@node9/proxy 1.14.1 → 1.16.0

package/dist/index.js

@@ -288,8 +288,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path15 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path15}: ${issue.message}`;
+    const path13 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path13}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -302,794 +302,112 @@ ${lines.join("\n")}`
 var import_fs2 = __toESM(require("fs"));
 var import_path2 = __toESM(require("path"));
 var import_os2 = __toESM(require("os"));
-var BUILTIN_DIR = import_path2.default.join(__dirname, "shields", "builtin");
-var USER_SHIELDS_DIR = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields");
-function validateShieldDefinition(raw, filePath) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
-    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
-`);
-    return null;
-  }
-  const r = raw;
-  if (typeof r.name !== "string" || !r.name) {
-    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
-`);
-    return null;
-  }
-  if (typeof r.description !== "string") {
-    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.aliases)) {
-    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.smartRules)) {
-    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
-`);
-    return null;
-  }
-  if (!Array.isArray(r.dangerousWords)) {
-    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
-`);
-    return null;
-  }
-  return r;
-}
-function loadShieldsFromDir(dir, label) {
-  const result = {};
-  let entries;
-  try {
-    entries = import_fs2.default.readdirSync(dir).filter((f) => f.endsWith(".json"));
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err)}
-`);
-    }
-    return result;
-  }
-  for (const file of entries) {
-    const filePath = import_path2.default.join(dir, file);
-    try {
-      const raw = JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
-      const shield = validateShieldDefinition(raw, filePath);
-      if (shield) result[shield.name] = shield;
-    } catch (err) {
-      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err)}
-`);
-    }
-  }
-  return result;
-}
-function buildSHIELDS() {
-  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
-  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
-  return { ...builtins, ...userShields };
-}
-var SHIELDS = buildSHIELDS();
-function resolveShieldName(input) {
-  const lower = input.toLowerCase();
-  if (SHIELDS[lower]) return lower;
-  for (const [name, def] of Object.entries(SHIELDS)) {
-    if (def.aliases.includes(lower)) return name;
-  }
-  return null;
-}
-function getShield(name) {
-  const resolved = resolveShieldName(name);
-  return resolved ? SHIELDS[resolved] : null;
-}
-var SHIELDS_STATE_FILE = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields.json");
-function isShieldVerdict(v) {
-  return v === "allow" || v === "review" || v === "block";
-}
-function validateOverrides(raw) {
-  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return {};
-  const result = {};
-  for (const [shieldName, rules] of Object.entries(raw)) {
-    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
-    const validRules = {};
-    for (const [ruleName, verdict] of Object.entries(rules)) {
-      if (isShieldVerdict(verdict)) {
-        validRules[ruleName] = verdict;
-      } else {
-        process.stderr.write(
-          `[node9] Warning: shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.
-`
-        );
-      }
-    }
-    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
-  }
-  return result;
+
+// packages/policy-engine/dist/index.mjs
+var import_safe_regex2 = __toESM(require("safe-regex2"), 1);
+var import_mvdan_sh = __toESM(require("mvdan-sh"), 1);
+var import_picomatch = __toESM(require("picomatch"), 1);
+var import_safe_regex22 = __toESM(require("safe-regex2"), 1);
+var import_safe_regex23 = __toESM(require("safe-regex2"), 1);
+var import_crypto2 = __toESM(require("crypto"), 1);
+var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
+function isAssignmentContext(text) {
+  return ASSIGNMENT_CONTEXT_RE.test(text);
 }
-function readShieldsFile() {
-  try {
-    const raw = import_fs2.default.readFileSync(SHIELDS_STATE_FILE, "utf-8");
-    if (!raw.trim()) return { active: [] };
-    const parsed = JSON.parse(raw);
-    const active = Array.isArray(parsed.active) ? parsed.active.filter(
-      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
-    ) : [];
-    return { active, overrides: validateOverrides(parsed.overrides) };
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
-`);
-    }
-    return { active: [] };
+function shannonEntropy(s) {
+  if (s.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
+  let h = 0;
+  for (const count of freq.values()) {
+    const p = count / s.length;
+    h -= p * Math.log2(p);
   }
+  return h;
 }
-function readActiveShields() {
-  return readShieldsFile().active;
-}
-function readShieldOverrides() {
-  return readShieldsFile().overrides ?? {};
-}
-
-// src/config/index.ts
-var DANGEROUS_WORDS = [
-  "mkfs",
-  // formats/wipes a filesystem partition
-  "shred"
-  // permanently overwrites file contents (unrecoverable)
+var DLP_STOPWORDS = [
+  "example",
+  "placeholder",
+  "changeme",
+  "your_key",
+  "your_token",
+  "your_secret",
+  "replace_me",
+  "insert_key",
+  "put_your",
+  "fake",
+  "dummy",
+  "sample",
+  "xxxxxxxx",
+  "aaaaaa",
+  "bbbbbb",
+  "00000000",
+  "${",
+  "{{",
+  "%{",
+  "<your",
+  "test_key",
+  "test_token",
+  "your",
+  "here"
 ];
-var DEFAULT_CONFIG = {
-  version: "1.0",
-  settings: {
-    mode: "standard",
-    autoStartDaemon: true,
-    enableUndo: true,
-    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
-    enableHookLogDebug: true,
-    approvalTimeoutMs: 12e4,
-    // 120-second auto-deny timeout
-    flightRecorder: true,
-    auditHashArgs: true,
-    approvers: { native: true, browser: false, cloud: false, terminal: true },
-    cloudSyncIntervalHours: 5
+var DLP_PATTERNS = [
+  // ── AWS ───────────────────────────────────────────────────────────────────
+  {
+    name: "AWS Access Key ID",
+    regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+    severity: "block",
+    keywords: ["akia", "asia", "abia", "acca", "a3t"]
   },
-  policy: {
-    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
-    dangerousWords: DANGEROUS_WORDS,
-    ignoredTools: [
-      "list_*",
-      "get_*",
-      "read_*",
-      "describe_*",
-      "read",
-      "glob",
-      "grep",
-      "ls",
-      "notebookread",
-      "notebookedit",
-      "webfetch",
-      "websearch",
-      "exitplanmode",
-      "askuserquestion",
-      "agent",
-      "task*",
-      "toolsearch",
-      "mcp__ide__*",
-      "getDiagnostics"
-    ],
-    toolInspection: {
-      bash: "command",
-      shell: "command",
-      run_shell_command: "command",
-      "terminal.execute": "command",
-      "postgres:query": "sql"
-    },
-    snapshot: {
-      tools: [
-        "str_replace_based_edit_tool",
-        "write_file",
-        "edit_file",
-        "create_file",
-        "edit",
-        "replace"
-      ],
-      onlyPaths: [],
-      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
-    },
-    smartRules: [
-      // ── rm safety (critical — always evaluated first) ──────────────────────
-      {
-        name: "block-rm-rf-home",
-        tool: "bash",
-        conditionMode: "all",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor rm as a shell command (not inside a string arg like a git commit message).
-            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
-          },
-          {
-            field: "command",
-            op: "matches",
-            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
-          }
-        ],
-        verdict: "block",
-        reason: "Recursive delete of home directory is irreversible",
-        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
-      },
-      // ── SQL safety ────────────────────────────────────────────────────────
-      {
-        name: "no-delete-without-where",
-        tool: "*",
-        conditions: [
-          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
-          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
-        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
-      },
-      {
-        name: "review-drop-truncate-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
-            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
-            flags: "i"
-          },
-          {
-            field: "command",
-            op: "matches",
-            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "SQL DDL destructive statement inside a shell command",
-        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
-      },
-      // ── Git safety ────────────────────────────────────────────────────────
-      {
-        name: "review-force-push",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor git as a shell command so node -e / python -c scripts containing
-            // "git push --force" as a string don't false-positive.
-            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Force push rewrites remote history \u2014 confirm this is intentional",
-        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
-      },
-      {
-        name: "review-git-destructive",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor git as a shell command so node -e / python -c scripts containing
-            // "git reset --hard" as a string don't false-positive.
-            value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
-            flags: "i"
-          },
-          {
-            field: "command",
-            op: "notMatches",
-            // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
-            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Destructive git operation \u2014 discards history or working-tree changes",
-        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
-      },
-      // ── Shell safety ──────────────────────────────────────────────────────
-      {
-        name: "review-sudo",
-        tool: "bash",
-        conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
-        conditionMode: "all",
-        verdict: "review",
-        reason: "Command requires elevated privileges",
-        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
-      },
-      {
-        name: "review-curl-pipe-shell",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            // Anchor curl/wget as a shell command so node -e scripts testing this
-            // regex pattern don't self-match as a false positive.
-            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
-            flags: "i"
-          }
-        ],
-        conditionMode: "all",
-        verdict: "block",
-        reason: "Piping remote script into a shell is a supply-chain attack vector",
-        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
-      }
-    ],
-    dlp: { enabled: true, scanIgnoredTools: true },
-    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
-    skillPinning: { enabled: false, mode: "warn", roots: [] }
+  // ── GitHub ────────────────────────────────────────────────────────────────
+  {
+    name: "GitHub Token",
+    regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
+    severity: "block",
+    keywords: ["ghp_", "gho_", "ghu_", "ghs_"],
+    minEntropy: 3
   },
-  environments: {}
-};
-var ADVISORY_SMART_RULES = [
-  // ── rm safety ─────────────────────────────────────────────────────────────
-  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
-  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
-  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
   {
-    name: "allow-rm-safe-paths",
-    tool: "*",
-    conditionMode: "all",
-    conditions: [
-      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
-      {
-        field: "command",
-        op: "matches",
-        // Matches known-safe build artifact paths in the command.
-        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
-      }
-    ],
-    verdict: "allow",
-    reason: "Deleting a known-safe build artifact path"
+    name: "GitHub Fine-Grained PAT",
+    regex: /\bgithub_pat_\w{82}\b/,
+    severity: "block",
+    keywords: ["github_pat_"]
   },
+  // ── Slack ─────────────────────────────────────────────────────────────────
   {
-    name: "review-rm",
-    tool: "*",
-    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
-    verdict: "review",
-    reason: "rm can permanently delete files \u2014 confirm the target path",
-    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
+    name: "Slack Bot Token",
+    // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
+    regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
+    severity: "block",
+    keywords: ["xoxb-"]
   },
-  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
-  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
-  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
-  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
-  // without a shield, users still get a human-approval gate on every destructive op.
+  // ── Anthropic ─────────────────────────────────────────────────────────────
+  // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
+  // match the broader OpenAI sk- pattern; more specific rules must come first.
   {
-    name: "review-drop-table-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
+    name: "Anthropic API Key",
+    regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-api03"]
   },
   {
-    name: "review-truncate-sql",
-    tool: "*",
-    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-    verdict: "review",
-    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
+    name: "Anthropic Admin Key",
+    regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
+    severity: "block",
+    keywords: ["sk-ant-admin01"]
   },
+  // ── OpenAI ────────────────────────────────────────────────────────────────
   {
-    name: "review-drop-column-sql",
-    tool: "*",
-    conditions: [
-      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-    ],
-    verdict: "review",
-    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
-    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
-  }
-];
-var cachedConfig = null;
-function getCredentials() {
-  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  if (process.env.NODE9_API_KEY) {
-    return {
-      apiKey: process.env.NODE9_API_KEY,
-      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
-    };
-  }
-  try {
-    const credPath = import_path3.default.join(import_os3.default.homedir(), ".node9", "credentials.json");
-    if (import_fs3.default.existsSync(credPath)) {
-      const creds = JSON.parse(import_fs3.default.readFileSync(credPath, "utf-8"));
-      const profileName = process.env.NODE9_PROFILE || "default";
-      const profile = creds[profileName];
-      if (profile?.apiKey) {
-        return {
-          apiKey: profile.apiKey,
-          apiUrl: profile.apiUrl || DEFAULT_API_URL
-        };
-      }
-      if (creds.apiKey) {
-        return {
-          apiKey: creds.apiKey,
-          apiUrl: creds.apiUrl || DEFAULT_API_URL
-        };
-      }
-    }
-  } catch {
-  }
-  return null;
-}
-function getActiveEnvironment(config) {
-  const env = config.settings.environment || process.env.NODE_ENV || "development";
-  return config.environments[env] ?? null;
-}
-function getConfig(cwd) {
-  if (!cwd && cachedConfig) return cachedConfig;
-  const globalPath = import_path3.default.join(import_os3.default.homedir(), ".node9", "config.json");
-  const projectPath = import_path3.default.join(cwd ?? process.cwd(), "node9.config.json");
-  const globalConfig = tryLoadConfig(globalPath);
-  const projectConfig = tryLoadConfig(projectPath);
-  const mergedSettings = {
-    ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
-  };
-  const mergedPolicy = {
-    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
-    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
-    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
-    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
-    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
-    snapshot: {
-      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
-      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
-      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
-    },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp },
-    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
-    skillPinning: {
-      ...DEFAULT_CONFIG.policy.skillPinning,
-      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
-    }
-  };
-  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
-  const applyLayer = (source) => {
-    if (!source) return;
-    const s = source.settings || {};
-    const p = source.policy || {};
-    if (s.mode !== void 0) mergedSettings.mode = s.mode;
-    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
-    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
-    if (s.enableHookLogDebug !== void 0)
-      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
-    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
-    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
-    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
-      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
-    if (s.environment !== void 0) mergedSettings.environment = s.environment;
-    if (s.cloudSyncIntervalHours !== void 0)
-      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
-    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
-    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
-    if (p.toolInspection)
-      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.smartRules) {
-      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
-      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
-      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
-      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
-      const filteredNonBlocks = defaultNonBlocks.filter(
-        (r) => !r.name || !userRuleNames.has(r.name)
-      );
-      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
-    }
-    if (p.snapshot) {
-      const s2 = p.snapshot;
-      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
-      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
-      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
-    }
-    if (p.dlp) {
-      const d = p.dlp;
-      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
-      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
-    }
-    if (p.loopDetection) {
-      const ld = p.loopDetection;
-      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
-      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
-      if (ld.windowSeconds !== void 0)
-        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
-    }
-    if (p.skillPinning && typeof p.skillPinning === "object") {
-      const sp = p.skillPinning;
-      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
-      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
-      if (Array.isArray(sp.roots)) {
-        for (const r of sp.roots) {
-          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
-        }
-      }
-    }
-    const envs = source.environments || {};
-    for (const [envName, envConfig] of Object.entries(envs)) {
-      if (envConfig && typeof envConfig === "object") {
-        const ec = envConfig;
-        mergedEnvironments[envName] = {
-          ...mergedEnvironments[envName],
-          // Validate field types before merging — do not blindly spread user input
-          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
-        };
-      }
-    }
-  };
-  applyLayer(globalConfig);
-  applyLayer(projectConfig);
-  {
-    const cacheFile = import_path3.default.join(import_os3.default.homedir(), ".node9", "rules-cache.json");
-    try {
-      const raw = JSON.parse(import_fs3.default.readFileSync(cacheFile, "utf-8"));
-      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
-        applyLayer({ policy: { smartRules: raw.rules } });
-      }
-    } catch {
-    }
-  }
-  const shieldOverrides = readShieldOverrides();
-  for (const shieldName of readActiveShields()) {
-    const shield = getShield(shieldName);
-    if (!shield) continue;
-    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-    const ruleOverrides = shieldOverrides[shieldName] ?? {};
-    for (const rule of shield.smartRules) {
-      if (!existingRuleNames.has(rule.name)) {
-        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
-        mergedPolicy.smartRules.push(
-          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
-        );
-      }
-    }
-    const existingWords = new Set(mergedPolicy.dangerousWords);
-    for (const word of shield.dangerousWords) {
-      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
-    }
-  }
-  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
-  for (const rule of ADVISORY_SMART_RULES) {
-    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
-  }
-  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
-  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
-  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
-  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
-  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
-  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
-  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
-  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
-  const result = {
-    settings: mergedSettings,
-    policy: mergedPolicy,
-    environments: mergedEnvironments
-  };
-  if (!cwd) cachedConfig = result;
-  return result;
-}
-function tryLoadConfig(filePath) {
-  if (!import_fs3.default.existsSync(filePath)) return null;
-  let raw;
-  try {
-    raw = JSON.parse(import_fs3.default.readFileSync(filePath, "utf-8"));
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Failed to parse ${filePath}
-   ${msg}
-   \u2192 Using default config
-
-`
-    );
-    return null;
-  }
-  const SUPPORTED_VERSION = "1.0";
-  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
-  const fileVersion = raw?.version;
-  if (fileVersion !== void 0) {
-    const vStr = String(fileVersion);
-    const fileMajor = vStr.split(".")[0];
-    if (fileMajor !== SUPPORTED_MAJOR) {
-      process.stderr.write(
-        `
-\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
-
-`
-      );
-      return null;
-    } else if (vStr !== SUPPORTED_VERSION) {
-      process.stderr.write(
-        `
-\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
-
-`
-      );
-    }
-  }
-  const { sanitized, error } = sanitizeConfig(raw);
-  if (error) {
-    process.stderr.write(
-      `
-\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
-${error.replace("Invalid config:\n", "")}
-   \u2192 Invalid fields ignored, using defaults for those keys
-
-`
-    );
-  }
-  return sanitized;
-}
-
-// src/utils/regex.ts
-var import_safe_regex2 = __toESM(require("safe-regex2"));
-var MAX_REGEX_LENGTH = 100;
-var REGEX_CACHE_MAX = 500;
-var regexCache = /* @__PURE__ */ new Map();
-function validateRegex(pattern) {
-  if (!pattern) return "Pattern is required";
-  if (pattern.length > MAX_REGEX_LENGTH) return `Pattern exceeds max length of ${MAX_REGEX_LENGTH}`;
-  try {
-    new RegExp(pattern);
-  } catch (e) {
-    return `Invalid regex syntax: ${e.message}`;
-  }
-  if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
-  if (!(0, import_safe_regex2.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
-  return null;
-}
-function getCompiledRegex(pattern, flags = "") {
-  if (flags && !/^[gimsuy]+$/.test(flags)) {
-    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Invalid regex flags: "${flags}"`);
-    return null;
-  }
-  const key = `${pattern}\0${flags}`;
-  if (regexCache.has(key)) {
-    const cached = regexCache.get(key);
-    regexCache.delete(key);
-    regexCache.set(key, cached);
-    return cached;
-  }
-  const err = validateRegex(pattern);
-  if (err) {
-    if (process.env.NODE9_DEBUG === "1")
-      console.error(`[Node9] Regex blocked: ${err} \u2014 pattern: "${pattern}"`);
-    return null;
-  }
-  try {
-    const re = new RegExp(pattern, flags);
-    if (regexCache.size >= REGEX_CACHE_MAX) {
-      const oldest = regexCache.keys().next().value;
-      if (oldest) regexCache.delete(oldest);
-    }
-    regexCache.set(key, re);
-    return re;
-  } catch (e) {
-    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Regex compile failed:`, e);
-    return null;
-  }
-}
-
-// src/policy/index.ts
-var import_path8 = __toESM(require("path"));
-var import_picomatch = __toESM(require("picomatch"));
-var import_mvdan_sh = __toESM(require("mvdan-sh"));
-
-// src/dlp.ts
-var import_fs4 = __toESM(require("fs"));
-var import_path4 = __toESM(require("path"));
-var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
-function isAssignmentContext(text) {
-  return ASSIGNMENT_CONTEXT_RE.test(text);
-}
-function shannonEntropy(s) {
-  if (s.length === 0) return 0;
-  const freq = /* @__PURE__ */ new Map();
-  for (const ch of s) freq.set(ch, (freq.get(ch) ?? 0) + 1);
-  let h = 0;
-  for (const count of freq.values()) {
-    const p = count / s.length;
-    h -= p * Math.log2(p);
-  }
-  return h;
-}
-var DLP_STOPWORDS = [
-  "example",
-  "placeholder",
-  "changeme",
-  "your_key",
-  "your_token",
-  "your_secret",
-  "replace_me",
-  "insert_key",
-  "put_your",
-  "fake",
-  "dummy",
-  "sample",
-  "xxxxxxxx",
-  "aaaaaa",
-  "bbbbbb",
-  "00000000",
-  "${",
-  "{{",
-  "%{",
-  "<your",
-  "test_key",
-  "test_token",
-  "your",
-  "here"
-];
-var DLP_PATTERNS = [
-  // ── AWS ───────────────────────────────────────────────────────────────────
-  {
-    name: "AWS Access Key ID",
-    regex: /\b(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16}\b/,
+    name: "OpenAI API Key",
+    regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
     severity: "block",
-    keywords: ["akia", "asia", "abia", "acca", "a3t"]
+    keywords: ["sk-"],
+    minEntropy: 3.5
   },
-  // ── GitHub ────────────────────────────────────────────────────────────────
+  // ── Stripe ────────────────────────────────────────────────────────────────
   {
-    name: "GitHub Token",
-    regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/,
-    severity: "block",
-    keywords: ["ghp_", "gho_", "ghu_", "ghs_"],
-    minEntropy: 3
-  },
-  {
-    name: "GitHub Fine-Grained PAT",
-    regex: /\bgithub_pat_\w{82}\b/,
-    severity: "block",
-    keywords: ["github_pat_"]
-  },
-  // ── Slack ─────────────────────────────────────────────────────────────────
-  {
-    name: "Slack Bot Token",
-    // Real tokens are ~50–80 chars; lower bound 20 avoids false negatives on partial tokens
-    regex: /\bxoxb-[0-9A-Za-z-]{20,100}\b/,
-    severity: "block",
-    keywords: ["xoxb-"]
-  },
-  // ── Anthropic ─────────────────────────────────────────────────────────────
-  // Listed before OpenAI — Anthropic keys start with sk-ant- which would also
-  // match the broader OpenAI sk- pattern; more specific rules must come first.
-  {
-    name: "Anthropic API Key",
-    regex: /\bsk-ant-api03-[a-zA-Z0-9_-]{93}AA\b/,
-    severity: "block",
-    keywords: ["sk-ant-api03"]
-  },
-  {
-    name: "Anthropic Admin Key",
-    regex: /\bsk-ant-admin01-[a-zA-Z0-9_-]{93}AA\b/,
-    severity: "block",
-    keywords: ["sk-ant-admin01"]
-  },
-  // ── OpenAI ────────────────────────────────────────────────────────────────
-  {
-    name: "OpenAI API Key",
-    regex: /\bsk-[a-zA-Z0-9_-]{20,}\b/,
-    severity: "block",
-    keywords: ["sk-"],
-    minEntropy: 3.5
-  },
-  // ── Stripe ────────────────────────────────────────────────────────────────
-  {
-    name: "Stripe Secret Key",
-    regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/,
+    name: "Stripe Secret Key",
+    regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24}\b/,
     severity: "block",
     keywords: ["sk_live_", "sk_test_"]
   },
@@ -1452,39 +770,45 @@ var SENSITIVE_PATH_PATTERNS = [
   /[/\\]id_ed25519$/i,
   /[/\\]id_ecdsa$/i
 ];
-function scanFilePath(filePath, cwd = process.cwd()) {
-  if (!filePath) return null;
-  let resolved;
-  try {
-    const absolute = import_path4.default.resolve(cwd, filePath);
-    resolved = import_fs4.default.realpathSync.native(absolute);
-  } catch (err) {
-    const code = err.code;
-    if (code === "ENOENT" || code === "ENOTDIR") {
-      resolved = import_path4.default.resolve(cwd, filePath);
-    } else {
-      return {
-        patternName: "Sensitive File Path",
-        fieldPath: "file_path",
-        redactedSample: filePath,
-        severity: "block"
-      };
-    }
-  }
-  const normalised = resolved.replace(/\\/g, "/");
+function matchSensitivePath(resolvedPath, originalPath) {
+  const normalised = resolvedPath.replace(/\\/g, "/");
   for (const pattern of SENSITIVE_PATH_PATTERNS) {
     if (pattern.test(normalised)) {
       return {
         patternName: "Sensitive File Path",
         fieldPath: "file_path",
-        redactedSample: filePath,
-        // show original path in alert, not resolved
+        redactedSample: originalPath,
         severity: "block"
       };
     }
   }
   return null;
 }
+function sensitivePathMatch(originalPath) {
+  return {
+    patternName: "Sensitive File Path",
+    fieldPath: "file_path",
+    redactedSample: originalPath,
+    severity: "block"
+  };
+}
+function assertBuiltinPatternsAreSafe() {
+  for (const p of DLP_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(p.regex.source)) {
+      throw new Error(
+        `[node9 engine] Builtin DLP pattern '${p.name}' is vulnerable to ReDoS: ${p.regex.source}`
+      );
+    }
+  }
+  for (const re of SENSITIVE_PATH_PATTERNS) {
+    if (!(0, import_safe_regex2.default)(re.source)) {
+      throw new Error(
+        `[node9 engine] Builtin sensitive-path pattern is vulnerable to ReDoS: ${re.source}`
+      );
+    }
+  }
+}
+assertBuiltinPatternsAreSafe();
 function maskSecret(raw, pattern) {
   const match = raw.match(pattern);
   if (!match) return "****";
@@ -1549,104 +873,165 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
   }
   return null;
 }
-
-// src/utils/provenance.ts
-var import_fs5 = __toESM(require("fs"));
-var import_path5 = __toESM(require("path"));
-var import_os4 = __toESM(require("os"));
-var SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
-var MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
-var USER_PREFIXES = [
-  import_path5.default.join(import_os4.default.homedir(), "bin"),
-  import_path5.default.join(import_os4.default.homedir(), ".local", "bin"),
-  import_path5.default.join(import_os4.default.homedir(), ".cargo", "bin"),
-  import_path5.default.join(import_os4.default.homedir(), ".npm-global", "bin"),
-  import_path5.default.join(import_os4.default.homedir(), ".volta", "bin")
-];
-var SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
-function findInPath(cmd) {
-  if (import_path5.default.posix.isAbsolute(cmd)) return cmd;
-  const pathEnv = process.env.PATH ?? "";
-  for (const dir of pathEnv.split(import_path5.default.delimiter)) {
-    if (!dir) continue;
-    const full = import_path5.default.join(dir, cmd);
-    try {
-      import_fs5.default.accessSync(full, import_fs5.default.constants.X_OK);
-      return full;
-    } catch {
+var { syntax } = import_mvdan_sh.default;
+var sharedParser = syntax.NewParser();
+var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
+  "-m",
+  "--message",
+  "--body",
+  "--title",
+  "--description",
+  "--comment",
+  "--subject",
+  "--summary"
+]);
+var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
+var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+function normalizeCommandForPolicy(command) {
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    const strips = [];
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      for (let i = 0; i < args.length - 1; i++) {
+        const argParts = args[i].Parts || [];
+        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
+        const flagVal = argParts[0].Value || "";
+        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
+        const next = args[i + 1];
+        const nextParts = next.Parts || [];
+        if (nextParts.length !== 1) continue;
+        const quotedNode = nextParts[0];
+        const nt = syntax.NodeType(quotedNode);
+        if (nt === "SglQuoted") {
+          strips.push([next.Pos().Offset(), next.End().Offset()]);
+        } else if (nt === "DblQuoted") {
+          const innerParts = quotedNode.Parts || [];
+          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
+          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+        }
+      }
+      return true;
+    });
+    if (strips.length === 0) return command;
+    strips.sort((a, b) => b[0] - a[0]);
+    let result = command;
+    for (const [start, end] of strips) {
+      result = result.slice(0, start) + '""' + result.slice(end);
     }
+    return result;
+  } catch {
+    return command;
   }
-  return null;
 }
-function _classifyPath(resolved, cwd) {
-  if (cwd && resolved.startsWith(cwd + "/")) {
-    return { trustLevel: "user", reason: "binary in project directory" };
-  }
-  const osTmp = import_os4.default.tmpdir();
-  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
-  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
-  }
-  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "system", reason: "" };
-  }
-  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "managed", reason: "" };
-  }
-  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
-    return { trustLevel: "user", reason: "" };
+function scanArgsForDynamicExec(args, startIdx) {
+  let hasCmdSubst = false;
+  let hasParamExp = false;
+  let hasCurl = false;
+  for (let i = startIdx; i < args.length; i++) {
+    syntax.Walk(args[i], (inner) => {
+      if (!inner) return false;
+      const inn = inner;
+      const it = syntax.NodeType(inn);
+      if (it === "CmdSubst") hasCmdSubst = true;
+      if (it === "ParamExp") hasParamExp = true;
+      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
+      return true;
+    });
   }
-  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+  if (hasCmdSubst && hasCurl) return "block";
+  if (hasCmdSubst || hasParamExp) return "review";
+  return null;
 }
-function checkProvenance(cmd, cwd) {
-  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
-  if (import_path5.default.posix.isAbsolute(bare)) {
-    const early = _classifyPath(bare, cwd);
-    if (early.trustLevel === "suspect") {
-      return { resolvedPath: bare, ...early };
-    }
-  }
-  let resolved;
-  try {
-    const found = findInPath(bare);
-    if (!found) {
-      return {
-        resolvedPath: cmd,
-        trustLevel: "unknown",
-        reason: "binary not found in PATH"
-      };
-    }
-    resolved = import_fs5.default.realpathSync(found);
-  } catch {
-    return {
-      resolvedPath: cmd,
-      trustLevel: "unknown",
-      reason: "binary not found in PATH"
-    };
-  }
+function detectDangerousShellExec(command) {
   try {
-    const stat = import_fs5.default.statSync(resolved);
-    if (stat.mode & 2) {
-      return {
-        resolvedPath: resolved,
-        trustLevel: "suspect",
-        reason: "binary is world-writable"
-      };
-    }
+    const f = sharedParser.Parse(command, "cmd");
+    let result = null;
+    syntax.Walk(f, (node) => {
+      if (!node || result === "block") return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const args = n.Args || [];
+      if (args.length === 0) return true;
+      const firstParts = args[0].Parts || [];
+      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
+      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
+      if (cmdName === "eval") {
+        const v = scanArgsForDynamicExec(args, 1);
+        if (v === "block" || v === "review" && result === null) result = v;
+      } else if (SHELL_INTERPRETERS.has(cmdName)) {
+        for (let i = 1; i < args.length - 1; i++) {
+          const flagParts = args[i].Parts || [];
+          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
+            continue;
+          const v = scanArgsForDynamicExec(args, i + 1);
+          if (v === "block" || v === "review" && result === null) result = v;
+          break;
+        }
+      }
+      return true;
+    });
+    return result;
   } catch {
-    return {
-      resolvedPath: resolved,
-      trustLevel: "unknown",
-      reason: "could not stat binary"
-    };
+    return null;
   }
-  const classify = _classifyPath(resolved, cwd);
-  return { resolvedPath: resolved, ...classify };
 }
-
-// src/policy/pipe-chain.ts
-var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
-  "cat",
+function analyzeShellCommand(command) {
+  const actions = [];
+  const paths = [];
+  const allTokens = [];
+  const addToken = (token) => {
+    const lower = token.toLowerCase();
+    allTokens.push(lower);
+    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
+    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
+  };
+  try {
+    const f = sharedParser.Parse(command, "cmd");
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const wordValues = (n.Args || []).map((arg) => {
+        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
+      }).filter((s) => s.length > 0);
+      if (wordValues.length > 0) {
+        const cmd = wordValues[0].toLowerCase();
+        if (!actions.includes(cmd)) actions.push(cmd);
+        wordValues.forEach((w) => addToken(w));
+        wordValues.slice(1).forEach((w) => {
+          if (!w.startsWith("-")) paths.push(w);
+        });
+      }
+      return true;
+    });
+  } catch {
+  }
+  if (allTokens.length === 0) {
+    const normalized = command.replace(/\\(.)/g, "$1");
+    const sanitized = normalized.replace(/["'<>]/g, " ");
+    const segments = sanitized.split(/[|;&]|\$\(|\)|`/);
+    segments.forEach((segment) => {
+      const tokens = segment.trim().split(/\s+/).filter(Boolean);
+      if (tokens.length > 0) {
+        const action = tokens[0].toLowerCase();
+        if (!actions.includes(action)) actions.push(action);
+        tokens.forEach((t) => {
+          addToken(t);
+          if (t !== tokens[0] && !t.startsWith("-")) {
+            if (!paths.includes(t)) paths.push(t);
+          }
+        });
+      }
+    });
+  }
+  return { actions, paths, allTokens };
+}
+var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+  "cat",
   "head",
   "tail",
   "grep",
@@ -1791,9 +1176,10 @@ function analyzePipeChain(command) {
     risk
   };
 }
-
-// src/policy/flag-tables.ts
-var import_path6 = __toESM(require("path"));
+function basename(p) {
+  const segments = p.split(/[\\/]/);
+  return segments[segments.length - 1] || "";
+}
 var FLAGS_WITH_VALUES = {
   curl: /* @__PURE__ */ new Set([
     "-H",
@@ -1861,7 +1247,7 @@ var FLAGS_WITH_VALUES = {
   // socat uses address syntax, not flags — no value-flags
 };
 function extractPositionalArgs(tokens, binary) {
-  const binaryName = import_path6.default.basename(binary).replace(/\.exe$/i, "");
+  const binaryName = basename(binary).replace(/\.exe$/i, "");
   const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
   const positional = [];
   let skipNext = false;
@@ -1896,8 +1282,6 @@ function extractNetworkTargets(tokens, binary) {
     return t;
   }).filter(Boolean);
 }
-
-// src/policy/ssh-parser.ts
 function tokenize(cmd) {
   const tokens = [];
   let current = "";
@@ -1957,60 +1341,42 @@ function extractAllSshHosts(tokens) {
   }
   return [...hosts].filter(Boolean);
 }
-
-// src/auth/trusted-hosts.ts
-var import_fs6 = __toESM(require("fs"));
-var import_path7 = __toESM(require("path"));
-var import_os5 = __toESM(require("os"));
-function getTrustedHostsPath() {
-  return import_path7.default.join(import_os5.default.homedir(), ".node9", "trusted-hosts.json");
-}
-function readTrustedHosts() {
+var MAX_REGEX_LENGTH = 100;
+var REGEX_CACHE_MAX = 500;
+var regexCache = /* @__PURE__ */ new Map();
+function validateRegex(pattern) {
+  if (!pattern) return "Pattern is required";
+  if (pattern.length > MAX_REGEX_LENGTH) return `Pattern exceeds max length of ${MAX_REGEX_LENGTH}`;
   try {
-    const raw = import_fs6.default.readFileSync(getTrustedHostsPath(), "utf8");
-    const parsed = JSON.parse(raw);
-    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
-  } catch {
-    return [];
+    new RegExp(pattern);
+  } catch (e) {
+    return `Invalid regex syntax: ${e.message}`;
   }
+  if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
+  if (!(0, import_safe_regex22.default)(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  return null;
 }
-var _cache = null;
-var CACHE_TTL_MS = 5e3;
-function getFileMtime() {
+function getCompiledRegex(pattern, flags = "") {
+  if (flags && !/^[gimsuy]+$/.test(flags)) return null;
+  const key = `${pattern}\0${flags}`;
+  if (regexCache.has(key)) {
+    const cached = regexCache.get(key);
+    regexCache.delete(key);
+    regexCache.set(key, cached);
+    return cached;
+  }
+  if (validateRegex(pattern) !== null) return null;
   try {
-    return import_fs6.default.statSync(getTrustedHostsPath()).mtimeMs;
+    const re = new RegExp(pattern, flags);
+    if (regexCache.size >= REGEX_CACHE_MAX) {
+      const oldest = regexCache.keys().next().value;
+      if (oldest) regexCache.delete(oldest);
+    }
+    regexCache.set(key, re);
+    return re;
   } catch {
-    return 0;
-  }
-}
-function getCachedHosts() {
-  const now = Date.now();
-  if (_cache && now < _cache.expiry) {
-    const mtime = getFileMtime();
-    if (mtime === _cache.mtime) return _cache.hosts;
+    return null;
   }
-  const hosts = readTrustedHosts();
-  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
-  return hosts;
-}
-function normalizeHost(raw) {
-  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
-}
-function isTrustedHost(host) {
-  const normalized = normalizeHost(host);
-  return getCachedHosts().some((entry) => {
-    const entryHost = entry.host.toLowerCase();
-    if (entryHost.startsWith("*.")) {
-      const domain = entryHost.slice(2);
-      return normalized.endsWith("." + domain);
-    }
-    return normalized === entryHost;
-  });
-}
-
-// src/policy/index.ts
-function tokenize2(toolName) {
-  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
 function matchesPattern(text, patterns) {
   const p = Array.isArray(patterns) ? patterns : [patterns];
@@ -2022,444 +1388,1832 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path15) {
+var FORBIDDEN_PATH_SEGMENTS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function getNestedValue(obj, path13) {
   if (!obj || typeof obj !== "object") return null;
-  return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  const segments = path13.split(".");
+  for (const seg of segments) {
+    if (FORBIDDEN_PATH_SEGMENTS.has(seg)) return null;
+  }
+  return segments.reduce((prev, curr) => prev?.[curr], obj);
 }
-var { syntax } = import_mvdan_sh.default;
-var sharedParser = syntax.NewParser();
-var MESSAGE_FLAGS = /* @__PURE__ */ new Set([
-  "-m",
-  "--message",
-  "--body",
-  "--title",
-  "--description",
-  "--comment",
-  "--subject",
-  "--summary"
-]);
-function normalizeCommandForPolicy(command) {
-  try {
-    const f = sharedParser.Parse(command, "cmd");
-    const strips = [];
-    syntax.Walk(f, (node) => {
-      if (!node) return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const args = n.Args || [];
-      for (let i = 0; i < args.length - 1; i++) {
-        const argParts = args[i].Parts || [];
-        if (argParts.length !== 1 || syntax.NodeType(argParts[0]) !== "Lit") continue;
-        const flagVal = argParts[0].Value || "";
-        if (!MESSAGE_FLAGS.has(flagVal.toLowerCase())) continue;
-        const next = args[i + 1];
-        const nextParts = next.Parts || [];
-        if (nextParts.length !== 1) continue;
-        const quotedNode = nextParts[0];
-        const nt = syntax.NodeType(quotedNode);
-        if (nt === "SglQuoted") {
-          strips.push([next.Pos().Offset(), next.End().Offset()]);
-        } else if (nt === "DblQuoted") {
-          const innerParts = quotedNode.Parts || [];
-          const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
-          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
-        }
+function evaluateSmartConditions(args, rule) {
+  if (!rule.conditions || rule.conditions.length === 0) return true;
+  const mode = rule.conditionMode ?? "all";
+  const results = rule.conditions.map((cond) => {
+    const rawVal = getNestedValue(args, cond.field);
+    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
+    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
+    switch (cond.op) {
+      case "exists":
+        return val !== null && val !== "";
+      case "notExists":
+        return val === null || val === "";
+      case "contains":
+        return val !== null && cond.value ? val.includes(cond.value) : false;
+      case "notContains":
+        return val !== null && cond.value ? !val.includes(cond.value) : true;
+      case "matches": {
+        if (val === null || !cond.value) return false;
+        const reM = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reM) return false;
+        return reM.test(val);
       }
-      return true;
-    });
-    if (strips.length === 0) return command;
-    strips.sort((a, b) => b[0] - a[0]);
-    let result = command;
-    for (const [start, end] of strips) {
-      result = result.slice(0, start) + '""' + result.slice(end);
+      case "notMatches": {
+        if (!cond.value) return false;
+        if (val === null) return true;
+        const reN = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reN) return false;
+        return !reN.test(val);
+      }
+      case "matchesGlob":
+        return val !== null && cond.value ? import_picomatch.default.isMatch(val, cond.value) : false;
+      case "notMatchesGlob":
+        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : false;
+      default:
+        return false;
     }
-    return result;
-  } catch {
-    return command;
+  });
+  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
+}
+function tokenize2(toolName) {
+  return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
+}
+function extractShellCommand(toolName, args, toolInspection) {
+  const patterns = Object.keys(toolInspection);
+  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
+  if (!matchingPattern) return null;
+  const fieldPath = toolInspection[matchingPattern];
+  const value = getNestedValue(args, fieldPath);
+  return typeof value === "string" ? value : null;
+}
+function isSqlTool(toolName, toolInspection) {
+  const patterns = Object.keys(toolInspection);
+  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
+  if (!matchingPattern) return false;
+  const fieldName = toolInspection[matchingPattern];
+  return fieldName === "sql" || fieldName === "query";
+}
+var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
+async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
+  const { agent, cwd, activeEnvironment } = context;
+  const { checkProvenance: checkProvenance2, isTrustedHost: isTrustedHost2 } = hooks;
+  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
+  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
+    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
+    if (dlpMatch) {
+      return {
+        decision: dlpMatch.severity,
+        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
+        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
+      };
+    }
+  }
+  if (wouldBeIgnored) return { decision: "allow" };
+  if (config.policy.smartRules.length > 0) {
+    const matchedRule = config.policy.smartRules.find(
+      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+    );
+    if (matchedRule) {
+      if (matchedRule.verdict === "allow")
+        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
+      return {
+        decision: matchedRule.verdict,
+        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
+        reason: matchedRule.reason,
+        tier: 2,
+        ruleName: matchedRule.name ?? matchedRule.tool,
+        ...(matchedRule.description ?? matchedRule.reason) && {
+          ruleDescription: matchedRule.description ?? matchedRule.reason
+        },
+        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
+          dependsOnStatePredicates: matchedRule.dependsOnState
+        },
+        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
+          recoveryCommand: matchedRule.recoveryCommand
+        }
+      };
+    }
+  }
+  let allTokens = [];
+  let pathTokens = [];
+  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
+  if (shellCommand) {
+    const analyzed = analyzeShellCommand(shellCommand);
+    allTokens = analyzed.allTokens;
+    pathTokens = analyzed.paths;
+    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
+    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9 Standard (Inline Execution)",
+        ruleDescription: "The AI is running code directly from the command line. Review the full script below before allowing it to execute.",
+        tier: 3
+      };
+    }
+    const evalVerdict = detectDangerousShellExec(shellCommand);
+    if (evalVerdict === "block") {
+      return {
+        decision: "block",
+        blockedByLabel: "Node9: Eval Remote Execution",
+        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
+        ruleDescription: "The AI is downloading a script from the internet and running it immediately without inspection. This is a common way malware gets installed.",
+        tier: 3
+      };
+    }
+    if (evalVerdict === "review") {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Eval Dynamic Content",
+        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
+        ruleDescription: "The AI is running a command that includes a variable or subshell expansion. The actual command executed at runtime may differ from what is shown here.",
+        tier: 3
+      };
+    }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
+      const sinks = pipeAnalysis.sinkTargets;
+      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
+      if (pipeAnalysis.risk === "critical") {
+        if (allTrusted) {
+          return {
+            decision: "review",
+            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+            tier: 3
+          };
+        }
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+          tier: 3
+        };
+      }
+      if (allTrusted) {
+        return {
+          decision: "allow",
+          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+          tier: 3
+        };
+      }
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+        tier: 3
+      };
+    }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
+    }
+    if (firstToken && firstToken.startsWith("/") && checkProvenance2) {
+      const prov = checkProvenance2(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+    }
+    if (isSqlTool(toolName, config.policy.toolInspection)) {
+      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    }
+  } else {
+    allTokens = tokenize2(toolName);
+    if (args && typeof args === "object") {
+      const flattenedArgs = JSON.stringify(args).toLowerCase();
+      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
+      allTokens.push(...extraTokens);
+    }
+  }
+  const isManual = agent === "Terminal";
+  if (isManual) {
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
+    }
+    return { decision: "allow" };
+  }
+  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
+    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
+    if (allInSandbox) return { decision: "allow" };
+  }
+  let matchedDangerousWord;
+  const isDangerous = allTokens.some(
+    (token) => config.policy.dangerousWords.some((word) => {
+      const w = word.toLowerCase();
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
+    })
+  );
+  if (isDangerous) {
+    let matchedField;
+    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
+      const obj = args;
+      for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === "string") {
+          try {
+            if (new RegExp(
+              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
+              "i"
+            ).test(value)) {
+              matchedField = key;
+              break;
+            }
+          } catch {
+          }
+        }
+      }
+    }
+    return {
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
+      matchedWord: matchedDangerousWord,
+      matchedField,
+      ruleDescription: `This command contains a flagged keyword ("${matchedDangerousWord}") from your node9 config. Review it before allowing.`,
+      tier: 6
+    };
+  }
+  if (config.settings.mode === "strict") {
+    if (activeEnvironment?.requireApproval === false) return { decision: "allow" };
+    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
+  }
+  return { decision: "allow" };
+}
+function isIgnoredTool(toolName, config) {
+  return matchesPattern(toolName, config.policy.ignoredTools);
+}
+var aws_default = {
+  name: "aws",
+  description: "Protects AWS infrastructure from destructive AI operations",
+  aliases: ["amazon"],
+  smartRules: [
+    {
+      name: "shield:aws:block-delete-s3-bucket",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
+    },
+    {
+      name: "shield:aws:review-iam-changes",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "IAM changes require human approval (AWS shield)"
+    },
+    {
+      name: "shield:aws:block-ec2-terminate",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "aws\\s+ec2\\s+terminate-instances",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
+    },
+    {
+      name: "shield:aws:review-rds-delete",
+      tool: "*",
+      conditions: [
+        { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "RDS deletion requires human approval (AWS shield)"
+    }
+  ],
+  dangerousWords: []
+};
+var bash_safe_default = {
+  name: "bash-safe",
+  description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+  aliases: ["bash", "shell"],
+  smartRules: [
+    {
+      name: "shield:bash-safe:block-pipe-to-shell",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-obfuscated-exec",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bbase64\\s+(-d|--decode)[^|;&]*\\|\\s*(bash|sh|zsh)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-rm-root",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-disk-overwrite",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:block-eval-remote",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|&&|\\|\\||;)\\s*eval\\s+.*\\$\\((curl|wget)\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "eval of remote download is a near-certain supply-chain attack \u2014 blocked by bash-safe shield"
+    },
+    {
+      name: "shield:bash-safe:review-eval-dynamic",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: '(^|&&|\\|\\||[;|\\n{(`])\\s*eval\\s+([\\$`(]|"[^"]*\\$)',
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "eval of dynamic content \u2014 backup regex rule for scan path (real-time uses AST detection)"
+    }
+  ],
+  dangerousWords: []
+};
+var docker_default = {
+  name: "docker",
+  description: "Protects Docker environments from destructive AI operations",
+  aliases: [],
+  smartRules: [
+    {
+      name: "shield:docker:block-system-prune",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+system\\s+prune",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "docker system prune removes all unused containers, images, and volumes \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:block-volume-prune",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+volume\\s+prune",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "docker volume prune destroys all unused volumes and their data \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:block-rm-force",
+      tool: "*",
+      conditionMode: "all",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+rm\\b",
+          flags: "i"
+        },
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|\\s)(-f|--force)(\\s|$)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Force-removing running containers is destructive \u2014 blocked by Docker shield"
+    },
+    {
+      name: "shield:docker:review-volume-rm",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+volume\\s+rm\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Volume removal deletes persistent data and requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-stop-kill",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+(stop|kill)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Stopping or killing containers requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-image-rm",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+image\\s+rm\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Image removal requires human approval (Docker shield)"
+    },
+    {
+      name: "shield:docker:review-rmi-force",
+      tool: "*",
+      conditionMode: "all",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "docker\\s+rmi\\b",
+          flags: "i"
+        },
+        {
+          field: "command",
+          op: "matches",
+          value: "(^|\\s)(-f|--force)(\\s|$)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Force image removal requires human approval (Docker shield)"
+    }
+  ],
+  dangerousWords: []
+};
+var filesystem_default = {
+  name: "filesystem",
+  description: "Protects the local filesystem from dangerous AI operations",
+  aliases: ["fs"],
+  smartRules: [
+    {
+      name: "shield:filesystem:review-chmod-777",
+      tool: "bash",
+      conditions: [
+        { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "chmod 777 requires human approval (filesystem shield)"
+    },
+    {
+      name: "shield:filesystem:review-write-etc",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
+        }
+      ],
+      verdict: "review",
+      reason: "Writing to /etc requires human approval (filesystem shield)"
+    }
+  ],
+  dangerousWords: ["wipefs"]
+};
+var github_default = {
+  name: "github",
+  description: "Protects GitHub repositories from destructive AI operations",
+  aliases: ["git"],
+  smartRules: [
+    {
+      name: "shield:github:review-delete-branch-remote",
+      tool: "bash",
+      conditions: [
+        { field: "command", op: "matches", value: "git\\s+push\\s+.*--delete", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "Remote branch deletion requires human approval (GitHub shield)"
+    },
+    {
+      name: "shield:github:block-delete-repo",
+      tool: "*",
+      conditions: [
+        { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
+    }
+  ],
+  dangerousWords: []
+};
+var k8s_default = {
+  name: "k8s",
+  description: "Protects Kubernetes clusters from destructive AI operations",
+  aliases: ["kubernetes", "kubectl"],
+  smartRules: [
+    {
+      name: "shield:k8s:block-delete-namespace",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+(ns|namespace)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Deleting a namespace destroys all resources inside it \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:block-delete-all",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+.*--all\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "kubectl delete --all is irreversible \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:block-helm-uninstall",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "helm\\s+(uninstall|delete|del)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "helm uninstall removes a release and its resources \u2014 blocked by k8s shield"
+    },
+    {
+      name: "shield:k8s:review-scale-zero",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+scale\\s+.*--replicas=0",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Scaling to zero takes down a workload and requires human approval (k8s shield)"
+    },
+    {
+      name: "shield:k8s:review-delete-deployment",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+delete\\s+(deployment|deploy|statefulset|sts|daemonset|ds)\\s+",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Deleting a workload requires human approval (k8s shield)"
+    },
+    {
+      name: "shield:k8s:review-apply-force",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "kubectl\\s+(apply|replace)\\s+.*--force",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Force-apply overwrites live resources and requires human approval (k8s shield)"
+    }
+  ],
+  dangerousWords: []
+};
+var mcp_tool_gating_default = {
+  name: "mcp-tool-gating",
+  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
+  aliases: ["mcp-gating", "mcp-tools"],
+  smartRules: [],
+  dangerousWords: []
+};
+var mongodb_default = {
+  name: "mongodb",
+  description: "Protects MongoDB databases from destructive AI operations",
+  aliases: ["mongo"],
+  smartRules: [
+    {
+      name: "shield:mongodb:block-drop-database",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.dropDatabase\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "dropDatabase is irreversible \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:block-drop-collection",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.drop\\s*\\(|db\\.getCollection\\([^)]+\\)\\.drop\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Collection drop is irreversible \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:block-delete-many-empty-filter",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.deleteMany\\s*\\(\\s*\\{\\s*\\}\\s*\\)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "deleteMany({}) with empty filter wipes the entire collection \u2014 blocked by MongoDB shield"
+    },
+    {
+      name: "shield:mongodb:review-delete-many",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.deleteMany\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "deleteMany requires human approval (MongoDB shield)"
+    },
+    {
+      name: "shield:mongodb:review-drop-index",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\.dropIndex\\s*\\(|\\.dropIndexes\\s*\\(",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Index drops affect query performance and require human approval (MongoDB shield)"
+    }
+  ],
+  dangerousWords: ["dropDatabase", "dropCollection", "mongodrop"]
+};
+var postgres_default = {
+  name: "postgres",
+  description: "Protects PostgreSQL databases from destructive AI operations",
+  aliases: ["pg", "postgresql"],
+  smartRules: [
+    {
+      name: "shield:postgres:block-drop-table",
+      tool: "*",
+      conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+      verdict: "block",
+      reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:block-truncate",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:block-drop-column",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+      ],
+      verdict: "block",
+      reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
+    },
+    {
+      name: "shield:postgres:review-grant-revoke",
+      tool: "*",
+      conditions: [
+        { field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }
+      ],
+      verdict: "review",
+      reason: "Permission changes require human approval (Postgres shield)"
+    }
+  ],
+  dangerousWords: ["dropdb", "pg_dropcluster"]
+};
+var project_jail_default = {
+  name: "project-jail",
+  description: "Restricts AI agents from reading sensitive credential files outside the current project",
+  aliases: ["jail"],
+  smartRules: [
+    {
+      name: "shield:project-jail:block-read-ssh",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-env",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading .env files is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-credentials",
+      tool: "bash",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading credential files is blocked by project-jail shield"
+    }
+  ],
+  dangerousWords: []
+};
+var redis_default = {
+  name: "redis",
+  description: "Protects Redis instances from destructive AI operations",
+  aliases: [],
+  smartRules: [
+    {
+      name: "shield:redis:block-flushall",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bFLUSHALL\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "FLUSHALL deletes every key in every database \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:block-flushdb",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bFLUSHDB\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "FLUSHDB deletes all keys in the current database \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:block-config-resetstat",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bCONFIG\\s+RESETSTAT\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "CONFIG RESETSTAT resets server statistics irreversibly \u2014 blocked by Redis shield"
+    },
+    {
+      name: "shield:redis:review-config-set",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bCONFIG\\s+SET\\b",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "CONFIG SET changes live server configuration and requires human approval (Redis shield)"
+    },
+    {
+      name: "shield:redis:review-del-wildcard",
+      tool: "*",
+      conditions: [
+        {
+          field: "command",
+          op: "matches",
+          value: "\\bDEL\\b.*[*?\\[]|redis-cli.*--scan.*\\|.*xargs.*del",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Wildcard key deletion requires human approval (Redis shield)"
+    }
+  ],
+  dangerousWords: ["FLUSHALL", "FLUSHDB"]
+};
+function isShieldVerdict(v) {
+  return v === "allow" || v === "review" || v === "block";
+}
+function validateShieldDefinition(raw) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    return { error: "Shield file is not an object" };
+  }
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) return { error: "Shield file missing 'name'" };
+  if (typeof r.description !== "string") return { error: "Shield file missing 'description'" };
+  if (!Array.isArray(r.aliases)) return { error: "Shield file missing 'aliases' array" };
+  if (!Array.isArray(r.smartRules)) return { error: "Shield file missing 'smartRules' array" };
+  if (!Array.isArray(r.dangerousWords))
+    return { error: "Shield file missing 'dangerousWords' array" };
+  return { ok: r };
+}
+function validateOverrides(raw) {
+  const warnings = [];
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) return { overrides: {}, warnings };
+  const result = {};
+  for (const [shieldName, rules] of Object.entries(raw)) {
+    if (!rules || typeof rules !== "object" || Array.isArray(rules)) continue;
+    const validRules = {};
+    for (const [ruleName, verdict] of Object.entries(rules)) {
+      if (isShieldVerdict(verdict)) {
+        validRules[ruleName] = verdict;
+      } else {
+        warnings.push(
+          `shields.json contains invalid verdict "${String(verdict)}" for ${shieldName}/${ruleName} \u2014 entry ignored. File may be corrupted or tampered with.`
+        );
+      }
+    }
+    if (Object.keys(validRules).length > 0) result[shieldName] = validRules;
+  }
+  return { overrides: result, warnings };
+}
+var BUILTIN_SHIELDS = {
+  [aws_default.name]: aws_default,
+  [bash_safe_default.name]: bash_safe_default,
+  [docker_default.name]: docker_default,
+  [filesystem_default.name]: filesystem_default,
+  [github_default.name]: github_default,
+  [k8s_default.name]: k8s_default,
+  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
+  [mongodb_default.name]: mongodb_default,
+  [postgres_default.name]: postgres_default,
+  [project_jail_default.name]: project_jail_default,
+  [redis_default.name]: redis_default
+};
+function assertBuiltinShieldRegexesAreSafe() {
+  for (const shield of Object.values(BUILTIN_SHIELDS)) {
+    for (const rule of shield.smartRules) {
+      const conditions = rule.conditions ?? [];
+      for (const cond of conditions) {
+        if (cond.op !== "matches" && cond.op !== "notMatches") continue;
+        const pattern = cond.value;
+        if (!pattern) continue;
+        if (!(0, import_safe_regex23.default)(pattern)) {
+          throw new Error(
+            `[node9 engine] Shield '${shield.name}' rule '${rule.name ?? rule.tool}' has unsafe regex: ${pattern}`
+          );
+        }
+      }
+    }
+  }
+}
+assertBuiltinShieldRegexesAreSafe();
+var LOOP_MAX_RECORDS = 500;
+function computeArgsHash(args) {
+  const str = JSON.stringify(args ?? "");
+  return import_crypto2.default.createHash("sha256").update(str).digest("hex").slice(0, 16);
+}
+function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
+  const hash = computeArgsHash(args);
+  const cutoff = now - windowMs;
+  const fresh = records.filter((r) => r.ts >= cutoff);
+  fresh.push({ t: tool, h: hash, ts: now });
+  const count = fresh.filter((r) => r.t === tool && r.h === hash).length;
+  const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
+  return { nextRecords, count, looping: count >= threshold };
+}
+
+// src/shields.ts
+var USER_SHIELDS_DIR = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields");
+function loadUserShields() {
+  const result = {};
+  let entries;
+  try {
+    entries = import_fs2.default.readdirSync(USER_SHIELDS_DIR).filter((f) => f.endsWith(".json"));
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(
+        `[node9] Could not read user shields dir ${USER_SHIELDS_DIR}: ${String(err)}
+`
+      );
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = import_path2.default.join(USER_SHIELDS_DIR, file);
+    try {
+      const raw = JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+      const v = validateShieldDefinition(raw);
+      if ("error" in v) {
+        process.stderr.write(`[node9] ${v.error}: ${filePath}
+`);
+        continue;
+      }
+      result[v.ok.name] = v.ok;
+    } catch (err) {
+      process.stderr.write(`[node9] Failed to load user shield ${file}: ${String(err)}
+`);
+    }
+  }
+  return result;
+}
+function buildSHIELDS() {
+  return { ...BUILTIN_SHIELDS, ...loadUserShields() };
+}
+var SHIELDS = buildSHIELDS();
+function resolveShieldName(input) {
+  const lower = input.toLowerCase();
+  if (SHIELDS[lower]) return lower;
+  for (const [name, def] of Object.entries(SHIELDS)) {
+    if (def.aliases.includes(lower)) return name;
+  }
+  return null;
+}
+function getShield(name) {
+  const resolved = resolveShieldName(name);
+  return resolved ? SHIELDS[resolved] : null;
+}
+var SHIELDS_STATE_FILE = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields.json");
+function readShieldsFile() {
+  try {
+    const raw = import_fs2.default.readFileSync(SHIELDS_STATE_FILE, "utf-8");
+    if (!raw.trim()) return { active: [] };
+    const parsed = JSON.parse(raw);
+    const active = Array.isArray(parsed.active) ? parsed.active.filter(
+      (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
+    ) : [];
+    const { overrides, warnings } = validateOverrides(parsed.overrides);
+    for (const w of warnings) {
+      process.stderr.write(`[node9] Warning: ${w}
+`);
+    }
+    return { active, overrides };
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+`);
+    }
+    return { active: [] };
+  }
+}
+function readActiveShields() {
+  return readShieldsFile().active;
+}
+function readShieldOverrides() {
+  return readShieldsFile().overrides ?? {};
+}
+
+// src/config/index.ts
+var DANGEROUS_WORDS = [
+  "mkfs",
+  // formats/wipes a filesystem partition
+  "shred"
+  // permanently overwrites file contents (unrecoverable)
+];
+var DEFAULT_CONFIG = {
+  version: "1.0",
+  settings: {
+    mode: "standard",
+    autoStartDaemon: true,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
+    enableHookLogDebug: true,
+    approvalTimeoutMs: 12e4,
+    // 120-second auto-deny timeout
+    flightRecorder: true,
+    auditHashArgs: true,
+    approvers: { native: true, browser: false, cloud: false, terminal: true },
+    cloudSyncIntervalHours: 5
+  },
+  policy: {
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
+    dangerousWords: DANGEROUS_WORDS,
+    ignoredTools: [
+      "list_*",
+      "get_*",
+      "read_*",
+      "describe_*",
+      "read",
+      "glob",
+      "grep",
+      "ls",
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
+    ],
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    snapshot: {
+      tools: [
+        "str_replace_based_edit_tool",
+        "write_file",
+        "edit_file",
+        "create_file",
+        "edit",
+        "replace"
+      ],
+      onlyPaths: [],
+      ignorePaths: ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log"]
+    },
+    smartRules: [
+      // ── rm safety (critical — always evaluated first) ──────────────────────
+      {
+        name: "block-rm-rf-home",
+        tool: "bash",
+        conditionMode: "all",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor rm as a shell command (not inside a string arg like a git commit message).
+            value: "(^|&&|\\|\\||;)\\s*rm\\b[^;&|]*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "(~|\\/root(\\/|$)|\\$HOME|\\/home\\/)"
+          }
+        ],
+        verdict: "block",
+        reason: "Recursive delete of home directory is irreversible",
+        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
+      },
+      // ── SQL safety ────────────────────────────────────────────────────────
+      {
+        name: "no-delete-without-where",
+        tool: "*",
+        conditions: [
+          { field: "sql", op: "matches", value: "^(DELETE|UPDATE)\\s", flags: "i" },
+          { field: "sql", op: "notMatches", value: "\\bWHERE\\b", flags: "i" }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
+        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
+      },
+      {
+        name: "review-drop-truncate-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Require a DB CLI in the command so grep/cat/echo of SQL strings don't trigger.
+            value: "(^|&&|\\|\\||;|\\|)\\s*(psql|mysql|sqlite3|sqlplus|cockroach|clickhouse-client|mongo)\\b",
+            flags: "i"
+          },
+          {
+            field: "command",
+            op: "matches",
+            value: "\\b(DROP|TRUNCATE)\\s+(TABLE|DATABASE|SCHEMA|INDEX)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "SQL DDL destructive statement inside a shell command",
+        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
+      },
+      // ── Git safety ────────────────────────────────────────────────────────
+      {
+        name: "review-force-push",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git push --force" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+push[^;&|]*(--force|--force-with-lease|-f\\b)",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Force push rewrites remote history \u2014 confirm this is intentional",
+        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
+      },
+      {
+        name: "review-git-destructive",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor git as a shell command so node -e / python -c scripts containing
+            // "git reset --hard" as a string don't false-positive.
+            value: "(^|&&|\\|\\||;)\\s*git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase\\b|tag\\s+-d|branch\\s+-[dD])",
+            flags: "i"
+          },
+          {
+            field: "command",
+            op: "notMatches",
+            // Exclude recovery ops and routine branch-surgery (--onto) — these are not destructive.
+            value: "\\bgit\\s+rebase\\s+--(abort|continue|skip|onto)\\b",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Destructive git operation \u2014 discards history or working-tree changes",
+        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
+      },
+      // ── Shell safety ──────────────────────────────────────────────────────
+      {
+        name: "review-sudo",
+        tool: "bash",
+        conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
+        conditionMode: "all",
+        verdict: "review",
+        reason: "Command requires elevated privileges",
+        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
+      },
+      {
+        name: "review-curl-pipe-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            // Anchor curl/wget as a shell command so node -e scripts testing this
+            // regex pattern don't self-match as a false positive.
+            value: "(^|&&|\\|\\||;)\\s*(curl|wget)[^|]*\\|\\s*(ba|z|da|fi|c|k)?sh",
+            flags: "i"
+          }
+        ],
+        conditionMode: "all",
+        verdict: "block",
+        reason: "Piping remote script into a shell is a supply-chain attack vector",
+        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
+      }
+    ],
+    dlp: { enabled: true, scanIgnoredTools: true },
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
+    skillPinning: { enabled: false, mode: "warn", roots: [] }
+  },
+  environments: {}
+};
+var ADVISORY_SMART_RULES = [
+  // ── rm safety ─────────────────────────────────────────────────────────────
+  // tool: '*' so they cover bash, shell, run_shell_command, and Gemini's Shell.
+  // Pattern '(^|&&|\|\||;)\s*rm\b' matches rm as a shell command (including in
+  // chained commands like 'cat foo && rm bar') but avoids false-positives on 'docker rm'.
+  {
+    name: "allow-rm-safe-paths",
+    tool: "*",
+    conditionMode: "all",
+    conditions: [
+      { field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" },
+      {
+        field: "command",
+        op: "matches",
+        // Matches known-safe build artifact paths in the command.
+        value: "(node_modules|\\bdist\\b|\\.next|\\bcoverage\\b|\\.cache|\\btmp\\b|\\btemp\\b|\\.DS_Store)(\\/|\\s|$)"
+      }
+    ],
+    verdict: "allow",
+    reason: "Deleting a known-safe build artifact path"
+  },
+  {
+    name: "review-rm",
+    tool: "*",
+    conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
+    verdict: "review",
+    reason: "rm can permanently delete files \u2014 confirm the target path",
+    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
+  },
+  // ── SQL safety (Safe by Default) ──────────────────────────────────────────
+  // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
+  // mcp__postgres__query) with a destructive SQL statement in the 'sql' field.
+  // The postgres shield upgrades these from 'review' → 'block' for stricter teams;
+  // without a shield, users still get a human-approval gate on every destructive op.
+  {
+    name: "review-drop-table-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
+  },
+  {
+    name: "review-truncate-sql",
+    tool: "*",
+    conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
+    verdict: "review",
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
+  },
+  {
+    name: "review-drop-column-sql",
+    tool: "*",
+    conditions: [
+      { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
+    ],
+    verdict: "review",
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
   }
-}
-var SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
-var DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
-function scanArgsForDynamicExec(args, startIdx) {
-  let hasCmdSubst = false;
-  let hasParamExp = false;
-  let hasCurl = false;
-  for (let i = startIdx; i < args.length; i++) {
-    syntax.Walk(args[i], (inner) => {
-      if (!inner) return false;
-      const inn = inner;
-      const it = syntax.NodeType(inn);
-      if (it === "CmdSubst") hasCmdSubst = true;
-      if (it === "ParamExp") hasParamExp = true;
-      if (it === "Lit" && DOWNLOAD_CMDS.has(inn.Value?.toLowerCase())) hasCurl = true;
-      return true;
-    });
+];
+var cachedConfig = null;
+function getCredentials() {
+  const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
+  if (process.env.NODE9_API_KEY) {
+    return {
+      apiKey: process.env.NODE9_API_KEY,
+      apiUrl: process.env.NODE9_API_URL || DEFAULT_API_URL
+    };
   }
-  if (hasCmdSubst && hasCurl) return "block";
-  if (hasCmdSubst || hasParamExp) return "review";
-  return null;
-}
-function detectDangerousShellExec(command) {
   try {
-    const f = sharedParser.Parse(command, "cmd");
-    let result = null;
-    syntax.Walk(f, (node) => {
-      if (!node || result === "block") return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const args = n.Args || [];
-      if (args.length === 0) return true;
-      const firstParts = args[0].Parts || [];
-      if (firstParts.length !== 1 || syntax.NodeType(firstParts[0]) !== "Lit") return true;
-      const cmdName = firstParts[0].Value?.toLowerCase() ?? "";
-      if (cmdName === "eval") {
-        const v = scanArgsForDynamicExec(args, 1);
-        if (v === "block" || v === "review" && result === null) result = v;
-      } else if (SHELL_INTERPRETERS.has(cmdName)) {
-        for (let i = 1; i < args.length - 1; i++) {
-          const flagParts = args[i].Parts || [];
-          if (flagParts.length !== 1 || syntax.NodeType(flagParts[0]) !== "Lit" || flagParts[0].Value !== "-c")
-            continue;
-          const v = scanArgsForDynamicExec(args, i + 1);
-          if (v === "block" || v === "review" && result === null) result = v;
-          break;
-        }
-      }
-      return true;
-    });
-    return result;
-  } catch {
-    return null;
-  }
-}
-function evaluateSmartConditions(args, rule) {
-  if (!rule.conditions || rule.conditions.length === 0) return true;
-  const mode = rule.conditionMode ?? "all";
-  const results = rule.conditions.map((cond) => {
-    const rawVal = getNestedValue(args, cond.field);
-    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
-    switch (cond.op) {
-      case "exists":
-        return val !== null && val !== "";
-      case "notExists":
-        return val === null || val === "";
-      case "contains":
-        return val !== null && cond.value ? val.includes(cond.value) : false;
-      case "notContains":
-        return val !== null && cond.value ? !val.includes(cond.value) : true;
-      case "matches": {
-        if (val === null || !cond.value) return false;
-        const reM = getCompiledRegex(cond.value, cond.flags ?? "");
-        if (!reM) return false;
-        return reM.test(val);
+    const credPath = import_path3.default.join(import_os3.default.homedir(), ".node9", "credentials.json");
+    if (import_fs3.default.existsSync(credPath)) {
+      const creds = JSON.parse(import_fs3.default.readFileSync(credPath, "utf-8"));
+      const profileName = process.env.NODE9_PROFILE || "default";
+      const profile = creds[profileName];
+      if (profile?.apiKey) {
+        return {
+          apiKey: profile.apiKey,
+          apiUrl: profile.apiUrl || DEFAULT_API_URL
+        };
       }
-      case "notMatches": {
-        if (!cond.value) return false;
-        if (val === null) return true;
-        const reN = getCompiledRegex(cond.value, cond.flags ?? "");
-        if (!reN) return false;
-        return !reN.test(val);
+      if (creds.apiKey) {
+        return {
+          apiKey: creds.apiKey,
+          apiUrl: creds.apiUrl || DEFAULT_API_URL
+        };
       }
-      case "matchesGlob":
-        return val !== null && cond.value ? import_picomatch.default.isMatch(val, cond.value) : false;
-      case "notMatchesGlob":
-        return val !== null && cond.value ? !import_picomatch.default.isMatch(val, cond.value) : false;
-      default:
-        return false;
     }
-  });
-  return mode === "any" ? results.some((r) => r) : results.every((r) => r);
-}
-function extractShellCommand(toolName, args, toolInspection) {
-  const patterns = Object.keys(toolInspection);
-  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
-  if (!matchingPattern) return null;
-  const fieldPath = toolInspection[matchingPattern];
-  const value = getNestedValue(args, fieldPath);
-  return typeof value === "string" ? value : null;
-}
-function isSqlTool(toolName, toolInspection) {
-  const patterns = Object.keys(toolInspection);
-  const matchingPattern = patterns.find((p) => matchesPattern(toolName, p));
-  if (!matchingPattern) return false;
-  const fieldName = toolInspection[matchingPattern];
-  return fieldName === "sql" || fieldName === "query";
-}
-var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
-function analyzeShellCommand(command) {
-  const actions = [];
-  const paths = [];
-  const allTokens = [];
-  const addToken = (token) => {
-    const lower = token.toLowerCase();
-    allTokens.push(lower);
-    if (lower.includes("/")) allTokens.push(...lower.split("/").filter(Boolean));
-    if (lower.startsWith("-")) allTokens.push(lower.replace(/^-+/, ""));
-  };
-  try {
-    const f = sharedParser.Parse(command, "cmd");
-    syntax.Walk(f, (node) => {
-      if (!node) return false;
-      const n = node;
-      if (syntax.NodeType(n) !== "CallExpr") return true;
-      const wordValues = (n.Args || []).map((arg) => {
-        return (arg.Parts || []).map((p) => (p.Value ?? "").replace(/\\(.)/g, "$1")).join("");
-      }).filter((s) => s.length > 0);
-      if (wordValues.length > 0) {
-        const cmd = wordValues[0].toLowerCase();
-        if (!actions.includes(cmd)) actions.push(cmd);
-        wordValues.forEach((w) => addToken(w));
-        wordValues.slice(1).forEach((w) => {
-          if (!w.startsWith("-")) paths.push(w);
-        });
-      }
-      return true;
-    });
   } catch {
   }
-  if (allTokens.length === 0) {
-    const normalized = command.replace(/\\(.)/g, "$1");
-    const sanitized = normalized.replace(/["'<>]/g, " ");
-    const segments = sanitized.split(/[|;&]|\$\(|\)|`/);
-    segments.forEach((segment) => {
-      const tokens = segment.trim().split(/\s+/).filter(Boolean);
-      if (tokens.length > 0) {
-        const action = tokens[0].toLowerCase();
-        if (!actions.includes(action)) actions.push(action);
-        tokens.forEach((t) => {
-          addToken(t);
-          if (t !== tokens[0] && !t.startsWith("-")) {
-            if (!paths.includes(t)) paths.push(t);
-          }
-        });
-      }
-    });
-  }
-  return { actions, paths, allTokens };
+  return null;
 }
-async function evaluatePolicy(toolName, args, agent, cwd) {
-  const config = getConfig();
-  const wouldBeIgnored = matchesPattern(toolName, config.policy.ignoredTools);
-  if (config.policy.dlp.enabled && (!wouldBeIgnored || config.policy.dlp.scanIgnoredTools)) {
-    const dlpMatch = args !== void 0 ? scanArgs(args) : null;
-    if (dlpMatch) {
-      return {
-        decision: dlpMatch.severity,
-        blockedByLabel: `DLP: ${dlpMatch.patternName}`,
-        reason: `${dlpMatch.patternName} detected in ${dlpMatch.fieldPath}`
-      };
+function getActiveEnvironment(config) {
+  const env = config.settings.environment || process.env.NODE_ENV || "development";
+  return config.environments[env] ?? null;
+}
+function getConfig(cwd) {
+  if (!cwd && cachedConfig) return cachedConfig;
+  const globalPath = import_path3.default.join(import_os3.default.homedir(), ".node9", "config.json");
+  const projectPath = import_path3.default.join(cwd ?? process.cwd(), "node9.config.json");
+  const globalConfig = tryLoadConfig(globalPath);
+  const projectConfig = tryLoadConfig(projectPath);
+  const mergedSettings = {
+    ...DEFAULT_CONFIG.settings,
+    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+  };
+  const mergedPolicy = {
+    sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
+    dangerousWords: [...DEFAULT_CONFIG.policy.dangerousWords],
+    ignoredTools: [...DEFAULT_CONFIG.policy.ignoredTools],
+    toolInspection: { ...DEFAULT_CONFIG.policy.toolInspection },
+    smartRules: [...DEFAULT_CONFIG.policy.smartRules],
+    snapshot: {
+      tools: [...DEFAULT_CONFIG.policy.snapshot.tools],
+      onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
+      ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
+    },
+    dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
+    skillPinning: {
+      ...DEFAULT_CONFIG.policy.skillPinning,
+      roots: [...DEFAULT_CONFIG.policy.skillPinning.roots]
     }
-  }
-  if (wouldBeIgnored) return { decision: "allow" };
-  if (config.policy.smartRules.length > 0) {
-    const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
-    );
-    if (matchedRule) {
-      if (matchedRule.verdict === "allow")
-        return { decision: "allow", ruleName: matchedRule.name ?? matchedRule.tool };
-      return {
-        decision: matchedRule.verdict,
-        blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
-        reason: matchedRule.reason,
-        tier: 2,
-        ruleName: matchedRule.name ?? matchedRule.tool,
-        ...(matchedRule.description ?? matchedRule.reason) && {
-          ruleDescription: matchedRule.description ?? matchedRule.reason
-        },
-        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
-          dependsOnStatePredicates: matchedRule.dependsOnState
-        },
-        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
-          recoveryCommand: matchedRule.recoveryCommand
-        }
-      };
+  };
+  const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
+  const applyLayer = (source) => {
+    if (!source) return;
+    const s = source.settings || {};
+    const p = source.policy || {};
+    if (s.mode !== void 0) mergedSettings.mode = s.mode;
+    if (s.autoStartDaemon !== void 0) mergedSettings.autoStartDaemon = s.autoStartDaemon;
+    if (s.enableUndo !== void 0) mergedSettings.enableUndo = s.enableUndo;
+    if (s.enableHookLogDebug !== void 0)
+      mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
+    if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
+    if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
+      mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
+    if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.cloudSyncIntervalHours !== void 0)
+      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
+    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
+    if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
+    if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
+    if (p.toolInspection)
+      mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
+    if (p.smartRules) {
+      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
+      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
+      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
+      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
+      const filteredNonBlocks = defaultNonBlocks.filter(
+        (r) => !r.name || !userRuleNames.has(r.name)
+      );
+      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
     }
-  }
-  let allTokens = [];
-  let pathTokens = [];
-  const shellCommand = extractShellCommand(toolName, args, config.policy.toolInspection);
-  if (shellCommand) {
-    const analyzed = analyzeShellCommand(shellCommand);
-    allTokens = analyzed.allTokens;
-    pathTokens = analyzed.paths;
-    const INLINE_EXEC_PATTERN = /^(python3?|bash|sh|zsh|perl|ruby|node|php|lua)\s+(-c|-e|-eval)\s/i;
-    if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
-      return {
-        decision: "review",
-        blockedByLabel: "Node9 Standard (Inline Execution)",
-        ruleDescription: "The AI is running code directly from the command line. Review the full script below before allowing it to execute.",
-        tier: 3
-      };
+    if (p.snapshot) {
+      const s2 = p.snapshot;
+      if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
+      if (s2.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s2.onlyPaths);
+      if (s2.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s2.ignorePaths);
     }
-    const evalVerdict = detectDangerousShellExec(shellCommand);
-    if (evalVerdict === "block") {
-      return {
-        decision: "block",
-        blockedByLabel: "Node9: Eval Remote Execution",
-        reason: "eval of remote download (curl/wget) is a near-certain supply-chain attack",
-        ruleDescription: "The AI is downloading a script from the internet and running it immediately without inspection. This is a common way malware gets installed.",
-        tier: 3
-      };
+    if (p.dlp) {
+      const d = p.dlp;
+      if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
+      if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
-    if (evalVerdict === "review") {
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Eval Dynamic Content",
-        reason: "eval of dynamic content (variable or subshell expansion) requires approval",
-        ruleDescription: "The AI is running a command that includes a variable or subshell expansion. The actual command executed at runtime may differ from what is shown here.",
-        tier: 3
-      };
+    if (p.loopDetection) {
+      const ld = p.loopDetection;
+      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
+      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
+      if (ld.windowSeconds !== void 0)
+        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every(isTrustedHost);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
+    if (p.skillPinning && typeof p.skillPinning === "object") {
+      const sp = p.skillPinning;
+      if (sp.enabled !== void 0) mergedPolicy.skillPinning.enabled = sp.enabled;
+      if (sp.mode !== void 0) mergedPolicy.skillPinning.mode = sp.mode;
+      if (Array.isArray(sp.roots)) {
+        for (const r of sp.roots) {
+          if (typeof r === "string" && r.length > 0) mergedPolicy.skillPinning.roots.push(r);
         }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
       }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
+    }
+    const envs = source.environments || {};
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === "object") {
+        const ec = envConfig;
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          // Validate field types before merging — do not blindly spread user input
+          ...typeof ec.requireApproval === "boolean" ? { requireApproval: ec.requireApproval } : {}
         };
       }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
-    const firstToken = analyzed.actions[0] ?? "";
-    if (["ssh", "scp", "rsync"].includes(firstToken)) {
-      const rawTokens = shellCommand.trim().split(/\s+/);
-      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
-      allTokens.push(...sshHosts);
     }
-    if (firstToken && import_path8.default.posix.isAbsolute(firstToken)) {
-      const prov = checkProvenance(firstToken, cwd);
-      if (prov.trustLevel === "suspect") {
-        return {
-          decision: config.settings.mode === "strict" ? "block" : "review",
-          blockedByLabel: "Node9: Suspect Binary",
-          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
-          tier: 3
-        };
+  };
+  applyLayer(globalConfig);
+  applyLayer(projectConfig);
+  {
+    const cacheFile = import_path3.default.join(import_os3.default.homedir(), ".node9", "rules-cache.json");
+    try {
+      const raw = JSON.parse(import_fs3.default.readFileSync(cacheFile, "utf-8"));
+      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
+        applyLayer({ policy: { smartRules: raw.rules } });
       }
-      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
-        return {
-          decision: "review",
-          blockedByLabel: "Node9: Unknown Binary (strict mode)",
-          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
-          tier: 3
-        };
+    } catch {
+    }
+  }
+  const shieldOverrides = readShieldOverrides();
+  for (const shieldName of readActiveShields()) {
+    const shield = getShield(shieldName);
+    if (!shield) continue;
+    const existingRuleNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+    const ruleOverrides = shieldOverrides[shieldName] ?? {};
+    for (const rule of shield.smartRules) {
+      if (!existingRuleNames.has(rule.name)) {
+        const overrideVerdict = rule.name ? ruleOverrides[rule.name] : void 0;
+        mergedPolicy.smartRules.push(
+          overrideVerdict !== void 0 ? { ...rule, verdict: overrideVerdict } : rule
+        );
       }
     }
-    if (isSqlTool(toolName, config.policy.toolInspection)) {
-      allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
+    const existingWords = new Set(mergedPolicy.dangerousWords);
+    for (const word of shield.dangerousWords) {
+      if (!existingWords.has(word)) mergedPolicy.dangerousWords.push(word);
+    }
+  }
+  const existingAdvisoryNames = new Set(mergedPolicy.smartRules.map((r) => r.name));
+  for (const rule of ADVISORY_SMART_RULES) {
+    if (!existingAdvisoryNames.has(rule.name)) mergedPolicy.smartRules.push(rule);
+  }
+  if (process.env.NODE9_MODE) mergedSettings.mode = process.env.NODE9_MODE;
+  mergedPolicy.sandboxPaths = [...new Set(mergedPolicy.sandboxPaths)];
+  mergedPolicy.dangerousWords = [...new Set(mergedPolicy.dangerousWords)];
+  mergedPolicy.ignoredTools = [...new Set(mergedPolicy.ignoredTools)];
+  mergedPolicy.skillPinning.roots = [...new Set(mergedPolicy.skillPinning.roots)];
+  mergedPolicy.snapshot.tools = [...new Set(mergedPolicy.snapshot.tools)];
+  mergedPolicy.snapshot.onlyPaths = [...new Set(mergedPolicy.snapshot.onlyPaths)];
+  mergedPolicy.snapshot.ignorePaths = [...new Set(mergedPolicy.snapshot.ignorePaths)];
+  const result = {
+    settings: mergedSettings,
+    policy: mergedPolicy,
+    environments: mergedEnvironments
+  };
+  if (!cwd) cachedConfig = result;
+  return result;
+}
+function tryLoadConfig(filePath) {
+  if (!import_fs3.default.existsSync(filePath)) return null;
+  let raw;
+  try {
+    raw = JSON.parse(import_fs3.default.readFileSync(filePath, "utf-8"));
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Failed to parse ${filePath}
+   ${msg}
+   \u2192 Using default config
+
+`
+    );
+    return null;
+  }
+  const SUPPORTED_VERSION = "1.0";
+  const SUPPORTED_MAJOR = SUPPORTED_VERSION.split(".")[0];
+  const fileVersion = raw?.version;
+  if (fileVersion !== void 0) {
+    const vStr = String(fileVersion);
+    const fileMajor = vStr.split(".")[0];
+    if (fileMajor !== SUPPORTED_MAJOR) {
+      process.stderr.write(
+        `
+\u274C  Node9: Config at ${filePath} has version "${vStr}" \u2014 major version is incompatible with this release (expected "${SUPPORTED_VERSION}"). Config will not be loaded.
+
+`
+      );
+      return null;
+    } else if (vStr !== SUPPORTED_VERSION) {
+      process.stderr.write(
+        `
+\u26A0\uFE0F  Node9: Config at ${filePath} declares version "${vStr}" \u2014 expected "${SUPPORTED_VERSION}". Continuing with best-effort parsing.
+
+`
+      );
+    }
+  }
+  const { sanitized, error } = sanitizeConfig(raw);
+  if (error) {
+    process.stderr.write(
+      `
+\u26A0\uFE0F  Node9: Invalid config at ${filePath}:
+${error.replace("Invalid config:\n", "")}
+   \u2192 Invalid fields ignored, using defaults for those keys
+
+`
+    );
+  }
+  return sanitized;
+}
+
+// src/policy/index.ts
+var import_picomatch2 = __toESM(require("picomatch"));
+
+// src/dlp.ts
+var import_fs4 = __toESM(require("fs"));
+var import_path4 = __toESM(require("path"));
+function scanFilePath(filePath, cwd = process.cwd()) {
+  if (!filePath) return null;
+  let resolved;
+  try {
+    const absolute = import_path4.default.resolve(cwd, filePath);
+    resolved = import_fs4.default.realpathSync.native(absolute);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT" || code === "ENOTDIR") {
+      resolved = import_path4.default.resolve(cwd, filePath);
+    } else {
+      return sensitivePathMatch(filePath);
     }
-  } else {
-    allTokens = tokenize2(toolName);
-    if (args && typeof args === "object") {
-      const flattenedArgs = JSON.stringify(args).toLowerCase();
-      const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
-      allTokens.push(...extraTokens);
+  }
+  return matchSensitivePath(resolved, filePath);
+}
+
+// src/utils/provenance.ts
+var import_fs5 = __toESM(require("fs"));
+var import_path5 = __toESM(require("path"));
+var import_os4 = __toESM(require("os"));
+var SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+var MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+var USER_PREFIXES = [
+  import_path5.default.join(import_os4.default.homedir(), "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".local", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".cargo", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".npm-global", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".volta", "bin")
+];
+var SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+function findInPath(cmd) {
+  if (import_path5.default.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(import_path5.default.delimiter)) {
+    if (!dir) continue;
+    const full = import_path5.default.join(dir, cmd);
+    try {
+      import_fs5.default.accessSync(full, import_fs5.default.constants.X_OK);
+      return full;
+    } catch {
     }
   }
-  const isManual = agent === "Terminal";
-  if (isManual) {
-    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
-    const hasSystemDisaster = allTokens.some(
-      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
-    );
-    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
-    if (hasSystemDisaster || isRootWipe) {
-      return { decision: "review", blockedByLabel: "Manual Nuclear Protection", tier: 3 };
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = import_os4.default.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (import_path5.default.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
     }
-    return { decision: "allow" };
   }
-  if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
-    const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
-    if (allInSandbox) return { decision: "allow" };
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = import_fs5.default.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
   }
-  let matchedDangerousWord;
-  const isDangerous = allTokens.some(
-    (token) => config.policy.dangerousWords.some((word) => {
-      const w = word.toLowerCase();
-      const hit = token === w || (() => {
-        try {
-          return new RegExp(`\\b${w}\\b`, "i").test(token);
-        } catch {
-          return false;
-        }
-      })();
-      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
-      return hit;
-    })
-  );
-  if (isDangerous) {
-    let matchedField;
-    if (matchedDangerousWord && args && typeof args === "object" && !Array.isArray(args)) {
-      const obj = args;
-      for (const [key, value] of Object.entries(obj)) {
-        if (typeof value === "string") {
-          try {
-            if (new RegExp(
-              `\\b${matchedDangerousWord.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`,
-              "i"
-            ).test(value)) {
-              matchedField = key;
-              break;
-            }
-          } catch {
-          }
-        }
-      }
+  try {
+    const stat = import_fs5.default.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
     }
+  } catch {
     return {
-      decision: "review",
-      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`,
-      matchedWord: matchedDangerousWord,
-      matchedField,
-      ruleDescription: `This command contains a flagged keyword ("${matchedDangerousWord}") from your node9 config. Review it before allowing.`,
-      tier: 6
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
     };
   }
-  if (config.settings.mode === "strict") {
-    const envConfig = getActiveEnvironment(config);
-    if (envConfig?.requireApproval === false) return { decision: "allow" };
-    return { decision: "review", blockedByLabel: "Global Config (Strict Mode Active)", tier: 7 };
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+
+// src/auth/trusted-hosts.ts
+var import_fs6 = __toESM(require("fs"));
+var import_path6 = __toESM(require("path"));
+var import_os5 = __toESM(require("os"));
+function getTrustedHostsPath() {
+  return import_path6.default.join(import_os5.default.homedir(), ".node9", "trusted-hosts.json");
+}
+function readTrustedHosts() {
+  try {
+    const raw = import_fs6.default.readFileSync(getTrustedHostsPath(), "utf8");
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
+  } catch {
+    return [];
   }
-  return { decision: "allow" };
 }
-function isIgnoredTool(toolName) {
+var _cache = null;
+var CACHE_TTL_MS = 5e3;
+function getFileMtime() {
+  try {
+    return import_fs6.default.statSync(getTrustedHostsPath()).mtimeMs;
+  } catch {
+    return 0;
+  }
+}
+function getCachedHosts() {
+  const now = Date.now();
+  if (_cache && now < _cache.expiry) {
+    const mtime = getFileMtime();
+    if (mtime === _cache.mtime) return _cache.hosts;
+  }
+  const hosts = readTrustedHosts();
+  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
+  return hosts;
+}
+function normalizeHost(raw) {
+  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
+}
+function isTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  return getCachedHosts().some((entry) => {
+    const entryHost = entry.host.toLowerCase();
+    if (entryHost.startsWith("*.")) {
+      const domain = entryHost.slice(2);
+      return normalized.endsWith("." + domain);
+    }
+    return normalized === entryHost;
+  });
+}
+
+// src/policy/index.ts
+async function evaluatePolicy2(toolName, args, agent, cwd) {
   const config = getConfig();
-  return matchesPattern(toolName, config.policy.ignoredTools);
+  const activeEnvironment = getActiveEnvironment(config) ?? void 0;
+  return evaluatePolicy(
+    config,
+    toolName,
+    args,
+    { agent, cwd, activeEnvironment },
+    { checkProvenance, isTrustedHost }
+  );
+}
+function isIgnoredTool2(toolName) {
+  return isIgnoredTool(toolName, getConfig());
 }
 
 // src/auth/state.ts
 var import_fs7 = __toESM(require("fs"));
-var import_path9 = __toESM(require("path"));
+var import_path7 = __toESM(require("path"));
 var import_os6 = __toESM(require("os"));
-var PAUSED_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "trust.json");
+var PAUSED_FILE = import_path7.default.join(import_os6.default.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = import_path7.default.join(import_os6.default.homedir(), ".node9", "trust.json");
 function extractCommandPattern(toolName, args) {
   const lower = toolName.toLowerCase();
   if (lower !== "bash" && lower !== "execute_bash" && lower !== "shell") return void 0;
@@ -2486,7 +3240,7 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = import_path9.default.dirname(filePath);
+  const dir = import_path7.default.dirname(filePath);
   if (!import_fs7.default.existsSync(dir)) import_fs7.default.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${import_os6.default.hostname()}.${process.pid}.tmp`;
   import_fs7.default.writeFileSync(tmpPath, data, options);
@@ -2541,7 +3295,7 @@ function writeTrustSession(toolName, durationMs, args) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = import_path9.default.join(import_os6.default.homedir(), ".node9", "decisions.json");
+    const file = import_path7.default.join(import_os6.default.homedir(), ".node9", "decisions.json");
     if (!import_fs7.default.existsSync(file)) return null;
     const decisions = JSON.parse(import_fs7.default.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
@@ -2554,10 +3308,10 @@ function getPersistentDecision(toolName) {
 // src/auth/daemon.ts
 var import_fs8 = __toESM(require("fs"));
 var import_net = __toESM(require("net"));
-var import_path10 = __toESM(require("path"));
+var import_path8 = __toESM(require("path"));
 var import_os7 = __toESM(require("os"));
 var import_child_process = require("child_process");
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path10.default.join(import_os7.default.tmpdir(), "node9-activity.sock");
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path8.default.join(import_os7.default.tmpdir(), "node9-activity.sock");
 function notifyActivitySocket(data) {
   return new Promise((resolve) => {
     try {
@@ -2590,7 +3344,7 @@ var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function getInternalToken() {
   try {
-    const pidFile = import_path10.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+    const pidFile = import_path8.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
     if (!import_fs8.default.existsSync(pidFile)) return null;
     const data = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
@@ -2600,7 +3354,7 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = import_path10.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+  const pidFile = import_path8.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
   if (import_fs8.default.existsSync(pidFile)) {
     let pid;
     let port;
@@ -2773,10 +3527,10 @@ var import_crypto3 = require("crypto");
 
 // src/ui/native.ts
 var import_child_process2 = require("child_process");
-var import_path12 = __toESM(require("path"));
+var import_path10 = __toESM(require("path"));
 
 // src/context-sniper.ts
-var import_path11 = __toESM(require("path"));
+var import_path9 = __toESM(require("path"));
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -2844,7 +3598,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = import_path11.default.basename(editFilePath);
+        editFileName = import_path9.default.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -2899,7 +3653,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? import_path12.default.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? import_path10.default.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -3100,7 +3854,7 @@ init_audit();
 // src/auth/cloud.ts
 var import_fs9 = __toESM(require("fs"));
 var import_os8 = __toESM(require("os"));
-var import_path13 = __toESM(require("path"));
+var import_path11 = __toESM(require("path"));
 init_audit();
 var DLP_SAMPLE_MAX_LEN = 200;
 var DLP_PATTERN_MAX_LEN = 100;
@@ -3177,7 +3931,7 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPol
   let ciContext;
   if (process.env.CI) {
     try {
-      const ciContextPath = import_path13.default.join(import_os8.default.homedir(), ".node9", "ci-context.json");
+      const ciContextPath = import_path11.default.join(import_os8.default.homedir(), ".node9", "ci-context.json");
       const stats = import_fs9.default.statSync(ciContextPath);
       if (stats.size > 1e4) throw new Error("ci-context.json exceeds 10 KB");
       const raw = import_fs9.default.readFileSync(ciContextPath, "utf8");
@@ -3293,16 +4047,10 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 
 // src/loop-detector.ts
 var import_fs10 = __toESM(require("fs"));
-var import_path14 = __toESM(require("path"));
+var import_path12 = __toESM(require("path"));
 var import_os9 = __toESM(require("os"));
-var import_crypto2 = __toESM(require("crypto"));
 function loopStateFile() {
-  return import_path14.default.join(import_os9.default.homedir(), ".node9", "loop-state.json");
-}
-var MAX_RECORDS = 500;
-function computeArgsHash(args) {
-  const str = JSON.stringify(args ?? "");
-  return import_crypto2.default.createHash("sha256").update(str).digest("hex").slice(0, 16);
+  return import_path12.default.join(import_os9.default.homedir(), ".node9", "loop-state.json");
 }
 function readState() {
   try {
@@ -3316,7 +4064,7 @@ function readState() {
   }
 }
 function writeState(records) {
-  const dir = import_path14.default.dirname(loopStateFile());
+  const dir = import_path12.default.dirname(loopStateFile());
   if (!import_fs10.default.existsSync(dir)) import_fs10.default.mkdirSync(dir, { recursive: true });
   const tmpPath = `${loopStateFile()}.${import_os9.default.hostname()}.${process.pid}.tmp`;
   import_fs10.default.writeFileSync(tmpPath, JSON.stringify(records));
@@ -3324,14 +4072,9 @@ function writeState(records) {
 }
 function recordAndCheck(tool, args, threshold = 3, windowMs = 12e4) {
   try {
-    const hash = computeArgsHash(args);
-    const now = Date.now();
-    const cutoff = now - windowMs;
-    const records = readState().filter((r) => r.ts >= cutoff);
-    records.push({ t: tool, h: hash, ts: now });
-    const count = records.filter((r) => r.t === tool && r.h === hash).length;
-    writeState(records.slice(-MAX_RECORDS));
-    return { looping: count >= threshold, count };
+    const result = evaluateLoopWindow(readState(), tool, args, threshold, windowMs, Date.now());
+    writeState(result.nextRecords);
+    return { looping: result.looping, count: result.count };
   } catch {
     return { looping: false, count: 0 };
   }
@@ -3464,7 +4207,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
+  if (config.policy.dlp.enabled && (!isIgnoredTool2(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
     const dlpMatch = (filePath ? scanFilePath(filePath) : null) ?? scanArgs(args);
@@ -3514,8 +4257,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
   }
   if (isObserveMode) {
-    if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+    if (!isIgnoredTool2(toolName)) {
+      const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       const wouldBlock = policyResult.decision === "block";
       if (!isManual)
         appendLocalAudit(
@@ -3539,8 +4282,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     return { approved: true, checkedBy: "audit" };
   }
   if (config.settings.mode === "audit") {
-    if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+    if (!isIgnoredTool2(toolName)) {
+      const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
@@ -3550,7 +4293,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!taintWarning && !isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool2(toolName)) {
     const ld = config.policy.loopDetection;
     if (ld.enabled) {
       const loopResult = recordAndCheck(toolName, args, ld.threshold, ld.windowSeconds * 1e3);
@@ -3568,7 +4311,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+    const policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "local-policy", creds, meta);