@node9/proxy 1.18.3 → 1.19.1

package/dist/index.js

@@ -1045,6 +1045,202 @@ function detectDangerousShellExec(command) {
     return null;
   }
 }
+var FS_READ_TOOLS = /* @__PURE__ */ new Set([
+  "cat",
+  "less",
+  "head",
+  "tail",
+  "bat",
+  "more",
+  "open",
+  "print",
+  "nano",
+  "vim",
+  "vi",
+  "emacs",
+  "code",
+  "type"
+]);
+var FS_OP_PRESCREEN_RE = /(?:^|[\s|;&(`\n])(?:rm|cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\b/;
+var HOME_CACHE_ALLOWLIST = [
+  ".cache",
+  ".npm/_npx",
+  ".npm/_cacache",
+  ".cargo/registry",
+  ".gradle/caches",
+  ".gradle/.tmp",
+  ".m2/repository",
+  ".pnpm-store",
+  ".yarn/cache",
+  ".yarn/.cache",
+  ".cache/pip",
+  ".local/share/Trash",
+  ".rustup/downloads"
+];
+var SENSITIVE_PATH_RULES = [
+  {
+    rule: "shield:project-jail:block-read-ssh",
+    reason: "Reading SSH private keys is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.ssh[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-aws",
+    reason: "Reading AWS credentials is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-env",
+    reason: "Reading .env files is blocked by project-jail shield",
+    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-credentials",
+    reason: "Reading credential files is blocked by project-jail shield",
+    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
+      p
+    )
+  }
+];
+var BASH_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "bash",
+  "execute_bash",
+  "run_shell_command",
+  "shell",
+  "exec_command"
+]);
+function isBashTool(toolName) {
+  return BASH_TOOL_NAMES.has(toolName.toLowerCase());
+}
+var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
+  "block-rm-rf-home",
+  "shield:project-jail:block-read-ssh",
+  "shield:project-jail:block-read-aws",
+  "shield:project-jail:block-read-env",
+  "shield:project-jail:block-read-credentials"
+]);
+function isProtectedHomePath(rawPath) {
+  let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
+  let underHome = false;
+  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) {
+    p = p.replace(/^~[\\/]?/, "");
+    underHome = true;
+  } else if (/^\/home\/[^/]+/.test(p) || /^\/root(\/|$)/.test(p)) {
+    p = p.replace(/^\/home\/[^/]+[\\/]?|^\/root[\\/]?/, "");
+    underHome = true;
+  }
+  if (!underHome) return false;
+  if (p === "" || p === "." || p === "./") return true;
+  for (const safe of HOME_CACHE_ALLOWLIST) {
+    if (p === safe || p.startsWith(safe + "/") || p.startsWith(safe + "\\")) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractLiteralArgs(callExpr) {
+  const args = callExpr.Args || [];
+  if (args.length === 0) return { name: "", flags: [], paths: [] };
+  const litFromWord = (w) => {
+    const parts = w?.Parts || [];
+    let s = "";
+    for (const p of parts) {
+      const t = syntax.NodeType(p);
+      if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+      else if (t === "SglQuoted") s += p.Value ?? "";
+      else if (t === "DblQuoted") {
+        const inner = p.Parts || [];
+        if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+        s += inner.map((ip) => ip.Value ?? "").join("");
+      } else {
+        return null;
+      }
+    }
+    return s;
+  };
+  const name = (litFromWord(args[0]) || "").toLowerCase();
+  const flags = [];
+  const paths = [];
+  for (let i = 1; i < args.length; i++) {
+    const v = litFromWord(args[i]);
+    if (v === null) continue;
+    if (v.startsWith("-")) flags.push(v);
+    else paths.push(v);
+  }
+  return { name, flags, paths };
+}
+var FS_OP_CACHE_MAX = 5e3;
+var fsOpCache = /* @__PURE__ */ new Map();
+function analyzeFsOperation(command) {
+  if (!FS_OP_PRESCREEN_RE.test(command)) return null;
+  if (fsOpCache.has(command)) {
+    const hit = fsOpCache.get(command) ?? null;
+    fsOpCache.delete(command);
+    fsOpCache.set(command, hit);
+    return hit;
+  }
+  const computed = analyzeFsOperationImpl(command);
+  if (fsOpCache.size >= FS_OP_CACHE_MAX) {
+    const oldest = fsOpCache.keys().next().value;
+    if (oldest !== void 0) fsOpCache.delete(oldest);
+  }
+  fsOpCache.set(command, computed);
+  return computed;
+}
+function analyzeFsOperationImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return null;
+  let result = null;
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node || result) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const { name, flags, paths } = extractLiteralArgs(n);
+      if (!name) return true;
+      if (name === "rm") {
+        const flagStr = flags.join("").toLowerCase();
+        const hasR = /[r]/.test(flagStr) || flags.includes("--recursive");
+        const hasF = /[f]/.test(flagStr) || flags.includes("--force");
+        if (hasR && hasF) {
+          for (const p of paths) {
+            if (isProtectedHomePath(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of home directory is irreversible",
+                path: p
+              };
+              return false;
+            }
+            if (p === "/" || /^\/+$/.test(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of root is catastrophic",
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      if (FS_READ_TOOLS.has(name)) {
+        for (const p of paths) {
+          for (const sp of SENSITIVE_PATH_RULES) {
+            if (sp.match(p)) {
+              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              return false;
+            }
+          }
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
 function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -1529,6 +1725,43 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
+function pipeChainVerdict(command, isTrustedHost2) {
+  const pipeAnalysis = analyzePipeChain(command);
+  if (!pipeAnalysis.isPipeline) return null;
+  if (pipeAnalysis.risk !== "critical" && pipeAnalysis.risk !== "high") return null;
+  const sinks = pipeAnalysis.sinkTargets;
+  const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
+  if (pipeAnalysis.risk === "critical") {
+    if (allTrusted) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+        reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+        tier: 3
+      };
+    }
+    return {
+      decision: "block",
+      blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+      reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  if (allTrusted) {
+    return {
+      decision: "allow",
+      blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+      reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  return {
+    decision: "review",
+    blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+    reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+    tier: 3
+  };
+}
 async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
   const { agent, cwd, activeEnvironment } = context;
   const { checkProvenance: checkProvenance2, isTrustedHost: isTrustedHost2 } = hooks;
@@ -1544,9 +1777,27 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
   }
   if (wouldBeIgnored) return { decision: "allow" };
+  const bashCommand = agent !== "Terminal" && isBashTool(toolName) && args && typeof args === "object" ? typeof args.command === "string" ? args.command : null : null;
+  if (bashCommand !== null) {
+    const pipeVerdict = pipeChainVerdict(bashCommand, isTrustedHost2);
+    if (pipeVerdict) return pipeVerdict;
+    const fsVerdict = analyzeFsOperation(bashCommand);
+    if (fsVerdict) {
+      const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+      const labelPrefix = isShieldRule ? "project-jail (AST)" : "Node9 (AST)";
+      return {
+        decision: fsVerdict.verdict,
+        blockedByLabel: `${labelPrefix}: ${fsVerdict.ruleName}`,
+        reason: fsVerdict.reason,
+        tier: 2,
+        ruleName: fsVerdict.ruleName,
+        ruleDescription: fsVerdict.reason
+      };
+    }
+  }
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+      (rule) => matchesPattern(toolName, rule.tool) && !(bashCommand !== null && rule.name && AST_FS_REGEX_RULES.has(rule.name)) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
       if (matchedRule.verdict === "allow")
@@ -1604,41 +1855,8 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
         tier: 3
       };
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
-        }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
+    const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
+    if (ptVerdict) return ptVerdict;
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2504,6 +2722,7 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
   return { nextRecords, count, looping: count >= threshold };
 }
+var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
 
 // src/shields.ts
 var USER_SHIELDS_DIR = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields");

package/dist/index.mjs

@@ -1015,6 +1015,202 @@ function detectDangerousShellExec(command) {
     return null;
   }
 }
+var FS_READ_TOOLS = /* @__PURE__ */ new Set([
+  "cat",
+  "less",
+  "head",
+  "tail",
+  "bat",
+  "more",
+  "open",
+  "print",
+  "nano",
+  "vim",
+  "vi",
+  "emacs",
+  "code",
+  "type"
+]);
+var FS_OP_PRESCREEN_RE = /(?:^|[\s|;&(`\n])(?:rm|cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\b/;
+var HOME_CACHE_ALLOWLIST = [
+  ".cache",
+  ".npm/_npx",
+  ".npm/_cacache",
+  ".cargo/registry",
+  ".gradle/caches",
+  ".gradle/.tmp",
+  ".m2/repository",
+  ".pnpm-store",
+  ".yarn/cache",
+  ".yarn/.cache",
+  ".cache/pip",
+  ".local/share/Trash",
+  ".rustup/downloads"
+];
+var SENSITIVE_PATH_RULES = [
+  {
+    rule: "shield:project-jail:block-read-ssh",
+    reason: "Reading SSH private keys is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.ssh[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-aws",
+    reason: "Reading AWS credentials is blocked by project-jail shield",
+    match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-env",
+    reason: "Reading .env files is blocked by project-jail shield",
+    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+  },
+  {
+    rule: "shield:project-jail:block-read-credentials",
+    reason: "Reading credential files is blocked by project-jail shield",
+    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
+      p
+    )
+  }
+];
+var BASH_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "bash",
+  "execute_bash",
+  "run_shell_command",
+  "shell",
+  "exec_command"
+]);
+function isBashTool(toolName) {
+  return BASH_TOOL_NAMES.has(toolName.toLowerCase());
+}
+var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
+  "block-rm-rf-home",
+  "shield:project-jail:block-read-ssh",
+  "shield:project-jail:block-read-aws",
+  "shield:project-jail:block-read-env",
+  "shield:project-jail:block-read-credentials"
+]);
+function isProtectedHomePath(rawPath) {
+  let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
+  let underHome = false;
+  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) {
+    p = p.replace(/^~[\\/]?/, "");
+    underHome = true;
+  } else if (/^\/home\/[^/]+/.test(p) || /^\/root(\/|$)/.test(p)) {
+    p = p.replace(/^\/home\/[^/]+[\\/]?|^\/root[\\/]?/, "");
+    underHome = true;
+  }
+  if (!underHome) return false;
+  if (p === "" || p === "." || p === "./") return true;
+  for (const safe of HOME_CACHE_ALLOWLIST) {
+    if (p === safe || p.startsWith(safe + "/") || p.startsWith(safe + "\\")) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractLiteralArgs(callExpr) {
+  const args = callExpr.Args || [];
+  if (args.length === 0) return { name: "", flags: [], paths: [] };
+  const litFromWord = (w) => {
+    const parts = w?.Parts || [];
+    let s = "";
+    for (const p of parts) {
+      const t = syntax.NodeType(p);
+      if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+      else if (t === "SglQuoted") s += p.Value ?? "";
+      else if (t === "DblQuoted") {
+        const inner = p.Parts || [];
+        if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+        s += inner.map((ip) => ip.Value ?? "").join("");
+      } else {
+        return null;
+      }
+    }
+    return s;
+  };
+  const name = (litFromWord(args[0]) || "").toLowerCase();
+  const flags = [];
+  const paths = [];
+  for (let i = 1; i < args.length; i++) {
+    const v = litFromWord(args[i]);
+    if (v === null) continue;
+    if (v.startsWith("-")) flags.push(v);
+    else paths.push(v);
+  }
+  return { name, flags, paths };
+}
+var FS_OP_CACHE_MAX = 5e3;
+var fsOpCache = /* @__PURE__ */ new Map();
+function analyzeFsOperation(command) {
+  if (!FS_OP_PRESCREEN_RE.test(command)) return null;
+  if (fsOpCache.has(command)) {
+    const hit = fsOpCache.get(command) ?? null;
+    fsOpCache.delete(command);
+    fsOpCache.set(command, hit);
+    return hit;
+  }
+  const computed = analyzeFsOperationImpl(command);
+  if (fsOpCache.size >= FS_OP_CACHE_MAX) {
+    const oldest = fsOpCache.keys().next().value;
+    if (oldest !== void 0) fsOpCache.delete(oldest);
+  }
+  fsOpCache.set(command, computed);
+  return computed;
+}
+function analyzeFsOperationImpl(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return null;
+  let result = null;
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node || result) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const { name, flags, paths } = extractLiteralArgs(n);
+      if (!name) return true;
+      if (name === "rm") {
+        const flagStr = flags.join("").toLowerCase();
+        const hasR = /[r]/.test(flagStr) || flags.includes("--recursive");
+        const hasF = /[f]/.test(flagStr) || flags.includes("--force");
+        if (hasR && hasF) {
+          for (const p of paths) {
+            if (isProtectedHomePath(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of home directory is irreversible",
+                path: p
+              };
+              return false;
+            }
+            if (p === "/" || /^\/+$/.test(p)) {
+              result = {
+                ruleName: "block-rm-rf-home",
+                verdict: "block",
+                reason: "Recursive delete of root is catastrophic",
+                path: p
+              };
+              return false;
+            }
+          }
+        }
+      }
+      if (FS_READ_TOOLS.has(name)) {
+        for (const p of paths) {
+          for (const sp of SENSITIVE_PATH_RULES) {
+            if (sp.match(p)) {
+              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              return false;
+            }
+          }
+        }
+      }
+      return true;
+    });
+    return result;
+  } catch {
+    return null;
+  }
+}
 function analyzeShellCommand(command) {
   const actions = [];
   const paths = [];
@@ -1499,6 +1695,43 @@ function isSqlTool(toolName, toolInspection) {
   return fieldName === "sql" || fieldName === "query";
 }
 var SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
+function pipeChainVerdict(command, isTrustedHost2) {
+  const pipeAnalysis = analyzePipeChain(command);
+  if (!pipeAnalysis.isPipeline) return null;
+  if (pipeAnalysis.risk !== "critical" && pipeAnalysis.risk !== "high") return null;
+  const sinks = pipeAnalysis.sinkTargets;
+  const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
+  if (pipeAnalysis.risk === "critical") {
+    if (allTrusted) {
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+        reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+        tier: 3
+      };
+    }
+    return {
+      decision: "block",
+      blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+      reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  if (allTrusted) {
+    return {
+      decision: "allow",
+      blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+      reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+      tier: 3
+    };
+  }
+  return {
+    decision: "review",
+    blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+    reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+    tier: 3
+  };
+}
 async function evaluatePolicy(config, toolName, args, context = {}, hooks = {}) {
   const { agent, cwd, activeEnvironment } = context;
   const { checkProvenance: checkProvenance2, isTrustedHost: isTrustedHost2 } = hooks;
@@ -1514,9 +1747,27 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
   }
   if (wouldBeIgnored) return { decision: "allow" };
+  const bashCommand = agent !== "Terminal" && isBashTool(toolName) && args && typeof args === "object" ? typeof args.command === "string" ? args.command : null : null;
+  if (bashCommand !== null) {
+    const pipeVerdict = pipeChainVerdict(bashCommand, isTrustedHost2);
+    if (pipeVerdict) return pipeVerdict;
+    const fsVerdict = analyzeFsOperation(bashCommand);
+    if (fsVerdict) {
+      const isShieldRule = fsVerdict.ruleName.startsWith("shield:");
+      const labelPrefix = isShieldRule ? "project-jail (AST)" : "Node9 (AST)";
+      return {
+        decision: fsVerdict.verdict,
+        blockedByLabel: `${labelPrefix}: ${fsVerdict.ruleName}`,
+        reason: fsVerdict.reason,
+        tier: 2,
+        ruleName: fsVerdict.ruleName,
+        ruleDescription: fsVerdict.reason
+      };
+    }
+  }
   if (config.policy.smartRules.length > 0) {
     const matchedRule = config.policy.smartRules.find(
-      (rule) => matchesPattern(toolName, rule.tool) && evaluateSmartConditions(args, rule)
+      (rule) => matchesPattern(toolName, rule.tool) && !(bashCommand !== null && rule.name && AST_FS_REGEX_RULES.has(rule.name)) && evaluateSmartConditions(args, rule)
     );
     if (matchedRule) {
       if (matchedRule.verdict === "allow")
@@ -1574,41 +1825,8 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
         tier: 3
       };
     }
-    const pipeAnalysis = analyzePipeChain(shellCommand);
-    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
-      const sinks = pipeAnalysis.sinkTargets;
-      const allTrusted = sinks.length > 0 && sinks.every((host) => isTrustedHost2 ? isTrustedHost2(host) : false);
-      if (pipeAnalysis.risk === "critical") {
-        if (allTrusted) {
-          return {
-            decision: "review",
-            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
-            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
-            tier: 3
-          };
-        }
-        return {
-          decision: "block",
-          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
-          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      if (allTrusted) {
-        return {
-          decision: "allow",
-          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
-          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
-          tier: 3
-        };
-      }
-      return {
-        decision: "review",
-        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
-        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
-        tier: 3
-      };
-    }
+    const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
+    if (ptVerdict) return ptVerdict;
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2474,6 +2692,7 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
   return { nextRecords, count, looping: count >= threshold };
 }
+var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
 
 // src/shields.ts
 var USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.18.3",
+  "version": "1.19.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -59,6 +59,8 @@
     "lint:fix": "eslint . --fix",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
+    "check:extractor-version": "node scripts/check-extractor-version.mjs",
+    "bump-extractor-version": "node scripts/check-extractor-version.mjs --bump",
     "fix": "npm run format && npm run lint:fix",
     "validate": "npm run format && npm run lint && npm run typecheck && npm run test && npm run test:e2e && npm run build",
     "test:e2e": "cross-env NODE9_TESTING=1 bash scripts/e2e.sh",