice(0, edge)} ... ${str.slice(-edge)}`;
+}
+function extractContext(text, matchedWord) {
+  const lines = text.split("\n");
+  if (lines.length <= 7 || !matchedWord) {
+    return { snippet: smartTruncate(text, 500), lineIndex: -1 };
   }
+  const escaped = matchedWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const pattern = new RegExp(`\\b${escaped}\\b`, "i");
+  const allHits = lines.map((line, i) => ({ i, line })).filter(({ line }) => pattern.test(line));
+  if (allHits.length === 0) return { snippet: smartTruncate(text, 500), lineIndex: -1 };
+  const nonComment = allHits.find(({ line }) => {
+    const trimmed = line.trim();
+    return !trimmed.startsWith("//") && !trimmed.startsWith("#");
+  });
+  const hitIndex = (nonComment ?? allHits[0]).i;
+  const start = Math.max(0, hitIndex - 3);
+  const end = Math.min(lines.length, hitIndex + 4);
+  const lineIndex = hitIndex - start;
+  const snippet = lines.slice(start, end).map((line, i) => `${start + i === hitIndex ? "\u{1F6D1} " : "   "}${line}`).join("\n");
+  const head = start > 0 ? `... [${start} lines hidden] ...
+` : "";
+  const tail = end < lines.length ? `
+... [${lines.length - end} lines hidden] ...` : "";
+  return { snippet: `${head}${snippet}${tail}`, lineIndex };
+}
+var CODE_KEYS = [
+  "command",
+  "cmd",
+  "shell_command",
+  "bash_command",
+  "script",
+  "code",
+  "input",
+  "sql",
+  "query",
+  "arguments",
+  "args",
+  "param",
+  "params",
+  "text"
 ];
-var cachedConfig = null;
-function getInternalToken() {
-  try {
-    const pidFile = path5.join(os2.homedir(), ".node9", "daemon.pid");
-    if (!fs3.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs3.readFileSync(pidFile, "utf-8"));
-    process.kill(data.pid, 0);
-    return data.internalToken ?? null;
-  } catch {
-    return null;
+function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWord, ruleName) {
+  let intent = "EXEC";
+  let contextSnippet;
+  let contextLineIndex;
+  let editFileName;
+  let editFilePath;
+  let parsed = args;
+  if (typeof args === "string") {
+    const trimmed = args.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+      }
+    }
+  }
+  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      intent = "EDIT";
+      if (obj.file_path) {
+        editFilePath = String(obj.file_path);
+        editFileName = path7.basename(editFilePath);
+      }
+      const result = extractContext(String(obj.new_string), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else if (matchedField && obj[matchedField] !== void 0) {
+      const result = extractContext(String(obj[matchedField]), matchedWord);
+      contextSnippet = result.snippet;
+      if (result.lineIndex >= 0) contextLineIndex = result.lineIndex;
+    } else {
+      const foundKey = Object.keys(obj).find((k) => CODE_KEYS.includes(k.toLowerCase()));
+      if (foundKey) {
+        const val = obj[foundKey];
+        contextSnippet = smartTruncate(typeof val === "string" ? val : JSON.stringify(val), 500);
+      }
+    }
+  } else if (typeof parsed === "string") {
+    contextSnippet = smartTruncate(parsed, 500);
   }
+  return {
+    intent,
+    tier,
+    blockedByLabel,
+    ...matchedWord && { matchedWord },
+    ...matchedField && { matchedField },
+    ...contextSnippet !== void 0 && { contextSnippet },
+    ...contextLineIndex !== void 0 && { contextLineIndex },
+    ...editFileName && { editFileName },
+    ...editFilePath && { editFilePath },
+    ...ruleName && { ruleName }
+  };
 }
-async function evaluatePolicy(toolName, args, agent) {
-  const config = getConfig();
-  if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
-  if (config.policy.smartRules.length > 0) {
-    const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
-    );
-    if (matchedRule) {
-      if (matchedRule.verdict === "allow")
-        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
-      return {
-        decision: matchedRule.verdict,
-        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason,
-        tier: 2,
-        ruleName: matchedRule.name ?? matchedRule.tool
-      };
+
+// src/ui/native.ts
+var isTestEnv = () => {
+  return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
+};
+function formatArgs(args, matchedField, matchedWord) {
+  if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
+  let parsed = args;
+  if (typeof args === "string") {
+    const trimmed = args.trim();
+    if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+      try {
+        parsed = JSON.parse(trimmed);
+      } catch {
+        parsed = args;
+      }
+    } else {
+      return { message: smartTruncate(args, 600), intent: "EXEC" };
     }
   }
-  let allTokens = [];
-  let pathTokens = [];
-  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
-  if (shellCommand) {
-    const analyzed = await analyzeShellCommand(shellCommand);
-    allTokens = analyzed.allTokens;
-    pathTokens = analyzed.paths;
-    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
-    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
+  if (typeof parsed === "object" && !Array.isArray(parsed)) {
+    const obj = parsed;
+    if (obj.old_string !== void 0 && obj.new_string !== void 0) {
+      const file = obj.file_path ? path8.basename(String(obj.file_path)) : "file";
+      const oldPreview = smartTruncate(String(obj.old_string), 120);
+      const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
+      return {
+        intent: "EDIT",
+        message: `\u{1F4DD} EDITING: ${file}
+\u{1F4C2} PATH: ${obj.file_path}
+
+--- REPLACING ---
+${oldPreview}
+
++++ NEW CODE +++
+${newPreview}`
+      };
     }
-    if (isSqlTool(toolName, config.policy.toolInspection)) {
-      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    if (matchedField && obj[matchedField] !== void 0) {
+      const otherKeys = Object.keys(obj).filter((k) => k !== matchedField);
+      const context = otherKeys.length > 0 ? `\u2699\uFE0F  Context: ${otherKeys.map((k) => `${k}=${smartTruncate(typeof obj[k] === "object" ? JSON.stringify(obj[k]) : String(obj[k]), 30)}`).join(", ")}
+
+` : "";
+      const content = extractContext(String(obj[matchedField]), matchedWord).snippet;
+      return {
+        intent: "EXEC",
+        message: `${context}\u{1F6D1} [${matchedField.toUpperCase()}]:
+${content}`
+      };
     }
-  } else {
-    allTokens = tokenize(toolName);
-    if (args && typeof args === "object") {
-      const flattenedArgs = JSON.stringify(args).toLowerCase();
-      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
-      allTokens.push(...extraTokens);
+    const codeKeys = [
+      "command",
+      "cmd",
+      "shell_command",
+      "bash_command",
+      "script",
+      "code",
+      "input",
+      "sql",
+      "query",
+      "arguments",
+      "args",
+      "param",
+      "params",
+      "text"
+    ];
+    const foundKey = Object.keys(obj).find((k) => codeKeys.includes(k.toLowerCase()));
+    if (foundKey) {
+      const val = obj[foundKey];
+      const str = typeof val === "string" ? val : JSON.stringify(val);
+      return {
+        intent: "EXEC",
+        message: `[${foundKey.toUpperCase()}]:
+${smartTruncate(str, 500)}`
+      };
     }
+    const msg = Object.entries(obj).slice(0, 5).map(
+      ([k, v]) => `  ${k}: ${smartTruncate(typeof v === "string" ? v : JSON.stringify(v), 300)}`
+    ).join("\n");
+    return { intent: "EXEC", message: msg };
   }
-  const isManual = agent === "Terminal";
-  if (isManual) {
-    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
-    const hasSystemDisaster = allTokens.some(
-      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
-    );
-    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
-    if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
-    }
-    return { decision: "allow" };
+  return { intent: "EXEC", message: smartTruncate(JSON.stringify(parsed), 200) };
+}
+function escapePango(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
+  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  lines.push("");
+  lines.push(formattedArgs);
+  if (!locked) {
+    lines.push("");
+    lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
   }
-  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
-    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
-    if (allInSandbox) return { decision: "allow" };
+  return lines.join("\n");
+}
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) {
+    lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
+    lines.push("");
   }
-  let matchedDangerousWord;
-  const isDangerous = allTokens.some(
-    (token) => config.policy.dangerousWords.some((word) => {
-      const w = word.toLowerCase();
-      const hit = token === w || (() => {
+  lines.push(
+    `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
+  );
+  lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  lines.push("");
+  lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (!locked) {
+    lines.push("");
+    lines.push(
+      '<small>\u21B5 Enter = <b>Allow \u21B5</b>   |   \u238B Esc = <b>Block \u238B</b>   |   "Always Allow" = never ask again</small>'
+    );
+  }
+  return lines.join("\n");
+}
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
+  if (isTestEnv()) return "deny";
+  const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
+  const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
+  const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
+  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
+  return new Promise((resolve) => {
+    let childProcess = null;
+    const onAbort = () => {
+      if (childProcess && childProcess.pid) {
         try {
-          return new RegExp(`\\b${w}\\b`, "i").test(token);
+          process.kill(childProcess.pid, "SIGKILL");
         } catch {
-          return false;
-        }
-      })();
-      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
-      return hit;
-    })
-  );
-  if (isDangerous) {
-    let matchedField;
-    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
-      const obj = args;
-      for (const [key, value] of Object.entries(obj)) {
-        if (typeof value === "string") {
-          try {
-            if (new RegExp(
-              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
-              "i"
-            ).test(value)) {
-              matchedField = key;
-              break;
-            }
-          } catch {
-          }
         }
       }
-    }
-    return {
-      decision: "review",
-      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
-      matchedWord: matchedDangerousWord,
-      matchedField,
-      tier: 6
+      resolve("deny");
     };
-  }
-  if (config.settings.mode === "strict") {
-    const envConfig = getActiveEnvironment(config);
-    if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
-  }
-  return { decision: "allow" };
-}
-function isIgnoredTool(toolName) {
-  const config = getConfig();
-  return matchesPattern(toolName, config.policy.ignoredTools);
-}
-var DAEMON_PORT = 7391;
-var DAEMON_HOST = "127.0.0.1";
-function isDaemonRunning() {
-  const pidFile = path5.join(os2.homedir(), ".node9", "daemon.pid");
-  if (fs3.existsSync(pidFile)) {
+    if (signal) {
+      if (signal.aborted) return resolve("deny");
+      signal.addEventListener("abort", onAbort);
+    }
     try {
-      const { pid, port } = JSON.parse(fs3.readFileSync(pidFile, "utf-8"));
-      if (port !== DAEMON_PORT) return false;
-      process.kill(pid, 0);
-      return true;
+      if (process.platform === "darwin") {
+        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block \u238B", "Always Allow", "Allow \u21B5"} default button "Allow \u21B5" cancel button "Block \u238B"`;
+        const script = `on run argv
+tell application "System Events"
+activate
+display dialog (item 1 of argv) with title (item 2 of argv) ${buttons}
+end tell
+end run`;
+        childProcess = spawn("osascript", ["-e", script, "--", message, title]);
+      } else if (process.platform === "linux") {
+        const pangoMessage = buildPangoMessage(
+          toolName,
+          formattedArgs,
+          agent,
+          explainableLabel,
+          locked
+        );
+        const argsList = [
+          locked ? "--info" : "--question",
+          "--modal",
+          "--width=480",
+          "--title",
+          title,
+          "--text",
+          pangoMessage,
+          "--ok-label",
+          locked ? "Waiting..." : "Allow  \u21B5",
+          "--timeout",
+          "300"
+        ];
+        if (!locked) {
+          argsList.push("--cancel-label", "Block  \u238B");
+          argsList.push("--extra-button", "Always Allow");
+        }
+        childProcess = spawn("zenity", argsList);
+      } else if (process.platform === "win32") {
+        const b64Msg = Buffer.from(message).toString("base64");
+        const b64Title = Buffer.from(title).toString("base64");
+        const ps = `Add-Type -AssemblyName PresentationFramework; $msg = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${b64Msg}")); $title = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${b64Title}")); $res = [System.Windows.MessageBox]::Show($msg, $title, "${locked ? "OK" : "YesNo"}", "Warning", "Button2", "DefaultDesktopOnly"); if ($res -eq "Yes") { exit 0 } else { exit 1 }`;
+        childProcess = spawn("powershell", ["-Command", ps]);
+      }
+      let output = "";
+      childProcess?.stdout?.on("data", (d) => output += d.toString());
+      childProcess?.on("close", (code) => {
+        if (signal) signal.removeEventListener("abort", onAbort);
+        if (locked) return resolve("deny");
+        if (output.includes("Always Allow")) return resolve("always_allow");
+        if (code === 0) return resolve("allow");
+        resolve("deny");
+      });
     } catch {
-      return false;
+      resolve("deny");
     }
-  }
-  try {
-    const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
-      encoding: "utf8",
-      timeout: 500
-    });
-    return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
-  } catch {
-    return false;
-  }
+  });
 }
-function getPersistentDecision(toolName) {
-  try {
-    const file = path5.join(os2.homedir(), ".node9", "decisions.json");
-    if (!fs3.existsSync(file)) return null;
-    const decisions = JSON.parse(fs3.readFileSync(file, "utf-8"));
-    const d = decisions[toolName];
-    if (d === "allow" || d === "deny") return d;
-  } catch {
-  }
-  return null;
+
+// src/auth/cloud.ts
+import fs7 from "fs";
+import os6 from "os";
+function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
+  return fetch(`${creds.apiUrl}/audit`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
+    body: JSON.stringify({
+      toolName,
+      args,
+      checkedBy,
+      context: {
+        agent: meta?.agent,
+        mcpServer: meta?.mcpServer,
+        hostname: os6.hostname(),
+        cwd: process.cwd(),
+        platform: os6.platform()
+      }
+    }),
+    signal: AbortSignal.timeout(5e3)
+  }).then(() => {
+  }).catch(() => {
+  });
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd) {
-  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), 5e3);
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 1e4);
   try {
-    const res = await fetch(`${base}/check`, {
+    const response = await fetch(creds.apiUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
       body: JSON.stringify({
         toolName,
         args,
-        agent: meta?.agent,
-        mcpServer: meta?.mcpServer,
-        fromCLI: true,
-        // Pass the flight-recorder ID so the daemon uses the same UUID for
-        // activity-result as the CLI used for the pending activity event.
-        activityId,
-        ...riskMetadata && { riskMetadata },
-        ...cwd && { cwd }
+        context: {
+          agent: meta?.agent,
+          mcpServer: meta?.mcpServer,
+          hostname: os6.hostname(),
+          cwd: process.cwd(),
+          platform: os6.platform()
+        },
+        ...riskMetadata && { riskMetadata }
       }),
-      signal: ctrl.signal
+      signal: controller.signal
     });
-    if (!res.ok) throw new Error("Daemon fail");
-    const { id } = await res.json();
-    return id;
+    if (!response.ok) throw new Error(`HTTP ${response.status}`);
+    return await response.json();
   } finally {
-    clearTimeout(timer);
+    clearTimeout(timeout);
   }
 }
-async function waitForDaemonDecision(id, signal) {
-  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
-  const waitCtrl = new AbortController();
-  const waitTimer = setTimeout(() => waitCtrl.abort(), 12e4);
-  const onAbort = () => waitCtrl.abort();
-  if (signal) signal.addEventListener("abort", onAbort);
+async function pollNode9SaaS(requestId, creds, signal) {
+  const statusUrl = `${creds.apiUrl}/status/${requestId}`;
+  const POLL_INTERVAL_MS = 1e3;
+  const POLL_DEADLINE = Date.now() + 10 * 60 * 1e3;
+  while (Date.now() < POLL_DEADLINE) {
+    if (signal.aborted) throw new Error("Aborted");
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+    try {
+      const pollCtrl = new AbortController();
+      const pollTimer = setTimeout(() => pollCtrl.abort(), 5e3);
+      const statusRes = await fetch(statusUrl, {
+        headers: { Authorization: `Bearer ${creds.apiKey}` },
+        signal: pollCtrl.signal
+      });
+      clearTimeout(pollTimer);
+      if (!statusRes.ok) continue;
+      const { status, reason } = await statusRes.json();
+      if (status === "APPROVED") {
+        return { approved: true, reason };
+      }
+      if (status === "DENIED" || status === "AUTO_BLOCKED" || status === "TIMED_OUT") {
+        return { approved: false, reason };
+      }
+    } catch {
+    }
+  }
+  return { approved: false, reason: "Cloud approval timed out after 10 minutes." };
+}
+async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
   try {
-    const waitRes = await fetch(`${base}/wait/${id}`, { signal: waitCtrl.signal });
-    if (!waitRes.ok) return { decision: "deny" };
-    const { decision, source } = await waitRes.json();
-    if (decision === "allow") return { decision: "allow", source };
-    if (decision === "abandoned") return { decision: "abandoned", source };
-    return { decision: "deny", source };
-  } finally {
-    clearTimeout(waitTimer);
-    if (signal) signal.removeEventListener("abort", onAbort);
+    const resolveUrl = `${creds.apiUrl}/requests/${requestId}`;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 5e3);
+    const res = await fetch(resolveUrl, {
+      method: "PATCH",
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
+      body: JSON.stringify({
+        decision: approved ? "APPROVED" : "DENIED",
+        ...decidedBy && { decidedBy }
+      }),
+      signal: ctrl.signal
+    });
+    clearTimeout(timer);
+    if (!res.ok) {
+      fs7.appendFileSync(
+        HOOK_DEBUG_LOG,
+        `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
+`
+      );
+    }
+  } catch (err) {
+    fs7.appendFileSync(
+      HOOK_DEBUG_LOG,
+      `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
+`
+    );
   }
 }
-async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
-  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
-  const res = await fetch(`${base}/check`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      toolName,
-      args,
-      slackDelegated: true,
-      agent: meta?.agent,
-      mcpServer: meta?.mcpServer,
-      ...riskMetadata && { riskMetadata }
-    }),
-    signal: AbortSignal.timeout(3e3)
-  });
-  if (!res.ok) throw new Error("Daemon unreachable");
-  const { id } = await res.json();
-  return id;
-}
-async function resolveViaDaemon(id, decision, internalToken) {
-  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
-  await fetch(`${base}/resolve/${id}`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", "X-Node9-Internal": internalToken },
-    body: JSON.stringify({ decision }),
-    signal: AbortSignal.timeout(3e3)
-  });
-}
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path5.join(os2.tmpdir(), "node9-activity.sock");
+
+// src/auth/orchestrator.ts
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path9.join(os7.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -1801,415 +2133,114 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           false,
           signal,
           policyMatchedField,
-          policyMatchedWord
-        );
-        if (decision === "always_allow") {
-          writeTrustSession(toolName, 36e5);
-          return { approved: true, checkedBy: "trust" };
-        }
-        const isApproved = decision === "allow";
-        return {
-          approved: isApproved,
-          reason: isApproved ? void 0 : "The human user clicked 'Block' on the system dialog window.",
-          checkedBy: isApproved ? "daemon" : void 0,
-          blockedBy: isApproved ? void 0 : "local-decision",
-          blockedByLabel: "User Decision (Native)",
-          decisionSource: "native"
-        };
-      })()
-    );
-  }
-  if (daemonEntryId && (approvers.browser || approvers.terminal)) {
-    racePromises.push(
-      (async () => {
-        const { decision: daemonDecision, source: decisionSource } = await waitForDaemonDecision(
-          daemonEntryId,
-          signal
-        );
-        if (daemonDecision === "abandoned") throw new Error("Abandoned");
-        const isApproved = daemonDecision === "allow";
-        const src = decisionSource === "terminal" || decisionSource === "browser" ? decisionSource : approvers.browser ? "browser" : "terminal";
-        const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
-        return {
-          approved: isApproved,
-          reason: isApproved ? void 0 : `The human user rejected this action via the Node9 ${via}.`,
-          checkedBy: isApproved ? "daemon" : void 0,
-          blockedBy: isApproved ? void 0 : "local-decision",
-          blockedByLabel: `User Decision (${via})`,
-          decisionSource: src
-        };
-      })()
-    );
-  }
-  if (racePromises.length === 0) {
-    return {
-      approved: false,
-      noApprovalMechanism: true,
-      reason: `NODE9 SECURITY INTERVENTION: Action blocked by automated policy [${explainableLabel}].
-REASON: Action blocked because no approval channels are available. (Native/Browser UI is disabled in config, and this terminal is non-interactive).`,
-      blockedBy: "no-approval-mechanism",
-      blockedByLabel: explainableLabel
-    };
-  }
-  const finalResult = await new Promise((resolve) => {
-    let resolved = false;
-    let failures = 0;
-    const total = racePromises.length;
-    const finish = (res) => {
-      if (!resolved) {
-        resolved = true;
-        abortController.abort();
-        if (viewerId && internalToken) {
-          resolveViaDaemon(viewerId, res.approved ? "allow" : "deny", internalToken).catch(
-            () => null
-          );
-        }
-        resolve(res);
-      }
-    };
-    for (const p of racePromises) {
-      p.then(finish).catch((err) => {
-        if (err.name === "AbortError" || err.message?.includes("canceled") || err.message?.includes("Aborted"))
-          return;
-        if (err.message === "Abandoned") {
-          finish({
-            approved: false,
-            reason: "Browser dashboard closed without making a decision.",
-            blockedBy: "local-decision",
-            blockedByLabel: "Browser Dashboard (Abandoned)"
-          });
-          return;
-        }
-        failures++;
-        if (failures === total && !resolved) {
-          finish({ approved: false, reason: "All approval channels failed or disconnected." });
-        }
-      });
-    }
-  });
-  if (cloudRequestId && creds && finalResult.checkedBy !== "cloud") {
-    await resolveNode9SaaS(
-      cloudRequestId,
-      creds,
-      finalResult.approved,
-      finalResult.decisionSource ?? finalResult.checkedBy ?? "local"
-    );
-  }
-  if (!isManual) {
-    appendLocalAudit(
-      toolName,
-      args,
-      finalResult.approved ? "allow" : "deny",
-      finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
-    );
-  }
-  return finalResult;
-}
-function getConfig(cwd) {
-  if (!cwd && cachedConfig) return cachedConfig;
-  const globalPath = path5.join(os2.homedir(), ".node9", "config.json");
-  const projectPath = path5.join(cwd ?? process.cwd(), "node9.config.json");
-  const globalConfig = tryLoadConfig(globalPath);
-  const projectConfig = tryLoadConfig(projectPath);
-  const mergedSettings = {
-    ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
-  };
-  const mergedPolicy = {
-    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
-    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
-    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
-    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
-    snapshot: {
-      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
-      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
-      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp }
-  };
-  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
-  const applyLayer = (source) => {
-    if (!source) return;
-    const s = source.settings || {};
-    const p = source.policy || {};
-    if (s.mode !== void 0) mergedSettings.mode = s.mode;
-    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
-    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
-    if (s.enableHookLogDebug !== void 0)
-      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
-    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
-    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
-    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
-      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
-    if (s.environment !== void 0) mergedSettings.environment = s.environment;
-    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
-    if (p.toolInspection)
-      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
-    if (p.snapshot) {
-      const s2 = p.snapshot;
-      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
-      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
-      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
-    }
-    if (p.dlp) {
-      const d = p.dlp;
-      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
-      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
-    }
-    const envs = source.environments || {};
-    for (const [envName, envConfig] of Object.entries(envs)) {
-      if (envConfig && typeof envConfig === "object") {
-        const ec = envConfig;
-        mergedEnvironments[envName] = {
-          ...mergedEnvironments[envName],
-          // Validate field types before merging — do not blindly spread user input
-          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
-        };
-      }
-    }
-  };
-  applyLayer(globalConfig);
-  applyLayer(projectConfig);
-  const shieldOverrides = readShieldOverrides();
-  for (const shieldName of readActiveShields()) {
-    const shield = getShield(shieldName);
-    if (!shield) continue;
-    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-    const ruleOverrides = shieldOverrides[shieldName] ?? {};
-    for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) {
-        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
-        mergedPolicy.smartRules.push(
-          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
-        );
-      }
-    }
-    const existingWords = new Set(mergedPolicy.dangerousWords);
-    for (const word of shield.dangerousWords) {
-      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
-    }
-  }
-  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-  for (const rule of ADVISORY_SMART_RULES) {
-    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
-  }
-  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
-  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
-  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
-  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
-  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
-  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
-  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
-  const result = {
-    settings: mergedSettings,
-    policy: mergedPolicy,
-    environments: mergedEnvironments
-  };
-  if (!cwd) cachedConfig = result;
-  return result;
-}
-function tryLoadConfig(filePath) {
-  if (!fs3.existsSync(filePath)) return null;
-  let raw;
-  try {
-    raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Failed to parse ${filePath}
-   ${msg}
-   \u2192 Using default config
-
-`
+          policyMatchedWord
+        );
+        if (decision === "always_allow") {
+          writeTrustSession(toolName, 36e5);
+          return { approved: true, checkedBy: "trust" };
+        }
+        const isApproved = decision === "allow";
+        return {
+          approved: isApproved,
+          reason: isApproved ? void 0 : "The human user clicked 'Block' on the system dialog window.",
+          checkedBy: isApproved ? "daemon" : void 0,
+          blockedBy: isApproved ? void 0 : "local-decision",
+          blockedByLabel: "User Decision (Native)",
+          decisionSource: "native"
+        };
+      })()
     );
-    return null;
-  }
-  const SUPPORTED_VERSION = "1.0";
-  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
-  const fileVersion = raw?.version;
-  if (fileVersion !== void 0) {
-    const vStr = String(fileVersion);
-    const fileMajor = vStr.split(".")[0];
-    if (fileMajor !== SUPPORTED_MAJOR) {
-      process.stderr.write(
-        `
-\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
-
-`
-      );
-      return null;
-    } else if (vStr !== SUPPORTED_VERSION) {
-      process.stderr.write(
-        `
-\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
-
-`
-      );
-    }
   }
-  const { sanitized, error } = sanitizeConfig(raw);
-  if (error) {
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
-${error.replace("Invalid config:\n", "")}
-   \u2192 Invalid fields ignored, using defaults for those keys
-
-`
+  if (daemonEntryId && (approvers.browser || approvers.terminal)) {
+    racePromises.push(
+      (async () => {
+        const { decision: daemonDecision, source: decisionSource } = await waitForDaemonDecision(
+          daemonEntryId,
+          signal
+        );
+        if (daemonDecision === "abandoned") throw new Error("Abandoned");
+        const isApproved = daemonDecision === "allow";
+        const src = decisionSource === "terminal" || decisionSource === "browser" ? decisionSource : approvers.browser ? "browser" : "terminal";
+        const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
+        return {
+          approved: isApproved,
+          reason: isApproved ? void 0 : `The human user rejected this action via the Node9 ${via}.`,
+          checkedBy: isApproved ? "daemon" : void 0,
+          blockedBy: isApproved ? void 0 : "local-decision",
+          blockedByLabel: `User Decision (${via})`,
+          decisionSource: src
+        };
+      })()
     );
   }
-  return sanitized;
-}
-function getActiveEnvironment(config) {
-  const env = config.settings.environment || process.env.NODE_ENV || "development";
-  return config.environments[env] ?? null;
-}
-function getCredentials() {
-  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  if (process.env.NODE9_API_KEY) {
+  if (racePromises.length === 0) {
     return {
-      apiKey: process.env.NODE9_API_KEY,
-      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
+      approved: false,
+      noApprovalMechanism: true,
+      reason: `NODE9 SECURITY INTERVENTION: Action blocked by automated policy [${explainableLabel}].
+REASON: Action blocked because no approval channels are available. (Native/Browser UI is disabled in config, and this terminal is non-interactive).`,
+      blockedBy: "no-approval-mechanism",
+      blockedByLabel: explainableLabel
     };
   }
-  try {
-    const credPath = path5.join(os2.homedir(), ".node9", "credentials.json");
-    if (fs3.existsSync(credPath)) {
-      const creds = JSON.parse(fs3.readFileSync(credPath, "utf-8"));
-      const profileName = process.env.NODE9_PROFILE || "default";
-      const profile = creds[profileName];
-      if (profile?.apiKey) {
-        return {
-          apiKey: profile.apiKey,
-          apiUrl: profile.apiUrl || DEFAULT_API_URL
-        };
-      }
-      if (creds.apiKey) {
-        return {
-          apiKey: creds.apiKey,
-          apiUrl: creds.apiUrl || DEFAULT_API_URL
-        };
+  const finalResult = await new Promise((resolve) => {
+    let resolved = false;
+    let failures = 0;
+    const total = racePromises.length;
+    const finish = (res) => {
+      if (!resolved) {
+        resolved = true;
+        abortController.abort();
+        if (viewerId && internalToken) {
+          resolveViaDaemon(viewerId, res.approved ? "allow" : "deny", internalToken).catch(
+            () => null
+          );
+        }
+        resolve(res);
       }
+    };
+    for (const p of racePromises) {
+      p.then(finish).catch((err) => {
+        if (err.name === "AbortError" || err.message?.includes("canceled") || err.message?.includes("Aborted"))
+          return;
+        if (err.message === "Abandoned") {
+          finish({
+            approved: false,
+            reason: "Browser dashboard closed without making a decision.",
+            blockedBy: "local-decision",
+            blockedByLabel: "Browser Dashboard (Abandoned)"
+          });
+          return;
+        }
+        failures++;
+        if (failures === total && !resolved) {
+          finish({ approved: false, reason: "All approval channels failed or disconnected." });
+        }
+      });
     }
-  } catch {
+  });
+  if (cloudRequestId && creds && finalResult.checkedBy !== "cloud") {
+    await resolveNode9SaaS(
+      cloudRequestId,
+      creds,
+      finalResult.approved,
+      finalResult.decisionSource ?? finalResult.checkedBy ?? "local"
+    );
   }
-  return null;
-}
-async function authorizeAction(toolName, args) {
-  const result = await authorizeHeadless(toolName, args);
-  return result.approved;
-}
-function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
-  return fetch(`${creds.apiUrl}/audit`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-    body: JSON.stringify({
+  if (!isManual) {
+    appendLocalAudit(
       toolName,
       args,
-      checkedBy,
-      context: {
-        agent: meta?.agent,
-        mcpServer: meta?.mcpServer,
-        hostname: os2.hostname(),
-        cwd: process.cwd(),
-        platform: os2.platform()
-      }
-    }),
-    signal: AbortSignal.timeout(5e3)
-  }).then(() => {
-  }).catch(() => {
-  });
-}
-async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), 1e4);
-  try {
-    const response = await fetch(creds.apiUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-      body: JSON.stringify({
-        toolName,
-        args,
-        context: {
-          agent: meta?.agent,
-          mcpServer: meta?.mcpServer,
-          hostname: os2.hostname(),
-          cwd: process.cwd(),
-          platform: os2.platform()
-        },
-        ...riskMetadata && { riskMetadata }
-      }),
-      signal: controller.signal
-    });
-    if (!response.ok) throw new Error(`HTTP ${response.status}`);
-    return await response.json();
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-async function pollNode9SaaS(requestId, creds, signal) {
-  const statusUrl = `${creds.apiUrl}/status/${requestId}`;
-  const POLL_INTERVAL_MS = 1e3;
-  const POLL_DEADLINE = Date.now() + 10 * 60 * 1e3;
-  while (Date.now() < POLL_DEADLINE) {
-    if (signal.aborted) throw new Error("Aborted");
-    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
-    try {
-      const pollCtrl = new AbortController();
-      const pollTimer = setTimeout(() => pollCtrl.abort(), 5e3);
-      const statusRes = await fetch(statusUrl, {
-        headers: { Authorization: `Bearer ${creds.apiKey}` },
-        signal: pollCtrl.signal
-      });
-      clearTimeout(pollTimer);
-      if (!statusRes.ok) continue;
-      const { status, reason } = await statusRes.json();
-      if (status === "APPROVED") {
-        return { approved: true, reason };
-      }
-      if (status === "DENIED" || status === "AUTO_BLOCKED" || status === "TIMED_OUT") {
-        return { approved: false, reason };
-      }
-    } catch {
-    }
-  }
-  return { approved: false, reason: "Cloud approval timed out after 10 minutes." };
-}
-async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
-  try {
-    const resolveUrl = `${creds.apiUrl}/requests/${requestId}`;
-    const ctrl = new AbortController();
-    const timer = setTimeout(() => ctrl.abort(), 5e3);
-    const res = await fetch(resolveUrl, {
-      method: "PATCH",
-      headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-      body: JSON.stringify({
-        decision: approved ? "APPROVED" : "DENIED",
-        ...decidedBy && { decidedBy }
-      }),
-      signal: ctrl.signal
-    });
-    clearTimeout(timer);
-    if (!res.ok) {
-      fs3.appendFileSync(
-        HOOK_DEBUG_LOG,
-        `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
-`
-      );
-    }
-  } catch (err) {
-    fs3.appendFileSync(
-      HOOK_DEBUG_LOG,
-      `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
-`
+      finalResult.approved ? "allow" : "deny",
+      finalResult.checkedBy || finalResult.blockedBy || "unknown",
+      meta
     );
   }
+  return finalResult;
+}
+async function authorizeAction(toolName, args) {
+  const result = await authorizeHeadless(toolName, args);
+  return result.approved;
 }
 
 // src/index.ts