npm - @node9/proxy - Versions diffs - 1.14.1 → 1.15.0 - Mend

@node9/proxy 1.14.1 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +17 -0
package/dist/cli.js +3080 -2168
package/dist/cli.mjs +3060 -2150
package/dist/index.js +2110 -1367
package/dist/index.mjs +2501 -1758
package/package.json +5 -2
package/dist/shields/builtin/aws.json +0 -59
package/dist/shields/builtin/bash-safe.json +0 -92
package/dist/shields/builtin/docker.json +0 -120
package/dist/shields/builtin/filesystem.json +0 -30
package/dist/shields/builtin/github.json +0 -26
package/dist/shields/builtin/k8s.json +0 -92
package/dist/shields/builtin/mcp-tool-gating.json +0 -7
package/dist/shields/builtin/mongodb.json +0 -78
package/dist/shields/builtin/postgres.json +0 -42
package/dist/shields/builtin/project-jail.json +0 -64
package/dist/shields/builtin/redis.json +0 -78

package/dist/index.mjs CHANGED Viewed

@@ -258,8 +258,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path15 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path15}: ${issue.message}`;
+    const path13 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path13}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -272,789 +272,107 @@ ${lines.join("\n")}`
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
-var BUILTIN_DIR = path2.join(__dirname, "shields", "builtin");
-var USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");
-function validateShieldDefinition(raw, filePath) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
-    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
-`);
-    return null;
-  }
-  const r = raw;
-  if (typeof r.name !== "string" || !r.name) {
-    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
-`);
-    return null;
-  }
-  if (typeof r.description !== "string") {
-    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.aliases)) {
-    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.smartRules)) {
-    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.dangerousWords)) {
-    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
-`);
-    return null;
-  }
-  return r;
-}
-function loadShieldsFromDir(dir, label) {
-  const result = {};
-  let entries;
-  try {
-    entries = fs2.readdirSync(dir).filter((f) => f.endsWith(".json"));
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err)}
-`);
-    }
-    return result;
-  }
-  for (const file of entries) {
-    const filePath = path2.join(dir, file);
-    try {
-      const raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
-      const shield = validateShieldDefinition(raw, filePath);
-      if (shield) result[shield.name] = shield;
-    } catch (err) {
-      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err)}
-`);
-    }
-  }
-  return result;
-}
-function buildSHIELDS() {
-  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
-  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
-  return { ...builtins, ...userShields };
-}
-var SHIELDS = buildSHIELDS();
-function resolveShieldName(input) {
-  const lower = input.toLowerCase();
-  if (SHIELDS[lower]) return lower;
-  for (const [name, def] of Object.entries(SHIELDS)) {
-    if (def.aliases.includes(lower)) return name;
-  }
-  return null;
-}
-function getShield(name) {
-  const resolved = resolveShieldName(name);
-  return resolved ? SHIELDS[resolved] : null;
-}
-var SHIELDS_STATE_FILE = path2.join(os2.homedir(), ".node9", "shields.json");
-function isShieldVerdict(v) {
-  return v === "allow" || v === "review" || v === "block";
-}
-function validateOverrides(raw) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
-  const result = {};
-  for (const [shieldName, rules] of Object.entries(raw)) {
-    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
-    const validRules = {};
-    for (const [ruleName, verdict] of Object.entries(rules)) {
-      if (isShieldVerdict(verdict)) {
-        validRules[ruleName] = verdict;
-      } else {
-        process.stderr.write(
-          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
-`
-        );
-      }
-    }
-    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
-  }
-  return result;
+// packages/policy-engine/dist/index.mjs
+import safeRegex from "safe-regex2";
+import mvdanSh from "mvdan-sh";
+import pm from "picomatch";
+import safeRegex2 from "safe-regex2";
+import safeRegex3 from "safe-regex2";
+import crypto from "crypto";
+var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
+function isAssignmentContext(text) {
+  return ASSIGNMENT_CONTEXT_RE.test(text);
 }
-function readShieldsFile() {
-  try {
-    const raw = fs2.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return { active: [] };
-    const parsed = JSON.parse(raw);
-    const active = Array.isArray(parsed.active) ? parsed.active.filter(
-      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-    ) : [];
-    return { active, overrides: validateOverrides(parsed.overrides) };
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
-`);
-    }
-    return { active: [] };
+function shannonEntropy(s) {
+  if (s.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  let h = 0;
+  for (const count of freq.values()) {
+    const p = count / s.length;
+    h -= p * Math.log2(p);
   }
+  return h;
 }
-function readActiveShields() {
-  return readShieldsFile().active;
-}
-function readShieldOverrides() {
-  return readShieldsFile().overrides ?? {};
-}
-// src/config/index.ts
-var DANGEROUS_WORDS = [
-  "mkfs",
-  // formats/wipes a filesystem partition
-  "shred"
-  // permanently overwrites file contents (unrecoverable)
+var DLP_STOPWORDS = [
+  "example",
+  "placeholder",
+  "changeme",
+  "your_key",
+  "your_token",
+  "your_secret",
+  "replace_me",
+  "insert_key",
+  "put_your",
+  "fake",
+  "dummy",
+  "sample",
+  "xxxxxxxx",
+  "aaaaaa",
+  "bbbbbb",
+  "00000000",
+  "${",
+  "{{",
+  "%{",
+  "<your",
+  "test_key",
+  "test_token",
+  "your",
+  "here"
 ];
-var DEFAULT_CONFIG = {
-  version: "1.0",
-  settings: {
-    mode: "standard",
-    autoStartDaemon: true,
-    enableUndo: true,
-    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-    enableHookLogDebug: true,
-    approvalTimeoutMs: 12e4,
-    // 120-second auto-deny timeout
-    flightRecorder: true,
-    auditHashArgs: true,
-    approvers: { native: true, browser: false, cloud: false, terminal: true },
-    cloudSyncIntervalHours: 5
+var DLP_PATTERNS = [
+  // ── AWS ───────────────────────────────────────────────────────────────────
+  {
+    name: "AWS Access Key ID",
+    regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+    severity: "block",
+    keywords: ["akia", "asia", "abia", "acca", "a3t"]
   },
-  policy: {
-    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
-    dangerousWords: DANGEROUS_WORDS,
-    ignoredTools: [
-      "list_*",
-      "get_*",
-      "read_*",
-      "describe_*",
-      "read",
-      "glob",
-      "grep",
-      "ls",
-      "notebookread",
-      "notebookedit",
-      "webfetch",
-      "websearch",
-      "exitplanmode",
-      "askuserquestion",
-      "agent",
-      "task*",
-      "toolsearch",
-      "mcp__ide__*",
-      "getDiagnostics"
-    ],
-    toolInspection: {
-      bash: "command",
-      shell: "command",
-      run_shell_command: "command",
-      "terminal.execute": "command",
-      "postgres:query": "sql"
-    },
-    snapshot: {
-      tools: [
-        "str_replace_based_edit_tool",
-        "write_file",
-        "edit_file",
-        "create_file",
-        "edit",
-        "replace"
-      ],
-      onlyPaths: [],
-      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
-    },
-    smartRules: [
-      // ── rm safety (critical — always evaluated first) ──────────────────────
-      {
-        name: "block-rm-rf-home",
-        tool: "bash",
-        conditionMode: "all",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor rm as a shell command (not inside a string arg like a git commit message).
-            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
-          },
-          {
-            field: "command",
-            op: "matches",
-            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
-          }
-        ],
-        verdict: "block",
-        reason: "Recursive delete of home directory is irreversible",
-        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
-      },
-      // ── SQL safety ────────────────────────────────────────────────────────
-      {
-        name: "no-delete-without-where",
-        tool: "*",
-        conditions: [
-          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
-          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
-        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
-      },
-      {
-        name: "review-drop-truncate-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
-            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
-            flags: "i"
-          },
-          {
-            field: "command",
-            op: "matches",
-            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "SQL DDL destructive statement inside a shell command",
-        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
-      },
-      // ── Git safety ────────────────────────────────────────────────────────
-      {
-        name: "review-force-push",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor git as a shell command so node -e / python -c scripts containing
-            // "git push --force" as a string don't false-positive.
-            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Force push rewrites remote history \u2014 confirm this is intentional",
-        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
-      },
-      {
-        name: "review-git-destructive",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor git as a shell command so node -e / python -c scripts containing
-            // "git reset --hard" as a string don't false-positive.
-            value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
-            flags: "i"
-          },
-          {
-            field: "command",
-            op: "notMatches",
-            // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
-            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Destructive git operation \u2014 discards history or working-tree changes",
-        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
-      },
-      // ── Shell safety ──────────────────────────────────────────────────────
-      {
-        name: "review-sudo",
-        tool: "bash",
-        conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Command requires elevated privileges",
-        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
-      },
-      {
-        name: "review-curl-pipe-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor curl/wget as a shell command so node -e scripts testing this
-            // regex pattern don't self-match as a false positive.
-            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "block",
-        reason: "Piping remote script into a shell is a supply-chain attack vector",
-        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
-      }
-    ],
-    dlp: { enabled: true, scanIgnoredTools: true },
-    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
-    skillPinning: { enabled: false, mode: "warn", roots: [] }
+  // ── GitHub ────────────────────────────────────────────────────────────────
+  {
+    name: "GitHub Token",
+    regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
+    severity: "block",
+    keywords: ["ghp_", "gho_", "ghu_", "ghs_"],
+    minEntropy: 3
   },
-  environments: {}
-};
-var ADVISORY_SMART_RULES = [
-  // ── rm safety ─────────────────────────────────────────────────────────────
-  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
-  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
-  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
   {
-    name: "allow-rm-safe-paths",
-    tool: "*",
-    conditionMode: "all",
-    conditions: [
-      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
-      {
-        field: "command",
-        op: "matches",
-        // Matches known-safe build artifact paths in the command.
-        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
-      }
-    ],
-    verdict: "allow",
-    reason: "Deleting a known-safe build artifact path"
+    name: "GitHub Fine-Grained PAT",
+    regex: /\bgithub_pat_\w{82}\b/,
+    severity: "block",
+    keywords: ["github_pat_"]
   },
+  // ── Slack ─────────────────────────────────────────────────────────────────
   {
-    name: "review-rm",
-    tool: "*",
-    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
-    verdict: "review",
-    reason: "rm can permanently delete files \u2014 confirm the target path",
-    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
+    name: "Slack Bot Token",
+    // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
+    regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
+    severity: "block",
+    keywords: ["xoxb-"]
   },
-  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
-  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
-  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
-  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
-  // without a shield, users still get a human-approval gate on every destructive op.
+  // ── Anthropic ─────────────────────────────────────────────────────────────
+  // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
+  // match the broader OpenAI sk- pattern; more specific rules must come first.
   {
-    name: "review-drop-table-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
+    name: "Anthropic API Key",
+    regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-api03"]
   },
   {
-    name: "review-truncate-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
+    name: "Anthropic Admin Key",
+    regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-admin01"]
   },
+  // ── OpenAI ────────────────────────────────────────────────────────────────
   {
-    name: "review-drop-column-sql",
-    tool: "*",
-    conditions: [
-      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-    ],
-    verdict: "review",
-    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
-  }
-];
-var cachedConfig = null;
-function getCredentials() {
-  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  if (process.env.NODE9_API_KEY) {
-    return {
-      apiKey: process.env.NODE9_API_KEY,
-      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
-    };
-  }
-  try {
-    const credPath = path3.join(os3.homedir(), ".node9", "credentials.json");
-    if (fs3.existsSync(credPath)) {
-      const creds = JSON.parse(fs3.readFileSync(credPath, "utf-8"));
-      const profileName = process.env.NODE9_PROFILE || "default";
-      const profile = creds[profileName];
-      if (profile?.apiKey) {
-        return {
-          apiKey: profile.apiKey,
-          apiUrl: profile.apiUrl || DEFAULT_API_URL
-        };
-      }
-      if (creds.apiKey) {
-        return {
-          apiKey: creds.apiKey,
-          apiUrl: creds.apiUrl || DEFAULT_API_URL
-        };
-      }
-    }
-  } catch {
-  }
-  return null;
-}
-function getActiveEnvironment(config) {
-  const env = config.settings.environment || process.env.NODE_ENV || "development";
-  return config.environments[env] ?? null;
-}
-function getConfig(cwd) {
-  if (!cwd && cachedConfig) return cachedConfig;
-  const globalPath = path3.join(os3.homedir(), ".node9", "config.json");
-  const projectPath = path3.join(cwd ?? process.cwd(), "node9.config.json");
-  const globalConfig = tryLoadConfig(globalPath);
-  const projectConfig = tryLoadConfig(projectPath);
-  const mergedSettings = {
-    ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
-  };
-  const mergedPolicy = {
-    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
-    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
-    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
-    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
-    snapshot: {
-      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
-      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
-      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp },
-    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
-    skillPinning: {
-      ...DEFAULT_CONFIG.policy.skillPinning,
-      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
-    }
-  };
-  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
-  const applyLayer = (source) => {
-    if (!source) return;
-    const s = source.settings || {};
-    const p = source.policy || {};
-    if (s.mode !== void 0) mergedSettings.mode = s.mode;
-    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
-    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
-    if (s.enableHookLogDebug !== void 0)
-      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
-    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
-    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
-    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
-      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
-    if (s.environment !== void 0) mergedSettings.environment = s.environment;
-    if (s.cloudSyncIntervalHours !== void 0)
-      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
-    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
-    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
-    if (p.toolInspection)
-      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.smartRules) {
-      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
-      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
-      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
-      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
-      const filteredNonBlocks = defaultNonBlocks.filter(
-        (r) => !r.name || !userRuleNames.has(r.name)
-      );
-      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
-    }
-    if (p.snapshot) {
-      const s2 = p.snapshot;
-      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
-      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
-      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
-    }
-    if (p.dlp) {
-      const d = p.dlp;
-      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
-      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
-    }
-    if (p.loopDetection) {
-      const ld = p.loopDetection;
-      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
-      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
-      if (ld.windowSeconds !== void 0)
-        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
-    }
-    if (p.skillPinning && typeof p.skillPinning === "object") {
-      const sp = p.skillPinning;
-      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
-      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
-      if (Array.isArray(sp.roots)) {
-        for (const r of sp.roots) {
-          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
-        }
-      }
-    }
-    const envs = source.environments || {};
-    for (const [envName, envConfig] of Object.entries(envs)) {
-      if (envConfig && typeof envConfig === "object") {
-        const ec = envConfig;
-        mergedEnvironments[envName] = {
-          ...mergedEnvironments[envName],
-          // Validate field types before merging — do not blindly spread user input
-          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
-        };
-      }
-    }
-  };
-  applyLayer(globalConfig);
-  applyLayer(projectConfig);
-  {
-    const cacheFile = path3.join(os3.homedir(), ".node9", "rules-cache.json");
-    try {
-      const raw = JSON.parse(fs3.readFileSync(cacheFile, "utf-8"));
-      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
-        applyLayer({ policy: { smartRules: raw.rules } });
-      }
-    } catch {
-    }
-  }
-  const shieldOverrides = readShieldOverrides();
-  for (const shieldName of readActiveShields()) {
-    const shield = getShield(shieldName);
-    if (!shield) continue;
-    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-    const ruleOverrides = shieldOverrides[shieldName] ?? {};
-    for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) {
-        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
-        mergedPolicy.smartRules.push(
-          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
-        );
-      }
-    }
-    const existingWords = new Set(mergedPolicy.dangerousWords);
-    for (const word of shield.dangerousWords) {
-      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
-    }
-  }
-  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-  for (const rule of ADVISORY_SMART_RULES) {
-    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
-  }
-  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
-  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
-  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
-  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
-  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
-  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
-  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
-  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
-  const result = {
-    settings: mergedSettings,
-    policy: mergedPolicy,
-    environments: mergedEnvironments
-  };
-  if (!cwd) cachedConfig = result;
-  return result;
-}
-function tryLoadConfig(filePath) {
-  if (!fs3.existsSync(filePath)) return null;
-  let raw;
-  try {
-    raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Failed to parse ${filePath}
-   ${msg}
-   \u2192 Using default config
-`
-    );
-    return null;
-  }
-  const SUPPORTED_VERSION = "1.0";
-  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
-  const fileVersion = raw?.version;
-  if (fileVersion !== void 0) {
-    const vStr = String(fileVersion);
-    const fileMajor = vStr.split(".")[0];
-    if (fileMajor !== SUPPORTED_MAJOR) {
-      process.stderr.write(
-        `
-\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
-`
-      );
-      return null;
-    } else if (vStr !== SUPPORTED_VERSION) {
-      process.stderr.write(
-        `
-\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
-`
-      );
-    }
-  }
-  const { sanitized, error } = sanitizeConfig(raw);
-  if (error) {
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
-${error.replace("Invalid config:\n", "")}
-   \u2192 Invalid fields ignored, using defaults for those keys
-`
-    );
-  }
-  return sanitized;
-}
-// src/utils/regex.ts
-import safeRegex from "safe-regex2";
-var MAX_REGEX_LENGTH = 100;
-var REGEX_CACHE_MAX = 500;
-var regexCache = /* @__PURE__ */ new Map();
-function validateRegex(pattern) {
-  if (!pattern) return "Pattern is required";
-  if (pattern.length > MAX_REGEX_LENGTH) return `Pattern exceeds max length of ${MAX_REGEX_LENGTH}`;
-  try {
-    new RegExp(pattern);
-  } catch (e) {
-    return `Invalid regex syntax: ${e.message}`;
-  }
-  if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
-  if (!safeRegex(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
-  return null;
-}
-function getCompiledRegex(pattern, flags = "") {
-  if (flags && !/^[gimsuy]+$/.test(flags)) {
-    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Invalid regex flags: "${flags}"`);
-    return null;
-  }
-  const key = `${pattern}\0${flags}`;
-  if (regexCache.has(key)) {
-    const cached = regexCache.get(key);
-    regexCache.delete(key);
-    regexCache.set(key, cached);
-    return cached;
-  }
-  const err = validateRegex(pattern);
-  if (err) {
-    if (process.env.NODE9_DEBUG === "1")
-      console.error(`[Node9] Regex blocked: ${err} \u2014 pattern: "${pattern}"`);
-    return null;
-  }
-  try {
-    const re = new RegExp(pattern, flags);
-    if (regexCache.size >= REGEX_CACHE_MAX) {
-      const oldest = regexCache.keys().next().value;
-      if (oldest) regexCache.delete(oldest);
-    }
-    regexCache.set(key, re);
-    return re;
-  } catch (e) {
-    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Regex compile failed:`, e);
-    return null;
-  }
-}
-// src/policy/index.ts
-import path8 from "path";
-import pm from "picomatch";
-import mvdanSh from "mvdan-sh";
-// src/dlp.ts
-import fs4 from "fs";
-import path4 from "path";
-var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
-function isAssignmentContext(text) {
-  return ASSIGNMENT_CONTEXT_RE.test(text);
-}
-function shannonEntropy(s) {
-  if (s.length === 0) return 0;
-  const freq = /* @__PURE__ */ new Map();
-  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
-  let h = 0;
-  for (const count of freq.values()) {
-    const p = count / s.length;
-    h -= p * Math.log2(p);
-  }
-  return h;
-}
-var DLP_STOPWORDS = [
-  "example",
-  "placeholder",
-  "changeme",
-  "your_key",
-  "your_token",
-  "your_secret",
-  "replace_me",
-  "insert_key",
-  "put_your",
-  "fake",
-  "dummy",
-  "sample",
-  "xxxxxxxx",
-  "aaaaaa",
-  "bbbbbb",
-  "00000000",
-  "${",
-  "{{",
-  "%{",
-  "<your",
-  "test_key",
-  "test_token",
-  "your",
-  "here"
-];
-var DLP_PATTERNS = [
-  // ── AWS ───────────────────────────────────────────────────────────────────
-  {
-    name: "AWS Access Key ID",
-    regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+    name: "OpenAI API Key",
+    regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
     severity: "block",
-    keywords: ["akia", "asia", "abia", "acca", "a3t"]
-  },
-  // ── GitHub ────────────────────────────────────────────────────────────────
-  {
-    name: "GitHub Token",
-    regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
-    severity: "block",
-    keywords: ["ghp_", "gho_", "ghu_", "ghs_"],
-    minEntropy: 3
-  },
-  {
-    name: "GitHub Fine-Grained PAT",
-    regex: /\bgithub_pat_\w{82}\b/,
-    severity: "block",
-    keywords: ["github_pat_"]
-  },
-  // ── Slack ─────────────────────────────────────────────────────────────────
-  {
-    name: "Slack Bot Token",
-    // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
-    regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
-    severity: "block",
-    keywords: ["xoxb-"]
-  },
-  // ── Anthropic ─────────────────────────────────────────────────────────────
-  // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
-  // match the broader OpenAI sk- pattern; more specific rules must come first.
-  {
-    name: "Anthropic API Key",
-    regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
-    severity: "block",
-    keywords: ["sk-ant-api03"]
-  },
-  {
-    name: "Anthropic Admin Key",
-    regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
-    severity: "block",
-    keywords: ["sk-ant-admin01"]
-  },
-  // ── OpenAI ────────────────────────────────────────────────────────────────
-  {
-    name: "OpenAI API Key",
-    regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
-    severity: "block",
-    keywords: ["sk-"],
-    minEntropy: 3.5
+    keywords: ["sk-"],
+    minEntropy: 3.5
   },
   // ── Stripe ────────────────────────────────────────────────────────────────
   {
@@ -1389,1047 +707,2483 @@ var DLP_PATTERNS = [
     severity: "block",
     keywords: ["age-secret-key-"]
   }
-];
-var DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
-  (p) => ({
-    pattern: p,
-    globalRegex: new RegExp(
-      p.regex.source,
-      p.regex.flags.includes("g") ? p.regex.flags : p.regex.flags + "g"
-    )
-  })
-);
-var SENSITIVE_PATH_PATTERNS = [
-  /[/\\]\.ssh[/\\]/i,
-  /[/\\]\.aws[/\\]/i,
-  /[/\\]\.config[/\\]gcloud[/\\]/i,
-  /[/\\]\.azure[/\\]/i,
-  /[/\\]\.kube[/\\]config$/i,
-  /[/\\]\.env($|\.)/i,
-  // .env, .env.local, .env.production — not .envoy
-  /[/\\]\.git-credentials$/i,
-  /[/\\]\.npmrc$/i,
-  /[/\\]\.docker[/\\]config\.json$/i,
-  /[/\\][^/\\]+\.pem$/i,
-  /[/\\][^/\\]+\.key$/i,
-  /[/\\][^/\\]+\.p12$/i,
-  /[/\\][^/\\]+\.pfx$/i,
-  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
-  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
-  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
-  /[/\\]credentials\.json$/i,
-  /[/\\]id_rsa$/i,
-  /[/\\]id_ed25519$/i,
-  /[/\\]id_ecdsa$/i
-];
-function scanFilePath(filePath, cwd = process.cwd()) {
-  if (!filePath) return null;
-  let resolved;
-  try {
-    const absolute = path4.resolve(cwd, filePath);
-    resolved = fs4.realpathSync.native(absolute);
-  } catch (err) {
-    const code = err.code;
-    if (code === "ENOENT" || code === "ENOTDIR") {
-      resolved = path4.resolve(cwd, filePath);
+];
+var DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
+  (p) => ({
+    pattern: p,
+    globalRegex: new RegExp(
+      p.regex.source,
+      p.regex.flags.includes("g") ? p.regex.flags : p.regex.flags + "g"
+    )
+  })
+);
+var SENSITIVE_PATH_PATTERNS = [
+  /[/\\]\.ssh[/\\]/i,
+  /[/\\]\.aws[/\\]/i,
+  /[/\\]\.config[/\\]gcloud[/\\]/i,
+  /[/\\]\.azure[/\\]/i,
+  /[/\\]\.kube[/\\]config$/i,
+  /[/\\]\.env($|\.)/i,
+  // .env, .env.local, .env.production — not .envoy
+  /[/\\]\.git-credentials$/i,
+  /[/\\]\.npmrc$/i,
+  /[/\\]\.docker[/\\]config\.json$/i,
+  /[/\\][^/\\]+\.pem$/i,
+  /[/\\][^/\\]+\.key$/i,
+  /[/\\][^/\\]+\.p12$/i,
+  /[/\\][^/\\]+\.pfx$/i,
+  /^(?:[a-zA-Z]:)?\/etc\/passwd$/,
+  /^(?:[a-zA-Z]:)?\/etc\/shadow$/,
+  /^(?:[a-zA-Z]:)?\/etc\/sudoers$/,
+  /[/\\]credentials\.json$/i,
+  /[/\\]id_rsa$/i,
+  /[/\\]id_ed25519$/i,
+  /[/\\]id_ecdsa$/i
+];
+function matchSensitivePath(resolvedPath, originalPath) {
+  const normalised = resolvedPath.replace(/\\/g, "/");
+  for (const pattern of SENSITIVE_PATH_PATTERNS) {
+    if (pattern.test(normalised)) {
+      return {
+        patternName: "Sensitive File Path",
+        fieldPath: "file_path",
+        redactedSample: originalPath,
+        severity: "block"
+      };
+    }
+  }
+  return null;
+}
+function sensitivePathMatch(originalPath) {
+  return {
+    patternName: "Sensitive File Path",
+    fieldPath: "file_path",
+    redactedSample: originalPath,
+    severity: "block"
+  };
+}
+function assertBuiltinPatternsAreSafe() {
+  for (const p of DLP_PATTERNS) {
+    if (!safeRegex(p.regex.source)) {
+      throw new Error(
+        `[node9 engine] Builtin DLP pattern '${p.name}' is vulnerable to ReDoS: ${p.regex.source}`
+      );
+    }
+  }
+  for (const re of SENSITIVE_PATH_PATTERNS) {
+    if (!safeRegex(re.source)) {
+      throw new Error(
+        `[node9 engine] Builtin sensitive-path pattern is vulnerable to ReDoS: ${re.source}`
+      );
+    }
+  }
+}
+assertBuiltinPatternsAreSafe();
+function maskSecret(raw, pattern) {
+  const match = raw.match(pattern);
+  if (!match) return "****";
+  const secret = match[0];
+  if (secret.length < 8) return "****";
+  const prefix = secret.slice(0, 4);
+  const suffix = secret.slice(-4);
+  const stars = "*".repeat(Math.min(secret.length - 8, 12));
+  return `${prefix}${stars}${suffix}`;
+}
+var MAX_DEPTH = 5;
+var MAX_STRING_BYTES = 1e5;
+var MAX_JSON_PARSE_BYTES = 1e4;
+function scanArgs(args, depth = 0, fieldPath = "args") {
+  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
+  if (Array.isArray(args)) {
+    for (let i = 0; i < args.length; i++) {
+      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "object") {
+    for (const [key, value] of Object.entries(args)) {
+      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
+      if (match) return match;
+    }
+    return null;
+  }
+  if (typeof args === "string") {
+    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
+    const textLower = text.toLowerCase();
+    const assignmentCtx = isAssignmentContext(text);
+    for (const pattern of DLP_PATTERNS) {
+      if (pattern.keywords && !pattern.keywords.some((kw) => textLower.includes(kw.toLowerCase()))) {
+        continue;
+      }
+      if (pattern.regex.test(text)) {
+        const raw = text.match(pattern.regex)?.[0] ?? "";
+        if (DLP_STOPWORDS.some((sw) => raw.toLowerCase().includes(sw))) continue;
+        if (pattern.minEntropy !== void 0 && shannonEntropy(raw) < pattern.minEntropy) continue;
+        const severity = pattern.contextBoost && assignmentCtx ? "block" : pattern.severity;
+        return {
+          patternName: pattern.name,
+          fieldPath,
+          redactedSample: maskSecret(text, pattern.regex),
+          severity
+        };
+      }
+    }
+    if (text.length < MAX_JSON_PARSE_BYTES) {
+      const trimmed = text.trim();
+      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+        try {
+          const parsed = JSON.parse(text);
+          const inner = scanArgs(parsed, depth + 1, fieldPath);
+          if (inner) return inner;
+        } catch {
+        }
+      }
+    }
+  }
+  return null;
+}
+var { syntax } = mvdanSh;
+var sharedParser = syntax.NewParser();
+var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
+  "-m",
+  "--message",
+  "--body",
+  "--title",
+  "--description",
+  "--comment",
+  "--subject",
+  "--summary"
+]);
+var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
+var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+function normalizeCommandForPolicy(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    const strips = [];
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      for (let i = 0; i < args.length - 1; i++) {
+        const argParts = args[i].Parts || [];
+        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
+        const flagVal = argParts[0].Value || "";
+        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
+        const next = args[i + 1];
+        const nextParts = next.Parts || [];
+        if (nextParts.length !== 1) continue;
+        const quotedNode = nextParts[0];
+        const nt = syntax.NodeType(quotedNode);
+        if (nt === "SglQuoted") {
+          strips.push([next.Pos().Offset(), next.End().Offset()]);
+        } else if (nt === "DblQuoted") {
+          const innerParts = quotedNode.Parts || [];
+          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
+          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+        }
+      }
+      return true;
+    });
+    if (strips.length === 0) return command;
+    strips.sort((a, b) => b[0] - a[0]);
+    let result = command;
+    for (const [start, end] of strips) {
+      result = result.slice(0, start) + '""' + result.slice(end);
+    }
+    return result;
+  } catch {
+    return command;
+  }
+}
+function scanArgsForDynamicExec(args, startIdx) {
+  let hasCmdSubst = false;
+  let hasParamExp = false;
+  let hasCurl = false;
+  for (let i = startIdx; i < args.length; i++) {
+    syntax.Walk(args[i], (inner) => {
+      if (!inner) return false;
+      const inn = inner;
+      const it = syntax.NodeType(inn);
+      if (it === "CmdSubst") hasCmdSubst = true;
+      if (it === "ParamExp") hasParamExp = true;
+      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
+      return true;
+    });
+  }
+  if (hasCmdSubst && hasCurl) return "block";
+  if (hasCmdSubst || hasParamExp) return "review";
+  return null;
+}
+function detectDangerousShellExec(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    let result = null;
+    syntax.Walk(f, (node) => {
+      if (!node || result === "block") return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      if (args.length === 0) return true;
+      const firstParts = args[0].Parts || [];
+      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
+      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
+      if (cmdName === "eval") {
+        const v = scanArgsForDynamicExec(args, 1);
+        if (v === "block" || v === "review" && result === null) result = v;
+      } else if (SHELL_INTERPRETERS.has(cmdName)) {
+        for (let i = 1; i < args.length - 1; i++) {
+          const flagParts = args[i].Parts || [];
+          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
+            continue;
+          const v = scanArgsForDynamicExec(args, i + 1);
+          if (v === "block" || v === "review" && result === null) result = v;
+          break;
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
+function analyzeShellCommand(command) {
+  const actions = [];
+  const paths = [];
+  const allTokens = [];
+  const addToken = (token) => {
+    const lower = token.toLowerCase();
+    allTokens.push(lower);
+    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
+    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
+  };
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const wordValues = (n.Args || []).map((arg) => {
+        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
+      }).filter((s) => s.length > 0);
+      if (wordValues.length > 0) {
+        const cmd = wordValues[0].toLowerCase();
+        if (!actions.includes(cmd)) actions.push(cmd);
+        wordValues.forEach((w) => addToken(w));
+        wordValues.slice(1).forEach((w) => {
+          if (!w.startsWith("-")) paths.push(w);
+        });
+      }
+      return true;
+    });
+  } catch {
+  }
+  if (allTokens.length === 0) {
+    const normalized = command.replace(/\\(.)/g, "$1");
+    const sanitized = normalized.replace(/["'<>]/g, " ");
+    const segments = sanitized.split(/[|;&]|\$\(|\)|`/);
+    segments.forEach((segment) => {
+      const tokens = segment.trim().split(/\s+/).filter(Boolean);
+      if (tokens.length > 0) {
+        const action = tokens[0].toLowerCase();
+        if (!actions.includes(action)) actions.push(action);
+        tokens.forEach((t) => {
+          addToken(t);
+          if (t !== tokens[0] && !t.startsWith("-")) {
+            if (!paths.includes(t)) paths.push(t);
+          }
+        });
+      }
+    });
+  }
+  return { actions, paths, allTokens };
+}
+var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+  "cat",
+  "head",
+  "tail",
+  "grep",
+  "awk",
+  "sed",
+  "cut",
+  "sort",
+  "tee",
+  "less",
+  "more",
+  "strings",
+  "xxd"
+]);
+var SINK_COMMANDS = /* @__PURE__ */ new Set([
+  "curl",
+  "wget",
+  "nc",
+  "ncat",
+  "netcat",
+  "ssh",
+  "scp",
+  "rsync",
+  "socat",
+  "ftp",
+  "sftp",
+  "telnet"
+]);
+var OBFUSCATORS = /* @__PURE__ */ new Set([
+  "base64",
+  "gzip",
+  "gunzip",
+  "bzip2",
+  "xz",
+  "zstd",
+  "openssl",
+  "gpg",
+  "python",
+  "python3",
+  "perl",
+  "ruby",
+  "node"
+]);
+var SENSITIVE_PATTERNS = [
+  /(?:^|\/)\.env(?:\.|$)/i,
+  // .env, .env.local, .env.production
+  /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
+  // SSH private keys
+  /\.pem$|\.key$|\.p12$|\.pfx$/i,
+  // certificate files
+  /(?:^|\/)\.ssh\//i,
+  // ~/.ssh/ directory
+  /(?:^|\/)\.aws\/credentials/i,
+  // AWS credentials
+  /(?:^|\/)\.netrc$/i,
+  // netrc (stores HTTP credentials)
+  /(?:^|\/)(passwd|shadow|sudoers)$/i,
+  // /etc/passwd, /etc/shadow
+  /(?:^|\/)credentials(?:\.json)?$/i
+  // generic credentials files
+];
+function isSensitivePath(p) {
+  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+}
+function splitOnPipe(cmd) {
+  const segments = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
+      segments.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments.filter(Boolean);
+}
+function positionalTokens(segment) {
+  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
+}
+function analyzePipeChain(command) {
+  const segments = splitOnPipe(command);
+  if (segments.length < 2) {
+    return {
+      isPipeline: false,
+      hasSensitiveSource: false,
+      hasExternalSink: false,
+      hasObfuscation: false,
+      sourceFiles: [],
+      sinkTargets: [],
+      risk: "none"
+    };
+  }
+  const sourceFiles = [];
+  const sinkTargets = [];
+  let hasSensitiveSource = false;
+  let hasExternalSink = false;
+  let hasObfuscation = false;
+  for (const segment of segments) {
+    const tokens = segment.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0) continue;
+    const binary = tokens[0].toLowerCase();
+    const args = positionalTokens(segment);
+    if (SOURCE_COMMANDS.has(binary)) {
+      sourceFiles.push(...args);
+      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+    }
+    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
+    if (SINK_COMMANDS.has(binary)) {
+      const targets = args.filter(
+        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
+      );
+      sinkTargets.push(...targets);
+      if (targets.length > 0) hasExternalSink = true;
+    }
+  }
+  const fullCmd = command.toLowerCase();
+  if (!hasSensitiveSource) {
+    const redirMatch = fullCmd.match(/<\s*(\S+)/);
+    if (redirMatch && isSensitivePath(redirMatch[1])) {
+      hasSensitiveSource = true;
+      sourceFiles.push(redirMatch[1]);
+    }
+  }
+  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
+  return {
+    isPipeline: true,
+    hasSensitiveSource,
+    hasExternalSink,
+    hasObfuscation,
+    sourceFiles,
+    sinkTargets,
+    risk
+  };
+}
+function basename(p) {
+  const segments = p.split(/[\\/]/);
+  return segments[segments.length - 1] || "";
+}
+var FLAGS_WITH_VALUES = {
+  curl: /* @__PURE__ */ new Set([
+    "-H",
+    "--header",
+    "-A",
+    "--user-agent",
+    "-e",
+    "--referer",
+    "-x",
+    "--proxy",
+    "-u",
+    "--user",
+    "-d",
+    "--data",
+    "--data-raw",
+    "--data-binary",
+    "-o",
+    "--output",
+    "-F",
+    "--form",
+    "--connect-to",
+    "--resolve",
+    "--cacert",
+    "--cert",
+    "--key",
+    "-m",
+    "--max-time"
+  ]),
+  wget: /* @__PURE__ */ new Set([
+    "-O",
+    "--output-document",
+    "-P",
+    "--directory-prefix",
+    "-U",
+    "--user-agent",
+    "-e",
+    "--execute",
+    "--proxy",
+    "--ca-certificate"
+  ]),
+  nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
+  ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
+  netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
+  ssh: /* @__PURE__ */ new Set([
+    "-i",
+    "-l",
+    "-p",
+    "-o",
+    "-E",
+    "-F",
+    "-J",
+    "-L",
+    "-R",
+    "-W",
+    "-b",
+    "-c",
+    "-D",
+    "-e",
+    "-I",
+    "-S"
+  ]),
+  scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
+  rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
+  socat: /* @__PURE__ */ new Set([])
+  // socat uses address syntax, not flags — no value-flags
+};
+function extractPositionalArgs(tokens, binary) {
+  const binaryName = basename(binary).replace(/\.exe$/i, "");
+  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
+  const positional = [];
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (token.startsWith("--") && token.includes("=")) continue;
+    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    if (token.startsWith("--") && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    const shortFlag = token.slice(0, 2);
+    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
+    if (token.startsWith("-")) continue;
+    if (token.startsWith("@")) continue;
+    positional.push(token);
+  }
+  return positional;
+}
+function extractNetworkTargets(tokens, binary) {
+  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
+    const colonIdx = t.indexOf(":");
+    if (colonIdx === -1) return t;
+    const afterColon = t.slice(colonIdx + 1);
+    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
+    return t;
+  }).filter(Boolean);
+}
+function tokenize(cmd) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (const ch of cmd) {
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
     } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function parseHost(raw) {
+  return raw.split("@").pop().split(":")[0];
+}
+function extractAllSshHosts(tokens) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i];
+    if (t === "-J" && tokens[i + 1]) {
+      for (const hop of tokens[++i].split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
+      const val = tokens[++i].split("=").slice(1).join("=");
+      for (const hop of val.split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
+      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
+      const subTokens = tokenize(raw);
+      const binary = subTokens[0] ?? "";
+      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
+      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
+      continue;
+    }
+    if (!t.startsWith("-")) {
+      const h = parseHost(t);
+      if (h) hosts.add(h);
+    }
+  }
+  return [...hosts].filter(Boolean);
+}
+var MAX_REGEX_LENGTH = 100;
+var REGEX_CACHE_MAX = 500;
+var regexCache = /* @__PURE__ */ new Map();
+function validateRegex(pattern) {
+  if (!pattern) return "Pattern is required";
+  if (pattern.length > MAX_REGEX_LENGTH) return `Pattern exceeds max length of ${MAX_REGEX_LENGTH}`;
+  try {
+    new RegExp(pattern);
+  } catch (e) {
+    return `Invalid regex syntax: ${e.message}`;
+  }
+  if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
+  if (!safeRegex2(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  return null;
+}
+function getCompiledRegex(pattern, flags = "") {
+  if (flags && !/^[gimsuy]+$/.test(flags)) return null;
+  const key = `${pattern}\0${flags}`;
+  if (regexCache.has(key)) {
+    const cached = regexCache.get(key);
+    regexCache.delete(key);
+    regexCache.set(key, cached);
+    return cached;
+  }
+  if (validateRegex(pattern) !== null) return null;
+  try {
+    const re = new RegExp(pattern, flags);
+    if (regexCache.size >= REGEX_CACHE_MAX) {
+      const oldest = regexCache.keys().next().value;
+      if (oldest) regexCache.delete(oldest);
+    }
+    regexCache.set(key, re);
+    return re;
+  } catch {
+    return null;
+  }
+}
+function matchesPattern(text, patterns) {
+  const p = Array.isArray(patterns) ? patterns : [patterns];
+  if (p.length === 0) return false;
+  const isMatch = pm(p, { nocase: true, dot: true });
+  const target = text.toLowerCase();
+  const directMatch = isMatch(target);
+  if (directMatch) return true;
+  const withoutDotSlash = text.replace(/^\.\//, "");
+  return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
+}
+var FORBIDDEN_PATH_SEGMENTS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function getNestedValue(obj, path13) {
+  if (!obj || typeof obj !== "object") return null;
+  const segments = path13.split(".");
+  for (const seg of segments) {
+    if (FORBIDDEN_PATH_SEGMENTS.has(seg)) return null;
+  }
+  return segments.reduce((prev, curr) => prev?.[curr], obj);
+}
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        const reM = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reM) return false;
+        return reM.test(val);
+      }
+      case "notMatches": {
+        if (!cond.value) return false;
+        if (val === null) return true;
+        const reN = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reN) return false;
+        return !reN.test(val);
+      }
+      case "matchesGlob":
+        return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
+      case "notMatchesGlob":
+        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : false;
+      default:
+        return false;
+    }
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
+function tokenize2(toolName) {
+  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
+}
+function extractShellCommand(toolName, args, toolInspection) {
+  const patterns = Object.keys(toolInspection);
+  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
+  if (!matchingPattern) return null;
+  const fieldPath = toolInspection[matchingPattern];
+  const value = getNestedValue(args, fieldPath);
+  return typeof value === "string" ? value : null;
+}
+function isSqlTool(toolName, toolInspection) {
+  const patterns = Object.keys(toolInspection);
+  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
+  if (!matchingPattern) return false;
+  const fieldName = toolInspection[matchingPattern];
+  return fieldName === "sql" || fieldName === "query";
+}
+var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
+async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
+  const { agent, cwd, activeEnvironment } = context;
+  const { checkProvenance: checkProvenance2, isTrustedHost: isTrustedHost2 } = hooks;
+  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
+  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
+    if (dlpMatch) {
       return {
-        patternName: "Sensitive File Path",
-        fieldPath: "file_path",
-        redactedSample: filePath,
-        severity: "block"
+        decision: dlpMatch.severity,
+        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
+        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
       };
     }
   }
-  const normalised = resolved.replace(/\\/g, "/");
-  for (const pattern of SENSITIVE_PATH_PATTERNS) {
-    if (pattern.test(normalised)) {
+  if (wouldBeIgnored) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
       return {
-        patternName: "Sensitive File Path",
-        fieldPath: "file_path",
-        redactedSample: filePath,
-        // show original path in alert, not resolved
-        severity: "block"
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool,
+        ...(matchedRule.description ?? matchedRule.reason) && {
+          ruleDescription: matchedRule.description ?? matchedRule.reason
+        },
+        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
+          dependsOnStatePredicates: matchedRule.dependsOnState
+        },
+        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
+          recoveryCommand: matchedRule.recoveryCommand
+        }
       };
     }
   }
-  return null;
-}
-function maskSecret(raw, pattern) {
-  const match = raw.match(pattern);
-  if (!match) return "****";
-  const secret = match[0];
-  if (secret.length < 8) return "****";
-  const prefix = secret.slice(0, 4);
-  const suffix = secret.slice(-4);
-  const stars = "*".repeat(Math.min(secret.length - 8, 12));
-  return `${prefix}${stars}${suffix}`;
-}
-var MAX_DEPTH = 5;
-var MAX_STRING_BYTES = 1e5;
-var MAX_JSON_PARSE_BYTES = 1e4;
-function scanArgs(args, depth = 0, fieldPath = "args") {
-  if (depth > MAX_DEPTH || args === null || args === void 0) return null;
-  if (Array.isArray(args)) {
-    for (let i = 0; i < args.length; i++) {
-      const match = scanArgs(args[i], depth + 1, `${fieldPath}[${i}]`);
-      if (match) return match;
+  let allTokens = [];
+  let pathTokens = [];
+  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
+  if (shellCommand) {
+    const analyzed = analyzeShellCommand(shellCommand);
+    allTokens = analyzed.allTokens;
+    pathTokens = analyzed.paths;
+    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
+    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9 Standard (Inline Execution)",
+        ruleDescription: "The AI is running code directly from the command line. Review the full script below before allowing it to execute.",
+        tier: 3
+      };
     }
-    return null;
-  }
-  if (typeof args === "object") {
-    for (const [key, value] of Object.entries(args)) {
-      const match = scanArgs(value, depth + 1, `${fieldPath}.${key}`);
-      if (match) return match;
+    const evalVerdict = detectDangerousShellExec(shellCommand);
+    if (evalVerdict === "block") {
+      return {
+        decision: "block",
+        blockedByLabel: "Node9: Eval Remote Execution",
+        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
+        ruleDescription: "The AI is downloading a script from the internet and running it immediately without inspection. This is a common way malware gets installed.",
+        tier: 3
+      };
     }
-    return null;
-  }
-  if (typeof args === "string") {
-    const text = args.length > MAX_STRING_BYTES ? args.slice(0, MAX_STRING_BYTES) : args;
-    const textLower = text.toLowerCase();
-    const assignmentCtx = isAssignmentContext(text);
-    for (const pattern of DLP_PATTERNS) {
-      if (pattern.keywords && !pattern.keywords.some((kw) => textLower.includes(kw.toLowerCase()))) {
-        continue;
+    if (evalVerdict === "review") {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Eval Dynamic Content",
+        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
+        ruleDescription: "The AI is running a command that includes a variable or subshell expansion. The actual command executed at runtime may differ from what is shown here.",
+        tier: 3
+      };
+    }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
+      const sinks = pipeAnalysis.sinkTargets;
+      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
+      if (pipeAnalysis.risk === "critical") {
+        if (allTrusted) {
+          return {
+            decision: "review",
+            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+            tier: 3
+          };
+        }
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+          tier: 3
+        };
       }
-      if (pattern.regex.test(text)) {
-        const raw = text.match(pattern.regex)?.[0] ?? "";
-        if (DLP_STOPWORDS.some((sw) => raw.toLowerCase().includes(sw))) continue;
-        if (pattern.minEntropy !== void 0 && shannonEntropy(raw) < pattern.minEntropy) continue;
-        const severity = pattern.contextBoost && assignmentCtx ? "block" : pattern.severity;
+      if (allTrusted) {
         return {
-          patternName: pattern.name,
-          fieldPath,
-          redactedSample: maskSecret(text, pattern.regex),
-          severity
+          decision: "allow",
+          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+          tier: 3
         };
       }
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+        tier: 3
+      };
     }
-    if (text.length < MAX_JSON_PARSE_BYTES) {
-      const trimmed = text.trim();
-      if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
-        try {
-          const parsed = JSON.parse(text);
-          const inner = scanArgs(parsed, depth + 1, fieldPath);
-          if (inner) return inner;
-        } catch {
-        }
-      }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
     }
-  }
-  return null;
-}
-// src/utils/provenance.ts
-import fs5 from "fs";
-import path5 from "path";
-import os4 from "os";
-var SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
-var MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
-var USER_PREFIXES = [
-  path5.join(os4.homedir(), "bin"),
-  path5.join(os4.homedir(), ".local", "bin"),
-  path5.join(os4.homedir(), ".cargo", "bin"),
-  path5.join(os4.homedir(), ".npm-global", "bin"),
-  path5.join(os4.homedir(), ".volta", "bin")
-];
-var SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
-function findInPath(cmd) {
-  if (path5.posix.isAbsolute(cmd)) return cmd;
-  const pathEnv = process.env.PATH ?? "";
-  for (const dir of pathEnv.split(path5.delimiter)) {
-    if (!dir) continue;
-    const full = path5.join(dir, cmd);
-    try {
-      fs5.accessSync(full, fs5.constants.X_OK);
-      return full;
-    } catch {
+    if (firstToken && firstToken.startsWith("/") && checkProvenance2) {
+      const prov = checkProvenance2(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
     }
-  }
-  return null;
-}
-function _classifyPath(resolved, cwd) {
-  if (cwd && resolved.startsWith(cwd + "/")) {
-    return { trustLevel: "user", reason: "binary in project directory" };
-  }
-  const osTmp = os4.tmpdir();
-  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
-  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
-  }
-  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "system", reason: "" };
-  }
-  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "managed", reason: "" };
-  }
-  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "user", reason: "" };
-  }
-  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
-}
-function checkProvenance(cmd, cwd) {
-  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
-  if (path5.posix.isAbsolute(bare)) {
-    const early = _classifyPath(bare, cwd);
-    if (early.trustLevel === "suspect") {
-      return { resolvedPath: bare, ...early };
+    if (isSqlTool(toolName, config.policy.toolInspection)) {
+      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    }
+  } else {
+    allTokens = tokenize2(toolName);
+    if (args && typeof args === "object") {
+      const flattenedArgs = JSON.stringify(args).toLowerCase();
+      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
+      allTokens.push(...extraTokens);
     }
   }
-  let resolved;
-  try {
-    const found = findInPath(bare);
-    if (!found) {
-      return {
-        resolvedPath: cmd,
-        trustLevel: "unknown",
-        reason: "binary not found in PATH"
-      };
+  const isManual = agent === "Terminal";
+  if (isManual) {
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
     }
-    resolved = fs5.realpathSync(found);
-  } catch {
-    return {
-      resolvedPath: cmd,
-      trustLevel: "unknown",
-      reason: "binary not found in PATH"
-    };
+    return { decision: "allow" };
   }
-  try {
-    const stat = fs5.statSync(resolved);
-    if (stat.mode & 2) {
-      return {
-        resolvedPath: resolved,
-        trustLevel: "suspect",
-        reason: "binary is world-writable"
-      };
+  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
+    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
+    if (allInSandbox) return { decision: "allow" };
+  }
+  let matchedDangerousWord;
+  const isDangerous = allTokens.some(
+    (token) => config.policy.dangerousWords.some((word) => {
+      const w = word.toLowerCase();
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
+    })
+  );
+  if (isDangerous) {
+    let matchedField;
+    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
+      const obj = args;
+      for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === "string") {
+          try {
+            if (new RegExp(
+              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
+              "i"
+            ).test(value)) {
+              matchedField = key;
+              break;
+            }
+          } catch {
+          }
+        }
+      }
     }
-  } catch {
     return {
-      resolvedPath: resolved,
-      trustLevel: "unknown",
-      reason: "could not stat binary"
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
+      matchedWord: matchedDangerousWord,
+      matchedField,
+      ruleDescription: `This command contains a flagged keyword ("${matchedDangerousWord}") from your node9 config. Review it before allowing.`,
+      tier: 6
     };
   }
-  const classify = _classifyPath(resolved, cwd);
-  return { resolvedPath: resolved, ...classify };
+  if (config.settings.mode === "strict") {
+    if (activeEnvironment?.requireApproval === false) return { decision: "allow" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
+  }
+  return { decision: "allow" };
 }
-// src/policy/pipe-chain.ts
-var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
-  "cat",
-  "head",
-  "tail",
-  "grep",
-  "awk",
-  "sed",
-  "cut",
-  "sort",
-  "tee",
-  "less",
-  "more",
-  "strings",
-  "xxd"
-]);
-var SINK_COMMANDS = /* @__PURE__ */ new Set([
-  "curl",
-  "wget",
-  "nc",
-  "ncat",
-  "netcat",
-  "ssh",
-  "scp",
-  "rsync",
-  "socat",
-  "ftp",
-  "sftp",
-  "telnet"
-]);
-var OBFUSCATORS = /* @__PURE__ */ new Set([
-  "base64",
-  "gzip",
-  "gunzip",
-  "bzip2",
-  "xz",
-  "zstd",
-  "openssl",
-  "gpg",
-  "python",
-  "python3",
-  "perl",
-  "ruby",
-  "node"
-]);
-var SENSITIVE_PATTERNS = [
-  /(?:^|\/)\.env(?:\.|$)/i,
-  // .env, .env.local, .env.production
-  /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
-  // SSH private keys
-  /\.pem$|\.key$|\.p12$|\.pfx$/i,
-  // certificate files
-  /(?:^|\/)\.ssh\//i,
-  // ~/.ssh/ directory
-  /(?:^|\/)\.aws\/credentials/i,
-  // AWS credentials
-  /(?:^|\/)\.netrc$/i,
-  // netrc (stores HTTP credentials)
-  /(?:^|\/)(passwd|shadow|sudoers)$/i,
-  // /etc/passwd, /etc/shadow
-  /(?:^|\/)credentials(?:\.json)?$/i
-  // generic credentials files
-];
-function isSensitivePath(p) {
-  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+function isIgnoredTool(toolName, config) {
+  return matchesPattern(toolName, config.policy.ignoredTools);
 }
-function splitOnPipe(cmd) {
-  const segments = [];
-  let current = "";
-  let inSingle = false;
-  let inDouble = false;
-  for (let i = 0; i < cmd.length; i++) {
-    const ch = cmd[i];
-    if (ch === "'" && !inDouble) {
-      inSingle = !inSingle;
-      current += ch;
-    } else if (ch === '"' && !inSingle) {
-      inDouble = !inDouble;
-      current += ch;
-    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
-      segments.push(current.trim());
-      current = "";
-    } else {
-      current += ch;
+var aws_default = {
+  name: "aws",
+  description: "Protects AWS infrastructure from destructive AI operations",
+  aliases: ["amazon"],
+  smartRules: [
+    {
+      name: "shield:aws:block-delete-s3-bucket",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+    },
+    {
+      name: "shield:aws:review-iam-changes",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "IAM changes require human approval (AWS shield)"
+    },
+    {
+      name: "shield:aws:block-ec2-terminate",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+ec2\\s+terminate-instances",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+    },
+    {
+      name: "shield:aws:review-rds-delete",
+      tool: "*",
+      conditions: [
+        { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "RDS deletion requires human approval (AWS shield)"
+    }
+  ],
+  dangerousWords: []
+};
+var bash_safe_default = {
+  name: "bash-safe",
+  description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+  aliases: ["bash", "shell"],
+  smartRules: [
+    {
+      name: "shield:bash-safe:block-pipe-to-shell",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-obfuscated-exec",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bbase64\\s+(-d|--decode)[^|;&]*\\|\\s*(bash|sh|zsh)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-rm-root",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-disk-overwrite",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-eval-remote",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*eval\\s+.*\\$\\((curl|wget)\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "eval of remote download is a near-certain supply-chain attack \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:review-eval-dynamic",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: '(^|&&|\\|\\||[;|\\n{(`])\\s*eval\\s+([\\$`(]|"[^"]*\\$)',
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "eval of dynamic content \u2014 backup regex rule for scan path (real-time uses AST detection)"
+    }
+  ],
+  dangerousWords: []
+};
+var docker_default = {
+  name: "docker",
+  description: "Protects Docker environments from destructive AI operations",
+  aliases: [],
+  smartRules: [
+    {
+      name: "shield:docker:block-system-prune",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+system\\s+prune",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "docker system prune removes all unused containers, images, and volumes \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:block-volume-prune",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+volume\\s+prune",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "docker volume prune destroys all unused volumes and their data \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:block-rm-force",
+      tool: "*",
+      conditionMode: "all",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+rm\\b",
+          flags: "i"
+        },
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|\\s)(-f|--force)(\\s|$)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Force-removing running containers is destructive \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:review-volume-rm",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+volume\\s+rm\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Volume removal deletes persistent data and requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-stop-kill",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+(stop|kill)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Stopping or killing containers requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-image-rm",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+image\\s+rm\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Image removal requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-rmi-force",
+      tool: "*",
+      conditionMode: "all",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+rmi\\b",
+          flags: "i"
+        },
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|\\s)(-f|--force)(\\s|$)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Force image removal requires human approval (Docker shield)"
     }
-  }
-  if (current.trim()) segments.push(current.trim());
-  return segments.filter(Boolean);
-}
-function positionalTokens(segment) {
-  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
-}
-function analyzePipeChain(command) {
-  const segments = splitOnPipe(command);
-  if (segments.length < 2) {
-    return {
-      isPipeline: false,
-      hasSensitiveSource: false,
-      hasExternalSink: false,
-      hasObfuscation: false,
-      sourceFiles: [],
-      sinkTargets: [],
-      risk: "none"
-    };
-  }
-  const sourceFiles = [];
-  const sinkTargets = [];
-  let hasSensitiveSource = false;
-  let hasExternalSink = false;
-  let hasObfuscation = false;
-  for (const segment of segments) {
-    const tokens = segment.split(/\s+/).filter(Boolean);
-    if (tokens.length === 0) continue;
-    const binary = tokens[0].toLowerCase();
-    const args = positionalTokens(segment);
-    if (SOURCE_COMMANDS.has(binary)) {
-      sourceFiles.push(...args);
-      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+  ],
+  dangerousWords: []
+};
+var filesystem_default = {
+  name: "filesystem",
+  description: "Protects the local filesystem from dangerous AI operations",
+  aliases: ["fs"],
+  smartRules: [
+    {
+      name: "shield:filesystem:review-chmod-777",
+      tool: "bash",
+      conditions: [
+        { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "chmod 777 requires human approval (filesystem shield)"
+    },
+    {
+      name: "shield:filesystem:review-write-etc",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+        }
+      ],
+      verdict: "review",
+      reason: "Writing to /etc requires human approval (filesystem shield)"
     }
-    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
-    if (SINK_COMMANDS.has(binary)) {
-      const targets = args.filter(
-        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
-      );
-      sinkTargets.push(...targets);
-      if (targets.length > 0) hasExternalSink = true;
+  ],
+  dangerousWords: ["wipefs"]
+};
+var github_default = {
+  name: "github",
+  description: "Protects GitHub repositories from destructive AI operations",
+  aliases: ["git"],
+  smartRules: [
+    {
+      name: "shield:github:review-delete-branch-remote",
+      tool: "bash",
+      conditions: [
+        { field: "command", op: "matches", value: "git\\s+push\\s+.*--delete", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "Remote branch deletion requires human approval (GitHub shield)"
+    },
+    {
+      name: "shield:github:block-delete-repo",
+      tool: "*",
+      conditions: [
+        { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
     }
-  }
-  const fullCmd = command.toLowerCase();
-  if (!hasSensitiveSource) {
-    const redirMatch = fullCmd.match(/<\s*(\S+)/);
-    if (redirMatch && isSensitivePath(redirMatch[1])) {
-      hasSensitiveSource = true;
-      sourceFiles.push(redirMatch[1]);
+  ],
+  dangerousWords: []
+};
+var k8s_default = {
+  name: "k8s",
+  description: "Protects Kubernetes clusters from destructive AI operations",
+  aliases: ["kubernetes", "kubectl"],
+  smartRules: [
+    {
+      name: "shield:k8s:block-delete-namespace",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+(ns|namespace)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Deleting a namespace destroys all resources inside it \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:block-delete-all",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+.*--all\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "kubectl delete --all is irreversible \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:block-helm-uninstall",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "helm\\s+(uninstall|delete|del)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "helm uninstall removes a release and its resources \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:review-scale-zero",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+scale\\s+.*--replicas=0",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Scaling to zero takes down a workload and requires human approval (k8s shield)"
+    },
+    {
+      name: "shield:k8s:review-delete-deployment",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+(deployment|deploy|statefulset|sts|daemonset|ds)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Deleting a workload requires human approval (k8s shield)"
+    },
+    {
+      name: "shield:k8s:review-apply-force",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+(apply|replace)\\s+.*--force",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Force-apply overwrites live resources and requires human approval (k8s shield)"
     }
-  }
-  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
-  return {
-    isPipeline: true,
-    hasSensitiveSource,
-    hasExternalSink,
-    hasObfuscation,
-    sourceFiles,
-    sinkTargets,
-    risk
-  };
-}
-// src/policy/flag-tables.ts
-import path6 from "path";
-var FLAGS_WITH_VALUES = {
-  curl: /* @__PURE__ */ new Set([
-    "-H",
-    "--header",
-    "-A",
-    "--user-agent",
-    "-e",
-    "--referer",
-    "-x",
-    "--proxy",
-    "-u",
-    "--user",
-    "-d",
-    "--data",
-    "--data-raw",
-    "--data-binary",
-    "-o",
-    "--output",
-    "-F",
-    "--form",
-    "--connect-to",
-    "--resolve",
-    "--cacert",
-    "--cert",
-    "--key",
-    "-m",
-    "--max-time"
-  ]),
-  wget: /* @__PURE__ */ new Set([
-    "-O",
-    "--output-document",
-    "-P",
-    "--directory-prefix",
-    "-U",
-    "--user-agent",
-    "-e",
-    "--execute",
-    "--proxy",
-    "--ca-certificate"
-  ]),
-  nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
-  ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
-  netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
-  ssh: /* @__PURE__ */ new Set([
-    "-i",
-    "-l",
-    "-p",
-    "-o",
-    "-E",
-    "-F",
-    "-J",
-    "-L",
-    "-R",
-    "-W",
-    "-b",
-    "-c",
-    "-D",
-    "-e",
-    "-I",
-    "-S"
-  ]),
-  scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
-  rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
-  socat: /* @__PURE__ */ new Set([])
-  // socat uses address syntax, not flags — no value-flags
+  ],
+  dangerousWords: []
 };
-function extractPositionalArgs(tokens, binary) {
-  const binaryName = path6.basename(binary).replace(/\.exe$/i, "");
-  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
-  const positional = [];
-  let skipNext = false;
-  for (const token of tokens) {
-    if (skipNext) {
-      skipNext = false;
-      continue;
+var mcp_tool_gating_default = {
+  name: "mcp-tool-gating",
+  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
+  aliases: ["mcp-gating", "mcp-tools"],
+  smartRules: [],
+  dangerousWords: []
+};
+var mongodb_default = {
+  name: "mongodb",
+  description: "Protects MongoDB databases from destructive AI operations",
+  aliases: ["mongo"],
+  smartRules: [
+    {
+      name: "shield:mongodb:block-drop-database",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.dropDatabase\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "dropDatabase is irreversible \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:block-drop-collection",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.drop\\s*\\(|db\\.getCollection\\([^)]+\\)\\.drop\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Collection drop is irreversible \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:block-delete-many-empty-filter",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.deleteMany\\s*\\(\\s*\\{\\s*\\}\\s*\\)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "deleteMany({}) with empty filter wipes the entire collection \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:review-delete-many",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.deleteMany\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "deleteMany requires human approval (MongoDB shield)"
+    },
+    {
+      name: "shield:mongodb:review-drop-index",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.dropIndex\\s*\\(|\\.dropIndexes\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Index drops affect query performance and require human approval (MongoDB shield)"
+    }
+  ],
+  dangerousWords: ["dropDatabase", "dropCollection", "mongodrop"]
+};
+var postgres_default = {
+  name: "postgres",
+  description: "Protects PostgreSQL databases from destructive AI operations",
+  aliases: ["pg", "postgresql"],
+  smartRules: [
+    {
+      name: "shield:postgres:block-drop-table",
+      tool: "*",
+      conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+      verdict: "block",
+      reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:block-truncate",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:block-drop-column",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:review-grant-revoke",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "Permission changes require human approval (Postgres shield)"
+    }
+  ],
+  dangerousWords: ["dropdb", "pg_dropcluster"]
+};
+var project_jail_default = {
+  name: "project-jail",
+  description: "Restricts AI agents from reading sensitive credential files outside the current project",
+  aliases: ["jail"],
+  smartRules: [
+    {
+      name: "shield:project-jail:block-read-ssh",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-env",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading .env files is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-credentials",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading credential files is blocked by project-jail shield"
+    }
+  ],
+  dangerousWords: []
+};
+var redis_default = {
+  name: "redis",
+  description: "Protects Redis instances from destructive AI operations",
+  aliases: [],
+  smartRules: [
+    {
+      name: "shield:redis:block-flushall",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bFLUSHALL\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "FLUSHALL deletes every key in every database \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:block-flushdb",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bFLUSHDB\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "FLUSHDB deletes all keys in the current database \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:block-config-resetstat",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bCONFIG\\s+RESETSTAT\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "CONFIG RESETSTAT resets server statistics irreversibly \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:review-config-set",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bCONFIG\\s+SET\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "CONFIG SET changes live server configuration and requires human approval (Redis shield)"
+    },
+    {
+      name: "shield:redis:review-del-wildcard",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bDEL\\b.*[*?\\[]|redis-cli.*--scan.*\\|.*xargs.*del",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Wildcard key deletion requires human approval (Redis shield)"
     }
-    if (token.startsWith("--") && token.includes("=")) continue;
-    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
-      skipNext = true;
-      continue;
+  ],
+  dangerousWords: ["FLUSHALL", "FLUSHDB"]
+};
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateShieldDefinition(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return { error: "Shield file is not an object" };
+  }
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) return { error: "Shield file missing 'name'" };
+  if (typeof r.description !== "string") return { error: "Shield file missing 'description'" };
+  if (!Array.isArray(r.aliases)) return { error: "Shield file missing 'aliases' array" };
+  if (!Array.isArray(r.smartRules)) return { error: "Shield file missing 'smartRules' array" };
+  if (!Array.isArray(r.dangerousWords))
+    return { error: "Shield file missing 'dangerousWords' array" };
+  return { ok: r };
+}
+function validateOverrides(raw) {
+  const warnings = [];
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return { overrides: {}, warnings };
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        warnings.push(
+          `shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.`
+        );
+      }
     }
-    if (token.startsWith("--") && flagsWithValues.has(token)) {
-      skipNext = true;
-      continue;
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return { overrides: result, warnings };
+}
+var BUILTIN_SHIELDS = {
+  [aws_default.name]: aws_default,
+  [bash_safe_default.name]: bash_safe_default,
+  [docker_default.name]: docker_default,
+  [filesystem_default.name]: filesystem_default,
+  [github_default.name]: github_default,
+  [k8s_default.name]: k8s_default,
+  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
+  [mongodb_default.name]: mongodb_default,
+  [postgres_default.name]: postgres_default,
+  [project_jail_default.name]: project_jail_default,
+  [redis_default.name]: redis_default
+};
+function assertBuiltinShieldRegexesAreSafe() {
+  for (const shield of Object.values(BUILTIN_SHIELDS)) {
+    for (const rule of shield.smartRules) {
+      const conditions = rule.conditions ?? [];
+      for (const cond of conditions) {
+        if (cond.op !== "matches" && cond.op !== "notMatches") continue;
+        const pattern = cond.value;
+        if (!pattern) continue;
+        if (!safeRegex3(pattern)) {
+          throw new Error(
+            `[node9 engine] Shield '${shield.name}' rule '${rule.name ?? rule.tool}' has unsafe regex: ${pattern}`
+          );
+        }
+      }
     }
-    const shortFlag = token.slice(0, 2);
-    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
-    if (token.startsWith("-")) continue;
-    if (token.startsWith("@")) continue;
-    positional.push(token);
   }
-  return positional;
 }
-function extractNetworkTargets(tokens, binary) {
-  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
-    const colonIdx = t.indexOf(":");
-    if (colonIdx === -1) return t;
-    const afterColon = t.slice(colonIdx + 1);
-    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
-    return t;
-  }).filter(Boolean);
+assertBuiltinShieldRegexesAreSafe();
+var LOOP_MAX_RECORDS = 500;
+function computeArgsHash(args) {
+  const str = JSON.stringify(args ?? "");
+  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+}
+function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
+  const hash = computeArgsHash(args);
+  const cutoff = now - windowMs;
+  const fresh = records.filter((r) => r.ts >= cutoff);
+  fresh.push({ t: tool, h: hash, ts: now });
+  const count = fresh.filter((r) => r.t === tool && r.h === hash).length;
+  const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
+  return { nextRecords, count, looping: count >= threshold };
 }
-// src/policy/ssh-parser.ts
-function tokenize(cmd) {
-  const tokens = [];
-  let current = "";
-  let inSingle = false;
-  let inDouble = false;
-  for (const ch of cmd) {
-    if (ch === "'" && !inDouble) {
-      inSingle = !inSingle;
-    } else if (ch === '"' && !inSingle) {
-      inDouble = !inDouble;
-    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
-      if (current) {
-        tokens.push(current);
-        current = "";
+// src/shields.ts
+var USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");
+function loadUserShields() {
+  const result = {};
+  let entries;
+  try {
+    entries = fs2.readdirSync(USER_SHIELDS_DIR).filter((f) => f.endsWith(".json"));
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(
+        `[node9] Could not read user shields dir ${USER_SHIELDS_DIR}: ${String(err)}
+`
+      );
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = path2.join(USER_SHIELDS_DIR, file);
+    try {
+      const raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+      const v = validateShieldDefinition(raw);
+      if ("error" in v) {
+        process.stderr.write(`[node9] ${v.error}: ${filePath}
+`);
+        continue;
       }
-    } else {
-      current += ch;
+      result[v.ok.name] = v.ok;
+    } catch (err) {
+      process.stderr.write(`[node9] Failed to load user shield ${file}: ${String(err)}
+`);
     }
   }
-  if (current) tokens.push(current);
-  return tokens;
+  return result;
 }
-function parseHost(raw) {
-  return raw.split("@").pop().split(":")[0];
+function buildSHIELDS() {
+  return { ...BUILTIN_SHIELDS, ...loadUserShields() };
 }
-function extractAllSshHosts(tokens) {
-  const hosts = /* @__PURE__ */ new Set();
-  for (let i = 0; i < tokens.length; i++) {
-    const t = tokens[i];
-    if (t === "-J" && tokens[i + 1]) {
-      for (const hop of tokens[++i].split(",")) {
-        const h = parseHost(hop);
-        if (h) hosts.add(h);
-      }
-      continue;
+var SHIELDS = buildSHIELDS();
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
+  }
+  return null;
+}
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
+}
+var SHIELDS_STATE_FILE = path2.join(os2.homedir(), ".node9", "shields.json");
+function readShieldsFile() {
+  try {
+    const raw = fs2.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return { active: [] };
+    const parsed = JSON.parse(raw);
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    const { overrides, warnings } = validateOverrides(parsed.overrides);
+    for (const w of warnings) {
+      process.stderr.write(`[node9] Warning: ${w}
+`);
     }
-    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
-      const val = tokens[++i].split("=").slice(1).join("=");
-      for (const hop of val.split(",")) {
-        const h = parseHost(hop);
-        if (h) hosts.add(h);
+    return { active, overrides };
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
+    }
+    return { active: [] };
+  }
+}
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
+}
+// src/config/index.ts
+var DANGEROUS_WORDS = [
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
+];
+var DEFAULT_CONFIG = {
+  version: "1.0",
+  settings: {
+    mode: "standard",
+    autoStartDaemon: true,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
+    enableHookLogDebug: true,
+    approvalTimeoutMs: 12e4,
+    // 120-second auto-deny timeout
+    flightRecorder: true,
+    auditHashArgs: true,
+    approvers: { native: true, browser: false, cloud: false, terminal: true },
+    cloudSyncIntervalHours: 5
+  },
+  policy: {
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
+    dangerousWords: DANGEROUS_WORDS,
+    ignoredTools: [
+      "list_*",
+      "get_*",
+      "read_*",
+      "describe_*",
+      "read",
+      "glob",
+      "grep",
+      "ls",
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
+    ],
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    snapshot: {
+      tools: [
+        "str_replace_based_edit_tool",
+        "write_file",
+        "edit_file",
+        "create_file",
+        "edit",
+        "replace"
+      ],
+      onlyPaths: [],
+      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
+    },
+    smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
+      {
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor rm as a shell command (not inside a string arg like a git commit message).
+            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
+        ],
+        verdict: "block",
+        reason: "Recursive delete of home directory is irreversible",
+        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
+      },
+      // ── SQL safety ────────────────────────────────────────────────────────
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
+        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
+      },
+      {
+        name: "review-drop-truncate-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
+            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
+            flags: "i"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "SQL DDL destructive statement inside a shell command",
+        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
+      },
+      // ── Git safety ────────────────────────────────────────────────────────
+      {
+        name: "review-force-push",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git push --force" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Force push rewrites remote history \u2014 confirm this is intentional",
+        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
+      },
+      {
+        name: "review-git-destructive",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git reset --hard" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
+            flags: "i"
+          },
+          {
+            field: "command",
+            op: "notMatches",
+            // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
+            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Destructive git operation \u2014 discards history or working-tree changes",
+        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
+      {
+        name: "review-sudo",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Command requires elevated privileges",
+        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
+      },
+      {
+        name: "review-curl-pipe-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor curl/wget as a shell command so node -e scripts testing this
+            // regex pattern don't self-match as a false positive.
+            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector",
+        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
-      continue;
-    }
-    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
-      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
-      const subTokens = tokenize(raw);
-      const binary = subTokens[0] ?? "";
-      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
-      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
-      continue;
-    }
-    if (!t.startsWith("-")) {
-      const h = parseHost(t);
-      if (h) hosts.add(h);
-    }
-  }
-  return [...hosts].filter(Boolean);
-}
-// src/auth/trusted-hosts.ts
-import fs6 from "fs";
-import path7 from "path";
-import os5 from "os";
-function getTrustedHostsPath() {
-  return path7.join(os5.homedir(), ".node9", "trusted-hosts.json");
-}
-function readTrustedHosts() {
-  try {
-    const raw = fs6.readFileSync(getTrustedHostsPath(), "utf8");
-    const parsed = JSON.parse(raw);
-    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
-  } catch {
-    return [];
-  }
-}
-var _cache = null;
-var CACHE_TTL_MS = 5e3;
-function getFileMtime() {
-  try {
-    return fs6.statSync(getTrustedHostsPath()).mtimeMs;
-  } catch {
-    return 0;
-  }
-}
-function getCachedHosts() {
-  const now = Date.now();
-  if (_cache && now < _cache.expiry) {
-    const mtime = getFileMtime();
-    if (mtime === _cache.mtime) return _cache.hosts;
-  }
-  const hosts = readTrustedHosts();
-  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
-  return hosts;
-}
-function normalizeHost(raw) {
-  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
-}
-function isTrustedHost(host) {
-  const normalized = normalizeHost(host);
-  return getCachedHosts().some((entry) => {
-    const entryHost = entry.host.toLowerCase();
-    if (entryHost.startsWith("*.")) {
-      const domain = entryHost.slice(2);
-      return normalized.endsWith("." + domain);
-    }
-    return normalized === entryHost;
-  });
-}
-// src/policy/index.ts
-function tokenize2(toolName) {
-  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
-}
-function matchesPattern(text, patterns) {
-  const p = Array.isArray(patterns) ? patterns : [patterns];
-  if (p.length === 0) return false;
-  const isMatch = pm(p, { nocase: true, dot: true });
-  const target = text.toLowerCase();
-  const directMatch = isMatch(target);
-  if (directMatch) return true;
-  const withoutDotSlash = text.replace(/^\.\//, "");
-  return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
-}
-function getNestedValue(obj, path15) {
-  if (!obj || typeof obj !== "object") return null;
-  return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
-}
-var { syntax } = mvdanSh;
-var sharedParser = syntax.NewParser();
-var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
-  "-m",
-  "--message",
-  "--body",
-  "--title",
-  "--description",
-  "--comment",
-  "--subject",
-  "--summary"
-]);
-function normalizeCommandForPolicy(command) {
-  try {
-    const f = sharedParser.Parse(command, "cmd");
-    const strips = [];
-    syntax.Walk(f, (node) => {
-      if (!node) return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const args = n.Args || [];
-      for (let i = 0; i < args.length - 1; i++) {
-        const argParts = args[i].Parts || [];
-        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
-        const flagVal = argParts[0].Value || "";
-        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
-        const next = args[i + 1];
-        const nextParts = next.Parts || [];
-        if (nextParts.length !== 1) continue;
-        const quotedNode = nextParts[0];
-        const nt = syntax.NodeType(quotedNode);
-        if (nt === "SglQuoted") {
-          strips.push([next.Pos().Offset(), next.End().Offset()]);
-        } else if (nt === "DblQuoted") {
-          const innerParts = quotedNode.Parts || [];
-          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
-          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
-        }
+    ],
+    dlp: { enabled: true, scanIgnoredTools: true },
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
+    skillPinning: { enabled: false, mode: "warn", roots: [] }
+  },
+  environments: {}
+};
+var ADVISORY_SMART_RULES = [
+  // ── rm safety ─────────────────────────────────────────────────────────────
+  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
       }
-      return true;
-    });
-    if (strips.length === 0) return command;
-    strips.sort((a, b) => b[0] - a[0]);
-    let result = command;
-    for (const [start, end] of strips) {
-      result = result.slice(0, start) + '""' + result.slice(end);
-    }
-    return result;
-  } catch {
-    return command;
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
+  {
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path",
+    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
+  },
+  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+  // without a shield, users still get a human-approval gate on every destructive op.
+  {
+    name: "review-drop-table-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
+  },
+  {
+    name: "review-truncate-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
+  },
+  {
+    name: "review-drop-column-sql",
+    tool: "*",
+    conditions: [
+      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+    ],
+    verdict: "review",
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
   }
-}
-var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
-var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
-function scanArgsForDynamicExec(args, startIdx) {
-  let hasCmdSubst = false;
-  let hasParamExp = false;
-  let hasCurl = false;
-  for (let i = startIdx; i < args.length; i++) {
-    syntax.Walk(args[i], (inner) => {
-      if (!inner) return false;
-      const inn = inner;
-      const it = syntax.NodeType(inn);
-      if (it === "CmdSubst") hasCmdSubst = true;
-      if (it === "ParamExp") hasParamExp = true;
-      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
-      return true;
-    });
+];
+var cachedConfig = null;
+function getCredentials() {
+  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
+  if (process.env.NODE9_API_KEY) {
+    return {
+      apiKey: process.env.NODE9_API_KEY,
+      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
+    };
   }
-  if (hasCmdSubst && hasCurl) return "block";
-  if (hasCmdSubst || hasParamExp) return "review";
-  return null;
-}
-function detectDangerousShellExec(command) {
   try {
-    const f = sharedParser.Parse(command, "cmd");
-    let result = null;
-    syntax.Walk(f, (node) => {
-      if (!node || result === "block") return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const args = n.Args || [];
-      if (args.length === 0) return true;
-      const firstParts = args[0].Parts || [];
-      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
-      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
-      if (cmdName === "eval") {
-        const v = scanArgsForDynamicExec(args, 1);
-        if (v === "block" || v === "review" && result === null) result = v;
-      } else if (SHELL_INTERPRETERS.has(cmdName)) {
-        for (let i = 1; i < args.length - 1; i++) {
-          const flagParts = args[i].Parts || [];
-          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
-            continue;
-          const v = scanArgsForDynamicExec(args, i + 1);
-          if (v === "block" || v === "review" && result === null) result = v;
-          break;
-        }
-      }
-      return true;
-    });
-    return result;
-  } catch {
-    return null;
-  }
-}
-function evaluateSmartConditions(args, rule) {
-  if (!rule.conditions || rule.conditions.length === 0) return true;
-  const mode = rule.conditionMode ?? "all";
-  const results = rule.conditions.map((cond) => {
-    const rawVal = getNestedValue(args, cond.field);
-    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
-    switch (cond.op) {
-      case "exists":
-        return val !== null && val !== "";
-      case "notExists":
-        return val === null || val === "";
-      case "contains":
-        return val !== null && cond.value ? val.includes(cond.value) : false;
-      case "notContains":
-        return val !== null && cond.value ? !val.includes(cond.value) : true;
-      case "matches": {
-        if (val === null || !cond.value) return false;
-        const reM = getCompiledRegex(cond.value, cond.flags ?? "");
-        if (!reM) return false;
-        return reM.test(val);
+    const credPath = path3.join(os3.homedir(), ".node9", "credentials.json");
+    if (fs3.existsSync(credPath)) {
+      const creds = JSON.parse(fs3.readFileSync(credPath, "utf-8"));
+      const profileName = process.env.NODE9_PROFILE || "default";
+      const profile = creds[profileName];
+      if (profile?.apiKey) {
+        return {
+          apiKey: profile.apiKey,
+          apiUrl: profile.apiUrl || DEFAULT_API_URL
+        };
       }
-      case "notMatches": {
-        if (!cond.value) return false;
-        if (val === null) return true;
-        const reN = getCompiledRegex(cond.value, cond.flags ?? "");
-        if (!reN) return false;
-        return !reN.test(val);
+      if (creds.apiKey) {
+        return {
+          apiKey: creds.apiKey,
+          apiUrl: creds.apiUrl || DEFAULT_API_URL
+        };
       }
-      case "matchesGlob":
-        return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
-      case "notMatchesGlob":
-        return val !== null && cond.value ? !pm.isMatch(val, cond.value) : false;
-      default:
-        return false;
     }
-  });
-  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
-}
-function extractShellCommand(toolName, args, toolInspection) {
-  const patterns = Object.keys(toolInspection);
-  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
-  if (!matchingPattern) return null;
-  const fieldPath = toolInspection[matchingPattern];
-  const value = getNestedValue(args, fieldPath);
-  return typeof value === "string" ? value : null;
-}
-function isSqlTool(toolName, toolInspection) {
-  const patterns = Object.keys(toolInspection);
-  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
-  if (!matchingPattern) return false;
-  const fieldName = toolInspection[matchingPattern];
-  return fieldName === "sql" || fieldName === "query";
-}
-var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function analyzeShellCommand(command) {
-  const actions = [];
-  const paths = [];
-  const allTokens = [];
-  const addToken = (token) => {
-    const lower = token.toLowerCase();
-    allTokens.push(lower);
-    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
-    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
-  };
-  try {
-    const f = sharedParser.Parse(command, "cmd");
-    syntax.Walk(f, (node) => {
-      if (!node) return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const wordValues = (n.Args || []).map((arg) => {
-        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
-      }).filter((s) => s.length > 0);
-      if (wordValues.length > 0) {
-        const cmd = wordValues[0].toLowerCase();
-        if (!actions.includes(cmd)) actions.push(cmd);
-        wordValues.forEach((w) => addToken(w));
-        wordValues.slice(1).forEach((w) => {
-          if (!w.startsWith("-")) paths.push(w);
-        });
-      }
-      return true;
-    });
   } catch {
   }
-  if (allTokens.length === 0) {
-    const normalized = command.replace(/\\(.)/g, "$1");
-    const sanitized = normalized.replace(/["'<>]/g, " ");
-    const segments = sanitized.split(/[|;&]|\$\(|\)|`/);
-    segments.forEach((segment) => {
-      const tokens = segment.trim().split(/\s+/).filter(Boolean);
-      if (tokens.length > 0) {
-        const action = tokens[0].toLowerCase();
-        if (!actions.includes(action)) actions.push(action);
-        tokens.forEach((t) => {
-          addToken(t);
-          if (t !== tokens[0] && !t.startsWith("-")) {
-            if (!paths.includes(t)) paths.push(t);
-          }
-        });
-      }
-    });
-  }
-  return { actions, paths, allTokens };
+  return null;
 }
-async function evaluatePolicy(toolName, args, agent, cwd) {
-  const config = getConfig();
-  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
-  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
-    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
-    if (dlpMatch) {
-      return {
-        decision: dlpMatch.severity,
-        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
-        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
-      };
+function getActiveEnvironment(config) {
+  const env = config.settings.environment || process.env.NODE_ENV || "development";
+  return config.environments[env] ?? null;
+}
+function getConfig(cwd) {
+  if (!cwd && cachedConfig) return cachedConfig;
+  const globalPath = path3.join(os3.homedir(), ".node9", "config.json");
+  const projectPath = path3.join(cwd ?? process.cwd(), "node9.config.json");
+  const globalConfig = tryLoadConfig(globalPath);
+  const projectConfig = tryLoadConfig(projectPath);
+  const mergedSettings = {
+    ...DEFAULT_CONFIG.settings,
+    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+  };
+  const mergedPolicy = {
+    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
+    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
+    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
+    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
+    snapshot: {
+      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
+      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
+      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
+    skillPinning: {
+      ...DEFAULT_CONFIG.policy.skillPinning,
+      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
     }
-  }
-  if (wouldBeIgnored) return { decision: "allow" };
-  if (config.policy.smartRules.length > 0) {
-    const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
-    );
-    if (matchedRule) {
-      if (matchedRule.verdict === "allow")
-        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
-      return {
-        decision: matchedRule.verdict,
-        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason,
-        tier: 2,
-        ruleName: matchedRule.name ?? matchedRule.tool,
-        ...(matchedRule.description ?? matchedRule.reason) && {
-          ruleDescription: matchedRule.description ?? matchedRule.reason
-        },
-        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
-          dependsOnStatePredicates: matchedRule.dependsOnState
-        },
-        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
-          recoveryCommand: matchedRule.recoveryCommand
-        }
-      };
+  };
+  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
+  const applyLayer = (source) => {
+    if (!source) return;
+    const s = source.settings || {};
+    const p = source.policy || {};
+    if (s.mode !== void 0) mergedSettings.mode = s.mode;
+    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
+    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
+    if (s.enableHookLogDebug !== void 0)
+      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
+    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
+    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
+      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
+    if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.cloudSyncIntervalHours !== void 0)
+      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
+    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
+    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
+    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
+    if (p.toolInspection)
+      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
+    if (p.smartRules) {
+      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
+      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
+      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
+      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
+      const filteredNonBlocks = defaultNonBlocks.filter(
+        (r) => !r.name || !userRuleNames.has(r.name)
+      );
+      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
     }
-  }
-  let allTokens = [];
-  let pathTokens = [];
-  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
-  if (shellCommand) {
-    const analyzed = analyzeShellCommand(shellCommand);
-    allTokens = analyzed.allTokens;
-    pathTokens = analyzed.paths;
-    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
-    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return {
-        decision: "review",
-        blockedByLabel: "Node9 Standard (Inline Execution)",
-        ruleDescription: "The AI is running code directly from the command line. Review the full script below before allowing it to execute.",
-        tier: 3
-      };
+    if (p.snapshot) {
+      const s2 = p.snapshot;
+      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
+      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
+      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
-    const evalVerdict = detectDangerousShellExec(shellCommand);
-    if (evalVerdict === "block") {
-      return {
-        decision: "block",
-        blockedByLabel: "Node9: Eval Remote Execution",
-        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
-        ruleDescription: "The AI is downloading a script from the internet and running it immediately without inspection. This is a common way malware gets installed.",
-        tier: 3
-      };
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
-    if (evalVerdict === "review") {
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Eval Dynamic Content",
-        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
-        ruleDescription: "The AI is running a command that includes a variable or subshell expansion. The actual command executed at runtime may differ from what is shown here.",
-        tier: 3
-      };
+    if (p.loopDetection) {
+      const ld = p.loopDetection;
+      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
+      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
+      if (ld.windowSeconds !== void 0)
+        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every(isTrustedHost);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
+    if (p.skillPinning && typeof p.skillPinning === "object") {
+      const sp = p.skillPinning;
+      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
+      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
+      if (Array.isArray(sp.roots)) {
+        for (const r of sp.roots) {
+          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
         }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
       }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
+    }
+    const envs = source.environments || {};
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === "object") {
+        const ec = envConfig;
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          // Validate field types before merging — do not blindly spread user input
+          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
         };
       }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
-    const firstToken = analyzed.actions[0] ?? "";
-    if (["ssh", "scp", "rsync"].includes(firstToken)) {
-      const rawTokens = shellCommand.trim().split(/\s+/);
-      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
-      allTokens.push(...sshHosts);
     }
-    if (firstToken && path8.posix.isAbsolute(firstToken)) {
-      const prov = checkProvenance(firstToken, cwd);
-      if (prov.trustLevel === "suspect") {
-        return {
-          decision: config.settings.mode === "strict" ? "block" : "review",
-          blockedByLabel: "Node9: Suspect Binary",
-          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
-          tier: 3
-        };
+  };
+  applyLayer(globalConfig);
+  applyLayer(projectConfig);
+  {
+    const cacheFile = path3.join(os3.homedir(), ".node9", "rules-cache.json");
+    try {
+      const raw = JSON.parse(fs3.readFileSync(cacheFile, "utf-8"));
+      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
+        applyLayer({ policy: { smartRules: raw.rules } });
       }
-      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
-        return {
-          decision: "review",
-          blockedByLabel: "Node9: Unknown Binary (strict mode)",
-          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
-          tier: 3
-        };
+    } catch {
+    }
+  }
+  const shieldOverrides = readShieldOverrides();
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
       }
     }
-    if (isSqlTool(toolName, config.policy.toolInspection)) {
-      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    const existingWords = new Set(mergedPolicy.dangerousWords);
+    for (const word of shield.dangerousWords) {
+      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
+    }
+  }
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
+  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
+  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
+  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
+  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
+  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
+  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
+  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
+  const result = {
+    settings: mergedSettings,
+    policy: mergedPolicy,
+    environments: mergedEnvironments
+  };
+  if (!cwd) cachedConfig = result;
+  return result;
+}
+function tryLoadConfig(filePath) {
+  if (!fs3.existsSync(filePath)) return null;
+  let raw;
+  try {
+    raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+`
+    );
+    return null;
+  }
+  const SUPPORTED_VERSION = "1.0";
+  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
+  const fileVersion = raw?.version;
+  if (fileVersion !== void 0) {
+    const vStr = String(fileVersion);
+    const fileMajor = vStr.split(".")[0];
+    if (fileMajor !== SUPPORTED_MAJOR) {
+      process.stderr.write(
+        `
+\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
+`
+      );
+      return null;
+    } else if (vStr !== SUPPORTED_VERSION) {
+      process.stderr.write(
+        `
+\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
+`
+      );
+    }
+  }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+`
+    );
+  }
+  return sanitized;
+}
+// src/policy/index.ts
+import pm2 from "picomatch";
+// src/dlp.ts
+import fs4 from "fs";
+import path4 from "path";
+function scanFilePath(filePath, cwd = process.cwd()) {
+  if (!filePath) return null;
+  let resolved;
+  try {
+    const absolute = path4.resolve(cwd, filePath);
+    resolved = fs4.realpathSync.native(absolute);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT" || code === "ENOTDIR") {
+      resolved = path4.resolve(cwd, filePath);
+    } else {
+      return sensitivePathMatch(filePath);
     }
-  } else {
-    allTokens = tokenize2(toolName);
-    if (args && typeof args === "object") {
-      const flattenedArgs = JSON.stringify(args).toLowerCase();
-      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
-      allTokens.push(...extraTokens);
+  }
+  return matchSensitivePath(resolved, filePath);
+}
+// src/utils/provenance.ts
+import fs5 from "fs";
+import path5 from "path";
+import os4 from "os";
+var SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+var MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+var USER_PREFIXES = [
+  path5.join(os4.homedir(), "bin"),
+  path5.join(os4.homedir(), ".local", "bin"),
+  path5.join(os4.homedir(), ".cargo", "bin"),
+  path5.join(os4.homedir(), ".npm-global", "bin"),
+  path5.join(os4.homedir(), ".volta", "bin")
+];
+var SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+function findInPath(cmd) {
+  if (path5.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(path5.delimiter)) {
+    if (!dir) continue;
+    const full = path5.join(dir, cmd);
+    try {
+      fs5.accessSync(full, fs5.constants.X_OK);
+      return full;
+    } catch {
     }
   }
-  const isManual = agent === "Terminal";
-  if (isManual) {
-    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
-    const hasSystemDisaster = allTokens.some(
-      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
-    );
-    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
-    if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = os4.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (path5.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
     }
-    return { decision: "allow" };
   }
-  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
-    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
-    if (allInSandbox) return { decision: "allow" };
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = fs5.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
   }
-  let matchedDangerousWord;
-  const isDangerous = allTokens.some(
-    (token) => config.policy.dangerousWords.some((word) => {
-      const w = word.toLowerCase();
-      const hit = token === w || (() => {
-        try {
-          return new RegExp(`\\b${w}\\b`, "i").test(token);
-        } catch {
-          return false;
-        }
-      })();
-      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
-      return hit;
-    })
-  );
-  if (isDangerous) {
-    let matchedField;
-    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
-      const obj = args;
-      for (const [key, value] of Object.entries(obj)) {
-        if (typeof value === "string") {
-          try {
-            if (new RegExp(
-              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
-              "i"
-            ).test(value)) {
-              matchedField = key;
-              break;
-            }
-          } catch {
-          }
-        }
-      }
+  try {
+    const stat = fs5.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
     }
+  } catch {
     return {
-      decision: "review",
-      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
-      matchedWord: matchedDangerousWord,
-      matchedField,
-      ruleDescription: `This command contains a flagged keyword ("${matchedDangerousWord}") from your node9 config. Review it before allowing.`,
-      tier: 6
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
     };
   }
-  if (config.settings.mode === "strict") {
-    const envConfig = getActiveEnvironment(config);
-    if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+// src/auth/trusted-hosts.ts
+import fs6 from "fs";
+import path6 from "path";
+import os5 from "os";
+function getTrustedHostsPath() {
+  return path6.join(os5.homedir(), ".node9", "trusted-hosts.json");
+}
+function readTrustedHosts() {
+  try {
+    const raw = fs6.readFileSync(getTrustedHostsPath(), "utf8");
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
+  } catch {
+    return [];
   }
-  return { decision: "allow" };
 }
-function isIgnoredTool(toolName) {
+var _cache = null;
+var CACHE_TTL_MS = 5e3;
+function getFileMtime() {
+  try {
+    return fs6.statSync(getTrustedHostsPath()).mtimeMs;
+  } catch {
+    return 0;
+  }
+}
+function getCachedHosts() {
+  const now = Date.now();
+  if (_cache && now < _cache.expiry) {
+    const mtime = getFileMtime();
+    if (mtime === _cache.mtime) return _cache.hosts;
+  }
+  const hosts = readTrustedHosts();
+  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
+  return hosts;
+}
+function normalizeHost(raw) {
+  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
+}
+function isTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  return getCachedHosts().some((entry) => {
+    const entryHost = entry.host.toLowerCase();
+    if (entryHost.startsWith("*.")) {
+      const domain = entryHost.slice(2);
+      return normalized.endsWith("." + domain);
+    }
+    return normalized === entryHost;
+  });
+}
+// src/policy/index.ts
+async function evaluatePolicy2(toolName, args, agent, cwd) {
   const config = getConfig();
-  return matchesPattern(toolName, config.policy.ignoredTools);
+  const activeEnvironment = getActiveEnvironment(config) ?? void 0;
+  return evaluatePolicy(
+    config,
+    toolName,
+    args,
+    { agent, cwd, activeEnvironment },
+    { checkProvenance, isTrustedHost }
+  );
+}
+function isIgnoredTool2(toolName) {
+  return isIgnoredTool(toolName, getConfig());
 }
 // src/auth/state.ts
 import fs7 from "fs";
-import path9 from "path";
+import path7 from "path";
 import os6 from "os";
-var PAUSED_FILE = path9.join(os6.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path9.join(os6.homedir(), ".node9", "trust.json");
+var PAUSED_FILE = path7.join(os6.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path7.join(os6.homedir(), ".node9", "trust.json");
 function extractCommandPattern(toolName, args) {
   const lower = toolName.toLowerCase();
   if (lower !== "bash" && lower !== "execute_bash" && lower !== "shell") return void 0;
@@ -2456,7 +3210,7 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path9.dirname(filePath);
+  const dir = path7.dirname(filePath);
   if (!fs7.existsSync(dir)) fs7.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${os6.hostname()}.${process.pid}.tmp`;
   fs7.writeFileSync(tmpPath, data, options);
@@ -2511,7 +3265,7 @@ function writeTrustSession(toolName, durationMs, args) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path9.join(os6.homedir(), ".node9", "decisions.json");
+    const file = path7.join(os6.homedir(), ".node9", "decisions.json");
     if (!fs7.existsSync(file)) return null;
     const decisions = JSON.parse(fs7.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
@@ -2524,10 +3278,10 @@ function getPersistentDecision(toolName) {
 // src/auth/daemon.ts
 import fs8 from "fs";
 import net from "net";
-import path10 from "path";
+import path8 from "path";
 import os7 from "os";
 import { spawnSync } from "child_process";
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path10.join(os7.tmpdir(), "node9-activity.sock");
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path8.join(os7.tmpdir(), "node9-activity.sock");
 function notifyActivitySocket(data) {
   return new Promise((resolve) => {
     try {
@@ -2560,7 +3314,7 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function getInternalToken() {
   try {
-    const pidFile = path10.join(os7.homedir(), ".node9", "daemon.pid");
+    const pidFile = path8.join(os7.homedir(), ".node9", "daemon.pid");
     if (!fs8.existsSync(pidFile)) return null;
     const data = JSON.parse(fs8.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
@@ -2570,7 +3324,7 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = path10.join(os7.homedir(), ".node9", "daemon.pid");
+  const pidFile = path8.join(os7.homedir(), ".node9", "daemon.pid");
   if (fs8.existsSync(pidFile)) {
     let pid;
     let port;
@@ -2743,10 +3497,10 @@ import { randomUUID } from "crypto";
 // src/ui/native.ts
 import { spawn } from "child_process";
-import path12 from "path";
+import path10 from "path";
 // src/context-sniper.ts
-import path11 from "path";
+import path9 from "path";
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -2814,7 +3568,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = path11.basename(editFilePath);
+        editFileName = path9.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -2869,7 +3623,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? path12.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? path10.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -3071,7 +3825,7 @@ init_audit();
 init_audit();
 import fs9 from "fs";
 import os8 from "os";
-import path13 from "path";
+import path11 from "path";
 var DLP_SAMPLE_MAX_LEN = 200;
 var DLP_PATTERN_MAX_LEN = 100;
 var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
@@ -3147,7 +3901,7 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPol
   let ciContext;
   if (process.env.CI) {
     try {
-      const ciContextPath = path13.join(os8.homedir(), ".node9", "ci-context.json");
+      const ciContextPath = path11.join(os8.homedir(), ".node9", "ci-context.json");
       const stats = fs9.statSync(ciContextPath);
       if (stats.size > 1e4) throw new Error("ci-context.json exceeds 10 KB");
       const raw = fs9.readFileSync(ciContextPath, "utf8");
@@ -3263,16 +4017,10 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 // src/loop-detector.ts
 import fs10 from "fs";
-import path14 from "path";
+import path12 from "path";
 import os9 from "os";
-import crypto from "crypto";
 function loopStateFile() {
-  return path14.join(os9.homedir(), ".node9", "loop-state.json");
-}
-var MAX_RECORDS = 500;
-function computeArgsHash(args) {
-  const str = JSON.stringify(args ?? "");
-  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+  return path12.join(os9.homedir(), ".node9", "loop-state.json");
 }
 function readState() {
   try {
@@ -3286,7 +4034,7 @@ function readState() {
   }
 }
 function writeState(records) {
-  const dir = path14.dirname(loopStateFile());
+  const dir = path12.dirname(loopStateFile());
   if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
   const tmpPath = `${loopStateFile()}.${os9.hostname()}.${process.pid}.tmp`;
   fs10.writeFileSync(tmpPath, JSON.stringify(records));
@@ -3294,14 +4042,9 @@ function writeState(records) {
 }
 function recordAndCheck(tool, args, threshold = 3, windowMs = 12e4) {
   try {
-    const hash = computeArgsHash(args);
-    const now = Date.now();
-    const cutoff = now - windowMs;
-    const records = readState().filter((r) => r.ts >= cutoff);
-    records.push({ t: tool, h: hash, ts: now });
-    const count = records.filter((r) => r.t === tool && r.h === hash).length;
-    writeState(records.slice(-MAX_RECORDS));
-    return { looping: count >= threshold, count };
+    const result = evaluateLoopWindow(readState(), tool, args, threshold, windowMs, Date.now());
+    writeState(result.nextRecords);
+    return { looping: result.looping, count: result.count };
   } catch {
     return { looping: false, count: 0 };
   }
@@ -3434,7 +4177,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
+  if (config.policy.dlp.enabled && (!isIgnoredTool2(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
     const dlpMatch = (filePath ? scanFilePath(filePath) : null) ?? scanArgs(args);
@@ -3484,8 +4227,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
   }
   if (isObserveMode) {
-    if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+    if (!isIgnoredTool2(toolName)) {
+      const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       const wouldBlock = policyResult.decision === "block";
       if (!isManual)
         appendLocalAudit(
@@ -3509,8 +4252,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     return { approved: true, checkedBy: "audit" };
   }
   if (config.settings.mode === "audit") {
-    if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+    if (!isIgnoredTool2(toolName)) {
+      const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
@@ -3520,7 +4263,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!taintWarning && !isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool2(toolName)) {
     const ld = config.policy.loopDetection;
     if (ld.enabled) {
       const loopResult = recordAndCheck(toolName, args, ld.threshold, ld.windowSeconds * 1e3);
@@ -3538,7 +4281,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+    const policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "local-policy", creds, meta);