@node9/proxy 1.11.3 → 1.11.4

package/dist/cli.js

@@ -786,7 +786,7 @@ var init_config = __esm({
         // 120-second auto-deny timeout
         flightRecorder: true,
         auditHashArgs: true,
-        approvers: { native: true, browser: true, cloud: false, terminal: true },
+        approvers: { native: true, browser: false, cloud: false, terminal: true },
         cloudSyncIntervalHours: 5
       },
       policy: {
@@ -893,7 +893,7 @@ var init_config = __esm({
           },
           // ── Git safety ────────────────────────────────────────────────────────
           {
-            name: "block-force-push",
+            name: "review-force-push",
             tool: "bash",
             conditions: [
               {
@@ -906,8 +906,8 @@ var init_config = __esm({
               }
             ],
             conditionMode: "all",
-            verdict: "block",
-            reason: "Force push overwrites remote history and cannot be undone",
+            verdict: "review",
+            reason: "Force push rewrites remote history \u2014 confirm this is intentional",
             description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
           },
           {
@@ -917,14 +917,16 @@ var init_config = __esm({
               {
                 field: "command",
                 op: "matches",
-                value: "\\bgit\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
+                // Anchor git as a shell command so node -e / python -c scripts containing
+                // "git reset --hard" as a string don't false-positive.
+                value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
                 flags: "i"
               },
               {
                 field: "command",
                 op: "notMatches",
-                // Exclude recovery ops — these resolve a conflict, not start a destructive action.
-                value: "\\bgit\\s+rebase\\s+--(abort|continue|skip)\\b",
+                // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
+                value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
                 flags: "i"
               }
             ],
@@ -1150,8 +1152,14 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
   }
   if (typeof args === "string") {
     const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    const textLower = text.toLowerCase();
     for (const pattern of DLP_PATTERNS) {
+      if (pattern.keywords && !pattern.keywords.some((kw) => textLower.includes(kw.toLowerCase()))) {
+        continue;
+      }
       if (pattern.regex.test(text)) {
+        const matchedValue = (text.match(pattern.regex)?.[0] ?? "").toLowerCase();
+        if (DLP_STOPWORDS.some((sw) => matchedValue.includes(sw))) continue;
         return {
           patternName: pattern.name,
           fieldPath,
@@ -1176,8 +1184,14 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
 }
 function scanText(text) {
   const t = text.length > MAX_STRING_BYTES ? text.slice(0, MAX_STRING_BYTES) : text;
+  const tLower = t.toLowerCase();
   for (const pattern of DLP_PATTERNS) {
+    if (pattern.keywords && !pattern.keywords.some((kw) => tLower.includes(kw.toLowerCase()))) {
+      continue;
+    }
     if (pattern.regex.test(t)) {
+      const matchedValue = (t.match(pattern.regex)?.[0] ?? "").toLowerCase();
+      if (DLP_STOPWORDS.some((sw) => matchedValue.includes(sw))) continue;
       return {
         patternName: pattern.name,
         fieldPath: "response-text",
@@ -1188,38 +1202,315 @@ function scanText(text) {
   }
   return null;
 }
-var import_fs4, import_path4, DLP_PATTERNS, SENSITIVE_PATH_PATTERNS, MAX_DEPTH, MAX_STRING_BYTES, MAX_JSON_PARSE_BYTES;
+var import_fs4, import_path4, DLP_STOPWORDS, DLP_PATTERNS, SENSITIVE_PATH_PATTERNS, MAX_DEPTH, MAX_STRING_BYTES, MAX_JSON_PARSE_BYTES;
 var init_dlp = __esm({
   "src/dlp.ts"() {
     "use strict";
     import_fs4 = __toESM(require("fs"));
     import_path4 = __toESM(require("path"));
+    DLP_STOPWORDS = [
+      "example",
+      "placeholder",
+      "changeme",
+      "your_key",
+      "your_token",
+      "your_secret",
+      "replace_me",
+      "insert_key",
+      "put_your",
+      "fake",
+      "dummy",
+      "sample",
+      "xxxxxxxx",
+      "aaaaaa",
+      "bbbbbb",
+      "00000000",
+      "${",
+      "{{",
+      "%{",
+      "<your",
+      "test_key",
+      "test_token"
+    ];
     DLP_PATTERNS = [
-      { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
-      { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
-      // Slack bot tokens: xoxb- + variable segment. Real tokens are ~50–80 chars;
-      // lower bound 20 avoids false negatives on partial tokens, upper 100 caps scan cost.
-      { name: "Slack Bot Token", regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/, severity: "block" },
-      { name: "OpenAI API Key", regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/, severity: "block" },
-      { name: "Stripe Secret Key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/, severity: "block" },
+      // ── AWS ───────────────────────────────────────────────────────────────────
       {
-        name: "Private Key (PEM)",
-        regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
-        severity: "block"
+        name: "AWS Access Key ID",
+        regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+        severity: "block",
+        keywords: ["akia", "asia", "abia", "acca", "a3t"]
+      },
+      // ── GitHub ────────────────────────────────────────────────────────────────
+      {
+        name: "GitHub Token",
+        regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
+        severity: "block",
+        keywords: ["ghp_", "gho_", "ghu_", "ghs_"]
+      },
+      {
+        name: "GitHub Fine-Grained PAT",
+        regex: /\bgithub_pat_\w{82}\b/,
+        severity: "block",
+        keywords: ["github_pat_"]
+      },
+      // ── Slack ─────────────────────────────────────────────────────────────────
+      {
+        name: "Slack Bot Token",
+        // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
+        regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
+        severity: "block",
+        keywords: ["xoxb-"]
+      },
+      // ── Anthropic ─────────────────────────────────────────────────────────────
+      // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
+      // match the broader OpenAI sk- pattern; more specific rules must come first.
+      {
+        name: "Anthropic API Key",
+        regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
+        severity: "block",
+        keywords: ["sk-ant-api03"]
+      },
+      {
+        name: "Anthropic Admin Key",
+        regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
+        severity: "block",
+        keywords: ["sk-ant-admin01"]
+      },
+      // ── OpenAI ────────────────────────────────────────────────────────────────
+      {
+        name: "OpenAI API Key",
+        regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
+        severity: "block",
+        keywords: ["sk-"]
+      },
+      // ── Stripe ────────────────────────────────────────────────────────────────
+      {
+        name: "Stripe Secret Key",
+        regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/,
+        severity: "block",
+        keywords: ["sk_live_", "sk_test_"]
+      },
+      // ── GCP ───────────────────────────────────────────────────────────────────
+      {
+        name: "GCP API Key",
+        regex: /\bAIza[0-9A-Za-z_-]{35}\b/,
+        severity: "block",
+        keywords: ["aiza"]
       },
-      // GCP service account JSON (detects the type field that uniquely identifies it)
       {
         name: "GCP Service Account",
         regex: /"type"\s*:\s*"service_account"/,
-        severity: "block"
+        severity: "block",
+        keywords: ["service_account"]
+      },
+      // ── Azure ─────────────────────────────────────────────────────────────────
+      // Pattern: 3 alphanum chars + digit + Q~ + 31-34 alphanum chars
+      {
+        name: "Azure AD Client Secret",
+        regex: /(?:^|[\s>=:(,])([a-zA-Z0-9_~.]{3}\dQ~[a-zA-Z0-9_~.-]{31,34})(?:$|[\s<),])/,
+        severity: "block",
+        keywords: ["q~"]
+      },
+      // ── Databricks ────────────────────────────────────────────────────────────
+      {
+        name: "Databricks API Token",
+        regex: /\bdapi[a-f0-9]{32}(?:-\d)?\b/,
+        severity: "block",
+        keywords: ["dapi"]
       },
-      // NPM auth token in .npmrc format
+      // ── DigitalOcean ──────────────────────────────────────────────────────────
+      {
+        name: "DigitalOcean PAT",
+        regex: /\bdop_v1_[a-f0-9]{64}\b/,
+        severity: "block",
+        keywords: ["dop_v1_"]
+      },
+      {
+        name: "DigitalOcean Access Token",
+        regex: /\bdoo_v1_[a-f0-9]{64}\b/,
+        severity: "block",
+        keywords: ["doo_v1_"]
+      },
+      // ── Doppler ───────────────────────────────────────────────────────────────
+      {
+        name: "Doppler Token",
+        regex: /\bdp\.pt\.[a-z0-9]{43}\b/i,
+        severity: "block",
+        keywords: ["dp.pt."]
+      },
+      // ── HashiCorp Vault ───────────────────────────────────────────────────────
+      {
+        name: "HashiCorp Vault Service Token",
+        regex: /\bhvs\.[\w-]{90,120}\b/,
+        severity: "block",
+        keywords: ["hvs."]
+      },
+      {
+        name: "HashiCorp Vault Batch Token",
+        regex: /\bhvb\.[\w-]{138,300}\b/,
+        severity: "block",
+        keywords: ["hvb."]
+      },
+      // ── Hugging Face ──────────────────────────────────────────────────────────
+      { name: "HuggingFace Token", regex: /\bhf_[A-Za-z]{34}\b/, severity: "block", keywords: ["hf_"] },
+      // ── Postman ───────────────────────────────────────────────────────────────
+      {
+        name: "Postman API Token",
+        regex: /\bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b/i,
+        severity: "block",
+        keywords: ["pmak-"]
+      },
+      // ── Pulumi ────────────────────────────────────────────────────────────────
+      {
+        name: "Pulumi Access Token",
+        regex: /\bpul-[a-f0-9]{40}\b/,
+        severity: "block",
+        keywords: ["pul-"]
+      },
+      // ── SendGrid ──────────────────────────────────────────────────────────────
+      {
+        name: "SendGrid API Key",
+        regex: /\bSG\.[a-zA-Z0-9=_.-]{66}\b/,
+        severity: "block",
+        keywords: ["sg."]
+      },
+      // ── Private keys (PEM) ────────────────────────────────────────────────────
+      {
+        name: "Private Key (PEM)",
+        regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
+        severity: "block",
+        keywords: ["-----begin"]
+      },
+      // ── NPM ───────────────────────────────────────────────────────────────────
       {
         name: "NPM Auth Token",
-        regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
-        severity: "block"
+        regex: /_authToken\s*=\s*[A-Za-z0-9_-]{20,}/,
+        severity: "block",
+        keywords: ["_authtoken"]
+      },
+      // ── JWT ───────────────────────────────────────────────────────────────────
+      // review (not block): JWTs appear legitimately in API calls; flag for human approval
+      {
+        name: "JWT",
+        regex: /\bey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/_-]{17,}\.[a-zA-Z0-9\/_-]{10,}={0,2}\b/,
+        severity: "review",
+        keywords: ["eyj"]
+      },
+      // ── Stripe (extended — adds restricted key rk_ prefix) ──────────────────
+      {
+        name: "Stripe Restricted Key",
+        regex: /\brk_(?:live|test|prod)_[0-9a-zA-Z]{10,99}\b/,
+        severity: "block",
+        keywords: ["rk_live_", "rk_test_", "rk_prod_"]
+      },
+      // ── Slack (app token) ─────────────────────────────────────────────────────
+      {
+        name: "Slack App Token",
+        regex: /\bxapp-\d-[A-Z0-9]+-\d+-[a-f0-9]+\b/,
+        severity: "block",
+        keywords: ["xapp-"]
+      },
+      // ── GitLab ────────────────────────────────────────────────────────────────
+      { name: "GitLab PAT", regex: /\bglpat-[\w-]{20}\b/, severity: "block", keywords: ["glpat-"] },
+      {
+        name: "GitLab Deploy Token",
+        regex: /\bgldt-[0-9a-zA-Z_-]{20}\b/,
+        severity: "block",
+        keywords: ["gldt-"]
+      },
+      {
+        name: "GitLab CI Job Token",
+        regex: /\bglcbt-[0-9a-zA-Z]{1,5}_[0-9a-zA-Z_-]{20}\b/,
+        severity: "block",
+        keywords: ["glcbt-"]
+      },
+      // ── npm (publish token) ───────────────────────────────────────────────────
+      {
+        name: "npm Access Token",
+        regex: /\bnpm_[a-zA-Z0-9]{36}\b/,
+        severity: "block",
+        keywords: ["npm_"]
+      },
+      // ── Shopify ───────────────────────────────────────────────────────────────
+      {
+        name: "Shopify Access Token",
+        regex: /\bshpat_[a-fA-F0-9]{32}\b/,
+        severity: "block",
+        keywords: ["shpat_"]
+      },
+      {
+        name: "Shopify Custom Access Token",
+        regex: /\bshpca_[a-fA-F0-9]{32}\b/,
+        severity: "block",
+        keywords: ["shpca_"]
+      },
+      {
+        name: "Shopify Private App Token",
+        regex: /\bshppa_[a-fA-F0-9]{32}\b/,
+        severity: "block",
+        keywords: ["shppa_"]
+      },
+      {
+        name: "Shopify Shared Secret",
+        regex: /\bshpss_[a-fA-F0-9]{32}\b/,
+        severity: "block",
+        keywords: ["shpss_"]
+      },
+      // ── Linear ────────────────────────────────────────────────────────────────
+      {
+        name: "Linear API Key",
+        regex: /\blin_api_[a-zA-Z0-9]{40}\b/,
+        severity: "block",
+        keywords: ["lin_api_"]
+      },
+      // ── PlanetScale ───────────────────────────────────────────────────────────
+      {
+        name: "PlanetScale API Token",
+        regex: /\bpscale_tkn_[\w.-]{32,64}\b/,
+        severity: "block",
+        keywords: ["pscale_tkn_"]
+      },
+      {
+        name: "PlanetScale Password",
+        regex: /\bpscale_pw_[\w.-]{32,64}\b/,
+        severity: "block",
+        keywords: ["pscale_pw_"]
+      },
+      // ── Sentry ────────────────────────────────────────────────────────────────
+      {
+        name: "Sentry User Token",
+        regex: /\bsntryu_[a-f0-9]{64}\b/,
+        severity: "block",
+        keywords: ["sntryu_"]
+      },
+      // ── Grafana ───────────────────────────────────────────────────────────────
+      {
+        name: "Grafana Service Account Token",
+        regex: /\bglsa_[a-zA-Z0-9]{32}_[a-f0-9]{8}\b/,
+        severity: "block",
+        keywords: ["glsa_"]
+      },
+      // ── Heroku ────────────────────────────────────────────────────────────────
+      {
+        name: "Heroku API Key",
+        regex: /\bHRKU-AA[0-9a-zA-Z_-]{58}\b/,
+        severity: "block",
+        keywords: ["hrku-aa"]
+      },
+      // ── PyPI ──────────────────────────────────────────────────────────────────
+      {
+        name: "PyPI Upload Token",
+        regex: /\bpypi-[A-Za-z0-9_-]{50,}\b/,
+        severity: "block",
+        keywords: ["pypi-"]
       },
-      { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i, severity: "review" }
+      // ── Bearer Token ─────────────────────────────────────────────────────────
+      {
+        name: "Bearer Token",
+        regex: /Bearer\s+[a-zA-Z0-9\-._~+/]{20,}=*/i,
+        severity: "review",
+        keywords: ["bearer"]
+      }
     ];
     SENSITIVE_PATH_PATTERNS = [
       /[/\\]\.ssh[/\\]/i,
@@ -1786,17 +2077,97 @@ function getNestedValue(obj, path43) {
   if (!obj || typeof obj !== "object") return null;
   return path43.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
-function stripStringArguments(cmd) {
-  let result = cmd;
-  result = result.replace(
-    /\b(node|python3?|ruby|perl|php|deno)\s+(-[ecr]|eval)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/gi,
-    '$1 $2 ""'
-  );
-  result = result.replace(
-    /\s(-m|--message|--body|--title|--description)\s+("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/g,
-    ' $1 ""'
-  );
-  return result;
+function normalizeCommandForPolicy(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    const strips = [];
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      for (let i = 0; i < args.length - 1; i++) {
+        const argParts = args[i].Parts || [];
+        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
+        const flagVal = argParts[0].Value || "";
+        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
+        const next = args[i + 1];
+        const nextParts = next.Parts || [];
+        if (nextParts.length !== 1) continue;
+        const quotedNode = nextParts[0];
+        const nt = syntax.NodeType(quotedNode);
+        if (nt === "SglQuoted") {
+          strips.push([next.Pos().Offset(), next.End().Offset()]);
+        } else if (nt === "DblQuoted") {
+          const innerParts = quotedNode.Parts || [];
+          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
+          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+        }
+      }
+      return true;
+    });
+    if (strips.length === 0) return command;
+    strips.sort((a, b) => b[0] - a[0]);
+    let result = command;
+    for (const [start, end] of strips) {
+      result = result.slice(0, start) + '""' + result.slice(end);
+    }
+    return result;
+  } catch {
+    return command;
+  }
+}
+function scanArgsForDynamicExec(args, startIdx) {
+  let hasCmdSubst = false;
+  let hasParamExp = false;
+  let hasCurl = false;
+  for (let i = startIdx; i < args.length; i++) {
+    syntax.Walk(args[i], (inner) => {
+      if (!inner) return false;
+      const inn = inner;
+      const it = syntax.NodeType(inn);
+      if (it === "CmdSubst") hasCmdSubst = true;
+      if (it === "ParamExp") hasParamExp = true;
+      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
+      return true;
+    });
+  }
+  if (hasCmdSubst && hasCurl) return "block";
+  if (hasCmdSubst || hasParamExp) return "review";
+  return null;
+}
+function detectDangerousShellExec(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    let result = null;
+    syntax.Walk(f, (node) => {
+      if (!node || result === "block") return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      if (args.length === 0) return true;
+      const firstParts = args[0].Parts || [];
+      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
+      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
+      if (cmdName === "eval") {
+        const v = scanArgsForDynamicExec(args, 1);
+        if (v === "block" || v === "review" && result === null) result = v;
+      } else if (SHELL_INTERPRETERS.has(cmdName)) {
+        for (let i = 1; i < args.length - 1; i++) {
+          const flagParts = args[i].Parts || [];
+          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
+            continue;
+          const v = scanArgsForDynamicExec(args, i + 1);
+          if (v === "block" || v === "review" && result === null) result = v;
+          break;
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1816,7 +2187,7 @@ function evaluateSmartConditions(args, rule) {
   const results = rule.conditions.map((cond) => {
     const rawVal = getNestedValue(args, cond.field);
     const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? stripStringArguments(normalized) : normalized;
+    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -1864,52 +2235,35 @@ function isSqlTool(toolName, toolInspection) {
   const fieldName = toolInspection[matchingPattern];
   return fieldName === "sql" || fieldName === "query";
 }
-async function analyzeShellCommand(command) {
+function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
   const allTokens = [];
   const addToken = (token) => {
     const lower = token.toLowerCase();
     allTokens.push(lower);
-    if (lower.includes("/")) {
-      const segments = lower.split("/").filter(Boolean);
-      allTokens.push(...segments);
-    }
-    if (lower.startsWith("-")) {
-      allTokens.push(lower.replace(/^-+/, ""));
-    }
+    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
+    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
   };
   try {
-    const ast = await (0, import_sh_syntax.parse)(command);
-    const walk = (node) => {
-      if (!node) return;
-      if (node.type === "CallExpr") {
-        const parts = (node.Args || []).map((arg) => {
-          return (arg.Parts || []).map((p) => p.Value || "").join("");
-        }).filter((s) => s.length > 0);
-        if (parts.length > 0) {
-          actions.push(parts[0].toLowerCase());
-          parts.forEach((p) => addToken(p));
-          parts.slice(1).forEach((p) => {
-            if (!p.startsWith("-")) paths.push(p);
-          });
-        }
-      }
-      for (const key in node) {
-        if (key === "Parent") continue;
-        const val = node[key];
-        if (Array.isArray(val)) {
-          val.forEach((child) => {
-            if (child && typeof child === "object" && "type" in child) {
-              walk(child);
-            }
-          });
-        } else if (val && typeof val === "object" && "type" in val) {
-          walk(val);
-        }
+    const f = sharedParser.Parse(command, "cmd");
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const wordValues = (n.Args || []).map((arg) => {
+        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
+      }).filter((s) => s.length > 0);
+      if (wordValues.length > 0) {
+        const cmd = wordValues[0].toLowerCase();
+        if (!actions.includes(cmd)) actions.push(cmd);
+        wordValues.forEach((w) => addToken(w));
+        wordValues.slice(1).forEach((w) => {
+          if (!w.startsWith("-")) paths.push(w);
+        });
       }
-    };
-    walk(ast);
+      return true;
+    });
   } catch {
   }
   if (allTokens.length === 0) {
@@ -1934,7 +2288,18 @@ async function analyzeShellCommand(command) {
 }
 async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
-  if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
+  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
+  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
+    if (dlpMatch) {
+      return {
+        decision: dlpMatch.severity,
+        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
+        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
+      };
+    }
+  }
+  if (wouldBeIgnored) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
       (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
@@ -1964,13 +2329,30 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
-    const analyzed = await analyzeShellCommand(shellCommand);
+    const analyzed = analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
     pathTokens = analyzed.paths;
     const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const evalVerdict = detectDangerousShellExec(shellCommand);
+    if (evalVerdict === "block") {
+      return {
+        decision: "block",
+        blockedByLabel: "Node9: Eval Remote Execution",
+        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
+        tier: 3
+      };
+    }
+    if (evalVerdict === "review") {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Eval Dynamic Content",
+        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
+        tier: 3
+      };
+    }
     const pipeAnalysis = analyzePipeChain(shellCommand);
     if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
       const sinks = pipeAnalysis.sinkTargets;
@@ -2224,7 +2606,7 @@ async function explainPolicy(toolName, args) {
   let pathTokens = [];
   const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
   if (shellCommand) {
-    const analyzed = await analyzeShellCommand(shellCommand);
+    const analyzed = analyzeShellCommand(shellCommand);
     allTokens = analyzed.allTokens;
     pathTokens = analyzed.paths;
     const patterns = Object.keys(config.policy.toolInspection);
@@ -2257,6 +2639,25 @@ async function explainPolicy(toolName, args) {
       outcome: "checked",
       detail: "No inline execution pattern detected"
     });
+    const evalVerdict = detectDangerousShellExec(shellCommand);
+    if (evalVerdict) {
+      const label = evalVerdict === "block" ? "Node9: Eval Remote Execution" : "Node9: Eval Dynamic Content";
+      const detail = evalVerdict === "block" ? "eval of remote download (curl/wget) \u2014 near-certain supply-chain attack" : "eval of dynamic content (variable or subshell expansion) \u2014 requires approval";
+      steps.push({ name: "AST eval detection", outcome: evalVerdict, detail, isFinal: true });
+      return {
+        tool: toolName,
+        args,
+        waterfall,
+        steps,
+        decision: evalVerdict,
+        blockedByLabel: label
+      };
+    }
+    steps.push({
+      name: "AST eval detection",
+      outcome: "checked",
+      detail: "No dangerous eval detected"
+    });
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
       steps.push({
@@ -2371,7 +2772,7 @@ function isIgnoredTool(toolName) {
   const config = getConfig();
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
-var import_fs7, import_path8, import_os6, import_picomatch, import_sh_syntax, SQL_DML_KEYWORDS;
+var import_fs7, import_path8, import_os6, import_picomatch, import_mvdan_sh, syntax, sharedParser, MESSAGE_FLAGS, SHELL_INTERPRETERS, DOWNLOAD_CMDS, SQL_DML_KEYWORDS;
 var init_policy = __esm({
   "src/policy/index.ts"() {
     "use strict";
@@ -2379,7 +2780,7 @@ var init_policy = __esm({
     import_path8 = __toESM(require("path"));
     import_os6 = __toESM(require("os"));
     import_picomatch = __toESM(require("picomatch"));
-    import_sh_syntax = require("sh-syntax");
+    import_mvdan_sh = __toESM(require("mvdan-sh"));
     init_dlp();
     init_config();
     init_regex();
@@ -2387,6 +2788,20 @@ var init_policy = __esm({
     init_pipe_chain();
     init_ssh_parser();
     init_trusted_hosts();
+    ({ syntax } = import_mvdan_sh.default);
+    sharedParser = syntax.NewParser();
+    MESSAGE_FLAGS = /* @__PURE__ */ new Set([
+      "-m",
+      "--message",
+      "--body",
+      "--title",
+      "--description",
+      "--comment",
+      "--subject",
+      "--summary"
+    ]);
+    SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
+    DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
     SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
   }
 });
@@ -7925,7 +8340,7 @@ async function ensureDaemon() {
   } catch {
   }
   console.log(import_chalk25.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
-  const child = (0, import_child_process15.spawn)(process.execPath, [process.argv[1], "daemon"], {
+  const child = (0, import_child_process16.spawn)(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
     env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -8328,10 +8743,10 @@ async function startTail(options = {}) {
   try {
     const browserEnabled = getConfig().settings.approvers?.browser !== false;
     if (browserEnabled) {
-      if (process.platform === "darwin") (0, import_child_process15.execSync)(`open "${dashboardUrl}"`, { stdio: "ignore" });
+      if (process.platform === "darwin") (0, import_child_process16.execSync)(`open "${dashboardUrl}"`, { stdio: "ignore" });
       else if (process.platform === "win32")
-        (0, import_child_process15.execSync)(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
-      else (0, import_child_process15.execSync)(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
+        (0, import_child_process16.execSync)(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
+      else (0, import_child_process16.execSync)(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
       const intToken = getInternalToken();
       fetch(`http://127.0.0.1:${port}/browser-opened`, {
         method: "POST",
@@ -8528,7 +8943,7 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk25, import_fs37, import_os33, import_path40, import_readline5, import_child_process15, PID_FILE, ICONS, MODEL_CONTEXT_LIMITS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, pendingShownForId, pendingWrappedLines, DIVIDER;
+var import_http2, import_chalk25, import_fs37, import_os33, import_path40, import_readline5, import_child_process16, PID_FILE, ICONS, MODEL_CONTEXT_LIMITS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, pendingShownForId, pendingWrappedLines, DIVIDER;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
@@ -8538,7 +8953,7 @@ var init_tail = __esm({
     import_os33 = __toESM(require("os"));
     import_path40 = __toESM(require("path"));
     import_readline5 = __toESM(require("readline"));
-    import_child_process15 = require("child_process");
+    import_child_process16 = require("child_process");
     init_daemon2();
     init_daemon();
     init_core();
@@ -9335,6 +9750,25 @@ async function setupGemini() {
     printDaemonTip();
   }
 }
+function claudeDesktopConfigPath(homeDir2 = import_os11.default.homedir()) {
+  if (process.platform === "darwin") {
+    return import_path15.default.join(
+      homeDir2,
+      "Library",
+      "Application Support",
+      "Claude",
+      "claude_desktop_config.json"
+    );
+  }
+  if (process.platform === "linux") {
+    return import_path15.default.join(homeDir2, ".config", "Claude", "claude_desktop_config.json");
+  }
+  if (process.platform === "win32") {
+    const appData = process.env.APPDATA ?? import_path15.default.join(homeDir2, "AppData", "Roaming");
+    return import_path15.default.join(appData, "Claude", "claude_desktop_config.json");
+  }
+  return null;
+}
 function detectAgents(homeDir2 = import_os11.default.homedir()) {
   const exists = (p) => {
     try {
@@ -9348,13 +9782,15 @@ function detectAgents(homeDir2 = import_os11.default.homedir()) {
       return false;
     }
   };
+  const desktopPath = claudeDesktopConfigPath(homeDir2);
   return {
     claude: exists(import_path15.default.join(homeDir2, ".claude")) || exists(import_path15.default.join(homeDir2, ".claude.json")),
     gemini: exists(import_path15.default.join(homeDir2, ".gemini")),
     cursor: exists(import_path15.default.join(homeDir2, ".cursor")),
     codex: exists(import_path15.default.join(homeDir2, ".codex")),
     windsurf: exists(import_path15.default.join(homeDir2, ".codeium", "windsurf")),
-    vscode: exists(import_path15.default.join(homeDir2, ".vscode"))
+    vscode: exists(import_path15.default.join(homeDir2, ".vscode")),
+    claudeDesktop: desktopPath !== null && exists(import_path15.default.dirname(desktopPath))
   };
 }
 async function setupCursor() {
@@ -9780,6 +10216,105 @@ function teardownVSCode() {
     console.log(import_chalk.default.blue("  \u2139\uFE0F  No Node9-wrapped MCP servers found in ~/.vscode/mcp.json"));
   }
 }
+async function setupClaudeDesktop() {
+  const configPath = claudeDesktopConfigPath();
+  if (!configPath) {
+    console.log(import_chalk.default.yellow("  \u26A0\uFE0F  Claude Desktop is not supported on this platform."));
+    return;
+  }
+  const config = readJson(configPath) ?? {};
+  const servers = config.mcpServers ?? {};
+  let anythingChanged = false;
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    config.mcpServers = servers;
+    writeJson(configPath, config);
+    console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
+  const serversToWrap = [];
+  for (const [name, server] of Object.entries(servers)) {
+    if (!server.command || server.command === "node9") continue;
+    serversToWrap.push({ name, upstream: [server.command, ...server.args ?? []].join(" ") });
+  }
+  if (serversToWrap.length > 0) {
+    console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
+    console.log(import_chalk.default.white(`  ${configPath}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
+    }
+    console.log("");
+    const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
+    if (proceed) {
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
+      }
+      config.mcpServers = servers;
+      writeJson(configPath, config);
+      console.log(import_chalk.default.green(`
+  \u2705 ${serversToWrap.length} MCP server(s) wrapped`));
+      anythingChanged = true;
+    } else {
+      console.log(import_chalk.default.yellow("  Skipped MCP server wrapping."));
+    }
+    console.log("");
+  }
+  console.log(
+    import_chalk.default.yellow(
+      "  \u26A0\uFE0F  Note: Claude Desktop does not support pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode."
+    )
+  );
+  console.log("");
+  if (!anythingChanged && serversToWrap.length === 0) {
+    console.log(import_chalk.default.blue("\u2139\uFE0F  Node9 is already fully configured for Claude Desktop."));
+    printDaemonTip();
+    return;
+  }
+  if (anythingChanged) {
+    console.log(import_chalk.default.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Claude Desktop via MCP proxy!"));
+    console.log(import_chalk.default.gray("    Restart Claude Desktop for changes to take effect."));
+    printDaemonTip();
+  }
+}
+function teardownClaudeDesktop() {
+  const configPath = claudeDesktopConfigPath();
+  if (!configPath) {
+    console.log(import_chalk.default.yellow("  \u26A0\uFE0F  Claude Desktop is not supported on this platform."));
+    return;
+  }
+  const config = readJson(configPath);
+  if (!config?.mcpServers) {
+    console.log(import_chalk.default.blue("  \u2139\uFE0F  Claude Desktop config not found \u2014 nothing to remove"));
+    return;
+  }
+  let changed = false;
+  if (removeNode9McpServer(config.mcpServers)) {
+    changed = true;
+    console.log(import_chalk.default.green(`  \u2705 Removed node9 MCP server entry from ${configPath}`));
+  }
+  for (const [name, server] of Object.entries(config.mcpServers)) {
+    const args = server.args;
+    if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+      const [originalCmd, ...originalArgs] = args[2].split(" ");
+      config.mcpServers[name] = {
+        ...server,
+        command: originalCmd,
+        args: originalArgs.length ? originalArgs : void 0
+      };
+      changed = true;
+    }
+  }
+  if (changed) {
+    writeJson(configPath, config);
+    console.log(import_chalk.default.green("  \u2705 Unwrapped MCP servers in Claude Desktop config"));
+  } else {
+    console.log(import_chalk.default.blue("  \u2139\uFE0F  No Node9-wrapped MCP servers found in Claude Desktop config"));
+  }
+}
 function getAgentsStatus(homeDir2 = import_os11.default.homedir()) {
   const detected = detectAgents(homeDir2);
   const claudeWired = (() => {
@@ -9850,6 +10385,18 @@ function getAgentsStatus(homeDir2 = import_os11.default.homedir()) {
       installed: detected.codex,
       wired: codexWired,
       mode: detected.codex ? "mcp" : null
+    },
+    {
+      name: "claudeDesktop",
+      label: "Claude Desktop",
+      installed: detected.claudeDesktop,
+      wired: (() => {
+        const cfgPath = claudeDesktopConfigPath(homeDir2);
+        if (!cfgPath) return false;
+        const cfg = readJson(cfgPath);
+        return !!(cfg?.mcpServers && hasNode9McpServer(cfg.mcpServers));
+      })(),
+      mode: detected.claudeDesktop ? "mcp" : null
     }
   ];
 }
@@ -10966,7 +11513,6 @@ var import_path27 = __toESM(require("path"));
 var import_os21 = __toESM(require("os"));
 init_audit();
 init_config();
-init_policy();
 init_daemon();
 
 // src/utils/cp-mv-parser.ts
@@ -11077,8 +11623,20 @@ function registerLogCommand(program2) {
         }
         const safeCwd = typeof payload.cwd === "string" && import_path27.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
-        if (shouldSnapshot(tool, {}, config)) {
-          await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
+        if ((tool === "Bash" || tool === "bash") && config.settings.enableUndo !== false) {
+          const bashCommand = typeof rawInput === "object" && rawInput !== null && "command" in rawInput && typeof rawInput.command === "string" ? rawInput.command : null;
+          if (bashCommand) {
+            const effectiveCwd = safeCwd ?? process.cwd();
+            const history = getSnapshotHistory();
+            const hasPrior = history.some((e) => e.cwd === effectiveCwd);
+            if (hasPrior) {
+              await createShadowSnapshot(
+                "Bash",
+                { command: bashCommand },
+                config.policy.snapshot.ignorePaths
+              );
+            }
+          }
         }
       } catch (err2) {
         const msg = err2 instanceof Error ? err2.message : String(err2);
@@ -11796,6 +12354,18 @@ function isAllow(decision) {
 function isDlp(checkedBy) {
   return !!checkedBy?.includes("dlp");
 }
+var BLOCK_REASON_LABELS = {
+  timeout: "Popup timeout",
+  "smart-rule-block": "Smart rule",
+  "observe-mode-dlp-would-block": "DLP (observe)",
+  "persistent-deny": "Persistent deny",
+  "local-decision": "User denied",
+  "dlp-block": "DLP block",
+  "loop-detected": "Loop detected"
+};
+function humanBlockReason(reason) {
+  return BLOCK_REASON_LABELS[reason] ?? reason;
+}
 function barStr(value, max, width) {
   if (max === 0 || width <= 0) return "\u2591".repeat(width);
   const filled = Math.max(1, Math.round(value / max * width));
@@ -11914,20 +12484,106 @@ function loadClaudeCost(start, end) {
   }
   return { total, byDay, byModel, inputTokens, outputTokens, cacheWriteTokens, cacheReadTokens };
 }
-function registerReportCommand(program2) {
-  program2.command("report").description("Activity and security report \u2014 what Claude did, what was blocked").option("--period <period>", "today | 7d | 30d | month", "7d").option("--no-tests", "exclude test runner calls (npm test, vitest, pytest\u2026) from stats").action((options) => {
-    const period = ["today", "7d", "30d", "month"].includes(
-      options.period
-    ) ? options.period : "7d";
-    const logPath = import_path30.default.join(import_os24.default.homedir(), ".node9", "audit.log");
-    const allEntries = parseAuditLog(logPath);
-    const unackedDlp = allEntries.filter((e) => e.source === "response-dlp");
-    if (unackedDlp.length > 0) {
-      console.log("");
-      console.log(
-        import_chalk9.default.bgRed.white.bold(
-          ` \u26A0\uFE0F  DLP ALERT: ${unackedDlp.length} secret${unackedDlp.length !== 1 ? "s" : ""} found in Claude response text `
-        ) + "  " + import_chalk9.default.yellow("\u2192 run: node9 dlp")
+function loadCodexCost(start, end) {
+  const sessionsBase = import_path30.default.join(import_os24.default.homedir(), ".codex", "sessions");
+  const byDay = /* @__PURE__ */ new Map();
+  let total = 0;
+  let toolCalls = 0;
+  if (!import_fs28.default.existsSync(sessionsBase)) return { total, byDay, toolCalls };
+  const jsonlFiles = [];
+  try {
+    for (const year of import_fs28.default.readdirSync(sessionsBase)) {
+      const yearPath = import_path30.default.join(sessionsBase, year);
+      try {
+        if (!import_fs28.default.statSync(yearPath).isDirectory()) continue;
+      } catch {
+        continue;
+      }
+      for (const month of import_fs28.default.readdirSync(yearPath)) {
+        const monthPath = import_path30.default.join(yearPath, month);
+        try {
+          if (!import_fs28.default.statSync(monthPath).isDirectory()) continue;
+        } catch {
+          continue;
+        }
+        for (const day of import_fs28.default.readdirSync(monthPath)) {
+          const dayPath = import_path30.default.join(monthPath, day);
+          try {
+            if (!import_fs28.default.statSync(dayPath).isDirectory()) continue;
+          } catch {
+            continue;
+          }
+          for (const file of import_fs28.default.readdirSync(dayPath)) {
+            if (file.endsWith(".jsonl")) jsonlFiles.push(import_path30.default.join(dayPath, file));
+          }
+        }
+      }
+    }
+  } catch {
+    return { total, byDay, toolCalls };
+  }
+  for (const filePath of jsonlFiles) {
+    let lines;
+    try {
+      lines = import_fs28.default.readFileSync(filePath, "utf-8").split("\n");
+    } catch {
+      continue;
+    }
+    let sessionStart2 = "";
+    let lastTotalInput = 0;
+    let lastTotalCached = 0;
+    let lastTotalOutput = 0;
+    let sessionToolCalls = 0;
+    for (const line of lines) {
+      if (!line.trim()) continue;
+      let entry;
+      try {
+        entry = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      const p = entry.payload ?? {};
+      if (entry.type === "session_meta") {
+        sessionStart2 = String(p["timestamp"] ?? "");
+        continue;
+      }
+      if (entry.type === "event_msg" && p["type"] === "token_count") {
+        const info = p["info"] ?? {};
+        const usage = info["total_token_usage"] ?? {};
+        lastTotalInput = usage["input_tokens"] ?? lastTotalInput;
+        lastTotalCached = usage["cached_input_tokens"] ?? lastTotalCached;
+        lastTotalOutput = usage["output_tokens"] ?? lastTotalOutput;
+      }
+      if (entry.type === "response_item" && p["type"] === "function_call") {
+        sessionToolCalls++;
+      }
+    }
+    if (!sessionStart2) continue;
+    const ts = new Date(sessionStart2);
+    if (ts < start || ts > end) continue;
+    const nonCached = Math.max(0, lastTotalInput - lastTotalCached);
+    const cost = nonCached * 5e-6 + lastTotalCached * 25e-7 + lastTotalOutput * 15e-6;
+    total += cost;
+    toolCalls += sessionToolCalls;
+    const dateKey = sessionStart2.slice(0, 10);
+    byDay.set(dateKey, (byDay.get(dateKey) ?? 0) + cost);
+  }
+  return { total, byDay, toolCalls };
+}
+function registerReportCommand(program2) {
+  program2.command("report").description("Activity and security report \u2014 what Claude did, what was blocked").option("--period <period>", "today | 7d | 30d | month", "7d").option("--no-tests", "exclude test runner calls (npm test, vitest, pytest\u2026) from stats").action((options) => {
+    const period = ["today", "7d", "30d", "month"].includes(
+      options.period
+    ) ? options.period : "7d";
+    const logPath = import_path30.default.join(import_os24.default.homedir(), ".node9", "audit.log");
+    const allEntries = parseAuditLog(logPath);
+    const unackedDlp = allEntries.filter((e) => e.source === "response-dlp");
+    if (unackedDlp.length > 0) {
+      console.log("");
+      console.log(
+        import_chalk9.default.bgRed.white.bold(
+          ` \u26A0\uFE0F  DLP ALERT: ${unackedDlp.length} secret${unackedDlp.length !== 1 ? "s" : ""} found in Claude response text `
+        ) + "  " + import_chalk9.default.yellow("\u2192 run: node9 dlp")
       );
     }
     if (allEntries.length === 0) {
@@ -11938,7 +12594,7 @@ function registerReportCommand(program2) {
     }
     const { start, end } = getDateRange(period);
     const {
-      total: costUSD,
+      total: claudeCostUSD,
       byDay: costByDay,
       byModel: costByModel,
       inputTokens: costInputTokens,
@@ -11946,6 +12602,15 @@ function registerReportCommand(program2) {
       cacheWriteTokens: costCacheWrite,
       cacheReadTokens: costCacheRead
     } = loadClaudeCost(start, end);
+    const {
+      total: codexCostUSD,
+      byDay: codexCostByDay,
+      toolCalls: codexToolCalls
+    } = loadCodexCost(start, end);
+    const costUSD = claudeCostUSD + codexCostUSD;
+    for (const [day, c] of codexCostByDay) {
+      costByDay.set(day, (costByDay.get(day) ?? 0) + c);
+    }
     const periodMs = end.getTime() - start.getTime();
     const priorEnd = new Date(start.getTime() - 1);
     const priorStart = new Date(start.getTime() - periodMs);
@@ -12028,6 +12693,7 @@ function registerReportCommand(program2) {
       if (e.testResult === "pass") testPasses++;
       else if (e.testResult === "fail") testFails++;
     }
+    if (codexToolCalls > 0) agentMap.set("Codex", (agentMap.get("Codex") ?? 0) + codexToolCalls);
     const total = entries.length;
     const topTools = [...toolMap.entries()].sort((a, b) => b[1].calls - a[1].calls).slice(0, 8);
     const topBlocks = [...blockMap.entries()].sort((a, b) => b[1] - a[1]).slice(0, 6);
@@ -12154,7 +12820,8 @@ function registerReportCommand(program2) {
       let rightStyled = "";
       if (i < topBlocks.length) {
         const [reason, count] = topBlocks[i];
-        const label = reason.length > LABEL - 1 ? reason.slice(0, LABEL - 2) + "\u2026" : reason;
+        const readable = humanBlockReason(reason);
+        const label = readable.length > LABEL - 1 ? readable.slice(0, LABEL - 2) + "\u2026" : readable;
         const countStr = num(count).padStart(BLOCK_COUNT_W);
         const b = colorBar(count, maxBlock, BAR);
         rightStyled = import_chalk9.default.white(label.padEnd(LABEL)) + b + " " + import_chalk9.default.red(countStr);
@@ -12220,31 +12887,24 @@ function registerReportCommand(program2) {
       console.log("");
       console.log("  " + import_chalk9.default.bold("Tokens") + "  " + import_chalk9.default.dim(`${num(totalTokens)} total`));
       console.log("  " + import_chalk9.default.dim("\u2500".repeat(Math.min(50, W - 4))));
-      const tokenRows = [
+      const TOK_BAR = Math.max(6, Math.min(20, W - 30));
+      const TOK_LABEL = 14;
+      const maxNonCache = Math.max(costInputTokens, costOutputTokens, costCacheWrite, 1);
+      const nonCacheRows = [
         ["Input", costInputTokens, import_chalk9.default.cyan(num(costInputTokens))],
         ["Output", costOutputTokens, import_chalk9.default.white(num(costOutputTokens))],
-        ["Cache write", costCacheWrite, import_chalk9.default.yellow(num(costCacheWrite))],
-        ["Cache read", costCacheRead, import_chalk9.default.green(num(costCacheRead))]
+        ["Cache write", costCacheWrite, import_chalk9.default.yellow(num(costCacheWrite))]
       ];
-      const maxTok = Math.max(
-        costInputTokens,
-        costOutputTokens,
-        costCacheWrite,
-        costCacheRead,
-        1
-      );
-      const TOK_BAR = Math.max(6, Math.min(20, W - 30));
-      const TOK_LABEL = 14;
-      for (const [label, count, colored] of tokenRows) {
+      for (const [label, count, colored] of nonCacheRows) {
         if (count === 0) continue;
-        const b = colorBar(count, maxTok, TOK_BAR);
+        const b = colorBar(count, maxNonCache, TOK_BAR);
         console.log("  " + import_chalk9.default.white(label.padEnd(TOK_LABEL)) + b + "  " + colored);
       }
-      if (cacheHitPct > 0) {
+      if (costCacheRead > 0) {
+        const cacheBar = colorBar(costCacheRead, costCacheRead, TOK_BAR);
+        const pct = cacheHitPct > 0 ? import_chalk9.default.dim(`  ${cacheHitPct}% hit rate`) : "";
         console.log(
-          "  " + import_chalk9.default.dim(
-            `Cache hit rate: ${cacheHitPct}%  (saves ~${fmtCost(costCacheRead * 27e-7)} vs fresh input)`
-          )
+          "  " + import_chalk9.default.white("Cache read".padEnd(TOK_LABEL)) + cacheBar + "  " + import_chalk9.default.green(num(costCacheRead)) + pct
         );
       }
     }
@@ -12260,6 +12920,11 @@ function registerReportCommand(program2) {
       console.log("");
       console.log("  " + import_chalk9.default.bold("Cost") + "  " + costHeaderRight);
       console.log("  " + import_chalk9.default.dim("\u2500".repeat(Math.min(50, W - 4))));
+      if (codexCostUSD > 0)
+        costByModel.set(
+          "codex (openai)",
+          (costByModel.get("codex (openai)") ?? 0) + codexCostUSD
+        );
       const modelList = [...costByModel.entries()].sort((a, b) => b[1] - a[1]);
       const maxModelCost = Math.max(...modelList.map(([, v]) => v), 1e-9);
       const MODEL_LABEL = 22;
@@ -12686,6 +13351,7 @@ function registerInitCommand(program2) {
       else if (agent === "codex") await setupCodex();
       else if (agent === "windsurf") await setupWindsurf();
       else if (agent === "vscode") await setupVSCode();
+      else if (agent === "claudeDesktop") await setupClaudeDesktop();
       console.log("");
     }
     if ((process.platform === "darwin" || process.platform === "linux") && process.stdout.isTTY) {
@@ -13515,6 +14181,7 @@ var import_readline4 = __toESM(require("readline"));
 var import_fs32 = __toESM(require("fs"));
 var import_os28 = __toESM(require("os"));
 var import_path35 = __toESM(require("path"));
+var import_child_process15 = require("child_process");
 init_core();
 init_daemon();
 init_shields();
@@ -13594,8 +14261,31 @@ var TOOLS = [
   },
   {
     name: "node9_undo_list",
-    description: "List the node9 snapshot history. Each entry shows the git hash, tool that triggered it, a short summary, affected files, working directory, and timestamp. Use this to find a hash before calling node9_undo_revert.",
-    inputSchema: { type: "object", properties: {}, required: [] }
+    description: "List the node9 snapshot history. Each entry shows the git hash, tool that triggered it, a short summary, affected files, working directory, and timestamp. Use this to find a hash before calling node9_undo_revert or node9_undo_detail.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        cwd: {
+          type: "string",
+          description: "Filter to snapshots for a specific project directory. Omit to show all projects."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "node9_undo_detail",
+    description: "Show the full details of a specific node9 snapshot: unified diff, exact files changed, tool that triggered it, command summary, working directory, and timestamp. Use this to understand exactly what a snapshot contains before deciding to revert.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        hash: {
+          type: "string",
+          description: "The git commit hash (full or 7-char prefix) from node9_undo_list."
+        }
+      },
+      required: ["hash"]
+    }
   },
   {
     name: "node9_undo_revert",
@@ -13617,13 +14307,18 @@ var TOOLS = [
   },
   {
     name: "node9_audit_get",
-    description: "Read recent entries from the node9 audit log (~/.node9/audit.log). Each entry shows timestamp, tool name, decision (allow/block/review), and agent. Use this to review what AI actions have been taken recently.",
+    description: "Read recent entries from the node9 audit log (~/.node9/audit.log). Each entry shows timestamp, tool name, decision (allow/block/review), command/args, and agent. Use this to review what AI actions have been taken recently, especially blocked or reviewed ops.",
     inputSchema: {
       type: "object",
       properties: {
         limit: {
           type: "number",
           description: "Number of recent entries to return (default: 20, max: 100)."
+        },
+        filter: {
+          type: "string",
+          enum: ["all", "block", "review"],
+          description: 'Filter by decision. Omit or use "all" to show every entry.'
         }
       },
       required: []
@@ -13634,6 +14329,53 @@ var TOOLS = [
     description: "Show all active smart rules in detail \u2014 name, tool, verdict, conditions, and reason. Includes default rules, shield rules, and any custom project rules. Use this to understand exactly what is being blocked or reviewed.",
     inputSchema: { type: "object", properties: {}, required: [] }
   },
+  {
+    name: "node9_scan",
+    description: "Scan all AI agent history (Claude + Gemini) and report what node9 would have blocked or flagged. Shows blocked operations, reviewed commands, credential leaks, and agent spend. Use this to audit past activity and find security gaps before they become incidents.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        drill_down: {
+          type: "boolean",
+          description: "Show full commands and session IDs for every finding (default: false for a clean summary)."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "node9_report",
+    description: "Show an activity and security report: tool call counts, blocks, DLP findings, agent cost, and daily trends for a chosen period. Covers all AI agents (Claude, Gemini, etc.).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        period: {
+          type: "string",
+          enum: ["today", "7d", "30d", "month"],
+          description: "Time period for the report (default: 7d)."
+        },
+        no_tests: {
+          type: "boolean",
+          description: "Exclude test runner calls (npm test, vitest, pytest\u2026) from stats."
+        }
+      },
+      required: []
+    }
+  },
+  {
+    name: "node9_session",
+    description: "List recent AI agent sessions with per-session summaries: tool calls, cost, modified files, and any blocked operations. Pass a session_id to see the full tool trace for that session.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        detail: {
+          type: "string",
+          description: "Session ID to show the full tool trace for. Omit to list all recent sessions."
+        }
+      },
+      required: []
+    }
+  },
   {
     name: "node9_rule_add",
     description: 'Add a new protective smart rule to the global node9 config (~/.node9/config.json). Rules can block or send dangerous commands for human review based on regex conditions. IMPORTANT: only "block" and "review" verdicts are permitted \u2014 "allow" rules are never accepted because they would weaken node9 security. Rules can only be added, never removed.',
@@ -13826,21 +14568,40 @@ function handleApproverSet(args) {
 }
 function handleAuditGet(args) {
   const limit = Math.min(typeof args.limit === "number" ? args.limit : 20, 100);
+  const filter = typeof args.filter === "string" && args.filter !== "all" ? args.filter : null;
   const auditPath = import_path35.default.join(import_os28.default.homedir(), ".node9", "audit.log");
   if (!import_fs32.default.existsSync(auditPath)) return "No audit log found.";
-  const lines = import_fs32.default.readFileSync(auditPath, "utf-8").trim().split("\n").filter(Boolean);
-  const recent = lines.slice(-limit);
-  const entries = recent.map((line) => {
+  const rawLines = import_fs32.default.readFileSync(auditPath, "utf-8").trim().split("\n").filter(Boolean);
+  const parsed = [];
+  for (const line of rawLines) {
     try {
       const e = JSON.parse(line);
-      return `${e.ts}  ${String(e.tool).padEnd(20)} ${String(e.decision).padEnd(8)} ${e.agent ?? ""}`;
+      const decision = String(e.decision ?? "allow");
+      if (filter && decision !== filter) continue;
+      const argsObj = e.args;
+      let detail = "";
+      if (argsObj) {
+        const cmd = argsObj.command ?? argsObj.file_path ?? argsObj.path ?? argsObj.sql;
+        if (typeof cmd === "string" && cmd) {
+          detail = cmd.length > 80 ? cmd.slice(0, 80) + "\u2026" : cmd;
+        }
+      }
+      const decisionPad = decision === "block" ? "[BLOCK] " : decision === "review" ? "[review]" : "[allow] ";
+      const toolPad = String(e.tool ?? "").padEnd(20);
+      const line2 = `${e.ts}  ${decisionPad}  ${toolPad}  ${detail}`;
+      parsed.push({ raw: line, decision, formatted: line2 });
     } catch {
-      return line;
+      parsed.push({ raw: line, decision: "allow", formatted: line });
     }
-  });
-  return `Last ${entries.length} audit entries:
+  }
+  const recent = parsed.slice(-limit);
+  if (recent.length === 0) {
+    return filter ? `No ${filter} entries found in audit log.` : "Audit log is empty.";
+  }
+  const header = filter ? `Last ${recent.length} ${filter.toUpperCase()} entries:` : `Last ${recent.length} audit entries:`;
+  return `${header}
 
-${entries.join("\n")}`;
+${recent.map((e) => e.formatted).join("\n")}`;
 }
 function handlePolicyGet() {
   const config = getConfig();
@@ -13893,10 +14654,43 @@ function handleRuleAdd(args) {
   writeGlobalConfigRaw(raw);
   return `Rule "${name}" added to ~/.node9/config.json \u2014 verdict: ${verdict} when ${field} matches "${pattern}"`;
 }
-function handleUndoList() {
-  const history = getSnapshotHistory();
+function runCliCommand(subArgs) {
+  const result = (0, import_child_process15.spawnSync)(process.execPath, [process.argv[1], ...subArgs], {
+    encoding: "utf-8",
+    timeout: 6e4,
+    // Disable colors — stdout is piped (not a TTY), chalk auto-detects, but be explicit
+    env: { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" }
+  });
+  if (result.error) throw result.error;
+  const out = (result.stdout ?? "").trimEnd();
+  if (!out && result.stderr) throw new Error(result.stderr.trimEnd());
+  return out || "(no output)";
+}
+function handleScanMcp(args) {
+  const cliArgs = ["scan"];
+  if (args.drill_down === true) cliArgs.push("--drill-down");
+  return runCliCommand(cliArgs);
+}
+function handleReportMcp(args) {
+  const cliArgs = ["report"];
+  if (typeof args.period === "string") cliArgs.push("--period", args.period);
+  if (args.no_tests === true) cliArgs.push("--no-tests");
+  return runCliCommand(cliArgs);
+}
+function handleSessionMcp(args) {
+  const cliArgs = ["sessions"];
+  if (typeof args.detail === "string" && args.detail) cliArgs.push("--detail", args.detail);
+  return runCliCommand(cliArgs);
+}
+function handleUndoList(args) {
+  const cwdFilter = typeof args.cwd === "string" && args.cwd ? args.cwd : null;
+  let history = getSnapshotHistory();
+  if (cwdFilter) {
+    history = history.filter((e) => e.cwd === cwdFilter);
+  }
   if (history.length === 0) {
-    return "No snapshots found. Node9 captures snapshots automatically before file edits.";
+    const hint = cwdFilter ? ` for cwd: ${cwdFilter}` : "";
+    return `No snapshots found${hint}. Node9 captures snapshots automatically before file edits.`;
   }
   const lines = history.slice().reverse().map((entry, i) => {
     const date = new Date(entry.timestamp).toLocaleString();
@@ -13905,7 +14699,39 @@ function handleUndoList() {
     return `[${i + 1}] ${entry.hash.slice(0, 7)}  ${date}  ${entry.tool}${summary}  (${files})  cwd: ${entry.cwd}
     full hash: ${entry.hash}`;
   });
-  return lines.join("\n\n");
+  const header = cwdFilter ? `${lines.length} snapshot(s) for ${cwdFilter}:` : `${lines.length} snapshot(s) across all projects:`;
+  return `${header}
+
+${lines.join("\n\n")}`;
+}
+function handleUndoDetail(args) {
+  const hash = args.hash;
+  if (typeof hash !== "string" || !hash) {
+    throw new Error("hash is required");
+  }
+  const history = getSnapshotHistory();
+  const entry = history.find((e) => e.hash === hash || e.hash.startsWith(hash));
+  if (!entry) {
+    throw new Error(`Snapshot ${hash} not found. Run node9_undo_list to see available snapshots.`);
+  }
+  const lines = [];
+  lines.push(`Hash:    ${entry.hash}`);
+  lines.push(`Tool:    ${entry.tool}`);
+  lines.push(`Summary: ${entry.argsSummary || "(none)"}`);
+  lines.push(`CWD:     ${entry.cwd}`);
+  lines.push(`Time:    ${new Date(entry.timestamp).toLocaleString()}`);
+  lines.push(`Files:   ${entry.files?.length ? entry.files.join(", ") : "(none recorded)"}`);
+  if (entry.diff) {
+    lines.push("");
+    lines.push("\u2500\u2500 Diff \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+    lines.push(entry.diff);
+  } else {
+    lines.push("");
+    lines.push(
+      "No diff available (first snapshot for this project, or snapshot predates diff capture)."
+    );
+  }
+  return lines.join("\n");
 }
 function handleUndoRevert(args) {
   const hash = args.hash;
@@ -13973,7 +14799,9 @@ function runMcpServer() {
         } else if (toolName === "node9_approver_set") {
           text = handleApproverSet(toolArgs);
         } else if (toolName === "node9_undo_list") {
-          text = handleUndoList();
+          text = handleUndoList(toolArgs);
+        } else if (toolName === "node9_undo_detail") {
+          text = handleUndoDetail(toolArgs);
         } else if (toolName === "node9_undo_revert") {
           text = handleUndoRevert(toolArgs);
         } else if (toolName === "node9_audit_get") {
@@ -13982,6 +14810,12 @@ function runMcpServer() {
           text = handlePolicyGet();
         } else if (toolName === "node9_rule_add") {
           text = handleRuleAdd(toolArgs);
+        } else if (toolName === "node9_scan") {
+          text = handleScanMcp(toolArgs);
+        } else if (toolName === "node9_report") {
+          text = handleReportMcp(toolArgs);
+        } else if (toolName === "node9_session") {
+          text = handleSessionMcp(toolArgs);
         } else {
           process.stdout.write(err(id, -32601, `Unknown tool: ${toolName}`) + "\n");
           return;
@@ -14220,7 +15054,8 @@ var SETUP_FN = {
   cursor: setupCursor,
   codex: setupCodex,
   windsurf: setupWindsurf,
-  vscode: setupVSCode
+  vscode: setupVSCode,
+  claudeDesktop: setupClaudeDesktop
 };
 var TEARDOWN_FN = {
   claude: teardownClaude,
@@ -14228,7 +15063,8 @@ var TEARDOWN_FN = {
   cursor: teardownCursor,
   codex: teardownCodex,
   windsurf: teardownWindsurf,
-  vscode: teardownVSCode
+  vscode: teardownVSCode,
+  claudeDesktop: teardownClaudeDesktop
 };
 var AGENT_NAMES = Object.keys(SETUP_FN);
 function registerAgentsCommand(program2) {
@@ -14352,11 +15188,18 @@ function preview(input, max) {
   const s = String(cmd).replace(/\s+/g, " ").trim();
   return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
 }
+function fullCommand(input) {
+  const cmd = input.command ?? input.query ?? input.file_path ?? JSON.stringify(input);
+  return String(cmd).replace(/\s+/g, " ").trim();
+}
+var DEFAULT_RULE_NAMES = new Set(
+  DEFAULT_CONFIG.policy.smartRules.map((r) => r.name).filter(Boolean)
+);
 function buildRuleSources() {
   const sources = [];
   for (const [shieldName, shield] of Object.entries(SHIELDS)) {
     for (const rule of shield.smartRules) {
-      sources.push({ shieldName, shieldLabel: shieldName, rule });
+      sources.push({ shieldName, shieldLabel: shieldName, sourceType: "shield", rule });
     }
   }
   try {
@@ -14365,9 +15208,12 @@ function buildRuleSources() {
       if (!rule.name) continue;
       if (rule.name.startsWith("shield:")) continue;
       const isCloud = rule.name.startsWith("cloud:");
+      const isDefault = DEFAULT_RULE_NAMES.has(rule.name);
+      const sourceType = isCloud ? "user" : isDefault ? "default" : "user";
       sources.push({
-        shieldName: isCloud ? "cloud" : "custom",
-        shieldLabel: isCloud ? "Cloud Policy" : "Your Rules",
+        shieldName: isCloud ? "cloud" : isDefault ? "default" : "custom",
+        shieldLabel: isCloud ? "Cloud Policy" : isDefault ? "Default Rules" : "Your Rules",
+        sourceType,
         rule
       });
     }
@@ -14413,6 +15259,7 @@ function scanClaudeHistory(startDate) {
     for (const file of files) {
       result.filesScanned++;
       result.sessions++;
+      const sessionId = file.replace(/\.jsonl$/, "");
       let raw;
       try {
         raw = import_fs33.default.readFileSync(import_path36.default.join(projPath, file), "utf-8");
@@ -14471,10 +15318,12 @@ function scanClaudeHistory(startDate) {
                 toolName,
                 timestamp: entry.timestamp ?? "",
                 project: projLabel,
+                sessionId,
                 agent: "claude"
               });
             }
           }
+          let ruleMatched = false;
           for (const source of ruleSources) {
             const { rule } = source;
             if (rule.verdict === "allow") continue;
@@ -14491,11 +15340,45 @@ function scanClaudeHistory(startDate) {
                 input,
                 timestamp: entry.timestamp ?? "",
                 project: projLabel,
+                sessionId,
                 agent: "claude"
               });
             }
+            ruleMatched = true;
             break;
           }
+          if (!ruleMatched && (toolNameLower === "bash" || toolNameLower === "execute_bash")) {
+            const shellVerdict = detectDangerousShellExec(String(input.command ?? ""));
+            if (shellVerdict) {
+              const astRule = {
+                name: `ast:bash-safe:${shellVerdict}-shell-exec-remote`,
+                tool: "bash",
+                conditions: [],
+                verdict: shellVerdict,
+                reason: `Shell execution of remote download detected by AST analysis (bash-safe)`
+              };
+              const inputPreview = preview(input, 120);
+              const isDupe = result.findings.some(
+                (f) => f.source.rule.name === astRule.name && preview(f.input, 120) === inputPreview && f.project === projLabel
+              );
+              if (!isDupe) {
+                result.findings.push({
+                  source: {
+                    shieldName: "bash-safe",
+                    shieldLabel: "bash-safe (AST)",
+                    sourceType: "shield",
+                    rule: astRule
+                  },
+                  toolName,
+                  input,
+                  timestamp: entry.timestamp ?? "",
+                  project: projLabel,
+                  sessionId,
+                  agent: "claude"
+                });
+              }
+            }
+          }
         }
       }
     }
@@ -14545,6 +15428,7 @@ function scanGeminiHistory(startDate) {
     }
     for (const chatFile of chatFiles) {
       result.filesScanned++;
+      const sessionId = chatFile.replace(/\.json$/, "");
       let raw;
       try {
         raw = import_fs33.default.readFileSync(import_path36.default.join(chatsDir, chatFile), "utf-8");
@@ -14598,10 +15482,12 @@ function scanGeminiHistory(startDate) {
                 toolName,
                 timestamp: msg.timestamp ?? "",
                 project: projLabel,
+                sessionId,
                 agent: "gemini"
               });
             }
           }
+          let ruleMatched = false;
           for (const source of ruleSources) {
             const { rule } = source;
             if (rule.verdict === "allow") continue;
@@ -14618,17 +15504,244 @@ function scanGeminiHistory(startDate) {
                 input,
                 timestamp: msg.timestamp ?? "",
                 project: projLabel,
+                sessionId,
                 agent: "gemini"
               });
             }
+            ruleMatched = true;
             break;
           }
+          const isShellTool = ["bash", "execute_bash", "run_shell_command", "shell"].includes(
+            toolNameLower
+          );
+          if (!ruleMatched && isShellTool) {
+            const shellVerdict = detectDangerousShellExec(String(input.command ?? ""));
+            if (shellVerdict) {
+              const astRule = {
+                name: `ast:bash-safe:${shellVerdict}-shell-exec-remote`,
+                tool: "bash",
+                conditions: [],
+                verdict: shellVerdict,
+                reason: `Shell execution of remote download detected by AST analysis (bash-safe)`
+              };
+              const inputPreview = preview(input, 120);
+              const isDupe = result.findings.some(
+                (f) => f.source.rule.name === astRule.name && preview(f.input, 120) === inputPreview && f.project === projLabel
+              );
+              if (!isDupe) {
+                result.findings.push({
+                  source: {
+                    shieldName: "bash-safe",
+                    shieldLabel: "bash-safe (AST)",
+                    sourceType: "shield",
+                    rule: astRule
+                  },
+                  toolName,
+                  input,
+                  timestamp: msg.timestamp ?? "",
+                  project: projLabel,
+                  sessionId,
+                  agent: "gemini"
+                });
+              }
+            }
+          }
         }
       }
     }
   }
   return result;
 }
+function scanCodexHistory(startDate) {
+  const sessionsBase = import_path36.default.join(import_os29.default.homedir(), ".codex", "sessions");
+  const result = {
+    filesScanned: 0,
+    sessions: 0,
+    totalToolCalls: 0,
+    bashCalls: 0,
+    findings: [],
+    dlpFindings: [],
+    totalCostUSD: 0,
+    firstDate: null,
+    lastDate: null
+  };
+  if (!import_fs33.default.existsSync(sessionsBase)) return result;
+  const jsonlFiles = [];
+  try {
+    for (const year of import_fs33.default.readdirSync(sessionsBase)) {
+      const yearPath = import_path36.default.join(sessionsBase, year);
+      try {
+        if (!import_fs33.default.statSync(yearPath).isDirectory()) continue;
+      } catch {
+        continue;
+      }
+      for (const month of import_fs33.default.readdirSync(yearPath)) {
+        const monthPath = import_path36.default.join(yearPath, month);
+        try {
+          if (!import_fs33.default.statSync(monthPath).isDirectory()) continue;
+        } catch {
+          continue;
+        }
+        for (const day of import_fs33.default.readdirSync(monthPath)) {
+          const dayPath = import_path36.default.join(monthPath, day);
+          try {
+            if (!import_fs33.default.statSync(dayPath).isDirectory()) continue;
+          } catch {
+            continue;
+          }
+          for (const file of import_fs33.default.readdirSync(dayPath)) {
+            if (file.endsWith(".jsonl")) jsonlFiles.push(import_path36.default.join(dayPath, file));
+          }
+        }
+      }
+    }
+  } catch {
+    return result;
+  }
+  const ruleSources = buildRuleSources();
+  for (const filePath of jsonlFiles) {
+    result.filesScanned++;
+    let lines;
+    try {
+      lines = import_fs33.default.readFileSync(filePath, "utf-8").split("\n");
+    } catch {
+      continue;
+    }
+    let sessionId = "";
+    let startTime = "";
+    let projLabel = "";
+    result.sessions++;
+    let lastTotalInput = 0;
+    let lastTotalCached = 0;
+    let lastTotalOutput = 0;
+    for (const line of lines) {
+      if (!line.trim()) continue;
+      let entry;
+      try {
+        entry = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      const payload = entry.payload ?? {};
+      if (entry.type === "session_meta") {
+        sessionId = String(payload["id"] ?? filePath);
+        startTime = String(payload["timestamp"] ?? "");
+        const cwd = String(payload["cwd"] ?? "");
+        projLabel = cwd.replace(import_os29.default.homedir(), "~").slice(0, 40);
+        continue;
+      }
+      if (entry.type === "event_msg" && payload["type"] === "token_count") {
+        const info = payload["info"];
+        const usage = info?.["total_token_usage"] ?? {};
+        lastTotalInput = usage["input_tokens"] ?? lastTotalInput;
+        lastTotalCached = usage["cached_input_tokens"] ?? lastTotalCached;
+        lastTotalOutput = usage["output_tokens"] ?? lastTotalOutput;
+        continue;
+      }
+      if (entry.type !== "response_item") continue;
+      if (payload["type"] !== "function_call") continue;
+      const ts = startTime;
+      if (startDate && ts && new Date(ts) < startDate) continue;
+      if (ts) {
+        if (!result.firstDate || ts < result.firstDate) result.firstDate = ts;
+        if (!result.lastDate || ts > result.lastDate) result.lastDate = ts;
+      }
+      result.totalToolCalls++;
+      const toolName = String(payload["name"] ?? "");
+      const toolNameLower = toolName.toLowerCase();
+      let input = {};
+      try {
+        input = JSON.parse(String(payload["arguments"] ?? "{}"));
+      } catch {
+      }
+      if ("cmd" in input && !("command" in input)) {
+        input = { ...input, command: input["cmd"] };
+      }
+      if (toolNameLower === "exec_command" || toolNameLower === "shell") {
+        result.bashCalls++;
+      }
+      const rawCmd = String(input["command"] ?? "").trimStart();
+      if (/^node9\s+(scan|explain|report|tail|dlp|status|sessions|audit)\b/.test(rawCmd)) continue;
+      const dlpMatch = scanArgs(input);
+      if (dlpMatch) {
+        const isDupe = result.dlpFindings.some(
+          (f) => f.patternName === dlpMatch.patternName && f.redactedSample === dlpMatch.redactedSample && f.project === projLabel
+        );
+        if (!isDupe) {
+          result.dlpFindings.push({
+            patternName: dlpMatch.patternName,
+            redactedSample: dlpMatch.redactedSample,
+            toolName,
+            timestamp: ts,
+            project: projLabel,
+            sessionId,
+            agent: "codex"
+          });
+        }
+      }
+      let ruleMatched = false;
+      for (const source of ruleSources) {
+        const { rule } = source;
+        if (rule.verdict === "allow") continue;
+        if (rule.tool && !matchesPattern(toolNameLower === "exec_command" ? "bash" : toolNameLower, rule.tool))
+          continue;
+        if (!evaluateSmartConditions(input, rule)) continue;
+        const inputPreview = preview(input, 120);
+        const isDupe = result.findings.some(
+          (f) => f.source.rule.name === rule.name && preview(f.input, 120) === inputPreview && f.project === projLabel
+        );
+        if (!isDupe) {
+          result.findings.push({
+            source,
+            toolName,
+            input,
+            timestamp: ts,
+            project: projLabel,
+            sessionId,
+            agent: "codex"
+          });
+        }
+        ruleMatched = true;
+        break;
+      }
+      if (!ruleMatched && (toolNameLower === "exec_command" || toolNameLower === "shell")) {
+        const shellVerdict = detectDangerousShellExec(String(input["command"] ?? ""));
+        if (shellVerdict) {
+          const astRule = {
+            name: `ast:bash-safe:${shellVerdict}-shell-exec-remote`,
+            tool: "bash",
+            conditions: [],
+            verdict: shellVerdict,
+            reason: `Shell execution of remote download detected by AST analysis (bash-safe)`
+          };
+          const inputPreview = preview(input, 120);
+          const isDupe = result.findings.some(
+            (f) => f.source.rule.name === astRule.name && preview(f.input, 120) === inputPreview && f.project === projLabel
+          );
+          if (!isDupe) {
+            result.findings.push({
+              source: {
+                shieldName: "bash-safe",
+                shieldLabel: "bash-safe (AST)",
+                sourceType: "shield",
+                rule: astRule
+              },
+              toolName,
+              input,
+              timestamp: ts,
+              project: projLabel,
+              sessionId,
+              agent: "codex"
+            });
+          }
+        }
+      }
+    }
+    const nonCached = Math.max(0, lastTotalInput - lastTotalCached);
+    result.totalCostUSD += nonCached * 5e-6 + lastTotalCached * 25e-7 + lastTotalOutput * 15e-6;
+  }
+  return result;
+}
 function mergeScans(a, b) {
   const dates = [a.firstDate, b.firstDate].filter(Boolean);
   const lastDates = [a.lastDate, b.lastDate].filter(Boolean);
@@ -14644,22 +15757,67 @@ function mergeScans(a, b) {
     lastDate: lastDates.length ? lastDates.sort().at(-1) : null
   };
 }
+function verdictIcon(verdict) {
+  return verdict === "block" ? "\u{1F6D1}" : "\u{1F441} ";
+}
+function printFindingRow(f, drillDown, showSessionId, previewWidth) {
+  const ts = f.timestamp ? import_chalk21.default.dim(fmtTs(f.timestamp) + "  ") : "";
+  const proj = import_chalk21.default.dim(f.project.slice(0, 22).padEnd(22) + "  ");
+  const agentBadge = f.agent === "gemini" ? import_chalk21.default.blue("[Gemini]  ") : f.agent === "codex" ? import_chalk21.default.magenta("[Codex]   ") : import_chalk21.default.cyan("[Claude]  ");
+  const cmd = drillDown ? import_chalk21.default.gray(fullCommand(f.input)) : import_chalk21.default.gray(preview(f.input, previewWidth));
+  const sessionSuffix = showSessionId && f.sessionId ? import_chalk21.default.dim(`  \u2192 ${f.sessionId.slice(0, 8)}`) : "";
+  console.log(`      ${ts}${proj}${agentBadge}${cmd}${sessionSuffix}`);
+}
+function printRuleGroup(ruleFindings, topN, drillDown, previewWidth) {
+  const rule = ruleFindings[0].source.rule;
+  const ruleCount = ruleFindings.length;
+  const countBadge = ruleCount > 1 ? import_chalk21.default.white(` \xD7${ruleCount}`) : "";
+  const shortName = (rule.name ?? "unnamed").replace(/^shield:[^:]+:/, "");
+  const icon = verdictIcon(rule.verdict ?? "review");
+  console.log(
+    "    " + icon + "  " + import_chalk21.default.white(shortName) + countBadge + (rule.reason ? import_chalk21.default.dim(`  \u2014 ${rule.reason}`) : "")
+  );
+  const shown = drillDown ? ruleFindings : ruleFindings.slice(0, topN);
+  for (const f of shown) {
+    printFindingRow(f, drillDown, drillDown, previewWidth);
+  }
+  if (!drillDown && ruleFindings.length > topN) {
+    console.log(
+      import_chalk21.default.dim(`      \u2026 and ${ruleFindings.length - topN} more  (--drill-down for full list)`)
+    );
+  }
+}
 function registerScanCommand(program2) {
-  program2.command("scan").description("Forecast: scan agent history and show what node9 would catch if installed").option("--all", "Scan all history (default: last 90 days)").option("--days <n>", "Scan last N days of history", "90").option("--top <n>", "Max findings to show per shield", "5").action((options) => {
-    const topN = Math.max(1, parseInt(options.top, 10) || 5);
+  program2.command("scan").description("Forecast: scan agent history and show what node9 would catch if installed").option("--all", "Scan all history (default: last 90 days)").option("--days <n>", "Scan last N days of history", "90").option("--top <n>", "Max findings to show per rule (default: 5)", "5").option("--drill-down", "Show all findings with full commands and session IDs").action((options) => {
+    const drillDown = options.drillDown ?? false;
+    const topN = drillDown ? Infinity : Math.max(1, parseInt(options.top, 10) || 5);
+    const previewWidth = 70;
     const startDate = options.all ? null : (() => {
       const d = /* @__PURE__ */ new Date();
       d.setDate(d.getDate() - (parseInt(options.days, 10) || 90));
       d.setHours(0, 0, 0, 0);
       return d;
     })();
+    const isInstalled = import_fs33.default.existsSync(import_path36.default.join(import_os29.default.homedir(), ".node9", "audit.log"));
     console.log("");
-    console.log(import_chalk21.default.cyan.bold("\u{1F50D}  node9 scan") + import_chalk21.default.dim("  \u2014 what would node9 catch?"));
+    if (!isInstalled) {
+      console.log(
+        import_chalk21.default.bold("\u{1F6E1}  node9") + import_chalk21.default.dim("  \u2014  security layer for AI coding agents")
+      );
+      console.log(
+        import_chalk21.default.dim("   Intercepts dangerous tool calls before they execute. No config needed.")
+      );
+      console.log("");
+    }
+    console.log(
+      import_chalk21.default.cyan.bold("\u{1F50D}  Scanning your AI history") + import_chalk21.default.dim("  \u2014 what would node9 have caught?")
+    );
     console.log("");
     process.stdout.write(import_chalk21.default.dim("  Scanning\u2026"));
     const claudeScan = scanClaudeHistory(startDate);
     const geminiScan = scanGeminiHistory(startDate);
-    const scan = mergeScans(claudeScan, geminiScan);
+    const codexScan = scanCodexHistory(startDate);
+    const scan = mergeScans(mergeScans(claudeScan, geminiScan), codexScan);
     process.stdout.write("\r" + " ".repeat(20) + "\r");
     if (scan.filesScanned === 0) {
       console.log(import_chalk21.default.yellow("  No session history found."));
@@ -14672,95 +15830,151 @@ function registerScanCommand(program2) {
     }
     const rangeLabel = options.all ? import_chalk21.default.dim("all time") : import_chalk21.default.dim(`last ${options.days ?? 90} days`);
     const dateRange = scan.firstDate && scan.lastDate ? import_chalk21.default.dim(`  ${fmtTs(scan.firstDate)} \u2013 ${fmtTs(scan.lastDate)}`) : "";
-    const sessionBreakdown = claudeScan.sessions > 0 && geminiScan.sessions > 0 ? import_chalk21.default.dim("(") + import_chalk21.default.cyan(String(claudeScan.sessions)) + import_chalk21.default.dim(" Claude \xB7 ") + import_chalk21.default.blue(String(geminiScan.sessions)) + import_chalk21.default.dim(" Gemini)") : "";
+    const breakdownParts = [];
+    if (claudeScan.sessions > 0)
+      breakdownParts.push(import_chalk21.default.cyan(String(claudeScan.sessions)) + import_chalk21.default.dim(" Claude"));
+    if (geminiScan.sessions > 0)
+      breakdownParts.push(import_chalk21.default.blue(String(geminiScan.sessions)) + import_chalk21.default.dim(" Gemini"));
+    if (codexScan.sessions > 0)
+      breakdownParts.push(import_chalk21.default.magenta(String(codexScan.sessions)) + import_chalk21.default.dim(" Codex"));
+    const sessionBreakdown = breakdownParts.length > 1 ? import_chalk21.default.dim("(") + breakdownParts.join(import_chalk21.default.dim(" \xB7 ")) + import_chalk21.default.dim(")") : "";
     console.log(
       "  " + import_chalk21.default.white(num2(scan.sessions)) + import_chalk21.default.dim(" sessions  ") + sessionBreakdown + (sessionBreakdown ? "  " : "") + import_chalk21.default.white(num2(scan.totalToolCalls)) + import_chalk21.default.dim(" tool calls  ") + import_chalk21.default.white(num2(scan.bashCalls)) + import_chalk21.default.dim(" bash commands  ") + rangeLabel + dateRange
     );
     console.log("");
-    const byShield = /* @__PURE__ */ new Map();
-    for (const f of scan.findings) {
-      const key = f.source.shieldName;
-      const entry = byShield.get(key) ?? { label: f.source.shieldLabel, findings: [] };
-      entry.findings.push(f);
-      byShield.set(key, entry);
-    }
     const totalFindings = scan.findings.length;
+    const blockedCount = scan.findings.filter((f) => f.source.rule.verdict === "block").length;
+    const reviewCount = totalFindings - blockedCount;
     if (totalFindings === 0 && scan.dlpFindings.length === 0) {
-      console.log(import_chalk21.default.green("  \u2705 No findings across all shields and rules."));
-      console.log(import_chalk21.default.dim("  node9 is still worth running \u2014 it monitors in real time.\n"));
+      console.log(import_chalk21.default.green("  \u2705 No risky operations found in your history."));
+      console.log(
+        import_chalk21.default.dim("  node9 is still worth running \u2014 it monitors every tool call in real time.\n")
+      );
     } else {
-      if (totalFindings > 0) {
+      const totalRisky = totalFindings + scan.dlpFindings.length;
+      const heroLine = isInstalled ? import_chalk21.default.bold(
+        `  Found ${import_chalk21.default.yellow(String(totalRisky))} risky operation${totalRisky !== 1 ? "s" : ""} in your history`
+      ) : import_chalk21.default.bold(
+        `  ${import_chalk21.default.red.bold(String(totalRisky))} risky operation${totalRisky !== 1 ? "s" : ""} found \u2014 none were blocked`
+      );
+      console.log(heroLine);
+      console.log("");
+      if (blockedCount > 0) {
         console.log(
-          "  " + import_chalk21.default.bold("If node9 had been installed:") + "  " + import_chalk21.default.yellow.bold(
-            `${num2(totalFindings)} command${totalFindings !== 1 ? "s" : ""} flagged for review`
-          )
+          "    " + import_chalk21.default.red("\u{1F6D1}  Would have blocked") + "   " + import_chalk21.default.red.bold(String(blockedCount).padStart(5)) + import_chalk21.default.dim("   operations stopped before execution")
         );
-        console.log("");
-        const sorted = [...byShield.entries()].sort(
-          (a, b) => b[1].findings.length - a[1].findings.length
+      }
+      if (reviewCount > 0) {
+        console.log(
+          "    " + import_chalk21.default.yellow("\u{1F441}   Would have flagged") + "   " + import_chalk21.default.yellow.bold(String(reviewCount).padStart(5)) + import_chalk21.default.dim("   sent to you for approval")
         );
-        for (const [shieldName, { label, findings }] of sorted) {
-          const count = findings.length;
-          const isUserRule = shieldName === "custom" || shieldName === "cloud";
-          const shieldBadge = isUserRule ? import_chalk21.default.magenta(label) : import_chalk21.default.cyan(label);
-          console.log("  " + import_chalk21.default.dim("\u2500".repeat(70)));
-          console.log(
-            "  " + shieldBadge + import_chalk21.default.dim("  \xB7  ") + import_chalk21.default.yellow(`${num2(count)} finding${count !== 1 ? "s" : ""}`) + (isUserRule ? "" : import_chalk21.default.dim(`  \u2192  node9 shield enable ${shieldName}`))
-          );
-          const byRule = /* @__PURE__ */ new Map();
-          for (const f of findings) {
-            const ruleKey = f.source.rule.name ?? "unnamed";
-            const arr = byRule.get(ruleKey) ?? [];
-            arr.push(f);
-            byRule.set(ruleKey, arr);
-          }
-          for (const [, ruleFindings] of byRule) {
-            const rule = ruleFindings[0].source.rule;
-            const ruleCount = ruleFindings.length;
-            const countBadge = ruleCount > 1 ? import_chalk21.default.white(` \xD7${ruleCount}`) : "";
-            const shortName = (rule.name ?? "unnamed").replace(/^shield:[^:]+:/, "");
-            console.log(
-              "    " + import_chalk21.default.white(shortName) + countBadge + (rule.reason ? import_chalk21.default.dim(`  \u2014 ${rule.reason}`) : "")
-            );
-            const shown = ruleFindings.slice(0, topN);
-            for (const f of shown) {
-              const ts = f.timestamp ? import_chalk21.default.dim(fmtTs(f.timestamp) + "  ") : "";
-              const proj = import_chalk21.default.dim(f.project.slice(0, 22).padEnd(22) + "  ");
-              const agentBadge = f.agent === "gemini" ? import_chalk21.default.blue("[Gemini]  ") : import_chalk21.default.cyan("[Claude]  ");
-              const cmd = import_chalk21.default.gray(preview(f.input, 45));
-              console.log(`      ${ts}${proj}${agentBadge}${cmd}`);
-            }
-            if (ruleFindings.length > topN) {
-              console.log(
-                import_chalk21.default.dim(
-                  `      \u2026 and ${ruleFindings.length - topN} more (--top ${ruleFindings.length})`
-                )
-              );
-            }
-          }
-          console.log("");
+      }
+      if (scan.dlpFindings.length > 0) {
+        console.log(
+          "    " + import_chalk21.default.red("\u{1F511}  Credential leak") + "     " + import_chalk21.default.red.bold(String(scan.dlpFindings.length).padStart(5)) + import_chalk21.default.dim("   secret detected in tool call")
+        );
+      }
+      console.log("");
+      const sections = [];
+      const defaultFindings = scan.findings.filter((f) => f.source.sourceType === "default");
+      if (defaultFindings.length > 0) {
+        sections.push({
+          label: "Default Rules",
+          subtitle: "built-in, always on",
+          findings: defaultFindings
+        });
+      }
+      const byShield = /* @__PURE__ */ new Map();
+      for (const f of scan.findings.filter((f2) => f2.source.sourceType === "shield")) {
+        const arr = byShield.get(f.source.shieldName) ?? [];
+        arr.push(f);
+        byShield.set(f.source.shieldName, arr);
+      }
+      const shieldsWithFindings = [...byShield.entries()].sort(
+        (a, b) => b[1].length - a[1].length
+      );
+      for (const [shieldName, findings] of shieldsWithFindings) {
+        const description = SHIELDS[shieldName]?.description ?? "";
+        sections.push({
+          label: shieldName,
+          subtitle: description,
+          shieldKey: shieldName,
+          findings
+        });
+      }
+      const userFindings = scan.findings.filter(
+        (f) => f.source.sourceType === "user" || f.source.shieldName === "cloud"
+      );
+      if (userFindings.length > 0) {
+        sections.push({
+          label: "Your Rules",
+          subtitle: "added in node9.config.json",
+          findings: userFindings
+        });
+      }
+      for (const section of sections) {
+        const sectionBlocked = section.findings.filter(
+          (f) => f.source.rule.verdict === "block"
+        ).length;
+        const sectionReview = section.findings.length - sectionBlocked;
+        const countParts = [];
+        if (sectionBlocked > 0) countParts.push(import_chalk21.default.red(`${sectionBlocked} blocked`));
+        if (sectionReview > 0) countParts.push(import_chalk21.default.yellow(`${sectionReview} review`));
+        const countStr = countParts.join(import_chalk21.default.dim(" \xB7 "));
+        const enableHint = section.shieldKey ? import_chalk21.default.dim(`  \u2192  node9 shield enable ${section.shieldKey}`) : "";
+        console.log("  " + import_chalk21.default.dim("\u2500".repeat(70)));
+        console.log(
+          "  " + import_chalk21.default.bold(section.label) + (section.subtitle ? import_chalk21.default.dim(`  \xB7  ${section.subtitle}`) : "") + "  " + countStr + enableHint
+        );
+        const byRule = /* @__PURE__ */ new Map();
+        for (const f of section.findings) {
+          const ruleKey = f.source.rule.name ?? "unnamed";
+          const arr = byRule.get(ruleKey) ?? [];
+          arr.push(f);
+          byRule.set(ruleKey, arr);
+        }
+        const sortedRules = [...byRule.entries()].sort((a, b) => {
+          const aBlock = a[1][0].source.rule.verdict === "block" ? 1 : 0;
+          const bBlock = b[1][0].source.rule.verdict === "block" ? 1 : 0;
+          if (bBlock !== aBlock) return bBlock - aBlock;
+          return b[1].length - a[1].length;
+        });
+        for (const [, ruleFindings] of sortedRules) {
+          printRuleGroup(ruleFindings, topN, drillDown, previewWidth);
         }
+        console.log("");
+      }
+      const emptyShields = Object.keys(SHIELDS).filter((n) => !byShield.has(n)).sort();
+      if (emptyShields.length > 0) {
+        console.log("  " + import_chalk21.default.dim("\u2500".repeat(70)));
+        console.log(
+          "  " + import_chalk21.default.bold("Shields") + import_chalk21.default.dim("  \xB7  no findings in your history") + "  " + import_chalk21.default.green("\u2713")
+        );
+        console.log("  " + import_chalk21.default.dim(emptyShields.join(" \xB7 ")));
+        console.log("  " + import_chalk21.default.dim("\u2192  node9 shield enable <name>  to activate any shield"));
+        console.log("");
       }
       if (scan.dlpFindings.length > 0) {
         console.log("  " + import_chalk21.default.dim("\u2500".repeat(70)));
         console.log(
-          "  " + import_chalk21.default.red.bold("Secrets / DLP") + import_chalk21.default.dim("  \xB7  ") + import_chalk21.default.red(
+          "  " + import_chalk21.default.red.bold("\u{1F511}  Credential Leaks") + import_chalk21.default.dim("  \xB7  ") + import_chalk21.default.red(
             `${num2(scan.dlpFindings.length)} potential secret leak${scan.dlpFindings.length !== 1 ? "s" : ""}`
           )
         );
-        const shownDlp = scan.dlpFindings.slice(0, topN);
+        const shownDlp = drillDown ? scan.dlpFindings : scan.dlpFindings.slice(0, topN);
         for (const f of shownDlp) {
           const ts = f.timestamp ? import_chalk21.default.dim(fmtTs(f.timestamp) + "  ") : "";
           const proj = import_chalk21.default.dim(f.project.slice(0, 22).padEnd(22) + "  ");
-          const agentBadge = f.agent === "gemini" ? import_chalk21.default.blue("[Gemini]  ") : import_chalk21.default.cyan("[Claude]  ");
+          const agentBadge = f.agent === "gemini" ? import_chalk21.default.blue("[Gemini]  ") : f.agent === "codex" ? import_chalk21.default.magenta("[Codex]   ") : import_chalk21.default.cyan("[Claude]  ");
+          const sessionSuffix = f.sessionId ? import_chalk21.default.dim(`  \u2192 ${f.sessionId.slice(0, 8)}`) : "";
           console.log(
-            `    ${ts}${proj}${agentBadge}` + import_chalk21.default.yellow(f.patternName) + import_chalk21.default.dim("  ") + import_chalk21.default.gray(f.redactedSample)
+            `    ${ts}${proj}${agentBadge}` + import_chalk21.default.yellow(f.patternName) + import_chalk21.default.dim("  ") + import_chalk21.default.gray(f.redactedSample) + sessionSuffix
           );
         }
-        if (scan.dlpFindings.length > topN) {
+        if (!drillDown && scan.dlpFindings.length > topN) {
           console.log(
             import_chalk21.default.dim(
-              `    \u2026 and ${scan.dlpFindings.length - topN} more (--top ${scan.dlpFindings.length})`
+              `    \u2026 and ${scan.dlpFindings.length - topN} more  (--drill-down for full list)`
             )
           );
         }
@@ -14773,17 +15987,41 @@ function registerScanCommand(program2) {
       );
       console.log("");
     }
-    const auditLog = import_path36.default.join(import_os29.default.homedir(), ".node9", "audit.log");
-    if (import_fs33.default.existsSync(auditLog)) {
-      console.log(import_chalk21.default.green("  \u2705 node9 is active \u2014 future sessions are protected."));
+    if (isInstalled) {
+      console.log(import_chalk21.default.green("  \u2705 node9 is active \u2014 your future sessions are protected."));
       console.log(
-        import_chalk21.default.dim("  Run ") + import_chalk21.default.cyan("node9 report") + import_chalk21.default.dim(" to see live stats.")
+        import_chalk21.default.dim("  Run ") + import_chalk21.default.cyan("node9 report") + import_chalk21.default.dim(" to see live protection stats.")
       );
+      if (drillDown) {
+        console.log(
+          import_chalk21.default.dim("  Run ") + import_chalk21.default.cyan("node9 sessions --detail <session-id>") + import_chalk21.default.dim(" to see the full conversation for any session above.")
+        );
+      } else {
+        console.log(
+          import_chalk21.default.dim("  Run ") + import_chalk21.default.cyan("node9 scan --drill-down") + import_chalk21.default.dim(" to see full commands and session IDs.")
+        );
+      }
     } else {
-      console.log(import_chalk21.default.yellow.bold("  \u26A1 node9 was not running during these sessions."));
+      const riskySummary = totalFindings + scan.dlpFindings.length;
+      if (riskySummary > 0) {
+        console.log(
+          import_chalk21.default.yellow.bold(
+            `  \u26A1 ${riskySummary} operation${riskySummary !== 1 ? "s" : ""} ran unprotected.`
+          ) + import_chalk21.default.dim(" node9 would have caught them.")
+        );
+      }
+      console.log("");
+      console.log(import_chalk21.default.bold("  Protect your next session in 30 seconds:"));
+      console.log("");
+      console.log("    " + import_chalk21.default.cyan("npm install -g @node9/proxy"));
+      console.log("    " + import_chalk21.default.cyan("node9 init"));
+      console.log("");
+      console.log(import_chalk21.default.dim("  node9 hooks into Claude Code automatically."));
       console.log(
-        "  " + import_chalk21.default.white("Run ") + import_chalk21.default.cyan("node9 init") + import_chalk21.default.white(" to start protecting your AI agents.")
+        import_chalk21.default.dim("  Every tool call is checked before it runs \u2014 no proxy, no latency.")
       );
+      console.log("");
+      console.log("  " + import_chalk21.default.dim("\u2192 ") + import_chalk21.default.underline("https://node9.ai"));
     }
     console.log("");
   });
@@ -15050,6 +16288,7 @@ function buildGeminiSessions(days, allAuditEntries) {
         projectLabel: projectLabel(projectRoot),
         firstPrompt,
         startTime,
+        lastActiveTime: lastToolTs || startTime,
         toolCalls,
         blockedCalls,
         costUSD,
@@ -15061,6 +16300,128 @@ function buildGeminiSessions(days, allAuditEntries) {
   }
   return summaries;
 }
+function buildCodexSessions(days, allAuditEntries) {
+  const sessionsBase = import_path37.default.join(import_os30.default.homedir(), ".codex", "sessions");
+  if (!import_fs34.default.existsSync(sessionsBase)) return [];
+  const cutoff = days !== null ? (() => {
+    const d = /* @__PURE__ */ new Date();
+    d.setDate(d.getDate() - days);
+    d.setHours(0, 0, 0, 0);
+    return d;
+  })() : null;
+  const jsonlFiles = [];
+  try {
+    for (const year of import_fs34.default.readdirSync(sessionsBase)) {
+      const yearPath = import_path37.default.join(sessionsBase, year);
+      try {
+        if (!import_fs34.default.statSync(yearPath).isDirectory()) continue;
+      } catch {
+        continue;
+      }
+      for (const month of import_fs34.default.readdirSync(yearPath)) {
+        const monthPath = import_path37.default.join(yearPath, month);
+        try {
+          if (!import_fs34.default.statSync(monthPath).isDirectory()) continue;
+        } catch {
+          continue;
+        }
+        for (const day of import_fs34.default.readdirSync(monthPath)) {
+          const dayPath = import_path37.default.join(monthPath, day);
+          try {
+            if (!import_fs34.default.statSync(dayPath).isDirectory()) continue;
+          } catch {
+            continue;
+          }
+          for (const file of import_fs34.default.readdirSync(dayPath)) {
+            if (file.endsWith(".jsonl")) jsonlFiles.push(import_path37.default.join(dayPath, file));
+          }
+        }
+      }
+    }
+  } catch {
+    return [];
+  }
+  const summaries = [];
+  for (const filePath of jsonlFiles) {
+    let lines;
+    try {
+      lines = import_fs34.default.readFileSync(filePath, "utf-8").split("\n");
+    } catch {
+      continue;
+    }
+    let sessionId = "";
+    let startTime = "";
+    let cwd = "";
+    let firstPrompt = "";
+    const toolCalls = [];
+    let lastToolTs = "";
+    let lastTotalInput = 0;
+    let lastTotalCached = 0;
+    let lastTotalOutput = 0;
+    for (const line of lines) {
+      if (!line.trim()) continue;
+      let entry;
+      try {
+        entry = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      const p = entry.payload ?? {};
+      if (entry.type === "session_meta") {
+        sessionId = String(p["id"] ?? "");
+        startTime = String(p["timestamp"] ?? "");
+        cwd = String(p["cwd"] ?? "");
+        continue;
+      }
+      if (entry.type === "event_msg" && p["type"] === "user_message" && !firstPrompt) {
+        firstPrompt = String(p["message"] ?? "");
+        continue;
+      }
+      if (entry.type === "event_msg" && p["type"] === "token_count") {
+        const info = p["info"] ?? {};
+        const usage = info["total_token_usage"] ?? {};
+        lastTotalInput = usage["input_tokens"] ?? lastTotalInput;
+        lastTotalCached = usage["cached_input_tokens"] ?? lastTotalCached;
+        lastTotalOutput = usage["output_tokens"] ?? lastTotalOutput;
+        continue;
+      }
+      if (entry.type === "response_item" && p["type"] === "function_call") {
+        const tool = String(p["name"] ?? "");
+        let input = {};
+        try {
+          input = JSON.parse(String(p["arguments"] ?? "{}"));
+        } catch {
+        }
+        const ts = entry.timestamp ?? startTime;
+        toolCalls.push({ tool, input, timestamp: ts });
+        if (ts > lastToolTs) lastToolTs = ts;
+      }
+    }
+    if (!sessionId || !startTime) continue;
+    if (cutoff && new Date(startTime) < cutoff) continue;
+    const nonCached = Math.max(0, lastTotalInput - lastTotalCached);
+    const costUSD = nonCached * 5e-6 + lastTotalCached * 25e-7 + lastTotalOutput * 15e-6;
+    const windowEnd = new Date(
+      Math.max(new Date(startTime).getTime(), lastToolTs ? new Date(lastToolTs).getTime() : 0) + 5 * 60 * 1e3
+    ).toISOString();
+    const blockedCalls = auditEntriesInWindow(allAuditEntries, startTime, windowEnd);
+    summaries.push({
+      sessionId,
+      project: cwd,
+      projectLabel: projectLabel(cwd),
+      firstPrompt,
+      startTime,
+      lastActiveTime: lastToolTs || startTime,
+      toolCalls,
+      blockedCalls,
+      costUSD,
+      hasSnapshot: false,
+      modifiedFiles: [],
+      agent: "codex"
+    });
+  }
+  return summaries;
+}
 function buildSessions(days, historyPath) {
   const hPath = historyPath ?? import_path37.default.join(import_os30.default.homedir(), ".claude", "history.jsonl");
   let historyRaw;
@@ -15101,12 +16462,14 @@ function buildSessions(days, historyPath) {
       // 5 min buffer
     ).toISOString();
     const blockedCalls = auditEntriesInWindow(allAuditEntries, windowStart, windowEnd);
+    const lastActiveTime = lastToolTs || entry.timestamp;
     summaries.push({
       sessionId: entry.sessionId,
       project: entry.project,
       projectLabel: projectLabel(entry.project),
       firstPrompt: entry.display,
       startTime: entry.timestamp,
+      lastActiveTime,
       toolCalls,
       blockedCalls,
       costUSD,
@@ -15117,8 +16480,9 @@ function buildSessions(days, historyPath) {
   }
   if (!historyPath) {
     summaries.push(...buildGeminiSessions(days, allAuditEntries));
+    summaries.push(...buildCodexSessions(days, allAuditEntries));
   }
-  summaries.sort((a, b) => a.startTime > b.startTime ? -1 : 1);
+  summaries.sort((a, b) => a.lastActiveTime > b.lastActiveTime ? -1 : 1);
   return summaries;
 }
 function fmtCost3(usd) {
@@ -15260,22 +16624,25 @@ function renderList(summaries, totalCost) {
   console.log("");
   let lastGroup = "";
   for (const s of summaries) {
-    const group = fmtDate2(s.startTime) + "  " + s.projectLabel;
+    const activeDate = fmtDate2(s.lastActiveTime);
+    const group = activeDate + "  " + s.projectLabel;
     if (group !== lastGroup) {
-      console.log(
-        import_chalk22.default.dim("  \u2500\u2500\u2500 ") + import_chalk22.default.bold(fmtDate2(s.startTime)) + import_chalk22.default.dim("  " + s.projectLabel)
-      );
+      console.log(import_chalk22.default.dim("  \u2500\u2500\u2500 ") + import_chalk22.default.bold(activeDate) + import_chalk22.default.dim("  " + s.projectLabel));
       lastGroup = group;
     }
+    const startDate = fmtDate2(s.startTime);
+    const dateRange = startDate !== activeDate ? import_chalk22.default.dim(" (" + startDate + " \u2192 " + activeDate + ")") : "";
     const timeStr = import_chalk22.default.dim(fmtTime(s.startTime));
     const prompt = import_chalk22.default.white(truncate(s.firstPrompt.replace(/\n/g, " "), 50).padEnd(50));
     const tools = s.toolCalls.length > 0 ? import_chalk22.default.dim(String(s.toolCalls.length).padStart(3) + " tools") : import_chalk22.default.dim("  0 tools");
     const cost = s.costUSD > 0 ? import_chalk22.default.dim("  " + fmtCost3(s.costUSD).padEnd(8)) : "          ";
     const blocked = s.blockedCalls.length > 0 ? import_chalk22.default.red("  \u{1F6D1} " + String(s.blockedCalls.length)) : "";
     const snap = s.hasSnapshot ? import_chalk22.default.green("  \u{1F4F8}") : "";
-    const agentBadge = s.agent === "gemini" ? import_chalk22.default.blue("  [Gemini]") : import_chalk22.default.cyan("  [Claude]");
+    const agentBadge = s.agent === "gemini" ? import_chalk22.default.blue("  [Gemini]") : s.agent === "codex" ? import_chalk22.default.magenta("  [Codex]") : import_chalk22.default.cyan("  [Claude]");
     const sid = import_chalk22.default.dim("  " + s.sessionId.slice(0, 8));
-    console.log(`  ${timeStr}  ${prompt}  ${tools}${cost}${blocked}${snap}${agentBadge}${sid}`);
+    console.log(
+      `  ${timeStr}  ${prompt}  ${tools}${cost}${blocked}${snap}${agentBadge}${sid}${dateRange}`
+    );
   }
   console.log("");
   console.log(
@@ -15291,7 +16658,7 @@ function renderDetail(s) {
   );
   console.log(import_chalk22.default.bold("  Project  ") + import_chalk22.default.white(s.projectLabel));
   if (s.agent) {
-    const agentLabel2 = s.agent === "gemini" ? import_chalk22.default.blue("Gemini CLI") : import_chalk22.default.cyan("Claude Code");
+    const agentLabel2 = s.agent === "gemini" ? import_chalk22.default.blue("Gemini CLI") : s.agent === "codex" ? import_chalk22.default.magenta("Codex") : import_chalk22.default.cyan("Claude Code");
     console.log(import_chalk22.default.bold("  Agent    ") + agentLabel2);
   }
   console.log(import_chalk22.default.bold("  When     ") + import_chalk22.default.white(fmtDateTime(s.startTime)));
@@ -15362,7 +16729,12 @@ function registerSessionsCommand(program2) {
     console.log("");
     process.stdout.write(import_chalk22.default.dim("  Loading\u2026"));
     const summaries = buildSessions(days);
-    process.stdout.write("\r" + " ".repeat(20) + "\r");
+    if (process.stdout.isTTY) {
+      process.stdout.clearLine(0);
+      process.stdout.cursorTo(0);
+    } else {
+      process.stdout.write("\n");
+    }
     if (options.detail) {
       const target = summaries.find(
         (s) => s.sessionId === options.detail || s.sessionId.startsWith(options.detail)
@@ -16001,10 +17373,10 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       program.help();
       return;
     }
-    const fullCommand = runArgs.join(" ");
+    const fullCommand2 = runArgs.join(" ");
     let result = await authorizeHeadless(
       "shell",
-      { command: fullCommand },
+      { command: fullCommand2 },
       {
         agent: "Terminal"
       }
@@ -16012,11 +17384,11 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
       console.error(import_chalk26.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();
-      if (daemonReady) result = await authorizeHeadless("shell", { command: fullCommand });
+      if (daemonReady) result = await authorizeHeadless("shell", { command: fullCommand2 });
     }
     if (result.noApprovalMechanism && process.stdout.isTTY) {
       const approved = await (0, import_prompts2.confirm)({
-        message: `\u{1F6E1}\uFE0F  Node9: Allow "${fullCommand}"?`,
+        message: `\u{1F6E1}\uFE0F  Node9: Allow "${fullCommand2}"?`,
         default: false
       });
       result = { approved, reason: approved ? void 0 : "Denied by user at terminal." };
@@ -16029,7 +17401,7 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       process.exit(1);
     }
     console.error(import_chalk26.default.green("\n\u2705 Approved \u2014 running command...\n"));
-    await runProxy(fullCommand);
+    await runProxy(fullCommand2);
   } else {
     program.help();
   }