@node9/proxy 1.11.2 → 1.11.4

package/dist/index.js

@@ -116,7 +116,7 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
-  const testRun = isTestCall(toolName, args) ? { testRun: true } : {};
+  const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
@@ -447,7 +447,7 @@ var DEFAULT_CONFIG = {
     // 120-second auto-deny timeout
     flightRecorder: true,
     auditHashArgs: true,
-    approvers: { native: true, browser: true, cloud: false, terminal: true },
+    approvers: { native: true, browser: false, cloud: false, terminal: true },
     cloudSyncIntervalHours: 5
   },
   policy: {
@@ -554,7 +554,7 @@ var DEFAULT_CONFIG = {
       },
       // ── Git safety ────────────────────────────────────────────────────────
       {
-        name: "block-force-push",
+        name: "review-force-push",
         tool: "bash",
         conditions: [
           {
@@ -567,8 +567,8 @@ var DEFAULT_CONFIG = {
           }
         ],
         conditionMode: "all",
-        verdict: "block",
-        reason: "Force push overwrites remote history and cannot be undone",
+        verdict: "review",
+        reason: "Force push rewrites remote history \u2014 confirm this is intentional",
         description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
       },
       {
@@ -578,14 +578,16 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "\\bgit\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git reset --hard" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
             flags: "i"
           },
           {
             field: "command",
             op: "notMatches",
-            // Exclude recovery ops — these resolve a conflict, not start a destructive action.
-            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip)\\b",
+            // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
+            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
             flags: "i"
           }
         ],
@@ -984,37 +986,314 @@ function getCompiledRegex(pattern, flags = "") {
 // src/policy/index.ts
 var import_path8 = __toESM(require("path"));
 var import_picomatch = __toESM(require("picomatch"));
-var import_sh_syntax = require("sh-syntax");
+var import_mvdan_sh = __toESM(require("mvdan-sh"));
 
 // src/dlp.ts
 var import_fs4 = __toESM(require("fs"));
 var import_path4 = __toESM(require("path"));
+var DLP_STOPWORDS = [
+  "example",
+  "placeholder",
+  "changeme",
+  "your_key",
+  "your_token",
+  "your_secret",
+  "replace_me",
+  "insert_key",
+  "put_your",
+  "fake",
+  "dummy",
+  "sample",
+  "xxxxxxxx",
+  "aaaaaa",
+  "bbbbbb",
+  "00000000",
+  "${",
+  "{{",
+  "%{",
+  "<your",
+  "test_key",
+  "test_token"
+];
 var DLP_PATTERNS = [
-  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
-  { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
-  // Slack bot tokens: xoxb- + variable segment. Real tokens are ~50–80 chars;
-  // lower bound 20 avoids false negatives on partial tokens, upper 100 caps scan cost.
-  { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/, severity: "block" },
-  { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
-  { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+  // ── AWS ───────────────────────────────────────────────────────────────────
   {
-    name: "Private Key (PEM)",
-    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
-    severity: "block"
+    name: "AWS Access Key ID",
+    regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+    severity: "block",
+    keywords: ["akia", "asia", "abia", "acca", "a3t"]
+  },
+  // ── GitHub ────────────────────────────────────────────────────────────────
+  {
+    name: "GitHub Token",
+    regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
+    severity: "block",
+    keywords: ["ghp_", "gho_", "ghu_", "ghs_"]
+  },
+  {
+    name: "GitHub Fine-Grained PAT",
+    regex: /\bgithub_pat_\w{82}\b/,
+    severity: "block",
+    keywords: ["github_pat_"]
+  },
+  // ── Slack ─────────────────────────────────────────────────────────────────
+  {
+    name: "Slack Bot Token",
+    // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
+    regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
+    severity: "block",
+    keywords: ["xoxb-"]
+  },
+  // ── Anthropic ─────────────────────────────────────────────────────────────
+  // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
+  // match the broader OpenAI sk- pattern; more specific rules must come first.
+  {
+    name: "Anthropic API Key",
+    regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-api03"]
+  },
+  {
+    name: "Anthropic Admin Key",
+    regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-admin01"]
+  },
+  // ── OpenAI ────────────────────────────────────────────────────────────────
+  {
+    name: "OpenAI API Key",
+    regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
+    severity: "block",
+    keywords: ["sk-"]
+  },
+  // ── Stripe ────────────────────────────────────────────────────────────────
+  {
+    name: "Stripe Secret Key",
+    regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/,
+    severity: "block",
+    keywords: ["sk_live_", "sk_test_"]
+  },
+  // ── GCP ───────────────────────────────────────────────────────────────────
+  {
+    name: "GCP API Key",
+    regex: /\bAIza[0-9A-Za-z_-]{35}\b/,
+    severity: "block",
+    keywords: ["aiza"]
   },
-  // GCP service account JSON (detects the type field that uniquely identifies it)
   {
     name: "GCP Service Account",
     regex: /"type"\s*:\s*"service_account"/,
-    severity: "block"
+    severity: "block",
+    keywords: ["service_account"]
+  },
+  // ── Azure ─────────────────────────────────────────────────────────────────
+  // Pattern: 3 alphanum chars + digit + Q~ + 31-34 alphanum chars
+  {
+    name: "Azure AD Client Secret",
+    regex: /(?:^|[\s>=:(,])([a-zA-Z0-9_~.]{3}\dQ~[a-zA-Z0-9_~.-]{31,34})(?:$|[\s<),])/,
+    severity: "block",
+    keywords: ["q~"]
+  },
+  // ── Databricks ────────────────────────────────────────────────────────────
+  {
+    name: "Databricks API Token",
+    regex: /\bdapi[a-f0-9]{32}(?:-\d)?\b/,
+    severity: "block",
+    keywords: ["dapi"]
+  },
+  // ── DigitalOcean ──────────────────────────────────────────────────────────
+  {
+    name: "DigitalOcean PAT",
+    regex: /\bdop_v1_[a-f0-9]{64}\b/,
+    severity: "block",
+    keywords: ["dop_v1_"]
+  },
+  {
+    name: "DigitalOcean Access Token",
+    regex: /\bdoo_v1_[a-f0-9]{64}\b/,
+    severity: "block",
+    keywords: ["doo_v1_"]
+  },
+  // ── Doppler ───────────────────────────────────────────────────────────────
+  {
+    name: "Doppler Token",
+    regex: /\bdp\.pt\.[a-z0-9]{43}\b/i,
+    severity: "block",
+    keywords: ["dp.pt."]
+  },
+  // ── HashiCorp Vault ───────────────────────────────────────────────────────
+  {
+    name: "HashiCorp Vault Service Token",
+    regex: /\bhvs\.[\w-]{90,120}\b/,
+    severity: "block",
+    keywords: ["hvs."]
   },
-  // NPM auth token in .npmrc format
+  {
+    name: "HashiCorp Vault Batch Token",
+    regex: /\bhvb\.[\w-]{138,300}\b/,
+    severity: "block",
+    keywords: ["hvb."]
+  },
+  // ── Hugging Face ──────────────────────────────────────────────────────────
+  { name: "HuggingFace Token", regex: /\bhf_[A-Za-z]{34}\b/, severity: "block", keywords: ["hf_"] },
+  // ── Postman ───────────────────────────────────────────────────────────────
+  {
+    name: "Postman API Token",
+    regex: /\bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b/i,
+    severity: "block",
+    keywords: ["pmak-"]
+  },
+  // ── Pulumi ────────────────────────────────────────────────────────────────
+  {
+    name: "Pulumi Access Token",
+    regex: /\bpul-[a-f0-9]{40}\b/,
+    severity: "block",
+    keywords: ["pul-"]
+  },
+  // ── SendGrid ──────────────────────────────────────────────────────────────
+  {
+    name: "SendGrid API Key",
+    regex: /\bSG\.[a-zA-Z0-9=_.-]{66}\b/,
+    severity: "block",
+    keywords: ["sg."]
+  },
+  // ── Private keys (PEM) ────────────────────────────────────────────────────
+  {
+    name: "Private Key (PEM)",
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+    severity: "block",
+    keywords: ["-----begin"]
+  },
+  // ── NPM ───────────────────────────────────────────────────────────────────
   {
     name: "NPM Auth Token",
-    regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
-    severity: "block"
+    regex: /_authToken\s*=\s*[A-Za-z0-9_-]{20,}/,
+    severity: "block",
+    keywords: ["_authtoken"]
+  },
+  // ── JWT ───────────────────────────────────────────────────────────────────
+  // review (not block): JWTs appear legitimately in API calls; flag for human approval
+  {
+    name: "JWT",
+    regex: /\bey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/_-]{17,}\.[a-zA-Z0-9\/_-]{10,}={0,2}\b/,
+    severity: "review",
+    keywords: ["eyj"]
+  },
+  // ── Stripe (extended — adds restricted key rk_ prefix) ──────────────────
+  {
+    name: "Stripe Restricted Key",
+    regex: /\brk_(?:live|test|prod)_[0-9a-zA-Z]{10,99}\b/,
+    severity: "block",
+    keywords: ["rk_live_", "rk_test_", "rk_prod_"]
+  },
+  // ── Slack (app token) ─────────────────────────────────────────────────────
+  {
+    name: "Slack App Token",
+    regex: /\bxapp-\d-[A-Z0-9]+-\d+-[a-f0-9]+\b/,
+    severity: "block",
+    keywords: ["xapp-"]
+  },
+  // ── GitLab ────────────────────────────────────────────────────────────────
+  { name: "GitLab PAT", regex: /\bglpat-[\w-]{20}\b/, severity: "block", keywords: ["glpat-"] },
+  {
+    name: "GitLab Deploy Token",
+    regex: /\bgldt-[0-9a-zA-Z_-]{20}\b/,
+    severity: "block",
+    keywords: ["gldt-"]
+  },
+  {
+    name: "GitLab CI Job Token",
+    regex: /\bglcbt-[0-9a-zA-Z]{1,5}_[0-9a-zA-Z_-]{20}\b/,
+    severity: "block",
+    keywords: ["glcbt-"]
+  },
+  // ── npm (publish token) ───────────────────────────────────────────────────
+  {
+    name: "npm Access Token",
+    regex: /\bnpm_[a-zA-Z0-9]{36}\b/,
+    severity: "block",
+    keywords: ["npm_"]
+  },
+  // ── Shopify ───────────────────────────────────────────────────────────────
+  {
+    name: "Shopify Access Token",
+    regex: /\bshpat_[a-fA-F0-9]{32}\b/,
+    severity: "block",
+    keywords: ["shpat_"]
+  },
+  {
+    name: "Shopify Custom Access Token",
+    regex: /\bshpca_[a-fA-F0-9]{32}\b/,
+    severity: "block",
+    keywords: ["shpca_"]
+  },
+  {
+    name: "Shopify Private App Token",
+    regex: /\bshppa_[a-fA-F0-9]{32}\b/,
+    severity: "block",
+    keywords: ["shppa_"]
+  },
+  {
+    name: "Shopify Shared Secret",
+    regex: /\bshpss_[a-fA-F0-9]{32}\b/,
+    severity: "block",
+    keywords: ["shpss_"]
+  },
+  // ── Linear ────────────────────────────────────────────────────────────────
+  {
+    name: "Linear API Key",
+    regex: /\blin_api_[a-zA-Z0-9]{40}\b/,
+    severity: "block",
+    keywords: ["lin_api_"]
   },
-  { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i, severity: "review" }
+  // ── PlanetScale ───────────────────────────────────────────────────────────
+  {
+    name: "PlanetScale API Token",
+    regex: /\bpscale_tkn_[\w.-]{32,64}\b/,
+    severity: "block",
+    keywords: ["pscale_tkn_"]
+  },
+  {
+    name: "PlanetScale Password",
+    regex: /\bpscale_pw_[\w.-]{32,64}\b/,
+    severity: "block",
+    keywords: ["pscale_pw_"]
+  },
+  // ── Sentry ────────────────────────────────────────────────────────────────
+  {
+    name: "Sentry User Token",
+    regex: /\bsntryu_[a-f0-9]{64}\b/,
+    severity: "block",
+    keywords: ["sntryu_"]
+  },
+  // ── Grafana ───────────────────────────────────────────────────────────────
+  {
+    name: "Grafana Service Account Token",
+    regex: /\bglsa_[a-zA-Z0-9]{32}_[a-f0-9]{8}\b/,
+    severity: "block",
+    keywords: ["glsa_"]
+  },
+  // ── Heroku ────────────────────────────────────────────────────────────────
+  {
+    name: "Heroku API Key",
+    regex: /\bHRKU-AA[0-9a-zA-Z_-]{58}\b/,
+    severity: "block",
+    keywords: ["hrku-aa"]
+  },
+  // ── PyPI ──────────────────────────────────────────────────────────────────
+  {
+    name: "PyPI Upload Token",
+    regex: /\bpypi-[A-Za-z0-9_-]{50,}\b/,
+    severity: "block",
+    keywords: ["pypi-"]
+  },
+  // ── Bearer Token ─────────────────────────────────────────────────────────
+  {
+    name: "Bearer Token",
+    regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i,
+    severity: "review",
+    keywords: ["bearer"]
+  }
 ];
 var SENSITIVE_PATH_PATTERNS = [
   /[/\\]\.ssh[/\\]/i,
@@ -1103,8 +1382,14 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
   }
   if (typeof args === "string") {
     const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    const textLower = text.toLowerCase();
     for (const pattern of DLP_PATTERNS) {
+      if (pattern.keywords && !pattern.keywords.some((kw) => textLower.includes(kw.toLowerCase()))) {
+        continue;
+      }
       if (pattern.regex.test(text)) {
+        const matchedValue = (text.match(pattern.regex)?.[0] ?? "").toLowerCase();
+        if (DLP_STOPWORDS.some((sw) => matchedValue.includes(sw))) continue;
         return {
           patternName: pattern.name,
           fieldPath,
@@ -1604,17 +1889,111 @@ function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
   return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
-function stripStringArguments(cmd) {
-  let result = cmd;
-  result = result.replace(
-    /\b(node|python3?|ruby|perl|php|deno)\s+(-[ecr]|eval)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/gi,
-    '$1 $2 ""'
-  );
-  result = result.replace(
-    /\s(-m|--message|--body|--title|--description)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/g,
-    ' $1 ""'
-  );
-  return result;
+var { syntax } = import_mvdan_sh.default;
+var sharedParser = syntax.NewParser();
+var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
+  "-m",
+  "--message",
+  "--body",
+  "--title",
+  "--description",
+  "--comment",
+  "--subject",
+  "--summary"
+]);
+function normalizeCommandForPolicy(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    const strips = [];
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      for (let i = 0; i < args.length - 1; i++) {
+        const argParts = args[i].Parts || [];
+        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
+        const flagVal = argParts[0].Value || "";
+        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
+        const next = args[i + 1];
+        const nextParts = next.Parts || [];
+        if (nextParts.length !== 1) continue;
+        const quotedNode = nextParts[0];
+        const nt = syntax.NodeType(quotedNode);
+        if (nt === "SglQuoted") {
+          strips.push([next.Pos().Offset(), next.End().Offset()]);
+        } else if (nt === "DblQuoted") {
+          const innerParts = quotedNode.Parts || [];
+          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
+          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+        }
+      }
+      return true;
+    });
+    if (strips.length === 0) return command;
+    strips.sort((a, b) => b[0] - a[0]);
+    let result = command;
+    for (const [start, end] of strips) {
+      result = result.slice(0, start) + '""' + result.slice(end);
+    }
+    return result;
+  } catch {
+    return command;
+  }
+}
+var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
+var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+function scanArgsForDynamicExec(args, startIdx) {
+  let hasCmdSubst = false;
+  let hasParamExp = false;
+  let hasCurl = false;
+  for (let i = startIdx; i < args.length; i++) {
+    syntax.Walk(args[i], (inner) => {
+      if (!inner) return false;
+      const inn = inner;
+      const it = syntax.NodeType(inn);
+      if (it === "CmdSubst") hasCmdSubst = true;
+      if (it === "ParamExp") hasParamExp = true;
+      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
+      return true;
+    });
+  }
+  if (hasCmdSubst && hasCurl) return "block";
+  if (hasCmdSubst || hasParamExp) return "review";
+  return null;
+}
+function detectDangerousShellExec(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    let result = null;
+    syntax.Walk(f, (node) => {
+      if (!node || result === "block") return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      if (args.length === 0) return true;
+      const firstParts = args[0].Parts || [];
+      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
+      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
+      if (cmdName === "eval") {
+        const v = scanArgsForDynamicExec(args, 1);
+        if (v === "block" || v === "review" && result === null) result = v;
+      } else if (SHELL_INTERPRETERS.has(cmdName)) {
+        for (let i = 1; i < args.length - 1; i++) {
+          const flagParts = args[i].Parts || [];
+          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
+            continue;
+          const v = scanArgsForDynamicExec(args, i + 1);
+          if (v === "block" || v === "review" && result === null) result = v;
+          break;
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1622,7 +2001,7 @@ function evaluateSmartConditions(args, rule) {
   const results = rule.conditions.map((cond) => {
     const rawVal = getNestedValue(args, cond.field);
     const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? stripStringArguments(normalized) : normalized;
+    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1671,52 +2050,35 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-async function analyzeShellCommand(command) {
+function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
   const allTokens = [];
   const addToken = (token) => {
     const lower = token.toLowerCase();
     allTokens.push(lower);
-    if (lower.includes("/")) {
-      const segments = lower.split("/").filter(Boolean);
-      allTokens.push(...segments);
-    }
-    if (lower.startsWith("-")) {
-      allTokens.push(lower.replace(/^-+/, ""));
-    }
+    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
+    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
   };
   try {
-    const ast = await (0, import_sh_syntax.parse)(command);
-    const walk = (node) => {
-      if (!node) return;
-      if (node.type === "CallExpr") {
-        const parts = (node.Args || []).map((arg) => {
-          return (arg.Parts || []).map((p) => p.Value || "").join("");
-        }).filter((s) => s.length > 0);
-        if (parts.length > 0) {
-          actions.push(parts[0].toLowerCase());
-          parts.forEach((p) => addToken(p));
-          parts.slice(1).forEach((p) => {
-            if (!p.startsWith("-")) paths.push(p);
-          });
-        }
-      }
-      for (const key in node) {
-        if (key === "Parent") continue;
-        const val = node[key];
-        if (Array.isArray(val)) {
-          val.forEach((child) => {
-            if (child && typeof child === "object" && "type" in child) {
-              walk(child);
-            }
-          });
-        } else if (val && typeof val === "object" && "type" in val) {
-          walk(val);
-        }
+    const f = sharedParser.Parse(command, "cmd");
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const wordValues = (n.Args || []).map((arg) => {
+        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
+      }).filter((s) => s.length > 0);
+      if (wordValues.length > 0) {
+        const cmd = wordValues[0].toLowerCase();
+        if (!actions.includes(cmd)) actions.push(cmd);
+        wordValues.forEach((w) => addToken(w));
+        wordValues.slice(1).forEach((w) => {
+          if (!w.startsWith("-")) paths.push(w);
+        });
       }
-    };
-    walk(ast);
+      return true;
+    });
   } catch {
   }
   if (allTokens.length === 0) {
@@ -1741,7 +2103,18 @@ async function analyzeShellCommand(command) {
 }
 async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
-  if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
+  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
+    if (dlpMatch) {
+      return {
+        decision: dlpMatch.severity,
+        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
+        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
+      };
+    }
+  }
+  if (wouldBeIgnored) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
       (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
@@ -1771,13 +2144,30 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
-    const analyzed = await analyzeShellCommand(shellCommand);
+    const analyzed = analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const evalVerdict = detectDangerousShellExec(shellCommand);
+    if (evalVerdict === "block") {
+      return {
+        decision: "block",
+        blockedByLabel: "Node9: Eval Remote Execution",
+        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
+        tier: 3
+      };
+    }
+    if (evalVerdict === "review") {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Eval Dynamic Content",
+        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
+        tier: 3
+      };
+    }
     const pipeAnalysis = analyzePipeChain(shellCommand);
     if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
       const sinks = pipeAnalysis.sinkTargets;