npm - @node9/proxy - Versions diffs - 1.18.2 → 1.19.0 - Mend

@node9/proxy 1.18.2 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -428,9 +428,65 @@ function redactText(text) {
   }
   return { result, found };
 }
+function isCatHeredocOrLit(part) {
+  if (!part) return false;
+  const t = syntax.NodeType(part);
+  if (t === "Lit") return true;
+  if (t !== "CmdSubst") return false;
+  const stmts = part.Stmts || [];
+  if (stmts.length !== 1) return false;
+  const stmt = stmts[0];
+  const redirs = stmt.Redirs || stmt.Cmd?.Redirs || [];
+  const hasHeredoc = redirs.some((r) => r && r.Hdoc);
+  if (!hasHeredoc) return false;
+  const cmd = stmt.Cmd;
+  if (!cmd || syntax.NodeType(cmd) !== "CallExpr") return false;
+  const firstArg2 = cmd.Args?.[0]?.Parts || [];
+  if (firstArg2.length !== 1 || syntax.NodeType(firstArg2[0]) !== "Lit") return false;
+  return (firstArg2[0].Value || "").toLowerCase() === "cat";
+}
+function parseShared(command) {
+  const cached = astCache.get(command);
+  if (cached !== void 0) {
+    astCache.delete(command);
+    astCache.set(command, cached);
+    return cached;
+  }
+  let parsed;
+  try {
+    parsed = sharedParser.Parse(command, "cmd");
+  } catch {
+    parsed = PARSE_FAIL;
+  }
+  if (astCache.size >= AST_CACHE_MAX) {
+    const oldest = astCache.keys().next().value;
+    if (oldest !== void 0) astCache.delete(oldest);
+  }
+  astCache.set(command, parsed);
+  return parsed;
+}
+function cachedNormalize(command, compute) {
+  const hit = normalizeCache.get(command);
+  if (hit !== void 0) {
+    normalizeCache.delete(command);
+    normalizeCache.set(command, hit);
+    return hit;
+  }
+  const result = compute();
+  if (normalizeCache.size >= NORMALIZE_CACHE_MAX) {
+    const oldest = normalizeCache.keys().next().value;
+    if (oldest !== void 0) normalizeCache.delete(oldest);
+  }
+  normalizeCache.set(command, result);
+  return result;
+}
 function normalizeCommandForPolicy(command) {
+  return cachedNormalize(command, () => normalizeCommandForPolicyImpl(command));
+}
+function normalizeCommandForPolicyImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return command;
   try {
-    const f = sharedParser.Parse(command, "cmd");
     const strips = [];
     syntax.Walk(f, (node) => {
       if (!node) return false;
@@ -452,7 +508,11 @@ function normalizeCommandForPolicy(command) {
         } else if (nt === "DblQuoted") {
           const innerParts = quotedNode.Parts || [];
           const allLit = innerParts.length === 0 || innerParts.every((p) => syntax.NodeType(p) === "Lit");
-          if (allLit) strips.push([next.Pos().Offset(), next.End().Offset()]);
+          if (allLit) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          } else if (innerParts.every((p) => isCatHeredocOrLit(p))) {
+            strips.push([next.Pos().Offset(), next.End().Offset()]);
+          }
         }
       }
       return true;
@@ -520,6 +580,130 @@ function detectDangerousShellExec(command) {
     return null;
   }
 }
+function isBashTool(toolName) {
+  return BASH_TOOL_NAMES.has(toolName.toLowerCase());
+}
+function isProtectedHomePath(rawPath) {
+  let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
+  let underHome = false;
+  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) {
+    p = p.replace(/^~[\\/]?/, "");
+    underHome = true;
+  } else if (/^\/home\/[^/]+/.test(p) || /^\/root(\/|$)/.test(p)) {
+    p = p.replace(/^\/home\/[^/]+[\\/]?|^\/root[\\/]?/, "");
+    underHome = true;
+  }
+  if (!underHome) return false;
+  if (p === "" || p === "." || p === "./") return true;
+  for (const safe of HOME_CACHE_ALLOWLIST) {
+    if (p === safe || p.startsWith(safe + "/") || p.startsWith(safe + "\\")) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractLiteralArgs(callExpr) {
+  const args = callExpr.Args || [];
+  if (args.length === 0) return { name: "", flags: [], paths: [] };
+  const litFromWord = (w) => {
+    const parts = w?.Parts || [];
+    let s = "";
+    for (const p of parts) {
+      const t = syntax.NodeType(p);
+      if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+      else if (t === "SglQuoted") s += p.Value ?? "";
+      else if (t === "DblQuoted") {
+        const inner = p.Parts || [];
+        if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+        s += inner.map((ip) => ip.Value ?? "").join("");
+      } else {
+        return null;
+      }
+    }
+    return s;
+  };
+  const name = (litFromWord(args[0]) || "").toLowerCase();
+  const flags = [];
+  const paths = [];
+  for (let i = 1; i < args.length; i++) {
+    const v = litFromWord(args[i]);
+    if (v === null) continue;
+    if (v.startsWith("-")) flags.push(v);
+    else paths.push(v);
+  }
+  return { name, flags, paths };
+}
+function analyzeFsOperation(command) {
+  if (!FS_OP_PRESCREEN_RE.test(command)) return null;
+  if (fsOpCache.has(command)) {
+    const hit = fsOpCache.get(command) ?? null;
+    fsOpCache.delete(command);
+    fsOpCache.set(command, hit);
+    return hit;
+  }
+  const computed = analyzeFsOperationImpl(command);
+  if (fsOpCache.size >= FS_OP_CACHE_MAX) {
+    const oldest = fsOpCache.keys().next().value;
+    if (oldest !== void 0) fsOpCache.delete(oldest);
+  }
+  fsOpCache.set(command, computed);
+  return computed;
+}
+function analyzeFsOperationImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return null;
+  let result = null;
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node || result) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const { name, flags, paths } = extractLiteralArgs(n);
+      if (!name) return true;
+      if (name === "rm") {
+        const flagStr = flags.join("").toLowerCase();
+        const hasR = /[r]/.test(flagStr) || flags.includes("--recursive");
+        const hasF = /[f]/.test(flagStr) || flags.includes("--force");
+        if (hasR && hasF) {
+          for (const p of paths) {
+            if (isProtectedHomePath(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of home directory is irreversible",
+                path: p
+              };
+              return false;
+            }
+            if (p === "/" || /^\/+$/.test(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of root is catastrophic",
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      if (FS_READ_TOOLS.has(name)) {
+        for (const p of paths) {
+          for (const sp of SENSITIVE_PATH_RULES) {
+            if (sp.match(p)) {
+              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              return false;
+            }
+          }
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
 function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -809,10 +993,18 @@ function getNestedValue(obj, path49) {
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
   const mode = rule.conditionMode ?? "all";
+  const fieldCache = /* @__PURE__ */ new Map();
+  const resolveField = (field) => {
+    if (fieldCache.has(field)) return fieldCache.get(field) ?? null;
+    const rawVal = getNestedValue(args, field);
+    const rawStr = rawVal !== null && rawVal !== void 0 ? String(rawVal) : null;
+    const stripped = field === "command" && rawStr !== null ? normalizeCommandForPolicy(rawStr) : rawStr;
+    const val = stripped !== null ? stripped.replace(/\s+/g, " ").trim() : null;
+    fieldCache.set(field, val);
+    return val;
+  };
   const results = rule.conditions.map((cond) => {
-    const rawVal = getNestedValue(args, cond.field);
-    const normalized = rawVal !== null && rawVal !== void 0 ? String(rawVal).replace(/\s+/g, " ").trim() : null;
-    const val = cond.field === "command" && normalized !== null ? normalizeCommandForPolicy(normalized) : normalized;
+    const val = resolveField(cond.field);
     switch (cond.op) {
       case "exists":
         return val !== null && val !== "";
@@ -863,6 +1055,43 @@ function isSqlTool(toolName, toolInspection) {
   const fieldName = toolInspection[matchingPattern];
   return fieldName === "sql" || fieldName === "query";
 }
+function pipeChainVerdict(command, isTrustedHost2) {
+  const pipeAnalysis = analyzePipeChain(command);
+  if (!pipeAnalysis.isPipeline) return null;
+  if (pipeAnalysis.risk !== "critical" && pipeAnalysis.risk !== "high") return null;
+  const sinks = pipeAnalysis.sinkTargets;
+  const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
+  if (pipeAnalysis.risk === "critical") {
+    if (allTrusted) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+        reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+        tier: 3
+      };
+    }
+    return {
+      decision: "block",
+      blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+      reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  if (allTrusted) {
+    return {
+      decision: "allow",
+      blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+      reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  return {
+    decision: "review",
+    blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+    reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+    tier: 3
+  };
+}
 async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
   const { agent, cwd, activeEnvironment } = context;
   const { checkProvenance: checkProvenance2, isTrustedHost: isTrustedHost2 } = hooks;
@@ -878,9 +1107,27 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
   }
   if (wouldBeIgnored) return { decision: "allow" };
+  const bashCommand = agent !== "Terminal" && isBashTool(toolName) && args && typeof args === "object" ? typeof args.command === "string" ? args.command : null : null;
+  if (bashCommand !== null) {
+    const pipeVerdict = pipeChainVerdict(bashCommand, isTrustedHost2);
+    if (pipeVerdict) return pipeVerdict;
+    const fsVerdict = analyzeFsOperation(bashCommand);
+    if (fsVerdict) {
+      const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+      const labelPrefix = isShieldRule ? "project-jail (AST)" : "Node9 (AST)";
+      return {
+        decision: fsVerdict.verdict,
+        blockedByLabel: `${labelPrefix}: ${fsVerdict.ruleName}`,
+        reason: fsVerdict.reason,
+        tier: 2,
+        ruleName: fsVerdict.ruleName,
+        ruleDescription: fsVerdict.reason
+      };
+    }
+  }
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+      (rule) => matchesPattern(toolName, rule.tool) && !(bashCommand !== null && rule.name && AST_FS_REGEX_RULES.has(rule.name)) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
       if (matchedRule.verdict === "allow")
@@ -938,41 +1185,8 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
         tier: 3
       };
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
-        }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
+    const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
+    if (ptVerdict) return ptVerdict;
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -1294,7 +1508,323 @@ function summarizeBlast(result, opts = {}) {
     }))
   };
 }
-var ASSIGNMENT_CONTEXT_RE, DLP_STOPWORDS, DLP_PATTERNS, DLP_PATTERNS_GLOBAL, SENSITIVE_PATH_PATTERNS, MAX_DEPTH, MAX_STRING_BYTES, MAX_JSON_PARSE_BYTES, syntax, sharedParser, MESSAGE_FLAGS, SHELL_INTERPRETERS, DOWNLOAD_CMDS, SOURCE_COMMANDS, SINK_COMMANDS, OBFUSCATORS, SENSITIVE_PATTERNS, FLAGS_WITH_VALUES, MAX_REGEX_LENGTH, REGEX_CACHE_MAX, regexCache, FORBIDDEN_PATH_SEGMENTS, SQL_DML_KEYWORDS, aws_default, bash_safe_default, docker_default, filesystem_default, github_default, k8s_default, mongodb_default, postgres_default, project_jail_default, redis_default, BUILTIN_SHIELDS, LOOP_MAX_RECORDS, FINDING_TO_SIGNAL, SCAN_SIGNAL_WEIGHTS, LOOP_THRESHOLD_FOR_WASTE, COST_PER_LOOP_ITER_USD;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+function extractCanonicalFindings(call, ctx) {
+  const out = [];
+  const ts = call.timestamp;
+  const toolNameLower = call.toolName.toLowerCase();
+  const command = typeof call.args.command === "string" ? call.args.command : null;
+  const isBash = isBashTool(call.toolName) && command !== null;
+  if (call.outputBytes !== void 0 && call.outputBytes > LONG_OUTPUT_THRESHOLD_BYTES) {
+    out.push(
+      makeFinding({
+        type: "long-output-redacted",
+        ruleName: "long-output-redacted",
+        verdict: "review",
+        severity: "medium",
+        reason: `Tool output exceeded ${LONG_OUTPUT_THRESHOLD_BYTES} bytes and was redacted`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine"
+      })
+    );
+  }
+  if (ctx.dlpEnabled) {
+    const dlp = scanArgs(call.args);
+    if (dlp) {
+      out.push(
+        makeFinding({
+          type: "dlp",
+          ruleName: `dlp:${dlp.patternName}`,
+          patternName: dlp.patternName,
+          verdict: dlp.severity === "block" ? "block" : "review",
+          severity: dlp.severity === "block" ? "critical" : "medium",
+          reason: `${dlp.patternName} detected in ${dlp.fieldPath}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          input: call.args,
+          redactedSample: dlp.redactedSample
+        })
+      );
+    }
+  }
+  for (const value of stringValues(call.args)) {
+    const piiHits = detectPii(value);
+    for (const pattern of piiHits) {
+      out.push(
+        makeFinding({
+          type: "pii",
+          ruleName: `pii:${pattern.toLowerCase().replace(/\s+/g, "-")}`,
+          patternName: pattern,
+          verdict: "review",
+          severity: "medium",
+          reason: `${pattern} pattern detected in tool input`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine"
+        })
+      );
+    }
+  }
+  if (FILE_TOOLS.has(toolNameLower)) {
+    const filePath = typeof call.args.file_path === "string" && call.args.file_path || typeof call.args.path === "string" && call.args.path || typeof call.args.pattern === "string" && call.args.pattern || "";
+    if (filePath && SENSITIVE_PATH_RE.test(filePath)) {
+      out.push(
+        makeFinding({
+          type: "sensitive-file-read",
+          ruleName: "sensitive-file-read",
+          verdict: "review",
+          severity: "critical",
+          reason: `Sensitive file path read via ${call.toolName}`,
+          toolName: call.toolName,
+          ctx,
+          ts,
+          sourceType: "engine",
+          subjectPath: filePath
+        })
+      );
+    }
+  }
+  if (!isBash || command === null) {
+    return out;
+  }
+  const fsVerdict = analyzeFsOperation(command);
+  if (fsVerdict) {
+    const isShield = fsVerdict.ruleName.startsWith("shield:");
+    out.push(
+      makeFinding({
+        type: "ast-fs-op",
+        ruleName: fsVerdict.ruleName,
+        verdict: fsVerdict.verdict,
+        severity: classifyRuleSeverity(fsVerdict.ruleName, fsVerdict.verdict),
+        reason: fsVerdict.reason,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: isShield ? "shield" : "engine",
+        shieldLabel: isShield ? "project-jail (AST)" : "Node9 (AST)",
+        subjectPath: fsVerdict.path,
+        input: call.args
+      })
+    );
+  }
+  for (const source of ctx.rules) {
+    const r = source.rule;
+    if (r.verdict === "allow") continue;
+    if (r.tool && !matchesPattern(toolNameLower, r.tool)) continue;
+    if (r.name && AST_FS_REGEX_RULES.has(r.name)) continue;
+    if (!evaluateSmartConditions(call.args, r)) continue;
+    out.push(
+      makeFinding({
+        type: "smart-rule",
+        ruleName: r.name ?? r.tool,
+        verdict: r.verdict === "block" ? "block" : "review",
+        severity: classifyRuleSeverity(r.name ?? r.tool, r.verdict),
+        reason: r.reason ?? `Smart rule ${r.name ?? r.tool} fired`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: source.sourceType,
+        shieldLabel: source.shieldLabel,
+        input: call.args
+      })
+    );
+    break;
+  }
+  const evalVerdict = detectDangerousShellExec(command);
+  if (evalVerdict) {
+    out.push(
+      makeFinding({
+        type: "eval-of-remote",
+        ruleName: "eval-of-remote",
+        verdict: evalVerdict,
+        severity: classifyRuleSeverity("eval-remote", evalVerdict),
+        reason: evalVerdict === "block" ? "Eval of remote download is a near-certain supply-chain attack" : "Eval of dynamic content (variable / subshell) requires approval",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  const pipe = analyzePipeChain(command);
+  if (pipe.isPipeline && pipe.risk === "critical") {
+    out.push(
+      makeFinding({
+        type: "pipe-to-shell",
+        ruleName: "pipe-to-shell",
+        verdict: "block",
+        severity: "critical",
+        reason: `Sensitive file piped through obfuscator to network sink: ${pipe.sourceFiles.join(", ")} \u2192 ${pipe.sinkTargets.join(", ")}`,
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  if (DESTRUCTIVE_OP_RE.test(command)) {
+    out.push(
+      makeFinding({
+        type: "destructive-op",
+        ruleName: "destructive-op",
+        verdict: "review",
+        severity: "high",
+        reason: "Destructive operation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  if (PRIVILEGE_ESCALATION_RE.test(command)) {
+    out.push(
+      makeFinding({
+        type: "privilege-escalation",
+        ruleName: "privilege-escalation",
+        verdict: "review",
+        severity: "high",
+        reason: "Privilege-escalation pattern detected",
+        toolName: call.toolName,
+        ctx,
+        ts,
+        sourceType: "engine",
+        input: call.args
+      })
+    );
+  }
+  return out;
+}
+function extractSessionLevelFindings(calls, ctx) {
+  if (!ctx.loopDetection.enabled || calls.length === 0) return [];
+  const out = [];
+  const seenLoopKeys = /* @__PURE__ */ new Set();
+  const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1e3;
+  const windowMs = ctx.loopDetection.windowSeconds <= 0 ? ONE_YEAR_MS : ctx.loopDetection.windowSeconds * 1e3;
+  let records = [];
+  let syntheticTs = 0;
+  for (let i = 0; i < calls.length; i++) {
+    const call = calls[i];
+    const parsed = new Date(call.timestamp).getTime();
+    const now = Number.isFinite(parsed) ? parsed : ++syntheticTs;
+    const verdict = evaluateLoopWindow(
+      records,
+      call.toolName,
+      call.args,
+      ctx.loopDetection.threshold,
+      windowMs,
+      now
+    );
+    records = verdict.nextRecords;
+    if (!verdict.looping) continue;
+    const last = records[records.length - 1];
+    const key = `${last.t}|${last.h}`;
+    if (seenLoopKeys.has(key)) continue;
+    seenLoopKeys.add(key);
+    out.push({
+      type: "loop",
+      ruleName: "loop",
+      verdict: "review",
+      severity: "medium",
+      reason: `Tool called ${verdict.count} times with identical args within window`,
+      toolName: call.toolName,
+      agent: ctx.agent,
+      sessionId: ctx.sessionId,
+      project: ctx.project,
+      lineIndex: call.lineIndex,
+      sourceType: "engine",
+      firstSeenAt: call.timestamp,
+      lastSeenAt: call.timestamp,
+      occurrenceCount: 1,
+      loopCount: verdict.count,
+      loopKind: "loop",
+      commandPreview: previewArgs(call.args, DEDUPE_PREVIEW_LEN),
+      costUsd: verdict.count * COST_PER_LOOP_ITER_USD
+    });
+  }
+  return out;
+}
+function toScanFinding(c) {
+  const typeMap = {
+    "smart-rule": null,
+    "ast-fs-op": null,
+    dlp: "dlp",
+    pii: "pii",
+    "sensitive-file-read": "sensitive-file-read",
+    "privilege-escalation": "privilege-escalation",
+    "destructive-op": "destructive-op",
+    "pipe-to-shell": "pipe-to-shell",
+    "eval-of-remote": "eval-of-remote",
+    loop: "loop",
+    "long-output-redacted": "long-output-redacted"
+  };
+  const sfType = typeMap[c.type];
+  if (sfType === null) return null;
+  return {
+    sessionId: c.sessionId,
+    type: sfType,
+    ...c.patternName && { patternName: c.patternName },
+    lineIndex: c.lineIndex
+  };
+}
+function previewArgs(input, max) {
+  const cmd = input.command ?? input.query ?? input.file_path ?? JSON.stringify(input);
+  const s = String(cmd).replace(TERMINAL_ESCAPE_RE, "").replace(/\s+/g, " ").trim();
+  return s.length > max ? s.slice(0, max - 1) + "\u2026" : s;
+}
+function makeFinding(args) {
+  const f = {
+    type: args.type,
+    ruleName: args.ruleName,
+    verdict: args.verdict,
+    severity: args.severity,
+    reason: args.reason,
+    toolName: args.toolName,
+    agent: args.ctx.agent,
+    sessionId: args.ctx.sessionId,
+    project: args.ctx.project,
+    lineIndex: args.ctx.lineIndex,
+    sourceType: args.sourceType,
+    firstSeenAt: args.ts,
+    lastSeenAt: args.ts,
+    occurrenceCount: 1
+  };
+  if (args.shieldLabel) f.shieldLabel = args.shieldLabel;
+  if (args.subjectPath) f.subjectPath = args.subjectPath;
+  if (args.input) f.input = args.input;
+  if (args.patternName) f.patternName = args.patternName;
+  if (args.redactedSample) f.redactedSample = args.redactedSample;
+  return f;
+}
+function* stringValues(obj, depth = 0) {
+  if (depth > 6) return;
+  if (typeof obj === "string") {
+    if (obj.length > 0) yield obj;
+    return;
+  }
+  if (!obj || typeof obj !== "object") return;
+  if (Array.isArray(obj)) {
+    for (const v of obj) yield* stringValues(v, depth + 1);
+    return;
+  }
+  for (const v of Object.values(obj)) yield* stringValues(v, depth + 1);
+}
+var ASSIGNMENT_CONTEXT_RE, DLP_STOPWORDS, DLP_PATTERNS, DLP_PATTERNS_GLOBAL, SENSITIVE_PATH_PATTERNS, MAX_DEPTH, MAX_STRING_BYTES, MAX_JSON_PARSE_BYTES, syntax, sharedParser, MESSAGE_FLAGS, SHELL_INTERPRETERS, DOWNLOAD_CMDS, NORMALIZE_CACHE_MAX, normalizeCache, AST_CACHE_MAX, astCache, PARSE_FAIL, FS_READ_TOOLS, FS_OP_PRESCREEN_RE, HOME_CACHE_ALLOWLIST, SENSITIVE_PATH_RULES, BASH_TOOL_NAMES, AST_FS_REGEX_RULES, FS_OP_CACHE_MAX, fsOpCache, SOURCE_COMMANDS, SINK_COMMANDS, OBFUSCATORS, SENSITIVE_PATTERNS, FLAGS_WITH_VALUES, MAX_REGEX_LENGTH, REGEX_CACHE_MAX, regexCache, FORBIDDEN_PATH_SEGMENTS, SQL_DML_KEYWORDS, aws_default, bash_safe_default, docker_default, filesystem_default, github_default, k8s_default, mongodb_default, postgres_default, project_jail_default, redis_default, BUILTIN_SHIELDS, LOOP_MAX_RECORDS, FINDING_TO_SIGNAL, SCAN_SIGNAL_WEIGHTS, LOOP_THRESHOLD_FOR_WASTE, COST_PER_LOOP_ITER_USD, DESTRUCTIVE_OP_RE, PRIVILEGE_ESCALATION_RE, SENSITIVE_PATH_RE, FILE_TOOLS, PII_EMAIL_RE, PII_SSN_RE, PII_PHONE_RE, PII_CC_RE, LONG_OUTPUT_THRESHOLD_BYTES, CANONICAL_EXTRACTOR_VERSION, DEDUPE_PREVIEW_LEN, TERMINAL_ESCAPE_RE;
 var init_dist = __esm({
   "packages/policy-engine/dist/index.mjs"() {
     "use strict";
@@ -1762,6 +2292,83 @@ var init_dist = __esm({
     ]);
     SHELL_INTERPRETERS = /* @__PURE__ */ new Set(["bash", "sh", "zsh", "fish", "dash", "ksh"]);
     DOWNLOAD_CMDS = /* @__PURE__ */ new Set(["curl", "wget"]);
+    NORMALIZE_CACHE_MAX = 5e3;
+    normalizeCache = /* @__PURE__ */ new Map();
+    AST_CACHE_MAX = 5e3;
+    astCache = /* @__PURE__ */ new Map();
+    PARSE_FAIL = /* @__PURE__ */ Symbol("parse-fail");
+    FS_READ_TOOLS = /* @__PURE__ */ new Set([
+      "cat",
+      "less",
+      "head",
+      "tail",
+      "bat",
+      "more",
+      "open",
+      "print",
+      "nano",
+      "vim",
+      "vi",
+      "emacs",
+      "code",
+      "type"
+    ]);
+    FS_OP_PRESCREEN_RE = /(?:^|[\s|;&(`\n])(?:rm|cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\b/;
+    HOME_CACHE_ALLOWLIST = [
+      ".cache",
+      ".npm/_npx",
+      ".npm/_cacache",
+      ".cargo/registry",
+      ".gradle/caches",
+      ".gradle/.tmp",
+      ".m2/repository",
+      ".pnpm-store",
+      ".yarn/cache",
+      ".yarn/.cache",
+      ".cache/pip",
+      ".local/share/Trash",
+      ".rustup/downloads"
+    ];
+    SENSITIVE_PATH_RULES = [
+      {
+        rule: "shield:project-jail:block-read-ssh",
+        reason: "Reading SSH private keys is blocked by project-jail shield",
+        match: (p) => /(^|[\\/])\.ssh[\\/]/i.test(p)
+      },
+      {
+        rule: "shield:project-jail:block-read-aws",
+        reason: "Reading AWS credentials is blocked by project-jail shield",
+        match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
+      },
+      {
+        rule: "shield:project-jail:block-read-env",
+        reason: "Reading .env files is blocked by project-jail shield",
+        match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+      },
+      {
+        rule: "shield:project-jail:block-read-credentials",
+        reason: "Reading credential files is blocked by project-jail shield",
+        match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
+          p
+        )
+      }
+    ];
+    BASH_TOOL_NAMES = /* @__PURE__ */ new Set([
+      "bash",
+      "execute_bash",
+      "run_shell_command",
+      "shell",
+      "exec_command"
+    ]);
+    AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
+      "block-rm-rf-home",
+      "shield:project-jail:block-read-ssh",
+      "shield:project-jail:block-read-aws",
+      "shield:project-jail:block-read-env",
+      "shield:project-jail:block-read-credentials"
+    ]);
+    FS_OP_CACHE_MAX = 5e3;
+    fsOpCache = /* @__PURE__ */ new Map();
     SOURCE_COMMANDS = /* @__PURE__ */ new Set([
       "cat",
       "head",
@@ -2616,6 +3223,31 @@ var init_dist = __esm({
     };
     LOOP_THRESHOLD_FOR_WASTE = 3;
     COST_PER_LOOP_ITER_USD = 6e-3;
+    DESTRUCTIVE_OP_RE = /\brm\s+-[rRf]+\b|\bDROP\s+(TABLE|DATABASE|COLLECTION|SCHEMA)\b|\bTRUNCATE\s+TABLE\b|\bgit\s+push\s+(--force|-f)\b|\bFLUSHALL\b|\bFLUSHDB\b|\bkubectl\s+delete\b|\bhelm\s+uninstall\b/i;
+    PRIVILEGE_ESCALATION_RE = /\b(sudo|su)\b\s+[a-z]|\bchmod\s+(0?777|\+x)\b|\bchown\s+root\b/i;
+    SENSITIVE_PATH_RE = /\.aws\/(credentials|config)\b|\.ssh\/(id_rsa|id_ed25519|id_ecdsa|id_dsa)\b|\.env(\.|$|\b)|\.config\/gcloud\/credentials\.db\b|\.docker\/config\.json\b|\.netrc\b|\.npmrc\b|\.node9\/credentials\.json\b/i;
+    FILE_TOOLS = /* @__PURE__ */ new Set([
+      "read",
+      "read_file",
+      "edit",
+      "edit_file",
+      "write",
+      "write_file",
+      "multiedit",
+      "grep",
+      "grep_search",
+      "glob",
+      "list_files"
+    ]);
+    PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+    PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+    PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+    PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+    LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
+    CANONICAL_EXTRACTOR_VERSION = "canonical-v1";
+    DEDUPE_PREVIEW_LEN = 120;
+    TERMINAL_ESCAPE_RE = // eslint-disable-next-line no-control-regex
+    /\x1b\[[0-9;?]*[A-Za-z]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;
   }
 });
@@ -5541,9 +6173,7 @@ function removeNode9McpServer(servers) {
   return true;
 }
 function printDaemonTip() {
-  console.log(
-    chalk.cyan("\n   \u{1F4A1} Node9 will protect you automatically using Native OS popups.") + chalk.white("\n      To view your history or manage persistent rules, run:") + chalk.green("\n      node9 daemon --openui")
-  );
+  console.log(chalk.cyan("\n   \u{1F4A1} Node9 will protect you automatically using Native OS popups."));
 }
 function fullPathCommand(subcommand) {
   if (process.env.NODE9_TESTING === "1") return `node9 ${subcommand}`;
@@ -6627,7 +7257,8 @@ function buildScanSummary(agents) {
       timestamp: f.timestamp,
       project: f.project,
       sessionId: f.sessionId,
-      agent: f.agent
+      agent: f.agent,
+      kind: f.kind
     }))
   );
   const byVerdict = {
@@ -6645,10 +7276,7 @@ function buildScanSummary(agents) {
     costUSD: a.scan.totalCostUSD
   })).filter((s) => s.sessions > 0 || s.findings > 0);
   const sections = buildSections(allFindings);
-  const wastedIters = allLoops.reduce(
-    (sum, l) => sum + Math.max(0, l.count - LOOP_THRESHOLD_FOR_WASTE),
-    0
-  );
+  const wastedIters = allLoops.filter((l) => l.kind !== "long-iteration").reduce((sum, l) => sum + Math.max(0, l.count - LOOP_THRESHOLD_FOR_WASTE), 0);
   const loopWastedUSD = wastedIters * COST_PER_LOOP_ITER_USD;
   return {
     stats,
@@ -7263,8 +7891,10 @@ var init_costSync = __esm({
 // src/daemon/scan-watermark.ts
 var scan_watermark_exports = {};
 __export(scan_watermark_exports, {
+  WATERMARK_SCHEMA_VERSION: () => WATERMARK_SCHEMA_VERSION,
   extractFindingsFromLine: () => extractFindingsFromLine,
   loadWatermark: () => loadWatermark,
+  markUploadComplete: () => markUploadComplete,
   saveWatermark: () => saveWatermark,
   scanDelta: () => scanDelta,
   tickScanWatcher: () => tickScanWatcher
@@ -7273,18 +7903,68 @@ import fs16 from "fs";
 import os15 from "os";
 import path18 from "path";
 import readline from "readline";
+function freshWatermark() {
+  return {
+    schemaVersion: WATERMARK_SCHEMA_VERSION,
+    extractorVersion: CANONICAL_EXTRACTOR_VERSION,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    files: {}
+  };
+}
 function loadWatermark() {
+  let raw;
   try {
-    const raw = fs16.readFileSync(WATERMARK_FILE(), "utf-8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.createdAt === "string" && parsed.files && typeof parsed.files === "object") {
-      return parsed;
-    }
+    raw = fs16.readFileSync(WATERMARK_FILE(), "utf-8");
   } catch {
+    return { status: "fresh", wm: freshWatermark() };
   }
-  return { createdAt: (/* @__PURE__ */ new Date()).toISOString(), files: {} };
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return { status: "fresh", wm: freshWatermark() };
+  }
+  if (typeof parsed.createdAt !== "string" || !parsed.files || typeof parsed.files !== "object") {
+    return { status: "fresh", wm: freshWatermark() };
+  }
+  const fileSchemaVersion = typeof parsed.schemaVersion === "number" ? parsed.schemaVersion : 1;
+  if (fileSchemaVersion > WATERMARK_SCHEMA_VERSION) {
+    const wm2 = {
+      schemaVersion: fileSchemaVersion,
+      extractorVersion: typeof parsed.extractorVersion === "string" ? parsed.extractorVersion : CANONICAL_EXTRACTOR_VERSION,
+      createdAt: parsed.createdAt,
+      files: parsed.files
+    };
+    return { status: "schema-future", wm: wm2 };
+  }
+  const fileExtractorVersion = typeof parsed.extractorVersion === "string" ? parsed.extractorVersion : "";
+  if (fileExtractorVersion !== CANONICAL_EXTRACTOR_VERSION) {
+    const filesIn = parsed.files;
+    const filesOut = {};
+    for (const [k, v] of Object.entries(filesIn)) {
+      filesOut[k] = { scannedTo: 0 };
+      void v;
+    }
+    const wm2 = {
+      schemaVersion: WATERMARK_SCHEMA_VERSION,
+      extractorVersion: CANONICAL_EXTRACTOR_VERSION,
+      pendingResetUploadAs: "totals",
+      createdAt: parsed.createdAt,
+      files: filesOut
+    };
+    return { status: "extractor-stale", wm: wm2 };
+  }
+  const wm = {
+    schemaVersion: WATERMARK_SCHEMA_VERSION,
+    extractorVersion: CANONICAL_EXTRACTOR_VERSION,
+    ...parsed.pendingResetUploadAs === "totals" && { pendingResetUploadAs: "totals" },
+    createdAt: parsed.createdAt,
+    files: parsed.files
+  };
+  return { status: "current", wm };
 }
 function saveWatermark(wm) {
+  if (wm.schemaVersion > WATERMARK_SCHEMA_VERSION) return;
   const target = WATERMARK_FILE();
   const dir = path18.dirname(target);
   if (!fs16.existsSync(dir)) fs16.mkdirSync(dir, { recursive: true });
@@ -7377,6 +8057,16 @@ function extractFindingsFromLine(line, sessionId, lineIndex) {
       }
     }
   }
+  const ctx = {
+    sessionId,
+    lineIndex,
+    project: "",
+    agent: "claude",
+    rules: [],
+    toolInspection: { bash: "command", execute_bash: "command" },
+    dlpEnabled: false
+    // line-level DLP runs above already
+  };
   const message = line.message;
   if (message && typeof message === "object") {
     const content = message.content;
@@ -7387,73 +8077,105 @@ function extractFindingsFromLine(line, sessionId, lineIndex) {
         if (b.type === "tool_result") {
           const c = b.content;
           const len = typeof c === "string" ? c.length : Array.isArray(c) ? JSON.stringify(c).length : 0;
-          if (len > LONG_OUTPUT_THRESHOLD_BYTES) {
+          if (len > LONG_OUTPUT_THRESHOLD_BYTES2) {
             findings.push({
               type: "long-output-redacted",
               sessionId,
               lineIndex
             });
           }
+          continue;
         }
         if (b.type !== "tool_use") continue;
-        const toolName = typeof b.name === "string" ? b.name.toLowerCase() : "";
-        const input = b.input;
-        if (FILE_TOOLS.has(toolName)) {
-          const filePath = typeof input?.file_path === "string" && input.file_path || typeof input?.path === "string" && input.path || typeof input?.pattern === "string" && input.pattern || "";
-          if (filePath && SENSITIVE_PATH_RE.test(filePath)) {
-            findings.push({
-              type: "sensitive-file-read",
-              sessionId,
-              lineIndex
-            });
-          }
-        }
-        if (toolName !== "bash" && toolName !== "execute_bash") continue;
-        const command = input && typeof input.command === "string" ? input.command : "";
-        if (!command) continue;
-        const verdict = detectDangerousShellExec(command);
-        if (verdict) {
-          findings.push({ type: "eval-of-remote", sessionId, lineIndex });
-        }
-        const pipe = analyzePipeChain(command);
-        if (pipe.isPipeline && pipe.risk === "critical") {
-          findings.push({ type: "pipe-to-shell", sessionId, lineIndex });
-        }
-        if (DESTRUCTIVE_OP_RE.test(command)) {
-          findings.push({ type: "destructive-op", sessionId, lineIndex });
-        }
-        if (PRIVILEGE_ESCALATION_RE.test(command)) {
-          findings.push({
-            type: "privilege-escalation",
-            sessionId,
-            lineIndex
-          });
+        const toolName = typeof b.name === "string" ? b.name : "";
+        const input = b.input ?? {};
+        const call = {
+          toolName,
+          args: input,
+          timestamp: typeof obj.timestamp === "string" ? obj.timestamp : ""
+        };
+        const canonical = extractCanonicalFindings(call, ctx);
+        for (const cf of canonical) {
+          const sf = toScanFinding(cf);
+          if (sf) findings.push(sf);
         }
       }
     }
   }
   return findings;
 }
-function detectPii(text) {
-  const found = /* @__PURE__ */ new Set();
-  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
-  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
-  if (PII_PHONE_RE.test(text)) found.add("Phone");
-  if (PII_CC_RE.test(text)) found.add("Credit Card");
-  return [...found];
+function markUploadComplete() {
+  const state = loadWatermark();
+  if (state.status === "schema-future") return;
+  if (state.status === "extractor-stale") return;
+  if (!state.wm.pendingResetUploadAs) return;
+  delete state.wm.pendingResetUploadAs;
+  saveWatermark(state.wm);
 }
 async function tickScanWatcher() {
   if (process.env.NODE9_SCAN_DISABLE === "1") {
-    return {
-      findings: [],
-      totalToolCalls: 0,
-      toolCallsBySession: {},
-      filesScanned: 0,
-      filesNew: 0,
-      filesSkipped: 0
-    };
+    return emptyTick("deltas");
+  }
+  const state = loadWatermark();
+  if (state.status === "schema-future") {
+    if (process.env.NODE9_DEBUG === "1") {
+      process.stderr.write("[node9] watermark schema is from a newer daemon \u2014 skipping tick.\n");
+    }
+    return { ...emptyTick("deltas"), schemaFuture: true };
+  }
+  if (state.status === "extractor-stale") {
+    if (process.env.NODE9_SKIP_WATERMARK_RESET === "1") {
+      const acknowledged = readRawWatermarkPreservingOffsets();
+      if (acknowledged) {
+        saveWatermark(acknowledged);
+      }
+      process.stderr.write(
+        "[node9] Extractor upgrade acknowledged via NODE9_SKIP_WATERMARK_RESET.\n       Existing verdicts not refreshed \u2014 run `node9 scan --upload-history`\n       to backfill them through the new pipeline.\n"
+      );
+      return runActualTick(loadWatermark().wm);
+    }
+    process.stderr.write(
+      "[node9] Detector upgrade detected \u2014 re-scanning history through the new\n        pipeline. Expect a one-time SaaS payload spike on this tick.\n        Set NODE9_SKIP_WATERMARK_RESET=1 to skip.\n"
+    );
+  }
+  return runActualTick(state.wm);
+}
+function emptyTick(uploadAs) {
+  return {
+    findings: [],
+    totalToolCalls: 0,
+    toolCallsBySession: {},
+    filesScanned: 0,
+    filesNew: 0,
+    filesSkipped: 0,
+    uploadAs,
+    schemaFuture: false
+  };
+}
+function readRawWatermarkPreservingOffsets() {
+  let raw;
+  try {
+    raw = fs16.readFileSync(WATERMARK_FILE(), "utf-8");
+  } catch {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
   }
-  const wm = loadWatermark();
+  if (typeof parsed.createdAt !== "string" || !parsed.files || typeof parsed.files !== "object") {
+    return null;
+  }
+  return {
+    schemaVersion: WATERMARK_SCHEMA_VERSION,
+    extractorVersion: CANONICAL_EXTRACTOR_VERSION,
+    createdAt: parsed.createdAt,
+    files: parsed.files
+  };
+}
+async function runActualTick(wm) {
   const watermarkCreatedAt = new Date(wm.createdAt).getTime();
   const findings = [];
   let totalToolCalls = 0;
@@ -7500,10 +8222,20 @@ async function tickScanWatcher() {
     wm.files[filePath] = { scannedTo: newScannedTo };
     filesScanned++;
   }
+  const uploadAs = wm.pendingResetUploadAs === "totals" ? "totals" : "deltas";
   saveWatermark(wm);
-  return { findings, totalToolCalls, toolCallsBySession, filesScanned, filesNew, filesSkipped };
+  return {
+    findings,
+    totalToolCalls,
+    toolCallsBySession,
+    filesScanned,
+    filesNew,
+    filesSkipped,
+    uploadAs,
+    schemaFuture: false
+  };
 }
-var PROJECTS_DIR, WATERMARK_FILE, MAX_LINE_BYTES, DESTRUCTIVE_OP_RE, LONG_OUTPUT_THRESHOLD_BYTES, FILE_TOOLS, SENSITIVE_PATH_RE, PII_EMAIL_RE, PII_SSN_RE, PII_PHONE_RE, PII_CC_RE, PRIVILEGE_ESCALATION_RE;
+var PROJECTS_DIR, WATERMARK_FILE, MAX_LINE_BYTES, WATERMARK_SCHEMA_VERSION, LONG_OUTPUT_THRESHOLD_BYTES2;
 var init_scan_watermark = __esm({
   "src/daemon/scan-watermark.ts"() {
     "use strict";
@@ -7512,27 +8244,8 @@ var init_scan_watermark = __esm({
     PROJECTS_DIR = () => path18.join(os15.homedir(), ".claude", "projects");
     WATERMARK_FILE = () => path18.join(os15.homedir(), ".node9", "scan-watermark.json");
     MAX_LINE_BYTES = 2 * 1024 * 1024;
-    DESTRUCTIVE_OP_RE = /\brm\s+-[rRf]+\b|\bDROP\s+(TABLE|DATABASE|COLLECTION|SCHEMA)\b|\bTRUNCATE\s+TABLE\b|\bgit\s+push\s+(--force|-f)\b|\bFLUSHALL\b|\bFLUSHDB\b|\bkubectl\s+delete\b|\bhelm\s+uninstall\b/i;
-    LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
-    FILE_TOOLS = /* @__PURE__ */ new Set([
-      "read",
-      "read_file",
-      "edit",
-      "edit_file",
-      "write",
-      "write_file",
-      "multiedit",
-      "grep",
-      "grep_search",
-      "glob",
-      "list_files"
-    ]);
-    SENSITIVE_PATH_RE = /\.aws\/(credentials|config)\b|\.ssh\/(id_rsa|id_ed25519|id_ecdsa|id_dsa)\b|\.env(\.|$|\b)|\.config\/gcloud\/credentials\.db\b|\.docker\/config\.json\b|\.netrc\b|\.npmrc\b|\.node9\/credentials\.json\b/i;
-    PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
-    PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
-    PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
-    PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
-    PRIVILEGE_ESCALATION_RE = /\b(sudo|su)\b\s+[a-z]|\bchmod\s+(0?777|\+x)\b|\bchown\s+root\b/i;
+    WATERMARK_SCHEMA_VERSION = 2;
+    LONG_OUTPUT_THRESHOLD_BYTES2 = LONG_OUTPUT_THRESHOLD_BYTES;
   }
 });
@@ -7657,6 +8370,13 @@ async function runUploadHistory(opts) {
   let linesParsed = 0;
   let linesSkipped = 0;
   const dailyEntries = [];
+  const liveLoopCfg = getConfig().policy.loopDetection;
+  const loopCfg = {
+    enabled: liveLoopCfg.enabled,
+    threshold: 3,
+    windowSeconds: 0
+    // "no window" — engine treats this as session-wide
+  };
   for (const { filePath, sessionId, projectDir } of iterateJsonlFiles(cutoffMs)) {
     filesScanned++;
     let content;
@@ -7666,6 +8386,7 @@ async function runUploadHistory(opts) {
       continue;
     }
     let lineIndex = 0;
+    const sessionCalls = [];
     for (const line of content.split("\n")) {
       if (!line.trim()) continue;
       let obj;
@@ -7682,10 +8403,38 @@ async function runUploadHistory(opts) {
       if (obj["type"] === "assistant" && Array.isArray(msg?.content) && msg.content.some((b) => b.type === "tool_use")) {
         totalToolCalls++;
         toolCallsBySession[sessionId] = (toolCallsBySession[sessionId] ?? 0) + 1;
+        const ts = typeof obj.timestamp === "string" ? obj.timestamp : "";
+        for (const block of msg.content) {
+          if (!block || typeof block !== "object") continue;
+          const b = block;
+          if (b.type !== "tool_use") continue;
+          sessionCalls.push({
+            toolName: typeof b.name === "string" ? b.name : "",
+            args: b.input ?? {},
+            timestamp: ts,
+            lineIndex
+          });
+        }
       }
       linesParsed++;
       lineIndex++;
     }
+    if (loopCfg.enabled && sessionCalls.length > 0) {
+      const loops = extractSessionLevelFindings(sessionCalls, {
+        sessionId,
+        project: decodeProjectDirName(projectDir),
+        agent: "claude",
+        loopDetection: {
+          enabled: loopCfg.enabled,
+          threshold: loopCfg.threshold,
+          windowSeconds: loopCfg.windowSeconds
+        }
+      });
+      for (const cf of loops) {
+        const sf = toScanFinding(cf);
+        if (sf) findings.push(sf);
+      }
+    }
     const fallbackWorkingDir = decodeProjectDirName(projectDir);
     const dailyMap = parseJSONLFile(filePath, fallbackWorkingDir);
     for (const entry of dailyMap.values()) {
@@ -7710,7 +8459,8 @@ async function runUploadHistory(opts) {
   const scanUrl = creds.apiUrl.endsWith("/policies/sync") ? creds.apiUrl.replace(/\/policies\/sync$/, "/scan/report") : `${creds.apiUrl.replace(/\/$/, "")}/scan/report`;
   await postJson(scanUrl, creds.apiKey, {
     ...summary,
-    sessionTotals
+    sessionTotals,
+    extractorVersion: CANONICAL_EXTRACTOR_VERSION
   });
   console.log(chalk3.green(`   \u2713 Uploaded scanner findings`));
   if (dailyEntries.length > 0) {
@@ -7812,6 +8562,20 @@ function geminiModelPrice(model) {
   if (base.includes("flash")) return GEMINI_PRICING["gemini-2.0-flash"];
   return null;
 }
+function isNode9SelfOutput(text) {
+  let hits = 0;
+  for (const re of SELF_OUTPUT_MARKERS) {
+    if (re.test(text)) hits++;
+    if (hits >= 2) return true;
+  }
+  return false;
+}
+function looksLikeFixtureToken(sample) {
+  for (const re of FIXTURE_TOKEN_PATTERNS) {
+    if (re.test(sample)) return true;
+  }
+  return false;
+}
 function num(n) {
   return n.toLocaleString();
 }
@@ -7832,7 +8596,7 @@ function fmtTs(ts) {
   }
 }
 function stripTerminalEscapes(s) {
-  return s.replace(TERMINAL_ESCAPE_RE, "");
+  return s.replace(TERMINAL_ESCAPE_RE2, "");
 }
 function preview(input, max) {
   const cmd = input.command ?? input.query ?? input.file_path ?? JSON.stringify(input);
@@ -7875,6 +8639,45 @@ function buildRecurringPatternSet(findings) {
   }
   return recurring;
 }
+function pushFsOpAstFinding(command, toolName, input, timestamp, projLabel, sessionId, agent, result) {
+  const fsVerdict = analyzeFsOperation(command);
+  if (!fsVerdict) return false;
+  const synthRule = {
+    name: fsVerdict.ruleName,
+    tool: "bash",
+    conditions: [],
+    verdict: fsVerdict.verdict,
+    reason: fsVerdict.reason
+  };
+  const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+  const synthSource = isShieldRule ? {
+    shieldName: "project-jail",
+    shieldLabel: "project-jail (AST)",
+    sourceType: "shield",
+    rule: synthRule
+  } : {
+    shieldName: "",
+    shieldLabel: "default (AST)",
+    sourceType: "default",
+    rule: synthRule
+  };
+  const inputPreview = preview(input, 120);
+  const isDupe = result.findings.some(
+    (f) => f.source.rule.name === synthRule.name && preview(f.input, 120) === inputPreview && f.project === projLabel
+  );
+  if (!isDupe) {
+    result.findings.push({
+      source: synthSource,
+      toolName,
+      input,
+      timestamp,
+      project: projLabel,
+      sessionId,
+      agent
+    });
+  }
+  return true;
+}
 function isStaleFinding(timestamp, now = Date.now()) {
   if (!timestamp) return false;
   const t = Date.parse(timestamp);
@@ -7908,15 +8711,24 @@ function detectLoops(calls, project, sessionId, agent) {
     const entry = counts.get(key) ?? {
       count: 0,
       timestamp: call.timestamp,
+      firstTs: null,
+      lastTs: null,
       input: call.input,
       toolName: call.toolName
     };
     entry.count++;
+    const t = call.timestamp ? Date.parse(call.timestamp) : NaN;
+    if (!Number.isNaN(t)) {
+      if (entry.firstTs === null || t < entry.firstTs) entry.firstTs = t;
+      if (entry.lastTs === null || t > entry.lastTs) entry.lastTs = t;
+    }
     counts.set(key, entry);
   }
   const findings = [];
   for (const [, entry] of counts) {
     if (entry.count >= LOOP_THRESHOLD) {
+      const span = entry.firstTs !== null && entry.lastTs !== null ? entry.lastTs - entry.firstTs : 0;
+      const kind = span >= LOOP_TIMESPAN_THRESHOLD_MS ? "long-iteration" : "loop";
       findings.push({
         toolName: entry.toolName,
         commandPreview: preview(entry.input, 80),
@@ -7924,7 +8736,8 @@ function detectLoops(calls, project, sessionId, agent) {
         timestamp: entry.timestamp,
         project,
         sessionId,
-        agent
+        agent,
+        kind
       });
     }
   }
@@ -8143,8 +8956,10 @@ function scanClaudeHistory(startDate, onProgress, onLine) {
               }
               const resultText = typeof block.content === "string" ? block.content : Array.isArray(block.content) ? block.content.map((c) => c.text ?? "").join("\n") : null;
               if (!resultText) continue;
+              if (isNode9SelfOutput(resultText)) continue;
               const dlpMatch = scanArgs({ text: resultText });
               if (dlpMatch) {
+                if (looksLikeFixtureToken(dlpMatch.redactedSample)) continue;
                 if (firstDlpTs === null) firstDlpTs = entry.timestamp ?? null;
                 const isDupe = result.dlpFindings.some(
                   (f) => f.patternName === dlpMatch.patternName && f.redactedSample === dlpMatch.redactedSample && f.project === projLabel
@@ -8215,11 +9030,26 @@ function scanClaudeHistory(startDate, onProgress, onLine) {
               });
             }
           }
-          let ruleMatched = false;
+          let astFsMatched = false;
+          const astRanForBash = toolNameLower === "bash" || toolNameLower === "execute_bash";
+          if (astRanForBash) {
+            astFsMatched = pushFsOpAstFinding(
+              String(input.command ?? ""),
+              toolName,
+              input,
+              entry.timestamp ?? "",
+              projLabel,
+              sessionId,
+              "claude",
+              result
+            );
+          }
+          let ruleMatched = astFsMatched;
           for (const source of ruleSources) {
             const { rule } = source;
             if (rule.verdict === "allow") continue;
             if (rule.tool && !matchesPattern(toolNameLower, rule.tool)) continue;
+            if (astRanForBash && rule.name && AST_FS_REGEX_RULES.has(rule.name)) continue;
             if (!evaluateSmartConditions(input, rule)) continue;
             const inputPreview = preview(input, 120);
             const isDupe = result.findings.some(
@@ -8415,11 +9245,26 @@ function scanGeminiHistory(startDate, onProgress, onLine) {
               });
             }
           }
-          let ruleMatched = false;
+          let astFsMatched = false;
+          const astRanForBash = toolNameLower === "run_shell_command" || toolNameLower === "shell";
+          if (astRanForBash) {
+            astFsMatched = pushFsOpAstFinding(
+              String(input.command ?? ""),
+              toolName,
+              input,
+              msg.timestamp ?? "",
+              projLabel,
+              sessionId,
+              "gemini",
+              result
+            );
+          }
+          let ruleMatched = astFsMatched;
           for (const source of ruleSources) {
             const { rule } = source;
             if (rule.verdict === "allow") continue;
             if (rule.tool && !matchesPattern(toolNameLower, rule.tool)) continue;
+            if (astRanForBash && rule.name && AST_FS_REGEX_RULES.has(rule.name)) continue;
             if (!evaluateSmartConditions(input, rule)) continue;
             const inputPreview = preview(input, 120);
             const isDupe = result.findings.some(
@@ -8637,12 +9482,27 @@ function scanCodexHistory(startDate, onProgress, onLine) {
           });
         }
       }
-      let ruleMatched = false;
+      let astFsMatched = false;
+      const astRanForBash = toolNameLower === "exec_command" || toolNameLower === "bash";
+      if (astRanForBash) {
+        astFsMatched = pushFsOpAstFinding(
+          String(input["command"] ?? ""),
+          toolName,
+          input,
+          ts,
+          projLabel,
+          sessionId,
+          "codex",
+          result
+        );
+      }
+      let ruleMatched = astFsMatched;
       for (const source of ruleSources) {
         const { rule } = source;
         if (rule.verdict === "allow") continue;
         if (rule.tool && !matchesPattern(toolNameLower === "exec_command" ? "bash" : toolNameLower, rule.tool))
           continue;
+        if (astRanForBash && rule.name && AST_FS_REGEX_RULES.has(rule.name)) continue;
         if (!evaluateSmartConditions(input, rule)) continue;
         const inputPreview = preview(input, 120);
         const isDupe = result.findings.some(
@@ -8842,15 +9702,22 @@ function renderCompactScorecard(input) {
       chalk4.red("\u{1F6D1}  ") + chalk4.red.bold(String(blockedCount).padEnd(4)) + chalk4.dim("would have blocked".padEnd(20)) + chalk4.dim(`(${topBlocked})`)
     );
   }
-  if (scan.loopFindings.length > 0) {
-    const wastedCalls = scan.loopFindings.reduce((s, l) => s + Math.max(0, l.count - 1), 0);
+  const realLoops = scan.loopFindings.filter((l) => l.kind !== "long-iteration");
+  const longIterations = scan.loopFindings.filter((l) => l.kind === "long-iteration");
+  if (realLoops.length > 0) {
+    const wastedCalls = realLoops.reduce((s, l) => s + Math.max(0, l.count - 1), 0);
     const wastePct = scan.totalToolCalls > 0 ? Math.round(wastedCalls / scan.totalToolCalls * 100) : 0;
     const wasteParts = [];
     if (wastePct > 0) wasteParts.push(`${wastePct}% wasted`);
     if (summary.loopWastedUSD > 0) wasteParts.push("~" + fmtCost(summary.loopWastedUSD));
     const wasteSummary = wasteParts.length ? `(${wasteParts.join("  \xB7  ")})` : "";
     console.log(
-      chalk4.yellow("\u{1F501}  ") + chalk4.yellow.bold(String(scan.loopFindings.length).padEnd(4)) + chalk4.dim("agent loops".padEnd(20)) + chalk4.dim(wasteSummary)
+      chalk4.yellow("\u{1F501}  ") + chalk4.yellow.bold(String(realLoops.length).padEnd(4)) + chalk4.dim("agent loops".padEnd(20)) + chalk4.dim(wasteSummary)
+    );
+  }
+  if (longIterations.length > 0) {
+    console.log(
+      chalk4.dim("\u{1F4C2}  ") + chalk4.dim.bold(String(longIterations.length).padEnd(4)) + chalk4.dim("long iterations".padEnd(20)) + chalk4.dim("(deep work \u2014 not waste)")
     );
   }
   if (reviewCount > 0) {
@@ -9003,7 +9870,7 @@ function renderNarrativeScorecard(input) {
   console.log("");
 }
 function registerScanCommand(program2) {
-  program2.command("scan").description("Forecast: scan agent history and show what node9 would catch if installed").option("--all", "Scan all history (default: last 30 days)").option("--days <n>", "Scan last N days of history", "30").option("--top <n>", "Max findings to show per rule (default: 5)", "5").option("--drill-down", "Show all findings with full commands and session IDs").option("--compact", "Compact one-screen scorecard \u2014 for screenshots and sharing").option("--narrative", "Severity-grouped report \u2014 for video / dramatic sharing").option(
+  program2.command("scan").description("Forecast: scan agent history and show what node9 would catch if installed").option("--all", "Scan all history (default: last 90 days)").option("--days <n>", "Scan last N days of history", "90").option("--top <n>", "Max findings to show per rule (default: 5)", "5").option("--drill-down", "Show all findings with full commands and session IDs").option("--compact", "Compact one-screen scorecard \u2014 for screenshots and sharing").option("--narrative", "Severity-grouped report \u2014 for video / dramatic sharing").option(
     "--upload-history",
     "Upload aggregate counts from existing JSONL sessions to the SaaS dashboard. Defaults to last 3 months; override with --since. Idempotent (safe to re-run)."
   ).option(
@@ -9022,7 +9889,7 @@ function registerScanCommand(program2) {
       const previewWidth = 70;
       const startDate = options.all ? null : (() => {
         const d = /* @__PURE__ */ new Date();
-        d.setDate(d.getDate() - (parseInt(options.days, 10) || 30));
+        d.setDate(d.getDate() - (parseInt(options.days, 10) || 90));
         d.setHours(0, 0, 0, 0);
         return d;
       })();
@@ -9096,7 +9963,7 @@ function registerScanCommand(program2) {
         );
         return;
       }
-      const rangeLabel = options.all ? chalk4.dim("all time") : chalk4.dim(`last ${options.days ?? 30} days`);
+      const rangeLabel = options.all ? chalk4.dim("all time") : chalk4.dim(`last ${options.days ?? 90} days`);
       const dateRange = scan.firstDate && scan.lastDate ? chalk4.dim(`  ${fmtTs(scan.firstDate)} \u2013 ${fmtTs(scan.lastDate)}`) : "";
       const breakdownParts = [];
       if (claudeScan.sessions > 0)
@@ -9382,13 +10249,14 @@ function registerScanCommand(program2) {
     }
   );
 }
-var CLAUDE_PRICING, GEMINI_PRICING, CODE_EXTENSIONS, TERMINAL_ESCAPE_RE, LOOP_TOOLS, LOOP_THRESHOLD, STUCK_TOOLS_MIN_WASTE, STUCK_TOOLS_LIMIT, RECURRING_SESSION_THRESHOLD, STALE_AGE_DAYS, DEFAULT_RULE_NAMES, classifyRuleSeverity2, narrativeRuleLabel2;
+var CLAUDE_PRICING, GEMINI_PRICING, CODE_EXTENSIONS, SELF_OUTPUT_MARKERS, FIXTURE_TOKEN_PATTERNS, TERMINAL_ESCAPE_RE2, LOOP_TOOLS, LOOP_THRESHOLD, LOOP_TIMESPAN_THRESHOLD_MS, STUCK_TOOLS_MIN_WASTE, STUCK_TOOLS_LIMIT, RECURRING_SESSION_THRESHOLD, STALE_AGE_DAYS, DEFAULT_RULE_NAMES, classifyRuleSeverity2, narrativeRuleLabel2;
 var init_scan = __esm({
   "src/cli/commands/scan.ts"() {
     "use strict";
     init_shields();
     init_config();
     init_policy();
+    init_dist();
     init_dlp();
     init_dist();
     init_scan_summary();
@@ -9441,7 +10309,23 @@ var init_scan = __esm({
       ".vue",
       ".svelte"
     ]);
-    TERMINAL_ESCAPE_RE = /\x1b\[[0-9;?]*[A-Za-z]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;
+    SELF_OUTPUT_MARKERS = [
+      /redactedSample:\s*['"]/,
+      /patternName:\s*['"]/,
+      /\bseverity:\s*['"](?:block|review|allow)['"]/,
+      /NODE9 SECURITY ALERT/
+    ];
+    FIXTURE_TOKEN_PATTERNS = [
+      /(.)\1{5,}/,
+      // 6+ repeated characters (aaaaaa, 000000)
+      /(?:EXAMPLE|FAKE|DUMMY|PLACEHOLDER|XXXXX)/i,
+      /abcdefghijklmn/i,
+      // long alpha sequence — fixture, not entropy
+      /1234567890/,
+      // long digit sequence — fixture, not entropy
+      /qwerty/i
+    ];
+    TERMINAL_ESCAPE_RE2 = /\x1b\[[0-9;?]*[A-Za-z]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-_]|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;
     LOOP_TOOLS = /* @__PURE__ */ new Set([
       "bash",
       "execute_bash",
@@ -9453,6 +10337,7 @@ var init_scan = __esm({
       "multiedit"
     ]);
     LOOP_THRESHOLD = 3;
+    LOOP_TIMESPAN_THRESHOLD_MS = 10 * 60 * 1e3;
     STUCK_TOOLS_MIN_WASTE = 5;
     STUCK_TOOLS_LIMIT = 3;
     RECURRING_SESSION_THRESHOLD = 3;
@@ -9984,7 +10869,86 @@ function abandonPending() {
     }, 200);
   }
 }
+function logActivitySocket(msg) {
+  try {
+    fs20.appendFileSync(
+      path22.join(homeDir, ".node9", "hook-debug.log"),
+      `[${(/* @__PURE__ */ new Date()).toISOString()}] [activity-socket] ${msg}
+`
+    );
+  } catch {
+  }
+}
+function shouldRebind(now = Date.now()) {
+  if (activityCircuitTripped) return false;
+  activityRebindAttempts = activityRebindAttempts.filter(
+    (t) => now - t < ACTIVITY_REBIND_WINDOW_MS
+  );
+  activityRebindAttempts.push(now);
+  if (activityRebindAttempts.length > ACTIVITY_REBIND_MAX_ATTEMPTS) {
+    activityCircuitTripped = true;
+    return false;
+  }
+  return true;
+}
 function startActivitySocket() {
+  bindActivitySocket();
+  if (process.platform !== "win32") {
+    try {
+      activitySocketWatcher = fs20.watch(os18.tmpdir(), (eventType, filename) => {
+        if (filename !== path22.basename(ACTIVITY_SOCKET_PATH2)) return;
+        if (eventType !== "rename") return;
+        if (fs20.existsSync(ACTIVITY_SOCKET_PATH2)) return;
+        attemptRebind("watch-unlink");
+      });
+      activitySocketWatcher.on("error", (err2) => {
+        logActivitySocket(`watcher error: ${err2.message}`);
+      });
+      activitySocketWatcher.unref();
+    } catch (err2) {
+      logActivitySocket(`failed to start watcher: ${err2.message}`);
+    }
+  }
+  activityHealthInterval = setInterval(() => {
+    if (!fs20.existsSync(ACTIVITY_SOCKET_PATH2)) attemptRebind("health-probe");
+  }, ACTIVITY_HEALTH_PROBE_MS);
+  activityHealthInterval.unref();
+  process.on("exit", () => {
+    if (activitySocketWatcher) {
+      try {
+        activitySocketWatcher.close();
+      } catch {
+      }
+    }
+    if (activityHealthInterval) clearInterval(activityHealthInterval);
+    try {
+      fs20.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    } catch {
+    }
+  });
+}
+function attemptRebind(reason) {
+  if (!shouldRebind()) {
+    logActivitySocket(
+      `circuit breaker tripped after ${ACTIVITY_REBIND_MAX_ATTEMPTS} attempts in ${ACTIVITY_REBIND_WINDOW_MS}ms \u2014 flight recorder down`
+    );
+    broadcast("flight-recorder-down", {
+      reason: "rebind-loop",
+      message: "Activity socket repeatedly disappearing \u2014 run: node9 daemon restart"
+    });
+    return;
+  }
+  logActivitySocket(`rebinding (reason: ${reason}, attempt ${activityRebindAttempts.length})`);
+  if (activitySocketServer) {
+    try {
+      activitySocketServer.close();
+    } catch {
+    }
+    activitySocketServer = null;
+  }
+  bindActivitySocket();
+}
+function bindActivitySocket() {
   try {
     fs20.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
@@ -10082,15 +11046,15 @@ function startActivitySocket() {
     socket.on("error", () => {
     });
   });
-  unixServer.listen(ACTIVITY_SOCKET_PATH2);
-  process.on("exit", () => {
-    try {
-      fs20.unlinkSync(ACTIVITY_SOCKET_PATH2);
-    } catch {
-    }
+  unixServer.on("error", (err2) => {
+    logActivitySocket(`server error: ${err2.message}`);
+  });
+  unixServer.listen(ACTIVITY_SOCKET_PATH2, () => {
+    logActivitySocket(`bound to ${ACTIVITY_SOCKET_PATH2}`);
   });
+  activitySocketServer = unixServer;
 }
-var homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, LARGE_RESPONSE_RING_SIZE, largeResponseRing, cachedScanResult, cachedScanTs, SCAN_CACHE_TTL_MS, SECRET_KEY_RE, INPUT_PRICE_PER_1M, OUTPUT_PRICE_PER_1M, BYTES_PER_TOKEN, WRITE_TOOL_NAMES;
+var homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, LARGE_RESPONSE_RING_SIZE, largeResponseRing, cachedScanResult, cachedScanTs, SCAN_CACHE_TTL_MS, SECRET_KEY_RE, INPUT_PRICE_PER_1M, OUTPUT_PRICE_PER_1M, BYTES_PER_TOKEN, WRITE_TOOL_NAMES, ACTIVITY_REBIND_MAX_ATTEMPTS, ACTIVITY_REBIND_WINDOW_MS, ACTIVITY_HEALTH_PROBE_MS, activitySocketServer, activitySocketWatcher, activityHealthInterval, activityRebindAttempts, activityCircuitTripped;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
@@ -10146,6 +11110,14 @@ var init_state2 = __esm({
       "notebook_edit",
       "notebookedit"
     ]);
+    ACTIVITY_REBIND_MAX_ATTEMPTS = 5;
+    ACTIVITY_REBIND_WINDOW_MS = 6e4;
+    ACTIVITY_HEALTH_PROBE_MS = 3e4;
+    activitySocketServer = null;
+    activitySocketWatcher = null;
+    activityHealthInterval = null;
+    activityRebindAttempts = [];
+    activityCircuitTripped = false;
   }
 });
@@ -10352,16 +11324,19 @@ async function pushBlastSnapshot(creds) {
 async function pushScanSnapshot(creds) {
   try {
     const tick = await tickScanWatcher();
+    if (tick.schemaFuture) return;
     if (tick.findings.length === 0 && tick.totalToolCalls === 0) {
       return;
     }
     const summary = summarizeScan(tick.findings, {
       totalToolCalls: tick.totalToolCalls
     });
-    const sessionDeltas = buildSessionDeltas(tick.findings, tick.toolCallsBySession);
+    const perSession = buildSessionDeltas(tick.findings, tick.toolCallsBySession);
     const scanUrl = creds.apiUrl.endsWith("/policies/sync") ? creds.apiUrl.replace(/\/policies\/sync$/, "/scan/report") : null;
     if (!scanUrl) return;
+    const body = tick.uploadAs === "totals" ? { ...summary, sessionTotals: perSession, extractorVersion: CANONICAL_EXTRACTOR_VERSION } : { ...summary, sessionDeltas: perSession, extractorVersion: CANONICAL_EXTRACTOR_VERSION };
     const parsed = new URL(scanUrl);
+    let posted = false;
     await new Promise((resolve) => {
       const req = https2.request(
         {
@@ -10376,6 +11351,9 @@ async function pushScanSnapshot(creds) {
           timeout: 1e4
         },
         (res) => {
+          if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) {
+            posted = true;
+          }
           res.resume();
           res.on("end", resolve);
           res.on("error", () => resolve());
@@ -10386,9 +11364,12 @@ async function pushScanSnapshot(creds) {
         req.destroy();
         resolve();
       });
-      req.write(JSON.stringify({ ...summary, sessionDeltas }));
+      req.write(JSON.stringify(body));
       req.end();
     });
+    if (posted && tick.uploadAs === "totals") {
+      markUploadComplete();
+    }
   } catch {
   }
 }
@@ -12292,6 +13273,8 @@ async function startTail(options = {}) {
   let initialReplayDone = false;
   const activityPending = /* @__PURE__ */ new Map();
   const orphanedResults = /* @__PURE__ */ new Map();
+  let lastActivityFromDaemon = Date.now();
+  let stallWarned = false;
   const authToken = getInternalToken() ?? "";
   const approvalQueue = [];
   let cardActive = false;
@@ -12518,6 +13501,24 @@ async function startTail(options = {}) {
     console.log(chalk29.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
     process.exit(0);
   });
+  const STALL_THRESHOLD_MS = 6e4;
+  const stallWatchdog = setInterval(() => {
+    if (stallWarned) return;
+    if (Date.now() - lastActivityFromDaemon < STALL_THRESHOLD_MS) return;
+    try {
+      const auditMtime = fs44.statSync(auditLog).mtimeMs;
+      if (Date.now() - auditMtime >= STALL_THRESHOLD_MS) return;
+      console.log("");
+      console.log(
+        chalk29.yellow(
+          "\u26A0\uFE0F  Tail appears stalled \u2014 hooks are firing but no events are arriving. Try: node9 daemon restart"
+        )
+      );
+      stallWarned = true;
+    } catch {
+    }
+  }, STALL_THRESHOLD_MS / 2);
+  stallWatchdog.unref();
   const sseUrl = `http://127.0.0.1:${port}/events?capabilities=input`;
   const req = http2.get(
     sseUrl,
@@ -12563,7 +13564,18 @@ async function startTail(options = {}) {
     }
   );
   function handleMessage(event, rawData) {
+    lastActivityFromDaemon = Date.now();
     if (event === "csrf") return;
+    if (event === "flight-recorder-down") {
+      try {
+        const parsed = JSON.parse(rawData);
+        const msg = parsed.message ?? "Flight recorder is down \u2014 run: node9 daemon restart";
+        console.log("");
+        console.log(chalk29.bgRed.white.bold(` \u26A0\uFE0F  ${msg} `));
+      } catch {
+      }
+      return;
+    }
     if (event === "init") {
       try {
         const parsed = JSON.parse(rawData);
@@ -16139,7 +17151,6 @@ function registerInitCommand(program2) {
       console.log(chalk15.green.bold(`\u{1F6E1}\uFE0F  Node9 is protecting ${agentList}!`));
       console.log("");
       console.log(chalk15.white("  Watch live:  ") + chalk15.cyan("node9 tail"));
-      console.log(chalk15.white("  Local UI:    ") + chalk15.cyan("node9 daemon --openui"));
       console.log("");
       console.log(chalk15.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
       console.log(