@node9/proxy 1.10.0 → 1.10.1

package/dist/cli.js

@@ -168,8 +168,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path34 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path34}: ${issue.message}`;
+    const path35 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path35}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -253,7 +253,8 @@ var init_config_schema = __esm({
         slackEnabled: import_zod.z.boolean().optional(),
         enableTrustSessions: import_zod.z.boolean().optional(),
         allowGlobalPause: import_zod.z.boolean().optional(),
-        auditHashArgs: import_zod.z.boolean().optional()
+        auditHashArgs: import_zod.z.boolean().optional(),
+        agentPolicy: import_zod.z.enum(["require_approval", "block_on_rules"]).optional()
       }).optional(),
       policy: import_zod.z.object({
         sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -1726,9 +1727,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path34) {
+function getNestedValue(obj, path35) {
   if (!obj || typeof obj !== "object") return null;
-  return path34.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path35.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -2811,11 +2812,12 @@ ${smartTruncate(str, 500)}`
 function escapePango(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
   lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  if (ruleDescription) lines.push(`\u2139  ${ruleDescription}`);
   lines.push("");
   lines.push(formattedArgs);
   if (allowCount >= 3) {
@@ -2828,7 +2830,7 @@ function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) {
     lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
@@ -2838,6 +2840,7 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
     `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
   );
   lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  if (ruleDescription) lines.push(`<i>\u2139  ${escapePango(ruleDescription)}</i>`);
   lines.push("");
   lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
   if (allowCount >= 3) {
@@ -2854,7 +2857,7 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1, ruleDescription) {
   if (isTestEnv()) return "deny";
   const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
   const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
@@ -2865,7 +2868,8 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
     agent,
     explainableLabel,
     locked,
-    allowCount
+    allowCount,
+    ruleDescription
   );
   return new Promise((resolve) => {
     let childProcess = null;
@@ -2899,7 +2903,8 @@ end run`;
           agent,
           explainableLabel,
           locked,
-          allowCount
+          allowCount,
+          ruleDescription
         );
         const argsList = [
           locked ? "--info" : "--question",
@@ -2972,7 +2977,7 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPolicy, forceReview) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   if (!creds.apiKey) throw new Error("Node9 API Key is missing");
@@ -3017,7 +3022,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
           platform: import_os9.default.platform()
         },
         ...riskMetadata && { riskMetadata },
-        ...ciContext && { ciContext }
+        ...ciContext && { ciContext },
+        ...agentPolicy && { policy: agentPolicy },
+        ...forceReview && { forceReview: true }
       }),
       signal: controller.signal
     });
@@ -3414,6 +3421,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
+    if (policyRuleDescription) riskMetadata.ruleDescription = policyRuleDescription.slice(0, 200);
     const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
@@ -3448,9 +3456,18 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
+  const forceReview = localSmartRuleMatched === true || options?.localSmartRuleMatched === true || void 0;
+  if (cloudEnforced) {
     try {
-      const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
+      const initResult = await initNode9SaaS(
+        toolName,
+        args,
+        creds,
+        meta,
+        riskMetadata,
+        config.settings.agentPolicy,
+        forceReview
+      );
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
@@ -3465,9 +3482,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           };
         }
       }
-      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
-        cloudRequestId = initResult.requestId || null;
-      }
+      if (initResult.pending) cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -3524,7 +3539,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
+  if (cloudEnforced && cloudRequestId) {
     racePromises.push(
       (async () => {
         try {
@@ -3556,7 +3571,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           signal,
           policyMatchedField,
           policyMatchedWord,
-          daemonAllowCount
+          daemonAllowCount,
+          riskMetadata?.ruleDescription
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -6059,8 +6075,175 @@ var init_patch = __esm({
   }
 });
 
+// src/costSync.ts
+function normalizeModel(raw) {
+  return raw.replace(/-\d{8}$/, "");
+}
+function pricingFor(model) {
+  const norm = normalizeModel(model);
+  if (PRICING[norm]) return PRICING[norm];
+  let best = null;
+  for (const key of Object.keys(PRICING)) {
+    if (norm.startsWith(key) && (best === null || key.length > best.length)) best = key;
+  }
+  return best ? PRICING[best] : null;
+}
+function parseJSONLFile(filePath) {
+  let content;
+  try {
+    content = import_fs16.default.readFileSync(filePath, "utf8");
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+  const daily = /* @__PURE__ */ new Map();
+  for (const line of content.split("\n")) {
+    if (!line.trim()) continue;
+    let row;
+    try {
+      row = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    if (row["type"] !== "assistant") continue;
+    const msg = row["message"];
+    if (!msg?.["usage"] || typeof msg["model"] !== "string") continue;
+    const usage = msg["usage"];
+    const model = msg["model"];
+    const timestamp = row["timestamp"];
+    if (typeof timestamp !== "string" || timestamp.length < 10) continue;
+    const date = timestamp.slice(0, 10);
+    const p = pricingFor(model);
+    if (!p) continue;
+    const inp = Number(usage["input_tokens"] ?? 0);
+    const out = Number(usage["output_tokens"] ?? 0);
+    const cw = Number(usage["cache_creation_input_tokens"] ?? 0);
+    const cr = Number(usage["cache_read_input_tokens"] ?? 0);
+    const cost = inp * p[0] + out * p[1] + cw * p[2] + cr * p[3];
+    const norm = normalizeModel(model);
+    const key = `${date}::${norm}`;
+    const prev = daily.get(key);
+    if (prev) {
+      prev.costUSD += cost;
+      prev.inputTokens += inp;
+      prev.outputTokens += out;
+      prev.cacheWriteTokens += cw;
+      prev.cacheReadTokens += cr;
+    } else {
+      daily.set(key, {
+        date,
+        model: norm,
+        costUSD: cost,
+        inputTokens: inp,
+        outputTokens: out,
+        cacheWriteTokens: cw,
+        cacheReadTokens: cr
+      });
+    }
+  }
+  return daily;
+}
+function collectEntries() {
+  const projectsDir = import_path19.default.join(import_os14.default.homedir(), ".claude", "projects");
+  if (!import_fs16.default.existsSync(projectsDir)) return [];
+  const combined = /* @__PURE__ */ new Map();
+  let dirs;
+  try {
+    dirs = import_fs16.default.readdirSync(projectsDir);
+  } catch {
+    return [];
+  }
+  for (const dir of dirs) {
+    const dirPath = import_path19.default.join(projectsDir, dir);
+    try {
+      if (!import_fs16.default.statSync(dirPath).isDirectory()) continue;
+    } catch {
+      continue;
+    }
+    let files;
+    try {
+      files = import_fs16.default.readdirSync(dirPath).filter((f) => f.endsWith(".jsonl"));
+    } catch {
+      continue;
+    }
+    for (const file of files) {
+      const entries = parseJSONLFile(import_path19.default.join(dirPath, file));
+      for (const [key, e] of entries) {
+        const prev = combined.get(key);
+        if (prev) {
+          prev.costUSD += e.costUSD;
+          prev.inputTokens += e.inputTokens;
+          prev.outputTokens += e.outputTokens;
+          prev.cacheWriteTokens += e.cacheWriteTokens;
+          prev.cacheReadTokens += e.cacheReadTokens;
+        } else {
+          combined.set(key, { ...e });
+        }
+      }
+    }
+  }
+  return [...combined.values()];
+}
+async function syncCost() {
+  const creds = getCredentials();
+  if (!creds?.apiKey || !creds?.apiUrl) return;
+  const entries = collectEntries();
+  if (entries.length === 0) return;
+  let username = "unknown";
+  try {
+    username = import_os14.default.userInfo().username;
+  } catch {
+  }
+  const machineId = `${import_os14.default.hostname()}:${username}`;
+  try {
+    const res = await fetch(`${creds.apiUrl}/cost-sync`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
+      body: JSON.stringify({ machineId, entries }),
+      signal: AbortSignal.timeout(15e3)
+    });
+    if (!res.ok) {
+      import_fs16.default.appendFileSync(HOOK_DEBUG_LOG, `[cost-sync] HTTP ${res.status}
+`);
+    }
+  } catch (err2) {
+    import_fs16.default.appendFileSync(HOOK_DEBUG_LOG, `[cost-sync] ${err2.message}
+`);
+  }
+}
+function startCostSync() {
+  syncCost().catch(() => {
+  });
+  const timer = setInterval(() => {
+    syncCost().catch(() => {
+    });
+  }, SYNC_INTERVAL_MS);
+  timer.unref();
+}
+var import_fs16, import_path19, import_os14, SYNC_INTERVAL_MS, PRICING;
+var init_costSync = __esm({
+  "src/costSync.ts"() {
+    "use strict";
+    import_fs16 = __toESM(require("fs"));
+    import_path19 = __toESM(require("path"));
+    import_os14 = __toESM(require("os"));
+    init_config();
+    init_audit();
+    SYNC_INTERVAL_MS = 10 * 60 * 1e3;
+    PRICING = {
+      "claude-opus-4": [5e-6, 25e-6, 625e-8, 5e-7],
+      "claude-sonnet-4": [3e-6, 15e-6, 375e-8, 3e-7],
+      "claude-haiku-4": [8e-7, 4e-6, 1e-6, 8e-8],
+      "claude-3-7-sonnet": [3e-6, 15e-6, 375e-8, 3e-7],
+      "claude-3-5-sonnet": [3e-6, 15e-6, 375e-8, 3e-7],
+      "claude-3-5-haiku": [8e-7, 4e-6, 1e-6, 8e-8],
+      "claude-3-haiku": [25e-8, 125e-8, 3e-7, 3e-8]
+    };
+  }
+});
+
 // src/daemon/server.ts
 function startDaemon() {
+  startCostSync();
   loadInsightCounts();
   const csrfToken = (0, import_crypto7.randomUUID)();
   const internalToken = (0, import_crypto7.randomUUID)();
@@ -6076,7 +6259,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          import_fs16.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs17.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -6239,7 +6422,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && import_path19.default.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && import_path20.default.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -6629,8 +6812,8 @@ data: ${JSON.stringify(item.data)}
         const body = await readBody(req);
         const data = body ? JSON.parse(body) : {};
         const configPath = data.configPath ?? GLOBAL_CONFIG_PATH;
-        const node9Dir = import_path19.default.dirname(GLOBAL_CONFIG_PATH);
-        if (!import_path19.default.resolve(configPath).startsWith(node9Dir + import_path19.default.sep)) {
+        const node9Dir = import_path20.default.dirname(GLOBAL_CONFIG_PATH);
+        if (!import_path20.default.resolve(configPath).startsWith(node9Dir + import_path20.default.sep)) {
           res.writeHead(400, { "Content-Type": "application/json" });
           return res.end(
             JSON.stringify({ error: "configPath must be within the node9 config directory" })
@@ -6741,14 +6924,14 @@ data: ${JSON.stringify(item.data)}
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (import_fs16.default.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(import_fs16.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (import_fs17.default.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(import_fs17.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          import_fs16.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs17.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -6807,13 +6990,13 @@ data: ${JSON.stringify(item.data)}
   }
   startActivitySocket();
 }
-var import_http, import_fs16, import_path19, import_crypto7, import_child_process4, import_chalk2;
+var import_http, import_fs17, import_path20, import_crypto7, import_child_process4, import_chalk2;
 var init_server = __esm({
   "src/daemon/server.ts"() {
     "use strict";
     import_http = __toESM(require("http"));
-    import_fs16 = __toESM(require("fs"));
-    import_path19 = __toESM(require("path"));
+    import_fs17 = __toESM(require("fs"));
+    import_path20 = __toESM(require("path"));
     import_crypto7 = require("crypto");
     import_child_process4 = require("child_process");
     import_chalk2 = __toESM(require("chalk"));
@@ -6823,29 +7006,30 @@ var init_server = __esm({
     init_state2();
     init_patch();
     init_config_schema();
+    init_costSync();
   }
 });
 
 // src/daemon/index.ts
 function stopDaemon() {
-  if (!import_fs17.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
+  if (!import_fs18.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(import_fs17.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(import_fs18.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(import_chalk3.default.green("\u2705 Stopped."));
   } catch {
     console.log(import_chalk3.default.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      import_fs17.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs18.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (import_fs17.default.existsSync(DAEMON_PID_FILE)) {
+  if (import_fs18.default.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(import_fs17.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(import_fs18.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(import_chalk3.default.green("Node9 daemon: running"));
       return;
@@ -6864,11 +7048,11 @@ function daemonStatus() {
     console.log(import_chalk3.default.yellow("Node9 daemon: not running"));
   }
 }
-var import_fs17, import_chalk3, import_child_process5;
+var import_fs18, import_chalk3, import_child_process5;
 var init_daemon2 = __esm({
   "src/daemon/index.ts"() {
     "use strict";
-    import_fs17 = __toESM(require("fs"));
+    import_fs18 = __toESM(require("fs"));
     import_chalk3 = __toESM(require("chalk"));
     import_child_process5 = require("child_process");
     init_server();
@@ -6902,7 +7086,7 @@ function formatBase(activity) {
   const time = new Date(activity.ts).toLocaleTimeString([], { hour12: false });
   const icon = getIcon(activity.tool);
   const toolName = activity.tool.slice(0, 16).padEnd(16);
-  const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ").replaceAll(import_os24.default.homedir(), "~");
+  const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ").replaceAll(import_os25.default.homedir(), "~");
   const argsPreview = argsStr.length > 70 ? argsStr.slice(0, 70) + "\u2026" : argsStr;
   return `${import_chalk19.default.gray(time)} ${icon} ${import_chalk19.default.white.bold(toolName)} ${import_chalk19.default.dim(argsPreview)}`;
 }
@@ -6941,9 +7125,9 @@ function renderPending(activity) {
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (import_fs28.default.existsSync(PID_FILE)) {
+  if (import_fs29.default.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(import_fs28.default.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(import_fs29.default.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
       console.error(import_chalk19.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
@@ -7020,6 +7204,9 @@ function buildCardLines(req, localCount = 0) {
     `${CYAN}\u2551${RESET2} Tool:    ${BOLD2}${req.toolName}${RESET2}`,
     `${CYAN}\u2551${RESET2} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET2}`
   ];
+  if (req.riskMetadata?.ruleDescription) {
+    lines.push(`${CYAN}\u2551${RESET2} ${YELLOW}\u2139  ${req.riskMetadata.ruleDescription}${RESET2}`);
+  }
   if (req.riskMetadata?.ruleName && blockedBy.includes("Taint")) {
     lines.push(`${CYAN}\u2551${RESET2} ${YELLOW}\u26A0  ${req.riskMetadata.ruleName}${RESET2}`);
   }
@@ -7063,9 +7250,9 @@ function buildRecoveryCardLines(req) {
   ];
 }
 function readApproversFromDisk() {
-  const configPath = import_path31.default.join(import_os24.default.homedir(), ".node9", "config.json");
+  const configPath = import_path32.default.join(import_os25.default.homedir(), ".node9", "config.json");
   try {
-    const raw = JSON.parse(import_fs28.default.readFileSync(configPath, "utf-8"));
+    const raw = JSON.parse(import_fs29.default.readFileSync(configPath, "utf-8"));
     const settings = raw.settings ?? {};
     return settings.approvers ?? {};
   } catch {
@@ -7081,15 +7268,15 @@ function approverStatusLine() {
   return `${fmt("native", "native")}  ${fmt("browser", "browser")}  ${fmt("cloud", "cloud")}  ${fmt("terminal", "terminal")}`;
 }
 function toggleApprover(channel) {
-  const configPath = import_path31.default.join(import_os24.default.homedir(), ".node9", "config.json");
+  const configPath = import_path32.default.join(import_os25.default.homedir(), ".node9", "config.json");
   try {
-    const raw = JSON.parse(import_fs28.default.readFileSync(configPath, "utf-8"));
+    const raw = JSON.parse(import_fs29.default.readFileSync(configPath, "utf-8"));
     const settings = raw.settings ?? {};
     const approvers = settings.approvers ?? {};
     approvers[channel] = approvers[channel] === false;
     settings.approvers = approvers;
     raw.settings = settings;
-    import_fs28.default.writeFileSync(configPath, JSON.stringify(raw, null, 2) + "\n");
+    import_fs29.default.writeFileSync(configPath, JSON.stringify(raw, null, 2) + "\n");
   } catch (err2) {
     process.stderr.write(`[node9] toggleApprover failed: ${String(err2)}
 `);
@@ -7259,8 +7446,8 @@ async function startTail(options = {}) {
       }
       postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err2) => {
         try {
-          import_fs28.default.appendFileSync(
-            import_path31.default.join(import_os24.default.homedir(), ".node9", "hook-debug.log"),
+          import_fs29.default.appendFileSync(
+            import_path32.default.join(import_os25.default.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err2)}
 `
           );
@@ -7513,21 +7700,21 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk19, import_fs28, import_os24, import_path31, import_readline5, import_child_process14, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, pendingShownForId, pendingWrappedLines, DIVIDER;
+var import_http2, import_chalk19, import_fs29, import_os25, import_path32, import_readline5, import_child_process14, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, pendingShownForId, pendingWrappedLines, DIVIDER;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     import_http2 = __toESM(require("http"));
     import_chalk19 = __toESM(require("chalk"));
-    import_fs28 = __toESM(require("fs"));
-    import_os24 = __toESM(require("os"));
-    import_path31 = __toESM(require("path"));
+    import_fs29 = __toESM(require("fs"));
+    import_os25 = __toESM(require("os"));
+    import_path32 = __toESM(require("path"));
     import_readline5 = __toESM(require("readline"));
     import_child_process14 = require("child_process");
     init_daemon2();
     init_daemon();
     init_core();
-    PID_FILE = import_path31.default.join(import_os24.default.homedir(), ".node9", "daemon.pid");
+    PID_FILE = import_path32.default.join(import_os25.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -7642,9 +7829,9 @@ function formatTimeLeft(resetsAt) {
   return ` (${m}m left)`;
 }
 function safeReadJson(filePath) {
-  if (!import_fs29.default.existsSync(filePath)) return null;
+  if (!import_fs30.default.existsSync(filePath)) return null;
   try {
-    return JSON.parse(import_fs29.default.readFileSync(filePath, "utf-8"));
+    return JSON.parse(import_fs30.default.readFileSync(filePath, "utf-8"));
   } catch {
     return null;
   }
@@ -7665,12 +7852,12 @@ function countHooksInFile(filePath) {
   return Object.keys(cfg.hooks).length;
 }
 function countRulesInDir(rulesDir) {
-  if (!import_fs29.default.existsSync(rulesDir)) return 0;
+  if (!import_fs30.default.existsSync(rulesDir)) return 0;
   let count = 0;
   try {
-    for (const entry of import_fs29.default.readdirSync(rulesDir, { withFileTypes: true })) {
+    for (const entry of import_fs30.default.readdirSync(rulesDir, { withFileTypes: true })) {
       if (entry.isDirectory()) {
-        count += countRulesInDir(import_path32.default.join(rulesDir, entry.name));
+        count += countRulesInDir(import_path33.default.join(rulesDir, entry.name));
       } else if (entry.isFile() && entry.name.endsWith(".md")) {
         count++;
       }
@@ -7681,46 +7868,46 @@ function countRulesInDir(rulesDir) {
 }
 function isSamePath(a, b) {
   try {
-    return import_path32.default.resolve(a) === import_path32.default.resolve(b);
+    return import_path33.default.resolve(a) === import_path33.default.resolve(b);
   } catch {
     return false;
   }
 }
 function countConfigs(cwd) {
-  const homeDir2 = import_os25.default.homedir();
-  const claudeDir = import_path32.default.join(homeDir2, ".claude");
+  const homeDir2 = import_os26.default.homedir();
+  const claudeDir = import_path33.default.join(homeDir2, ".claude");
   let claudeMdCount = 0;
   let rulesCount = 0;
   let hooksCount = 0;
   const userMcpServers = /* @__PURE__ */ new Set();
   const projectMcpServers = /* @__PURE__ */ new Set();
-  if (import_fs29.default.existsSync(import_path32.default.join(claudeDir, "CLAUDE.md"))) claudeMdCount++;
-  rulesCount += countRulesInDir(import_path32.default.join(claudeDir, "rules"));
-  const userSettings = import_path32.default.join(claudeDir, "settings.json");
+  if (import_fs30.default.existsSync(import_path33.default.join(claudeDir, "CLAUDE.md"))) claudeMdCount++;
+  rulesCount += countRulesInDir(import_path33.default.join(claudeDir, "rules"));
+  const userSettings = import_path33.default.join(claudeDir, "settings.json");
   for (const name of getMcpServerNames(userSettings)) userMcpServers.add(name);
   hooksCount += countHooksInFile(userSettings);
-  const userClaudeJson = import_path32.default.join(homeDir2, ".claude.json");
+  const userClaudeJson = import_path33.default.join(homeDir2, ".claude.json");
   for (const name of getMcpServerNames(userClaudeJson)) userMcpServers.add(name);
   for (const name of getDisabledMcpServers(userClaudeJson, "disabledMcpServers")) {
     userMcpServers.delete(name);
   }
   if (cwd) {
-    if (import_fs29.default.existsSync(import_path32.default.join(cwd, "CLAUDE.md"))) claudeMdCount++;
-    if (import_fs29.default.existsSync(import_path32.default.join(cwd, "CLAUDE.local.md"))) claudeMdCount++;
-    const projectClaudeDir = import_path32.default.join(cwd, ".claude");
+    if (import_fs30.default.existsSync(import_path33.default.join(cwd, "CLAUDE.md"))) claudeMdCount++;
+    if (import_fs30.default.existsSync(import_path33.default.join(cwd, "CLAUDE.local.md"))) claudeMdCount++;
+    const projectClaudeDir = import_path33.default.join(cwd, ".claude");
     const overlapsUserScope = isSamePath(projectClaudeDir, claudeDir);
     if (!overlapsUserScope) {
-      if (import_fs29.default.existsSync(import_path32.default.join(projectClaudeDir, "CLAUDE.md"))) claudeMdCount++;
-      rulesCount += countRulesInDir(import_path32.default.join(projectClaudeDir, "rules"));
-      const projSettings = import_path32.default.join(projectClaudeDir, "settings.json");
+      if (import_fs30.default.existsSync(import_path33.default.join(projectClaudeDir, "CLAUDE.md"))) claudeMdCount++;
+      rulesCount += countRulesInDir(import_path33.default.join(projectClaudeDir, "rules"));
+      const projSettings = import_path33.default.join(projectClaudeDir, "settings.json");
       for (const name of getMcpServerNames(projSettings)) projectMcpServers.add(name);
       hooksCount += countHooksInFile(projSettings);
     }
-    if (import_fs29.default.existsSync(import_path32.default.join(projectClaudeDir, "CLAUDE.local.md"))) claudeMdCount++;
-    const localSettings = import_path32.default.join(projectClaudeDir, "settings.local.json");
+    if (import_fs30.default.existsSync(import_path33.default.join(projectClaudeDir, "CLAUDE.local.md"))) claudeMdCount++;
+    const localSettings = import_path33.default.join(projectClaudeDir, "settings.local.json");
     for (const name of getMcpServerNames(localSettings)) projectMcpServers.add(name);
     hooksCount += countHooksInFile(localSettings);
-    const mcpJsonServers = getMcpServerNames(import_path32.default.join(cwd, ".mcp.json"));
+    const mcpJsonServers = getMcpServerNames(import_path33.default.join(cwd, ".mcp.json"));
     const disabledMcpJson = getDisabledMcpServers(localSettings, "disabledMcpjsonServers");
     for (const name of disabledMcpJson) mcpJsonServers.delete(name);
     for (const name of mcpJsonServers) projectMcpServers.add(name);
@@ -7753,12 +7940,12 @@ function readActiveShieldsHud() {
     return shieldsCache.value;
   }
   try {
-    const shieldsPath = import_path32.default.join(import_os25.default.homedir(), ".node9", "shields.json");
-    if (!import_fs29.default.existsSync(shieldsPath)) {
+    const shieldsPath = import_path33.default.join(import_os26.default.homedir(), ".node9", "shields.json");
+    if (!import_fs30.default.existsSync(shieldsPath)) {
       shieldsCache = { value: [], ts: now };
       return [];
     }
-    const parsed = JSON.parse(import_fs29.default.readFileSync(shieldsPath, "utf-8"));
+    const parsed = JSON.parse(import_fs30.default.readFileSync(shieldsPath, "utf-8"));
     if (!Array.isArray(parsed.active)) {
       shieldsCache = { value: [], ts: now };
       return [];
@@ -7860,17 +8047,17 @@ function renderContextLine(stdin) {
 async function main() {
   try {
     const [stdin, daemonStatus2] = await Promise.all([readStdin(), queryDaemon()]);
-    if (import_fs29.default.existsSync(import_path32.default.join(import_os25.default.homedir(), ".node9", "hud-debug"))) {
+    if (import_fs30.default.existsSync(import_path33.default.join(import_os26.default.homedir(), ".node9", "hud-debug"))) {
       try {
-        const logPath = import_path32.default.join(import_os25.default.homedir(), ".node9", "hud-debug.log");
+        const logPath = import_path33.default.join(import_os26.default.homedir(), ".node9", "hud-debug.log");
         const MAX_LOG_SIZE = 10 * 1024 * 1024;
         let size = 0;
         try {
-          size = import_fs29.default.statSync(logPath).size;
+          size = import_fs30.default.statSync(logPath).size;
         } catch {
         }
         if (size < MAX_LOG_SIZE) {
-          import_fs29.default.appendFileSync(
+          import_fs30.default.appendFileSync(
             logPath,
             JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), stdin }) + "\n"
           );
@@ -7891,11 +8078,11 @@ async function main() {
       try {
         const cwd = stdin.cwd ?? process.cwd();
         for (const configPath of [
-          import_path32.default.join(cwd, "node9.config.json"),
-          import_path32.default.join(import_os25.default.homedir(), ".node9", "config.json")
+          import_path33.default.join(cwd, "node9.config.json"),
+          import_path33.default.join(import_os26.default.homedir(), ".node9", "config.json")
         ]) {
-          if (!import_fs29.default.existsSync(configPath)) continue;
-          const cfg = JSON.parse(import_fs29.default.readFileSync(configPath, "utf-8"));
+          if (!import_fs30.default.existsSync(configPath)) continue;
+          const cfg = JSON.parse(import_fs30.default.readFileSync(configPath, "utf-8"));
           const hud = cfg.settings?.hud;
           if (hud && "showEnvironmentCounts" in hud) return hud.showEnvironmentCounts !== false;
         }
@@ -7913,13 +8100,13 @@ async function main() {
     renderOffline();
   }
 }
-var import_fs29, import_path32, import_os25, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH, shieldsCache, SHIELDS_CACHE_TTL_MS;
+var import_fs30, import_path33, import_os26, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH, shieldsCache, SHIELDS_CACHE_TTL_MS;
 var init_hud = __esm({
   "src/cli/hud.ts"() {
     "use strict";
-    import_fs29 = __toESM(require("fs"));
-    import_path32 = __toESM(require("path"));
-    import_os25 = __toESM(require("os"));
+    import_fs30 = __toESM(require("fs"));
+    import_path33 = __toESM(require("path"));
+    import_os26 = __toESM(require("os"));
     import_http3 = __toESM(require("http"));
     init_daemon();
     RESET3 = "\x1B[0m";
@@ -8529,9 +8716,9 @@ function teardownHud() {
 // src/cli.ts
 init_daemon2();
 var import_chalk20 = __toESM(require("chalk"));
-var import_fs30 = __toESM(require("fs"));
-var import_path33 = __toESM(require("path"));
-var import_os26 = __toESM(require("os"));
+var import_fs31 = __toESM(require("fs"));
+var import_path34 = __toESM(require("path"));
+var import_os27 = __toESM(require("os"));
 var import_prompts2 = require("@inquirer/prompts");
 
 // src/utils/duration.ts
@@ -8756,10 +8943,10 @@ async function autoStartDaemonAndWait() {
 
 // src/cli/commands/check.ts
 var import_chalk5 = __toESM(require("chalk"));
-var import_fs19 = __toESM(require("fs"));
+var import_fs20 = __toESM(require("fs"));
 var import_child_process9 = require("child_process");
-var import_path21 = __toESM(require("path"));
-var import_os15 = __toESM(require("os"));
+var import_path22 = __toESM(require("path"));
+var import_os16 = __toESM(require("os"));
 init_orchestrator();
 init_daemon();
 init_config();
@@ -8768,11 +8955,11 @@ init_policy();
 // src/undo.ts
 var import_child_process8 = require("child_process");
 var import_crypto8 = __toESM(require("crypto"));
-var import_fs18 = __toESM(require("fs"));
+var import_fs19 = __toESM(require("fs"));
 var import_net3 = __toESM(require("net"));
-var import_path20 = __toESM(require("path"));
-var import_os14 = __toESM(require("os"));
-var ACTIVITY_SOCKET_PATH3 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path20.default.join(import_os14.default.tmpdir(), "node9-activity.sock");
+var import_path21 = __toESM(require("path"));
+var import_os15 = __toESM(require("os"));
+var ACTIVITY_SOCKET_PATH3 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path21.default.join(import_os15.default.tmpdir(), "node9-activity.sock");
 function notifySnapshotTaken(hash, tool, argsSummary, fileCount) {
   try {
     const payload = JSON.stringify({
@@ -8792,22 +8979,22 @@ function notifySnapshotTaken(hash, tool, argsSummary, fileCount) {
   } catch {
   }
 }
-var SNAPSHOT_STACK_PATH = import_path20.default.join(import_os14.default.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = import_path20.default.join(import_os14.default.homedir(), ".node9", "undo_latest.txt");
+var SNAPSHOT_STACK_PATH = import_path21.default.join(import_os15.default.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = import_path21.default.join(import_os15.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (import_fs18.default.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(import_fs18.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (import_fs19.default.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(import_fs19.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = import_path20.default.dirname(SNAPSHOT_STACK_PATH);
-  if (!import_fs18.default.existsSync(dir)) import_fs18.default.mkdirSync(dir, { recursive: true });
-  import_fs18.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = import_path21.default.dirname(SNAPSHOT_STACK_PATH);
+  if (!import_fs19.default.existsSync(dir)) import_fs19.default.mkdirSync(dir, { recursive: true });
+  import_fs19.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function extractFilePath(args) {
   if (!args || typeof args !== "object") return null;
@@ -8827,12 +9014,12 @@ function buildArgsSummary(tool, args) {
   return "";
 }
 function findProjectRoot(filePath) {
-  let dir = import_path20.default.dirname(filePath);
+  let dir = import_path21.default.dirname(filePath);
   while (true) {
-    if (import_fs18.default.existsSync(import_path20.default.join(dir, ".git")) || import_fs18.default.existsSync(import_path20.default.join(dir, "package.json"))) {
+    if (import_fs19.default.existsSync(import_path21.default.join(dir, ".git")) || import_fs19.default.existsSync(import_path21.default.join(dir, "package.json"))) {
       return dir;
     }
-    const parent = import_path20.default.dirname(dir);
+    const parent = import_path21.default.dirname(dir);
     if (parent === dir) return process.cwd();
     dir = parent;
   }
@@ -8840,7 +9027,7 @@ function findProjectRoot(filePath) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = import_fs18.default.realpathSync(cwd);
+    normalized = import_fs19.default.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -8850,16 +9037,16 @@ function normalizeCwdForHash(cwd) {
 }
 function getShadowRepoDir(cwd) {
   const hash = import_crypto8.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return import_path20.default.join(import_os14.default.homedir(), ".node9", "snapshots", hash);
+  return import_path21.default.join(import_os15.default.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of import_fs18.default.readdirSync(shadowDir)) {
+    for (const f of import_fs19.default.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = import_path20.default.join(shadowDir, f);
+        const fp = import_path21.default.join(shadowDir, f);
         try {
-          if (import_fs18.default.statSync(fp).mtimeMs < cutoff) import_fs18.default.unlinkSync(fp);
+          if (import_fs19.default.statSync(fp).mtimeMs < cutoff) import_fs19.default.unlinkSync(fp);
         } catch {
         }
       }
@@ -8871,7 +9058,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    import_fs18.default.writeFileSync(import_path20.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    import_fs19.default.writeFileSync(import_path21.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -8884,25 +9071,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = import_path20.default.join(shadowDir, "project-path.txt");
+    const ptPath = import_path21.default.join(shadowDir, "project-path.txt");
     try {
-      const stored = import_fs18.default.readFileSync(ptPath, "utf8").trim();
+      const stored = import_fs19.default.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      import_fs18.default.rmSync(shadowDir, { recursive: true, force: true });
+      import_fs19.default.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        import_fs18.default.writeFileSync(ptPath, normalizedCwd, "utf8");
+        import_fs19.default.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    import_fs18.default.mkdirSync(shadowDir, { recursive: true });
+    import_fs19.default.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = (0, import_child_process8.spawnSync)("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -8911,7 +9098,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     if (process.env.NODE9_DEBUG === "1") console.error("[Node9] git init --bare failed:", reason);
     return false;
   }
-  const configFile = import_path20.default.join(shadowDir, "config");
+  const configFile = import_path21.default.join(shadowDir, "config");
   (0, import_child_process8.spawnSync)("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -8919,7 +9106,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    import_fs18.default.writeFileSync(import_path20.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    import_fs19.default.writeFileSync(import_path21.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -8939,12 +9126,12 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   let indexFile = null;
   try {
     const rawFilePath = extractFilePath(args);
-    const absFilePath = rawFilePath && import_path20.default.isAbsolute(rawFilePath) ? rawFilePath : null;
+    const absFilePath = rawFilePath && import_path21.default.isAbsolute(rawFilePath) ? rawFilePath : null;
     const cwd = absFilePath ? findProjectRoot(absFilePath) : process.cwd();
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = import_path20.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = import_path21.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -9016,7 +9203,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     writeStack(stack);
     const entry = stack[stack.length - 1];
     notifySnapshotTaken(commitHash.slice(0, 7), tool, entry.argsSummary, capturedFiles.length);
-    import_fs18.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    import_fs19.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       (0, import_child_process8.spawn)("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -9027,7 +9214,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        import_fs18.default.unlinkSync(indexFile);
+        import_fs19.default.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -9103,9 +9290,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = import_path20.default.join(dir, file);
-      if (!snapshotFiles.has(file) && import_fs18.default.existsSync(fullPath)) {
-        import_fs18.default.unlinkSync(fullPath);
+      const fullPath = import_path21.default.join(dir, file);
+      if (!snapshotFiles.has(file) && import_fs19.default.existsSync(fullPath)) {
+        import_fs19.default.unlinkSync(fullPath);
       }
     }
     return true;
@@ -9129,9 +9316,9 @@ function registerCheckCommand(program2) {
         } catch (err2) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = import_path21.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+            const logPath = import_path22.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
             const errMsg = err2 instanceof Error ? err2.message : String(err2);
-            import_fs19.default.appendFileSync(
+            import_fs20.default.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -9144,10 +9331,10 @@ RAW: ${raw}
         if (config.settings.autoStartDaemon && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON) {
           try {
             const scriptPath = process.argv[1];
-            if (typeof scriptPath !== "string" || !import_path21.default.isAbsolute(scriptPath))
+            if (typeof scriptPath !== "string" || !import_path22.default.isAbsolute(scriptPath))
               throw new Error("node9: argv[1] is not an absolute path");
-            const resolvedScript = import_fs19.default.realpathSync(scriptPath);
-            const expectedCli = import_fs19.default.realpathSync(import_path21.default.resolve(__dirname, "../../cli.js"));
+            const resolvedScript = import_fs20.default.realpathSync(scriptPath);
+            const expectedCli = import_fs20.default.realpathSync(import_path22.default.resolve(__dirname, "../../cli.js"));
             if (resolvedScript !== expectedCli)
               throw new Error(
                 "node9: daemon spawn aborted \u2014 argv[1] does not resolve to the node9 CLI"
@@ -9173,10 +9360,10 @@ RAW: ${raw}
           }
         }
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = import_path21.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
-          if (!import_fs19.default.existsSync(import_path21.default.dirname(logPath)))
-            import_fs19.default.mkdirSync(import_path21.default.dirname(logPath), { recursive: true });
-          import_fs19.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = import_path22.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
+          if (!import_fs20.default.existsSync(import_path22.default.dirname(logPath)))
+            import_fs20.default.mkdirSync(import_path22.default.dirname(logPath), { recursive: true });
+          import_fs20.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -9189,8 +9376,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = import_fs19.default.openSync("/dev/tty", "w");
-            const writeTty = (line) => import_fs19.default.writeSync(ttyFd, line + "\n");
+            ttyFd = import_fs20.default.openSync("/dev/tty", "w");
+            const writeTty = (line) => import_fs20.default.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(import_chalk5.default.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -9209,7 +9396,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                import_fs19.default.closeSync(ttyFd);
+                import_fs20.default.closeSync(ttyFd);
               } catch {
               }
           }
@@ -9241,7 +9428,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && import_path21.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && import_path22.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -9253,12 +9440,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = import_fs19.default.openSync("/dev/tty", "w");
-            import_fs19.default.writeSync(
+            const tty = import_fs20.default.openSync("/dev/tty", "w");
+            import_fs20.default.writeSync(
               tty,
               import_chalk5.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            import_fs19.default.closeSync(tty);
+            import_fs20.default.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -9285,9 +9472,9 @@ RAW: ${raw}
         });
       } catch (err2) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = import_path21.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+          const logPath = import_path22.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
           const errMsg = err2 instanceof Error ? err2.message : String(err2);
-          import_fs19.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          import_fs20.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -9321,9 +9508,9 @@ RAW: ${raw}
 }
 
 // src/cli/commands/log.ts
-var import_fs20 = __toESM(require("fs"));
-var import_path22 = __toESM(require("path"));
-var import_os16 = __toESM(require("os"));
+var import_fs21 = __toESM(require("fs"));
+var import_path23 = __toESM(require("path"));
+var import_os17 = __toESM(require("os"));
 init_audit();
 init_config();
 init_policy();
@@ -9399,10 +9586,10 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = import_path22.default.join(import_os16.default.homedir(), ".node9", "audit.log");
-        if (!import_fs20.default.existsSync(import_path22.default.dirname(logPath)))
-          import_fs20.default.mkdirSync(import_path22.default.dirname(logPath), { recursive: true });
-        import_fs20.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        const logPath = import_path23.default.join(import_os17.default.homedir(), ".node9", "audit.log");
+        if (!import_fs21.default.existsSync(import_path23.default.dirname(logPath)))
+          import_fs21.default.mkdirSync(import_path23.default.dirname(logPath), { recursive: true });
+        import_fs21.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
         if ((tool === "Bash" || tool === "bash") && isDaemonRunning()) {
           const command = typeof rawInput === "object" && rawInput !== null && "command" in rawInput && typeof rawInput.command === "string" ? rawInput.command : null;
           if (command) {
@@ -9435,7 +9622,7 @@ function registerLogCommand(program2) {
             }
           }
         }
-        const safeCwd = typeof payload.cwd === "string" && import_path22.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwd = typeof payload.cwd === "string" && import_path23.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -9444,9 +9631,9 @@ function registerLogCommand(program2) {
         const msg = err2 instanceof Error ? err2.message : String(err2);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = import_path22.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
+        const debugPath = import_path23.default.join(import_os17.default.homedir(), ".node9", "hook-debug.log");
         try {
-          import_fs20.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          import_fs21.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -9846,14 +10033,14 @@ function registerConfigShowCommand(program2) {
 
 // src/cli/commands/doctor.ts
 var import_chalk7 = __toESM(require("chalk"));
-var import_fs21 = __toESM(require("fs"));
-var import_path23 = __toESM(require("path"));
-var import_os17 = __toESM(require("os"));
+var import_fs22 = __toESM(require("fs"));
+var import_path24 = __toESM(require("path"));
+var import_os18 = __toESM(require("os"));
 var import_child_process10 = require("child_process");
 init_daemon();
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = import_os17.default.homedir();
+    const homeDir2 = import_os18.default.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(import_chalk7.default.green("  \u2705 ") + msg);
@@ -9902,10 +10089,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = import_path23.default.join(homeDir2, ".node9", "config.json");
-    if (import_fs21.default.existsSync(globalConfigPath)) {
+    const globalConfigPath = import_path24.default.join(homeDir2, ".node9", "config.json");
+    if (import_fs22.default.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(import_fs21.default.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(import_fs22.default.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -9913,10 +10100,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = import_path23.default.join(process.cwd(), "node9.config.json");
-    if (import_fs21.default.existsSync(projectConfigPath)) {
+    const projectConfigPath = import_path24.default.join(process.cwd(), "node9.config.json");
+    if (import_fs22.default.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(import_fs21.default.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(import_fs22.default.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -9925,8 +10112,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = import_path23.default.join(homeDir2, ".node9", "credentials.json");
-    if (import_fs21.default.existsSync(credsPath)) {
+    const credsPath = import_path24.default.join(homeDir2, ".node9", "credentials.json");
+    if (import_fs22.default.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -9935,10 +10122,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = import_path23.default.join(homeDir2, ".claude", "settings.json");
-    if (import_fs21.default.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = import_path24.default.join(homeDir2, ".claude", "settings.json");
+    if (import_fs22.default.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(import_fs21.default.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(import_fs22.default.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -9954,10 +10141,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = import_path23.default.join(homeDir2, ".gemini", "settings.json");
-    if (import_fs21.default.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = import_path24.default.join(homeDir2, ".gemini", "settings.json");
+    if (import_fs22.default.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(import_fs21.default.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(import_fs22.default.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -9973,10 +10160,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = import_path23.default.join(homeDir2, ".cursor", "hooks.json");
-    if (import_fs21.default.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = import_path24.default.join(homeDir2, ".cursor", "hooks.json");
+    if (import_fs22.default.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(import_fs21.default.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(import_fs22.default.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -10014,9 +10201,9 @@ function registerDoctorCommand(program2, version2) {
 
 // src/cli/commands/audit.ts
 var import_chalk8 = __toESM(require("chalk"));
-var import_fs22 = __toESM(require("fs"));
-var import_path24 = __toESM(require("path"));
-var import_os18 = __toESM(require("os"));
+var import_fs23 = __toESM(require("fs"));
+var import_path25 = __toESM(require("path"));
+var import_os19 = __toESM(require("os"));
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -10029,14 +10216,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = import_path24.default.join(import_os18.default.homedir(), ".node9", "audit.log");
-    if (!import_fs22.default.existsSync(logPath)) {
+    const logPath = import_path25.default.join(import_os19.default.homedir(), ".node9", "audit.log");
+    if (!import_fs23.default.existsSync(logPath)) {
       console.log(
         import_chalk8.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = import_fs22.default.readFileSync(logPath, "utf-8");
+    const raw = import_fs23.default.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -10090,9 +10277,9 @@ function registerAuditCommand(program2) {
 
 // src/cli/commands/report.ts
 var import_chalk9 = __toESM(require("chalk"));
-var import_fs23 = __toESM(require("fs"));
-var import_path25 = __toESM(require("path"));
-var import_os19 = __toESM(require("os"));
+var import_fs24 = __toESM(require("fs"));
+var import_path26 = __toESM(require("path"));
+var import_os20 = __toESM(require("os"));
 var TEST_COMMAND_RE3 = /(?:^|\s)(npm\s+(?:run\s+)?test|npx\s+(?:vitest|jest|mocha)|yarn\s+(?:run\s+)?test|pnpm\s+(?:run\s+)?test|vitest|jest|mocha|pytest|py\.test|cargo\s+test|go\s+test|bundle\s+exec\s+rspec|rspec|phpunit|dotnet\s+test)\b/i;
 function buildTestTimestamps(allEntries) {
   const testTs = /* @__PURE__ */ new Set();
@@ -10139,8 +10326,8 @@ function getDateRange(period) {
   }
 }
 function parseAuditLog(logPath) {
-  if (!import_fs23.default.existsSync(logPath)) return [];
-  const raw = import_fs23.default.readFileSync(logPath, "utf-8");
+  if (!import_fs24.default.existsSync(logPath)) return [];
+  const raw = import_fs24.default.readFileSync(logPath, "utf-8");
   return raw.split("\n").flatMap((line) => {
     if (!line.trim()) return [];
     try {
@@ -10202,29 +10389,39 @@ function claudeModelPrice(model) {
   return null;
 }
 function loadClaudeCost(start, end) {
-  const projectsDir = import_path25.default.join(import_os19.default.homedir(), ".claude", "projects");
-  if (!import_fs23.default.existsSync(projectsDir)) return { total: 0, byDay: /* @__PURE__ */ new Map() };
+  const empty = {
+    total: 0,
+    byDay: /* @__PURE__ */ new Map(),
+    byModel: /* @__PURE__ */ new Map(),
+    inputTokens: 0,
+    cacheReadTokens: 0
+  };
+  const projectsDir = import_path26.default.join(import_os20.default.homedir(), ".claude", "projects");
+  if (!import_fs24.default.existsSync(projectsDir)) return empty;
   let dirs;
   try {
-    dirs = import_fs23.default.readdirSync(projectsDir);
+    dirs = import_fs24.default.readdirSync(projectsDir);
   } catch {
-    return { total: 0, byDay: /* @__PURE__ */ new Map() };
+    return empty;
   }
   let total = 0;
+  let inputTokens = 0;
+  let cacheReadTokens = 0;
   const byDay = /* @__PURE__ */ new Map();
+  const byModel = /* @__PURE__ */ new Map();
   for (const proj of dirs) {
-    const projPath = import_path25.default.join(projectsDir, proj);
+    const projPath = import_path26.default.join(projectsDir, proj);
     let files;
     try {
-      const stat = import_fs23.default.statSync(projPath);
+      const stat = import_fs24.default.statSync(projPath);
       if (!stat.isDirectory()) continue;
-      files = import_fs23.default.readdirSync(projPath).filter((f) => f.endsWith(".jsonl") && !f.startsWith("agent-"));
+      files = import_fs24.default.readdirSync(projPath).filter((f) => f.endsWith(".jsonl") && !f.startsWith("agent-"));
     } catch {
       continue;
     }
     for (const file of files) {
       try {
-        const raw = import_fs23.default.readFileSync(import_path25.default.join(projPath, file), "utf-8");
+        const raw = import_fs24.default.readFileSync(import_path26.default.join(projPath, file), "utf-8");
         for (const line of raw.split("\n")) {
           if (!line.trim()) continue;
           let entry;
@@ -10242,24 +10439,32 @@ function loadClaudeCost(start, end) {
           if (!usage || !model) continue;
           const p = claudeModelPrice(model);
           if (!p) continue;
-          const cost = (usage.input_tokens ?? 0) * p.i + (usage.output_tokens ?? 0) * p.o + (usage.cache_creation_input_tokens ?? 0) * p.cw + (usage.cache_read_input_tokens ?? 0) * p.cr;
+          const inp = usage.input_tokens ?? 0;
+          const out = usage.output_tokens ?? 0;
+          const cw = usage.cache_creation_input_tokens ?? 0;
+          const cr = usage.cache_read_input_tokens ?? 0;
+          const cost = inp * p.i + out * p.o + cw * p.cw + cr * p.cr;
           total += cost;
+          inputTokens += inp;
+          cacheReadTokens += cr;
           const dateKey = entry.timestamp.slice(0, 10);
           byDay.set(dateKey, (byDay.get(dateKey) ?? 0) + cost);
+          const normModel = model.replace(/@.*$/, "").replace(/-\d{8}$/, "");
+          byModel.set(normModel, (byModel.get(normModel) ?? 0) + cost);
         }
       } catch {
         continue;
       }
     }
   }
-  return { total, byDay };
+  return { total, byDay, byModel, inputTokens, cacheReadTokens };
 }
 function registerReportCommand(program2) {
   program2.command("report").description("Activity and security report \u2014 what Claude did, what was blocked").option("--period <period>", "today | 7d | 30d | month", "7d").option("--no-tests", "exclude test runner calls (npm test, vitest, pytest\u2026) from stats").action((options) => {
     const period = ["today", "7d", "30d", "month"].includes(
       options.period
     ) ? options.period : "7d";
-    const logPath = import_path25.default.join(import_os19.default.homedir(), ".node9", "audit.log");
+    const logPath = import_path26.default.join(import_os20.default.homedir(), ".node9", "audit.log");
     const allEntries = parseAuditLog(logPath);
     if (allEntries.length === 0) {
       console.log(
@@ -10268,7 +10473,13 @@ function registerReportCommand(program2) {
       return;
     }
     const { start, end } = getDateRange(period);
-    const { total: costUSD, byDay: costByDay } = loadClaudeCost(start, end);
+    const {
+      total: costUSD,
+      byDay: costByDay,
+      byModel: costByModel,
+      inputTokens: costInputTokens,
+      cacheReadTokens: costCacheRead
+    } = loadClaudeCost(start, end);
     const periodMs = end.getTime() - start.getTime();
     const priorEnd = new Date(start.getTime() - 1);
     const priorStart = new Date(start.getTime() - periodMs);
@@ -10370,7 +10581,6 @@ function registerReportCommand(program2) {
     const blockLabel = blocked > 0 ? import_chalk9.default.red(`\u{1F6D1} ${num(blocked)} blocked`) : import_chalk9.default.dim("\u{1F6D1} 0 blocked");
     const dlpLabel = dlpHits > 0 ? import_chalk9.default.yellow(`\u{1F6A8} ${dlpHits} DLP hits`) : import_chalk9.default.dim("\u{1F6A8} 0 DLP hits");
     const loopLabel = loopHits > 0 ? import_chalk9.default.yellow(`\u{1F504} ${loopHits} loops`) : import_chalk9.default.dim("\u{1F504} 0 loops");
-    const costLabel = costUSD > 0 ? import_chalk9.default.magenta(`\u{1F4B0} ${fmtCost(costUSD)}`) : import_chalk9.default.dim("\u{1F4B0} \u2013");
     const currentRate = total > 0 ? blocked / total : 0;
     const trendLabel = (() => {
       if (priorBlockRate === null) return import_chalk9.default.dim(`${pct(blocked, total)} block rate`);
@@ -10383,7 +10593,7 @@ function registerReportCommand(program2) {
     const ratioLabel = reads > 0 ? import_chalk9.default.dim(`edit/read ${(edits / reads).toFixed(1)}`) : import_chalk9.default.dim("edit/read \u2013");
     const testLabel = testPasses + testFails > 0 ? import_chalk9.default.dim("tests ") + import_chalk9.default.green(`${testPasses}\u2713`) + (testFails > 0 ? " " + import_chalk9.default.red(`${testFails}\u2717`) : "") : import_chalk9.default.dim("tests \u2013");
     console.log(
-      "  " + import_chalk9.default.green(`\u2705 ${num(allowed)} allowed`) + "   " + blockLabel + "   " + dlpLabel + "   " + loopLabel + "   " + trendLabel + "   " + costLabel
+      "  " + import_chalk9.default.green(`\u2705 ${num(allowed)} allowed`) + "   " + blockLabel + "   " + dlpLabel + "   " + loopLabel + "   " + trendLabel
     );
     console.log("  " + ratioLabel + "   " + testLabel);
     console.log("");
@@ -10468,6 +10678,30 @@ function registerReportCommand(program2) {
         );
       }
     }
+    if (costUSD > 0) {
+      const periodDays = Math.max(1, Math.ceil((end.getTime() - start.getTime()) / 864e5));
+      const avgPerDay = costUSD / periodDays;
+      const cacheHitPct = costInputTokens + costCacheRead > 0 ? Math.round(costCacheRead / (costInputTokens + costCacheRead) * 100) : 0;
+      const costHeaderRight = [
+        import_chalk9.default.yellow(fmtCost(costUSD)),
+        import_chalk9.default.dim(`avg ${fmtCost(avgPerDay)}/day`),
+        cacheHitPct > 0 ? import_chalk9.default.dim(`${cacheHitPct}% cache hit`) : null
+      ].filter(Boolean).join(import_chalk9.default.dim("  \xB7  "));
+      console.log("");
+      console.log("  " + import_chalk9.default.bold("Cost") + "  " + costHeaderRight);
+      console.log("  " + import_chalk9.default.dim("\u2500".repeat(Math.min(50, W - 4))));
+      const modelList = [...costByModel.entries()].sort((a, b) => b[1] - a[1]);
+      const maxModelCost = Math.max(...modelList.map(([, v]) => v), 1e-9);
+      const MODEL_LABEL = 22;
+      const MODEL_BAR = Math.max(6, Math.min(20, W - MODEL_LABEL - 12));
+      for (const [model, cost] of modelList) {
+        const label = model.length > MODEL_LABEL - 1 ? model.slice(0, MODEL_LABEL - 2) + "\u2026" : model;
+        const b = colorBar(cost, maxModelCost, MODEL_BAR);
+        console.log(
+          "  " + import_chalk9.default.white(label.padEnd(MODEL_LABEL)) + b + "  " + import_chalk9.default.yellow(fmtCost(cost))
+        );
+      }
+    }
     console.log("");
     console.log(
       "  " + import_chalk9.default.dim("node9 audit --deny") + import_chalk9.default.dim("  \xB7  ") + import_chalk9.default.dim("node9 report --period today|7d|30d|month  --no-tests")
@@ -10542,14 +10776,14 @@ function registerDaemonCommand(program2) {
 
 // src/cli/commands/status.ts
 var import_chalk11 = __toESM(require("chalk"));
-var import_fs24 = __toESM(require("fs"));
-var import_path26 = __toESM(require("path"));
-var import_os20 = __toESM(require("os"));
+var import_fs25 = __toESM(require("fs"));
+var import_path27 = __toESM(require("path"));
+var import_os21 = __toESM(require("os"));
 init_core();
 init_daemon();
 function readJson2(filePath) {
   try {
-    if (import_fs24.default.existsSync(filePath)) return JSON.parse(import_fs24.default.readFileSync(filePath, "utf-8"));
+    if (import_fs25.default.existsSync(filePath)) return JSON.parse(import_fs25.default.readFileSync(filePath, "utf-8"));
   } catch {
   }
   return null;
@@ -10614,28 +10848,28 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? import_chalk11.default.blue("audit") : settings.mode === "strict" ? import_chalk11.default.red("strict") : import_chalk11.default.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = import_path26.default.join(process.cwd(), "node9.config.json");
-    const globalConfig = import_path26.default.join(import_os20.default.homedir(), ".node9", "config.json");
+    const projectConfig = import_path27.default.join(process.cwd(), "node9.config.json");
+    const globalConfig = import_path27.default.join(import_os21.default.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${import_fs24.default.existsSync(projectConfig) ? import_chalk11.default.green("Active (node9.config.json)") : import_chalk11.default.gray("Not present")}`
+      `  Local:   ${import_fs25.default.existsSync(projectConfig) ? import_chalk11.default.green("Active (node9.config.json)") : import_chalk11.default.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${import_fs24.default.existsSync(globalConfig) ? import_chalk11.default.green("Active (~/.node9/config.json)") : import_chalk11.default.gray("Not present")}`
+      `  Global:  ${import_fs25.default.existsSync(globalConfig) ? import_chalk11.default.green("Active (~/.node9/config.json)") : import_chalk11.default.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
         `  Sandbox: ${import_chalk11.default.green(`${mergedConfig.policy.sandboxPaths.length} safe zones active`)}`
       );
     }
-    const homeDir2 = import_os20.default.homedir();
+    const homeDir2 = import_os21.default.homedir();
     const claudeSettings = readJson2(
-      import_path26.default.join(homeDir2, ".claude", "settings.json")
+      import_path27.default.join(homeDir2, ".claude", "settings.json")
     );
-    const claudeConfig = readJson2(import_path26.default.join(homeDir2, ".claude.json"));
+    const claudeConfig = readJson2(import_path27.default.join(homeDir2, ".claude.json"));
     const geminiSettings = readJson2(
-      import_path26.default.join(homeDir2, ".gemini", "settings.json")
+      import_path27.default.join(homeDir2, ".gemini", "settings.json")
     );
-    const cursorConfig = readJson2(import_path26.default.join(homeDir2, ".cursor", "mcp.json"));
+    const cursorConfig = readJson2(import_path27.default.join(homeDir2, ".cursor", "mcp.json"));
     const agentFound = claudeSettings || claudeConfig || geminiSettings || cursorConfig;
     if (agentFound) {
       console.log("");
@@ -10694,9 +10928,9 @@ function registerStatusCommand(program2) {
 
 // src/cli/commands/init.ts
 var import_chalk12 = __toESM(require("chalk"));
-var import_fs25 = __toESM(require("fs"));
-var import_path27 = __toESM(require("path"));
-var import_os21 = __toESM(require("os"));
+var import_fs26 = __toESM(require("fs"));
+var import_path28 = __toESM(require("path"));
+var import_os22 = __toESM(require("os"));
 var import_https2 = __toESM(require("https"));
 init_core();
 init_shields();
@@ -10756,15 +10990,15 @@ function registerInitCommand(program2) {
       }
       console.log("");
     }
-    const configPath = import_path27.default.join(import_os21.default.homedir(), ".node9", "config.json");
-    if (import_fs25.default.existsSync(configPath) && !options.force) {
+    const configPath = import_path28.default.join(import_os22.default.homedir(), ".node9", "config.json");
+    if (import_fs26.default.existsSync(configPath) && !options.force) {
       try {
-        const existing = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
+        const existing = JSON.parse(import_fs26.default.readFileSync(configPath, "utf-8"));
         const settings = existing.settings ?? {};
         if (settings.mode !== chosenMode) {
           settings.mode = chosenMode;
           existing.settings = settings;
-          import_fs25.default.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+          import_fs26.default.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
           console.log(import_chalk12.default.green(`\u2705 Mode updated: ${chosenMode}`));
         } else {
           console.log(import_chalk12.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
@@ -10777,9 +11011,9 @@ function registerInitCommand(program2) {
         ...DEFAULT_CONFIG,
         settings: { ...DEFAULT_CONFIG.settings, mode: chosenMode }
       };
-      const dir = import_path27.default.dirname(configPath);
-      if (!import_fs25.default.existsSync(dir)) import_fs25.default.mkdirSync(dir, { recursive: true });
-      import_fs25.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2) + "\n");
+      const dir = import_path28.default.dirname(configPath);
+      if (!import_fs26.default.existsSync(dir)) import_fs26.default.mkdirSync(dir, { recursive: true });
+      import_fs26.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2) + "\n");
       console.log(import_chalk12.default.green(`\u2705 Config created: ${configPath}`));
       console.log(import_chalk12.default.gray(`   Mode: ${chosenMode}`));
     }
@@ -10833,7 +11067,7 @@ function registerInitCommand(program2) {
 }
 
 // src/cli/commands/undo.ts
-var import_path28 = __toESM(require("path"));
+var import_path29 = __toESM(require("path"));
 var import_chalk14 = __toESM(require("chalk"));
 
 // src/tui/undo-navigator.ts
@@ -10992,7 +11226,7 @@ function findMatchingCwd(startDir, history) {
   let dir = startDir;
   while (true) {
     if (cwds.has(dir)) return dir;
-    const parent = import_path28.default.dirname(dir);
+    const parent = import_path29.default.dirname(dir);
     if (parent === dir) return null;
     dir = parent;
   }
@@ -11188,12 +11422,12 @@ init_orchestrator();
 init_provenance();
 
 // src/mcp-pin.ts
-var import_fs26 = __toESM(require("fs"));
-var import_path29 = __toESM(require("path"));
-var import_os22 = __toESM(require("os"));
+var import_fs27 = __toESM(require("fs"));
+var import_path30 = __toESM(require("path"));
+var import_os23 = __toESM(require("os"));
 var import_crypto9 = __toESM(require("crypto"));
 function getPinsFilePath() {
-  return import_path29.default.join(import_os22.default.homedir(), ".node9", "mcp-pins.json");
+  return import_path30.default.join(import_os23.default.homedir(), ".node9", "mcp-pins.json");
 }
 function hashToolDefinitions(tools) {
   const sorted = [...tools].sort((a, b) => {
@@ -11210,7 +11444,7 @@ function getServerKey(upstreamCommand) {
 function readMcpPinsSafe() {
   const filePath = getPinsFilePath();
   try {
-    const raw = import_fs26.default.readFileSync(filePath, "utf-8");
+    const raw = import_fs27.default.readFileSync(filePath, "utf-8");
     if (!raw.trim()) {
       return { ok: false, reason: "corrupt", detail: "empty file" };
     }
@@ -11234,10 +11468,10 @@ function readMcpPins() {
 }
 function writeMcpPins(data) {
   const filePath = getPinsFilePath();
-  import_fs26.default.mkdirSync(import_path29.default.dirname(filePath), { recursive: true });
+  import_fs27.default.mkdirSync(import_path30.default.dirname(filePath), { recursive: true });
   const tmp = `${filePath}.${import_crypto9.default.randomBytes(6).toString("hex")}.tmp`;
-  import_fs26.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
-  import_fs26.default.renameSync(tmp, filePath);
+  import_fs27.default.writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 384 });
+  import_fs27.default.renameSync(tmp, filePath);
 }
 function checkPin(serverKey, currentHash) {
   const result = readMcpPinsSafe();
@@ -11609,9 +11843,9 @@ function registerMcpGatewayCommand(program2) {
 
 // src/mcp-server/index.ts
 var import_readline4 = __toESM(require("readline"));
-var import_fs27 = __toESM(require("fs"));
-var import_os23 = __toESM(require("os"));
-var import_path30 = __toESM(require("path"));
+var import_fs28 = __toESM(require("fs"));
+var import_os24 = __toESM(require("os"));
+var import_path31 = __toESM(require("path"));
 init_core();
 init_daemon();
 init_shields();
@@ -11786,13 +12020,13 @@ function handleStatus() {
   lines.push(`Active shields: ${activeShields.length > 0 ? activeShields.join(", ") : "none"}`);
   lines.push(`Smart rules: ${config.policy.smartRules.length} loaded`);
   lines.push(`DLP: ${config.policy.dlp?.enabled !== false ? "enabled" : "disabled"}`);
-  const projectConfig = import_path30.default.join(process.cwd(), "node9.config.json");
-  const globalConfig = import_path30.default.join(import_os23.default.homedir(), ".node9", "config.json");
+  const projectConfig = import_path31.default.join(process.cwd(), "node9.config.json");
+  const globalConfig = import_path31.default.join(import_os24.default.homedir(), ".node9", "config.json");
   lines.push(
-    `Project config (node9.config.json): ${import_fs27.default.existsSync(projectConfig) ? "present" : "not found"}`
+    `Project config (node9.config.json): ${import_fs28.default.existsSync(projectConfig) ? "present" : "not found"}`
   );
   lines.push(
-    `Global config (~/.node9/config.json): ${import_fs27.default.existsSync(globalConfig) ? "present" : "not found"}`
+    `Global config (~/.node9/config.json): ${import_fs28.default.existsSync(globalConfig) ? "present" : "not found"}`
   );
   return lines.join("\n");
 }
@@ -11866,21 +12100,21 @@ function handleShieldDisable(args) {
   writeActiveShields(active.filter((s) => s !== name));
   return `Shield "${name}" disabled.`;
 }
-var GLOBAL_CONFIG_PATH2 = import_path30.default.join(import_os23.default.homedir(), ".node9", "config.json");
+var GLOBAL_CONFIG_PATH2 = import_path31.default.join(import_os24.default.homedir(), ".node9", "config.json");
 var APPROVER_CHANNELS = ["native", "browser", "cloud", "terminal"];
 function readGlobalConfigRaw() {
   try {
-    if (import_fs27.default.existsSync(GLOBAL_CONFIG_PATH2)) {
-      return JSON.parse(import_fs27.default.readFileSync(GLOBAL_CONFIG_PATH2, "utf-8"));
+    if (import_fs28.default.existsSync(GLOBAL_CONFIG_PATH2)) {
+      return JSON.parse(import_fs28.default.readFileSync(GLOBAL_CONFIG_PATH2, "utf-8"));
     }
   } catch {
   }
   return {};
 }
 function writeGlobalConfigRaw(data) {
-  const dir = import_path30.default.dirname(GLOBAL_CONFIG_PATH2);
-  if (!import_fs27.default.existsSync(dir)) import_fs27.default.mkdirSync(dir, { recursive: true });
-  import_fs27.default.writeFileSync(GLOBAL_CONFIG_PATH2, JSON.stringify(data, null, 2) + "\n");
+  const dir = import_path31.default.dirname(GLOBAL_CONFIG_PATH2);
+  if (!import_fs28.default.existsSync(dir)) import_fs28.default.mkdirSync(dir, { recursive: true });
+  import_fs28.default.writeFileSync(GLOBAL_CONFIG_PATH2, JSON.stringify(data, null, 2) + "\n");
 }
 function handleApproverList() {
   const config = getConfig();
@@ -11923,9 +12157,9 @@ function handleApproverSet(args) {
 }
 function handleAuditGet(args) {
   const limit = Math.min(typeof args.limit === "number" ? args.limit : 20, 100);
-  const auditPath = import_path30.default.join(import_os23.default.homedir(), ".node9", "audit.log");
-  if (!import_fs27.default.existsSync(auditPath)) return "No audit log found.";
-  const lines = import_fs27.default.readFileSync(auditPath, "utf-8").trim().split("\n").filter(Boolean);
+  const auditPath = import_path31.default.join(import_os24.default.homedir(), ".node9", "audit.log");
+  if (!import_fs28.default.existsSync(auditPath)) return "No audit log found.";
+  const lines = import_fs28.default.readFileSync(auditPath, "utf-8").trim().split("\n").filter(Boolean);
   const recent = lines.slice(-limit);
   const entries = recent.map((line) => {
     try {
@@ -12245,20 +12479,20 @@ function registerMcpPinCommand(program2) {
 
 // src/cli.ts
 var { version } = JSON.parse(
-  import_fs30.default.readFileSync(import_path33.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs31.default.readFileSync(import_path34.default.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new import_commander.Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path33.default.join(import_os26.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs30.default.existsSync(import_path33.default.dirname(credPath)))
-    import_fs30.default.mkdirSync(import_path33.default.dirname(credPath), { recursive: true });
+  const credPath = import_path34.default.join(import_os27.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs31.default.existsSync(import_path34.default.dirname(credPath)))
+    import_fs31.default.mkdirSync(import_path34.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (import_fs30.default.existsSync(credPath)) {
-      const raw = JSON.parse(import_fs30.default.readFileSync(credPath, "utf-8"));
+    if (import_fs31.default.existsSync(credPath)) {
+      const raw = JSON.parse(import_fs31.default.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -12270,13 +12504,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  import_fs30.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  import_fs31.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path33.default.join(import_os26.default.homedir(), ".node9", "config.json");
+    const configPath = import_path34.default.join(import_os27.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (import_fs30.default.existsSync(configPath))
-        config = JSON.parse(import_fs30.default.readFileSync(configPath, "utf-8"));
+      if (import_fs31.default.existsSync(configPath))
+        config = JSON.parse(import_fs31.default.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -12291,9 +12525,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!import_fs30.default.existsSync(import_path33.default.dirname(configPath)))
-      import_fs30.default.mkdirSync(import_path33.default.dirname(configPath), { recursive: true });
-    import_fs30.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!import_fs31.default.existsSync(import_path34.default.dirname(configPath)))
+      import_fs31.default.mkdirSync(import_path34.default.dirname(configPath), { recursive: true });
+    import_fs31.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(import_chalk20.default.green(`\u2705 Profile "${profileName}" saved`));
@@ -12387,15 +12621,15 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     }
   }
   if (options.purge) {
-    const node9Dir = import_path33.default.join(import_os26.default.homedir(), ".node9");
-    if (import_fs30.default.existsSync(node9Dir)) {
+    const node9Dir = import_path34.default.join(import_os27.default.homedir(), ".node9");
+    if (import_fs31.default.existsSync(node9Dir)) {
       const confirmed = await (0, import_prompts2.confirm)({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        import_fs30.default.rmSync(node9Dir, { recursive: true });
-        if (import_fs30.default.existsSync(node9Dir)) {
+        import_fs31.default.rmSync(node9Dir, { recursive: true });
+        if (import_fs31.default.existsSync(node9Dir)) {
           console.error(
             import_chalk20.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
@@ -12536,14 +12770,14 @@ Claude Code spawns this command every ~300ms and writes a JSON payload to stdin.
 Run "node9 addto claude" to register it as the statusLine.`
 ).argument("[subcommand]", 'Optional: "debug on" / "debug off" to toggle stdin logging').argument("[state]", 'on|off \u2014 used with "debug" subcommand').action(async (subcommand, state) => {
   if (subcommand === "debug") {
-    const flagFile = import_path33.default.join(import_os26.default.homedir(), ".node9", "hud-debug");
+    const flagFile = import_path34.default.join(import_os27.default.homedir(), ".node9", "hud-debug");
     if (state === "on") {
-      import_fs30.default.mkdirSync(import_path33.default.dirname(flagFile), { recursive: true });
-      import_fs30.default.writeFileSync(flagFile, "");
+      import_fs31.default.mkdirSync(import_path34.default.dirname(flagFile), { recursive: true });
+      import_fs31.default.writeFileSync(flagFile, "");
       console.log("HUD debug logging enabled \u2192 ~/.node9/hud-debug.log");
       console.log("Tail it with: tail -f ~/.node9/hud-debug.log");
     } else if (state === "off") {
-      if (import_fs30.default.existsSync(flagFile)) import_fs30.default.unlinkSync(flagFile);
+      if (import_fs31.default.existsSync(flagFile)) import_fs31.default.unlinkSync(flagFile);
       console.log("HUD debug logging disabled.");
     } else {
       console.error("Usage: node9 hud debug on|off");
@@ -12650,9 +12884,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = import_path33.default.join(import_os26.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path34.default.join(import_os27.default.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        import_fs30.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        import_fs31.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);