@node9/proxy 1.3.1 → 1.4.0

package/dist/index.js

@@ -191,8 +191,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path10 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path10}: ${issue.message}`;
+    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path14}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -922,6 +922,7 @@ function getCompiledRegex(pattern, flags = "") {
 }
 
 // src/policy/index.ts
+var import_path8 = __toESM(require("path"));
 var import_picomatch = __toESM(require("picomatch"));
 var import_sh_syntax = require("sh-syntax");
 
@@ -1067,8 +1068,447 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
   return null;
 }
 
+// src/utils/provenance.ts
+var import_fs5 = __toESM(require("fs"));
+var import_path5 = __toESM(require("path"));
+var import_os4 = __toESM(require("os"));
+var SYSTEM_PREFIXES = ["/usr/bin", "/usr/sbin", "/bin", "/sbin"];
+var MANAGED_PREFIXES = ["/usr/local/bin", "/opt/homebrew", "/home/linuxbrew", "/nix/store"];
+var USER_PREFIXES = [
+  import_path5.default.join(import_os4.default.homedir(), "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".local", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".cargo", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".npm-global", "bin"),
+  import_path5.default.join(import_os4.default.homedir(), ".volta", "bin")
+];
+var SUSPECT_PREFIXES = ["/tmp", "/var/tmp", "/dev/shm"];
+function findInPath(cmd) {
+  if (import_path5.default.posix.isAbsolute(cmd)) return cmd;
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(import_path5.default.delimiter)) {
+    if (!dir) continue;
+    const full = import_path5.default.join(dir, cmd);
+    try {
+      import_fs5.default.accessSync(full, import_fs5.default.constants.X_OK);
+      return full;
+    } catch {
+    }
+  }
+  return null;
+}
+function _classifyPath(resolved, cwd) {
+  if (cwd && resolved.startsWith(cwd + "/")) {
+    return { trustLevel: "user", reason: "binary in project directory" };
+  }
+  const osTmp = import_os4.default.tmpdir();
+  const allSuspect = osTmp ? [...SUSPECT_PREFIXES, osTmp] : SUSPECT_PREFIXES;
+  if (allSuspect.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "suspect", reason: `binary in temp directory: ${resolved}` };
+  }
+  if (SYSTEM_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "system", reason: "" };
+  }
+  if (MANAGED_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "managed", reason: "" };
+  }
+  if (USER_PREFIXES.some((p) => resolved === p || resolved.startsWith(p + "/"))) {
+    return { trustLevel: "user", reason: "" };
+  }
+  return { trustLevel: "unknown", reason: "binary in unrecognized location" };
+}
+function checkProvenance(cmd, cwd) {
+  const bare = cmd.startsWith("./") ? cmd.slice(2) : cmd;
+  if (import_path5.default.posix.isAbsolute(bare)) {
+    const early = _classifyPath(bare, cwd);
+    if (early.trustLevel === "suspect") {
+      return { resolvedPath: bare, ...early };
+    }
+  }
+  let resolved;
+  try {
+    const found = findInPath(bare);
+    if (!found) {
+      return {
+        resolvedPath: cmd,
+        trustLevel: "unknown",
+        reason: "binary not found in PATH"
+      };
+    }
+    resolved = import_fs5.default.realpathSync(found);
+  } catch {
+    return {
+      resolvedPath: cmd,
+      trustLevel: "unknown",
+      reason: "binary not found in PATH"
+    };
+  }
+  try {
+    const stat = import_fs5.default.statSync(resolved);
+    if (stat.mode & 2) {
+      return {
+        resolvedPath: resolved,
+        trustLevel: "suspect",
+        reason: "binary is world-writable"
+      };
+    }
+  } catch {
+    return {
+      resolvedPath: resolved,
+      trustLevel: "unknown",
+      reason: "could not stat binary"
+    };
+  }
+  const classify = _classifyPath(resolved, cwd);
+  return { resolvedPath: resolved, ...classify };
+}
+
+// src/policy/pipe-chain.ts
+var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
+  "cat",
+  "head",
+  "tail",
+  "grep",
+  "awk",
+  "sed",
+  "cut",
+  "sort",
+  "tee",
+  "less",
+  "more",
+  "strings",
+  "xxd"
+]);
+var SINK_COMMANDS = /* @__PURE__ */ new Set([
+  "curl",
+  "wget",
+  "nc",
+  "ncat",
+  "netcat",
+  "ssh",
+  "scp",
+  "rsync",
+  "socat",
+  "ftp",
+  "sftp",
+  "telnet"
+]);
+var OBFUSCATORS = /* @__PURE__ */ new Set([
+  "base64",
+  "gzip",
+  "gunzip",
+  "bzip2",
+  "xz",
+  "zstd",
+  "openssl",
+  "gpg",
+  "python",
+  "python3",
+  "perl",
+  "ruby",
+  "node"
+]);
+var SENSITIVE_PATTERNS = [
+  /(?:^|\/)\.env(?:\.|$)/i,
+  // .env, .env.local, .env.production
+  /id_rsa|id_ed25519|id_ecdsa|id_dsa/i,
+  // SSH private keys
+  /\.pem$|\.key$|\.p12$|\.pfx$/i,
+  // certificate files
+  /(?:^|\/)\.ssh\//i,
+  // ~/.ssh/ directory
+  /(?:^|\/)\.aws\/credentials/i,
+  // AWS credentials
+  /(?:^|\/)\.netrc$/i,
+  // netrc (stores HTTP credentials)
+  /(?:^|\/)(passwd|shadow|sudoers)$/i,
+  // /etc/passwd, /etc/shadow
+  /(?:^|\/)credentials(?:\.json)?$/i
+  // generic credentials files
+];
+function isSensitivePath(p) {
+  return SENSITIVE_PATTERNS.some((re) => re.test(p));
+}
+function splitOnPipe(cmd) {
+  const segments = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+      current += ch;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+      current += ch;
+    } else if (ch === "|" && !inSingle && !inDouble && cmd[i + 1] !== "|" && (i === 0 || cmd[i - 1] !== "|")) {
+      segments.push(current.trim());
+      current = "";
+    } else {
+      current += ch;
+    }
+  }
+  if (current.trim()) segments.push(current.trim());
+  return segments.filter(Boolean);
+}
+function positionalTokens(segment) {
+  return segment.split(/\s+/).slice(1).filter((t) => !t.startsWith("-") && !t.startsWith("@") && t.length > 0);
+}
+function analyzePipeChain(command) {
+  const segments = splitOnPipe(command);
+  if (segments.length < 2) {
+    return {
+      isPipeline: false,
+      hasSensitiveSource: false,
+      hasExternalSink: false,
+      hasObfuscation: false,
+      sourceFiles: [],
+      sinkTargets: [],
+      risk: "none"
+    };
+  }
+  const sourceFiles = [];
+  const sinkTargets = [];
+  let hasSensitiveSource = false;
+  let hasExternalSink = false;
+  let hasObfuscation = false;
+  for (const segment of segments) {
+    const tokens = segment.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0) continue;
+    const binary = tokens[0].toLowerCase();
+    const args = positionalTokens(segment);
+    if (SOURCE_COMMANDS.has(binary)) {
+      sourceFiles.push(...args);
+      if (args.some(isSensitivePath)) hasSensitiveSource = true;
+    }
+    if (OBFUSCATORS.has(binary)) hasObfuscation = true;
+    if (SINK_COMMANDS.has(binary)) {
+      const targets = args.filter(
+        (a) => a.includes(".") || a.includes("://") || /^\d+\.\d+/.test(a)
+      );
+      sinkTargets.push(...targets);
+      if (targets.length > 0) hasExternalSink = true;
+    }
+  }
+  const fullCmd = command.toLowerCase();
+  if (!hasSensitiveSource) {
+    const redirMatch = fullCmd.match(/<\s*(\S+)/);
+    if (redirMatch && isSensitivePath(redirMatch[1])) {
+      hasSensitiveSource = true;
+      sourceFiles.push(redirMatch[1]);
+    }
+  }
+  const risk = hasSensitiveSource && hasExternalSink && hasObfuscation ? "critical" : hasSensitiveSource && hasExternalSink ? "high" : hasExternalSink ? "medium" : "none";
+  return {
+    isPipeline: true,
+    hasSensitiveSource,
+    hasExternalSink,
+    hasObfuscation,
+    sourceFiles,
+    sinkTargets,
+    risk
+  };
+}
+
+// src/policy/flag-tables.ts
+var import_path6 = __toESM(require("path"));
+var FLAGS_WITH_VALUES = {
+  curl: /* @__PURE__ */ new Set([
+    "-H",
+    "--header",
+    "-A",
+    "--user-agent",
+    "-e",
+    "--referer",
+    "-x",
+    "--proxy",
+    "-u",
+    "--user",
+    "-d",
+    "--data",
+    "--data-raw",
+    "--data-binary",
+    "-o",
+    "--output",
+    "-F",
+    "--form",
+    "--connect-to",
+    "--resolve",
+    "--cacert",
+    "--cert",
+    "--key",
+    "-m",
+    "--max-time"
+  ]),
+  wget: /* @__PURE__ */ new Set([
+    "-O",
+    "--output-document",
+    "-P",
+    "--directory-prefix",
+    "-U",
+    "--user-agent",
+    "-e",
+    "--execute",
+    "--proxy",
+    "--ca-certificate"
+  ]),
+  nc: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w", "-W", "-I", "-O"]),
+  ncat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "--proxy", "--proxy-auth", "-w", "--wait"]),
+  netcat: /* @__PURE__ */ new Set(["-x", "-p", "-s", "-w"]),
+  ssh: /* @__PURE__ */ new Set([
+    "-i",
+    "-l",
+    "-p",
+    "-o",
+    "-E",
+    "-F",
+    "-J",
+    "-L",
+    "-R",
+    "-W",
+    "-b",
+    "-c",
+    "-D",
+    "-e",
+    "-I",
+    "-S"
+  ]),
+  scp: /* @__PURE__ */ new Set(["-i", "-o", "-P", "-S"]),
+  rsync: /* @__PURE__ */ new Set(["-e", "--rsh", "--rsync-path", "--password-file", "--log-file"]),
+  socat: /* @__PURE__ */ new Set([])
+  // socat uses address syntax, not flags — no value-flags
+};
+function extractPositionalArgs(tokens, binary) {
+  const binaryName = import_path6.default.basename(binary).replace(/\.exe$/i, "");
+  const flagsWithValues = FLAGS_WITH_VALUES[binaryName] ?? /* @__PURE__ */ new Set();
+  const positional = [];
+  let skipNext = false;
+  for (const token of tokens) {
+    if (skipNext) {
+      skipNext = false;
+      continue;
+    }
+    if (token.startsWith("--") && token.includes("=")) continue;
+    if (token.startsWith("-") && token.length === 2 && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    if (token.startsWith("--") && flagsWithValues.has(token)) {
+      skipNext = true;
+      continue;
+    }
+    const shortFlag = token.slice(0, 2);
+    if (token.startsWith("-") && token.length > 2 && flagsWithValues.has(shortFlag)) continue;
+    if (token.startsWith("-")) continue;
+    if (token.startsWith("@")) continue;
+    positional.push(token);
+  }
+  return positional;
+}
+function extractNetworkTargets(tokens, binary) {
+  return extractPositionalArgs(tokens, binary).map((t) => t.includes("@") ? t.split("@")[1] : t).map((t) => {
+    const colonIdx = t.indexOf(":");
+    if (colonIdx === -1) return t;
+    const afterColon = t.slice(colonIdx + 1);
+    if (/^\d+$/.test(afterColon)) return t.slice(0, colonIdx);
+    return t;
+  }).filter(Boolean);
+}
+
+// src/policy/ssh-parser.ts
+function tokenize(cmd) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  for (const ch of cmd) {
+    if (ch === "'" && !inDouble) {
+      inSingle = !inSingle;
+    } else if (ch === '"' && !inSingle) {
+      inDouble = !inDouble;
+    } else if ((ch === " " || ch === "	") && !inSingle && !inDouble) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current) tokens.push(current);
+  return tokens;
+}
+function parseHost(raw) {
+  return raw.split("@").pop().split(":")[0];
+}
+function extractAllSshHosts(tokens) {
+  const hosts = /* @__PURE__ */ new Set();
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i];
+    if (t === "-J" && tokens[i + 1]) {
+      for (const hop of tokens[++i].split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxyjump=")) {
+      const val = tokens[++i].split("=").slice(1).join("=");
+      for (const hop of val.split(",")) {
+        const h = parseHost(hop);
+        if (h) hosts.add(h);
+      }
+      continue;
+    }
+    if (t === "-o" && tokens[i + 1]?.toLowerCase().startsWith("proxycommand=")) {
+      const raw = tokens[++i].split("=").slice(1).join("=").replace(/^['"]|['"]$/g, "");
+      const subTokens = tokenize(raw);
+      const binary = subTokens[0] ?? "";
+      extractNetworkTargets(subTokens.slice(1), binary).forEach((h) => hosts.add(h));
+      extractAllSshHosts(subTokens.slice(1)).forEach((h) => hosts.add(h));
+      continue;
+    }
+    if (!t.startsWith("-")) {
+      const h = parseHost(t);
+      if (h) hosts.add(h);
+    }
+  }
+  return [...hosts].filter(Boolean);
+}
+
+// src/auth/trusted-hosts.ts
+var import_fs6 = __toESM(require("fs"));
+var import_path7 = __toESM(require("path"));
+var import_os5 = __toESM(require("os"));
+function getTrustedHostsPath() {
+  return import_path7.default.join(import_os5.default.homedir(), ".node9", "trusted-hosts.json");
+}
+function readTrustedHosts() {
+  try {
+    const raw = import_fs6.default.readFileSync(getTrustedHostsPath(), "utf8");
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed.hosts) ? parsed.hosts : [];
+  } catch {
+    return [];
+  }
+}
+function normalizeHost(raw) {
+  return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
+}
+function isTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  return readTrustedHosts().some((entry) => {
+    const entryHost = entry.host.toLowerCase();
+    if (entryHost.startsWith("*.")) {
+      const domain = entryHost.slice(2);
+      return normalized === domain || normalized.endsWith("." + domain);
+    }
+    return normalized === entryHost;
+  });
+}
+
 // src/policy/index.ts
-function tokenize(toolName) {
+function tokenize2(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
 function matchesPattern(text, patterns) {
@@ -1081,9 +1521,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path10) {
+function getNestedValue(obj, path14) {
   if (!obj || typeof obj !== "object") return null;
-  return path10.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1207,7 +1647,7 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
-async function evaluatePolicy(toolName, args, agent) {
+async function evaluatePolicy(toolName, args, agent, cwd) {
   const config = getConfig();
   if (matchesPattern(toolName, config.policy.ignoredTools)) return { decision: "allow" };
   if (config.policy.smartRules.length > 0) {
@@ -1237,11 +1677,66 @@ async function evaluatePolicy(toolName, args, agent) {
     if (INLINE_EXEC_PATTERN.test(shellCommand.trim())) {
       return { decision: "review", blockedByLabel: "Node9 Standard (Inline Execution)", tier: 3 };
     }
+    const pipeAnalysis = analyzePipeChain(shellCommand);
+    if (pipeAnalysis.isPipeline && (pipeAnalysis.risk === "critical" || pipeAnalysis.risk === "high")) {
+      const sinks = pipeAnalysis.sinkTargets;
+      const allTrusted = sinks.length > 0 && sinks.every(isTrustedHost);
+      if (pipeAnalysis.risk === "critical") {
+        if (allTrusted) {
+          return {
+            decision: "review",
+            blockedByLabel: "Node9: Pipe-Chain to Trusted Host (obfuscated)",
+            reason: `Obfuscated pipe to trusted host(s): ${sinks.join(", ")} \u2014 requires approval`,
+            tier: 3
+          };
+        }
+        return {
+          decision: "block",
+          blockedByLabel: "Node9: Pipe-Chain Exfiltration (critical)",
+          reason: `Sensitive file piped through obfuscator to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+          tier: 3
+        };
+      }
+      if (allTrusted) {
+        return { decision: "allow" };
+      }
+      return {
+        decision: "review",
+        blockedByLabel: "Node9: Pipe-Chain Exfiltration (high)",
+        reason: `Sensitive file piped to network sink: ${pipeAnalysis.sourceFiles.join(", ")} \u2192 ${sinks.join(", ")}`,
+        tier: 3
+      };
+    }
+    const firstToken = analyzed.actions[0] ?? "";
+    if (["ssh", "scp", "rsync"].includes(firstToken)) {
+      const rawTokens = shellCommand.trim().split(/\s+/);
+      const sshHosts = extractAllSshHosts(rawTokens.slice(1));
+      allTokens.push(...sshHosts);
+    }
+    if (firstToken && import_path8.default.posix.isAbsolute(firstToken)) {
+      const prov = checkProvenance(firstToken, cwd);
+      if (prov.trustLevel === "suspect") {
+        return {
+          decision: config.settings.mode === "strict" ? "block" : "review",
+          blockedByLabel: "Node9: Suspect Binary",
+          reason: `Binary "${firstToken}" resolved to ${prov.resolvedPath} \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+      if (prov.trustLevel === "unknown" && config.settings.mode === "strict") {
+        return {
+          decision: "review",
+          blockedByLabel: "Node9: Unknown Binary (strict mode)",
+          reason: `Binary "${firstToken}" \u2014 ${prov.reason}`,
+          tier: 3
+        };
+      }
+    }
     if (isSqlTool(toolName, config.policy.toolInspection)) {
       allTokens = allTokens.filter((t) => !SQL_DML_KEYWORDS.has(t.toLowerCase()));
     }
   } else {
-    allTokens = tokenize(toolName);
+    allTokens = tokenize2(toolName);
     if (args && typeof args === "object") {
       const flattenedArgs = JSON.stringify(args).toLowerCase();
       const extraTokens = flattenedArgs.split(/[^a-zA-Z0-9]+/).filter((t) => t.length > 1);
@@ -1319,18 +1814,18 @@ function isIgnoredTool(toolName) {
 }
 
 // src/auth/state.ts
-var import_fs5 = __toESM(require("fs"));
-var import_path5 = __toESM(require("path"));
-var import_os4 = __toESM(require("os"));
-var PAUSED_FILE = import_path5.default.join(import_os4.default.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = import_path5.default.join(import_os4.default.homedir(), ".node9", "trust.json");
+var import_fs7 = __toESM(require("fs"));
+var import_path9 = __toESM(require("path"));
+var import_os6 = __toESM(require("os"));
+var PAUSED_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = import_path9.default.join(import_os6.default.homedir(), ".node9", "trust.json");
 function checkPause() {
   try {
-    if (!import_fs5.default.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(import_fs5.default.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!import_fs7.default.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(import_fs7.default.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        import_fs5.default.unlinkSync(PAUSED_FILE);
+        import_fs7.default.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -1341,20 +1836,20 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = import_path5.default.dirname(filePath);
-  if (!import_fs5.default.existsSync(dir)) import_fs5.default.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${import_os4.default.hostname()}.${process.pid}.tmp`;
-  import_fs5.default.writeFileSync(tmpPath, data, options);
-  import_fs5.default.renameSync(tmpPath, filePath);
+  const dir = import_path9.default.dirname(filePath);
+  if (!import_fs7.default.existsSync(dir)) import_fs7.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${import_os6.default.hostname()}.${process.pid}.tmp`;
+  import_fs7.default.writeFileSync(tmpPath, data, options);
+  import_fs7.default.renameSync(tmpPath, filePath);
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!import_fs5.default.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(import_fs5.default.readFileSync(TRUST_FILE, "utf-8"));
+    if (!import_fs7.default.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(import_fs7.default.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      import_fs5.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      import_fs7.default.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -1365,8 +1860,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs5.default.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(import_fs5.default.readFileSync(TRUST_FILE, "utf-8"));
+      if (import_fs7.default.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(import_fs7.default.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -1382,9 +1877,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = import_path5.default.join(import_os4.default.homedir(), ".node9", "decisions.json");
-    if (!import_fs5.default.existsSync(file)) return null;
-    const decisions = JSON.parse(import_fs5.default.readFileSync(file, "utf-8"));
+    const file = import_path9.default.join(import_os6.default.homedir(), ".node9", "decisions.json");
+    if (!import_fs7.default.existsSync(file)) return null;
+    const decisions = JSON.parse(import_fs7.default.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
@@ -1393,17 +1888,17 @@ function getPersistentDecision(toolName) {
 }
 
 // src/auth/daemon.ts
-var import_fs6 = __toESM(require("fs"));
-var import_path6 = __toESM(require("path"));
-var import_os5 = __toESM(require("os"));
+var import_fs8 = __toESM(require("fs"));
+var import_path10 = __toESM(require("path"));
+var import_os7 = __toESM(require("os"));
 var import_child_process = require("child_process");
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function getInternalToken() {
   try {
-    const pidFile = import_path6.default.join(import_os5.default.homedir(), ".node9", "daemon.pid");
-    if (!import_fs6.default.existsSync(pidFile)) return null;
-    const data = JSON.parse(import_fs6.default.readFileSync(pidFile, "utf-8"));
+    const pidFile = import_path10.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+    if (!import_fs8.default.existsSync(pidFile)) return null;
+    const data = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -1411,10 +1906,10 @@ function getInternalToken() {
   }
 }
 function isDaemonRunning() {
-  const pidFile = import_path6.default.join(import_os5.default.homedir(), ".node9", "daemon.pid");
-  if (import_fs6.default.existsSync(pidFile)) {
+  const pidFile = import_path10.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
+  if (import_fs8.default.existsSync(pidFile)) {
     try {
-      const { pid, port } = JSON.parse(import_fs6.default.readFileSync(pidFile, "utf-8"));
+      const { pid, port } = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
       if (port !== DAEMON_PORT) return false;
       process.kill(pid, 0);
       return true;
@@ -1510,16 +2005,16 @@ async function resolveViaDaemon(id, decision, internalToken) {
 
 // src/auth/orchestrator.ts
 var import_net = __toESM(require("net"));
-var import_path9 = __toESM(require("path"));
-var import_os7 = __toESM(require("os"));
+var import_path13 = __toESM(require("path"));
+var import_os9 = __toESM(require("os"));
 var import_crypto = require("crypto");
 
 // src/ui/native.ts
 var import_child_process2 = require("child_process");
-var import_path8 = __toESM(require("path"));
+var import_path12 = __toESM(require("path"));
 
 // src/context-sniper.ts
-var import_path7 = __toESM(require("path"));
+var import_path11 = __toESM(require("path"));
 function smartTruncate(str, maxLen = 500) {
   if (str.length <= maxLen) return str;
   const edge = Math.floor(maxLen / 2) - 3;
@@ -1587,7 +2082,7 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
       intent = "EDIT";
       if (obj.file_path) {
         editFilePath = String(obj.file_path);
-        editFileName = import_path7.default.basename(editFilePath);
+        editFileName = import_path11.default.basename(editFilePath);
       }
       const result = extractContext(String(obj.new_string), matchedWord);
       contextSnippet = result.snippet;
@@ -1642,7 +2137,7 @@ function formatArgs(args, matchedField, matchedWord) {
   if (typeof parsed === "object" && !Array.isArray(parsed)) {
     const obj = parsed;
     if (obj.old_string !== void 0 && obj.new_string !== void 0) {
-      const file = obj.file_path ? import_path8.default.basename(String(obj.file_path)) : "file";
+      const file = obj.file_path ? import_path12.default.basename(String(obj.file_path)) : "file";
       const oldPreview = smartTruncate(String(obj.old_string), 120);
       const newPreview = extractContext(String(obj.new_string), matchedWord).snippet;
       return {
@@ -1817,8 +2312,8 @@ end run`;
 }
 
 // src/auth/cloud.ts
-var import_fs7 = __toESM(require("fs"));
-var import_os6 = __toESM(require("os"));
+var import_fs9 = __toESM(require("fs"));
+var import_os8 = __toESM(require("os"));
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -1830,9 +2325,9 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
       context: {
         agent: meta?.agent,
         mcpServer: meta?.mcpServer,
-        hostname: import_os6.default.hostname(),
+        hostname: import_os8.default.hostname(),
         cwd: process.cwd(),
-        platform: import_os6.default.platform()
+        platform: import_os8.default.platform()
       }
     }),
     signal: AbortSignal.timeout(5e3)
@@ -1853,9 +2348,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
-          hostname: import_os6.default.hostname(),
+          hostname: import_os8.default.hostname(),
           cwd: process.cwd(),
-          platform: import_os6.default.platform()
+          platform: import_os8.default.platform()
         },
         ...riskMetadata && { riskMetadata }
       }),
@@ -1911,14 +2406,14 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
     });
     clearTimeout(timer);
     if (!res.ok) {
-      import_fs7.default.appendFileSync(
+      import_fs9.default.appendFileSync(
         HOOK_DEBUG_LOG,
         `[resolve-cloud] PATCH ${resolveUrl} \u2192 HTTP ${res.status}
 `
       );
     }
   } catch (err) {
-    import_fs7.default.appendFileSync(
+    import_fs9.default.appendFileSync(
       HOOK_DEBUG_LOG,
       `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
 `
@@ -1927,7 +2422,7 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 }
 
 // src/auth/orchestrator.ts
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path9.default.join(import_os7.default.tmpdir(), "node9-activity.sock");
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path13.default.join(import_os9.default.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -2009,7 +2504,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
-      const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         if (approvers.cloud && creds?.apiKey) {