@node9/proxy 1.3.1 → 1.4.0

package/dist/cli.mjs

@@ -94,8 +94,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path22 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path22}: ${issue.message}`;
+    const path25 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path25}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -1157,13 +1157,501 @@ var init_dlp = __esm({
   }
 });
 
-// src/policy/index.ts
+// src/utils/provenance.ts
 import fs5 from "fs";
 import path5 from "path";
 import os4 from "os";
+function findInPath(cmd) {
+  if (path5.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(path5.delimiter)) {
+    if (!dir) continue;
+    const full = path5.join(dir, cmd);
+    try {
+      fs5.accessSync(full, fs5.constants.X_OK);
+      return full;
+    } catch {
+    }
+  }
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = os4.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (path5.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
+    }
+  }
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = fs5.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
+  }
+  try {
+    const stat = fs5.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
+    }
+  } catch {
+    return {
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
+    };
+  }
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+var SYSTEM_PREFIXES, MANAGED_PREFIXES, USER_PREFIXES, SUSPECT_PREFIXES;
+var init_provenance = __esm({
+  "src/utils/provenance.ts"() {
+    "use strict";
+    SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+    MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+    USER_PREFIXES = [
+      path5.join(os4.homedir(), "bin"),
+      path5.join(os4.homedir(), ".local", "bin"),
+      path5.join(os4.homedir(), ".cargo", "bin"),
+      path5.join(os4.homedir(), ".npm-global", "bin"),
+      path5.join(os4.homedir(), ".volta", "bin")
+    ];
+    SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+  }
+});
+
+// src/policy/pipe-chain.ts
+function isSensitivePath(p) {
+  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+}
+function splitOnPipe(cmd) {
+  const segments = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
+      segments.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments.filter(Boolean);
+}
+function positionalTokens(segment) {
+  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
+}
+function analyzePipeChain(command) {
+  const segments = splitOnPipe(command);
+  if (segments.length < 2) {
+    return {
+      isPipeline: false,
+      hasSensitiveSource: false,
+      hasExternalSink: false,
+      hasObfuscation: false,
+      sourceFiles: [],
+      sinkTargets: [],
+      risk: "none"
+    };
+  }
+  const sourceFiles = [];
+  const sinkTargets = [];
+  let hasSensitiveSource = false;
+  let hasExternalSink = false;
+  let hasObfuscation = false;
+  for (const segment of segments) {
+    const tokens = segment.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0) continue;
+    const binary = tokens[0].toLowerCase();
+    const args = positionalTokens(segment);
+    if (SOURCE_COMMANDS.has(binary)) {
+      sourceFiles.push(...args);
+      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+    }
+    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
+    if (SINK_COMMANDS.has(binary)) {
+      const targets = args.filter(
+        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
+      );
+      sinkTargets.push(...targets);
+      if (targets.length > 0) hasExternalSink = true;
+    }
+  }
+  const fullCmd = command.toLowerCase();
+  if (!hasSensitiveSource) {
+    const redirMatch = fullCmd.match(/<\s*(\S+)/);
+    if (redirMatch && isSensitivePath(redirMatch[1])) {
+      hasSensitiveSource = true;
+      sourceFiles.push(redirMatch[1]);
+    }
+  }
+  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
+  return {
+    isPipeline: true,
+    hasSensitiveSource,
+    hasExternalSink,
+    hasObfuscation,
+    sourceFiles,
+    sinkTargets,
+    risk
+  };
+}
+var SOURCE_COMMANDS, SINK_COMMANDS, OBFUSCATORS, SENSITIVE_PATTERNS;
+var init_pipe_chain = __esm({
+  "src/policy/pipe-chain.ts"() {
+    "use strict";
+    SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+      "cat",
+      "head",
+      "tail",
+      "grep",
+      "awk",
+      "sed",
+      "cut",
+      "sort",
+      "tee",
+      "less",
+      "more",
+      "strings",
+      "xxd"
+    ]);
+    SINK_COMMANDS = /* @__PURE__ */ new Set([
+      "curl",
+      "wget",
+      "nc",
+      "ncat",
+      "netcat",
+      "ssh",
+      "scp",
+      "rsync",
+      "socat",
+      "ftp",
+      "sftp",
+      "telnet"
+    ]);
+    OBFUSCATORS = /* @__PURE__ */ new Set([
+      "base64",
+      "gzip",
+      "gunzip",
+      "bzip2",
+      "xz",
+      "zstd",
+      "openssl",
+      "gpg",
+      "python",
+      "python3",
+      "perl",
+      "ruby",
+      "node"
+    ]);
+    SENSITIVE_PATTERNS = [
+      /(?:^|\/)\.env(?:\.|$)/i,
+      // .env, .env.local, .env.production
+      /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
+      // SSH private keys
+      /\.pem$|\.key$|\.p12$|\.pfx$/i,
+      // certificate files
+      /(?:^|\/)\.ssh\//i,
+      // ~/.ssh/ directory
+      /(?:^|\/)\.aws\/credentials/i,
+      // AWS credentials
+      /(?:^|\/)\.netrc$/i,
+      // netrc (stores HTTP credentials)
+      /(?:^|\/)(passwd|shadow|sudoers)$/i,
+      // /etc/passwd, /etc/shadow
+      /(?:^|\/)credentials(?:\.json)?$/i
+      // generic credentials files
+    ];
+  }
+});
+
+// src/policy/flag-tables.ts
+import path6 from "path";
+function extractPositionalArgs(tokens, binary) {
+  const binaryName = path6.basename(binary).replace(/\.exe$/i, "");
+  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
+  const positional = [];
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (token.startsWith("--") && token.includes("=")) continue;
+    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    if (token.startsWith("--") && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    const shortFlag = token.slice(0, 2);
+    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
+    if (token.startsWith("-")) continue;
+    if (token.startsWith("@")) continue;
+    positional.push(token);
+  }
+  return positional;
+}
+function extractNetworkTargets(tokens, binary) {
+  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
+    const colonIdx = t.indexOf(":");
+    if (colonIdx === -1) return t;
+    const afterColon = t.slice(colonIdx + 1);
+    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
+    return t;
+  }).filter(Boolean);
+}
+var FLAGS_WITH_VALUES;
+var init_flag_tables = __esm({
+  "src/policy/flag-tables.ts"() {
+    "use strict";
+    FLAGS_WITH_VALUES = {
+      curl: /* @__PURE__ */ new Set([
+        "-H",
+        "--header",
+        "-A",
+        "--user-agent",
+        "-e",
+        "--referer",
+        "-x",
+        "--proxy",
+        "-u",
+        "--user",
+        "-d",
+        "--data",
+        "--data-raw",
+        "--data-binary",
+        "-o",
+        "--output",
+        "-F",
+        "--form",
+        "--connect-to",
+        "--resolve",
+        "--cacert",
+        "--cert",
+        "--key",
+        "-m",
+        "--max-time"
+      ]),
+      wget: /* @__PURE__ */ new Set([
+        "-O",
+        "--output-document",
+        "-P",
+        "--directory-prefix",
+        "-U",
+        "--user-agent",
+        "-e",
+        "--execute",
+        "--proxy",
+        "--ca-certificate"
+      ]),
+      nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
+      ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
+      netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
+      ssh: /* @__PURE__ */ new Set([
+        "-i",
+        "-l",
+        "-p",
+        "-o",
+        "-E",
+        "-F",
+        "-J",
+        "-L",
+        "-R",
+        "-W",
+        "-b",
+        "-c",
+        "-D",
+        "-e",
+        "-I",
+        "-S"
+      ]),
+      scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
+      rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
+      socat: /* @__PURE__ */ new Set([])
+      // socat uses address syntax, not flags — no value-flags
+    };
+  }
+});
+
+// src/policy/ssh-parser.ts
+function tokenize(cmd) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (const ch of cmd) {
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function parseHost(raw) {
+  return raw.split("@").pop().split(":")[0];
+}
+function extractAllSshHosts(tokens) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i];
+    if (t === "-J" && tokens[i + 1]) {
+      for (const hop of tokens[++i].split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
+      const val = tokens[++i].split("=").slice(1).join("=");
+      for (const hop of val.split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
+      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
+      const subTokens = tokenize(raw);
+      const binary = subTokens[0] ?? "";
+      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
+      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
+      continue;
+    }
+    if (!t.startsWith("-")) {
+      const h = parseHost(t);
+      if (h) hosts.add(h);
+    }
+  }
+  return [...hosts].filter(Boolean);
+}
+var init_ssh_parser = __esm({
+  "src/policy/ssh-parser.ts"() {
+    "use strict";
+    init_flag_tables();
+  }
+});
+
+// src/auth/trusted-hosts.ts
+import fs6 from "fs";
+import path7 from "path";
+import os5 from "os";
+function getTrustedHostsPath() {
+  return path7.join(os5.homedir(), ".node9", "trusted-hosts.json");
+}
+function readTrustedHosts() {
+  try {
+    const raw = fs6.readFileSync(getTrustedHostsPath(), "utf8");
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
+  } catch {
+    return [];
+  }
+}
+function writeTrustedHosts(hosts) {
+  const filePath = getTrustedHostsPath();
+  fs6.mkdirSync(path7.dirname(filePath), { recursive: true });
+  const tmp = filePath + ".node9-tmp";
+  fs6.writeFileSync(tmp, JSON.stringify({ hosts }, null, 2));
+  fs6.renameSync(tmp, filePath);
+}
+function addTrustedHost(host) {
+  const hosts = readTrustedHosts();
+  if (hosts.some((h) => h.host === host)) return;
+  hosts.push({ host, addedAt: Date.now(), addedBy: "user" });
+  writeTrustedHosts(hosts);
+}
+function removeTrustedHost(host) {
+  const hosts = readTrustedHosts();
+  const filtered = hosts.filter((h) => h.host !== host);
+  if (filtered.length === hosts.length) return false;
+  writeTrustedHosts(filtered);
+  return true;
+}
+function normalizeHost(raw) {
+  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
+}
+function isTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  return readTrustedHosts().some((entry) => {
+    const entryHost = entry.host.toLowerCase();
+    if (entryHost.startsWith("*.")) {
+      const domain = entryHost.slice(2);
+      return normalized === domain || normalized.endsWith("." + domain);
+    }
+    return normalized === entryHost;
+  });
+}
+var init_trusted_hosts = __esm({
+  "src/auth/trusted-hosts.ts"() {
+    "use strict";
+  }
+});
+
+// src/policy/index.ts
+import fs7 from "fs";
+import path8 from "path";
+import os6 from "os";
 import pm from "picomatch";
 import { parse } from "sh-syntax";
-function tokenize(toolName) {
+function tokenize2(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
 function matchesPattern(text, patterns) {
@@ -1176,9 +1664,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path22) {
+function getNestedValue(obj, path25) {
   if (!obj || typeof obj !== "object") return null;
-  return path22.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path25.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1313,7 +1801,7 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
-async function evaluatePolicy(toolName, args, agent) {
+async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
@@ -1343,11 +1831,66 @@ async function evaluatePolicy(toolName, args, agent) {
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
+      const sinks = pipeAnalysis.sinkTargets;
+      const allTrusted = sinks.length > 0 && sinks.every(isTrustedHost);
+      if (pipeAnalysis.risk === "critical") {
+        if (allTrusted) {
+          return {
+            decision: "review",
+            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+            tier: 3
+          };
+        }
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+          tier: 3
+        };
+      }
+      if (allTrusted) {
+        return { decision: "allow" };
+      }
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+        tier: 3
+      };
+    }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
+    }
+    if (firstToken && path8.posix.isAbsolute(firstToken)) {
+      const prov = checkProvenance(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+    }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -1421,9 +1964,9 @@ async function evaluatePolicy(toolName, args, agent) {
 }
 async function explainPolicy(toolName, args) {
   const steps = [];
-  const globalPath = path5.join(os4.homedir(), ".node9", "config.json");
-  const projectPath = path5.join(process.cwd(), "node9.config.json");
-  const credsPath = path5.join(os4.homedir(), ".node9", "credentials.json");
+  const globalPath = path8.join(os6.homedir(), ".node9", "config.json");
+  const projectPath = path8.join(process.cwd(), "node9.config.json");
+  const credsPath = path8.join(os6.homedir(), ".node9", "credentials.json");
   const waterfall = [
     {
       tier: 1,
@@ -1434,19 +1977,19 @@ async function explainPolicy(toolName, args) {
     {
       tier: 2,
       label: "Cloud policy",
-      status: fs5.existsSync(credsPath) ? "active" : "missing",
-      note: fs5.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
+      status: fs7.existsSync(credsPath) ? "active" : "missing",
+      note: fs7.existsSync(credsPath) ? "credentials found (not evaluated in explain mode)" : "not connected \u2014 run: node9 login"
     },
     {
       tier: 3,
       label: "Project config",
-      status: fs5.existsSync(projectPath) ? "active" : "missing",
+      status: fs7.existsSync(projectPath) ? "active" : "missing",
       path: projectPath
     },
     {
       tier: 4,
       label: "Global config",
-      status: fs5.existsSync(globalPath) ? "active" : "missing",
+      status: fs7.existsSync(globalPath) ? "active" : "missing",
       path: globalPath
     },
     {
@@ -1578,7 +2121,7 @@ async function explainPolicy(toolName, args) {
       });
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     let detail = `No toolInspection match for "${toolName}" \u2014 tokens: [${allTokens.join(", ")}]`;
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
@@ -1690,21 +2233,25 @@ var init_policy = __esm({
     init_dlp();
     init_config();
     init_regex();
+    init_provenance();
+    init_pipe_chain();
+    init_ssh_parser();
+    init_trusted_hosts();
     SQL_DML_KEYWORDS = /* @__PURE__ */ new Set(["select", "insert", "update", "delete", "merge", "upsert"]);
   }
 });
 
 // src/auth/state.ts
-import fs6 from "fs";
-import path6 from "path";
-import os5 from "os";
+import fs8 from "fs";
+import path9 from "path";
+import os7 from "os";
 function checkPause() {
   try {
-    if (!fs6.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs6.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!fs8.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs8.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        fs6.unlinkSync(PAUSED_FILE);
+        fs8.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -1715,11 +2262,11 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path6.dirname(filePath);
-  if (!fs6.existsSync(dir)) fs6.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${os5.hostname()}.${process.pid}.tmp`;
-  fs6.writeFileSync(tmpPath, data, options);
-  fs6.renameSync(tmpPath, filePath);
+  const dir = path9.dirname(filePath);
+  if (!fs8.existsSync(dir)) fs8.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${os7.hostname()}.${process.pid}.tmp`;
+  fs8.writeFileSync(tmpPath, data, options);
+  fs8.renameSync(tmpPath, filePath);
 }
 function pauseNode9(durationMs, durationStr) {
   const state = { expiry: Date.now() + durationMs, duration: durationStr };
@@ -1727,18 +2274,18 @@ function pauseNode9(durationMs, durationStr) {
 }
 function resumeNode9() {
   try {
-    if (fs6.existsSync(PAUSED_FILE)) fs6.unlinkSync(PAUSED_FILE);
+    if (fs8.existsSync(PAUSED_FILE)) fs8.unlinkSync(PAUSED_FILE);
   } catch {
   }
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!fs6.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs6.readFileSync(TRUST_FILE, "utf-8"));
+    if (!fs8.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs8.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      fs6.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      fs8.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -1749,8 +2296,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs6.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs6.readFileSync(TRUST_FILE, "utf-8"));
+      if (fs8.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs8.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -1766,9 +2313,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path6.join(os5.homedir(), ".node9", "decisions.json");
-    if (!fs6.existsSync(file)) return null;
-    const decisions = JSON.parse(fs6.readFileSync(file, "utf-8"));
+    const file = path9.join(os7.homedir(), ".node9", "decisions.json");
+    if (!fs8.existsSync(file)) return null;
+    const decisions = JSON.parse(fs8.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
@@ -1780,21 +2327,21 @@ var init_state = __esm({
   "src/auth/state.ts"() {
     "use strict";
     init_policy();
-    PAUSED_FILE = path6.join(os5.homedir(), ".node9", "PAUSED");
-    TRUST_FILE = path6.join(os5.homedir(), ".node9", "trust.json");
+    PAUSED_FILE = path9.join(os7.homedir(), ".node9", "PAUSED");
+    TRUST_FILE = path9.join(os7.homedir(), ".node9", "trust.json");
   }
 });
 
 // src/auth/daemon.ts
-import fs7 from "fs";
-import path7 from "path";
-import os6 from "os";
+import fs9 from "fs";
+import path10 from "path";
+import os8 from "os";
 import { spawnSync } from "child_process";
 function getInternalToken() {
   try {
-    const pidFile = path7.join(os6.homedir(), ".node9", "daemon.pid");
-    if (!fs7.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs7.readFileSync(pidFile, "utf-8"));
+    const pidFile = path10.join(os8.homedir(), ".node9", "daemon.pid");
+    if (!fs9.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs9.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -1802,10 +2349,10 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = path7.join(os6.homedir(), ".node9", "daemon.pid");
-  if (fs7.existsSync(pidFile)) {
+  const pidFile = path10.join(os8.homedir(), ".node9", "daemon.pid");
+  if (fs9.existsSync(pidFile)) {
     try {
-      const { pid, port } = JSON.parse(fs7.readFileSync(pidFile, "utf-8"));
+      const { pid, port } = JSON.parse(fs9.readFileSync(pidFile, "utf-8"));
       if (port !== DAEMON_PORT) return false;
       process.kill(pid, 0);
       return true;
@@ -1908,7 +2455,7 @@ var init_daemon = __esm({
 });
 
 // src/context-sniper.ts
-import path8 from "path";
+import path11 from "path";
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -1960,7 +2507,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = path8.basename(editFilePath);
+        editFileName = path11.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -2017,7 +2564,7 @@ var init_context_sniper = __esm({
 
 // src/ui/native.ts
 import { spawn } from "child_process";
-import path9 from "path";
+import path12 from "path";
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -2036,7 +2583,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? path9.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? path12.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -2221,8 +2768,8 @@ var init_native = __esm({
 });
 
 // src/auth/cloud.ts
-import fs8 from "fs";
-import os7 from "os";
+import fs10 from "fs";
+import os9 from "os";
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2234,9 +2781,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: os7.hostname(),
+        hostname: os9.hostname(),
         cwd: process.cwd(),
-        platform: os7.platform()
+        platform: os9.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -2257,9 +2804,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: os7.hostname(),
+          hostname: os9.hostname(),
           cwd: process.cwd(),
-          platform: os7.platform()
+          platform: os9.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),
@@ -2315,14 +2862,14 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
     });
     clearTimeout(timer);
     if (!res.ok) {
-      fs8.appendFileSync(
+      fs10.appendFileSync(
         HOOK_DEBUG_LOG,
         `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
 `
       );
     }
   } catch (err) {
-    fs8.appendFileSync(
+    fs10.appendFileSync(
       HOOK_DEBUG_LOG,
       `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
 `
@@ -2338,8 +2885,8 @@ var init_cloud = __esm({
 
 // src/auth/orchestrator.ts
 import net from "net";
-import path10 from "path";
-import os8 from "os";
+import path13 from "path";
+import os10 from "os";
 import { randomUUID } from "crypto";
 function notifyActivity(data) {
   return new Promise((resolve) => {
@@ -2422,7 +2969,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         if (approvers.cloud && creds?.apiKey) {
@@ -2700,7 +3247,7 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
-    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path10.join(os8.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path13.join(os10.tmpdir(), "node9-activity.sock");
   }
 });
 
@@ -4172,9 +4719,9 @@ var init_ui2 = __esm({
 
 // src/daemon/state.ts
 import net2 from "net";
-import fs10 from "fs";
-import path12 from "path";
-import os10 from "os";
+import fs12 from "fs";
+import path15 from "path";
+import os12 from "os";
 import { spawn as spawn2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 function getAbandonTimer() {
@@ -4199,11 +4746,11 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = path12.dirname(filePath);
-  if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
+  const dir = path15.dirname(filePath);
+  if (!fs12.existsSync(dir)) fs12.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${randomUUID2()}.tmp`;
-  fs10.writeFileSync(tmpPath, data, options);
-  fs10.renameSync(tmpPath, filePath);
+  fs12.writeFileSync(tmpPath, data, options);
+  fs12.renameSync(tmpPath, filePath);
 }
 function redactArgs(value) {
   if (!value || typeof value !== "object") return value;
@@ -4223,16 +4770,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = path12.dirname(AUDIT_LOG_FILE);
-    if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
-    fs10.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = path15.dirname(AUDIT_LOG_FILE);
+    if (!fs12.existsSync(dir)) fs12.mkdirSync(dir, { recursive: true });
+    fs12.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!fs10.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = fs10.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!fs12.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = fs12.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -4241,19 +4788,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (fs10.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (fs12.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return fs10.existsSync(CREDENTIALS_FILE);
+  return fs12.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (fs10.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(fs10.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (fs12.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(fs12.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4265,8 +4812,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs10.existsSync(TRUST_FILE2))
-        trust = JSON.parse(fs10.readFileSync(TRUST_FILE2, "utf-8"));
+      if (fs12.existsSync(TRUST_FILE2))
+        trust = JSON.parse(fs12.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -4277,8 +4824,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (fs10.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(fs10.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (fs12.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(fs12.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4343,7 +4890,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      fs10.unlinkSync(DAEMON_PID_FILE);
+      fs12.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -4354,7 +4901,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    fs10.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    fs12.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -4396,7 +4943,7 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      fs10.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      fs12.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
@@ -4406,13 +4953,13 @@ var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     init_daemon();
-    homeDir = os10.homedir();
-    DAEMON_PID_FILE = path12.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = path12.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = path12.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = path12.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = path12.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = path12.join(homeDir, ".node9", "credentials.json");
+    homeDir = os12.homedir();
+    DAEMON_PID_FILE = path15.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = path15.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = path15.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = path15.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = path15.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = path15.join(homeDir, ".node9", "credentials.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
     _abandonTimer = null;
@@ -4426,7 +4973,7 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path12.join(os10.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path15.join(os12.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
@@ -4435,8 +4982,8 @@ var init_state2 = __esm({
 
 // src/daemon/server.ts
 import http from "http";
-import fs11 from "fs";
-import path13 from "path";
+import fs13 from "fs";
+import path16 from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
 import chalk2 from "chalk";
@@ -4455,7 +5002,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          fs11.unlinkSync(DAEMON_PID_FILE);
+          fs13.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -4597,7 +5144,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && path13.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && path16.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -4901,14 +5448,14 @@ data: ${JSON.stringify(item.data)}
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (fs11.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(fs11.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (fs13.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(fs13.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          fs11.unlinkSync(DAEMON_PID_FILE);
+          fs13.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -4978,28 +5525,28 @@ var init_server = __esm({
 });
 
 // src/daemon/index.ts
-import fs12 from "fs";
+import fs14 from "fs";
 import chalk3 from "chalk";
 import { spawnSync as spawnSync3 } from "child_process";
 function stopDaemon() {
-  if (!fs12.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
+  if (!fs14.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(fs12.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(fs14.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(chalk3.green("\u2705 Stopped."));
   } catch {
     console.log(chalk3.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      fs12.unlinkSync(DAEMON_PID_FILE);
+      fs14.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (fs12.existsSync(DAEMON_PID_FILE)) {
+  if (fs14.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(fs12.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(fs14.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(chalk3.green("Node9 daemon: running"));
       return;
@@ -5033,10 +5580,10 @@ __export(tail_exports, {
   startTail: () => startTail
 });
 import http2 from "http";
-import chalk14 from "chalk";
-import fs19 from "fs";
-import os17 from "os";
-import path20 from "path";
+import chalk15 from "chalk";
+import fs21 from "fs";
+import os19 from "os";
+import path23 from "path";
 import readline3 from "readline";
 import { spawn as spawn9, execSync as execSync3 } from "child_process";
 function getIcon(tool) {
@@ -5052,17 +5599,17 @@ function formatBase(activity) {
   const toolName = activity.tool.slice(0, 16).padEnd(16);
   const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ");
   const argsPreview = argsStr.length > 70 ? argsStr.slice(0, 70) + "\u2026" : argsStr;
-  return `${chalk14.gray(time)} ${icon} ${chalk14.white.bold(toolName)} ${chalk14.dim(argsPreview)}`;
+  return `${chalk15.gray(time)} ${icon} ${chalk15.white.bold(toolName)} ${chalk15.dim(argsPreview)}`;
 }
 function renderResult(activity, result) {
   const base = formatBase(activity);
   let status;
   if (result.status === "allow") {
-    status = chalk14.green("\u2713 ALLOW");
+    status = chalk15.green("\u2713 ALLOW");
   } else if (result.status === "dlp") {
-    status = chalk14.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
+    status = chalk15.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
   } else {
-    status = chalk14.red("\u2717 BLOCK");
+    status = chalk15.red("\u2717 BLOCK");
   }
   if (process.stdout.isTTY) {
     readline3.clearLine(process.stdout, 0);
@@ -5072,16 +5619,16 @@ function renderResult(activity, result) {
 }
 function renderPending(activity) {
   if (!process.stdout.isTTY) return;
-  process.stdout.write(`${formatBase(activity)}  ${chalk14.yellow("\u25CF \u2026")}\r`);
+  process.stdout.write(`${formatBase(activity)}  ${chalk15.yellow("\u25CF \u2026")}\r`);
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (fs19.existsSync(PID_FILE)) {
+  if (fs21.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(fs19.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(fs21.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
-      console.error(chalk14.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
+      console.error(chalk15.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
     }
   }
   const checkPort = pidPort ?? DAEMON_PORT;
@@ -5092,7 +5639,7 @@ async function ensureDaemon() {
     if (res.ok) return checkPort;
   } catch {
   }
-  console.log(chalk14.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
+  console.log(chalk15.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
   const child = spawn9(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
@@ -5109,7 +5656,7 @@ async function ensureDaemon() {
     } catch {
     }
   }
-  console.error(chalk14.red("\u274C Daemon failed to start. Try: node9 daemon start"));
+  console.error(chalk15.red("\u274C Daemon failed to start. Try: node9 daemon start"));
   process.exit(1);
 }
 function postDecisionHttp(id, decision, csrfToken, port) {
@@ -5180,7 +5727,7 @@ async function startTail(options = {}) {
       req2.end();
     });
     if (result.ok) {
-      console.log(chalk14.green("\u2713 Flight Recorder buffer cleared."));
+      console.log(chalk15.green("\u2713 Flight Recorder buffer cleared."));
     } else if (result.code === "ECONNREFUSED") {
       throw new Error("Daemon is not running. Start it with: node9 daemon start");
     } else if (result.code === "ETIMEDOUT") {
@@ -5243,16 +5790,16 @@ async function startTail(options = {}) {
       process.stdout.write(SHOW_CURSOR);
       postDecisionHttp(req2.id, decision, csrfToken, port).catch((err) => {
         try {
-          fs19.appendFileSync(
-            path20.join(os17.homedir(), ".node9", "hook-debug.log"),
+          fs21.appendFileSync(
+            path23.join(os19.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
         } catch {
         }
       });
-      const decisionLabel = decision === "allow" ? chalk14.green("\u2713 ALLOWED (terminal)") : chalk14.red("\u2717 DENIED (terminal)");
-      console.log(`${chalk14.cyan("\u25C6")} ${chalk14.bold(req2.toolName.padEnd(16))}  ${decisionLabel}`);
+      const decisionLabel = decision === "allow" ? chalk15.green("\u2713 ALLOWED (terminal)") : chalk15.red("\u2717 DENIED (terminal)");
+      console.log(`${chalk15.cyan("\u25C6")} ${chalk15.bold(req2.toolName.padEnd(16))}  ${decisionLabel}`);
       approvalQueue.shift();
       cardActive = false;
       showNextCard();
@@ -5289,16 +5836,16 @@ async function startTail(options = {}) {
     }
   } catch {
   }
-  console.log(chalk14.cyan.bold(`
-\u{1F6F0}\uFE0F  Node9 tail  `) + chalk14.dim(`\u2192 ${dashboardUrl}`));
+  console.log(chalk15.cyan.bold(`
+\u{1F6F0}\uFE0F  Node9 tail  `) + chalk15.dim(`\u2192 ${dashboardUrl}`));
   if (canApprove) {
-    console.log(chalk14.dim("Interactive approvals enabled. [A] Allow  [D] Deny"));
+    console.log(chalk15.dim("Interactive approvals enabled. [A] Allow  [D] Deny"));
   }
   if (options.history) {
-    console.log(chalk14.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
+    console.log(chalk15.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
   } else {
     console.log(
-      chalk14.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
+      chalk15.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
     );
   }
   process.on("SIGINT", () => {
@@ -5308,13 +5855,13 @@ async function startTail(options = {}) {
       readline3.clearLine(process.stdout, 0);
       readline3.cursorTo(process.stdout, 0);
     }
-    console.log(chalk14.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
+    console.log(chalk15.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
     process.exit(0);
   });
   const sseUrl = `http://127.0.0.1:${port}/events?capabilities=input`;
   const req = http2.get(sseUrl, (res) => {
     if (res.statusCode !== 200) {
-      console.error(chalk14.red(`Failed to connect: HTTP ${res.statusCode}`));
+      console.error(chalk15.red(`Failed to connect: HTTP ${res.statusCode}`));
       process.exit(1);
     }
     let currentEvent = "";
@@ -5344,7 +5891,7 @@ async function startTail(options = {}) {
         readline3.clearLine(process.stdout, 0);
         readline3.cursorTo(process.stdout, 0);
       }
-      console.log(chalk14.red("\n\u274C Daemon disconnected."));
+      console.log(chalk15.red("\n\u274C Daemon disconnected."));
       process.exit(1);
     });
   });
@@ -5424,7 +5971,7 @@ async function startTail(options = {}) {
   }
   req.on("error", (err) => {
     const msg = err.code === "ECONNREFUSED" ? "Daemon is not running. Start it with: node9 daemon start" : err.message;
-    console.error(chalk14.red(`
+    console.error(chalk15.red(`
 \u274C ${msg}`));
     process.exit(1);
   });
@@ -5435,7 +5982,7 @@ var init_tail = __esm({
     "use strict";
     init_daemon2();
     init_core();
-    PID_FILE = path20.join(os17.homedir(), ".node9", "daemon.pid");
+    PID_FILE = path23.join(os19.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -5473,9 +6020,9 @@ init_core();
 import { Command } from "commander";
 
 // src/setup.ts
-import fs9 from "fs";
-import path11 from "path";
-import os9 from "os";
+import fs11 from "fs";
+import path14 from "path";
+import os11 from "os";
 import chalk from "chalk";
 import { confirm } from "@inquirer/prompts";
 function printDaemonTip() {
@@ -5492,26 +6039,26 @@ function fullPathCommand(subcommand) {
 }
 function readJson(filePath) {
   try {
-    if (fs9.existsSync(filePath)) {
-      return JSON.parse(fs9.readFileSync(filePath, "utf-8"));
+    if (fs11.existsSync(filePath)) {
+      return JSON.parse(fs11.readFileSync(filePath, "utf-8"));
     }
   } catch {
   }
   return null;
 }
 function writeJson(filePath, data) {
-  const dir = path11.dirname(filePath);
-  if (!fs9.existsSync(dir)) fs9.mkdirSync(dir, { recursive: true });
-  fs9.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
+  const dir = path14.dirname(filePath);
+  if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
+  fs11.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
 }
 function isNode9Hook(cmd) {
   if (!cmd) return false;
   return /(?:^|[\s/\\])node9 (?:check|log)/.test(cmd) || /(?:^|[\s/\\])cli\.js (?:check|log)/.test(cmd);
 }
 function teardownClaude() {
-  const homeDir2 = os9.homedir();
-  const hooksPath = path11.join(homeDir2, ".claude", "settings.json");
-  const mcpPath = path11.join(homeDir2, ".claude.json");
+  const homeDir2 = os11.homedir();
+  const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
+  const mcpPath = path14.join(homeDir2, ".claude.json");
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
@@ -5559,8 +6106,8 @@ function teardownClaude() {
   }
 }
 function teardownGemini() {
-  const homeDir2 = os9.homedir();
-  const settingsPath = path11.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = os11.homedir();
+  const settingsPath = path14.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath);
   if (!settings) {
     console.log(chalk.blue("  \u2139\uFE0F  ~/.gemini/settings.json not found \u2014 nothing to remove"));
@@ -5598,8 +6145,8 @@ function teardownGemini() {
   }
 }
 function teardownCursor() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = os11.homedir();
+  const mcpPath = path14.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath);
   if (!mcpConfig?.mcpServers) {
     console.log(chalk.blue("  \u2139\uFE0F  ~/.cursor/mcp.json not found \u2014 nothing to remove"));
@@ -5625,9 +6172,9 @@ function teardownCursor() {
   }
 }
 async function setupClaude() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".claude.json");
-  const hooksPath = path11.join(homeDir2, ".claude", "settings.json");
+  const homeDir2 = os11.homedir();
+  const mcpPath = path14.join(homeDir2, ".claude.json");
+  const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
@@ -5701,8 +6248,8 @@ async function setupClaude() {
   }
 }
 async function setupGemini() {
-  const homeDir2 = os9.homedir();
-  const settingsPath = path11.join(homeDir2, ".gemini", "settings.json");
+  const homeDir2 = os11.homedir();
+  const settingsPath = path14.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
   let anythingChanged = false;
@@ -5784,8 +6331,8 @@ async function setupGemini() {
   }
 }
 async function setupCursor() {
-  const homeDir2 = os9.homedir();
-  const mcpPath = path11.join(homeDir2, ".cursor", "mcp.json");
+  const homeDir2 = os11.homedir();
+  const mcpPath = path14.join(homeDir2, ".cursor", "mcp.json");
   const mcpConfig = readJson(mcpPath) ?? {};
   const servers = mcpConfig.mcpServers ?? {};
   let anythingChanged = false;
@@ -5841,10 +6388,10 @@ async function setupCursor() {
 
 // src/cli.ts
 init_daemon2();
-import chalk15 from "chalk";
-import fs20 from "fs";
-import path21 from "path";
-import os18 from "os";
+import chalk16 from "chalk";
+import fs22 from "fs";
+import path24 from "path";
+import os20 from "os";
 import { confirm as confirm3 } from "@inquirer/prompts";
 
 // src/utils/duration.ts
@@ -6069,32 +6616,32 @@ init_daemon();
 init_config();
 init_policy();
 import chalk5 from "chalk";
-import fs14 from "fs";
-import path15 from "path";
-import os12 from "os";
+import fs16 from "fs";
+import path18 from "path";
+import os14 from "os";
 
 // src/undo.ts
 import { spawnSync as spawnSync4, spawn as spawn5 } from "child_process";
 import crypto2 from "crypto";
-import fs13 from "fs";
-import path14 from "path";
-import os11 from "os";
-var SNAPSHOT_STACK_PATH = path14.join(os11.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = path14.join(os11.homedir(), ".node9", "undo_latest.txt");
+import fs15 from "fs";
+import path17 from "path";
+import os13 from "os";
+var SNAPSHOT_STACK_PATH = path17.join(os13.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = path17.join(os13.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (fs13.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(fs13.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (fs15.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(fs15.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = path14.dirname(SNAPSHOT_STACK_PATH);
-  if (!fs13.existsSync(dir)) fs13.mkdirSync(dir, { recursive: true });
-  fs13.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = path17.dirname(SNAPSHOT_STACK_PATH);
+  if (!fs15.existsSync(dir)) fs15.mkdirSync(dir, { recursive: true });
+  fs15.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -6110,7 +6657,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = fs13.realpathSync(cwd);
+    normalized = fs15.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -6120,16 +6667,16 @@ function normalizeCwdForHash(cwd) {
 }
 function getShadowRepoDir(cwd) {
   const hash = crypto2.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return path14.join(os11.homedir(), ".node9", "snapshots", hash);
+  return path17.join(os13.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of fs13.readdirSync(shadowDir)) {
+    for (const f of fs15.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = path14.join(shadowDir, f);
+        const fp = path17.join(shadowDir, f);
         try {
-          if (fs13.statSync(fp).mtimeMs < cutoff) fs13.unlinkSync(fp);
+          if (fs15.statSync(fp).mtimeMs < cutoff) fs15.unlinkSync(fp);
         } catch {
         }
       }
@@ -6141,7 +6688,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    fs13.writeFileSync(path14.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    fs15.writeFileSync(path17.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -6154,25 +6701,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = path14.join(shadowDir, "project-path.txt");
+    const ptPath = path17.join(shadowDir, "project-path.txt");
     try {
-      const stored = fs13.readFileSync(ptPath, "utf8").trim();
+      const stored = fs15.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      fs13.rmSync(shadowDir, { recursive: true, force: true });
+      fs15.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        fs13.writeFileSync(ptPath, normalizedCwd, "utf8");
+        fs15.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    fs13.mkdirSync(shadowDir, { recursive: true });
+    fs15.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = spawnSync4("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -6181,7 +6728,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = path14.join(shadowDir, "config");
+  const configFile = path17.join(shadowDir, "config");
   spawnSync4("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -6189,7 +6736,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    fs13.writeFileSync(path14.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    fs15.writeFileSync(path17.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -6212,7 +6759,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = path14.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = path17.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -6241,7 +6788,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    fs13.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    fs15.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       spawn5("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -6252,7 +6799,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        fs13.unlinkSync(indexFile);
+        fs15.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -6321,9 +6868,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = path14.join(dir, file);
-      if (!snapshotFiles.has(file) && fs13.existsSync(fullPath)) {
-        fs13.unlinkSync(fullPath);
+      const fullPath = path17.join(dir, file);
+      if (!snapshotFiles.has(file) && fs15.existsSync(fullPath)) {
+        fs15.unlinkSync(fullPath);
       }
     }
     return true;
@@ -6347,9 +6894,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
+            const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            fs14.appendFileSync(
+            fs16.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -6360,10 +6907,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
-          if (!fs14.existsSync(path15.dirname(logPath)))
-            fs14.mkdirSync(path15.dirname(logPath), { recursive: true });
-          fs14.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
+          if (!fs16.existsSync(path18.dirname(logPath)))
+            fs16.mkdirSync(path18.dirname(logPath), { recursive: true });
+          fs16.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -6376,8 +6923,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = fs14.openSync("/dev/tty", "w");
-            const writeTty = (line) => fs14.writeSync(ttyFd, line + "\n");
+            ttyFd = fs16.openSync("/dev/tty", "w");
+            const writeTty = (line) => fs16.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(chalk5.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -6393,7 +6940,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                fs14.closeSync(ttyFd);
+                fs16.closeSync(ttyFd);
               } catch {
               }
           }
@@ -6424,7 +6971,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && path15.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && path18.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -6436,12 +6983,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = fs14.openSync("/dev/tty", "w");
-            fs14.writeSync(
+            const tty = fs16.openSync("/dev/tty", "w");
+            fs16.writeSync(
               tty,
               chalk5.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            fs14.closeSync(tty);
+            fs16.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -6468,9 +7015,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = path15.join(os12.homedir(), ".node9", "hook-debug.log");
+          const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          fs14.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          fs16.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -6507,9 +7054,9 @@ RAW: ${raw}
 init_audit();
 init_config();
 init_policy();
-import fs15 from "fs";
-import path16 from "path";
-import os13 from "os";
+import fs17 from "fs";
+import path19 from "path";
+import os15 from "os";
 function sanitize3(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -6528,11 +7075,11 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = path16.join(os13.homedir(), ".node9", "audit.log");
-        if (!fs15.existsSync(path16.dirname(logPath)))
-          fs15.mkdirSync(path16.dirname(logPath), { recursive: true });
-        fs15.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && path16.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = path19.join(os15.homedir(), ".node9", "audit.log");
+        if (!fs17.existsSync(path19.dirname(logPath)))
+          fs17.mkdirSync(path19.dirname(logPath), { recursive: true });
+        fs17.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        const safeCwd = typeof payload.cwd === "string" && path19.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -6541,9 +7088,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = path16.join(os13.homedir(), ".node9", "hook-debug.log");
+        const debugPath = path19.join(os15.homedir(), ".node9", "hook-debug.log");
         try {
-          fs15.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          fs17.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -6848,13 +7395,13 @@ function registerConfigShowCommand(program2) {
 // src/cli/commands/doctor.ts
 init_daemon();
 import chalk7 from "chalk";
-import fs16 from "fs";
-import path17 from "path";
-import os14 from "os";
+import fs18 from "fs";
+import path20 from "path";
+import os16 from "os";
 import { execSync as execSync2 } from "child_process";
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = os14.homedir();
+    const homeDir2 = os16.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(chalk7.green("  \u2705 ") + msg);
@@ -6903,10 +7450,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = path17.join(homeDir2, ".node9", "config.json");
-    if (fs16.existsSync(globalConfigPath)) {
+    const globalConfigPath = path20.join(homeDir2, ".node9", "config.json");
+    if (fs18.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(fs16.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(fs18.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -6914,10 +7461,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = path17.join(process.cwd(), "node9.config.json");
-    if (fs16.existsSync(projectConfigPath)) {
+    const projectConfigPath = path20.join(process.cwd(), "node9.config.json");
+    if (fs18.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(fs16.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(fs18.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -6926,8 +7473,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = path17.join(homeDir2, ".node9", "credentials.json");
-    if (fs16.existsSync(credsPath)) {
+    const credsPath = path20.join(homeDir2, ".node9", "credentials.json");
+    if (fs18.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -6936,10 +7483,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = path17.join(homeDir2, ".claude", "settings.json");
-    if (fs16.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = path20.join(homeDir2, ".claude", "settings.json");
+    if (fs18.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(fs16.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(fs18.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6955,10 +7502,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = path17.join(homeDir2, ".gemini", "settings.json");
-    if (fs16.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = path20.join(homeDir2, ".gemini", "settings.json");
+    if (fs18.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(fs16.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(fs18.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -6974,10 +7521,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = path17.join(homeDir2, ".cursor", "hooks.json");
-    if (fs16.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = path20.join(homeDir2, ".cursor", "hooks.json");
+    if (fs18.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(fs16.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(fs18.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -7015,9 +7562,9 @@ function registerDoctorCommand(program2, version2) {
 
 // src/cli/commands/audit.ts
 import chalk8 from "chalk";
-import fs17 from "fs";
-import path18 from "path";
-import os15 from "os";
+import fs19 from "fs";
+import path21 from "path";
+import os17 from "os";
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -7030,14 +7577,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = path18.join(os15.homedir(), ".node9", "audit.log");
-    if (!fs17.existsSync(logPath)) {
+    const logPath = path21.join(os17.homedir(), ".node9", "audit.log");
+    if (!fs19.existsSync(logPath)) {
       console.log(
         chalk8.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = fs17.readFileSync(logPath, "utf-8");
+    const raw = fs19.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -7157,9 +7704,9 @@ function registerDaemonCommand(program2) {
 init_core();
 init_daemon();
 import chalk10 from "chalk";
-import fs18 from "fs";
-import path19 from "path";
-import os16 from "os";
+import fs20 from "fs";
+import path22 from "path";
+import os18 from "os";
 function registerStatusCommand(program2) {
   program2.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
     const creds = getCredentials();
@@ -7194,13 +7741,13 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? chalk10.blue("audit") : settings.mode === "strict" ? chalk10.red("strict") : chalk10.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = path19.join(process.cwd(), "node9.config.json");
-    const globalConfig = path19.join(os16.homedir(), ".node9", "config.json");
+    const projectConfig = path22.join(process.cwd(), "node9.config.json");
+    const globalConfig = path22.join(os18.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${fs18.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
+      `  Local:   ${fs20.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${fs18.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
+      `  Global:  ${fs20.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
@@ -7379,6 +7926,7 @@ import readline2 from "readline";
 import chalk13 from "chalk";
 import { spawn as spawn8 } from "child_process";
 import { execa as execa2 } from "execa";
+init_provenance();
 function sanitize4(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7391,7 +7939,7 @@ function extractMcpServer(toolName) {
   const match = toolName.match(/^mcp__([^_](?:[^_]|_(?!_))*?)__/i);
   return match?.[1];
 }
-function tokenize2(cmd) {
+function tokenize3(cmd) {
   const tokens = [];
   let current = "";
   let inDouble = false;
@@ -7426,7 +7974,7 @@ function tokenize2(cmd) {
   return tokens;
 }
 async function runMcpGateway(upstreamCommand) {
-  const commandParts = tokenize2(upstreamCommand);
+  const commandParts = tokenize3(upstreamCommand);
   const cmd = commandParts[0];
   const cmdArgs = commandParts.slice(1);
   let executable = cmd;
@@ -7435,6 +7983,15 @@ async function runMcpGateway(upstreamCommand) {
     if (stdout) executable = stdout.trim();
   } catch {
   }
+  const prov = checkProvenance(executable);
+  if (prov.trustLevel === "suspect") {
+    console.error(
+      chalk13.red(
+        `\u26A0\uFE0F  Node9: Upstream MCP server binary is suspect \u2014 ${prov.reason} (${prov.resolvedPath})`
+      )
+    );
+    console.error(chalk13.red("   Verify this binary is trusted before proceeding."));
+  }
   console.error(chalk13.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
   const UPSTREAM_INJECTOR_VARS = /* @__PURE__ */ new Set([
     "NODE_OPTIONS",
@@ -7574,22 +8131,77 @@ function registerMcpGatewayCommand(program2) {
   });
 }
 
+// src/cli/commands/trust.ts
+init_trusted_hosts();
+import chalk14 from "chalk";
+function isValidHost(host) {
+  return /^(\*\.)?[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(host);
+}
+function registerTrustCommand(program2) {
+  const trustCmd = program2.command("trust").description("Manage trusted network hosts (reduces approval friction for known destinations)");
+  trustCmd.command("add <host>").description("Add a trusted host \u2014 pipe-chain blocks targeting this host are downgraded").action((host) => {
+    const normalized = normalizeHost(host.trim());
+    if (!isValidHost(normalized)) {
+      console.error(
+        chalk14.red(`
+\u274C Invalid host: "${host}"
+`) + chalk14.gray("   Use an FQDN like api.mycompany.com or *.mycompany.com\n")
+      );
+      process.exit(1);
+    }
+    addTrustedHost(normalized);
+    console.log(chalk14.green(`
+\u2705 ${normalized} added to trusted hosts.`));
+    console.log(
+      chalk14.gray("   Pipe-chain blocks to this host: critical \u2192 review, high \u2192 allow\n")
+    );
+  });
+  trustCmd.command("remove <host>").description("Remove a trusted host").action((host) => {
+    const normalized = normalizeHost(host.trim());
+    const removed = removeTrustedHost(normalized);
+    if (!removed) {
+      console.error(chalk14.yellow(`
+\u26A0\uFE0F  "${normalized}" is not in the trusted hosts list.
+`));
+      process.exit(1);
+    }
+    console.log(chalk14.green(`
+\u2705 ${normalized} removed from trusted hosts.
+`));
+  });
+  trustCmd.command("list").description("Show all trusted hosts").action(() => {
+    const hosts = readTrustedHosts();
+    if (hosts.length === 0) {
+      console.log(chalk14.gray("\n  No trusted hosts configured.\n"));
+      console.log(`  Add one: ${chalk14.cyan("node9 trust add api.mycompany.com")}
+`);
+      return;
+    }
+    console.log(chalk14.bold("\n\u{1F513} Trusted Hosts\n"));
+    for (const entry of hosts) {
+      const date = new Date(entry.addedAt).toLocaleDateString();
+      console.log(`  ${chalk14.cyan(entry.host.padEnd(40))} ${chalk14.gray(`added ${date}`)}`);
+    }
+    console.log("");
+  });
+}
+
 // src/cli.ts
 var { version } = JSON.parse(
-  fs20.readFileSync(path21.join(__dirname, "../package.json"), "utf-8")
+  fs22.readFileSync(path24.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = path21.join(os18.homedir(), ".node9", "credentials.json");
-  if (!fs20.existsSync(path21.dirname(credPath)))
-    fs20.mkdirSync(path21.dirname(credPath), { recursive: true });
+  const credPath = path24.join(os20.homedir(), ".node9", "credentials.json");
+  if (!fs22.existsSync(path24.dirname(credPath)))
+    fs22.mkdirSync(path24.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (fs20.existsSync(credPath)) {
-      const raw = JSON.parse(fs20.readFileSync(credPath, "utf-8"));
+    if (fs22.existsSync(credPath)) {
+      const raw = JSON.parse(fs22.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -7601,13 +8213,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  fs20.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  fs22.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = path21.join(os18.homedir(), ".node9", "config.json");
+    const configPath = path24.join(os20.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (fs20.existsSync(configPath))
-        config = JSON.parse(fs20.readFileSync(configPath, "utf-8"));
+      if (fs22.existsSync(configPath))
+        config = JSON.parse(fs22.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -7622,36 +8234,36 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!fs20.existsSync(path21.dirname(configPath)))
-      fs20.mkdirSync(path21.dirname(configPath), { recursive: true });
-    fs20.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!fs22.existsSync(path24.dirname(configPath)))
+      fs22.mkdirSync(path24.dirname(configPath), { recursive: true });
+    fs22.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
-    console.log(chalk15.green(`\u2705 Profile "${profileName}" saved`));
-    console.log(chalk15.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
+    console.log(chalk16.green(`\u2705 Profile "${profileName}" saved`));
+    console.log(chalk16.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
   } else if (options.local) {
-    console.log(chalk15.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
-    console.log(chalk15.gray(`   All decisions stay on this machine.`));
+    console.log(chalk16.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
+    console.log(chalk16.gray(`   All decisions stay on this machine.`));
   } else {
-    console.log(chalk15.green(`\u2705 Logged in \u2014 agent mode`));
-    console.log(chalk15.gray(`   Team policy enforced for all calls via Node9 cloud.`));
+    console.log(chalk16.green(`\u2705 Logged in \u2014 agent mode`));
+    console.log(chalk16.gray(`   Team policy enforced for all calls via Node9 cloud.`));
   }
 });
 program.command("addto").description("Integrate Node9 with an AI agent").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (target === "gemini") return await setupGemini();
   if (target === "claude") return await setupClaude();
   if (target === "cursor") return await setupCursor();
-  console.error(chalk15.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("setup").description('Alias for "addto" \u2014 integrate Node9 with an AI agent').addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("[target]", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (!target) {
-    console.log(chalk15.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
-    console.log("  Usage:  " + chalk15.white("node9 setup <target>") + "\n");
+    console.log(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
+    console.log("  Usage:  " + chalk16.white("node9 setup <target>") + "\n");
     console.log("  Targets:");
-    console.log("    " + chalk15.green("claude") + "   \u2014 Claude Code (hook mode)");
-    console.log("    " + chalk15.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
-    console.log("    " + chalk15.green("cursor") + "   \u2014 Cursor (hook mode)");
+    console.log("    " + chalk16.green("claude") + "   \u2014 Claude Code (hook mode)");
+    console.log("    " + chalk16.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
+    console.log("    " + chalk16.green("cursor") + "   \u2014 Cursor (hook mode)");
     console.log("");
     return;
   }
@@ -7659,7 +8271,7 @@ program.command("setup").description('Alias for "addto" \u2014 integrate Node9 w
   if (t === "gemini") return await setupGemini();
   if (t === "claude") return await setupClaude();
   if (t === "cursor") return await setupCursor();
-  console.error(chalk15.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("removefrom").description("Remove Node9 hooks from an AI agent configuration").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to remove from: claude | gemini | cursor").action((target) => {
@@ -7668,30 +8280,30 @@ program.command("removefrom").description("Remove Node9 hooks from an AI agent c
   else if (target === "gemini") fn = teardownGemini;
   else if (target === "cursor") fn = teardownCursor;
   else {
-    console.error(chalk15.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+    console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
     process.exit(1);
   }
-  console.log(chalk15.cyan(`
+  console.log(chalk16.cyan(`
 \u{1F6E1}\uFE0F  Node9: removing hooks from ${target}...
 `));
   try {
     fn();
   } catch (err) {
-    console.error(chalk15.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
+    console.error(chalk16.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
-  console.log(chalk15.gray("\n  Restart the agent for changes to take effect."));
+  console.log(chalk16.gray("\n  Restart the agent for changes to take effect."));
 });
 program.command("uninstall").description("Remove all Node9 hooks and optionally delete config files").option("--purge", "Also delete ~/.node9/ directory (config, audit log, credentials)").action(async (options) => {
-  console.log(chalk15.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
-  console.log(chalk15.bold("Stopping daemon..."));
+  console.log(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
+  console.log(chalk16.bold("Stopping daemon..."));
   try {
     stopDaemon();
-    console.log(chalk15.green("  \u2705 Daemon stopped"));
+    console.log(chalk16.green("  \u2705 Daemon stopped"));
   } catch {
-    console.log(chalk15.blue("  \u2139\uFE0F  Daemon was not running"));
+    console.log(chalk16.blue("  \u2139\uFE0F  Daemon was not running"));
   }
-  console.log(chalk15.bold("\nRemoving hooks..."));
+  console.log(chalk16.bold("\nRemoving hooks..."));
   let teardownFailed = false;
   for (const [label, fn] of [
     ["Claude", teardownClaude],
@@ -7703,45 +8315,45 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     } catch (err) {
       teardownFailed = true;
       console.error(
-        chalk15.red(
+        chalk16.red(
           `  \u26A0\uFE0F  Failed to remove ${label} hooks: ${err instanceof Error ? err.message : String(err)}`
         )
       );
     }
   }
   if (options.purge) {
-    const node9Dir = path21.join(os18.homedir(), ".node9");
-    if (fs20.existsSync(node9Dir)) {
+    const node9Dir = path24.join(os20.homedir(), ".node9");
+    if (fs22.existsSync(node9Dir)) {
       const confirmed = await confirm3({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        fs20.rmSync(node9Dir, { recursive: true });
-        if (fs20.existsSync(node9Dir)) {
+        fs22.rmSync(node9Dir, { recursive: true });
+        if (fs22.existsSync(node9Dir)) {
           console.error(
-            chalk15.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
+            chalk16.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
         } else {
-          console.log(chalk15.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
+          console.log(chalk16.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
         }
       } else {
-        console.log(chalk15.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
+        console.log(chalk16.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
       }
     } else {
-      console.log(chalk15.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
+      console.log(chalk16.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
     }
   } else {
     console.log(
-      chalk15.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
+      chalk16.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
     );
   }
   if (teardownFailed) {
-    console.error(chalk15.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
+    console.error(chalk16.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
     process.exit(1);
   }
-  console.log(chalk15.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
-  console.log(chalk15.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
+  console.log(chalk16.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
+  console.log(chalk16.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
 });
 registerDoctorCommand(program, version);
 program.command("explain").description(
@@ -7754,7 +8366,7 @@ program.command("explain").description(
       try {
         args = JSON.parse(trimmed);
       } catch {
-        console.error(chalk15.red(`
+        console.error(chalk16.red(`
 \u274C Invalid JSON: ${trimmed}
 `));
         process.exit(1);
@@ -7765,63 +8377,63 @@ program.command("explain").description(
   }
   const result = await explainPolicy(tool, args);
   console.log("");
-  console.log(chalk15.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
+  console.log(chalk16.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
   console.log("");
-  console.log(`   ${chalk15.bold("Tool:")}    ${chalk15.white(result.tool)}`);
+  console.log(`   ${chalk16.bold("Tool:")}    ${chalk16.white(result.tool)}`);
   if (argsRaw) {
     const preview = argsRaw.length > 80 ? argsRaw.slice(0, 77) + "\u2026" : argsRaw;
-    console.log(`   ${chalk15.bold("Input:")}   ${chalk15.gray(preview)}`);
+    console.log(`   ${chalk16.bold("Input:")}   ${chalk16.gray(preview)}`);
   }
   console.log("");
-  console.log(chalk15.bold("Config Sources (Waterfall):"));
+  console.log(chalk16.bold("Config Sources (Waterfall):"));
   for (const tier of result.waterfall) {
-    const num = chalk15.gray(`  ${tier.tier}.`);
+    const num = chalk16.gray(`  ${tier.tier}.`);
     const label = tier.label.padEnd(16);
     let statusStr;
     if (tier.tier === 1) {
-      statusStr = chalk15.gray(tier.note ?? "");
+      statusStr = chalk16.gray(tier.note ?? "");
     } else if (tier.status === "active") {
-      const loc = tier.path ? chalk15.gray(tier.path) : "";
-      const note = tier.note ? chalk15.gray(`(${tier.note})`) : "";
-      statusStr = chalk15.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
+      const loc = tier.path ? chalk16.gray(tier.path) : "";
+      const note = tier.note ? chalk16.gray(`(${tier.note})`) : "";
+      statusStr = chalk16.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
     } else {
-      statusStr = chalk15.gray("\u25CB " + (tier.note ?? "not found"));
+      statusStr = chalk16.gray("\u25CB " + (tier.note ?? "not found"));
     }
-    console.log(`${num} ${chalk15.white(label)} ${statusStr}`);
+    console.log(`${num} ${chalk16.white(label)} ${statusStr}`);
   }
   console.log("");
-  console.log(chalk15.bold("Policy Evaluation:"));
+  console.log(chalk16.bold("Policy Evaluation:"));
   for (const step of result.steps) {
     const isFinal = step.isFinal;
     let icon;
-    if (step.outcome === "allow") icon = chalk15.green("  \u2705");
-    else if (step.outcome === "review") icon = chalk15.red("  \u{1F534}");
-    else if (step.outcome === "skip") icon = chalk15.gray("  \u2500 ");
-    else icon = chalk15.gray("  \u25CB ");
+    if (step.outcome === "allow") icon = chalk16.green("  \u2705");
+    else if (step.outcome === "review") icon = chalk16.red("  \u{1F534}");
+    else if (step.outcome === "skip") icon = chalk16.gray("  \u2500 ");
+    else icon = chalk16.gray("  \u25CB ");
     const name = step.name.padEnd(18);
-    const nameStr = isFinal ? chalk15.white.bold(name) : chalk15.white(name);
-    const detail = isFinal ? chalk15.white(step.detail) : chalk15.gray(step.detail);
-    const arrow = isFinal ? chalk15.yellow("  \u2190 STOP") : "";
+    const nameStr = isFinal ? chalk16.white.bold(name) : chalk16.white(name);
+    const detail = isFinal ? chalk16.white(step.detail) : chalk16.gray(step.detail);
+    const arrow = isFinal ? chalk16.yellow("  \u2190 STOP") : "";
     console.log(`${icon} ${nameStr} ${detail}${arrow}`);
   }
   console.log("");
   if (result.decision === "allow") {
-    console.log(chalk15.green.bold("  Decision: \u2705 ALLOW") + chalk15.gray("  \u2014 no approval needed"));
+    console.log(chalk16.green.bold("  Decision: \u2705 ALLOW") + chalk16.gray("  \u2014 no approval needed"));
   } else {
     console.log(
-      chalk15.red.bold("  Decision: \u{1F534} REVIEW") + chalk15.gray("  \u2014 human approval required")
+      chalk16.red.bold("  Decision: \u{1F534} REVIEW") + chalk16.gray("  \u2014 human approval required")
     );
     if (result.blockedByLabel) {
-      console.log(chalk15.gray(`  Reason:   ${result.blockedByLabel}`));
+      console.log(chalk16.gray(`  Reason:   ${result.blockedByLabel}`));
     }
   }
   console.log("");
 });
 program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = path21.join(os18.homedir(), ".node9", "config.json");
-  if (fs20.existsSync(configPath) && !options.force) {
-    console.log(chalk15.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
-    console.log(chalk15.gray(`   Run with --force to overwrite.`));
+  const configPath = path24.join(os20.homedir(), ".node9", "config.json");
+  if (fs22.existsSync(configPath) && !options.force) {
+    console.log(chalk16.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
+    console.log(chalk16.gray(`   Run with --force to overwrite.`));
     return;
   }
   const requestedMode = options.mode.toLowerCase();
@@ -7833,13 +8445,13 @@ program.command("init").description("Create ~/.node9/config.json with default po
       mode: safeMode
     }
   };
-  const dir = path21.dirname(configPath);
-  if (!fs20.existsSync(dir)) fs20.mkdirSync(dir, { recursive: true });
-  fs20.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
-  console.log(chalk15.green(`\u2705 Global config created: ${configPath}`));
-  console.log(chalk15.cyan(`   Mode set to: ${safeMode}`));
+  const dir = path24.dirname(configPath);
+  if (!fs22.existsSync(dir)) fs22.mkdirSync(dir, { recursive: true });
+  fs22.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+  console.log(chalk16.green(`\u2705 Global config created: ${configPath}`));
+  console.log(chalk16.cyan(`   Mode set to: ${safeMode}`));
   console.log(
-    chalk15.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
+    chalk16.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
   );
 });
 registerAuditCommand(program);
@@ -7850,7 +8462,7 @@ program.command("tail").description("Stream live agent activity to the terminal"
   try {
     await startTail2(options);
   } catch (err) {
-    console.error(chalk15.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
+    console.error(chalk16.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
 });
@@ -7862,7 +8474,7 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   const ms = parseDuration(options.duration);
   if (ms === null) {
     console.error(
-      chalk15.red(`
+      chalk16.red(`
 \u274C  Invalid duration: "${options.duration}". Use format like 15m, 1h, 30s.
 `)
     );
@@ -7870,20 +8482,20 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   }
   pauseNode9(ms, options.duration);
   const expiresAt = new Date(Date.now() + ms).toLocaleTimeString();
-  console.log(chalk15.yellow(`
+  console.log(chalk16.yellow(`
 \u23F8  Node9 paused until ${expiresAt}`));
-  console.log(chalk15.gray(`   All tool calls will be allowed without review.`));
-  console.log(chalk15.gray(`   Run "node9 resume" to re-enable early.
+  console.log(chalk16.gray(`   All tool calls will be allowed without review.`));
+  console.log(chalk16.gray(`   Run "node9 resume" to re-enable early.
 `));
 });
 program.command("resume").description("Re-enable Node9 protection immediately").action(() => {
   const { paused } = checkPause();
   if (!paused) {
-    console.log(chalk15.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
+    console.log(chalk16.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
     return;
   }
   resumeNode9();
-  console.log(chalk15.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
+  console.log(chalk16.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
 });
 var HOOK_BASED_AGENTS = {
   claude: "claude",
@@ -7896,15 +8508,15 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     if (HOOK_BASED_AGENTS[firstArg2] !== void 0) {
       const target = HOOK_BASED_AGENTS[firstArg2];
       console.error(
-        chalk15.yellow(`
+        chalk16.yellow(`
 \u26A0\uFE0F  Node9 proxy mode does not support "${target}" directly.`)
       );
-      console.error(chalk15.white(`
+      console.error(chalk16.white(`
    "${target}" uses its own hook system. Use:`));
       console.error(
-        chalk15.green(`     node9 addto ${target}   `) + chalk15.gray("# one-time setup")
+        chalk16.green(`     node9 addto ${target}   `) + chalk16.gray("# one-time setup")
       );
-      console.error(chalk15.green(`     ${target}              `) + chalk15.gray("# run normally"));
+      console.error(chalk16.green(`     ${target}              `) + chalk16.gray("# run normally"));
       process.exit(1);
     }
     const runArgs = firstArg2 === "shell" ? commandArgs.slice(1) : commandArgs;
@@ -7921,7 +8533,7 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       }
     );
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
-      console.error(chalk15.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
+      console.error(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();
       if (daemonReady) result = await authorizeHeadless("shell", { command: fullCommand });
     }
@@ -7934,12 +8546,12 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     }
     if (!result.approved) {
       console.error(
-        chalk15.red(`
+        chalk16.red(`
 \u274C Node9 Blocked: ${result.reason || "Dangerous command detected."}`)
       );
       process.exit(1);
     }
-    console.error(chalk15.green("\n\u2705 Approved \u2014 running command...\n"));
+    console.error(chalk16.green("\n\u2705 Approved \u2014 running command...\n"));
     await runProxy(fullCommand);
   } else {
     program.help();
@@ -7948,14 +8560,15 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
 registerUndoCommand(program);
 registerShieldCommand(program);
 registerConfigShowCommand(program);
+registerTrustCommand(program);
 if (process.argv[2] !== "daemon") {
   process.on("unhandledRejection", (reason) => {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = path21.join(os18.homedir(), ".node9", "hook-debug.log");
+        const logPath = path24.join(os20.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        fs20.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        fs22.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);