@node9/proxy 1.10.3 → 1.11.1

package/dist/index.js

@@ -261,6 +261,11 @@ var ConfigFileSchema = import_zod.z.object({
       enabled: import_zod.z.boolean().optional(),
       threshold: import_zod.z.number().min(2).optional(),
       windowSeconds: import_zod.z.number().min(10).optional()
+    }).optional(),
+    skillPinning: import_zod.z.object({
+      enabled: import_zod.z.boolean().optional(),
+      mode: import_zod.z.enum(["warn", "block"]).optional(),
+      roots: import_zod.z.array(import_zod.z.string()).optional()
     }).optional()
   }).optional(),
   environments: import_zod.z.record(import_zod.z.object({ requireApproval: import_zod.z.boolean().optional() })).optional()
@@ -498,9 +503,8 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            // Require the recursive flag to be preceded by whitespace so that
-            // filenames containing "-r" (e.g. "ai-review.yml") don't false-positive.
-            value: "rm\\b.*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
+            // Anchor rm as a shell command (not inside a string arg like a git commit message).
+            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
           },
           {
             field: "command",
@@ -529,6 +533,13 @@ var DEFAULT_CONFIG = {
         name: "review-drop-truncate-shell",
         tool: "bash",
         conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
+            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
+            flags: "i"
+          },
           {
             field: "command",
             op: "matches",
@@ -549,7 +560,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "\\bgit\\b.*\\bpush\\b.*(--force|--force-with-lease|-f\\b)",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git push --force" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
             flags: "i"
           }
         ],
@@ -559,29 +572,20 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
       },
       {
-        name: "review-git-push",
+        name: "review-git-destructive",
         tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "\\bgit\\b.*\\bpush\\b(?!.*(-f\\b|--force|--force-with-lease))",
+            value: "\\bgit\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
             flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "git push sends changes to a shared remote",
-        description: "The AI wants to push commits to a remote repository. Once pushed, those changes are visible to everyone with access."
-      },
-      {
-        name: "review-git-destructive",
-        tool: "bash",
-        conditions: [
+          },
           {
             field: "command",
-            op: "matches",
-            value: "\\bgit\\b.*(reset\\s+--hard|clean\\s+-[fdxX]|\\brebase\\b|tag\\s+-d|branch\\s+-[dD])",
+            op: "notMatches",
+            // Exclude recovery ops — these resolve a conflict, not start a destructive action.
+            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip)\\b",
             flags: "i"
           }
         ],
@@ -607,7 +611,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            // Anchor curl/wget as a shell command so node -e scripts testing this
+            // regex pattern don't self-match as a false positive.
+            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
             flags: "i"
           }
         ],
@@ -618,7 +624,8 @@ var DEFAULT_CONFIG = {
       }
     ],
     dlp: { enabled: true, scanIgnoredTools: true },
-    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 }
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
+    skillPinning: { enabled: false, mode: "warn", roots: [] }
   },
   environments: {}
 };
@@ -741,7 +748,11 @@ function getConfig(cwd) {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
     dlp: { ...DEFAULT_CONFIG.policy.dlp },
-    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection }
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
+    skillPinning: {
+      ...DEFAULT_CONFIG.policy.skillPinning,
+      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
+    }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -794,6 +805,16 @@ function getConfig(cwd) {
       if (ld.windowSeconds !== void 0)
         mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
     }
+    if (p.skillPinning && typeof p.skillPinning === "object") {
+      const sp = p.skillPinning;
+      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
+      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
+      if (Array.isArray(sp.roots)) {
+        for (const r of sp.roots) {
+          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
+        }
+      }
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -845,6 +866,7 @@ function getConfig(cwd) {
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
   mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
   mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
   mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
   mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
@@ -992,7 +1014,7 @@ var DLP_PATTERNS = [
     regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
     severity: "block"
   },
-  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i, severity: "review" }
 ];
 var SENSITIVE_PATH_PATTERNS = [
   /[/\\]\.ssh[/\\]/i,
@@ -1582,12 +1604,25 @@ function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
   return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function stripStringArguments(cmd) {
+  let result = cmd;
+  result = result.replace(
+    /\b(node|python3?|ruby|perl|php|deno)\s+(-[ecr]|eval)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/gi,
+    '$1 $2 ""'
+  );
+  result = result.replace(
+    /\s(-m|--message|--body|--title|--description)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/g,
+    ' $1 ""'
+  );
+  return result;
+}
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
   const mode = rule.conditionMode ?? "all";
   const results = rule.conditions.map((cond) => {
     const rawVal = getNestedValue(args, cond.field);
-    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const val = cond.field === "command" && normalized !== null ? stripStringArguments(normalized) : normalized;
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1890,6 +1925,15 @@ var import_path9 = __toESM(require("path"));
 var import_os6 = __toESM(require("os"));
 var PAUSED_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "PAUSED");
 var TRUST_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "trust.json");
+function extractCommandPattern(toolName, args) {
+  const lower = toolName.toLowerCase();
+  if (lower !== "bash" && lower !== "execute_bash" && lower !== "shell") return void 0;
+  const a = args;
+  const cmd = typeof a?.["command"] === "string" ? a["command"].trim() : "";
+  if (!cmd) return void 0;
+  const words = cmd.split(/\s+/);
+  return words.slice(0, 2).join(" ");
+}
 function checkPause() {
   try {
     if (!import_fs7.default.existsSync(PAUSED_FILE)) return { paused: false };
@@ -1913,7 +1957,7 @@ function atomicWriteSync(filePath, data, options) {
   import_fs7.default.writeFileSync(tmpPath, data, options);
   import_fs7.default.renameSync(tmpPath, filePath);
 }
-function getActiveTrustSession(toolName) {
+function getActiveTrustSession(toolName, args) {
   try {
     if (!import_fs7.default.existsSync(TRUST_FILE)) return false;
     const trust = JSON.parse(import_fs7.default.readFileSync(TRUST_FILE, "utf-8"));
@@ -1922,12 +1966,20 @@ function getActiveTrustSession(toolName) {
     if (active.length !== trust.entries.length) {
       import_fs7.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
-    return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
+    return active.some((e) => {
+      if (!(e.tool === toolName || matchesPattern(toolName, e.tool))) return false;
+      if (e.commandPattern) {
+        const actual = extractCommandPattern(toolName, args) ?? "";
+        return actual === e.commandPattern || actual.startsWith(e.commandPattern + " ");
+      }
+      return true;
+    });
   } catch {
     return false;
   }
 }
-function writeTrustSession(toolName, durationMs) {
+function writeTrustSession(toolName, durationMs, args) {
+  const commandPattern = extractCommandPattern(toolName, args);
   try {
     let trust = { entries: [] };
     try {
@@ -1937,8 +1989,14 @@ function writeTrustSession(toolName, durationMs) {
     } catch {
     }
     const now = Date.now();
-    trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > now);
-    trust.entries.push({ tool: toolName, expiry: now + durationMs });
+    trust.entries = trust.entries.filter(
+      (e) => !(e.tool === toolName && e.commandPattern === commandPattern) && e.expiry > now
+    );
+    trust.entries.push({
+      tool: toolName,
+      ...commandPattern && { commandPattern },
+      expiry: now + durationMs
+    });
     atomicWriteSync(TRUST_FILE, JSON.stringify(trust, null, 2));
   } catch (err) {
     if (process.env.NODE9_DEBUG === "1") {
@@ -2369,7 +2427,8 @@ function escapePango(text) {
 function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
-  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  const safeAgent = (agent ?? "AI Agent").replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80);
+  lines.push(`\u{1F916} ${safeAgent}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
   if (ruleDescription) lines.push(`\u2139  ${ruleDescription}`);
   lines.push("");
@@ -2746,7 +2805,16 @@ async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
     const actId = (0, import_crypto3.randomUUID)();
     const actTs = Date.now();
-    await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
+    await notifyActivity({
+      id: actId,
+      ts: actTs,
+      tool: toolName,
+      args,
+      status: "pending",
+      // Strip ANSI escape sequences — agent name comes from caller-supplied metadata
+      // and may be displayed in a terminal (node9 tail/watch), enabling injection.
+      agent: meta?.agent ? meta.agent.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80) : void 0
+    });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
       ...options,
       activityId: actId
@@ -2900,12 +2968,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    if (getActiveTrustSession(toolName)) {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
-      return { approved: true, checkedBy: "trust" };
-    }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
@@ -2987,6 +3049,12 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (!taintWarning && getActiveTrustSession(toolName, args)) {
+    if (approvers.cloud && creds?.apiKey)
+      await auditLocalAllow(toolName, args, "trust", creds, meta);
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
+    return { approved: true, checkedBy: "trust" };
+  }
   if (taintWarning) {
     explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
     riskMetadata = computeRiskMetadata(
@@ -3119,7 +3187,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata?.ruleDescription
         );
         if (decision === "always_allow") {
-          writeTrustSession(toolName, 36e5);
+          writeTrustSession(toolName, 36e5, args);
           return { approved: true, checkedBy: "trust" };
         }
         const isApproved = decision === "allow";

package/dist/index.mjs

@@ -231,6 +231,11 @@ var ConfigFileSchema = z.object({
       enabled: z.boolean().optional(),
       threshold: z.number().min(2).optional(),
       windowSeconds: z.number().min(10).optional()
+    }).optional(),
+    skillPinning: z.object({
+      enabled: z.boolean().optional(),
+      mode: z.enum(["warn", "block"]).optional(),
+      roots: z.array(z.string()).optional()
     }).optional()
   }).optional(),
   environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
@@ -468,9 +473,8 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            // Require the recursive flag to be preceded by whitespace so that
-            // filenames containing "-r" (e.g. "ai-review.yml") don't false-positive.
-            value: "rm\\b.*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
+            // Anchor rm as a shell command (not inside a string arg like a git commit message).
+            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
           },
           {
             field: "command",
@@ -499,6 +503,13 @@ var DEFAULT_CONFIG = {
         name: "review-drop-truncate-shell",
         tool: "bash",
         conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
+            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
+            flags: "i"
+          },
           {
             field: "command",
             op: "matches",
@@ -519,7 +530,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "\\bgit\\b.*\\bpush\\b.*(--force|--force-with-lease|-f\\b)",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git push --force" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
             flags: "i"
           }
         ],
@@ -529,29 +542,20 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
       },
       {
-        name: "review-git-push",
+        name: "review-git-destructive",
         tool: "bash",
         conditions: [
           {
             field: "command",
             op: "matches",
-            value: "\\bgit\\b.*\\bpush\\b(?!.*(-f\\b|--force|--force-with-lease))",
+            value: "\\bgit\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
             flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "git push sends changes to a shared remote",
-        description: "The AI wants to push commits to a remote repository. Once pushed, those changes are visible to everyone with access."
-      },
-      {
-        name: "review-git-destructive",
-        tool: "bash",
-        conditions: [
+          },
           {
             field: "command",
-            op: "matches",
-            value: "\\bgit\\b.*(reset\\s+--hard|clean\\s+-[fdxX]|\\brebase\\b|tag\\s+-d|branch\\s+-[dD])",
+            op: "notMatches",
+            // Exclude recovery ops — these resolve a conflict, not start a destructive action.
+            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip)\\b",
             flags: "i"
           }
         ],
@@ -577,7 +581,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            // Anchor curl/wget as a shell command so node -e scripts testing this
+            // regex pattern don't self-match as a false positive.
+            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
             flags: "i"
           }
         ],
@@ -588,7 +594,8 @@ var DEFAULT_CONFIG = {
       }
     ],
     dlp: { enabled: true, scanIgnoredTools: true },
-    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 }
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
+    skillPinning: { enabled: false, mode: "warn", roots: [] }
   },
   environments: {}
 };
@@ -711,7 +718,11 @@ function getConfig(cwd) {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
     dlp: { ...DEFAULT_CONFIG.policy.dlp },
-    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection }
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
+    skillPinning: {
+      ...DEFAULT_CONFIG.policy.skillPinning,
+      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
+    }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -764,6 +775,16 @@ function getConfig(cwd) {
       if (ld.windowSeconds !== void 0)
         mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
     }
+    if (p.skillPinning && typeof p.skillPinning === "object") {
+      const sp = p.skillPinning;
+      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
+      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
+      if (Array.isArray(sp.roots)) {
+        for (const r of sp.roots) {
+          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
+        }
+      }
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -815,6 +836,7 @@ function getConfig(cwd) {
   mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
   mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
   mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
   mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
   mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
   mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
@@ -962,7 +984,7 @@ var DLP_PATTERNS = [
     regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
     severity: "block"
   },
-  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
+  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i, severity: "review" }
 ];
 var SENSITIVE_PATH_PATTERNS = [
   /[/\\]\.ssh[/\\]/i,
@@ -1552,12 +1574,25 @@ function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
   return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
+function stripStringArguments(cmd) {
+  let result = cmd;
+  result = result.replace(
+    /\b(node|python3?|ruby|perl|php|deno)\s+(-[ecr]|eval)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/gi,
+    '$1 $2 ""'
+  );
+  result = result.replace(
+    /\s(-m|--message|--body|--title|--description)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/g,
+    ' $1 ""'
+  );
+  return result;
+}
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
   const mode = rule.conditionMode ?? "all";
   const results = rule.conditions.map((cond) => {
     const rawVal = getNestedValue(args, cond.field);
-    const val = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const val = cond.field === "command" && normalized !== null ? stripStringArguments(normalized) : normalized;
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1860,6 +1895,15 @@ import path9 from "path";
 import os6 from "os";
 var PAUSED_FILE = path9.join(os6.homedir(), ".node9", "PAUSED");
 var TRUST_FILE = path9.join(os6.homedir(), ".node9", "trust.json");
+function extractCommandPattern(toolName, args) {
+  const lower = toolName.toLowerCase();
+  if (lower !== "bash" && lower !== "execute_bash" && lower !== "shell") return void 0;
+  const a = args;
+  const cmd = typeof a?.["command"] === "string" ? a["command"].trim() : "";
+  if (!cmd) return void 0;
+  const words = cmd.split(/\s+/);
+  return words.slice(0, 2).join(" ");
+}
 function checkPause() {
   try {
     if (!fs7.existsSync(PAUSED_FILE)) return { paused: false };
@@ -1883,7 +1927,7 @@ function atomicWriteSync(filePath, data, options) {
   fs7.writeFileSync(tmpPath, data, options);
   fs7.renameSync(tmpPath, filePath);
 }
-function getActiveTrustSession(toolName) {
+function getActiveTrustSession(toolName, args) {
   try {
     if (!fs7.existsSync(TRUST_FILE)) return false;
     const trust = JSON.parse(fs7.readFileSync(TRUST_FILE, "utf-8"));
@@ -1892,12 +1936,20 @@ function getActiveTrustSession(toolName) {
     if (active.length !== trust.entries.length) {
       fs7.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
-    return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
+    return active.some((e) => {
+      if (!(e.tool === toolName || matchesPattern(toolName, e.tool))) return false;
+      if (e.commandPattern) {
+        const actual = extractCommandPattern(toolName, args) ?? "";
+        return actual === e.commandPattern || actual.startsWith(e.commandPattern + " ");
+      }
+      return true;
+    });
   } catch {
     return false;
   }
 }
-function writeTrustSession(toolName, durationMs) {
+function writeTrustSession(toolName, durationMs, args) {
+  const commandPattern = extractCommandPattern(toolName, args);
   try {
     let trust = { entries: [] };
     try {
@@ -1907,8 +1959,14 @@ function writeTrustSession(toolName, durationMs) {
     } catch {
     }
     const now = Date.now();
-    trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > now);
-    trust.entries.push({ tool: toolName, expiry: now + durationMs });
+    trust.entries = trust.entries.filter(
+      (e) => !(e.tool === toolName && e.commandPattern === commandPattern) && e.expiry > now
+    );
+    trust.entries.push({
+      tool: toolName,
+      ...commandPattern && { commandPattern },
+      expiry: now + durationMs
+    });
     atomicWriteSync(TRUST_FILE, JSON.stringify(trust, null, 2));
   } catch (err) {
     if (process.env.NODE9_DEBUG === "1") {
@@ -2339,7 +2397,8 @@ function escapePango(text) {
 function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
-  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  const safeAgent = (agent ?? "AI Agent").replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80);
+  lines.push(`\u{1F916} ${safeAgent}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
   if (ruleDescription) lines.push(`\u2139  ${ruleDescription}`);
   lines.push("");
@@ -2716,7 +2775,16 @@ async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
     const actId = randomUUID();
     const actTs = Date.now();
-    await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
+    await notifyActivity({
+      id: actId,
+      ts: actTs,
+      tool: toolName,
+      args,
+      status: "pending",
+      // Strip ANSI escape sequences — agent name comes from caller-supplied metadata
+      // and may be displayed in a terminal (node9 tail/watch), enabling injection.
+      agent: meta?.agent ? meta.agent.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80) : void 0
+    });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
       ...options,
       activityId: actId
@@ -2870,12 +2938,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    if (getActiveTrustSession(toolName)) {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
-      return { approved: true, checkedBy: "trust" };
-    }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
@@ -2957,6 +3019,12 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (!taintWarning && getActiveTrustSession(toolName, args)) {
+    if (approvers.cloud && creds?.apiKey)
+      await auditLocalAllow(toolName, args, "trust", creds, meta);
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
+    return { approved: true, checkedBy: "trust" };
+  }
   if (taintWarning) {
     explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
     riskMetadata = computeRiskMetadata(
@@ -3089,7 +3157,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata?.ruleDescription
         );
         if (decision === "always_allow") {
-          writeTrustSession(toolName, 36e5);
+          writeTrustSession(toolName, 36e5, args);
           return { approved: true, checkedBy: "trust" };
         }
         const isApproved = decision === "allow";

package/dist/shields/builtin/bash-safe.json

@@ -10,7 +10,7 @@
         {
           "field": "command",
           "op": "matches",
-          "value": "(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
+          "value": "(^|&&|\\|\\||;)\\s*(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
           "flags": "i"
         }
       ],
@@ -24,7 +24,7 @@
         {
           "field": "command",
           "op": "matches",
-          "value": "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+          "value": "\\bbase64\\s+(-d|--decode)[^|;&]*\\|\\s*(bash|sh|zsh)",
           "flags": "i"
         }
       ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.10.3",
+  "version": "1.11.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",