npm - @node9/proxy - Versions diffs - 1.29.0 → 1.31.0 - Mend

@node9/proxy 1.29.0 → 1.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.mjs CHANGED Viewed

@@ -51,11 +51,17 @@ __export(audit_exports, {
   appendHookDebug: () => appendHookDebug,
   appendLocalAudit: () => appendLocalAudit,
   appendToLog: () => appendToLog,
+  buildArgsPreview: () => buildArgsPreview,
+  generateEventId: () => generateEventId,
   redactSecrets: () => redactSecrets
 });
 import fs from "fs";
 import path from "path";
 import os from "os";
+import crypto from "crypto";
+function generateEventId() {
+  return `${Date.now().toString(36)}-${crypto.randomBytes(6).toString("hex")}`;
+}
 function isTestCall(toolName, args) {
   if (toolName !== "Bash" && toolName !== "bash") return false;
   const cmd = args?.command;
@@ -74,6 +80,17 @@ function redactSecrets(text) {
   );
   return redacted;
 }
+function buildArgsPreview(args) {
+  try {
+    const o = args && typeof args === "object" ? args : null;
+    const primary = o && (o.command ?? o.file_path ?? o.path ?? o.url ?? o.query);
+    const text = typeof primary === "string" ? primary : args ? JSON.stringify(args) : "";
+    if (!text) return void 0;
+    return redactSecrets(text).slice(0, 120);
+  } catch {
+    return void 0;
+  }
+}
 function appendToLog(logPath, entry) {
   try {
     const dir = path.dirname(logPath);
@@ -96,11 +113,18 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
   });
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
-  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const isDlpRow = checkedBy.toLowerCase().includes("dlp") || Boolean(meta?.dlpPattern);
+  const preview = auditHashArgsEnabled && !isDlpRow ? buildArgsPreview(args) : void 0;
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args), ...preview ? { argsPreview: preview } : {} } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
   const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   const agentToolNameField = meta?.agentToolName ? { agentToolName: meta.agentToolName } : {};
+  const dlpFields = meta?.dlpPattern ? { dlpPattern: meta.dlpPattern, dlpSample: meta.dlpSample } : {};
+  const cloudLinkField = meta?.cloudRequestId ? { cloudRequestId: meta.cloudRequestId } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
+    // eid first: the outbox shipper dedups on it, and a fixed leading field
+    // makes the JSONL easy to eyeball.
+    eid: generateEventId(),
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...agentToolNameField,
@@ -108,6 +132,8 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
     decision,
     checkedBy,
     ...ruleNameField,
+    ...dlpFields,
+    ...cloudLinkField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -216,7 +242,13 @@ var ConfigFileSchema = z.object({
     allowGlobalPause: z.boolean().optional(),
     auditHashArgs: z.boolean().optional(),
     agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional(),
-    cloudSyncIntervalHours: z.number().positive().optional()
+    cloudSyncIntervalHours: z.number().positive().optional(),
+    // Outbox shipper (audit.log → SaaS batch ingest). enabled defaults
+    // to true; set false to fall back to local-only auditing.
+    shipper: z.object({
+      enabled: z.boolean().optional(),
+      intervalSeconds: z.number().min(5).optional()
+    }).optional()
   }).optional(),
   policy: z.object({
     sandboxPaths: z.array(z.string()).optional(),
@@ -231,7 +263,15 @@ var ConfigFileSchema = z.object({
     }).optional(),
     dlp: z.object({
       enabled: z.boolean().optional(),
-      scanIgnoredTools: z.boolean().optional()
+      scanIgnoredTools: z.boolean().optional(),
+      pii: z.enum(["off", "block"]).optional()
+    }).optional(),
+    egress: z.object({
+      enabled: z.boolean().optional(),
+      mode: z.enum(["off", "review", "block"]).optional(),
+      allow: z.array(z.string()).optional(),
+      deny: z.array(z.string()).optional(),
+      allowPrivate: z.boolean().optional()
     }).optional(),
     loopDetection: z.object({
       enabled: z.boolean().optional(),
@@ -284,7 +324,7 @@ import mvdanSh from "mvdan-sh";
 import pm from "picomatch";
 import safeRegex2 from "safe-regex2";
 import safeRegex3 from "safe-regex2";
-import crypto from "crypto";
+import crypto2 from "crypto";
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -1213,6 +1253,201 @@ function extractLiteralArgs(callExpr) {
   }
   return { name, flags, paths };
 }
+var NET_BINARIES = /* @__PURE__ */ new Set(["curl", "wget", "scp", "ssh", "nc", "ncat", "netcat"]);
+var VALUE_FLAGS = {
+  curl: /* @__PURE__ */ new Set([
+    "-d",
+    "--data",
+    "--data-ascii",
+    "--data-binary",
+    "--data-raw",
+    "--data-urlencode",
+    "-F",
+    "--form",
+    "-H",
+    "--header",
+    "-X",
+    "--request",
+    "-o",
+    "--output",
+    "-T",
+    "--upload-file",
+    "-u",
+    "--user",
+    "-e",
+    "--referer",
+    "-A",
+    "--user-agent",
+    "-b",
+    "--cookie",
+    "-c",
+    "--cookie-jar",
+    "--connect-to",
+    "--resolve",
+    "--cacert",
+    "--cert",
+    "--key",
+    "-x",
+    "--proxy",
+    "-m",
+    "--max-time",
+    "--retry"
+  ]),
+  wget: /* @__PURE__ */ new Set([
+    "-O",
+    "--output-document",
+    "--post-data",
+    "--post-file",
+    "--header",
+    "-U",
+    "--user-agent",
+    "--user",
+    "--password",
+    "-o",
+    "--output-file",
+    "-P",
+    "--directory-prefix",
+    "-t",
+    "--tries",
+    "-T",
+    "--timeout"
+  ]),
+  scp: /* @__PURE__ */ new Set(["-i", "-F", "-l", "-o", "-c", "-S", "-P", "-J", "-D", "-W"]),
+  ssh: /* @__PURE__ */ new Set([
+    "-i",
+    "-p",
+    "-o",
+    "-l",
+    "-F",
+    "-c",
+    "-L",
+    "-R",
+    "-D",
+    "-W",
+    "-b",
+    "-e",
+    "-m",
+    "-O",
+    "-Q",
+    "-S",
+    "-J",
+    "-w",
+    "-B",
+    "-I",
+    "-E"
+  ]),
+  nc: /* @__PURE__ */ new Set(["-p", "-s", "-w", "-X", "-x", "-e", "-g", "-G", "-i", "-O", "-T", "-q", "-m"])
+};
+function resolveWordLiteral(w) {
+  const parts = w?.Parts || [];
+  let s = "";
+  for (const p of parts) {
+    const t = syntax.NodeType(p);
+    if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+    else if (t === "SglQuoted") s += p.Value ?? "";
+    else if (t === "DblQuoted") {
+      const inner = p.Parts || [];
+      if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+      s += inner.map((ip) => ip.Value ?? "").join("");
+    } else {
+      return null;
+    }
+  }
+  return s;
+}
+function parseDestHost(token) {
+  if (!token) return null;
+  let t = token.trim();
+  if (!t || t.startsWith("-")) return null;
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t)) {
+    try {
+      const h = new URL(t).hostname.toLowerCase();
+      return h || null;
+    } catch {
+      return null;
+    }
+  }
+  const at = t.lastIndexOf("@");
+  if (at >= 0) t = t.slice(at + 1);
+  t = t.split("/")[0];
+  t = t.replace(/:\d+$/, "");
+  t = t.split(":")[0];
+  t = t.toLowerCase();
+  if (t.length > 253) return null;
+  if (t === "localhost") return t;
+  if (/^[a-z0-9.-]+\.[a-z0-9.-]+$/.test(t)) return t;
+  return null;
+}
+function destTokensForBinary(binary, args) {
+  const valueFlags = VALUE_FLAGS[binary] ?? /* @__PURE__ */ new Set();
+  const positionals = [];
+  const urlFlagValues = [];
+  for (let i = 0; i < args.length; i++) {
+    const tok = args[i];
+    if (tok === null) continue;
+    if (tok.startsWith("-")) {
+      if (tok.startsWith("--url=")) {
+        urlFlagValues.push(tok.slice("--url=".length));
+        continue;
+      }
+      if (tok === "--url") {
+        const next = args[i + 1];
+        if (typeof next === "string") urlFlagValues.push(next);
+        i++;
+        continue;
+      }
+      if (tok.includes("=")) continue;
+      if (valueFlags.has(tok)) i++;
+      continue;
+    }
+    positionals.push(tok);
+  }
+  switch (binary) {
+    case "curl":
+    case "wget":
+      return [...urlFlagValues, ...positionals];
+    case "ssh":
+      return positionals.slice(0, 1);
+    case "scp":
+      return positionals.filter((p) => p.includes(":") || p.includes("@"));
+    case "nc":
+    case "ncat":
+    case "netcat":
+      return positionals.slice(0, 1);
+    default:
+      return [];
+  }
+}
+function extractShellDestinations(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return [];
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const callArgs = n.Args || [];
+      if (callArgs.length === 0) return true;
+      const name = (resolveWordLiteral(callArgs[0]) || "").toLowerCase();
+      if (!NET_BINARIES.has(name)) return true;
+      const rest = callArgs.slice(1).map((a) => resolveWordLiteral(a));
+      for (const raw of destTokensForBinary(name, rest)) {
+        const host = parseDestHost(raw);
+        if (!host) continue;
+        const key = `${name}:${host}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        out.push({ host, binary: name, raw });
+      }
+      return true;
+    });
+  } catch {
+    return out;
+  }
+  return out;
+}
 var FS_OP_CACHE_MAX = 5e3;
 var fsOpCache = /* @__PURE__ */ new Map();
 function analyzeFsOperation(command) {
@@ -1342,6 +1577,83 @@ function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
+var DEFAULT_EGRESS_ALLOWLIST = [
+  "*.github.com",
+  "*.githubusercontent.com",
+  "*.npmjs.org",
+  "pypi.org",
+  "*.pythonhosted.org",
+  "crates.io",
+  "*.crates.io",
+  "rubygems.org",
+  "proxy.golang.org",
+  "sum.golang.org",
+  "*.anthropic.com",
+  "*.openai.com",
+  "*.googleapis.com",
+  "*.docker.io",
+  "*.docker.com",
+  "deb.debian.org",
+  "*.ubuntu.com"
+];
+function hostMatches(host, pattern) {
+  const h = host.toLowerCase();
+  const p = pattern.toLowerCase().trim();
+  if (!p) return false;
+  if (p === "*") return true;
+  if (p.startsWith("*.")) {
+    const suffix = p.slice(2);
+    return h === suffix || h.endsWith("." + suffix);
+  }
+  return h === p;
+}
+function matchesAny(host, patterns) {
+  for (const p of patterns) if (hostMatches(host, p)) return true;
+  return false;
+}
+function isPrivateHost(host) {
+  const h = host.toLowerCase();
+  if (h === "localhost" || h === "0.0.0.0") return true;
+  if (h.endsWith(".local") || h.endsWith(".internal") || h.endsWith(".localhost")) return true;
+  if (/^127\./.test(h)) return true;
+  if (/^10\./.test(h)) return true;
+  if (/^192\.168\./.test(h)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(h)) return true;
+  return false;
+}
+function evaluateEgress(dests, policy) {
+  if (!policy.enabled) return null;
+  let review = null;
+  for (const d of dests) {
+    if (matchesAny(d.host, policy.deny)) {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to ${d.host} is on the deny list.`
+      };
+    }
+    if (policy.allowPrivate && isPrivateHost(d.host)) continue;
+    if (matchesAny(d.host, policy.allow) || matchesAny(d.host, DEFAULT_EGRESS_ALLOWLIST)) continue;
+    if (policy.mode === "block") {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to unknown host ${d.host} is blocked (egress policy: block).`
+      };
+    }
+    if (policy.mode === "review" && !review) {
+      review = {
+        verdict: "review",
+        host: d.host,
+        binary: d.binary,
+        reason: `${d.binary} is sending data to an unrecognized host (${d.host}). Approve this destination?`
+      };
+    }
+  }
+  return review;
+}
 var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
   "cat",
   "head",
@@ -1907,6 +2219,22 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
     const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
     if (ptVerdict) return ptVerdict;
+    if (config.policy.egress?.enabled) {
+      const dests = extractShellDestinations(shellCommand);
+      if (dests.length > 0) {
+        const eg = evaluateEgress(dests, config.policy.egress);
+        if (eg) {
+          return {
+            decision: eg.verdict,
+            blockedByLabel: eg.verdict === "block" ? "\u{1F310} Node9 Egress (Blocked)" : "\u{1F310} Node9 Egress (Review)",
+            reason: eg.reason,
+            ruleName: `egress:${eg.binary}:${eg.host}`,
+            ruleDescription: eg.reason,
+            tier: eg.verdict === "block" ? 3 : 4
+          };
+        }
+      }
+    }
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2817,7 +3145,7 @@ assertBuiltinShieldRegexesAreSafe();
 var LOOP_MAX_RECORDS = 500;
 function computeArgsHash(args) {
   const str = JSON.stringify(args ?? "");
-  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+  return crypto2.createHash("sha256").update(str).digest("hex").slice(0, 16);
 }
 function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const hash = computeArgsHash(args);
@@ -2828,6 +3156,32 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
   return { nextRecords, count, looping: count >= threshold };
 }
+var PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+var PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+var PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+var PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+var REALTIME_PII_PATTERNS = ["SSN", "Credit Card"];
+var MAX_PII_SCAN_BYTES = 1e5;
+function detectArgsPii(args) {
+  if (args === null || args === void 0) return [];
+  let text;
+  try {
+    text = typeof args === "string" ? args : JSON.stringify(args);
+  } catch {
+    return [];
+  }
+  if (typeof text !== "string") return [];
+  if (text.length > MAX_PII_SCAN_BYTES) text = text.slice(0, MAX_PII_SCAN_BYTES);
+  return detectPii(text).filter((p) => REALTIME_PII_PATTERNS.includes(p));
+}
 var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
 // src/shields.ts
@@ -2930,7 +3284,8 @@ var DEFAULT_CONFIG = {
     flightRecorder: true,
     auditHashArgs: true,
     approvers: { native: true, browser: false, cloud: false, terminal: true },
-    cloudSyncIntervalHours: 5
+    cloudSyncIntervalHours: 5,
+    shipper: { enabled: true, intervalSeconds: 20 }
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -3114,7 +3469,8 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true },
+    dlp: { enabled: true, scanIgnoredTools: true, pii: "off" },
+    egress: { enabled: false, mode: "review", allow: [], deny: [], allowPrivate: true },
     loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
     skillPinning: { enabled: false, mode: "warn", roots: [] }
   },
@@ -3225,7 +3581,8 @@ function getConfig(cwd) {
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
     ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+    approvers: { ...DEFAULT_CONFIG.settings.approvers },
+    shipper: { ...DEFAULT_CONFIG.settings.shipper }
   };
   const mergedPolicy = {
     sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
@@ -3239,6 +3596,11 @@ function getConfig(cwd) {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
     dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    egress: {
+      ...DEFAULT_CONFIG.policy.egress,
+      allow: [...DEFAULT_CONFIG.policy.egress.allow],
+      deny: [...DEFAULT_CONFIG.policy.egress.deny]
+    },
     loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
     skillPinning: {
       ...DEFAULT_CONFIG.policy.skillPinning,
@@ -3256,6 +3618,7 @@ function getConfig(cwd) {
     if (s.enableHookLogDebug !== void 0)
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.shipper) mergedSettings.shipper = { ...mergedSettings.shipper, ...s.shipper };
     if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
@@ -3288,6 +3651,15 @@ function getConfig(cwd) {
       const d = p.dlp;
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+      if (d.pii !== void 0) mergedPolicy.dlp.pii = d.pii;
+    }
+    if (p.egress) {
+      const e = p.egress;
+      if (e.enabled !== void 0) mergedPolicy.egress.enabled = e.enabled;
+      if (e.mode !== void 0) mergedPolicy.egress.mode = e.mode;
+      if (Array.isArray(e.allow)) mergedPolicy.egress.allow.push(...e.allow);
+      if (Array.isArray(e.deny)) mergedPolicy.egress.deny.push(...e.deny);
+      if (e.allowPrivate !== void 0) mergedPolicy.egress.allowPrivate = e.allowPrivate;
     }
     if (p.loopDetection) {
       const ld = p.loopDetection;
@@ -4030,6 +4402,15 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
 var isTestEnv = () => {
   return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
 };
+var MIN_INTERACTION_MS = 400;
+function resolveNativeDecision(opts) {
+  const { code, output, elapsedMs, locked } = opts;
+  if (locked) return "deny";
+  const tooFast = elapsedMs < MIN_INTERACTION_MS;
+  if (output.includes("Always Allow")) return tooFast ? "deny" : "always_allow";
+  if (code === 0) return tooFast ? "deny" : "allow";
+  return "deny";
+}
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -4173,6 +4554,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
   );
   return new Promise((resolve) => {
     let childProcess = null;
+    const startedAt = Date.now();
     const onAbort = () => {
       if (childProcess && childProcess.pid) {
         try {
@@ -4230,13 +4612,14 @@ end run`;
       }
       let output = "";
       childProcess?.stdout?.on("data", (d) => output += d.toString());
-      childProcess?.on("close", (code) => {
+      childProcess?.on("error", () => {
         if (signal) signal.removeEventListener("abort", onAbort);
-        if (locked) return resolve("deny");
-        if (output.includes("Always Allow")) return resolve("always_allow");
-        if (code === 0) return resolve("allow");
         resolve("deny");
       });
+      childProcess?.on("close", (code) => {
+        if (signal) signal.removeEventListener("abort", onAbort);
+        resolve(resolveNativeDecision({ code, output, elapsedMs: Date.now() - startedAt, locked }));
+      });
     } catch {
       resolve("deny");
     }
@@ -4251,91 +4634,6 @@ init_audit();
 import fs9 from "fs";
 import os8 from "os";
 import path11 from "path";
-var DLP_SAMPLE_MAX_LEN = 200;
-var DLP_PATTERN_MAX_LEN = 100;
-var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
-  "dlp-block",
-  "observe-mode-dlp-would-block",
-  "dlp-review-flagged",
-  "loop-detected",
-  "audit-mode",
-  "local-policy",
-  "smart-rule-block",
-  // Smart-rule block was downgraded to review because the daemon was
-  // running and we're not in CI. The block attempt is still recorded;
-  // the user got a popup. Distinct from 'smart-rule-block' so the
-  // dashboard can show "block rule overridden" separately from a hard
-  // block that fired with no human in the loop.
-  "smart-rule-block-override",
-  "persistent",
-  "trust",
-  "observe-mode",
-  "observe-mode-would-block"
-]);
-function validateApiUrl(raw) {
-  let u;
-  try {
-    u = new URL(raw);
-  } catch {
-    return null;
-  }
-  if (u.username || u.password) return null;
-  if (u.protocol === "https:") return u;
-  if (u.protocol === "http:") {
-    const h = u.hostname;
-    if (h === "127.0.0.1" || h === "localhost" || h === "::1" || h === "[::1]") return u;
-  }
-  return null;
-}
-function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false, riskMetadata) {
-  const validated = validateApiUrl(creds.apiUrl);
-  if (!validated) {
-    try {
-      fs9.appendFileSync(
-        HOOK_DEBUG_LOG,
-        `[audit] refused to send: invalid apiUrl scheme/host (got "${String(creds.apiUrl).slice(0, 200)}")
-`
-      );
-    } catch {
-    }
-    return Promise.resolve();
-  }
-  const safeArgs = containsSensitiveArgs ? { tool: toolName, redacted: true } : args;
-  const dlpSample = dlpInfo && typeof dlpInfo.redactedSample === "string" ? dlpInfo.redactedSample.slice(0, DLP_SAMPLE_MAX_LEN) : void 0;
-  const dlpPattern = dlpInfo && typeof dlpInfo.pattern === "string" ? dlpInfo.pattern.slice(0, DLP_PATTERN_MAX_LEN) : void 0;
-  const safeCheckedBy = KNOWN_CHECKED_BY.has(checkedBy) ? checkedBy : "unknown";
-  const cleanedRiskMetadata = riskMetadata ? Object.fromEntries(
-    Object.entries(riskMetadata).filter(([, v]) => typeof v === "string" && v.length > 0)
-  ) : void 0;
-  const hasRiskMetadata = cleanedRiskMetadata && Object.keys(cleanedRiskMetadata).length > 0;
-  return fetch(`${validated.toString().replace(/\/$/, "")}/audit`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-    body: JSON.stringify({
-      toolName,
-      args: safeArgs,
-      checkedBy: safeCheckedBy,
-      ...dlpInfo && { dlpPattern, dlpSample },
-      ...hasRiskMetadata && { riskMetadata: cleanedRiskMetadata },
-      // session_id (Claude Code + Gemini CLI) groups all audit rows from one
-      // agent run; transcript_path is the authoritative pointer to the
-      // session log (survives Gemini resume drift). Both optional —
-      // unsupported agents (MCP-mediated) leave them undefined.
-      ...meta?.sessionId && { runId: meta.sessionId },
-      ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
-      context: {
-        agent: meta?.agent,
-        mcpServer: meta?.mcpServer,
-        hostname: os8.hostname(),
-        cwd: process.cwd(),
-        platform: os8.platform()
-      }
-    }),
-    signal: AbortSignal.timeout(5e3)
-  }).then(() => {
-  }).catch(() => {
-  });
-}
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPolicy, forceReview) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
@@ -4623,6 +4921,37 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       if (taintResult.tainted && taintResult.record) {
         const { path: taintedPath, source: taintSource } = taintResult.record;
         taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+        if (config.policy.egress?.enabled) {
+          const a = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+          const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+          const dests = cmd ? extractShellDestinations(cmd) : [];
+          const eg = dests.length > 0 ? evaluateEgress(dests, config.policy.egress) : null;
+          if (eg) {
+            if (!isManual)
+              appendLocalAudit(
+                toolName,
+                args,
+                "deny",
+                isObserveMode ? "observe-mode-taint-egress-would-block" : "taint-egress-block",
+                { ...meta, ruleName: `taint-egress:${eg.host}` },
+                hashAuditArgs
+              );
+            if (isObserveMode) {
+              return {
+                approved: true,
+                checkedBy: "audit",
+                observeWouldBlock: true,
+                blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration)"
+              };
+            }
+            return {
+              approved: false,
+              reason: `\u{1F534} EXFILTRATION BLOCKED: the tainted file "${taintedPath}" is being sent to untrusted host "${eg.host}". A flagged file leaving to an unrecognized destination is blocked outright.`,
+              blockedBy: "local-config",
+              blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration Blocked)"
+            };
+          }
+        }
       } else if (taintResult.daemonUnavailable) {
         taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
       }
@@ -4641,17 +4970,11 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            meta,
-            true
-          );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            creds,
-            meta,
-            { pattern: dlpMatch.patternName, redactedSample: dlpMatch.redactedSample },
+            {
+              ...meta,
+              dlpPattern: dlpMatch.patternName,
+              dlpSample: dlpMatch.redactedSample
+            },
             true
           );
         if (isWriteTool(toolName) && filePath) {
@@ -4677,6 +5000,35 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
+  if (config.policy.dlp.pii === "block" && (!isIgnoredTool2(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const piiFound = detectArgsPii(args);
+    if (piiFound.length > 0) {
+      const piiReason = `\u{1F512} PII DETECTED: ${piiFound.join(", ")} found in tool arguments. Remove or tokenize personal data before passing it to a tool.`;
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "deny",
+          isObserveMode ? "observe-mode-pii-would-block" : "pii-block",
+          { ...meta, piiPatterns: piiFound.join(",") },
+          true
+        );
+      if (isObserveMode) {
+        return {
+          approved: true,
+          checkedBy: "audit",
+          observeWouldBlock: true,
+          blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+        };
+      }
+      return {
+        approved: false,
+        reason: piiReason,
+        blockedBy: "local-config",
+        blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+      };
+    }
+  }
   if (isObserveMode) {
     if (!isIgnoredTool2(toolName)) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
@@ -4707,9 +5059,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey) {
-          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
-        }
       }
     }
     return { approved: true, checkedBy: "audit" };
@@ -4722,8 +5071,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "loop-detected", creds, meta, void 0, true);
         return {
           approved: false,
           reason,
@@ -4742,15 +5089,15 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       };
     }
     if (policyResult.decision === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "local-policy", creds, meta, void 0, false, {
-          ruleName: policyResult.ruleName,
-          ruleDescription: policyResult.ruleDescription,
-          blockedByLabel: policyResult.blockedByLabel,
-          matchedField: policyResult.matchedField,
-          matchedWord: policyResult.matchedWord
-        });
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "allow",
+          "local-policy",
+          { ...meta, ruleName: policyResult.ruleName },
+          hashAuditArgs
+        );
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
@@ -4783,23 +5130,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            "smart-rule-block-override",
-            creds,
-            meta,
-            void 0,
-            false,
-            {
-              ruleName: policyResult.ruleName,
-              ruleDescription: policyResult.ruleDescription,
-              blockedByLabel: policyResult.blockedByLabel,
-              matchedField: policyResult.matchedField,
-              matchedWord: policyResult.matchedWord
-            }
-          );
         const baseLabel = policyResult.blockedByLabel || "Smart Rule";
         const OVERRIDE_PREFIX = "\u26A0\uFE0F Override block rule: ";
         if (!baseLabel.startsWith(OVERRIDE_PREFIX)) {
@@ -4824,14 +5154,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
-            ruleName: policyResult.ruleName,
-            ruleDescription: policyResult.ruleDescription,
-            blockedByLabel: policyResult.blockedByLabel,
-            matchedField: policyResult.matchedField,
-            matchedWord: policyResult.matchedWord
-          });
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -4860,8 +5182,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (policyRuleDescription) riskMetadata.ruleDescription = policyRuleDescription.slice(0, 200);
     const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -4894,8 +5214,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
   }
   if (!taintWarning && getActiveTrustSession(toolName, args)) {
-    if (approvers.cloud && creds?.apiKey)
-      await auditLocalAllow(toolName, args, "trust", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
     return { approved: true, checkedBy: "trust" };
   }
@@ -5140,7 +5458,12 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta,
+      // cloudRequestId links this row to the BE-origin AuditLog row the
+      // /intercept handshake created — the shipper hands it to the SaaS so
+      // the BE enriches that row instead of inserting a duplicate. Matters
+      // for EVERY racer outcome, not just cloud wins: a native-popup
+      // decision on a cloud-pending request would otherwise count twice.
+      cloudRequestId ? { ...meta, cloudRequestId } : meta,
       hashAuditArgs
     );
   }