@node9/proxy 1.3.1 → 1.3.2

package/dist/cli.js

@@ -114,8 +114,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path22 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path22}: ${issue.message}`;
+    const path24 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path24}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -1178,8 +1178,440 @@ var init_dlp = __esm({
   }
 });
 
+// src/utils/provenance.ts
+function findInPath(cmd) {
+  if (import_path5.default.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(import_path5.default.delimiter)) {
+    if (!dir) continue;
+    const full = import_path5.default.join(dir, cmd);
+    try {
+      import_fs5.default.accessSync(full, import_fs5.default.constants.X_OK);
+      return full;
+    } catch {
+    }
+  }
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = import_os4.default.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (import_path5.default.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
+    }
+  }
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = import_fs5.default.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
+  }
+  try {
+    const stat = import_fs5.default.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
+    }
+  } catch {
+    return {
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
+    };
+  }
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+var import_fs5, import_path5, import_os4, SYSTEM_PREFIXES, MANAGED_PREFIXES, USER_PREFIXES, SUSPECT_PREFIXES;
+var init_provenance = __esm({
+  "src/utils/provenance.ts"() {
+    "use strict";
+    import_fs5 = __toESM(require("fs"));
+    import_path5 = __toESM(require("path"));
+    import_os4 = __toESM(require("os"));
+    SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+    MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+    USER_PREFIXES = [
+      import_path5.default.join(import_os4.default.homedir(), "bin"),
+      import_path5.default.join(import_os4.default.homedir(), ".local", "bin"),
+      import_path5.default.join(import_os4.default.homedir(), ".cargo", "bin"),
+      import_path5.default.join(import_os4.default.homedir(), ".npm-global", "bin"),
+      import_path5.default.join(import_os4.default.homedir(), ".volta", "bin")
+    ];
+    SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+  }
+});
+
+// src/policy/pipe-chain.ts
+function isSensitivePath(p) {
+  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+}
+function splitOnPipe(cmd) {
+  const segments = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
+      segments.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments.filter(Boolean);
+}
+function positionalTokens(segment) {
+  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
+}
+function analyzePipeChain(command) {
+  const segments = splitOnPipe(command);
+  if (segments.length < 2) {
+    return {
+      isPipeline: false,
+      hasSensitiveSource: false,
+      hasExternalSink: false,
+      hasObfuscation: false,
+      sourceFiles: [],
+      sinkTargets: [],
+      risk: "none"
+    };
+  }
+  const sourceFiles = [];
+  const sinkTargets = [];
+  let hasSensitiveSource = false;
+  let hasExternalSink = false;
+  let hasObfuscation = false;
+  for (const segment of segments) {
+    const tokens = segment.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0) continue;
+    const binary = tokens[0].toLowerCase();
+    const args = positionalTokens(segment);
+    if (SOURCE_COMMANDS.has(binary)) {
+      sourceFiles.push(...args);
+      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+    }
+    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
+    if (SINK_COMMANDS.has(binary)) {
+      const targets = args.filter(
+        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
+      );
+      sinkTargets.push(...targets);
+      if (targets.length > 0) hasExternalSink = true;
+    }
+  }
+  const fullCmd = command.toLowerCase();
+  if (!hasSensitiveSource) {
+    const redirMatch = fullCmd.match(/<\s*(\S+)/);
+    if (redirMatch && isSensitivePath(redirMatch[1])) {
+      hasSensitiveSource = true;
+      sourceFiles.push(redirMatch[1]);
+    }
+  }
+  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
+  return {
+    isPipeline: true,
+    hasSensitiveSource,
+    hasExternalSink,
+    hasObfuscation,
+    sourceFiles,
+    sinkTargets,
+    risk
+  };
+}
+var SOURCE_COMMANDS, SINK_COMMANDS, OBFUSCATORS, SENSITIVE_PATTERNS;
+var init_pipe_chain = __esm({
+  "src/policy/pipe-chain.ts"() {
+    "use strict";
+    SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+      "cat",
+      "head",
+      "tail",
+      "grep",
+      "awk",
+      "sed",
+      "cut",
+      "sort",
+      "tee",
+      "less",
+      "more",
+      "strings",
+      "xxd"
+    ]);
+    SINK_COMMANDS = /* @__PURE__ */ new Set([
+      "curl",
+      "wget",
+      "nc",
+      "ncat",
+      "netcat",
+      "ssh",
+      "scp",
+      "rsync",
+      "socat",
+      "ftp",
+      "sftp",
+      "telnet"
+    ]);
+    OBFUSCATORS = /* @__PURE__ */ new Set([
+      "base64",
+      "gzip",
+      "gunzip",
+      "bzip2",
+      "xz",
+      "zstd",
+      "openssl",
+      "gpg",
+      "python",
+      "python3",
+      "perl",
+      "ruby",
+      "node"
+    ]);
+    SENSITIVE_PATTERNS = [
+      /(?:^|\/)\.env(?:\.|$)/i,
+      // .env, .env.local, .env.production
+      /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
+      // SSH private keys
+      /\.pem$|\.key$|\.p12$|\.pfx$/i,
+      // certificate files
+      /(?:^|\/)\.ssh\//i,
+      // ~/.ssh/ directory
+      /(?:^|\/)\.aws\/credentials/i,
+      // AWS credentials
+      /(?:^|\/)\.netrc$/i,
+      // netrc (stores HTTP credentials)
+      /(?:^|\/)(passwd|shadow|sudoers)$/i,
+      // /etc/passwd, /etc/shadow
+      /(?:^|\/)credentials(?:\.json)?$/i
+      // generic credentials files
+    ];
+  }
+});
+
+// src/policy/flag-tables.ts
+function extractPositionalArgs(tokens, binary) {
+  const binaryName = import_path6.default.basename(binary).replace(/\.exe$/i, "");
+  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
+  const positional = [];
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (token.startsWith("--") && token.includes("=")) continue;
+    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    if (token.startsWith("--") && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    const shortFlag = token.slice(0, 2);
+    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
+    if (token.startsWith("-")) continue;
+    if (token.startsWith("@")) continue;
+    positional.push(token);
+  }
+  return positional;
+}
+function extractNetworkTargets(tokens, binary) {
+  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
+    const colonIdx = t.indexOf(":");
+    if (colonIdx === -1) return t;
+    const afterColon = t.slice(colonIdx + 1);
+    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
+    return t;
+  }).filter(Boolean);
+}
+var import_path6, FLAGS_WITH_VALUES;
+var init_flag_tables = __esm({
+  "src/policy/flag-tables.ts"() {
+    "use strict";
+    import_path6 = __toESM(require("path"));
+    FLAGS_WITH_VALUES = {
+      curl: /* @__PURE__ */ new Set([
+        "-H",
+        "--header",
+        "-A",
+        "--user-agent",
+        "-e",
+        "--referer",
+        "-x",
+        "--proxy",
+        "-u",
+        "--user",
+        "-d",
+        "--data",
+        "--data-raw",
+        "--data-binary",
+        "-o",
+        "--output",
+        "-F",
+        "--form",
+        "--connect-to",
+        "--resolve",
+        "--cacert",
+        "--cert",
+        "--key",
+        "-m",
+        "--max-time"
+      ]),
+      wget: /* @__PURE__ */ new Set([
+        "-O",
+        "--output-document",
+        "-P",
+        "--directory-prefix",
+        "-U",
+        "--user-agent",
+        "-e",
+        "--execute",
+        "--proxy",
+        "--ca-certificate"
+      ]),
+      nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
+      ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
+      netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
+      ssh: /* @__PURE__ */ new Set([
+        "-i",
+        "-l",
+        "-p",
+        "-o",
+        "-E",
+        "-F",
+        "-J",
+        "-L",
+        "-R",
+        "-W",
+        "-b",
+        "-c",
+        "-D",
+        "-e",
+        "-I",
+        "-S"
+      ]),
+      scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
+      rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
+      socat: /* @__PURE__ */ new Set([])
+      // socat uses address syntax, not flags — no value-flags
+    };
+  }
+});
+
+// src/policy/ssh-parser.ts
+function tokenize(cmd) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (const ch of cmd) {
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function parseHost(raw) {
+  return raw.split("@").pop().split(":")[0];
+}
+function extractAllSshHosts(tokens) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i];
+    if (t === "-J" && tokens[i + 1]) {
+      for (const hop of tokens[++i].split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
+      const val = tokens[++i].split("=").slice(1).join("=");
+      for (const hop of val.split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
+      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
+      const subTokens = tokenize(raw);
+      const binary = subTokens[0] ?? "";
+      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
+      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
+      continue;
+    }
+    if (!t.startsWith("-")) {
+      const h = parseHost(t);
+      if (h) hosts.add(h);
+    }
+  }
+  return [...hosts].filter(Boolean);
+}
+var init_ssh_parser = __esm({
+  "src/policy/ssh-parser.ts"() {
+    "use strict";
+    init_flag_tables();
+  }
+});
+
 // src/policy/index.ts
-function tokenize(toolName) {
+function tokenize2(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
 function matchesPattern(text, patterns) {
@@ -1192,9 +1624,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path22) {
+function getNestedValue(obj, path24) {
   if (!obj || typeof obj !== "object") return null;
-  return path22.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path24.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1329,7 +1761,7 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
-async function evaluatePolicy(toolName, args, agent) {
+async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
@@ -1359,11 +1791,55 @@ async function evaluatePolicy(toolName, args, agent) {
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline) {
+      if (pipeAnalysis.risk === "critical") {
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${pipeAnalysis.sinkTargets.join(", ")}`,
+          tier: 3
+        };
+      }
+      if (pipeAnalysis.risk === "high") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+          reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${pipeAnalysis.sinkTargets.join(", ")}`,
+          tier: 3
+        };
+      }
+    }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
+    }
+    if (firstToken && import_path7.default.posix.isAbsolute(firstToken)) {
+      const prov = checkProvenance(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+    }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -1437,9 +1913,9 @@ async function evaluatePolicy(toolName, args, agent) {
 }
 async function explainPolicy(toolName, args) {
   const steps = [];
-  const globalPath = import_path5.default.join(import_os4.default.homedir(), ".node9", "config.json");
-  const projectPath = import_path5.default.join(process.cwd(), "node9.config.json");
-  const credsPath = import_path5.default.join(import_os4.default.homedir(), ".node9", "credentials.json");
+  const globalPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "config.json");
+  const projectPath = import_path7.default.join(process.cwd(), "node9.config.json");
+  const credsPath = import_path7.default.join(import_os5.default.homedir(), ".node9", "credentials.json");
   const waterfall = [
     {
       tier: 1,
@@ -1450,19 +1926,19 @@ async function explainPolicy(toolName, args) {
     {
       tier: 2,
       label: "Cloud policy",
-      status: import_fs5.default.existsSync(credsPath) ? "active" : "missing",
-      note: import_fs5.default.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
+      status: import_fs6.default.existsSync(credsPath) ? "active" : "missing",
+      note: import_fs6.default.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
     },
     {
       tier: 3,
       label: "Project config",
-      status: import_fs5.default.existsSync(projectPath) ? "active" : "missing",
+      status: import_fs6.default.existsSync(projectPath) ? "active" : "missing",
       path: projectPath
     },
     {
       tier: 4,
       label: "Global config",
-      status: import_fs5.default.existsSync(globalPath) ? "active" : "missing",
+      status: import_fs6.default.existsSync(globalPath) ? "active" : "missing",
       path: globalPath
     },
     {
@@ -1594,7 +2070,7 @@ async function explainPolicy(toolName, args) {
       });
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     let detail = `No toolInspection match for "${toolName}" \u2014 tokens: [${allTokens.join(", ")}]`;
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
@@ -1699,18 +2175,21 @@ function isIgnoredTool(toolName) {
   const config = getConfig();
   return matchesPattern(toolName, config.policy.ignoredTools);
 }
-var import_fs5, import_path5, import_os4, import_picomatch, import_sh_syntax, SQL_DML_KEYWORDS;
+var import_fs6, import_path7, import_os5, import_picomatch, import_sh_syntax, SQL_DML_KEYWORDS;
 var init_policy = __esm({
   "src/policy/index.ts"() {
     "use strict";
-    import_fs5 = __toESM(require("fs"));
-    import_path5 = __toESM(require("path"));
-    import_os4 = __toESM(require("os"));
+    import_fs6 = __toESM(require("fs"));
+    import_path7 = __toESM(require("path"));
+    import_os5 = __toESM(require("os"));
     import_picomatch = __toESM(require("picomatch"));
     import_sh_syntax = require("sh-syntax");
     init_dlp();
     init_config();
     init_regex();
+    init_provenance();
+    init_pipe_chain();
+    init_ssh_parser();
     SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
   }
 });
@@ -1718,11 +2197,11 @@ var init_policy = __esm({
 // src/auth/state.ts
 function checkPause() {
   try {
-    if (!import_fs6.default.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(import_fs6.default.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!import_fs7.default.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(import_fs7.default.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        import_fs6.default.unlinkSync(PAUSED_FILE);
+        import_fs7.default.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -1733,11 +2212,11 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = import_path6.default.dirname(filePath);
-  if (!import_fs6.default.existsSync(dir)) import_fs6.default.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${import_os5.default.hostname()}.${process.pid}.tmp`;
-  import_fs6.default.writeFileSync(tmpPath, data, options);
-  import_fs6.default.renameSync(tmpPath, filePath);
+  const dir = import_path8.default.dirname(filePath);
+  if (!import_fs7.default.existsSync(dir)) import_fs7.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${import_os6.default.hostname()}.${process.pid}.tmp`;
+  import_fs7.default.writeFileSync(tmpPath, data, options);
+  import_fs7.default.renameSync(tmpPath, filePath);
 }
 function pauseNode9(durationMs, durationStr) {
   const state = { expiry: Date.now() + durationMs, duration: durationStr };
@@ -1745,18 +2224,18 @@ function pauseNode9(durationMs, durationStr) {
 }
 function resumeNode9() {
   try {
-    if (import_fs6.default.existsSync(PAUSED_FILE)) import_fs6.default.unlinkSync(PAUSED_FILE);
+    if (import_fs7.default.existsSync(PAUSED_FILE)) import_fs7.default.unlinkSync(PAUSED_FILE);
   } catch {
   }
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!import_fs6.default.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(import_fs6.default.readFileSync(TRUST_FILE, "utf-8"));
+    if (!import_fs7.default.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(import_fs7.default.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      import_fs6.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      import_fs7.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -1767,8 +2246,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs6.default.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(import_fs6.default.readFileSync(TRUST_FILE, "utf-8"));
+      if (import_fs7.default.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(import_fs7.default.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -1784,34 +2263,34 @@ function writeTrustSession(toolName, durationMs) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = import_path6.default.join(import_os5.default.homedir(), ".node9", "decisions.json");
-    if (!import_fs6.default.existsSync(file)) return null;
-    const decisions = JSON.parse(import_fs6.default.readFileSync(file, "utf-8"));
+    const file = import_path8.default.join(import_os6.default.homedir(), ".node9", "decisions.json");
+    if (!import_fs7.default.existsSync(file)) return null;
+    const decisions = JSON.parse(import_fs7.default.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
   }
   return null;
 }
-var import_fs6, import_path6, import_os5, PAUSED_FILE, TRUST_FILE;
+var import_fs7, import_path8, import_os6, PAUSED_FILE, TRUST_FILE;
 var init_state = __esm({
   "src/auth/state.ts"() {
     "use strict";
-    import_fs6 = __toESM(require("fs"));
-    import_path6 = __toESM(require("path"));
-    import_os5 = __toESM(require("os"));
+    import_fs7 = __toESM(require("fs"));
+    import_path8 = __toESM(require("path"));
+    import_os6 = __toESM(require("os"));
     init_policy();
-    PAUSED_FILE = import_path6.default.join(import_os5.default.homedir(), ".node9", "PAUSED");
-    TRUST_FILE = import_path6.default.join(import_os5.default.homedir(), ".node9", "trust.json");
+    PAUSED_FILE = import_path8.default.join(import_os6.default.homedir(), ".node9", "PAUSED");
+    TRUST_FILE = import_path8.default.join(import_os6.default.homedir(), ".node9", "trust.json");
   }
 });
 
 // src/auth/daemon.ts
 function getInternalToken() {
   try {
-    const pidFile = import_path7.default.join(import_os6.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs7.default.existsSync(pidFile)) return null;
-    const data = JSON.parse(import_fs7.default.readFileSync(pidFile, "utf-8"));
+    const pidFile = import_path9.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+    if (!import_fs8.default.existsSync(pidFile)) return null;
+    const data = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -1819,10 +2298,10 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = import_path7.default.join(import_os6.default.homedir(), ".node9", "daemon.pid");
-  if (import_fs7.default.existsSync(pidFile)) {
+  const pidFile = import_path9.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+  if (import_fs8.default.existsSync(pidFile)) {
     try {
-      const { pid, port } = JSON.parse(import_fs7.default.readFileSync(pidFile, "utf-8"));
+      const { pid, port } = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
       if (port !== DAEMON_PORT) return false;
       process.kill(pid, 0);
       return true;
@@ -1915,13 +2394,13 @@ async function resolveViaDaemon(id, decision, internalToken) {
     signal: AbortSignal.timeout(3e3)
   });
 }
-var import_fs7, import_path7, import_os6, import_child_process, DAEMON_PORT, DAEMON_HOST;
+var import_fs8, import_path9, import_os7, import_child_process, DAEMON_PORT, DAEMON_HOST;
 var init_daemon = __esm({
   "src/auth/daemon.ts"() {
     "use strict";
-    import_fs7 = __toESM(require("fs"));
-    import_path7 = __toESM(require("path"));
-    import_os6 = __toESM(require("os"));
+    import_fs8 = __toESM(require("fs"));
+    import_path9 = __toESM(require("path"));
+    import_os7 = __toESM(require("os"));
     import_child_process = require("child_process");
     DAEMON_PORT = 7391;
     DAEMON_HOST = "127.0.0.1";
@@ -1980,7 +2459,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = import_path8.default.basename(editFilePath);
+        editFileName = import_path10.default.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -2012,11 +2491,11 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
     ...ruleName && { ruleName }
   };
 }
-var import_path8, CODE_KEYS;
+var import_path10, CODE_KEYS;
 var init_context_sniper = __esm({
   "src/context-sniper.ts"() {
     "use strict";
-    import_path8 = __toESM(require("path"));
+    import_path10 = __toESM(require("path"));
     CODE_KEYS = [
       "command",
       "cmd",
@@ -2055,7 +2534,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? import_path9.default.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? import_path11.default.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -2228,12 +2707,12 @@ end run`;
     }
   });
 }
-var import_child_process2, import_path9, isTestEnv;
+var import_child_process2, import_path11, isTestEnv;
 var init_native = __esm({
   "src/ui/native.ts"() {
     "use strict";
     import_child_process2 = require("child_process");
-    import_path9 = __toESM(require("path"));
+    import_path11 = __toESM(require("path"));
     init_context_sniper();
     isTestEnv = () => {
       return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
@@ -2253,9 +2732,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: import_os7.default.hostname(),
+        hostname: import_os8.default.hostname(),
         cwd: process.cwd(),
-        platform: import_os7.default.platform()
+        platform: import_os8.default.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -2276,9 +2755,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: import_os7.default.hostname(),
+          hostname: import_os8.default.hostname(),
           cwd: process.cwd(),
-          platform: import_os7.default.platform()
+          platform: import_os8.default.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),
@@ -2334,26 +2813,26 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
     });
     clearTimeout(timer);
     if (!res.ok) {
-      import_fs8.default.appendFileSync(
+      import_fs9.default.appendFileSync(
         HOOK_DEBUG_LOG,
         `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
 `
       );
     }
   } catch (err) {
-    import_fs8.default.appendFileSync(
+    import_fs9.default.appendFileSync(
       HOOK_DEBUG_LOG,
       `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
 `
     );
   }
 }
-var import_fs8, import_os7;
+var import_fs9, import_os8;
 var init_cloud = __esm({
   "src/auth/cloud.ts"() {
     "use strict";
-    import_fs8 = __toESM(require("fs"));
-    import_os7 = __toESM(require("os"));
+    import_fs9 = __toESM(require("fs"));
+    import_os8 = __toESM(require("os"));
     init_audit();
   }
 });
@@ -2440,7 +2919,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         if (approvers.cloud && creds?.apiKey) {
@@ -2705,13 +3184,13 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
   }
   return finalResult;
 }
-var import_net, import_path10, import_os8, import_crypto2, ACTIVITY_SOCKET_PATH;
+var import_net, import_path12, import_os9, import_crypto2, ACTIVITY_SOCKET_PATH;
 var init_orchestrator = __esm({
   "src/auth/orchestrator.ts"() {
     "use strict";
     import_net = __toESM(require("net"));
-    import_path10 = __toESM(require("path"));
-    import_os8 = __toESM(require("os"));
+    import_path12 = __toESM(require("path"));
+    import_os9 = __toESM(require("os"));
     import_crypto2 = require("crypto");
     init_native();
     init_context_sniper();
@@ -2722,7 +3201,7 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
-    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path10.default.join(import_os8.default.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path12.default.join(import_os9.default.tmpdir(), "node9-activity.sock");
   }
 });
 
@@ -4215,11 +4694,11 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = import_path12.default.dirname(filePath);
-  if (!import_fs10.default.existsSync(dir)) import_fs10.default.mkdirSync(dir, { recursive: true });
+  const dir = import_path14.default.dirname(filePath);
+  if (!import_fs11.default.existsSync(dir)) import_fs11.default.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${(0, import_crypto3.randomUUID)()}.tmp`;
-  import_fs10.default.writeFileSync(tmpPath, data, options);
-  import_fs10.default.renameSync(tmpPath, filePath);
+  import_fs11.default.writeFileSync(tmpPath, data, options);
+  import_fs11.default.renameSync(tmpPath, filePath);
 }
 function redactArgs(value) {
   if (!value || typeof value !== "object") return value;
@@ -4239,16 +4718,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = import_path12.default.dirname(AUDIT_LOG_FILE);
-    if (!import_fs10.default.existsSync(dir)) import_fs10.default.mkdirSync(dir, { recursive: true });
-    import_fs10.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = import_path14.default.dirname(AUDIT_LOG_FILE);
+    if (!import_fs11.default.existsSync(dir)) import_fs11.default.mkdirSync(dir, { recursive: true });
+    import_fs11.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!import_fs10.default.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = import_fs10.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!import_fs11.default.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = import_fs11.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -4257,19 +4736,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (import_fs10.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (import_fs11.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return import_fs10.default.existsSync(CREDENTIALS_FILE);
+  return import_fs11.default.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (import_fs10.default.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(import_fs10.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (import_fs11.default.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(import_fs11.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4281,8 +4760,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs10.default.existsSync(TRUST_FILE2))
-        trust = JSON.parse(import_fs10.default.readFileSync(TRUST_FILE2, "utf-8"));
+      if (import_fs11.default.existsSync(TRUST_FILE2))
+        trust = JSON.parse(import_fs11.default.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -4293,8 +4772,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (import_fs10.default.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(import_fs10.default.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (import_fs11.default.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(import_fs11.default.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4359,7 +4838,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      import_fs10.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs11.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -4370,7 +4849,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    import_fs10.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    import_fs11.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -4412,29 +4891,29 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      import_fs10.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      import_fs11.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
 }
-var import_net2, import_fs10, import_path12, import_os10, import_child_process3, import_crypto3, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, pending, sseClients, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
+var import_net2, import_fs11, import_path14, import_os11, import_child_process3, import_crypto3, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, pending, sseClients, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     import_net2 = __toESM(require("net"));
-    import_fs10 = __toESM(require("fs"));
-    import_path12 = __toESM(require("path"));
-    import_os10 = __toESM(require("os"));
+    import_fs11 = __toESM(require("fs"));
+    import_path14 = __toESM(require("path"));
+    import_os11 = __toESM(require("os"));
     import_child_process3 = require("child_process");
     import_crypto3 = require("crypto");
     init_daemon();
-    homeDir = import_os10.default.homedir();
-    DAEMON_PID_FILE = import_path12.default.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = import_path12.default.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = import_path12.default.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = import_path12.default.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = import_path12.default.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = import_path12.default.join(homeDir, ".node9", "credentials.json");
+    homeDir = import_os11.default.homedir();
+    DAEMON_PID_FILE = import_path14.default.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = import_path14.default.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = import_path14.default.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = import_path14.default.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = import_path14.default.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = import_path14.default.join(homeDir, ".node9", "credentials.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
     _abandonTimer = null;
@@ -4448,7 +4927,7 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path12.default.join(import_os10.default.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path14.default.join(import_os11.default.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
@@ -4471,7 +4950,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          import_fs11.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs12.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -4613,7 +5092,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && import_path13.default.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && import_path15.default.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -4917,14 +5396,14 @@ data: ${JSON.stringify(item.data)}
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (import_fs11.default.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(import_fs11.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (import_fs12.default.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(import_fs12.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          import_fs11.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs12.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -4983,13 +5462,13 @@ data: ${JSON.stringify(item.data)}
   }
   startActivitySocket();
 }
-var import_http, import_fs11, import_path13, import_crypto4, import_child_process4, import_chalk2;
+var import_http, import_fs12, import_path15, import_crypto4, import_child_process4, import_chalk2;
 var init_server = __esm({
   "src/daemon/server.ts"() {
     "use strict";
     import_http = __toESM(require("http"));
-    import_fs11 = __toESM(require("fs"));
-    import_path13 = __toESM(require("path"));
+    import_fs12 = __toESM(require("fs"));
+    import_path15 = __toESM(require("path"));
     import_crypto4 = require("crypto");
     import_child_process4 = require("child_process");
     import_chalk2 = __toESM(require("chalk"));
@@ -5002,24 +5481,24 @@ var init_server = __esm({
 
 // src/daemon/index.ts
 function stopDaemon() {
-  if (!import_fs12.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
+  if (!import_fs13.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(import_fs12.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(import_fs13.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(import_chalk3.default.green("\u2705 Stopped."));
   } catch {
     console.log(import_chalk3.default.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      import_fs12.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs13.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (import_fs12.default.existsSync(DAEMON_PID_FILE)) {
+  if (import_fs13.default.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(import_fs12.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(import_fs13.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(import_chalk3.default.green("Node9 daemon: running"));
       return;
@@ -5038,11 +5517,11 @@ function daemonStatus() {
     console.log(import_chalk3.default.yellow("Node9 daemon: not running"));
   }
 }
-var import_fs12, import_chalk3, import_child_process5;
+var import_fs13, import_chalk3, import_child_process5;
 var init_daemon2 = __esm({
   "src/daemon/index.ts"() {
     "use strict";
-    import_fs12 = __toESM(require("fs"));
+    import_fs13 = __toESM(require("fs"));
     import_chalk3 = __toESM(require("chalk"));
     import_child_process5 = require("child_process");
     init_server();
@@ -5093,9 +5572,9 @@ function renderPending(activity) {
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (import_fs19.default.existsSync(PID_FILE)) {
+  if (import_fs20.default.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(import_fs19.default.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(import_fs20.default.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
       console.error(import_chalk14.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
@@ -5260,8 +5739,8 @@ async function startTail(options = {}) {
       process.stdout.write(SHOW_CURSOR);
       postDecisionHttp(req2.id, decision, csrfToken, port).catch((err) => {
         try {
-          import_fs19.default.appendFileSync(
-            import_path20.default.join(import_os17.default.homedir(), ".node9", "hook-debug.log"),
+          import_fs20.default.appendFileSync(
+            import_path22.default.join(import_os18.default.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
@@ -5446,20 +5925,20 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk14, import_fs19, import_os17, import_path20, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, SAVE_CURSOR, RESTORE_CURSOR;
+var import_http2, import_chalk14, import_fs20, import_os18, import_path22, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, SAVE_CURSOR, RESTORE_CURSOR;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     import_http2 = __toESM(require("http"));
     import_chalk14 = __toESM(require("chalk"));
-    import_fs19 = __toESM(require("fs"));
-    import_os17 = __toESM(require("os"));
-    import_path20 = __toESM(require("path"));
+    import_fs20 = __toESM(require("fs"));
+    import_os18 = __toESM(require("os"));
+    import_path22 = __toESM(require("path"));
     import_readline3 = __toESM(require("readline"));
     import_child_process13 = require("child_process");
     init_daemon2();
     init_core();
-    PID_FILE = import_path20.default.join(import_os17.default.homedir(), ".node9", "daemon.pid");
+    PID_FILE = import_path22.default.join(import_os18.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -5497,9 +5976,9 @@ var import_commander = require("commander");
 init_core();
 
 // src/setup.ts
-var import_fs9 = __toESM(require("fs"));
-var import_path11 = __toESM(require("path"));
-var import_os9 = __toESM(require("os"));
+var import_fs10 = __toESM(require("fs"));
+var import_path13 = __toESM(require("path"));
+var import_os10 = __toESM(require("os"));
 var import_chalk = __toESM(require("chalk"));
 var import_prompts = require("@inquirer/prompts");
 function printDaemonTip() {
@@ -5516,26 +5995,26 @@ function fullPathCommand(subcommand) {
 }
 function readJson(filePath) {
   try {
-    if (import_fs9.default.existsSync(filePath)) {
-      return JSON.parse(import_fs9.default.readFileSync(filePath, "utf-8"));
+    if (import_fs10.default.existsSync(filePath)) {
+      return JSON.parse(import_fs10.default.readFileSync(filePath, "utf-8"));
     }
   } catch {
   }
   return null;
 }
 function writeJson(filePath, data) {
-  const dir = import_path11.default.dirname(filePath);
-  if (!import_fs9.default.existsSync(dir)) import_fs9.default.mkdirSync(dir, { recursive: true });
-  import_fs9.default.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
+  const dir = import_path13.default.dirname(filePath);
+  if (!import_fs10.default.existsSync(dir)) import_fs10.default.mkdirSync(dir, { recursive: true });
+  import_fs10.default.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
 }
 function isNode9Hook(cmd) {
   if (!cmd) return false;
   return /(?:^|[\s/\\])node9 (?:check|log)/.test(cmd) || /(?:^|[\s/\\])cli\.js (?:check|log)/.test(cmd);
 }
 function teardownClaude() {
-  const homeDir2 = import_os9.default.homedir();
-  const hooksPath = import_path11.default.join(homeDir2, ".claude", "settings.json");
-  const mcpPath = import_path11.default.join(homeDir2, ".claude.json");
+  const homeDir2 = import_os10.default.homedir();
+  const hooksPath = import_path13.default.join(homeDir2, ".claude", "settings.json");
+  const mcpPath = import_path13.default.join(homeDir2, ".claude.json");
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
@@ -5583,8 +6062,8 @@ function teardownClaude() {
   }
 }
 function teardownGemini() {
-  const homeDir2 = import_os9.default.homedir();
-  const settingsPath = import_path11.default.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = import_os10.default.homedir();
+  const settingsPath = import_path13.default.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath);
   if (!settings) {
     console.log(import_chalk.default.blue("  \u2139\uFE0F  ~/.gemini/settings.json not found \u2014 nothing to remove"));
@@ -5622,8 +6101,8 @@ function teardownGemini() {
   }
 }
 function teardownCursor() {
-  const homeDir2 = import_os9.default.homedir();
-  const mcpPath = import_path11.default.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = import_os10.default.homedir();
+  const mcpPath = import_path13.default.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath);
   if (!mcpConfig?.mcpServers) {
     console.log(import_chalk.default.blue("  \u2139\uFE0F  ~/.cursor/mcp.json not found \u2014 nothing to remove"));
@@ -5649,9 +6128,9 @@ function teardownCursor() {
   }
 }
 async function setupClaude() {
-  const homeDir2 = import_os9.default.homedir();
-  const mcpPath = import_path11.default.join(homeDir2, ".claude.json");
-  const hooksPath = import_path11.default.join(homeDir2, ".claude", "settings.json");
+  const homeDir2 = import_os10.default.homedir();
+  const mcpPath = import_path13.default.join(homeDir2, ".claude.json");
+  const hooksPath = import_path13.default.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
@@ -5725,8 +6204,8 @@ async function setupClaude() {
   }
 }
 async function setupGemini() {
-  const homeDir2 = import_os9.default.homedir();
-  const settingsPath = import_path11.default.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = import_os10.default.homedir();
+  const settingsPath = import_path13.default.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
   let anythingChanged = false;
@@ -5808,8 +6287,8 @@ async function setupGemini() {
   }
 }
 async function setupCursor() {
-  const homeDir2 = import_os9.default.homedir();
-  const mcpPath = import_path11.default.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = import_os10.default.homedir();
+  const mcpPath = import_path13.default.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath) ?? {};
   const servers = mcpConfig.mcpServers ?? {};
   let anythingChanged = false;
@@ -5866,9 +6345,9 @@ async function setupCursor() {
 // src/cli.ts
 init_daemon2();
 var import_chalk15 = __toESM(require("chalk"));
-var import_fs20 = __toESM(require("fs"));
-var import_path21 = __toESM(require("path"));
-var import_os18 = __toESM(require("os"));
+var import_fs21 = __toESM(require("fs"));
+var import_path23 = __toESM(require("path"));
+var import_os19 = __toESM(require("os"));
 var import_prompts3 = require("@inquirer/prompts");
 
 // src/utils/duration.ts
@@ -6089,9 +6568,9 @@ async function autoStartDaemonAndWait() {
 
 // src/cli/commands/check.ts
 var import_chalk5 = __toESM(require("chalk"));
-var import_fs14 = __toESM(require("fs"));
-var import_path15 = __toESM(require("path"));
-var import_os12 = __toESM(require("os"));
+var import_fs15 = __toESM(require("fs"));
+var import_path17 = __toESM(require("path"));
+var import_os13 = __toESM(require("os"));
 init_orchestrator();
 init_daemon();
 init_config();
@@ -6100,25 +6579,25 @@ init_policy();
 // src/undo.ts
 var import_child_process8 = require("child_process");
 var import_crypto5 = __toESM(require("crypto"));
-var import_fs13 = __toESM(require("fs"));
-var import_path14 = __toESM(require("path"));
-var import_os11 = __toESM(require("os"));
-var SNAPSHOT_STACK_PATH = import_path14.default.join(import_os11.default.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = import_path14.default.join(import_os11.default.homedir(), ".node9", "undo_latest.txt");
+var import_fs14 = __toESM(require("fs"));
+var import_path16 = __toESM(require("path"));
+var import_os12 = __toESM(require("os"));
+var SNAPSHOT_STACK_PATH = import_path16.default.join(import_os12.default.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = import_path16.default.join(import_os12.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (import_fs13.default.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(import_fs13.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (import_fs14.default.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(import_fs14.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = import_path14.default.dirname(SNAPSHOT_STACK_PATH);
-  if (!import_fs13.default.existsSync(dir)) import_fs13.default.mkdirSync(dir, { recursive: true });
-  import_fs13.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = import_path16.default.dirname(SNAPSHOT_STACK_PATH);
+  if (!import_fs14.default.existsSync(dir)) import_fs14.default.mkdirSync(dir, { recursive: true });
+  import_fs14.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -6134,7 +6613,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = import_fs13.default.realpathSync(cwd);
+    normalized = import_fs14.default.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -6144,16 +6623,16 @@ function normalizeCwdForHash(cwd) {
 }
 function getShadowRepoDir(cwd) {
   const hash = import_crypto5.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return import_path14.default.join(import_os11.default.homedir(), ".node9", "snapshots", hash);
+  return import_path16.default.join(import_os12.default.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of import_fs13.default.readdirSync(shadowDir)) {
+    for (const f of import_fs14.default.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = import_path14.default.join(shadowDir, f);
+        const fp = import_path16.default.join(shadowDir, f);
         try {
-          if (import_fs13.default.statSync(fp).mtimeMs < cutoff) import_fs13.default.unlinkSync(fp);
+          if (import_fs14.default.statSync(fp).mtimeMs < cutoff) import_fs14.default.unlinkSync(fp);
         } catch {
         }
       }
@@ -6165,7 +6644,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    import_fs13.default.writeFileSync(import_path14.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    import_fs14.default.writeFileSync(import_path16.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -6178,25 +6657,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = import_path14.default.join(shadowDir, "project-path.txt");
+    const ptPath = import_path16.default.join(shadowDir, "project-path.txt");
     try {
-      const stored = import_fs13.default.readFileSync(ptPath, "utf8").trim();
+      const stored = import_fs14.default.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      import_fs13.default.rmSync(shadowDir, { recursive: true, force: true });
+      import_fs14.default.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        import_fs13.default.writeFileSync(ptPath, normalizedCwd, "utf8");
+        import_fs14.default.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    import_fs13.default.mkdirSync(shadowDir, { recursive: true });
+    import_fs14.default.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = (0, import_child_process8.spawnSync)("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -6205,7 +6684,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = import_path14.default.join(shadowDir, "config");
+  const configFile = import_path16.default.join(shadowDir, "config");
   (0, import_child_process8.spawnSync)("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -6213,7 +6692,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    import_fs13.default.writeFileSync(import_path14.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    import_fs14.default.writeFileSync(import_path16.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -6236,7 +6715,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = import_path14.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = import_path16.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -6265,7 +6744,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    import_fs13.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    import_fs14.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       (0, import_child_process8.spawn)("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -6276,7 +6755,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        import_fs13.default.unlinkSync(indexFile);
+        import_fs14.default.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -6345,9 +6824,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = import_path14.default.join(dir, file);
-      if (!snapshotFiles.has(file) && import_fs13.default.existsSync(fullPath)) {
-        import_fs13.default.unlinkSync(fullPath);
+      const fullPath = import_path16.default.join(dir, file);
+      if (!snapshotFiles.has(file) && import_fs14.default.existsSync(fullPath)) {
+        import_fs14.default.unlinkSync(fullPath);
       }
     }
     return true;
@@ -6371,9 +6850,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = import_path15.default.join(import_os12.default.homedir(), ".node9", "hook-debug.log");
+            const logPath = import_path17.default.join(import_os13.default.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            import_fs14.default.appendFileSync(
+            import_fs15.default.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -6384,10 +6863,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = import_path15.default.join(import_os12.default.homedir(), ".node9", "hook-debug.log");
-          if (!import_fs14.default.existsSync(import_path15.default.dirname(logPath)))
-            import_fs14.default.mkdirSync(import_path15.default.dirname(logPath), { recursive: true });
-          import_fs14.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = import_path17.default.join(import_os13.default.homedir(), ".node9", "hook-debug.log");
+          if (!import_fs15.default.existsSync(import_path17.default.dirname(logPath)))
+            import_fs15.default.mkdirSync(import_path17.default.dirname(logPath), { recursive: true });
+          import_fs15.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -6400,8 +6879,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = import_fs14.default.openSync("/dev/tty", "w");
-            const writeTty = (line) => import_fs14.default.writeSync(ttyFd, line + "\n");
+            ttyFd = import_fs15.default.openSync("/dev/tty", "w");
+            const writeTty = (line) => import_fs15.default.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(import_chalk5.default.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -6417,7 +6896,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                import_fs14.default.closeSync(ttyFd);
+                import_fs15.default.closeSync(ttyFd);
               } catch {
               }
           }
@@ -6448,7 +6927,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && import_path15.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && import_path17.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -6460,12 +6939,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = import_fs14.default.openSync("/dev/tty", "w");
-            import_fs14.default.writeSync(
+            const tty = import_fs15.default.openSync("/dev/tty", "w");
+            import_fs15.default.writeSync(
               tty,
               import_chalk5.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            import_fs14.default.closeSync(tty);
+            import_fs15.default.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -6492,9 +6971,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = import_path15.default.join(import_os12.default.homedir(), ".node9", "hook-debug.log");
+          const logPath = import_path17.default.join(import_os13.default.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          import_fs14.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          import_fs15.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -6528,9 +7007,9 @@ RAW: ${raw}
 }
 
 // src/cli/commands/log.ts
-var import_fs15 = __toESM(require("fs"));
-var import_path16 = __toESM(require("path"));
-var import_os13 = __toESM(require("os"));
+var import_fs16 = __toESM(require("fs"));
+var import_path18 = __toESM(require("path"));
+var import_os14 = __toESM(require("os"));
 init_audit();
 init_config();
 init_policy();
@@ -6552,11 +7031,11 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = import_path16.default.join(import_os13.default.homedir(), ".node9", "audit.log");
-        if (!import_fs15.default.existsSync(import_path16.default.dirname(logPath)))
-          import_fs15.default.mkdirSync(import_path16.default.dirname(logPath), { recursive: true });
-        import_fs15.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && import_path16.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = import_path18.default.join(import_os14.default.homedir(), ".node9", "audit.log");
+        if (!import_fs16.default.existsSync(import_path18.default.dirname(logPath)))
+          import_fs16.default.mkdirSync(import_path18.default.dirname(logPath), { recursive: true });
+        import_fs16.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        const safeCwd = typeof payload.cwd === "string" && import_path18.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -6565,9 +7044,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = import_path16.default.join(import_os13.default.homedir(), ".node9", "hook-debug.log");
+        const debugPath = import_path18.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
         try {
-          import_fs15.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          import_fs16.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -6871,14 +7350,14 @@ function registerConfigShowCommand(program2) {
 
 // src/cli/commands/doctor.ts
 var import_chalk7 = __toESM(require("chalk"));
-var import_fs16 = __toESM(require("fs"));
-var import_path17 = __toESM(require("path"));
-var import_os14 = __toESM(require("os"));
+var import_fs17 = __toESM(require("fs"));
+var import_path19 = __toESM(require("path"));
+var import_os15 = __toESM(require("os"));
 var import_child_process9 = require("child_process");
 init_daemon();
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = import_os14.default.homedir();
+    const homeDir2 = import_os15.default.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(import_chalk7.default.green("  \u2705 ") + msg);
@@ -6927,10 +7406,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = import_path17.default.join(homeDir2, ".node9", "config.json");
-    if (import_fs16.default.existsSync(globalConfigPath)) {
+    const globalConfigPath = import_path19.default.join(homeDir2, ".node9", "config.json");
+    if (import_fs17.default.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(import_fs16.default.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(import_fs17.default.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -6938,10 +7417,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = import_path17.default.join(process.cwd(), "node9.config.json");
-    if (import_fs16.default.existsSync(projectConfigPath)) {
+    const projectConfigPath = import_path19.default.join(process.cwd(), "node9.config.json");
+    if (import_fs17.default.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(import_fs16.default.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(import_fs17.default.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -6950,8 +7429,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = import_path17.default.join(homeDir2, ".node9", "credentials.json");
-    if (import_fs16.default.existsSync(credsPath)) {
+    const credsPath = import_path19.default.join(homeDir2, ".node9", "credentials.json");
+    if (import_fs17.default.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -6960,10 +7439,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = import_path17.default.join(homeDir2, ".claude", "settings.json");
-    if (import_fs16.default.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = import_path19.default.join(homeDir2, ".claude", "settings.json");
+    if (import_fs17.default.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(import_fs16.default.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(import_fs17.default.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6979,10 +7458,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = import_path17.default.join(homeDir2, ".gemini", "settings.json");
-    if (import_fs16.default.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = import_path19.default.join(homeDir2, ".gemini", "settings.json");
+    if (import_fs17.default.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(import_fs16.default.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(import_fs17.default.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6998,10 +7477,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = import_path17.default.join(homeDir2, ".cursor", "hooks.json");
-    if (import_fs16.default.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = import_path19.default.join(homeDir2, ".cursor", "hooks.json");
+    if (import_fs17.default.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(import_fs16.default.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(import_fs17.default.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -7039,9 +7518,9 @@ function registerDoctorCommand(program2, version2) {
 
 // src/cli/commands/audit.ts
 var import_chalk8 = __toESM(require("chalk"));
-var import_fs17 = __toESM(require("fs"));
-var import_path18 = __toESM(require("path"));
-var import_os15 = __toESM(require("os"));
+var import_fs18 = __toESM(require("fs"));
+var import_path20 = __toESM(require("path"));
+var import_os16 = __toESM(require("os"));
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -7054,14 +7533,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = import_path18.default.join(import_os15.default.homedir(), ".node9", "audit.log");
-    if (!import_fs17.default.existsSync(logPath)) {
+    const logPath = import_path20.default.join(import_os16.default.homedir(), ".node9", "audit.log");
+    if (!import_fs18.default.existsSync(logPath)) {
       console.log(
         import_chalk8.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = import_fs17.default.readFileSync(logPath, "utf-8");
+    const raw = import_fs18.default.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -7179,9 +7658,9 @@ function registerDaemonCommand(program2) {
 
 // src/cli/commands/status.ts
 var import_chalk10 = __toESM(require("chalk"));
-var import_fs18 = __toESM(require("fs"));
-var import_path19 = __toESM(require("path"));
-var import_os16 = __toESM(require("os"));
+var import_fs19 = __toESM(require("fs"));
+var import_path21 = __toESM(require("path"));
+var import_os17 = __toESM(require("os"));
 init_core();
 init_daemon();
 function registerStatusCommand(program2) {
@@ -7218,13 +7697,13 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? import_chalk10.default.blue("audit") : settings.mode === "strict" ? import_chalk10.default.red("strict") : import_chalk10.default.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = import_path19.default.join(process.cwd(), "node9.config.json");
-    const globalConfig = import_path19.default.join(import_os16.default.homedir(), ".node9", "config.json");
+    const projectConfig = import_path21.default.join(process.cwd(), "node9.config.json");
+    const globalConfig = import_path21.default.join(import_os17.default.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${import_fs18.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Local:   ${import_fs19.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${import_fs18.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Global:  ${import_fs19.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
@@ -7403,6 +7882,7 @@ var import_chalk13 = __toESM(require("chalk"));
 var import_child_process12 = require("child_process");
 var import_execa3 = require("execa");
 init_orchestrator();
+init_provenance();
 function sanitize4(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7415,7 +7895,7 @@ function extractMcpServer(toolName) {
   const match = toolName.match(/^mcp__([^_](?:[^_]|_(?!_))*?)__/i);
   return match?.[1];
 }
-function tokenize2(cmd) {
+function tokenize3(cmd) {
   const tokens = [];
   let current = "";
   let inDouble = false;
@@ -7450,7 +7930,7 @@ function tokenize2(cmd) {
   return tokens;
 }
 async function runMcpGateway(upstreamCommand) {
-  const commandParts = tokenize2(upstreamCommand);
+  const commandParts = tokenize3(upstreamCommand);
   const cmd = commandParts[0];
   const cmdArgs = commandParts.slice(1);
   let executable = cmd;
@@ -7459,6 +7939,15 @@ async function runMcpGateway(upstreamCommand) {
     if (stdout) executable = stdout.trim();
   } catch {
   }
+  const prov = checkProvenance(executable);
+  if (prov.trustLevel === "suspect") {
+    console.error(
+      import_chalk13.default.red(
+        `\u26A0\uFE0F  Node9: Upstream MCP server binary is suspect \u2014 ${prov.reason} (${prov.resolvedPath})`
+      )
+    );
+    console.error(import_chalk13.default.red("   Verify this binary is trusted before proceeding."));
+  }
   console.error(import_chalk13.default.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
   const UPSTREAM_INJECTOR_VARS = /* @__PURE__ */ new Set([
     "NODE_OPTIONS",
@@ -7600,20 +8089,20 @@ function registerMcpGatewayCommand(program2) {
 
 // src/cli.ts
 var { version } = JSON.parse(
-  import_fs20.default.readFileSync(import_path21.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs21.default.readFileSync(import_path23.default.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new import_commander.Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path21.default.join(import_os18.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs20.default.existsSync(import_path21.default.dirname(credPath)))
-    import_fs20.default.mkdirSync(import_path21.default.dirname(credPath), { recursive: true });
+  const credPath = import_path23.default.join(import_os19.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs21.default.existsSync(import_path23.default.dirname(credPath)))
+    import_fs21.default.mkdirSync(import_path23.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (import_fs20.default.existsSync(credPath)) {
-      const raw = JSON.parse(import_fs20.default.readFileSync(credPath, "utf-8"));
+    if (import_fs21.default.existsSync(credPath)) {
+      const raw = JSON.parse(import_fs21.default.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -7625,13 +8114,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  import_fs20.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  import_fs21.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path21.default.join(import_os18.default.homedir(), ".node9", "config.json");
+    const configPath = import_path23.default.join(import_os19.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (import_fs20.default.existsSync(configPath))
-        config = JSON.parse(import_fs20.default.readFileSync(configPath, "utf-8"));
+      if (import_fs21.default.existsSync(configPath))
+        config = JSON.parse(import_fs21.default.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -7646,9 +8135,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!import_fs20.default.existsSync(import_path21.default.dirname(configPath)))
-      import_fs20.default.mkdirSync(import_path21.default.dirname(configPath), { recursive: true });
-    import_fs20.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!import_fs21.default.existsSync(import_path23.default.dirname(configPath)))
+      import_fs21.default.mkdirSync(import_path23.default.dirname(configPath), { recursive: true });
+    import_fs21.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(import_chalk15.default.green(`\u2705 Profile "${profileName}" saved`));
@@ -7734,15 +8223,15 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     }
   }
   if (options.purge) {
-    const node9Dir = import_path21.default.join(import_os18.default.homedir(), ".node9");
-    if (import_fs20.default.existsSync(node9Dir)) {
+    const node9Dir = import_path23.default.join(import_os19.default.homedir(), ".node9");
+    if (import_fs21.default.existsSync(node9Dir)) {
       const confirmed = await (0, import_prompts3.confirm)({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        import_fs20.default.rmSync(node9Dir, { recursive: true });
-        if (import_fs20.default.existsSync(node9Dir)) {
+        import_fs21.default.rmSync(node9Dir, { recursive: true });
+        if (import_fs21.default.existsSync(node9Dir)) {
           console.error(
             import_chalk15.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
@@ -7842,8 +8331,8 @@ program.command("explain").description(
   console.log("");
 });
 program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = import_path21.default.join(import_os18.default.homedir(), ".node9", "config.json");
-  if (import_fs20.default.existsSync(configPath) && !options.force) {
+  const configPath = import_path23.default.join(import_os19.default.homedir(), ".node9", "config.json");
+  if (import_fs21.default.existsSync(configPath) && !options.force) {
     console.log(import_chalk15.default.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(import_chalk15.default.gray(`   Run with --force to overwrite.`));
     return;
@@ -7857,9 +8346,9 @@ program.command("init").description("Create ~/.node9/config.json with default po
       mode: safeMode
     }
   };
-  const dir = import_path21.default.dirname(configPath);
-  if (!import_fs20.default.existsSync(dir)) import_fs20.default.mkdirSync(dir, { recursive: true });
-  import_fs20.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+  const dir = import_path23.default.dirname(configPath);
+  if (!import_fs21.default.existsSync(dir)) import_fs21.default.mkdirSync(dir, { recursive: true });
+  import_fs21.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(import_chalk15.default.green(`\u2705 Global config created: ${configPath}`));
   console.log(import_chalk15.default.cyan(`   Mode set to: ${safeMode}`));
   console.log(
@@ -7977,9 +8466,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = import_path21.default.join(import_os18.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path23.default.join(import_os19.default.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        import_fs20.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        import_fs21.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);