@node9/proxy 1.16.0 → 1.18.0

package/dist/index.js

@@ -110,6 +110,7 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
     ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
+    sessionId: meta?.sessionId,
     hostname: import_os.default.hostname(),
     cwd: process.cwd()
   });
@@ -2088,13 +2089,6 @@ var k8s_default = {
   ],
   dangerousWords: []
 };
-var mcp_tool_gating_default = {
-  name: "mcp-tool-gating",
-  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
-  aliases: ["mcp-gating", "mcp-tools"],
-  smartRules: [],
-  dangerousWords: []
-};
 var mongodb_default = {
   name: "mongodb",
   description: "Protects MongoDB databases from destructive AI operations",
@@ -2400,7 +2394,6 @@ var BUILTIN_SHIELDS = {
   [filesystem_default.name]: filesystem_default,
   [github_default.name]: github_default,
   [k8s_default.name]: k8s_default,
-  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
   [mongodb_default.name]: mongodb_default,
   [postgres_default.name]: postgres_default,
   [project_jail_default.name]: project_jail_default,
@@ -2929,6 +2922,12 @@ function getConfig(cwd) {
       if (Array.isArray(raw.rules) && raw.rules.length > 0) {
         applyLayer({ policy: { smartRules: raw.rules } });
       }
+      if (raw.panicMode === true) {
+        mergedSettings.panicMode = true;
+      }
+      if (raw.shadowMode === true) {
+        mergedSettings.mode = "observe";
+      }
     } catch {
     }
   }
@@ -3866,6 +3865,12 @@ var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
   "audit-mode",
   "local-policy",
   "smart-rule-block",
+  // Smart-rule block was downgraded to review because the daemon was
+  // running and we're not in CI. The block attempt is still recorded;
+  // the user got a popup. Distinct from 'smart-rule-block' so the
+  // dashboard can show "block rule overridden" separately from a hard
+  // block that fired with no human in the loop.
+  "smart-rule-block-override",
   "persistent",
   "trust",
   "observe-mode",
@@ -3886,7 +3891,7 @@ function validateApiUrl(raw) {
   }
   return null;
 }
-function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false) {
+function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false, riskMetadata) {
   const validated = validateApiUrl(creds.apiUrl);
   if (!validated) {
     try {
@@ -3903,6 +3908,10 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, contai
   const dlpSample = dlpInfo && typeof dlpInfo.redactedSample === "string" ? dlpInfo.redactedSample.slice(0, DLP_SAMPLE_MAX_LEN) : void 0;
   const dlpPattern = dlpInfo && typeof dlpInfo.pattern === "string" ? dlpInfo.pattern.slice(0, DLP_PATTERN_MAX_LEN) : void 0;
   const safeCheckedBy = KNOWN_CHECKED_BY.has(checkedBy) ? checkedBy : "unknown";
+  const cleanedRiskMetadata = riskMetadata ? Object.fromEntries(
+    Object.entries(riskMetadata).filter(([, v]) => typeof v === "string" && v.length > 0)
+  ) : void 0;
+  const hasRiskMetadata = cleanedRiskMetadata && Object.keys(cleanedRiskMetadata).length > 0;
   return fetch(`${validated.toString().replace(/\/$/, "")}/audit`, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
@@ -3911,6 +3920,13 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, contai
       args: safeArgs,
       checkedBy: safeCheckedBy,
       ...dlpInfo && { dlpPattern, dlpSample },
+      ...hasRiskMetadata && { riskMetadata: cleanedRiskMetadata },
+      // session_id (Claude Code + Gemini CLI) groups all audit rows from one
+      // agent run; transcript_path is the authoritative pointer to the
+      // session log (survives Gemini resume drift). Both optional —
+      // unsupported agents (MCP-mediated) leave them undefined.
+      ...meta?.sessionId && { runId: meta.sessionId },
+      ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
@@ -3961,6 +3977,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPol
       body: JSON.stringify({
         toolName,
         args,
+        // See auditLocalAllow above for the rationale on these two fields.
+        ...meta?.sessionId && { runId: meta.sessionId },
+        ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
@@ -4133,15 +4152,18 @@ async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
     const actId = (0, import_crypto3.randomUUID)();
     const actTs = Date.now();
+    const stripAnsi = (s) => s.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "");
+    const sanitizedAgent = meta?.agent ? stripAnsi(meta.agent).slice(0, 80) : void 0;
+    const sanitizedMcpServer = meta?.mcpServer ? stripAnsi(meta.mcpServer).slice(0, 40) : void 0;
     const socketOk = await notifyActivity({
       id: actId,
       ts: actTs,
       tool: toolName,
       args,
       status: "pending",
-      // Strip ANSI escape sequences — agent name comes from caller-supplied metadata
-      // and may be displayed in a terminal (node9 tail/watch), enabling injection.
-      agent: meta?.agent ? meta.agent.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80) : void 0
+      agent: sanitizedAgent,
+      mcpServer: sanitizedMcpServer,
+      sessionId: meta?.sessionId
     });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
       ...options,
@@ -4159,7 +4181,10 @@ async function authorizeHeadless(toolName, args, meta, options) {
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel,
         ruleHit: result.ruleHit,
-        observeWouldBlock: result.observeWouldBlock
+        observeWouldBlock: result.observeWouldBlock,
+        agent: sanitizedAgent,
+        mcpServer: sanitizedMcpServer,
+        sessionId: meta?.sessionId
       });
     }
     return result;
@@ -4179,9 +4204,9 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   };
   if (isTestEnv2) {
     approvers.native = false;
-    approvers.browser = false;
     approvers.terminal = false;
   }
+  approvers.browser = false;
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
     appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
@@ -4311,10 +4336,24 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    const policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
+    let policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
+    if (config.settings.panicMode && policyResult.decision === "review") {
+      policyResult = {
+        ...policyResult,
+        decision: "block",
+        blockedByLabel: "\u{1F6A8} Panic mode (org policy)",
+        reason: "Workspace is in panic mode \u2014 all review-verdict actions are blocked. Contact your admin to disable panic mode in the Node9 dashboard."
+      };
+    }
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "local-policy", creds, meta);
+        await auditLocalAllow(toolName, args, "local-policy", creds, meta, void 0, false, {
+          ruleName: policyResult.ruleName,
+          ruleDescription: policyResult.ruleDescription,
+          blockedByLabel: policyResult.blockedByLabel,
+          matchedField: policyResult.matchedField,
+          matchedWord: policyResult.matchedWord
+        });
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -4337,14 +4376,50 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else if (isDaemonRunning() && !isTestEnv2) {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block-override",
+            meta,
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+          auditLocalAllow(
+            toolName,
+            args,
+            "smart-rule-block-override",
+            creds,
+            meta,
+            void 0,
+            false,
+            {
+              ruleName: policyResult.ruleName,
+              ruleDescription: policyResult.ruleDescription,
+              blockedByLabel: policyResult.blockedByLabel,
+              matchedField: policyResult.matchedField,
+              matchedWord: policyResult.matchedWord
+            }
+          );
+        const baseLabel = policyResult.blockedByLabel || "Smart Rule";
+        const OVERRIDE_PREFIX = "\u26A0\uFE0F Override block rule: ";
+        if (!baseLabel.startsWith(OVERRIDE_PREFIX)) {
+          policyResult = {
+            ...policyResult,
+            blockedByLabel: `${OVERRIDE_PREFIX}${baseLabel}`
+          };
+        }
       } else {
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
+            ruleName: policyResult.ruleName,
+            ruleDescription: policyResult.ruleDescription,
+            blockedByLabel: policyResult.blockedByLabel,
+            matchedField: policyResult.matchedField,
+            matchedWord: policyResult.matchedWord
+          });
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -4482,7 +4557,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   const internalToken = getInternalToken();
   let daemonEntryId = null;
   let daemonAllowCount = 1;
-  if ((approvers.browser || approvers.terminal) && isDaemonRunning() && !options?.calledFromDaemon) {
+  if (approvers.terminal && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
       const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
       viewerId = viewer?.id ?? null;
@@ -4560,7 +4635,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       })()
     );
   }
-  if (daemonEntryId && (approvers.browser || approvers.terminal)) {
+  if (daemonEntryId && approvers.terminal) {
     racePromises.push(
       (async () => {
         const {
@@ -4571,19 +4646,14 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         if (daemonDecision === "abandoned") throw new Error("Abandoned");
         const isApproved = daemonDecision === "allow";
         const isRedirect = decisionSource === "terminal-redirect";
-        const src = decisionSource === "terminal" || decisionSource === "terminal-redirect" || decisionSource === "browser" ? decisionSource === "browser" ? "browser" : "terminal" : approvers.browser ? "browser" : "terminal";
-        const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
+        const via = "Terminal (node9 tail)";
         return {
           approved: isApproved,
-          reason: isApproved ? void 0 : (
-            // Use the redirect reason from the tail when choice [2] was selected;
-            // otherwise fall back to the generic rejection message.
-            isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`
-          ),
+          reason: isApproved ? void 0 : isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`,
           checkedBy: isApproved ? "daemon" : void 0,
           blockedBy: isApproved ? void 0 : "local-decision",
           blockedByLabel: isRedirect ? "Steered Redirect (Terminal)" : `User Decision (${via})`,
-          decisionSource: src
+          decisionSource: "terminal"
         };
       })()
     );

package/dist/index.mjs

@@ -90,6 +90,7 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
     ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
+    sessionId: meta?.sessionId,
     hostname: os.hostname(),
     cwd: process.cwd()
   });
@@ -2058,13 +2059,6 @@ var k8s_default = {
   ],
   dangerousWords: []
 };
-var mcp_tool_gating_default = {
-  name: "mcp-tool-gating",
-  description: "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
-  aliases: ["mcp-gating", "mcp-tools"],
-  smartRules: [],
-  dangerousWords: []
-};
 var mongodb_default = {
   name: "mongodb",
   description: "Protects MongoDB databases from destructive AI operations",
@@ -2370,7 +2364,6 @@ var BUILTIN_SHIELDS = {
   [filesystem_default.name]: filesystem_default,
   [github_default.name]: github_default,
   [k8s_default.name]: k8s_default,
-  [mcp_tool_gating_default.name]: mcp_tool_gating_default,
   [mongodb_default.name]: mongodb_default,
   [postgres_default.name]: postgres_default,
   [project_jail_default.name]: project_jail_default,
@@ -2899,6 +2892,12 @@ function getConfig(cwd) {
       if (Array.isArray(raw.rules) && raw.rules.length > 0) {
         applyLayer({ policy: { smartRules: raw.rules } });
       }
+      if (raw.panicMode === true) {
+        mergedSettings.panicMode = true;
+      }
+      if (raw.shadowMode === true) {
+        mergedSettings.mode = "observe";
+      }
     } catch {
     }
   }
@@ -3836,6 +3835,12 @@ var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
   "audit-mode",
   "local-policy",
   "smart-rule-block",
+  // Smart-rule block was downgraded to review because the daemon was
+  // running and we're not in CI. The block attempt is still recorded;
+  // the user got a popup. Distinct from 'smart-rule-block' so the
+  // dashboard can show "block rule overridden" separately from a hard
+  // block that fired with no human in the loop.
+  "smart-rule-block-override",
   "persistent",
   "trust",
   "observe-mode",
@@ -3856,7 +3861,7 @@ function validateApiUrl(raw) {
   }
   return null;
 }
-function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false) {
+function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false, riskMetadata) {
   const validated = validateApiUrl(creds.apiUrl);
   if (!validated) {
     try {
@@ -3873,6 +3878,10 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, contai
   const dlpSample = dlpInfo && typeof dlpInfo.redactedSample === "string" ? dlpInfo.redactedSample.slice(0, DLP_SAMPLE_MAX_LEN) : void 0;
   const dlpPattern = dlpInfo && typeof dlpInfo.pattern === "string" ? dlpInfo.pattern.slice(0, DLP_PATTERN_MAX_LEN) : void 0;
   const safeCheckedBy = KNOWN_CHECKED_BY.has(checkedBy) ? checkedBy : "unknown";
+  const cleanedRiskMetadata = riskMetadata ? Object.fromEntries(
+    Object.entries(riskMetadata).filter(([, v]) => typeof v === "string" && v.length > 0)
+  ) : void 0;
+  const hasRiskMetadata = cleanedRiskMetadata && Object.keys(cleanedRiskMetadata).length > 0;
   return fetch(`${validated.toString().replace(/\/$/, "")}/audit`, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
@@ -3881,6 +3890,13 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, contai
       args: safeArgs,
       checkedBy: safeCheckedBy,
       ...dlpInfo && { dlpPattern, dlpSample },
+      ...hasRiskMetadata && { riskMetadata: cleanedRiskMetadata },
+      // session_id (Claude Code + Gemini CLI) groups all audit rows from one
+      // agent run; transcript_path is the authoritative pointer to the
+      // session log (survives Gemini resume drift). Both optional —
+      // unsupported agents (MCP-mediated) leave them undefined.
+      ...meta?.sessionId && { runId: meta.sessionId },
+      ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
@@ -3931,6 +3947,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPol
       body: JSON.stringify({
         toolName,
         args,
+        // See auditLocalAllow above for the rationale on these two fields.
+        ...meta?.sessionId && { runId: meta.sessionId },
+        ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
@@ -4103,15 +4122,18 @@ async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
     const actId = randomUUID();
     const actTs = Date.now();
+    const stripAnsi = (s) => s.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "");
+    const sanitizedAgent = meta?.agent ? stripAnsi(meta.agent).slice(0, 80) : void 0;
+    const sanitizedMcpServer = meta?.mcpServer ? stripAnsi(meta.mcpServer).slice(0, 40) : void 0;
     const socketOk = await notifyActivity({
       id: actId,
       ts: actTs,
       tool: toolName,
       args,
       status: "pending",
-      // Strip ANSI escape sequences — agent name comes from caller-supplied metadata
-      // and may be displayed in a terminal (node9 tail/watch), enabling injection.
-      agent: meta?.agent ? meta.agent.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "").slice(0, 80) : void 0
+      agent: sanitizedAgent,
+      mcpServer: sanitizedMcpServer,
+      sessionId: meta?.sessionId
     });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
       ...options,
@@ -4129,7 +4151,10 @@ async function authorizeHeadless(toolName, args, meta, options) {
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel,
         ruleHit: result.ruleHit,
-        observeWouldBlock: result.observeWouldBlock
+        observeWouldBlock: result.observeWouldBlock,
+        agent: sanitizedAgent,
+        mcpServer: sanitizedMcpServer,
+        sessionId: meta?.sessionId
       });
     }
     return result;
@@ -4149,9 +4174,9 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   };
   if (isTestEnv2) {
     approvers.native = false;
-    approvers.browser = false;
     approvers.terminal = false;
   }
+  approvers.browser = false;
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
     appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
@@ -4281,10 +4306,24 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
     }
-    const policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
+    let policyResult = await evaluatePolicy2(toolName, args, meta?.agent);
+    if (config.settings.panicMode && policyResult.decision === "review") {
+      policyResult = {
+        ...policyResult,
+        decision: "block",
+        blockedByLabel: "\u{1F6A8} Panic mode (org policy)",
+        reason: "Workspace is in panic mode \u2014 all review-verdict actions are blocked. Contact your admin to disable panic mode in the Node9 dashboard."
+      };
+    }
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "local-policy", creds, meta);
+        await auditLocalAllow(toolName, args, "local-policy", creds, meta, void 0, false, {
+          ruleName: policyResult.ruleName,
+          ruleDescription: policyResult.ruleDescription,
+          blockedByLabel: policyResult.blockedByLabel,
+          matchedField: policyResult.matchedField,
+          matchedWord: policyResult.matchedWord
+        });
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -4307,14 +4346,50 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else if (isDaemonRunning() && !isTestEnv2) {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block-override",
+            meta,
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+          auditLocalAllow(
+            toolName,
+            args,
+            "smart-rule-block-override",
+            creds,
+            meta,
+            void 0,
+            false,
+            {
+              ruleName: policyResult.ruleName,
+              ruleDescription: policyResult.ruleDescription,
+              blockedByLabel: policyResult.blockedByLabel,
+              matchedField: policyResult.matchedField,
+              matchedWord: policyResult.matchedWord
+            }
+          );
+        const baseLabel = policyResult.blockedByLabel || "Smart Rule";
+        const OVERRIDE_PREFIX = "\u26A0\uFE0F Override block rule: ";
+        if (!baseLabel.startsWith(OVERRIDE_PREFIX)) {
+          policyResult = {
+            ...policyResult,
+            blockedByLabel: `${OVERRIDE_PREFIX}${baseLabel}`
+          };
+        }
       } else {
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
+            ruleName: policyResult.ruleName,
+            ruleDescription: policyResult.ruleDescription,
+            blockedByLabel: policyResult.blockedByLabel,
+            matchedField: policyResult.matchedField,
+            matchedWord: policyResult.matchedWord
+          });
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -4452,7 +4527,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   const internalToken = getInternalToken();
   let daemonEntryId = null;
   let daemonAllowCount = 1;
-  if ((approvers.browser || approvers.terminal) && isDaemonRunning() && !options?.calledFromDaemon) {
+  if (approvers.terminal && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
       const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
       viewerId = viewer?.id ?? null;
@@ -4530,7 +4605,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       })()
     );
   }
-  if (daemonEntryId && (approvers.browser || approvers.terminal)) {
+  if (daemonEntryId && approvers.terminal) {
     racePromises.push(
       (async () => {
         const {
@@ -4541,19 +4616,14 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         if (daemonDecision === "abandoned") throw new Error("Abandoned");
         const isApproved = daemonDecision === "allow";
         const isRedirect = decisionSource === "terminal-redirect";
-        const src = decisionSource === "terminal" || decisionSource === "terminal-redirect" || decisionSource === "browser" ? decisionSource === "browser" ? "browser" : "terminal" : approvers.browser ? "browser" : "terminal";
-        const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
+        const via = "Terminal (node9 tail)";
         return {
           approved: isApproved,
-          reason: isApproved ? void 0 : (
-            // Use the redirect reason from the tail when choice [2] was selected;
-            // otherwise fall back to the generic rejection message.
-            isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`
-          ),
+          reason: isApproved ? void 0 : isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`,
           checkedBy: isApproved ? "daemon" : void 0,
           blockedBy: isApproved ? void 0 : "local-decision",
           blockedByLabel: isRedirect ? "Steered Redirect (Terminal)" : `User Decision (${via})`,
-          decisionSource: src
+          decisionSource: "terminal"
         };
       })()
     );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.16.0",
+  "version": "1.18.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",