npm - @node9/proxy - Versions diffs - 1.3.1 → 1.3.2 - Mend

@node9/proxy 1.3.1 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -94,8 +94,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path22 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path22}: ${issue.message}`;
+    const path24 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path24}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -1157,13 +1157,445 @@ var init_dlp = __esm({
   }
 });
-// src/policy/index.ts
+// src/utils/provenance.ts
 import fs5 from "fs";
 import path5 from "path";
 import os4 from "os";
+function findInPath(cmd) {
+  if (path5.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(path5.delimiter)) {
+    if (!dir) continue;
+    const full = path5.join(dir, cmd);
+    try {
+      fs5.accessSync(full, fs5.constants.X_OK);
+      return full;
+    } catch {
+    }
+  }
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = os4.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (path5.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
+    }
+  }
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = fs5.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
+  }
+  try {
+    const stat = fs5.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
+    }
+  } catch {
+    return {
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
+    };
+  }
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+var SYSTEM_PREFIXES, MANAGED_PREFIXES, USER_PREFIXES, SUSPECT_PREFIXES;
+var init_provenance = __esm({
+  "src/utils/provenance.ts"() {
+    "use strict";
+    SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+    MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+    USER_PREFIXES = [
+      path5.join(os4.homedir(), "bin"),
+      path5.join(os4.homedir(), ".local", "bin"),
+      path5.join(os4.homedir(), ".cargo", "bin"),
+      path5.join(os4.homedir(), ".npm-global", "bin"),
+      path5.join(os4.homedir(), ".volta", "bin")
+    ];
+    SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+  }
+});
+// src/policy/pipe-chain.ts
+function isSensitivePath(p) {
+  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+}
+function splitOnPipe(cmd) {
+  const segments = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
+      segments.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments.filter(Boolean);
+}
+function positionalTokens(segment) {
+  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
+}
+function analyzePipeChain(command) {
+  const segments = splitOnPipe(command);
+  if (segments.length < 2) {
+    return {
+      isPipeline: false,
+      hasSensitiveSource: false,
+      hasExternalSink: false,
+      hasObfuscation: false,
+      sourceFiles: [],
+      sinkTargets: [],
+      risk: "none"
+    };
+  }
+  const sourceFiles = [];
+  const sinkTargets = [];
+  let hasSensitiveSource = false;
+  let hasExternalSink = false;
+  let hasObfuscation = false;
+  for (const segment of segments) {
+    const tokens = segment.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0) continue;
+    const binary = tokens[0].toLowerCase();
+    const args = positionalTokens(segment);
+    if (SOURCE_COMMANDS.has(binary)) {
+      sourceFiles.push(...args);
+      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+    }
+    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
+    if (SINK_COMMANDS.has(binary)) {
+      const targets = args.filter(
+        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
+      );
+      sinkTargets.push(...targets);
+      if (targets.length > 0) hasExternalSink = true;
+    }
+  }
+  const fullCmd = command.toLowerCase();
+  if (!hasSensitiveSource) {
+    const redirMatch = fullCmd.match(/<\s*(\S+)/);
+    if (redirMatch && isSensitivePath(redirMatch[1])) {
+      hasSensitiveSource = true;
+      sourceFiles.push(redirMatch[1]);
+    }
+  }
+  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
+  return {
+    isPipeline: true,
+    hasSensitiveSource,
+    hasExternalSink,
+    hasObfuscation,
+    sourceFiles,
+    sinkTargets,
+    risk
+  };
+}
+var SOURCE_COMMANDS, SINK_COMMANDS, OBFUSCATORS, SENSITIVE_PATTERNS;
+var init_pipe_chain = __esm({
+  "src/policy/pipe-chain.ts"() {
+    "use strict";
+    SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+      "cat",
+      "head",
+      "tail",
+      "grep",
+      "awk",
+      "sed",
+      "cut",
+      "sort",
+      "tee",
+      "less",
+      "more",
+      "strings",
+      "xxd"
+    ]);
+    SINK_COMMANDS = /* @__PURE__ */ new Set([
+      "curl",
+      "wget",
+      "nc",
+      "ncat",
+      "netcat",
+      "ssh",
+      "scp",
+      "rsync",
+      "socat",
+      "ftp",
+      "sftp",
+      "telnet"
+    ]);
+    OBFUSCATORS = /* @__PURE__ */ new Set([
+      "base64",
+      "gzip",
+      "gunzip",
+      "bzip2",
+      "xz",
+      "zstd",
+      "openssl",
+      "gpg",
+      "python",
+      "python3",
+      "perl",
+      "ruby",
+      "node"
+    ]);
+    SENSITIVE_PATTERNS = [
+      /(?:^|\/)\.env(?:\.|$)/i,
+      // .env, .env.local, .env.production
+      /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
+      // SSH private keys
+      /\.pem$|\.key$|\.p12$|\.pfx$/i,
+      // certificate files
+      /(?:^|\/)\.ssh\//i,
+      // ~/.ssh/ directory
+      /(?:^|\/)\.aws\/credentials/i,
+      // AWS credentials
+      /(?:^|\/)\.netrc$/i,
+      // netrc (stores HTTP credentials)
+      /(?:^|\/)(passwd|shadow|sudoers)$/i,
+      // /etc/passwd, /etc/shadow
+      /(?:^|\/)credentials(?:\.json)?$/i
+      // generic credentials files
+    ];
+  }
+});
+// src/policy/flag-tables.ts
+import path6 from "path";
+function extractPositionalArgs(tokens, binary) {
+  const binaryName = path6.basename(binary).replace(/\.exe$/i, "");
+  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
+  const positional = [];
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (token.startsWith("--") && token.includes("=")) continue;
+    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    if (token.startsWith("--") && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    const shortFlag = token.slice(0, 2);
+    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
+    if (token.startsWith("-")) continue;
+    if (token.startsWith("@")) continue;
+    positional.push(token);
+  }
+  return positional;
+}
+function extractNetworkTargets(tokens, binary) {
+  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
+    const colonIdx = t.indexOf(":");
+    if (colonIdx === -1) return t;
+    const afterColon = t.slice(colonIdx + 1);
+    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
+    return t;
+  }).filter(Boolean);
+}
+var FLAGS_WITH_VALUES;
+var init_flag_tables = __esm({
+  "src/policy/flag-tables.ts"() {
+    "use strict";
+    FLAGS_WITH_VALUES = {
+      curl: /* @__PURE__ */ new Set([
+        "-H",
+        "--header",
+        "-A",
+        "--user-agent",
+        "-e",
+        "--referer",
+        "-x",
+        "--proxy",
+        "-u",
+        "--user",
+        "-d",
+        "--data",
+        "--data-raw",
+        "--data-binary",
+        "-o",
+        "--output",
+        "-F",
+        "--form",
+        "--connect-to",
+        "--resolve",
+        "--cacert",
+        "--cert",
+        "--key",
+        "-m",
+        "--max-time"
+      ]),
+      wget: /* @__PURE__ */ new Set([
+        "-O",
+        "--output-document",
+        "-P",
+        "--directory-prefix",
+        "-U",
+        "--user-agent",
+        "-e",
+        "--execute",
+        "--proxy",
+        "--ca-certificate"
+      ]),
+      nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
+      ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
+      netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
+      ssh: /* @__PURE__ */ new Set([
+        "-i",
+        "-l",
+        "-p",
+        "-o",
+        "-E",
+        "-F",
+        "-J",
+        "-L",
+        "-R",
+        "-W",
+        "-b",
+        "-c",
+        "-D",
+        "-e",
+        "-I",
+        "-S"
+      ]),
+      scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
+      rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
+      socat: /* @__PURE__ */ new Set([])
+      // socat uses address syntax, not flags — no value-flags
+    };
+  }
+});
+// src/policy/ssh-parser.ts
+function tokenize(cmd) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (const ch of cmd) {
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function parseHost(raw) {
+  return raw.split("@").pop().split(":")[0];
+}
+function extractAllSshHosts(tokens) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i];
+    if (t === "-J" && tokens[i + 1]) {
+      for (const hop of tokens[++i].split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
+      const val = tokens[++i].split("=").slice(1).join("=");
+      for (const hop of val.split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
+      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
+      const subTokens = tokenize(raw);
+      const binary = subTokens[0] ?? "";
+      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
+      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
+      continue;
+    }
+    if (!t.startsWith("-")) {
+      const h = parseHost(t);
+      if (h) hosts.add(h);
+    }
+  }
+  return [...hosts].filter(Boolean);
+}
+var init_ssh_parser = __esm({
+  "src/policy/ssh-parser.ts"() {
+    "use strict";
+    init_flag_tables();
+  }
+});
+// src/policy/index.ts
+import fs6 from "fs";
+import path7 from "path";
+import os5 from "os";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
-function tokenize(toolName) {
+function tokenize2(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
 function matchesPattern(text, patterns) {
@@ -1176,9 +1608,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path22) {
+function getNestedValue(obj, path24) {
   if (!obj || typeof obj !== "object") return null;
-  return path22.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path24.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1313,7 +1745,7 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
-async function evaluatePolicy(toolName, args, agent) {
+async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
@@ -1343,11 +1775,55 @@ async function evaluatePolicy(toolName, args, agent) {
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline) {
+      if (pipeAnalysis.risk === "critical") {
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${pipeAnalysis.sinkTargets.join(", ")}`,
+          tier: 3
+        };
+      }
+      if (pipeAnalysis.risk === "high") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+          reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${pipeAnalysis.sinkTargets.join(", ")}`,
+          tier: 3
+        };
+      }
+    }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
+    }
+    if (firstToken && path7.posix.isAbsolute(firstToken)) {
+      const prov = checkProvenance(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+    }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -1421,9 +1897,9 @@ async function evaluatePolicy(toolName, args, agent) {
 }
 async function explainPolicy(toolName, args) {
   const steps = [];
-  const globalPath = path5.join(os4.homedir(), ".node9", "config.json");
-  const projectPath = path5.join(process.cwd(), "node9.config.json");
-  const credsPath = path5.join(os4.homedir(), ".node9", "credentials.json");
+  const globalPath = path7.join(os5.homedir(), ".node9", "config.json");
+  const projectPath = path7.join(process.cwd(), "node9.config.json");
+  const credsPath = path7.join(os5.homedir(), ".node9", "credentials.json");
   const waterfall = [
     {
       tier: 1,
@@ -1434,19 +1910,19 @@ async function explainPolicy(toolName, args) {
     {
       tier: 2,
       label: "Cloud policy",
-      status: fs5.existsSync(credsPath) ? "active" : "missing",
-      note: fs5.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
+      status: fs6.existsSync(credsPath) ? "active" : "missing",
+      note: fs6.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
     },
     {
       tier: 3,
       label: "Project config",
-      status: fs5.existsSync(projectPath) ? "active" : "missing",
+      status: fs6.existsSync(projectPath) ? "active" : "missing",
       path: projectPath
     },
     {
       tier: 4,
       label: "Global config",
-      status: fs5.existsSync(globalPath) ? "active" : "missing",
+      status: fs6.existsSync(globalPath) ? "active" : "missing",
       path: globalPath
     },
     {
@@ -1578,7 +2054,7 @@ async function explainPolicy(toolName, args) {
       });
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     let detail = `No toolInspection match for "${toolName}" \u2014 tokens: [${allTokens.join(", ")}]`;
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
@@ -1690,21 +2166,24 @@ var init_policy = __esm({
     init_dlp();
     init_config();
     init_regex();
+    init_provenance();
+    init_pipe_chain();
+    init_ssh_parser();
     SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
   }
 });
 // src/auth/state.ts
-import fs6 from "fs";
-import path6 from "path";
-import os5 from "os";
+import fs7 from "fs";
+import path8 from "path";
+import os6 from "os";
 function checkPause() {
   try {
-    if (!fs6.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs6.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!fs7.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs7.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        fs6.unlinkSync(PAUSED_FILE);
+        fs7.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -1715,11 +2194,11 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path6.dirname(filePath);
-  if (!fs6.existsSync(dir)) fs6.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${os5.hostname()}.${process.pid}.tmp`;
-  fs6.writeFileSync(tmpPath, data, options);
-  fs6.renameSync(tmpPath, filePath);
+  const dir = path8.dirname(filePath);
+  if (!fs7.existsSync(dir)) fs7.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${os6.hostname()}.${process.pid}.tmp`;
+  fs7.writeFileSync(tmpPath, data, options);
+  fs7.renameSync(tmpPath, filePath);
 }
 function pauseNode9(durationMs, durationStr) {
   const state = { expiry: Date.now() + durationMs, duration: durationStr };
@@ -1727,18 +2206,18 @@ function pauseNode9(durationMs, durationStr) {
 }
 function resumeNode9() {
   try {
-    if (fs6.existsSync(PAUSED_FILE)) fs6.unlinkSync(PAUSED_FILE);
+    if (fs7.existsSync(PAUSED_FILE)) fs7.unlinkSync(PAUSED_FILE);
   } catch {
   }
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!fs6.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs6.readFileSync(TRUST_FILE, "utf-8"));
+    if (!fs7.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs7.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      fs6.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      fs7.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -1749,8 +2228,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs6.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs6.readFileSync(TRUST_FILE, "utf-8"));
+      if (fs7.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs7.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -1766,9 +2245,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path6.join(os5.homedir(), ".node9", "decisions.json");
-    if (!fs6.existsSync(file)) return null;
-    const decisions = JSON.parse(fs6.readFileSync(file, "utf-8"));
+    const file = path8.join(os6.homedir(), ".node9", "decisions.json");
+    if (!fs7.existsSync(file)) return null;
+    const decisions = JSON.parse(fs7.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
@@ -1780,21 +2259,21 @@ var init_state = __esm({
   "src/auth/state.ts"() {
     "use strict";
     init_policy();
-    PAUSED_FILE = path6.join(os5.homedir(), ".node9", "PAUSED");
-    TRUST_FILE = path6.join(os5.homedir(), ".node9", "trust.json");
+    PAUSED_FILE = path8.join(os6.homedir(), ".node9", "PAUSED");
+    TRUST_FILE = path8.join(os6.homedir(), ".node9", "trust.json");
   }
 });
 // src/auth/daemon.ts
-import fs7 from "fs";
-import path7 from "path";
-import os6 from "os";
+import fs8 from "fs";
+import path9 from "path";
+import os7 from "os";
 import { spawnSync } from "child_process";
 function getInternalToken() {
   try {
-    const pidFile = path7.join(os6.homedir(), ".node9", "daemon.pid");
-    if (!fs7.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs7.readFileSync(pidFile, "utf-8"));
+    const pidFile = path9.join(os7.homedir(), ".node9", "daemon.pid");
+    if (!fs8.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs8.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -1802,10 +2281,10 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = path7.join(os6.homedir(), ".node9", "daemon.pid");
-  if (fs7.existsSync(pidFile)) {
+  const pidFile = path9.join(os7.homedir(), ".node9", "daemon.pid");
+  if (fs8.existsSync(pidFile)) {
     try {
-      const { pid, port } = JSON.parse(fs7.readFileSync(pidFile, "utf-8"));
+      const { pid, port } = JSON.parse(fs8.readFileSync(pidFile, "utf-8"));
       if (port !== DAEMON_PORT) return false;
       process.kill(pid, 0);
       return true;
@@ -1908,7 +2387,7 @@ var init_daemon = __esm({
 });
 // src/context-sniper.ts
-import path8 from "path";
+import path10 from "path";
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -1960,7 +2439,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = path8.basename(editFilePath);
+        editFileName = path10.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -2017,7 +2496,7 @@ var init_context_sniper = __esm({
 // src/ui/native.ts
 import { spawn } from "child_process";
-import path9 from "path";
+import path11 from "path";
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -2036,7 +2515,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? path9.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? path11.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -2221,8 +2700,8 @@ var init_native = __esm({
 });
 // src/auth/cloud.ts
-import fs8 from "fs";
-import os7 from "os";
+import fs9 from "fs";
+import os8 from "os";
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2234,9 +2713,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: os7.hostname(),
+        hostname: os8.hostname(),
         cwd: process.cwd(),
-        platform: os7.platform()
+        platform: os8.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -2257,9 +2736,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: os7.hostname(),
+          hostname: os8.hostname(),
           cwd: process.cwd(),
-          platform: os7.platform()
+          platform: os8.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),
@@ -2315,14 +2794,14 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
     });
     clearTimeout(timer);
     if (!res.ok) {
-      fs8.appendFileSync(
+      fs9.appendFileSync(
         HOOK_DEBUG_LOG,
         `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
 `
       );
     }
   } catch (err) {
-    fs8.appendFileSync(
+    fs9.appendFileSync(
       HOOK_DEBUG_LOG,
       `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
 `
@@ -2338,8 +2817,8 @@ var init_cloud = __esm({
 // src/auth/orchestrator.ts
 import net from "net";
-import path10 from "path";
-import os8 from "os";
+import path12 from "path";
+import os9 from "os";
 import { randomUUID } from "crypto";
 function notifyActivity(data) {
   return new Promise((resolve) => {
@@ -2422,7 +2901,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         if (approvers.cloud && creds?.apiKey) {
@@ -2700,7 +3179,7 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
-    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path10.join(os8.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path12.join(os9.tmpdir(), "node9-activity.sock");
   }
 });
@@ -4172,9 +4651,9 @@ var init_ui2 = __esm({
 // src/daemon/state.ts
 import net2 from "net";
-import fs10 from "fs";
-import path12 from "path";
-import os10 from "os";
+import fs11 from "fs";
+import path14 from "path";
+import os11 from "os";
 import { spawn as spawn2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function getAbandonTimer() {
@@ -4199,11 +4678,11 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = path12.dirname(filePath);
-  if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
+  const dir = path14.dirname(filePath);
+  if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${randomUUID2()}.tmp`;
-  fs10.writeFileSync(tmpPath, data, options);
-  fs10.renameSync(tmpPath, filePath);
+  fs11.writeFileSync(tmpPath, data, options);
+  fs11.renameSync(tmpPath, filePath);
 }
 function redactArgs(value) {
   if (!value || typeof value !== "object") return value;
@@ -4223,16 +4702,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = path12.dirname(AUDIT_LOG_FILE);
-    if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
-    fs10.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = path14.dirname(AUDIT_LOG_FILE);
+    if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
+    fs11.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!fs10.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = fs10.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!fs11.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = fs11.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -4241,19 +4720,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (fs10.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (fs11.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return fs10.existsSync(CREDENTIALS_FILE);
+  return fs11.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (fs10.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(fs10.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (fs11.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(fs11.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4265,8 +4744,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs10.existsSync(TRUST_FILE2))
-        trust = JSON.parse(fs10.readFileSync(TRUST_FILE2, "utf-8"));
+      if (fs11.existsSync(TRUST_FILE2))
+        trust = JSON.parse(fs11.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -4277,8 +4756,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (fs10.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(fs10.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (fs11.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(fs11.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4343,7 +4822,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      fs10.unlinkSync(DAEMON_PID_FILE);
+      fs11.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -4354,7 +4833,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    fs10.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    fs11.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -4396,7 +4875,7 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      fs10.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      fs11.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
@@ -4406,13 +4885,13 @@ var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     init_daemon();
-    homeDir = os10.homedir();
-    DAEMON_PID_FILE = path12.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = path12.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = path12.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = path12.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = path12.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = path12.join(homeDir, ".node9", "credentials.json");
+    homeDir = os11.homedir();
+    DAEMON_PID_FILE = path14.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = path14.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = path14.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = path14.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = path14.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = path14.join(homeDir, ".node9", "credentials.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
     _abandonTimer = null;
@@ -4426,7 +4905,7 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path12.join(os10.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path14.join(os11.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
@@ -4435,8 +4914,8 @@ var init_state2 = __esm({
 // src/daemon/server.ts
 import http from "http";
-import fs11 from "fs";
-import path13 from "path";
+import fs12 from "fs";
+import path15 from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
 import chalk2 from "chalk";
@@ -4455,7 +4934,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          fs11.unlinkSync(DAEMON_PID_FILE);
+          fs12.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -4597,7 +5076,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && path13.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && path15.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -4901,14 +5380,14 @@ data: ${JSON.stringify(item.data)}
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (fs11.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(fs11.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (fs12.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(fs12.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          fs11.unlinkSync(DAEMON_PID_FILE);
+          fs12.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -4978,28 +5457,28 @@ var init_server = __esm({
 });
 // src/daemon/index.ts
-import fs12 from "fs";
+import fs13 from "fs";
 import chalk3 from "chalk";
 import { spawnSync as spawnSync3 } from "child_process";
 function stopDaemon() {
-  if (!fs12.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
+  if (!fs13.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(fs12.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(fs13.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(chalk3.green("\u2705 Stopped."));
   } catch {
     console.log(chalk3.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      fs12.unlinkSync(DAEMON_PID_FILE);
+      fs13.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (fs12.existsSync(DAEMON_PID_FILE)) {
+  if (fs13.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(fs12.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(fs13.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(chalk3.green("Node9 daemon: running"));
       return;
@@ -5034,9 +5513,9 @@ __export(tail_exports, {
 });
 import http2 from "http";
 import chalk14 from "chalk";
-import fs19 from "fs";
-import os17 from "os";
-import path20 from "path";
+import fs20 from "fs";
+import os18 from "os";
+import path22 from "path";
 import readline3 from "readline";
 import { spawn as spawn9, execSync as execSync3 } from "child_process";
 function getIcon(tool) {
@@ -5076,9 +5555,9 @@ function renderPending(activity) {
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (fs19.existsSync(PID_FILE)) {
+  if (fs20.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(fs19.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(fs20.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
       console.error(chalk14.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
@@ -5243,8 +5722,8 @@ async function startTail(options = {}) {
       process.stdout.write(SHOW_CURSOR);
       postDecisionHttp(req2.id, decision, csrfToken, port).catch((err) => {
         try {
-          fs19.appendFileSync(
-            path20.join(os17.homedir(), ".node9", "hook-debug.log"),
+          fs20.appendFileSync(
+            path22.join(os18.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
@@ -5435,7 +5914,7 @@ var init_tail = __esm({
     "use strict";
     init_daemon2();
     init_core();
-    PID_FILE = path20.join(os17.homedir(), ".node9", "daemon.pid");
+    PID_FILE = path22.join(os18.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -5473,9 +5952,9 @@ init_core();
 import { Command } from "commander";
 // src/setup.ts
-import fs9 from "fs";
-import path11 from "path";
-import os9 from "os";
+import fs10 from "fs";
+import path13 from "path";
+import os10 from "os";
 import chalk from "chalk";
 import { confirm } from "@inquirer/prompts";
 function printDaemonTip() {
@@ -5492,26 +5971,26 @@ function fullPathCommand(subcommand) {
 }
 function readJson(filePath) {
   try {
-    if (fs9.existsSync(filePath)) {
-      return JSON.parse(fs9.readFileSync(filePath, "utf-8"));
+    if (fs10.existsSync(filePath)) {
+      return JSON.parse(fs10.readFileSync(filePath, "utf-8"));
     }
   } catch {
   }
   return null;
 }
 function writeJson(filePath, data) {
-  const dir = path11.dirname(filePath);
-  if (!fs9.existsSync(dir)) fs9.mkdirSync(dir, { recursive: true });
-  fs9.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
+  const dir = path13.dirname(filePath);
+  if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
+  fs10.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
 }
 function isNode9Hook(cmd) {
   if (!cmd) return false;
   return /(?:^|[\s/\\])node9 (?:check|log)/.test(cmd) || /(?:^|[\s/\\])cli\.js (?:check|log)/.test(cmd);
 }
 function teardownClaude() {
-  const homeDir2 = os9.homedir();
-  const hooksPath = path11.join(homeDir2, ".claude", "settings.json");
-  const mcpPath = path11.join(homeDir2, ".claude.json");
+  const homeDir2 = os10.homedir();
+  const hooksPath = path13.join(homeDir2, ".claude", "settings.json");
+  const mcpPath = path13.join(homeDir2, ".claude.json");
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
@@ -5559,8 +6038,8 @@ function teardownClaude() {
   }
 }
 function teardownGemini() {
-  const homeDir2 = os9.homedir();
-  const settingsPath = path11.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = os10.homedir();
+  const settingsPath = path13.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath);
   if (!settings) {
     console.log(chalk.blue("  \u2139\uFE0F  ~/.gemini/settings.json not found \u2014 nothing to remove"));
@@ -5598,8 +6077,8 @@ function teardownGemini() {
   }
 }
 function teardownCursor() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = os10.homedir();
+  const mcpPath = path13.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath);
   if (!mcpConfig?.mcpServers) {
     console.log(chalk.blue("  \u2139\uFE0F  ~/.cursor/mcp.json not found \u2014 nothing to remove"));
@@ -5625,9 +6104,9 @@ function teardownCursor() {
   }
 }
 async function setupClaude() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".claude.json");
-  const hooksPath = path11.join(homeDir2, ".claude", "settings.json");
+  const homeDir2 = os10.homedir();
+  const mcpPath = path13.join(homeDir2, ".claude.json");
+  const hooksPath = path13.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
@@ -5701,8 +6180,8 @@ async function setupClaude() {
   }
 }
 async function setupGemini() {
-  const homeDir2 = os9.homedir();
-  const settingsPath = path11.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = os10.homedir();
+  const settingsPath = path13.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
   let anythingChanged = false;
@@ -5784,8 +6263,8 @@ async function setupGemini() {
   }
 }
 async function setupCursor() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = os10.homedir();
+  const mcpPath = path13.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath) ?? {};
   const servers = mcpConfig.mcpServers ?? {};
   let anythingChanged = false;
@@ -5842,9 +6321,9 @@ async function setupCursor() {
 // src/cli.ts
 init_daemon2();
 import chalk15 from "chalk";
-import fs20 from "fs";
-import path21 from "path";
-import os18 from "os";
+import fs21 from "fs";
+import path23 from "path";
+import os19 from "os";
 import { confirm as confirm3 } from "@inquirer/prompts";
 // src/utils/duration.ts
@@ -6069,32 +6548,32 @@ init_daemon();
 init_config();
 init_policy();
 import chalk5 from "chalk";
-import fs14 from "fs";
-import path15 from "path";
-import os12 from "os";
+import fs15 from "fs";
+import path17 from "path";
+import os13 from "os";
 // src/undo.ts
 import { spawnSync as spawnSync4, spawn as spawn5 } from "child_process";
 import crypto2 from "crypto";
-import fs13 from "fs";
-import path14 from "path";
-import os11 from "os";
-var SNAPSHOT_STACK_PATH = path14.join(os11.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = path14.join(os11.homedir(), ".node9", "undo_latest.txt");
+import fs14 from "fs";
+import path16 from "path";
+import os12 from "os";
+var SNAPSHOT_STACK_PATH = path16.join(os12.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = path16.join(os12.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (fs13.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(fs13.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (fs14.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(fs14.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = path14.dirname(SNAPSHOT_STACK_PATH);
-  if (!fs13.existsSync(dir)) fs13.mkdirSync(dir, { recursive: true });
-  fs13.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = path16.dirname(SNAPSHOT_STACK_PATH);
+  if (!fs14.existsSync(dir)) fs14.mkdirSync(dir, { recursive: true });
+  fs14.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -6110,7 +6589,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = fs13.realpathSync(cwd);
+    normalized = fs14.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -6120,16 +6599,16 @@ function normalizeCwdForHash(cwd) {
 }
 function getShadowRepoDir(cwd) {
   const hash = crypto2.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return path14.join(os11.homedir(), ".node9", "snapshots", hash);
+  return path16.join(os12.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of fs13.readdirSync(shadowDir)) {
+    for (const f of fs14.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = path14.join(shadowDir, f);
+        const fp = path16.join(shadowDir, f);
         try {
-          if (fs13.statSync(fp).mtimeMs < cutoff) fs13.unlinkSync(fp);
+          if (fs14.statSync(fp).mtimeMs < cutoff) fs14.unlinkSync(fp);
         } catch {
         }
       }
@@ -6141,7 +6620,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    fs13.writeFileSync(path14.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    fs14.writeFileSync(path16.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -6154,25 +6633,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = path14.join(shadowDir, "project-path.txt");
+    const ptPath = path16.join(shadowDir, "project-path.txt");
     try {
-      const stored = fs13.readFileSync(ptPath, "utf8").trim();
+      const stored = fs14.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      fs13.rmSync(shadowDir, { recursive: true, force: true });
+      fs14.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        fs13.writeFileSync(ptPath, normalizedCwd, "utf8");
+        fs14.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    fs13.mkdirSync(shadowDir, { recursive: true });
+    fs14.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = spawnSync4("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -6181,7 +6660,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = path14.join(shadowDir, "config");
+  const configFile = path16.join(shadowDir, "config");
   spawnSync4("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -6189,7 +6668,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    fs13.writeFileSync(path14.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    fs14.writeFileSync(path16.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -6212,7 +6691,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = path14.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = path16.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -6241,7 +6720,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    fs13.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    fs14.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       spawn5("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -6252,7 +6731,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        fs13.unlinkSync(indexFile);
+        fs14.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -6321,9 +6800,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = path14.join(dir, file);
-      if (!snapshotFiles.has(file) && fs13.existsSync(fullPath)) {
-        fs13.unlinkSync(fullPath);
+      const fullPath = path16.join(dir, file);
+      if (!snapshotFiles.has(file) && fs14.existsSync(fullPath)) {
+        fs14.unlinkSync(fullPath);
       }
     }
     return true;
@@ -6347,9 +6826,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
+            const logPath = path17.join(os13.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            fs14.appendFileSync(
+            fs15.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -6360,10 +6839,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
-          if (!fs14.existsSync(path15.dirname(logPath)))
-            fs14.mkdirSync(path15.dirname(logPath), { recursive: true });
-          fs14.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = path17.join(os13.homedir(), ".node9", "hook-debug.log");
+          if (!fs15.existsSync(path17.dirname(logPath)))
+            fs15.mkdirSync(path17.dirname(logPath), { recursive: true });
+          fs15.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -6376,8 +6855,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = fs14.openSync("/dev/tty", "w");
-            const writeTty = (line) => fs14.writeSync(ttyFd, line + "\n");
+            ttyFd = fs15.openSync("/dev/tty", "w");
+            const writeTty = (line) => fs15.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(chalk5.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -6393,7 +6872,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                fs14.closeSync(ttyFd);
+                fs15.closeSync(ttyFd);
               } catch {
               }
           }
@@ -6424,7 +6903,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && path15.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && path17.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -6436,12 +6915,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = fs14.openSync("/dev/tty", "w");
-            fs14.writeSync(
+            const tty = fs15.openSync("/dev/tty", "w");
+            fs15.writeSync(
               tty,
               chalk5.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            fs14.closeSync(tty);
+            fs15.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -6468,9 +6947,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
+          const logPath = path17.join(os13.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          fs14.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          fs15.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -6507,9 +6986,9 @@ RAW: ${raw}
 init_audit();
 init_config();
 init_policy();
-import fs15 from "fs";
-import path16 from "path";
-import os13 from "os";
+import fs16 from "fs";
+import path18 from "path";
+import os14 from "os";
 function sanitize3(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -6528,11 +7007,11 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = path16.join(os13.homedir(), ".node9", "audit.log");
-        if (!fs15.existsSync(path16.dirname(logPath)))
-          fs15.mkdirSync(path16.dirname(logPath), { recursive: true });
-        fs15.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && path16.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = path18.join(os14.homedir(), ".node9", "audit.log");
+        if (!fs16.existsSync(path18.dirname(logPath)))
+          fs16.mkdirSync(path18.dirname(logPath), { recursive: true });
+        fs16.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        const safeCwd = typeof payload.cwd === "string" && path18.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -6541,9 +7020,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = path16.join(os13.homedir(), ".node9", "hook-debug.log");
+        const debugPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
         try {
-          fs15.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          fs16.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -6848,13 +7327,13 @@ function registerConfigShowCommand(program2) {
 // src/cli/commands/doctor.ts
 init_daemon();
 import chalk7 from "chalk";
-import fs16 from "fs";
-import path17 from "path";
-import os14 from "os";
+import fs17 from "fs";
+import path19 from "path";
+import os15 from "os";
 import { execSync as execSync2 } from "child_process";
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = os14.homedir();
+    const homeDir2 = os15.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(chalk7.green("  \u2705 ") + msg);
@@ -6903,10 +7382,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = path17.join(homeDir2, ".node9", "config.json");
-    if (fs16.existsSync(globalConfigPath)) {
+    const globalConfigPath = path19.join(homeDir2, ".node9", "config.json");
+    if (fs17.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(fs16.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(fs17.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -6914,10 +7393,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = path17.join(process.cwd(), "node9.config.json");
-    if (fs16.existsSync(projectConfigPath)) {
+    const projectConfigPath = path19.join(process.cwd(), "node9.config.json");
+    if (fs17.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(fs16.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(fs17.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -6926,8 +7405,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = path17.join(homeDir2, ".node9", "credentials.json");
-    if (fs16.existsSync(credsPath)) {
+    const credsPath = path19.join(homeDir2, ".node9", "credentials.json");
+    if (fs17.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -6936,10 +7415,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = path17.join(homeDir2, ".claude", "settings.json");
-    if (fs16.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = path19.join(homeDir2, ".claude", "settings.json");
+    if (fs17.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(fs16.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(fs17.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6955,10 +7434,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = path17.join(homeDir2, ".gemini", "settings.json");
-    if (fs16.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = path19.join(homeDir2, ".gemini", "settings.json");
+    if (fs17.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(fs16.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(fs17.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6974,10 +7453,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = path17.join(homeDir2, ".cursor", "hooks.json");
-    if (fs16.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = path19.join(homeDir2, ".cursor", "hooks.json");
+    if (fs17.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(fs16.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(fs17.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -7015,9 +7494,9 @@ function registerDoctorCommand(program2, version2) {
 // src/cli/commands/audit.ts
 import chalk8 from "chalk";
-import fs17 from "fs";
-import path18 from "path";
-import os15 from "os";
+import fs18 from "fs";
+import path20 from "path";
+import os16 from "os";
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -7030,14 +7509,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = path18.join(os15.homedir(), ".node9", "audit.log");
-    if (!fs17.existsSync(logPath)) {
+    const logPath = path20.join(os16.homedir(), ".node9", "audit.log");
+    if (!fs18.existsSync(logPath)) {
       console.log(
         chalk8.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = fs17.readFileSync(logPath, "utf-8");
+    const raw = fs18.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -7157,9 +7636,9 @@ function registerDaemonCommand(program2) {
 init_core();
 init_daemon();
 import chalk10 from "chalk";
-import fs18 from "fs";
-import path19 from "path";
-import os16 from "os";
+import fs19 from "fs";
+import path21 from "path";
+import os17 from "os";
 function registerStatusCommand(program2) {
   program2.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
     const creds = getCredentials();
@@ -7194,13 +7673,13 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? chalk10.blue("audit") : settings.mode === "strict" ? chalk10.red("strict") : chalk10.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = path19.join(process.cwd(), "node9.config.json");
-    const globalConfig = path19.join(os16.homedir(), ".node9", "config.json");
+    const projectConfig = path21.join(process.cwd(), "node9.config.json");
+    const globalConfig = path21.join(os17.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${fs18.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
+      `  Local:   ${fs19.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${fs18.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
+      `  Global:  ${fs19.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
@@ -7379,6 +7858,7 @@ import readline2 from "readline";
 import chalk13 from "chalk";
 import { spawn as spawn8 } from "child_process";
 import { execa as execa2 } from "execa";
+init_provenance();
 function sanitize4(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7391,7 +7871,7 @@ function extractMcpServer(toolName) {
   const match = toolName.match(/^mcp__([^_](?:[^_]|_(?!_))*?)__/i);
   return match?.[1];
 }
-function tokenize2(cmd) {
+function tokenize3(cmd) {
   const tokens = [];
   let current = "";
   let inDouble = false;
@@ -7426,7 +7906,7 @@ function tokenize2(cmd) {
   return tokens;
 }
 async function runMcpGateway(upstreamCommand) {
-  const commandParts = tokenize2(upstreamCommand);
+  const commandParts = tokenize3(upstreamCommand);
   const cmd = commandParts[0];
   const cmdArgs = commandParts.slice(1);
   let executable = cmd;
@@ -7435,6 +7915,15 @@ async function runMcpGateway(upstreamCommand) {
     if (stdout) executable = stdout.trim();
   } catch {
   }
+  const prov = checkProvenance(executable);
+  if (prov.trustLevel === "suspect") {
+    console.error(
+      chalk13.red(
+        `\u26A0\uFE0F  Node9: Upstream MCP server binary is suspect \u2014 ${prov.reason} (${prov.resolvedPath})`
+      )
+    );
+    console.error(chalk13.red("   Verify this binary is trusted before proceeding."));
+  }
   console.error(chalk13.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
   const UPSTREAM_INJECTOR_VARS = /* @__PURE__ */ new Set([
     "NODE_OPTIONS",
@@ -7576,20 +8065,20 @@ function registerMcpGatewayCommand(program2) {
 // src/cli.ts
 var { version } = JSON.parse(
-  fs20.readFileSync(path21.join(__dirname, "../package.json"), "utf-8")
+  fs21.readFileSync(path23.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = path21.join(os18.homedir(), ".node9", "credentials.json");
-  if (!fs20.existsSync(path21.dirname(credPath)))
-    fs20.mkdirSync(path21.dirname(credPath), { recursive: true });
+  const credPath = path23.join(os19.homedir(), ".node9", "credentials.json");
+  if (!fs21.existsSync(path23.dirname(credPath)))
+    fs21.mkdirSync(path23.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (fs20.existsSync(credPath)) {
-      const raw = JSON.parse(fs20.readFileSync(credPath, "utf-8"));
+    if (fs21.existsSync(credPath)) {
+      const raw = JSON.parse(fs21.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -7601,13 +8090,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  fs20.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  fs21.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = path21.join(os18.homedir(), ".node9", "config.json");
+    const configPath = path23.join(os19.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (fs20.existsSync(configPath))
-        config = JSON.parse(fs20.readFileSync(configPath, "utf-8"));
+      if (fs21.existsSync(configPath))
+        config = JSON.parse(fs21.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -7622,9 +8111,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!fs20.existsSync(path21.dirname(configPath)))
-      fs20.mkdirSync(path21.dirname(configPath), { recursive: true });
-    fs20.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!fs21.existsSync(path23.dirname(configPath)))
+      fs21.mkdirSync(path23.dirname(configPath), { recursive: true });
+    fs21.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(chalk15.green(`\u2705 Profile "${profileName}" saved`));
@@ -7710,15 +8199,15 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     }
   }
   if (options.purge) {
-    const node9Dir = path21.join(os18.homedir(), ".node9");
-    if (fs20.existsSync(node9Dir)) {
+    const node9Dir = path23.join(os19.homedir(), ".node9");
+    if (fs21.existsSync(node9Dir)) {
       const confirmed = await confirm3({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        fs20.rmSync(node9Dir, { recursive: true });
-        if (fs20.existsSync(node9Dir)) {
+        fs21.rmSync(node9Dir, { recursive: true });
+        if (fs21.existsSync(node9Dir)) {
           console.error(
             chalk15.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
@@ -7818,8 +8307,8 @@ program.command("explain").description(
   console.log("");
 });
 program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = path21.join(os18.homedir(), ".node9", "config.json");
-  if (fs20.existsSync(configPath) && !options.force) {
+  const configPath = path23.join(os19.homedir(), ".node9", "config.json");
+  if (fs21.existsSync(configPath) && !options.force) {
     console.log(chalk15.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(chalk15.gray(`   Run with --force to overwrite.`));
     return;
@@ -7833,9 +8322,9 @@ program.command("init").description("Create ~/.node9/config.json with default po
       mode: safeMode
     }
   };
-  const dir = path21.dirname(configPath);
-  if (!fs20.existsSync(dir)) fs20.mkdirSync(dir, { recursive: true });
-  fs20.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+  const dir = path23.dirname(configPath);
+  if (!fs21.existsSync(dir)) fs21.mkdirSync(dir, { recursive: true });
+  fs21.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(chalk15.green(`\u2705 Global config created: ${configPath}`));
   console.log(chalk15.cyan(`   Mode set to: ${safeMode}`));
   console.log(
@@ -7953,9 +8442,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = path21.join(os18.homedir(), ".node9", "hook-debug.log");
+        const logPath = path23.join(os19.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        fs20.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        fs21.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);