@node9/proxy 1.4.0 → 1.5.1

package/dist/cli.js

@@ -30,7 +30,52 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/audit/hasher.ts
+function canonicalise(value) {
+  return _canonicalise(value, /* @__PURE__ */ new WeakSet());
+}
+function _canonicalise(value, seen) {
+  if (value === null || typeof value !== "object") return value;
+  if (value instanceof Date) return value.toISOString();
+  if (value instanceof RegExp) return value.toString();
+  if (Buffer.isBuffer(value)) return value.toString("base64");
+  if (seen.has(value)) return "[Circular]";
+  seen.add(value);
+  let result;
+  if (Array.isArray(value)) {
+    result = value.map((v) => _canonicalise(v, seen));
+  } else {
+    const obj = value;
+    result = Object.fromEntries(
+      Object.keys(obj).sort().map((k) => [k, _canonicalise(obj[k], seen)])
+    );
+  }
+  seen.delete(value);
+  return result;
+}
+function hashArgs(args) {
+  const canonical = JSON.stringify(canonicalise(args) ?? null);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+var import_crypto;
+var init_hasher = __esm({
+  "src/audit/hasher.ts"() {
+    "use strict";
+    import_crypto = require("crypto");
+  }
+});
+
 // src/audit/index.ts
+var audit_exports = {};
+__export(audit_exports, {
+  HOOK_DEBUG_LOG: () => HOOK_DEBUG_LOG,
+  LOCAL_AUDIT_LOG: () => LOCAL_AUDIT_LOG,
+  appendConfigAudit: () => appendConfigAudit,
+  appendHookDebug: () => appendHookDebug,
+  appendLocalAudit: () => appendLocalAudit,
+  appendToLog: () => appendToLog,
+  redactSecrets: () => redactSecrets
+});
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -52,24 +97,24 @@ function appendToLog(logPath, entry) {
   } catch {
   }
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(HOOK_DEBUG_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: import_os.default.hostname(),
     cwd: process.cwd()
   });
 }
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     decision,
     checkedBy,
     agent: meta?.agent,
@@ -91,6 +136,7 @@ var init_audit = __esm({
     import_fs = __toESM(require("fs"));
     import_path = __toESM(require("path"));
     import_os = __toESM(require("os"));
+    init_hasher();
     LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
   }
@@ -114,8 +160,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path25 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path25}: ${issue.message}`;
+    const path28 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path28}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -188,7 +234,8 @@ var init_config_schema = __esm({
         environment: import_zod.z.string().optional(),
         slackEnabled: import_zod.z.boolean().optional(),
         enableTrustSessions: import_zod.z.boolean().optional(),
-        allowGlobalPause: import_zod.z.boolean().optional()
+        allowGlobalPause: import_zod.z.boolean().optional(),
+        auditHashArgs: import_zod.z.boolean().optional()
       }).optional(),
       policy: import_zod.z.object({
         sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -269,7 +316,7 @@ function readShieldsFile() {
 }
 function writeShieldsFile(data) {
   import_fs2.default.mkdirSync(import_path2.default.dirname(SHIELDS_STATE_FILE), { recursive: true });
-  const tmp = `${SHIELDS_STATE_FILE}.${import_crypto.default.randomBytes(6).toString("hex")}.tmp`;
+  const tmp = `${SHIELDS_STATE_FILE}.${import_crypto2.default.randomBytes(6).toString("hex")}.tmp`;
   const toWrite = { active: data.active };
   if (data.overrides && Object.keys(data.overrides).length > 0) toWrite.overrides = data.overrides;
   import_fs2.default.writeFileSync(tmp, JSON.stringify(toWrite, null, 2), { mode: 384 });
@@ -318,14 +365,14 @@ function resolveShieldRule(shieldName, identifier) {
   }
   return null;
 }
-var import_fs2, import_path2, import_os2, import_crypto, SHIELDS, SHIELDS_STATE_FILE;
+var import_fs2, import_path2, import_os2, import_crypto2, SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
     "use strict";
     import_fs2 = __toESM(require("fs"));
     import_path2 = __toESM(require("path"));
     import_os2 = __toESM(require("os"));
-    import_crypto = __toESM(require("crypto"));
+    import_crypto2 = __toESM(require("crypto"));
     SHIELDS = {
       postgres: {
         name: "postgres",
@@ -746,6 +793,7 @@ var init_config = __esm({
         approvalTimeoutMs: 12e4,
         // 120-second auto-deny timeout
         flightRecorder: true,
+        auditHashArgs: true,
         approvers: { native: true, browser: true, cloud: false, terminal: true }
       },
       policy: {
@@ -1623,17 +1671,44 @@ function readTrustedHosts() {
     return [];
   }
 }
+function getFileMtime() {
+  try {
+    return import_fs6.default.statSync(getTrustedHostsPath()).mtimeMs;
+  } catch {
+    return 0;
+  }
+}
+function getCachedHosts() {
+  const now = Date.now();
+  if (_cache && now < _cache.expiry) {
+    const mtime = getFileMtime();
+    if (mtime === _cache.mtime) return _cache.hosts;
+  }
+  const hosts = readTrustedHosts();
+  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
+  return hosts;
+}
 function writeTrustedHosts(hosts) {
   const filePath = getTrustedHostsPath();
   import_fs6.default.mkdirSync(import_path7.default.dirname(filePath), { recursive: true });
   const tmp = filePath + ".node9-tmp";
-  import_fs6.default.writeFileSync(tmp, JSON.stringify({ hosts }, null, 2));
+  import_fs6.default.writeFileSync(tmp, JSON.stringify({ hosts }, null, 2), { mode: 384 });
   import_fs6.default.renameSync(tmp, filePath);
+  _cache = { hosts, expiry: Date.now() + CACHE_TTL_MS, mtime: getFileMtime() };
 }
 function addTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  if (normalized.startsWith("*.")) {
+    const base = normalized.slice(2);
+    if (!base.includes(".")) {
+      throw new Error(
+        `Wildcard pattern '${normalized}' is too broad \u2014 the base domain must have at least one dot (e.g. '*.mycompany.com', not '*.com').`
+      );
+    }
+  }
   const hosts = readTrustedHosts();
-  if (hosts.some((h) => h.host === host)) return;
-  hosts.push({ host, addedAt: Date.now(), addedBy: "user" });
+  if (hosts.some((h) => h.host === normalized)) return;
+  hosts.push({ host: normalized, addedAt: Date.now(), addedBy: "user" });
   writeTrustedHosts(hosts);
 }
 function removeTrustedHost(host) {
@@ -1648,22 +1723,24 @@ function normalizeHost(raw) {
 }
 function isTrustedHost(host) {
   const normalized = normalizeHost(host);
-  return readTrustedHosts().some((entry) => {
+  return getCachedHosts().some((entry) => {
     const entryHost = entry.host.toLowerCase();
     if (entryHost.startsWith("*.")) {
       const domain = entryHost.slice(2);
-      return normalized === domain || normalized.endsWith("." + domain);
+      return normalized.endsWith("." + domain);
     }
     return normalized === entryHost;
   });
 }
-var import_fs6, import_path7, import_os5;
+var import_fs6, import_path7, import_os5, _cache, CACHE_TTL_MS;
 var init_trusted_hosts = __esm({
   "src/auth/trusted-hosts.ts"() {
     "use strict";
     import_fs6 = __toESM(require("fs"));
     import_path7 = __toESM(require("path"));
     import_os5 = __toESM(require("os"));
+    _cache = null;
+    CACHE_TTL_MS = 5e3;
   }
 });
 
@@ -1681,9 +1758,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path25) {
+function getNestedValue(obj, path28) {
   if (!obj || typeof obj !== "object") return null;
-  return path25.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path28.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1869,7 +1946,12 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         };
       }
       if (allTrusted) {
-        return { decision: "allow" };
+        return {
+          decision: "allow",
+          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+          tier: 3
+        };
       }
       return {
         decision: "review",
@@ -2411,8 +2493,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
       signal: ctrl.signal
     });
     if (!res.ok) throw new Error("Daemon fail");
-    const { id } = await res.json();
-    return id;
+    const { id, allowCount } = await res.json();
+    return { id, allowCount: allowCount ?? 1 };
   } finally {
     clearTimeout(timer);
   }
@@ -2451,15 +2533,67 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
     signal: AbortSignal.timeout(3e3)
   });
   if (!res.ok) throw new Error("Daemon unreachable");
-  const { id } = await res.json();
-  return id;
+  const { id, allowCount } = await res.json();
+  return { id, allowCount: allowCount ?? 1 };
+}
+async function notifyTaint(filePath, source) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ path: filePath, source }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function notifyTaintPropagate(src, dest, clearSource = false) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint/propagate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ src, dest, clearSource }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
 }
-async function resolveViaDaemon(id, decision, internalToken) {
+async function checkTaint(paths) {
+  if (paths.length === 0) return { tainted: false };
+  if (!isDaemonRunning()) return { tainted: false, daemonUnavailable: true };
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    const res = await fetch(`${base}/taint/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ paths }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    return await res.json();
+  } catch (err) {
+    try {
+      const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
+      appendToLog2(HOOK_DEBUG_LOG2, {
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "checkTaint-error",
+        error: String(err),
+        paths
+      });
+    } catch {
+    }
+    return { tainted: false, daemonUnavailable: true };
+  }
+}
+async function resolveViaDaemon(id, decision, internalToken, source) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   await fetch(`${base}/resolve/${id}`, {
     method: "POST",
     headers: { "Content-Type": "application/json", "X-Node9-Internal": internalToken },
-    body: JSON.stringify({ decision }),
+    body: JSON.stringify({ decision, ...source && { source } }),
     signal: AbortSignal.timeout(3e3)
   });
 }
@@ -2666,20 +2800,24 @@ ${smartTruncate(str, 500)}`
 function escapePango(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
   lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
   lines.push("");
   lines.push(formattedArgs);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(`\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule`);
+  }
   if (!locked) {
     lines.push("");
     lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
   }
   return lines.join("\n");
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) {
     lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
@@ -2691,6 +2829,12 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
   lines.push("");
   lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(
+      `<span foreground="#f0c040">\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule</span>`
+    );
+  }
   if (!locked) {
     lines.push("");
     lines.push(
@@ -2699,12 +2843,19 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1) {
   if (isTestEnv()) return "deny";
   const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
   const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
-  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
+  const message = buildPlainMessage(
+    toolName,
+    formattedArgs,
+    agent,
+    explainableLabel,
+    locked,
+    allowCount
+  );
   return new Promise((resolve) => {
     let childProcess = null;
     const onAbort = () => {
@@ -2736,7 +2887,8 @@ end run`;
           formattedArgs,
           agent,
           explainableLabel,
-          locked
+          locked,
+          allowCount
         );
         const argsList = [
           locked ? "--info" : "--question",
@@ -2907,6 +3059,40 @@ var init_cloud = __esm({
 });
 
 // src/auth/orchestrator.ts
+function isWriteTool(toolName) {
+  const t = toolName.toLowerCase().replace(/[^a-z_]/g, "_");
+  return WRITE_TOOLS.has(t);
+}
+function extractFilePaths(toolName, args) {
+  const paths = [];
+  if (!args || typeof args !== "object" || Array.isArray(args)) return paths;
+  const a = args;
+  for (const key of ["file_path", "path", "filename", "source", "src", "input"]) {
+    if (typeof a[key] === "string" && a[key]) paths.push(a[key]);
+  }
+  const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+  if (cmd) {
+    for (const m of cmd.matchAll(/(?:-T|--upload-file|--data(?:-binary)?)\s+@?(\S+)/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/\b(?:scp|rsync)\s+(?:-\S+\s+)*(\S+)\s+\S+@/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/<\s*(\S+)/g)) {
+      paths.push(m[1]);
+    }
+  }
+  return paths.filter(Boolean);
+}
+function isNetworkTool(toolName, args) {
+  const t = toolName.toLowerCase();
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal.execute") {
+    const a = args;
+    const cmd = typeof a?.command === "string" ? a.command : typeof a?.cmd === "string" ? a.cmd : "";
+    return /\b(curl|wget|scp|rsync|nc|ncat|netcat|ssh)\b/.test(cmd);
+  }
+  return false;
+}
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -2924,7 +3110,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto2.randomUUID)();
+    const actId = (0, import_crypto3.randomUUID)();
     const actTs = Date.now();
     await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
@@ -2936,7 +3122,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
         id: actId,
         tool: toolName,
         ts: actTs,
-        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel
       });
     }
@@ -2950,6 +3136,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
   const creds = getCredentials();
   const config = getConfig(options?.cwd);
+  const hashAuditArgs = config.settings.auditHashArgs === true;
   const isTestEnv2 = !!(process.env.VITEST || process.env.NODE_ENV === "test" || process.env.CI || process.env.NODE9_TESTING === "1");
   const approvers = {
     ...config.settings.approvers || { native: true, browser: true, cloud: true, terminal: true }
@@ -2960,13 +3147,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     approvers.terminal = false;
   }
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
-    appendHookDebug(toolName, args, meta);
+    appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let taintWarning = null;
+  if (isNetworkTool(toolName, args)) {
+    const filePaths = extractFilePaths(toolName, args);
+    if (filePaths.length > 0) {
+      const taintResult = await checkTaint(filePaths);
+      if (taintResult.tainted && taintResult.record) {
+        const { path: taintedPath, source: taintSource } = taintResult.record;
+        taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+      } else if (taintResult.daemonUnavailable) {
+        taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
+      }
+    }
+  }
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
@@ -2974,7 +3174,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (isWriteTool(toolName) && filePath) {
+          await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2982,7 +3185,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
         };
       }
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta, hashAuditArgs);
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
@@ -2990,7 +3194,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
-        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
           await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
         }
@@ -2998,22 +3202,23 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         auditLocalAllow(toolName, args, "local-policy", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
       return {
         approved: false,
         reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -3032,15 +3237,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
-    const persistent = getPersistentDecision(toolName);
+    const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "persistent", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "persistent-deny", meta, hashAuditArgs);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -3048,10 +3254,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         blockedByLabel: "Persistent User Rule"
       };
     }
-  } else {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
+  } else if (!taintWarning) {
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (taintWarning) {
+    explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
+    riskMetadata = computeRiskMetadata(
+      args,
+      7,
+      explainableLabel,
+      void 0,
+      void 0,
+      taintWarning
+    );
+  }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
@@ -3070,7 +3287,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
       cloudRequestId = initResult.requestId || null;
-      explainableLabel = "Organization Policy (SaaS)";
+      if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
   }
@@ -3099,13 +3316,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let viewerId = null;
   const internalToken = getInternalToken();
   let daemonEntryId = null;
+  let daemonAllowCount = 1;
   if ((approvers.browser || approvers.terminal) && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
-      viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      viewerId = viewer?.id ?? null;
       daemonEntryId = viewerId;
+      if (viewer) daemonAllowCount = viewer.allowCount;
     } else {
       try {
-        daemonEntryId = await registerDaemonEntry(
+        const entry = await registerDaemonEntry(
           toolName,
           args,
           meta,
@@ -3113,6 +3333,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           options?.activityId,
           options?.cwd
         );
+        daemonEntryId = entry.id;
+        daemonAllowCount = entry.allowCount;
       } catch {
       }
     }
@@ -3148,7 +3370,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           false,
           signal,
           policyMatchedField,
-          policyMatchedWord
+          policyMatchedWord,
+          daemonAllowCount
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -3206,10 +3429,13 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       if (!resolved) {
         resolved = true;
         abortController.abort();
-        if (viewerId && internalToken) {
-          resolveViaDaemon(viewerId, res.approved ? "allow" : "deny", internalToken).catch(
-            () => null
-          );
+        if (daemonEntryId && internalToken) {
+          resolveViaDaemon(
+            daemonEntryId,
+            res.approved ? "allow" : "deny",
+            internalToken,
+            res.decisionSource
+          ).catch(() => null);
         }
         resolve(res);
       }
@@ -3248,19 +3474,20 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
+      meta,
+      hashAuditArgs
     );
   }
   return finalResult;
 }
-var import_net, import_path13, import_os10, import_crypto2, ACTIVITY_SOCKET_PATH;
+var import_net, import_path13, import_os10, import_crypto3, WRITE_TOOLS, ACTIVITY_SOCKET_PATH;
 var init_orchestrator = __esm({
   "src/auth/orchestrator.ts"() {
     "use strict";
     import_net = __toESM(require("net"));
     import_path13 = __toESM(require("path"));
     import_os10 = __toESM(require("os"));
-    import_crypto2 = require("crypto");
+    import_crypto3 = require("crypto");
     init_native();
     init_context_sniper();
     init_dlp();
@@ -3270,6 +3497,17 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
+    WRITE_TOOLS = /* @__PURE__ */ new Set([
+      "write",
+      "write_file",
+      "create_file",
+      "edit",
+      "multiedit",
+      "str_replace_based_edit_tool",
+      "replace",
+      "notebook_edit",
+      "notebookedit"
+    ]);
     ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path13.default.join(import_os10.default.tmpdir(), "node9-activity.sock");
   }
 });
@@ -3566,6 +3804,15 @@ var init_ui = __esm({
         padding: 5px 10px;
         margin-bottom: 14px;
       }
+      .insight-hint {
+        font-size: 12px;
+        color: #f0c040;
+        background: rgba(240, 192, 64, 0.08);
+        border: 1px solid rgba(240, 192, 64, 0.25);
+        border-radius: 6px;
+        padding: 6px 10px;
+        margin-bottom: 12px;
+      }
       pre {
         background: #0d1117;
         padding: 14px 16px;
@@ -4038,6 +4285,78 @@ var init_ui = __esm({
         color: var(--danger);
       }
 
+      /* \u2500\u2500 Suggestion cards \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+      .suggestion-card {
+        background: rgba(82, 130, 255, 0.06);
+        border: 1px solid rgba(82, 130, 255, 0.25);
+        border-radius: 8px;
+        padding: 10px 12px;
+        margin-bottom: 8px;
+      }
+      .suggestion-card:last-child {
+        margin-bottom: 0;
+      }
+      .suggestion-header {
+        display: flex;
+        align-items: center;
+        gap: 8px;
+        margin-bottom: 6px;
+      }
+      .suggestion-tool {
+        font-family: 'Fira Code', monospace;
+        font-size: 11px;
+        color: var(--text-bright);
+        flex: 1;
+        word-break: break-all;
+      }
+      .suggestion-count {
+        font-size: 10px;
+        color: var(--muted);
+        white-space: nowrap;
+      }
+      .suggestion-rule {
+        font-family: 'Fira Code', monospace;
+        font-size: 10px;
+        color: #79c0ff;
+        background: rgba(0, 0, 0, 0.25);
+        border-radius: 4px;
+        padding: 4px 8px;
+        margin-bottom: 8px;
+        word-break: break-all;
+        white-space: pre-wrap;
+      }
+      .suggestion-actions {
+        display: flex;
+        gap: 6px;
+      }
+      .btn-apply {
+        background: rgba(52, 125, 57, 0.2);
+        border: 1px solid rgba(87, 171, 90, 0.4);
+        color: #57ab5a;
+        padding: 4px 10px;
+        font-size: 11px;
+        border-radius: 5px;
+        font-family: inherit;
+        cursor: pointer;
+      }
+      .btn-apply:hover {
+        background: rgba(52, 125, 57, 0.35);
+      }
+      .btn-dismiss-suggestion {
+        background: transparent;
+        border: 1px solid var(--border);
+        color: var(--muted);
+        padding: 4px 10px;
+        font-size: 11px;
+        border-radius: 5px;
+        font-family: inherit;
+        cursor: pointer;
+      }
+      .btn-dismiss-suggestion:hover {
+        border-color: var(--danger);
+        color: var(--danger);
+      }
+
       .modal-overlay {
         display: none;
         position: fixed;
@@ -4219,6 +4538,11 @@ var init_ui = __esm({
             <div class="panel-title">\u{1F4CB} Persistent Decisions</div>
             <div id="decisionsList"><span class="decisions-empty">None yet.</span></div>
           </div>
+
+          <div class="panel" id="suggestionsPanel" style="display: none">
+            <div class="panel-title">\u{1F4A1} Smart Rule Suggestions</div>
+            <div id="suggestionsList"></div>
+          </div>
         </div>
       </div>
     </div>
@@ -4368,12 +4692,15 @@ var init_ui = __esm({
         const badgeClass = isEdit ? 'sniper-badge-edit' : 'sniper-badge-exec';
         const badgeLabel = isEdit ? '\u{1F4DD} Code Edit' : '\u{1F6D1} Execution';
         const tierLabel = \`Tier \${rm.tier} \xB7 \${esc(rm.blockedByLabel)}\`;
+        const isTaint = rm.blockedByLabel?.includes('Taint');
         const fileLine =
-          isEdit && rm.editFilePath
-            ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
-            : !isEdit && rm.matchedWord
-              ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
-              : '';
+          isTaint && rm.ruleName
+            ? \`<div class="sniper-match">\u26A0\uFE0F \${esc(rm.ruleName)}</div>\`
+            : isEdit && rm.editFilePath
+              ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
+              : !isEdit && rm.matchedWord
+                ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
+                : '';
         const snippetHtml = rm.contextSnippet ? \`<pre>\${esc(rm.contextSnippet)}</pre>\` : '';
         return \`
           <div class="sniper-header">
@@ -4408,6 +4735,7 @@ var init_ui = __esm({
         </div>
         <div class="tool-chip">\${esc(req.toolName)}</div>
         \${isSlack ? '<div class="slack-indicator">\u26A1 Awaiting Cloud approval \u2014 view only</div>' : ''}
+        \${req.allowCount >= 3 ? \`<div class="insight-hint">\u{1F4A1} Approved \${req.allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule</div>\` : ''}
         \${renderPayload(req)}
         <div class="actions" id="act-\${req.id}">
           <button class="btn-allow" onclick="sendDecision('\${req.id}','allow',false)" \${dis}>\u2705 Allow this Action</button>
@@ -4474,6 +4802,14 @@ var init_ui = __esm({
         ev.addEventListener('shields-status', (e) => {
           renderShields(JSON.parse(e.data).shields);
         });
+        ev.addEventListener('suggestion:new', (e) => {
+          const s = JSON.parse(e.data);
+          addSuggestionCard(s);
+        });
+        ev.addEventListener('suggestion:resolved', (e) => {
+          const { id } = JSON.parse(e.data);
+          removeSuggestionCard(id);
+        });
 
         // \u2500\u2500 Flight Recorder \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
         ev.addEventListener('activity', (e) => {
@@ -4723,6 +5059,74 @@ var init_ui = __esm({
         .then((r) => r.json())
         .then(renderDecisions)
         .catch(() => {});
+
+      // \u2500\u2500 Smart Rule Suggestions \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+      function rulePreview(suggestion) {
+        const r = suggestion.suggestedRule;
+        if (r.type === 'ignoredTool') return \`ignoredTool: "\${r.toolName}"\`;
+        const cond = r.rule.conditions?.[0];
+        const condStr = cond ? \` where \${cond.field} \${cond.op} "\${cond.value}"\` : '';
+        return \`allow \${r.rule.tool}\${condStr}\`;
+      }
+
+      function addSuggestionCard(s) {
+        const panel = document.getElementById('suggestionsPanel');
+        const list = document.getElementById('suggestionsList');
+        panel.style.display = '';
+
+        const card = document.createElement('div');
+        card.className = 'suggestion-card';
+        card.id = 'sg-' + s.id;
+        card.innerHTML = \`
+          <div class="suggestion-header">
+            <span class="suggestion-tool">\${esc(s.toolName)}</span>
+            <span class="suggestion-count">allowed \${s.allowCount}\xD7</span>
+          </div>
+          <div class="suggestion-rule">\${esc(rulePreview(s))}</div>
+          <div class="suggestion-actions">
+            <button class="btn-apply" onclick="applySuggestion('\${esc(s.id)}')">Apply rule</button>
+            <button class="btn-dismiss-suggestion" onclick="dismissSuggestion('\${esc(s.id)}')">Dismiss</button>
+          </div>
+        \`;
+        list.appendChild(card);
+      }
+
+      function removeSuggestionCard(id) {
+        document.getElementById('sg-' + id)?.remove();
+        const list = document.getElementById('suggestionsList');
+        if (!list.querySelector('.suggestion-card')) {
+          document.getElementById('suggestionsPanel').style.display = 'none';
+        }
+      }
+
+      function applySuggestion(id) {
+        fetch('/suggestions/' + id + '/apply', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json', 'X-Node9-Token': CSRF_TOKEN },
+          body: JSON.stringify({}),
+        })
+          .then((r) => {
+            if (r.ok) removeSuggestionCard(id);
+          })
+          .catch(() => {});
+      }
+
+      function dismissSuggestion(id) {
+        fetch('/suggestions/' + id + '/dismiss', {
+          method: 'POST',
+          headers: { 'X-Node9-Token': CSRF_TOKEN },
+        })
+          .then((r) => {
+            if (r.ok) removeSuggestionCard(id);
+          })
+          .catch(() => {});
+      }
+
+      // Load any suggestions that survived a page reload (daemon still running)
+      fetch('/suggestions')
+        .then((r) => r.json())
+        .then((list) => list.filter((s) => s.status === 'pending').forEach(addSuggestionCard))
+        .catch(() => {});
     </script>
   </body>
 </html>
@@ -4740,7 +5144,197 @@ var init_ui2 = __esm({
   }
 });
 
+// src/daemon/suggestion-tracker.ts
+function extractPath(args) {
+  if (!args || typeof args !== "object") return null;
+  const a = args;
+  for (const key of ["path", "file_path", "filename", "filepath", "dest", "destination"]) {
+    if (typeof a[key] === "string" && a[key]) return a[key];
+  }
+  return null;
+}
+function commonPathPrefix(paths) {
+  if (paths.length < 2) return null;
+  const dirParts = paths.map((p) => {
+    const lastSlash = p.lastIndexOf("/");
+    return lastSlash > 0 ? p.slice(0, lastSlash + 1) : "/";
+  });
+  const first = dirParts[0].split("/");
+  const common = [];
+  for (let i = 0; i < first.length; i++) {
+    if (dirParts.every((d) => d.split("/")[i] === first[i])) {
+      common.push(first[i]);
+    } else {
+      break;
+    }
+  }
+  const prefix = common.join("/").replace(/\/?$/, "/");
+  return prefix.length > 1 ? prefix : null;
+}
+var import_crypto4, SuggestionTracker;
+var init_suggestion_tracker = __esm({
+  "src/daemon/suggestion-tracker.ts"() {
+    "use strict";
+    import_crypto4 = require("crypto");
+    SuggestionTracker = class {
+      events = /* @__PURE__ */ new Map();
+      threshold;
+      constructor(threshold = 3) {
+        this.threshold = threshold;
+      }
+      /**
+       * Record a human-allowed review for a tool.
+       * Returns a Suggestion when the threshold is reached, null otherwise.
+       */
+      recordAllow(toolName, args) {
+        const events = this.events.get(toolName) ?? [];
+        events.push({ args, ts: Date.now() });
+        this.events.set(toolName, events);
+        if (events.length >= this.threshold) {
+          this.events.delete(toolName);
+          return this.generateSuggestion(toolName, events);
+        }
+        return null;
+      }
+      /**
+       * Reset the counter for a tool (e.g. when the user clicks Deny —
+       * don't suggest allowing something they just blocked).
+       */
+      resetTool(toolName) {
+        this.events.delete(toolName);
+      }
+      /** Current allow count for a tool (for tests). */
+      getCount(toolName) {
+        return this.events.get(toolName)?.length ?? 0;
+      }
+      generateSuggestion(toolName, events) {
+        const paths = events.map((e) => extractPath(e.args)).filter((p) => typeof p === "string" && p.length > 0);
+        const prefix = commonPathPrefix(paths);
+        const suggestedRule = prefix ? {
+          type: "smartRule",
+          rule: {
+            name: `allow-${toolName}-${prefix.replace(/[^a-z0-9]/gi, "-").replace(/-+/g, "-").replace(/^-|-$/g, "")}`,
+            tool: toolName,
+            conditions: [{ field: "path", op: "matchesGlob", value: `${prefix}**` }],
+            verdict: "allow",
+            reason: `Auto-suggested: ${toolName} allowed ${events.length}\xD7 in ${prefix}`
+          }
+        } : { type: "ignoredTool", toolName };
+        return {
+          id: (0, import_crypto4.randomUUID)(),
+          toolName,
+          allowCount: events.length,
+          suggestedRule,
+          status: "pending",
+          createdAt: Date.now(),
+          exampleArgs: events.slice(0, 3).map((e) => e.args)
+        };
+      }
+    };
+  }
+});
+
+// src/daemon/taint-store.ts
+var import_fs12, import_path15, DEFAULT_TTL_MS, TaintStore;
+var init_taint_store = __esm({
+  "src/daemon/taint-store.ts"() {
+    "use strict";
+    import_fs12 = __toESM(require("fs"));
+    import_path15 = __toESM(require("path"));
+    DEFAULT_TTL_MS = 60 * 60 * 1e3;
+    TaintStore = class {
+      records = /* @__PURE__ */ new Map();
+      /** Add or refresh taint on an absolute path. */
+      taint(filePath, source, ttlMs = DEFAULT_TTL_MS) {
+        const resolved = this._resolve(filePath);
+        const now = Date.now();
+        this.records.set(resolved, {
+          path: resolved,
+          source,
+          createdAt: now,
+          expiresAt: now + ttlMs
+        });
+      }
+      /**
+       * Check whether a path is currently tainted.
+       * Returns the TaintRecord if tainted (and not expired), null otherwise.
+       * Expired records are pruned on access.
+       */
+      check(filePath) {
+        const resolved = this._resolve(filePath);
+        const record = this.records.get(resolved);
+        if (!record) return null;
+        if (Date.now() > record.expiresAt) {
+          this.records.delete(resolved);
+          return null;
+        }
+        return record;
+      }
+      /**
+       * Propagate taint from sourcePath to destPath (e.g. cp, mv).
+       * For mv semantics (clearSource=true) the source taint is removed.
+       */
+      propagate(sourcePath, destPath, clearSource = false) {
+        const taintRecord = this.check(sourcePath);
+        if (!taintRecord) return;
+        const remainingMs = taintRecord.expiresAt - Date.now();
+        if (remainingMs > 0) {
+          const baseSource = taintRecord.source.replace(/^(propagated:)+/, "");
+          this.taint(destPath, `propagated:${baseSource}`, remainingMs);
+        }
+        if (clearSource) {
+          this.records.delete(this._resolve(sourcePath));
+        }
+      }
+      /** Remove all expired records. Called periodically by the daemon. */
+      prune() {
+        const now = Date.now();
+        for (const [key, record] of this.records) {
+          if (now > record.expiresAt) this.records.delete(key);
+        }
+      }
+      /** Return all non-expired taint records (for audit/debug). */
+      list() {
+        this.prune();
+        return [...this.records.values()];
+      }
+      /** Remove all taint records atomically. Used by tests to reset state between runs. */
+      clear() {
+        this.records.clear();
+      }
+      /** Resolve to absolute path, falling back to path.resolve if file doesn't exist yet. */
+      _resolve(filePath) {
+        try {
+          return import_fs12.default.realpathSync.native(import_path15.default.resolve(filePath));
+        } catch {
+          return import_path15.default.resolve(filePath);
+        }
+      }
+    };
+  }
+});
+
 // src/daemon/state.ts
+function loadInsightCounts() {
+  try {
+    if (!import_fs13.default.existsSync(INSIGHT_COUNTS_FILE)) return;
+    const data = JSON.parse(import_fs13.default.readFileSync(INSIGHT_COUNTS_FILE, "utf-8"));
+    for (const [tool, count] of Object.entries(data)) {
+      if (typeof count === "number" && count > 0) insightCounts.set(tool, count);
+    }
+  } catch {
+  }
+}
+function saveInsightCounts() {
+  try {
+    const data = {};
+    insightCounts.forEach((count, tool) => {
+      data[tool] = count;
+    });
+    atomicWriteSync2(INSIGHT_COUNTS_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+  } catch {
+  }
+}
 function getAbandonTimer() {
   return _abandonTimer;
 }
@@ -4763,11 +5357,27 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = import_path15.default.dirname(filePath);
-  if (!import_fs12.default.existsSync(dir)) import_fs12.default.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${(0, import_crypto3.randomUUID)()}.tmp`;
-  import_fs12.default.writeFileSync(tmpPath, data, options);
-  import_fs12.default.renameSync(tmpPath, filePath);
+  const dir = import_path16.default.dirname(filePath);
+  if (!import_fs13.default.existsSync(dir)) import_fs13.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${(0, import_crypto5.randomUUID)()}.tmp`;
+  try {
+    import_fs13.default.writeFileSync(tmpPath, data, options);
+  } catch (err) {
+    try {
+      import_fs13.default.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  try {
+    import_fs13.default.renameSync(tmpPath, filePath);
+  } catch (err) {
+    try {
+      import_fs13.default.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
 }
 function redactArgs(value) {
   if (!value || typeof value !== "object") return value;
@@ -4787,16 +5397,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = import_path15.default.dirname(AUDIT_LOG_FILE);
-    if (!import_fs12.default.existsSync(dir)) import_fs12.default.mkdirSync(dir, { recursive: true });
-    import_fs12.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = import_path16.default.dirname(AUDIT_LOG_FILE);
+    if (!import_fs13.default.existsSync(dir)) import_fs13.default.mkdirSync(dir, { recursive: true });
+    import_fs13.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!import_fs12.default.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = import_fs12.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!import_fs13.default.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = import_fs13.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -4805,19 +5415,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (import_fs12.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (import_fs13.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return import_fs12.default.existsSync(CREDENTIALS_FILE);
+  return import_fs13.default.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (import_fs12.default.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(import_fs12.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (import_fs13.default.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(import_fs13.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4829,8 +5439,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs12.default.existsSync(TRUST_FILE2))
-        trust = JSON.parse(import_fs12.default.readFileSync(TRUST_FILE2, "utf-8"));
+      if (import_fs13.default.existsSync(TRUST_FILE2))
+        trust = JSON.parse(import_fs13.default.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -4841,8 +5451,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (import_fs12.default.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(import_fs12.default.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (import_fs13.default.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(import_fs13.default.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4907,7 +5517,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      import_fs12.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs13.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -4918,7 +5528,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    import_fs12.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    import_fs13.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -4960,31 +5570,38 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      import_fs12.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      import_fs13.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
 }
-var import_net2, import_fs12, import_path15, import_os12, import_child_process3, import_crypto3, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, pending, sseClients, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
+var import_net2, import_fs13, import_path16, import_os12, import_child_process3, import_crypto5, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     import_net2 = __toESM(require("net"));
-    import_fs12 = __toESM(require("fs"));
-    import_path15 = __toESM(require("path"));
+    import_fs13 = __toESM(require("fs"));
+    import_path16 = __toESM(require("path"));
     import_os12 = __toESM(require("os"));
     import_child_process3 = require("child_process");
-    import_crypto3 = require("crypto");
+    import_crypto5 = require("crypto");
     init_daemon();
+    init_suggestion_tracker();
+    init_taint_store();
     homeDir = import_os12.default.homedir();
-    DAEMON_PID_FILE = import_path15.default.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = import_path15.default.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = import_path15.default.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = import_path15.default.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = import_path15.default.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = import_path15.default.join(homeDir, ".node9", "credentials.json");
+    DAEMON_PID_FILE = import_path16.default.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = import_path16.default.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = import_path16.default.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = import_path16.default.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = import_path16.default.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = import_path16.default.join(homeDir, ".node9", "credentials.json");
+    INSIGHT_COUNTS_FILE = import_path16.default.join(homeDir, ".node9", "insight-counts.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
+    suggestionTracker = new SuggestionTracker(3);
+    suggestions = /* @__PURE__ */ new Map();
+    taintStore = new TaintStore();
+    insightCounts = /* @__PURE__ */ new Map();
     _abandonTimer = null;
     _hadBrowserClient = false;
     _daemonServer = null;
@@ -4996,17 +5613,75 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path15.default.join(import_os12.default.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path16.default.join(import_os12.default.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
   }
 });
 
+// src/config/patch.ts
+function patchConfig(configPath, patch) {
+  let config = {};
+  try {
+    if (import_fs14.default.existsSync(configPath)) {
+      config = JSON.parse(import_fs14.default.readFileSync(configPath, "utf8"));
+    }
+  } catch {
+    throw new Error(`Cannot read config at ${configPath} \u2014 file may be corrupted`);
+  }
+  if (!config.policy || typeof config.policy !== "object") config.policy = {};
+  const policy = config.policy;
+  if (patch.type === "smartRule") {
+    if (!Array.isArray(policy.smartRules)) policy.smartRules = [];
+    const rules = policy.smartRules;
+    if (patch.rule.name && rules.some((r) => r.name === patch.rule.name)) return;
+    rules.push(patch.rule);
+  } else {
+    if (!Array.isArray(policy.ignoredTools)) policy.ignoredTools = [];
+    const ignored = policy.ignoredTools;
+    if (!ignored.includes(patch.toolName)) {
+      ignored.push(patch.toolName);
+    }
+  }
+  const dir = import_path17.default.dirname(configPath);
+  import_fs14.default.mkdirSync(dir, { recursive: true });
+  const tmp = configPath + ".node9-tmp";
+  try {
+    import_fs14.default.writeFileSync(tmp, JSON.stringify(config, null, 2), { mode: 384 });
+  } catch (err) {
+    try {
+      import_fs14.default.unlinkSync(tmp);
+    } catch {
+    }
+    throw err;
+  }
+  try {
+    import_fs14.default.renameSync(tmp, configPath);
+  } catch (err) {
+    try {
+      import_fs14.default.unlinkSync(tmp);
+    } catch {
+    }
+    throw err;
+  }
+}
+var import_fs14, import_path17, import_os13, GLOBAL_CONFIG_PATH;
+var init_patch = __esm({
+  "src/config/patch.ts"() {
+    "use strict";
+    import_fs14 = __toESM(require("fs"));
+    import_path17 = __toESM(require("path"));
+    import_os13 = __toESM(require("os"));
+    GLOBAL_CONFIG_PATH = import_path17.default.join(import_os13.default.homedir(), ".node9", "config.json");
+  }
+});
+
 // src/daemon/server.ts
 function startDaemon() {
-  const csrfToken = (0, import_crypto4.randomUUID)();
-  const internalToken = (0, import_crypto4.randomUUID)();
+  loadInsightCounts();
+  const csrfToken = (0, import_crypto6.randomUUID)();
+  const internalToken = (0, import_crypto6.randomUUID)();
   const UI_HTML = UI_HTML_TEMPLATE.replace("{{CSRF_TOKEN}}", csrfToken);
   const validToken = (req) => req.headers["x-node9-token"] === csrfToken;
   const IDLE_TIMEOUT_MS = 12 * 60 * 60 * 1e3;
@@ -5019,7 +5694,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          import_fs13.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs15.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -5028,8 +5703,14 @@ function startDaemon() {
     idleTimer.unref();
   }
   resetIdleTimer();
+  const allowedHosts = /* @__PURE__ */ new Set([`127.0.0.1:${DAEMON_PORT}`, `localhost:${DAEMON_PORT}`]);
   const server = import_http.default.createServer(async (req, res) => {
-    const reqUrl = new URL(req.url || "/", `http://${req.headers.host}`);
+    const host = req.headers.host ?? "";
+    if (!allowedHosts.has(host)) {
+      res.writeHead(421, { "Content-Type": "text/plain" });
+      return res.end("Misdirected Request");
+    }
+    const reqUrl = new URL(req.url || "/", `http://${host}`);
     const { pathname } = reqUrl;
     if (req.method === "GET" && pathname === "/") {
       res.writeHead(200, { "Content-Type": "text/html" });
@@ -5062,7 +5743,8 @@ data: ${JSON.stringify({
             slackDelegated: e.slackDelegated,
             timestamp: e.timestamp,
             agent: e.agent,
-            mcpServer: e.mcpServer
+            mcpServer: e.mcpServer,
+            allowCount: (insightCounts.get(e.toolName) ?? 0) + 1
           })),
           orgName: getOrgName(),
           autoDenyMs: getConfig().settings.approvalTimeoutMs ?? AUTO_DENY_MS
@@ -5104,6 +5786,12 @@ data: ${JSON.stringify(item.data)}
         }
       });
     }
+    if (req.method === "POST" && pathname === "/browser-opened") {
+      if (req.headers["x-node9-internal"] !== internalToken) return res.writeHead(403).end();
+      browserOpened = true;
+      res.writeHead(200).end();
+      return;
+    }
     if (req.method === "POST" && pathname === "/check") {
       try {
         resetIdleTimer();
@@ -5121,7 +5809,7 @@ data: ${JSON.stringify(item.data)}
           activityId,
           cwd
         } = JSON.parse(body);
-        const id = fromCLI && typeof activityId === "string" && activityId || (0, import_crypto4.randomUUID)();
+        const id = fromCLI && typeof activityId === "string" && activityId || (0, import_crypto6.randomUUID)();
         const entry = {
           id,
           toolName,
@@ -5147,7 +5835,7 @@ data: ${JSON.stringify(item.data)}
                 e.earlyReason = "No response \u2014 auto-denied after timeout";
               }
               pending.delete(id);
-              broadcast("remove", { id });
+              broadcast("remove", { id, decision: "deny" });
             }
           }, getConfig().settings.approvalTimeoutMs ?? AUTO_DENY_MS)
         };
@@ -5161,7 +5849,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && import_path16.default.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && import_path18.default.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -5174,7 +5862,10 @@ data: ${JSON.stringify(item.data)}
             slackDelegated: entry.slackDelegated,
             agent: entry.agent,
             mcpServer: entry.mcpServer,
-            interactive: terminalEnabled
+            interactive: terminalEnabled,
+            // allowCount = what this count will be if the user allows.
+            // Terminal uses this to show the 💡 insight line on the Nth consecutive approval.
+            allowCount: (insightCounts.get(toolName) ?? 0) + 1
           });
           const browserAlreadyOpened = process.env.NODE9_BROWSER_OPENED === "1";
           if (browserEnabled && !browserOpened && !browserAlreadyOpened) {
@@ -5183,7 +5874,7 @@ data: ${JSON.stringify(item.data)}
           }
         }
         res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ id }));
+        res.end(JSON.stringify({ id, allowCount: (insightCounts.get(toolName) ?? 0) + 1 }));
         if (slackDelegated) return;
         authorizeHeadless(
           toolName,
@@ -5210,7 +5901,7 @@ data: ${JSON.stringify(item.data)}
           if (e.waiter) {
             e.waiter(decision, result.reason);
             pending.delete(id);
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision });
           } else {
             e.earlyDecision = decision;
             e.earlyReason = result.reason;
@@ -5226,7 +5917,7 @@ data: ${JSON.stringify(item.data)}
             e.earlyReason = reason;
           }
           pending.delete(id);
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: "deny" });
         });
         return;
       } catch {
@@ -5257,12 +5948,14 @@ data: ${JSON.stringify(item.data)}
         res.end(JSON.stringify(body));
       };
       req.on("close", () => {
-        const e = pending.get(id);
-        if (e && e.waiter && e.earlyDecision === null) {
-          clearTimeout(e.timer);
-          pending.delete(id);
-          broadcast("remove", { id });
-        }
+        setTimeout(() => {
+          const e = pending.get(id);
+          if (e && e.waiter && e.earlyDecision === null) {
+            clearTimeout(e.timer);
+            pending.delete(id);
+            broadcast("remove", { id });
+          }
+        }, 200);
       });
       return;
     }
@@ -5291,10 +5984,10 @@ data: ${JSON.stringify(item.data)}
           if (entry.waiter) {
             entry.waiter("allow");
             pending.delete(id);
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision: "allow" });
           } else {
             entry.earlyDecision = "allow";
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision: "allow" });
             entry.timer = setTimeout(() => pending.delete(id), 3e4);
           }
           res.writeHead(200);
@@ -5308,16 +6001,29 @@ data: ${JSON.stringify(item.data)}
           decision: resolvedDecision
         });
         clearTimeout(entry.timer);
+        if (resolvedDecision === "allow" && !persist) {
+          insightCounts.set(entry.toolName, (insightCounts.get(entry.toolName) ?? 0) + 1);
+          saveInsightCounts();
+          const suggestion = suggestionTracker.recordAllow(entry.toolName, entry.args);
+          if (suggestion) {
+            suggestions.set(suggestion.id, suggestion);
+            broadcast("suggestion:new", suggestion);
+          }
+        } else if (resolvedDecision === "deny") {
+          insightCounts.delete(entry.toolName);
+          saveInsightCounts();
+          suggestionTracker.resetTool(entry.toolName);
+        }
         const VALID_SOURCES = /* @__PURE__ */ new Set(["terminal", "browser", "native"]);
         if (source && VALID_SOURCES.has(source)) entry.decisionSource = source;
         if (entry.waiter) {
           entry.waiter(resolvedDecision, reason);
           pending.delete(id);
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: resolvedDecision });
         } else {
           entry.earlyDecision = resolvedDecision;
           entry.earlyReason = reason;
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: resolvedDecision });
           entry.timer = setTimeout(() => pending.delete(id), 3e4);
         }
         res.writeHead(200);
@@ -5405,13 +6111,38 @@ data: ${JSON.stringify(item.data)}
         const id = pathname.split("/").pop();
         const entry = pending.get(id);
         if (!entry) return res.writeHead(404).end();
-        const { decision } = JSON.parse(await readBody(req));
-        appendAuditLog({ toolName: entry.toolName, args: entry.args, decision });
+        const { decision, source } = JSON.parse(await readBody(req));
+        const resolvedResolveDecision = decision === "allow" ? "allow" : "deny";
+        appendAuditLog({
+          toolName: entry.toolName,
+          args: entry.args,
+          decision: resolvedResolveDecision
+        });
         clearTimeout(entry.timer);
-        if (entry.waiter) entry.waiter(decision);
-        else entry.earlyDecision = decision;
+        if (resolvedResolveDecision === "allow") {
+          insightCounts.set(entry.toolName, (insightCounts.get(entry.toolName) ?? 0) + 1);
+          saveInsightCounts();
+        } else {
+          insightCounts.delete(entry.toolName);
+          saveInsightCounts();
+        }
+        if (!entry.slackDelegated) {
+          if (resolvedResolveDecision === "allow") {
+            const suggestion = suggestionTracker.recordAllow(entry.toolName, entry.args);
+            if (suggestion) {
+              suggestions.set(suggestion.id, suggestion);
+              broadcast("suggestion:new", suggestion);
+            }
+          } else {
+            suggestionTracker.resetTool(entry.toolName);
+          }
+        }
+        const VALID_RESOLVE_SOURCES = /* @__PURE__ */ new Set(["terminal", "browser", "native"]);
+        if (source && VALID_RESOLVE_SOURCES.has(source)) entry.decisionSource = source;
+        if (entry.waiter) entry.waiter(resolvedResolveDecision);
+        else entry.earlyDecision = resolvedResolveDecision;
         pending.delete(id);
-        broadcast("remove", { id });
+        broadcast("remove", { id, decision: resolvedResolveDecision });
         res.writeHead(200);
         return res.end(JSON.stringify({ ok: true }));
       } catch {
@@ -5459,20 +6190,136 @@ data: ${JSON.stringify(item.data)}
         res.writeHead(400).end();
       }
     }
+    if (req.method === "GET" && pathname === "/suggestions") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      return res.end(JSON.stringify([...suggestions.values()]));
+    }
+    if (req.method === "POST" && pathname.startsWith("/suggestions/") && pathname.endsWith("/apply")) {
+      if (!validToken(req)) return res.writeHead(403).end();
+      try {
+        const body = await readBody(req);
+        const data = body ? JSON.parse(body) : {};
+        const configPath = data.configPath ?? GLOBAL_CONFIG_PATH;
+        const node9Dir = import_path18.default.dirname(GLOBAL_CONFIG_PATH);
+        if (!import_path18.default.resolve(configPath).startsWith(node9Dir + import_path18.default.sep)) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(
+            JSON.stringify({ error: "configPath must be within the node9 config directory" })
+          );
+        }
+        const id = pathname.split("/")[2];
+        const suggestion = suggestions.get(id);
+        if (!suggestion) return res.writeHead(404).end();
+        let patch;
+        if (data.rule !== void 0) {
+          const parsed = SmartRuleSchema.safeParse(data.rule);
+          if (!parsed.success) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            return res.end(JSON.stringify({ error: parsed.error.message }));
+          }
+          patch = { type: "smartRule", rule: parsed.data };
+        } else {
+          patch = suggestion.suggestedRule;
+        }
+        patchConfig(configPath, patch);
+        _resetConfigCache();
+        insightCounts.delete(suggestion.toolName);
+        saveInsightCounts();
+        suggestion.status = "applied";
+        broadcast("suggestion:resolved", { id, status: "applied" });
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch (err) {
+        console.error(import_chalk2.default.red("[node9 daemon] POST /suggestions/:id/apply failed:"), err);
+        res.writeHead(500, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ error: String(err) }));
+      }
+    }
+    if (req.method === "POST" && pathname.startsWith("/suggestions/") && pathname.endsWith("/dismiss")) {
+      if (!validToken(req)) return res.writeHead(403).end();
+      try {
+        const id = pathname.split("/")[2];
+        const suggestion = suggestions.get(id);
+        if (!suggestion) return res.writeHead(404).end();
+        suggestion.status = "dismissed";
+        broadcast("suggestion:resolved", { id, status: "dismissed" });
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.path !== "string" || typeof body.source !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "path and source are required strings" }));
+        }
+        const ttlMs = typeof body.ttlMs === "number" ? body.ttlMs : void 0;
+        taintStore.taint(body.path, body.source, ttlMs);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/check") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (!Array.isArray(body.paths)) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "paths must be an array" }));
+        }
+        if (body.paths.some((p) => typeof p !== "string")) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "all paths must be strings" }));
+        }
+        for (const p of body.paths) {
+          const record = taintStore.check(p);
+          if (record) {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            return res.end(JSON.stringify({ tainted: true, record }));
+          }
+        }
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ tainted: false }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/propagate") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.src !== "string" || typeof body.dest !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "src and dest are required strings" }));
+        }
+        const clearSource = body.clearSource === true;
+        taintStore.propagate(body.src, body.dest, clearSource);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
     res.writeHead(404).end();
   });
   setDaemonServer(server);
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (import_fs13.default.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(import_fs13.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (import_fs15.default.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(import_fs15.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          import_fs13.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs15.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -5531,43 +6378,45 @@ data: ${JSON.stringify(item.data)}
   }
   startActivitySocket();
 }
-var import_http, import_fs13, import_path16, import_crypto4, import_child_process4, import_chalk2;
+var import_http, import_fs15, import_path18, import_crypto6, import_child_process4, import_chalk2;
 var init_server = __esm({
   "src/daemon/server.ts"() {
     "use strict";
     import_http = __toESM(require("http"));
-    import_fs13 = __toESM(require("fs"));
-    import_path16 = __toESM(require("path"));
-    import_crypto4 = require("crypto");
+    import_fs15 = __toESM(require("fs"));
+    import_path18 = __toESM(require("path"));
+    import_crypto6 = require("crypto");
     import_child_process4 = require("child_process");
     import_chalk2 = __toESM(require("chalk"));
     init_core();
     init_shields();
     init_ui2();
     init_state2();
+    init_patch();
+    init_config_schema();
   }
 });
 
 // src/daemon/index.ts
 function stopDaemon() {
-  if (!import_fs14.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
+  if (!import_fs16.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(import_fs14.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(import_fs16.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(import_chalk3.default.green("\u2705 Stopped."));
   } catch {
     console.log(import_chalk3.default.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      import_fs14.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs16.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (import_fs14.default.existsSync(DAEMON_PID_FILE)) {
+  if (import_fs16.default.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(import_fs14.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(import_fs16.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(import_chalk3.default.green("Node9 daemon: running"));
       return;
@@ -5586,11 +6435,11 @@ function daemonStatus() {
     console.log(import_chalk3.default.yellow("Node9 daemon: not running"));
   }
 }
-var import_fs14, import_chalk3, import_child_process5;
+var import_fs16, import_chalk3, import_child_process5;
 var init_daemon2 = __esm({
   "src/daemon/index.ts"() {
     "use strict";
-    import_fs14 = __toESM(require("fs"));
+    import_fs16 = __toESM(require("fs"));
     import_chalk3 = __toESM(require("chalk"));
     import_child_process5 = require("child_process");
     init_server();
@@ -5617,17 +6466,17 @@ function formatBase(activity) {
   const toolName = activity.tool.slice(0, 16).padEnd(16);
   const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ");
   const argsPreview = argsStr.length > 70 ? argsStr.slice(0, 70) + "\u2026" : argsStr;
-  return `${import_chalk15.default.gray(time)} ${icon} ${import_chalk15.default.white.bold(toolName)} ${import_chalk15.default.dim(argsPreview)}`;
+  return `${import_chalk16.default.gray(time)} ${icon} ${import_chalk16.default.white.bold(toolName)} ${import_chalk16.default.dim(argsPreview)}`;
 }
 function renderResult(activity, result) {
   const base = formatBase(activity);
   let status;
   if (result.status === "allow") {
-    status = import_chalk15.default.green("\u2713 ALLOW");
+    status = import_chalk16.default.green("\u2713 ALLOW");
   } else if (result.status === "dlp") {
-    status = import_chalk15.default.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
+    status = import_chalk16.default.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
   } else {
-    status = import_chalk15.default.red("\u2717 BLOCK");
+    status = import_chalk16.default.red("\u2717 BLOCK");
   }
   if (process.stdout.isTTY) {
     import_readline3.default.clearLine(process.stdout, 0);
@@ -5637,16 +6486,16 @@ function renderResult(activity, result) {
 }
 function renderPending(activity) {
   if (!process.stdout.isTTY) return;
-  process.stdout.write(`${formatBase(activity)}  ${import_chalk15.default.yellow("\u25CF \u2026")}\r`);
+  process.stdout.write(`${formatBase(activity)}  ${import_chalk16.default.yellow("\u25CF \u2026")}\r`);
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (import_fs21.default.existsSync(PID_FILE)) {
+  if (import_fs24.default.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(import_fs21.default.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(import_fs24.default.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
-      console.error(import_chalk15.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
+      console.error(import_chalk16.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
     }
   }
   const checkPort = pidPort ?? DAEMON_PORT;
@@ -5657,7 +6506,7 @@ async function ensureDaemon() {
     if (res.ok) return checkPort;
   } catch {
   }
-  console.log(import_chalk15.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
+  console.log(import_chalk16.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
   const child = (0, import_child_process13.spawn)(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
@@ -5674,12 +6523,15 @@ async function ensureDaemon() {
     } catch {
     }
   }
-  console.error(import_chalk15.default.red("\u274C Daemon failed to start. Try: node9 daemon start"));
+  console.error(import_chalk16.default.red("\u274C Daemon failed to start. Try: node9 daemon start"));
   process.exit(1);
 }
-function postDecisionHttp(id, decision, csrfToken, port) {
+function postDecisionHttp(id, decision, csrfToken, port, opts) {
   return new Promise((resolve, reject) => {
-    const body = JSON.stringify({ decision, source: "terminal" });
+    const bodyObj = { decision, source: "terminal" };
+    if (opts?.persist) bodyObj.persist = true;
+    if (opts?.trustDuration) bodyObj.trustDuration = opts.trustDuration;
+    const body = JSON.stringify(bodyObj);
     const req = import_http2.default.request(
       {
         hostname: "127.0.0.1",
@@ -5702,22 +6554,33 @@ function postDecisionHttp(id, decision, csrfToken, port) {
     req.end(body);
   });
 }
-function buildCardLines(req) {
+function buildCardLines(req, localCount = 0) {
   const argsStr = JSON.stringify(req.args ?? {}).replace(/\s+/g, " ");
   const argsPreview = argsStr.length > 60 ? argsStr.slice(0, 60) + "\u2026" : argsStr;
   const tierLabel = req.riskMetadata?.tier != null ? req.riskMetadata.tier <= 2 ? `${YELLOW}\u26A0  Tier ${req.riskMetadata.tier}` : `${RED}\u{1F6D1} Tier ${req.riskMetadata.tier}` : `${YELLOW}\u26A0  Review`;
   const blockedBy = req.riskMetadata?.blockedByLabel ?? "Policy rule";
-  return [
+  const lines = [
     ``,
     `${BOLD}${CYAN}\u2554\u2550\u2550 Node9 Approval Required \u2550\u2550\u2557${RESET}`,
     `${CYAN}\u2551${RESET} Tool:    ${BOLD}${req.toolName}${RESET}`,
-    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`,
-    `${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`,
+    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`
+  ];
+  if (req.riskMetadata?.ruleName && blockedBy.includes("Taint")) {
+    lines.push(`${CYAN}\u2551${RESET} ${YELLOW}\u26A0  ${req.riskMetadata.ruleName}${RESET}`);
+  }
+  lines.push(`${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`);
+  if (localCount >= 2) {
+    lines.push(
+      `${CYAN}\u2551${RESET} ${YELLOW}\u{1F4A1}${RESET} Approved ${localCount}\xD7 before \u2014 ${BOLD}[a]${RESET}${YELLOW} creates a permanent rule${RESET}`
+    );
+  }
+  lines.push(
     `${CYAN}\u255A${RESET}`,
     ``,
-    `  ${BOLD}${GREEN}[A]${RESET} Allow   ${BOLD}${RED}[D]${RESET} Deny`,
+    `  ${BOLD}${GREEN}[\u21B5/y]${RESET} Allow   ${BOLD}${RED}[n]${RESET} Deny   ${BOLD}${YELLOW}[a]${RESET} Always Allow   ${BOLD}${CYAN}[t]${RESET} Trust 30m`,
     ``
-  ];
+  );
+  return lines;
 }
 async function startTail(options = {}) {
   const port = await ensureDaemon();
@@ -5745,7 +6608,7 @@ async function startTail(options = {}) {
       req2.end();
     });
     if (result.ok) {
-      console.log(import_chalk15.default.green("\u2713 Flight Recorder buffer cleared."));
+      console.log(import_chalk16.default.green("\u2713 Flight Recorder buffer cleared."));
     } else if (result.code === "ECONNREFUSED") {
       throw new Error("Daemon is not running. Start it with: node9 daemon start");
     } else if (result.code === "ETIMEDOUT") {
@@ -5762,17 +6625,22 @@ async function startTail(options = {}) {
   let cardActive = false;
   let cardLineCount = 0;
   let cancelActiveCard = null;
+  const localAllowCounts = /* @__PURE__ */ new Map();
   const canApprove = process.stdout.isTTY && process.stdin.isTTY;
   if (canApprove) import_readline3.default.emitKeypressEvents(process.stdin);
   function clearCard() {
     if (cardLineCount > 0) {
-      process.stdout.write(RESTORE_CURSOR + ERASE_DOWN);
+      import_readline3.default.moveCursor(process.stdout, 0, -cardLineCount);
+      process.stdout.write(ERASE_DOWN);
       cardLineCount = 0;
     }
   }
   function printCard(req2) {
-    process.stdout.write(HIDE_CURSOR + SAVE_CURSOR);
-    const lines = buildCardLines(req2);
+    process.stdout.write(HIDE_CURSOR);
+    const daemonPrior = req2.allowCount !== void 0 ? req2.allowCount - 1 : 0;
+    const localPrior = localAllowCounts.get(req2.toolName) ?? 0;
+    const priorCount = Math.max(daemonPrior, localPrior);
+    const lines = buildCardLines(req2, priorCount);
     for (const line of lines) process.stdout.write(line + "\n");
     cardLineCount = lines.length;
   }
@@ -5800,34 +6668,70 @@ async function startTail(options = {}) {
       process.stdin.pause();
       cancelActiveCard = null;
     };
-    const settle = (decision) => {
+    const settle = (action) => {
       if (settled) return;
       settled = true;
       cleanup();
       clearCard();
+      const stampedLines = buildCardLines(
+        req2,
+        Math.max(
+          req2.allowCount !== void 0 ? req2.allowCount - 1 : 0,
+          localAllowCounts.get(req2.toolName) ?? 0
+        )
+      );
+      const decisionStamp = action === "always-allow" ? import_chalk16.default.yellow("\u2605 ALWAYS ALLOW") : action === "trust" ? import_chalk16.default.cyan("\u23F1 TRUST 30m") : action === "allow" ? import_chalk16.default.green("\u2713 ALLOWED") : import_chalk16.default.red("\u2717 DENIED");
+      stampedLines.push(`  ${BOLD}\u2192${RESET} ${decisionStamp} ${GRAY}(terminal)${RESET}`, ``);
+      for (const line of stampedLines) process.stdout.write(line + "\n");
       process.stdout.write(SHOW_CURSOR);
-      postDecisionHttp(req2.id, decision, csrfToken, port).catch((err) => {
+      cardLineCount = 0;
+      if (action === "allow" || action === "always-allow" || action === "trust") {
+        localAllowCounts.set(req2.toolName, (localAllowCounts.get(req2.toolName) ?? 0) + 1);
+      } else if (action === "deny") {
+        localAllowCounts.delete(req2.toolName);
+      }
+      let httpDecision;
+      let httpOpts;
+      if (action === "always-allow") {
+        httpDecision = "allow";
+        httpOpts = { persist: true };
+      } else if (action === "trust") {
+        httpDecision = "trust";
+        httpOpts = { trustDuration: "30m" };
+      } else {
+        httpDecision = action;
+      }
+      postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err) => {
         try {
-          import_fs21.default.appendFileSync(
-            import_path23.default.join(import_os19.default.homedir(), ".node9", "hook-debug.log"),
+          import_fs24.default.appendFileSync(
+            import_path26.default.join(import_os21.default.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
         } catch {
         }
       });
-      const decisionLabel = decision === "allow" ? import_chalk15.default.green("\u2713 ALLOWED (terminal)") : import_chalk15.default.red("\u2717 DENIED (terminal)");
-      console.log(`${import_chalk15.default.cyan("\u25C6")} ${import_chalk15.default.bold(req2.toolName.padEnd(16))}  ${decisionLabel}`);
       approvalQueue.shift();
       cardActive = false;
       showNextCard();
     };
-    cancelActiveCard = () => {
+    cancelActiveCard = (externalDecision) => {
       if (settled) return;
       settled = true;
       cleanup();
       clearCard();
+      const priorCount = Math.max(
+        req2.allowCount !== void 0 ? req2.allowCount - 1 : 0,
+        localAllowCounts.get(req2.toolName) ?? 0
+      );
+      const stampedLines = buildCardLines(req2, priorCount);
+      if (externalDecision) {
+        const source = externalDecision === "allow" ? import_chalk16.default.green("\u2713 ALLOWED") : import_chalk16.default.red("\u2717 DENIED");
+        stampedLines.push(`  ${BOLD}\u2192${RESET} ${source} ${GRAY}(external)${RESET}`, ``);
+      }
+      for (const line of stampedLines) process.stdout.write(line + "\n");
       process.stdout.write(SHOW_CURSOR);
+      cardLineCount = 0;
       approvalQueue.shift();
       cardActive = false;
       showNextCard();
@@ -5835,10 +6739,14 @@ async function startTail(options = {}) {
     process.stdin.resume();
     onKeypress = (_str, key) => {
       const name = key?.name ?? "";
-      if (name === "a") {
+      if (name === "y" || name === "return") {
         settle("allow");
-      } else if (name === "d" || name === "return" || name === "enter" || key?.ctrl && name === "c") {
+      } else if (name === "n" || name === "d" || key?.ctrl && name === "c") {
         settle("deny");
+      } else if (name === "a") {
+        settle("always-allow");
+      } else if (name === "t") {
+        settle("trust");
       }
     };
     process.stdin.on("keypress", onKeypress);
@@ -5851,19 +6759,27 @@ async function startTail(options = {}) {
       else if (process.platform === "win32")
         (0, import_child_process13.execSync)(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
       else (0, import_child_process13.execSync)(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
+      const intToken = getInternalToken();
+      fetch(`http://127.0.0.1:${port}/browser-opened`, {
+        method: "POST",
+        headers: intToken ? { "X-Node9-Internal": intToken } : {}
+      }).catch(() => {
+      });
     }
   } catch {
   }
-  console.log(import_chalk15.default.cyan.bold(`
-\u{1F6F0}\uFE0F  Node9 tail  `) + import_chalk15.default.dim(`\u2192 ${dashboardUrl}`));
+  console.log(import_chalk16.default.cyan.bold(`
+\u{1F6F0}\uFE0F  Node9 tail  `) + import_chalk16.default.dim(`\u2192 ${dashboardUrl}`));
   if (canApprove) {
-    console.log(import_chalk15.default.dim("Interactive approvals enabled. [A] Allow  [D] Deny"));
+    console.log(
+      import_chalk16.default.dim("Interactive approvals: [\u21B5/y] Allow  [n] Deny  [a] Always Allow  [t] Trust 30m")
+    );
   }
   if (options.history) {
-    console.log(import_chalk15.default.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
+    console.log(import_chalk16.default.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
   } else {
     console.log(
-      import_chalk15.default.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
+      import_chalk16.default.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
     );
   }
   process.on("SIGINT", () => {
@@ -5873,13 +6789,13 @@ async function startTail(options = {}) {
       import_readline3.default.clearLine(process.stdout, 0);
       import_readline3.default.cursorTo(process.stdout, 0);
     }
-    console.log(import_chalk15.default.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
+    console.log(import_chalk16.default.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
     process.exit(0);
   });
   const sseUrl = `http://127.0.0.1:${port}/events?capabilities=input`;
   const req = import_http2.default.get(sseUrl, (res) => {
     if (res.statusCode !== 200) {
-      console.error(import_chalk15.default.red(`Failed to connect: HTTP ${res.statusCode}`));
+      console.error(import_chalk16.default.red(`Failed to connect: HTTP ${res.statusCode}`));
       process.exit(1);
     }
     let currentEvent = "";
@@ -5909,7 +6825,7 @@ async function startTail(options = {}) {
         import_readline3.default.clearLine(process.stdout, 0);
         import_readline3.default.cursorTo(process.stdout, 0);
       }
-      console.log(import_chalk15.default.red("\n\u274C Daemon disconnected."));
+      console.log(import_chalk16.default.red("\n\u274C Daemon disconnected."));
       process.exit(1);
     });
   });
@@ -5950,11 +6866,17 @@ async function startTail(options = {}) {
     }
     if (event === "remove") {
       try {
-        const { id } = JSON.parse(rawData);
+        const { id, decision } = JSON.parse(rawData);
         const idx = approvalQueue.findIndex((r) => r.id === id);
         if (idx !== -1) {
           if (idx === 0 && cardActive && cancelActiveCard) {
-            cancelActiveCard();
+            const toolName = approvalQueue[0].toolName;
+            if (decision === "allow") {
+              localAllowCounts.set(toolName, (localAllowCounts.get(toolName) ?? 0) + 1);
+            } else if (decision === "deny") {
+              localAllowCounts.delete(toolName);
+            }
+            cancelActiveCard(decision);
           } else {
             approvalQueue.splice(idx, 1);
           }
@@ -5989,25 +6911,26 @@ async function startTail(options = {}) {
   }
   req.on("error", (err) => {
     const msg = err.code === "ECONNREFUSED" ? "Daemon is not running. Start it with: node9 daemon start" : err.message;
-    console.error(import_chalk15.default.red(`
+    console.error(import_chalk16.default.red(`
 \u274C ${msg}`));
     process.exit(1);
   });
 }
-var import_http2, import_chalk15, import_fs21, import_os19, import_path23, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, SAVE_CURSOR, RESTORE_CURSOR;
+var import_http2, import_chalk16, import_fs24, import_os21, import_path26, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     import_http2 = __toESM(require("http"));
-    import_chalk15 = __toESM(require("chalk"));
-    import_fs21 = __toESM(require("fs"));
-    import_os19 = __toESM(require("os"));
-    import_path23 = __toESM(require("path"));
+    import_chalk16 = __toESM(require("chalk"));
+    import_fs24 = __toESM(require("fs"));
+    import_os21 = __toESM(require("os"));
+    import_path26 = __toESM(require("path"));
     import_readline3 = __toESM(require("readline"));
     import_child_process13 = require("child_process");
     init_daemon2();
+    init_daemon();
     init_core();
-    PID_FILE = import_path23.default.join(import_os19.default.homedir(), ".node9", "daemon.pid");
+    PID_FILE = import_path26.default.join(import_os21.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -6035,8 +6958,6 @@ var init_tail = __esm({
     HIDE_CURSOR = "\x1B[?25l";
     SHOW_CURSOR = "\x1B[?25h";
     ERASE_DOWN = "\x1B[J";
-    SAVE_CURSOR = "\x1B7";
-    RESTORE_CURSOR = "\x1B8";
   }
 });
 
@@ -6355,6 +7276,25 @@ async function setupGemini() {
     printDaemonTip();
   }
 }
+function detectAgents(homeDir2 = import_os11.default.homedir()) {
+  const exists = (p) => {
+    try {
+      return import_fs11.default.existsSync(p);
+    } catch (err) {
+      const code = err.code;
+      if (code !== "ENOENT") {
+        process.stderr.write(`[node9] detectAgents: cannot access ${p}: ${code ?? String(err)}
+`);
+      }
+      return false;
+    }
+  };
+  return {
+    claude: exists(import_path14.default.join(homeDir2, ".claude")) || exists(import_path14.default.join(homeDir2, ".claude.json")),
+    gemini: exists(import_path14.default.join(homeDir2, ".gemini")),
+    cursor: exists(import_path14.default.join(homeDir2, ".cursor"))
+  };
+}
 async function setupCursor() {
   const homeDir2 = import_os11.default.homedir();
   const mcpPath = import_path14.default.join(homeDir2, ".cursor", "mcp.json");
@@ -6413,10 +7353,10 @@ async function setupCursor() {
 
 // src/cli.ts
 init_daemon2();
-var import_chalk16 = __toESM(require("chalk"));
-var import_fs22 = __toESM(require("fs"));
-var import_path24 = __toESM(require("path"));
-var import_os20 = __toESM(require("os"));
+var import_chalk17 = __toESM(require("chalk"));
+var import_fs25 = __toESM(require("fs"));
+var import_path27 = __toESM(require("path"));
+var import_os22 = __toESM(require("os"));
 var import_prompts3 = require("@inquirer/prompts");
 
 // src/utils/duration.ts
@@ -6637,9 +7577,9 @@ async function autoStartDaemonAndWait() {
 
 // src/cli/commands/check.ts
 var import_chalk5 = __toESM(require("chalk"));
-var import_fs16 = __toESM(require("fs"));
-var import_path18 = __toESM(require("path"));
-var import_os14 = __toESM(require("os"));
+var import_fs18 = __toESM(require("fs"));
+var import_path20 = __toESM(require("path"));
+var import_os15 = __toESM(require("os"));
 init_orchestrator();
 init_daemon();
 init_config();
@@ -6647,26 +7587,26 @@ init_policy();
 
 // src/undo.ts
 var import_child_process8 = require("child_process");
-var import_crypto5 = __toESM(require("crypto"));
-var import_fs15 = __toESM(require("fs"));
-var import_path17 = __toESM(require("path"));
-var import_os13 = __toESM(require("os"));
-var SNAPSHOT_STACK_PATH = import_path17.default.join(import_os13.default.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = import_path17.default.join(import_os13.default.homedir(), ".node9", "undo_latest.txt");
+var import_crypto7 = __toESM(require("crypto"));
+var import_fs17 = __toESM(require("fs"));
+var import_path19 = __toESM(require("path"));
+var import_os14 = __toESM(require("os"));
+var SNAPSHOT_STACK_PATH = import_path19.default.join(import_os14.default.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = import_path19.default.join(import_os14.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (import_fs15.default.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(import_fs15.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (import_fs17.default.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(import_fs17.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = import_path17.default.dirname(SNAPSHOT_STACK_PATH);
-  if (!import_fs15.default.existsSync(dir)) import_fs15.default.mkdirSync(dir, { recursive: true });
-  import_fs15.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = import_path19.default.dirname(SNAPSHOT_STACK_PATH);
+  if (!import_fs17.default.existsSync(dir)) import_fs17.default.mkdirSync(dir, { recursive: true });
+  import_fs17.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -6682,7 +7622,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = import_fs15.default.realpathSync(cwd);
+    normalized = import_fs17.default.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -6691,17 +7631,17 @@ function normalizeCwdForHash(cwd) {
   return normalized;
 }
 function getShadowRepoDir(cwd) {
-  const hash = import_crypto5.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return import_path17.default.join(import_os13.default.homedir(), ".node9", "snapshots", hash);
+  const hash = import_crypto7.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
+  return import_path19.default.join(import_os14.default.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of import_fs15.default.readdirSync(shadowDir)) {
+    for (const f of import_fs17.default.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = import_path17.default.join(shadowDir, f);
+        const fp = import_path19.default.join(shadowDir, f);
         try {
-          if (import_fs15.default.statSync(fp).mtimeMs < cutoff) import_fs15.default.unlinkSync(fp);
+          if (import_fs17.default.statSync(fp).mtimeMs < cutoff) import_fs17.default.unlinkSync(fp);
         } catch {
         }
       }
@@ -6713,7 +7653,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    import_fs15.default.writeFileSync(import_path17.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    import_fs17.default.writeFileSync(import_path19.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -6726,25 +7666,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = import_path17.default.join(shadowDir, "project-path.txt");
+    const ptPath = import_path19.default.join(shadowDir, "project-path.txt");
     try {
-      const stored = import_fs15.default.readFileSync(ptPath, "utf8").trim();
+      const stored = import_fs17.default.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      import_fs15.default.rmSync(shadowDir, { recursive: true, force: true });
+      import_fs17.default.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        import_fs15.default.writeFileSync(ptPath, normalizedCwd, "utf8");
+        import_fs17.default.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    import_fs15.default.mkdirSync(shadowDir, { recursive: true });
+    import_fs17.default.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = (0, import_child_process8.spawnSync)("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -6753,7 +7693,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = import_path17.default.join(shadowDir, "config");
+  const configFile = import_path19.default.join(shadowDir, "config");
   (0, import_child_process8.spawnSync)("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -6761,7 +7701,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    import_fs15.default.writeFileSync(import_path17.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    import_fs17.default.writeFileSync(import_path19.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -6784,7 +7724,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = import_path17.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = import_path19.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -6813,7 +7753,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    import_fs15.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    import_fs17.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       (0, import_child_process8.spawn)("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -6824,7 +7764,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        import_fs15.default.unlinkSync(indexFile);
+        import_fs17.default.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -6893,9 +7833,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = import_path17.default.join(dir, file);
-      if (!snapshotFiles.has(file) && import_fs15.default.existsSync(fullPath)) {
-        import_fs15.default.unlinkSync(fullPath);
+      const fullPath = import_path19.default.join(dir, file);
+      if (!snapshotFiles.has(file) && import_fs17.default.existsSync(fullPath)) {
+        import_fs17.default.unlinkSync(fullPath);
       }
     }
     return true;
@@ -6919,9 +7859,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = import_path18.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
+            const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            import_fs16.default.appendFileSync(
+            import_fs18.default.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -6932,10 +7872,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = import_path18.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
-          if (!import_fs16.default.existsSync(import_path18.default.dirname(logPath)))
-            import_fs16.default.mkdirSync(import_path18.default.dirname(logPath), { recursive: true });
-          import_fs16.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+          if (!import_fs18.default.existsSync(import_path20.default.dirname(logPath)))
+            import_fs18.default.mkdirSync(import_path20.default.dirname(logPath), { recursive: true });
+          import_fs18.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -6948,8 +7888,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = import_fs16.default.openSync("/dev/tty", "w");
-            const writeTty = (line) => import_fs16.default.writeSync(ttyFd, line + "\n");
+            ttyFd = import_fs18.default.openSync("/dev/tty", "w");
+            const writeTty = (line) => import_fs18.default.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(import_chalk5.default.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -6965,7 +7905,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                import_fs16.default.closeSync(ttyFd);
+                import_fs18.default.closeSync(ttyFd);
               } catch {
               }
           }
@@ -6996,7 +7936,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && import_path18.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && import_path20.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -7008,12 +7948,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = import_fs16.default.openSync("/dev/tty", "w");
-            import_fs16.default.writeSync(
+            const tty = import_fs18.default.openSync("/dev/tty", "w");
+            import_fs18.default.writeSync(
               tty,
               import_chalk5.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            import_fs16.default.closeSync(tty);
+            import_fs18.default.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -7040,9 +7980,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = import_path18.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
+          const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          import_fs16.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          import_fs18.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -7076,12 +8016,52 @@ RAW: ${raw}
 }
 
 // src/cli/commands/log.ts
-var import_fs17 = __toESM(require("fs"));
-var import_path19 = __toESM(require("path"));
-var import_os15 = __toESM(require("os"));
+var import_fs19 = __toESM(require("fs"));
+var import_path21 = __toESM(require("path"));
+var import_os16 = __toESM(require("os"));
 init_audit();
 init_config();
 init_policy();
+init_daemon();
+
+// src/utils/cp-mv-parser.ts
+function parseCpMvOp(command) {
+  const trimmed = command.trim();
+  const tokens = trimmed.split(/\s+/);
+  if (tokens.length < 3) return null;
+  const [cmd, ...rest] = tokens;
+  const base = cmd.split("/").pop() ?? cmd;
+  if (base !== "cp" && base !== "mv") return null;
+  const args = [];
+  for (const tok of rest) {
+    if (tok === "--") {
+      args.push(...rest.slice(rest.indexOf("--") + 1));
+      break;
+    }
+    if (tok === "-t" || tok === "--target-directory") return null;
+    if (tok.startsWith("--target-directory=")) return null;
+    if (tok.startsWith("-") && !tok.startsWith("--")) {
+      if (tok.includes("t")) return null;
+      continue;
+    }
+    if (tok.startsWith("--")) {
+      continue;
+    }
+    args.push(tok);
+  }
+  if (args.length !== 2) return null;
+  const [src, dest] = args;
+  if (!src || !dest) return null;
+  if (containsShellMetachar(src) || containsShellMetachar(dest)) return null;
+  return { src, dest, clearSource: base === "mv" };
+}
+function containsShellMetachar(token) {
+  if (/[$`{;*?]/.test(token)) return true;
+  if (token.includes("\0")) return true;
+  return false;
+}
+
+// src/cli/commands/log.ts
 function sanitize3(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7100,11 +8080,20 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = import_path19.default.join(import_os15.default.homedir(), ".node9", "audit.log");
-        if (!import_fs17.default.existsSync(import_path19.default.dirname(logPath)))
-          import_fs17.default.mkdirSync(import_path19.default.dirname(logPath), { recursive: true });
-        import_fs17.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && import_path19.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = import_path21.default.join(import_os16.default.homedir(), ".node9", "audit.log");
+        if (!import_fs19.default.existsSync(import_path21.default.dirname(logPath)))
+          import_fs19.default.mkdirSync(import_path21.default.dirname(logPath), { recursive: true });
+        import_fs19.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        if ((tool === "Bash" || tool === "bash") && isDaemonRunning()) {
+          const command = typeof rawInput === "object" && rawInput !== null && "command" in rawInput && typeof rawInput.command === "string" ? rawInput.command : null;
+          if (command) {
+            const op = parseCpMvOp(command);
+            if (op) {
+              await notifyTaintPropagate(op.src, op.dest, op.clearSource);
+            }
+          }
+        }
+        const safeCwd = typeof payload.cwd === "string" && import_path21.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -7113,9 +8102,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = import_path19.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+        const debugPath = import_path21.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
         try {
-          import_fs17.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          import_fs19.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -7419,14 +8408,14 @@ function registerConfigShowCommand(program2) {
 
 // src/cli/commands/doctor.ts
 var import_chalk7 = __toESM(require("chalk"));
-var import_fs18 = __toESM(require("fs"));
-var import_path20 = __toESM(require("path"));
-var import_os16 = __toESM(require("os"));
+var import_fs20 = __toESM(require("fs"));
+var import_path22 = __toESM(require("path"));
+var import_os17 = __toESM(require("os"));
 var import_child_process9 = require("child_process");
 init_daemon();
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = import_os16.default.homedir();
+    const homeDir2 = import_os17.default.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(import_chalk7.default.green("  \u2705 ") + msg);
@@ -7475,10 +8464,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = import_path20.default.join(homeDir2, ".node9", "config.json");
-    if (import_fs18.default.existsSync(globalConfigPath)) {
+    const globalConfigPath = import_path22.default.join(homeDir2, ".node9", "config.json");
+    if (import_fs20.default.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(import_fs18.default.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(import_fs20.default.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -7486,10 +8475,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = import_path20.default.join(process.cwd(), "node9.config.json");
-    if (import_fs18.default.existsSync(projectConfigPath)) {
+    const projectConfigPath = import_path22.default.join(process.cwd(), "node9.config.json");
+    if (import_fs20.default.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(import_fs18.default.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(import_fs20.default.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -7498,8 +8487,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = import_path20.default.join(homeDir2, ".node9", "credentials.json");
-    if (import_fs18.default.existsSync(credsPath)) {
+    const credsPath = import_path22.default.join(homeDir2, ".node9", "credentials.json");
+    if (import_fs20.default.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -7508,10 +8497,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = import_path20.default.join(homeDir2, ".claude", "settings.json");
-    if (import_fs18.default.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = import_path22.default.join(homeDir2, ".claude", "settings.json");
+    if (import_fs20.default.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(import_fs18.default.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(import_fs20.default.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -7527,10 +8516,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = import_path20.default.join(homeDir2, ".gemini", "settings.json");
-    if (import_fs18.default.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = import_path22.default.join(homeDir2, ".gemini", "settings.json");
+    if (import_fs20.default.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(import_fs18.default.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(import_fs20.default.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -7546,10 +8535,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = import_path20.default.join(homeDir2, ".cursor", "hooks.json");
-    if (import_fs18.default.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = import_path22.default.join(homeDir2, ".cursor", "hooks.json");
+    if (import_fs20.default.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(import_fs18.default.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(import_fs20.default.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -7587,9 +8576,9 @@ function registerDoctorCommand(program2, version2) {
 
 // src/cli/commands/audit.ts
 var import_chalk8 = __toESM(require("chalk"));
-var import_fs19 = __toESM(require("fs"));
-var import_path21 = __toESM(require("path"));
-var import_os17 = __toESM(require("os"));
+var import_fs21 = __toESM(require("fs"));
+var import_path23 = __toESM(require("path"));
+var import_os18 = __toESM(require("os"));
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -7602,14 +8591,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = import_path21.default.join(import_os17.default.homedir(), ".node9", "audit.log");
-    if (!import_fs19.default.existsSync(logPath)) {
+    const logPath = import_path23.default.join(import_os18.default.homedir(), ".node9", "audit.log");
+    if (!import_fs21.default.existsSync(logPath)) {
       console.log(
         import_chalk8.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = import_fs19.default.readFileSync(logPath, "utf-8");
+    const raw = import_fs21.default.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -7727,11 +8716,44 @@ function registerDaemonCommand(program2) {
 
 // src/cli/commands/status.ts
 var import_chalk10 = __toESM(require("chalk"));
-var import_fs20 = __toESM(require("fs"));
-var import_path22 = __toESM(require("path"));
-var import_os18 = __toESM(require("os"));
+var import_fs22 = __toESM(require("fs"));
+var import_path24 = __toESM(require("path"));
+var import_os19 = __toESM(require("os"));
 init_core();
 init_daemon();
+function readJson2(filePath) {
+  try {
+    if (import_fs22.default.existsSync(filePath)) return JSON.parse(import_fs22.default.readFileSync(filePath, "utf-8"));
+  } catch {
+  }
+  return null;
+}
+function isNode9Hook2(cmd) {
+  if (!cmd) return false;
+  return /(?:^|[\s/\\])node9 (?:check|log)/.test(cmd) || /(?:^|[\s/\\])cli\.js (?:check|log)/.test(cmd);
+}
+function wrappedMcpServers(servers) {
+  if (!servers) return [];
+  return Object.entries(servers).filter(([, s]) => s.command === "node9" && Array.isArray(s.args) && s.args.length > 0).map(([name, s]) => `${name} \u2192 ${s.args.join(" ")}`);
+}
+function printAgentSection(label, hookPairs, wrapped) {
+  console.log(import_chalk10.default.bold(`  ${label}`));
+  for (const { name, present } of hookPairs) {
+    if (present) {
+      console.log(import_chalk10.default.green(`    \u2713 ${name}`));
+    } else {
+      console.log(import_chalk10.default.red(`    \u2717 ${name}`) + import_chalk10.default.gray(" (not wired)"));
+    }
+  }
+  if (wrapped.length > 0) {
+    console.log(import_chalk10.default.cyan(`    MCP proxied:`));
+    for (const entry of wrapped) {
+      console.log(import_chalk10.default.gray(`      \u2022 ${entry}`));
+    }
+  } else {
+    console.log(import_chalk10.default.gray(`    MCP proxied: none`));
+  }
+}
 function registerStatusCommand(program2) {
   program2.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
     const creds = getCredentials();
@@ -7766,19 +8788,72 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? import_chalk10.default.blue("audit") : settings.mode === "strict" ? import_chalk10.default.red("strict") : import_chalk10.default.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = import_path22.default.join(process.cwd(), "node9.config.json");
-    const globalConfig = import_path22.default.join(import_os18.default.homedir(), ".node9", "config.json");
+    const projectConfig = import_path24.default.join(process.cwd(), "node9.config.json");
+    const globalConfig = import_path24.default.join(import_os19.default.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${import_fs20.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Local:   ${import_fs22.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${import_fs20.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Global:  ${import_fs22.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
         `  Sandbox: ${import_chalk10.default.green(`${mergedConfig.policy.sandboxPaths.length} safe zones active`)}`
       );
     }
+    const homeDir2 = import_os19.default.homedir();
+    const claudeSettings = readJson2(
+      import_path24.default.join(homeDir2, ".claude", "settings.json")
+    );
+    const claudeConfig = readJson2(import_path24.default.join(homeDir2, ".claude.json"));
+    const geminiSettings = readJson2(
+      import_path24.default.join(homeDir2, ".gemini", "settings.json")
+    );
+    const cursorConfig = readJson2(import_path24.default.join(homeDir2, ".cursor", "mcp.json"));
+    const agentFound = claudeSettings || claudeConfig || geminiSettings || cursorConfig;
+    if (agentFound) {
+      console.log("");
+      console.log(import_chalk10.default.bold("  Agent Wiring:"));
+      console.log("");
+      if (claudeSettings || claudeConfig) {
+        const preHook = claudeSettings?.hooks?.PreToolUse?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        const postHook = claudeSettings?.hooks?.PostToolUse?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        printAgentSection(
+          "Claude Code",
+          [
+            { name: "PreToolUse  (node9 check)", present: preHook },
+            { name: "PostToolUse (node9 log)", present: postHook }
+          ],
+          wrappedMcpServers(claudeConfig?.mcpServers)
+        );
+        console.log("");
+      }
+      if (geminiSettings) {
+        const beforeHook = geminiSettings.hooks?.BeforeTool?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        const afterHook = geminiSettings.hooks?.AfterTool?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        printAgentSection(
+          "Gemini CLI",
+          [
+            { name: "BeforeTool  (node9 check)", present: beforeHook },
+            { name: "AfterTool   (node9 log)", present: afterHook }
+          ],
+          wrappedMcpServers(geminiSettings.mcpServers)
+        );
+        console.log("");
+      }
+      if (cursorConfig) {
+        printAgentSection("Cursor", [], wrappedMcpServers(cursorConfig.mcpServers));
+        console.log("");
+      }
+    }
     const pauseState = checkPause();
     if (pauseState.paused) {
       const expiresAt = pauseState.expiresAt ? new Date(pauseState.expiresAt).toLocaleTimeString() : "indefinitely";
@@ -7791,8 +8866,63 @@ function registerStatusCommand(program2) {
   });
 }
 
-// src/cli/commands/undo.ts
+// src/cli/commands/init.ts
 var import_chalk11 = __toESM(require("chalk"));
+var import_fs23 = __toESM(require("fs"));
+var import_path25 = __toESM(require("path"));
+var import_os20 = __toESM(require("os"));
+init_core();
+function registerInitCommand(program2) {
+  program2.command("init").description("Set up Node9: create config and wire all detected AI agents").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").option("--skip-setup", "Only create config \u2014 do not wire AI agents").action(async (options) => {
+    console.log(import_chalk11.default.cyan.bold("\n\u{1F6E1}\uFE0F  Node9 Init\n"));
+    const configPath = import_path25.default.join(import_os20.default.homedir(), ".node9", "config.json");
+    if (import_fs23.default.existsSync(configPath) && !options.force) {
+      console.log(import_chalk11.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
+    } else {
+      const requestedMode = options.mode.toLowerCase();
+      const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
+      const configToSave = {
+        ...DEFAULT_CONFIG,
+        settings: { ...DEFAULT_CONFIG.settings, mode: safeMode }
+      };
+      const dir = import_path25.default.dirname(configPath);
+      if (!import_fs23.default.existsSync(dir)) import_fs23.default.mkdirSync(dir, { recursive: true });
+      import_fs23.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+      console.log(import_chalk11.default.green(`\u2705 Config created: ${configPath}`));
+      console.log(import_chalk11.default.gray(`   Mode: ${safeMode}`));
+    }
+    if (options.skipSetup) return;
+    console.log("");
+    const detected = detectAgents();
+    const found = Object.keys(detected).filter(
+      (k) => detected[k]
+    );
+    if (found.length === 0) {
+      console.log(
+        import_chalk11.default.gray("No AI agents detected. Install Claude Code, Gemini CLI, or Cursor")
+      );
+      console.log(import_chalk11.default.gray("then run: node9 addto <claude|gemini|cursor>"));
+      return;
+    }
+    console.log(import_chalk11.default.bold("Detected agents:"));
+    for (const agent of found) {
+      console.log(import_chalk11.default.green(`  \u2713 ${agent}`));
+    }
+    console.log("");
+    for (const agent of found) {
+      console.log(import_chalk11.default.bold(`Wiring ${agent}...`));
+      if (agent === "claude") await setupClaude();
+      else if (agent === "gemini") await setupGemini();
+      else if (agent === "cursor") await setupCursor();
+      console.log("");
+    }
+    console.log(import_chalk11.default.green.bold("\u{1F6E1}\uFE0F  Node9 is ready!"));
+    console.log(import_chalk11.default.gray("   Run: node9 daemon start"));
+  });
+}
+
+// src/cli/commands/undo.ts
+var import_chalk12 = __toESM(require("chalk"));
 var import_prompts2 = require("@inquirer/prompts");
 function registerUndoCommand(program2) {
   program2.command("undo").description(
@@ -7804,22 +8934,22 @@ function registerUndoCommand(program2) {
     if (history.length === 0) {
       if (!options.all && allHistory.length > 0) {
         console.log(
-          import_chalk11.default.yellow(
+          import_chalk12.default.yellow(
             `
 \u2139\uFE0F  No snapshots found for the current directory (${process.cwd()}).
-    Run ${import_chalk11.default.cyan("node9 undo --all")} to see snapshots from all projects.
+    Run ${import_chalk12.default.cyan("node9 undo --all")} to see snapshots from all projects.
 `
           )
         );
       } else {
-        console.log(import_chalk11.default.yellow("\n\u2139\uFE0F  No undo snapshots found.\n"));
+        console.log(import_chalk12.default.yellow("\n\u2139\uFE0F  No undo snapshots found.\n"));
       }
       return;
     }
     const idx = history.length - steps;
     if (idx < 0) {
       console.log(
-        import_chalk11.default.yellow(
+        import_chalk12.default.yellow(
           `
 \u2139\uFE0F  Only ${history.length} snapshot(s) available, cannot go back ${steps}.
 `
@@ -7831,19 +8961,19 @@ function registerUndoCommand(program2) {
     const age = Math.round((Date.now() - snapshot.timestamp) / 1e3);
     const ageStr = age < 60 ? `${age}s ago` : age < 3600 ? `${Math.round(age / 60)}m ago` : `${Math.round(age / 3600)}h ago`;
     console.log(
-      import_chalk11.default.magenta.bold(`
+      import_chalk12.default.magenta.bold(`
 \u23EA  Node9 Undo${steps > 1 ? ` (${steps} steps back)` : ""}`)
     );
     console.log(
-      import_chalk11.default.white(
-        `    Tool:  ${import_chalk11.default.cyan(snapshot.tool)}${snapshot.argsSummary ? import_chalk11.default.gray(" \u2192 " + snapshot.argsSummary) : ""}`
+      import_chalk12.default.white(
+        `    Tool:  ${import_chalk12.default.cyan(snapshot.tool)}${snapshot.argsSummary ? import_chalk12.default.gray(" \u2192 " + snapshot.argsSummary) : ""}`
       )
     );
-    console.log(import_chalk11.default.white(`    When:  ${import_chalk11.default.gray(ageStr)}`));
-    console.log(import_chalk11.default.white(`    Dir:   ${import_chalk11.default.gray(snapshot.cwd)}`));
+    console.log(import_chalk12.default.white(`    When:  ${import_chalk12.default.gray(ageStr)}`));
+    console.log(import_chalk12.default.white(`    Dir:   ${import_chalk12.default.gray(snapshot.cwd)}`));
     if (steps > 1)
       console.log(
-        import_chalk11.default.yellow(`    Note:  This will also undo the ${steps - 1} action(s) after it.`)
+        import_chalk12.default.yellow(`    Note:  This will also undo the ${steps - 1} action(s) after it.`)
       );
     console.log("");
     const diff = computeUndoDiff(snapshot.hash, snapshot.cwd);
@@ -7851,21 +8981,21 @@ function registerUndoCommand(program2) {
       const lines = diff.split("\n");
       for (const line of lines) {
         if (line.startsWith("+++") || line.startsWith("---")) {
-          console.log(import_chalk11.default.bold(line));
+          console.log(import_chalk12.default.bold(line));
         } else if (line.startsWith("+")) {
-          console.log(import_chalk11.default.green(line));
+          console.log(import_chalk12.default.green(line));
         } else if (line.startsWith("-")) {
-          console.log(import_chalk11.default.red(line));
+          console.log(import_chalk12.default.red(line));
         } else if (line.startsWith("@@")) {
-          console.log(import_chalk11.default.cyan(line));
+          console.log(import_chalk12.default.cyan(line));
         } else {
-          console.log(import_chalk11.default.gray(line));
+          console.log(import_chalk12.default.gray(line));
         }
       }
       console.log("");
     } else {
       console.log(
-        import_chalk11.default.gray("    (no diff available \u2014 working tree may already match snapshot)\n")
+        import_chalk12.default.gray("    (no diff available \u2014 working tree may already match snapshot)\n")
       );
     }
     const proceed = await (0, import_prompts2.confirm)({
@@ -7874,18 +9004,18 @@ function registerUndoCommand(program2) {
     });
     if (proceed) {
       if (applyUndo(snapshot.hash, snapshot.cwd)) {
-        console.log(import_chalk11.default.green("\n\u2705 Reverted successfully.\n"));
+        console.log(import_chalk12.default.green("\n\u2705 Reverted successfully.\n"));
       } else {
-        console.error(import_chalk11.default.red("\n\u274C Undo failed. Ensure you are in a Git repository.\n"));
+        console.error(import_chalk12.default.red("\n\u274C Undo failed. Ensure you are in a Git repository.\n"));
       }
     } else {
-      console.log(import_chalk11.default.gray("\nCancelled.\n"));
+      console.log(import_chalk12.default.gray("\nCancelled.\n"));
     }
   });
 }
 
 // src/cli/commands/watch.ts
-var import_chalk12 = __toESM(require("chalk"));
+var import_chalk13 = __toESM(require("chalk"));
 var import_child_process11 = require("child_process");
 init_daemon();
 function registerWatchCommand(program2) {
@@ -7902,7 +9032,7 @@ function registerWatchCommand(program2) {
         throw new Error("not running");
       }
     } catch {
-      console.error(import_chalk12.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
+      console.error(import_chalk13.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
       const child = (0, import_child_process11.spawn)(process.execPath, [process.argv[1], "daemon"], {
         detached: true,
         stdio: "ignore",
@@ -7924,12 +9054,12 @@ function registerWatchCommand(program2) {
         }
       }
       if (!ready) {
-        console.error(import_chalk12.default.red("\u274C Daemon failed to start. Try: node9 daemon start"));
+        console.error(import_chalk13.default.red("\u274C Daemon failed to start. Try: node9 daemon start"));
         process.exit(1);
       }
     }
     console.error(
-      import_chalk12.default.cyan.bold("\u{1F6E1}\uFE0F  Node9 watch") + import_chalk12.default.dim(` \u2192 localhost:${port}`) + import_chalk12.default.dim(
+      import_chalk13.default.cyan.bold("\u{1F6E1}\uFE0F  Node9 watch") + import_chalk13.default.dim(` \u2192 localhost:${port}`) + import_chalk13.default.dim(
         "\n   Tip: run `node9 tail` in another terminal to review and approve AI actions.\n"
       )
     );
@@ -7938,7 +9068,7 @@ function registerWatchCommand(program2) {
       env: { ...process.env, NODE9_WATCH_MODE: "1" }
     });
     if (result.error) {
-      console.error(import_chalk12.default.red(`\u274C Failed to run command: ${result.error.message}`));
+      console.error(import_chalk13.default.red(`\u274C Failed to run command: ${result.error.message}`));
       process.exit(1);
     }
     process.exit(result.status ?? 0);
@@ -7947,7 +9077,7 @@ function registerWatchCommand(program2) {
 
 // src/mcp-gateway/index.ts
 var import_readline2 = __toESM(require("readline"));
-var import_chalk13 = __toESM(require("chalk"));
+var import_chalk14 = __toESM(require("chalk"));
 var import_child_process12 = require("child_process");
 var import_execa3 = require("execa");
 init_orchestrator();
@@ -8011,13 +9141,13 @@ async function runMcpGateway(upstreamCommand) {
   const prov = checkProvenance(executable);
   if (prov.trustLevel === "suspect") {
     console.error(
-      import_chalk13.default.red(
+      import_chalk14.default.red(
         `\u26A0\uFE0F  Node9: Upstream MCP server binary is suspect \u2014 ${prov.reason} (${prov.resolvedPath})`
       )
     );
-    console.error(import_chalk13.default.red("   Verify this binary is trusted before proceeding."));
+    console.error(import_chalk14.default.red("   Verify this binary is trusted before proceeding."));
   }
-  console.error(import_chalk13.default.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
+  console.error(import_chalk14.default.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
   const UPSTREAM_INJECTOR_VARS = /* @__PURE__ */ new Set([
     "NODE_OPTIONS",
     "NODE_PATH",
@@ -8081,10 +9211,10 @@ async function runMcpGateway(upstreamCommand) {
           mcpServer
         });
         if (!result.approved) {
-          console.error(import_chalk13.default.red(`
+          console.error(import_chalk14.default.red(`
 \u{1F6D1} Node9 MCP Gateway: Action Blocked`));
-          console.error(import_chalk13.default.gray(`   Tool: ${toolName}`));
-          console.error(import_chalk13.default.gray(`   Reason: ${result.reason ?? "Security Policy"}
+          console.error(import_chalk14.default.gray(`   Tool: ${toolName}`));
+          console.error(import_chalk14.default.gray(`   Reason: ${result.reason ?? "Security Policy"}
 `));
           const blockedByLabel = result.blockedByLabel ?? result.reason ?? "Security Policy";
           const isHumanDecision = blockedByLabel.toLowerCase().includes("user") || blockedByLabel.toLowerCase().includes("daemon") || blockedByLabel.toLowerCase().includes("decision");
@@ -8157,7 +9287,7 @@ function registerMcpGatewayCommand(program2) {
 }
 
 // src/cli/commands/trust.ts
-var import_chalk14 = __toESM(require("chalk"));
+var import_chalk15 = __toESM(require("chalk"));
 init_trusted_hosts();
 function isValidHost(host) {
   return /^(\*\.)?[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(host);
@@ -8168,44 +9298,44 @@ function registerTrustCommand(program2) {
     const normalized = normalizeHost(host.trim());
     if (!isValidHost(normalized)) {
       console.error(
-        import_chalk14.default.red(`
+        import_chalk15.default.red(`
 \u274C Invalid host: "${host}"
-`) + import_chalk14.default.gray("   Use an FQDN like api.mycompany.com or *.mycompany.com\n")
+`) + import_chalk15.default.gray("   Use an FQDN like api.mycompany.com or *.mycompany.com\n")
       );
       process.exit(1);
     }
     addTrustedHost(normalized);
-    console.log(import_chalk14.default.green(`
+    console.log(import_chalk15.default.green(`
 \u2705 ${normalized} added to trusted hosts.`));
     console.log(
-      import_chalk14.default.gray("   Pipe-chain blocks to this host: critical \u2192 review, high \u2192 allow\n")
+      import_chalk15.default.gray("   Pipe-chain blocks to this host: critical \u2192 review, high \u2192 allow\n")
     );
   });
   trustCmd.command("remove <host>").description("Remove a trusted host").action((host) => {
     const normalized = normalizeHost(host.trim());
     const removed = removeTrustedHost(normalized);
     if (!removed) {
-      console.error(import_chalk14.default.yellow(`
+      console.error(import_chalk15.default.yellow(`
 \u26A0\uFE0F  "${normalized}" is not in the trusted hosts list.
 `));
       process.exit(1);
     }
-    console.log(import_chalk14.default.green(`
+    console.log(import_chalk15.default.green(`
 \u2705 ${normalized} removed from trusted hosts.
 `));
   });
   trustCmd.command("list").description("Show all trusted hosts").action(() => {
     const hosts = readTrustedHosts();
     if (hosts.length === 0) {
-      console.log(import_chalk14.default.gray("\n  No trusted hosts configured.\n"));
-      console.log(`  Add one: ${import_chalk14.default.cyan("node9 trust add api.mycompany.com")}
+      console.log(import_chalk15.default.gray("\n  No trusted hosts configured.\n"));
+      console.log(`  Add one: ${import_chalk15.default.cyan("node9 trust add api.mycompany.com")}
 `);
       return;
     }
-    console.log(import_chalk14.default.bold("\n\u{1F513} Trusted Hosts\n"));
+    console.log(import_chalk15.default.bold("\n\u{1F513} Trusted Hosts\n"));
     for (const entry of hosts) {
       const date = new Date(entry.addedAt).toLocaleDateString();
-      console.log(`  ${import_chalk14.default.cyan(entry.host.padEnd(40))} ${import_chalk14.default.gray(`added ${date}`)}`);
+      console.log(`  ${import_chalk15.default.cyan(entry.host.padEnd(40))} ${import_chalk15.default.gray(`added ${date}`)}`);
     }
     console.log("");
   });
@@ -8213,20 +9343,20 @@ function registerTrustCommand(program2) {
 
 // src/cli.ts
 var { version } = JSON.parse(
-  import_fs22.default.readFileSync(import_path24.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs25.default.readFileSync(import_path27.default.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new import_commander.Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path24.default.join(import_os20.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs22.default.existsSync(import_path24.default.dirname(credPath)))
-    import_fs22.default.mkdirSync(import_path24.default.dirname(credPath), { recursive: true });
+  const credPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs25.default.existsSync(import_path27.default.dirname(credPath)))
+    import_fs25.default.mkdirSync(import_path27.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (import_fs22.default.existsSync(credPath)) {
-      const raw = JSON.parse(import_fs22.default.readFileSync(credPath, "utf-8"));
+    if (import_fs25.default.existsSync(credPath)) {
+      const raw = JSON.parse(import_fs25.default.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -8238,13 +9368,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  import_fs22.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  import_fs25.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path24.default.join(import_os20.default.homedir(), ".node9", "config.json");
+    const configPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (import_fs22.default.existsSync(configPath))
-        config = JSON.parse(import_fs22.default.readFileSync(configPath, "utf-8"));
+      if (import_fs25.default.existsSync(configPath))
+        config = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -8259,36 +9389,36 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!import_fs22.default.existsSync(import_path24.default.dirname(configPath)))
-      import_fs22.default.mkdirSync(import_path24.default.dirname(configPath), { recursive: true });
-    import_fs22.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!import_fs25.default.existsSync(import_path27.default.dirname(configPath)))
+      import_fs25.default.mkdirSync(import_path27.default.dirname(configPath), { recursive: true });
+    import_fs25.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
-    console.log(import_chalk16.default.green(`\u2705 Profile "${profileName}" saved`));
-    console.log(import_chalk16.default.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
+    console.log(import_chalk17.default.green(`\u2705 Profile "${profileName}" saved`));
+    console.log(import_chalk17.default.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
   } else if (options.local) {
-    console.log(import_chalk16.default.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
-    console.log(import_chalk16.default.gray(`   All decisions stay on this machine.`));
+    console.log(import_chalk17.default.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
+    console.log(import_chalk17.default.gray(`   All decisions stay on this machine.`));
   } else {
-    console.log(import_chalk16.default.green(`\u2705 Logged in \u2014 agent mode`));
-    console.log(import_chalk16.default.gray(`   Team policy enforced for all calls via Node9 cloud.`));
+    console.log(import_chalk17.default.green(`\u2705 Logged in \u2014 agent mode`));
+    console.log(import_chalk17.default.gray(`   Team policy enforced for all calls via Node9 cloud.`));
   }
 });
 program.command("addto").description("Integrate Node9 with an AI agent").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (target === "gemini") return await setupGemini();
   if (target === "claude") return await setupClaude();
   if (target === "cursor") return await setupCursor();
-  console.error(import_chalk16.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(import_chalk17.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("setup").description('Alias for "addto" \u2014 integrate Node9 with an AI agent').addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("[target]", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (!target) {
-    console.log(import_chalk16.default.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
-    console.log("  Usage:  " + import_chalk16.default.white("node9 setup <target>") + "\n");
+    console.log(import_chalk17.default.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
+    console.log("  Usage:  " + import_chalk17.default.white("node9 setup <target>") + "\n");
     console.log("  Targets:");
-    console.log("    " + import_chalk16.default.green("claude") + "   \u2014 Claude Code (hook mode)");
-    console.log("    " + import_chalk16.default.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
-    console.log("    " + import_chalk16.default.green("cursor") + "   \u2014 Cursor (hook mode)");
+    console.log("    " + import_chalk17.default.green("claude") + "   \u2014 Claude Code (hook mode)");
+    console.log("    " + import_chalk17.default.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
+    console.log("    " + import_chalk17.default.green("cursor") + "   \u2014 Cursor (hook mode)");
     console.log("");
     return;
   }
@@ -8296,7 +9426,7 @@ program.command("setup").description('Alias for "addto" \u2014 integrate Node9 w
   if (t === "gemini") return await setupGemini();
   if (t === "claude") return await setupClaude();
   if (t === "cursor") return await setupCursor();
-  console.error(import_chalk16.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(import_chalk17.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("removefrom").description("Remove Node9 hooks from an AI agent configuration").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to remove from: claude | gemini | cursor").action((target) => {
@@ -8305,30 +9435,30 @@ program.command("removefrom").description("Remove Node9 hooks from an AI agent c
   else if (target === "gemini") fn = teardownGemini;
   else if (target === "cursor") fn = teardownCursor;
   else {
-    console.error(import_chalk16.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+    console.error(import_chalk17.default.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
     process.exit(1);
   }
-  console.log(import_chalk16.default.cyan(`
+  console.log(import_chalk17.default.cyan(`
 \u{1F6E1}\uFE0F  Node9: removing hooks from ${target}...
 `));
   try {
     fn();
   } catch (err) {
-    console.error(import_chalk16.default.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
+    console.error(import_chalk17.default.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
-  console.log(import_chalk16.default.gray("\n  Restart the agent for changes to take effect."));
+  console.log(import_chalk17.default.gray("\n  Restart the agent for changes to take effect."));
 });
 program.command("uninstall").description("Remove all Node9 hooks and optionally delete config files").option("--purge", "Also delete ~/.node9/ directory (config, audit log, credentials)").action(async (options) => {
-  console.log(import_chalk16.default.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
-  console.log(import_chalk16.default.bold("Stopping daemon..."));
+  console.log(import_chalk17.default.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
+  console.log(import_chalk17.default.bold("Stopping daemon..."));
   try {
     stopDaemon();
-    console.log(import_chalk16.default.green("  \u2705 Daemon stopped"));
+    console.log(import_chalk17.default.green("  \u2705 Daemon stopped"));
   } catch {
-    console.log(import_chalk16.default.blue("  \u2139\uFE0F  Daemon was not running"));
+    console.log(import_chalk17.default.blue("  \u2139\uFE0F  Daemon was not running"));
   }
-  console.log(import_chalk16.default.bold("\nRemoving hooks..."));
+  console.log(import_chalk17.default.bold("\nRemoving hooks..."));
   let teardownFailed = false;
   for (const [label, fn] of [
     ["Claude", teardownClaude],
@@ -8340,45 +9470,45 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     } catch (err) {
       teardownFailed = true;
       console.error(
-        import_chalk16.default.red(
+        import_chalk17.default.red(
           `  \u26A0\uFE0F  Failed to remove ${label} hooks: ${err instanceof Error ? err.message : String(err)}`
         )
       );
     }
   }
   if (options.purge) {
-    const node9Dir = import_path24.default.join(import_os20.default.homedir(), ".node9");
-    if (import_fs22.default.existsSync(node9Dir)) {
+    const node9Dir = import_path27.default.join(import_os22.default.homedir(), ".node9");
+    if (import_fs25.default.existsSync(node9Dir)) {
       const confirmed = await (0, import_prompts3.confirm)({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        import_fs22.default.rmSync(node9Dir, { recursive: true });
-        if (import_fs22.default.existsSync(node9Dir)) {
+        import_fs25.default.rmSync(node9Dir, { recursive: true });
+        if (import_fs25.default.existsSync(node9Dir)) {
           console.error(
-            import_chalk16.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
+            import_chalk17.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
         } else {
-          console.log(import_chalk16.default.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
+          console.log(import_chalk17.default.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
         }
       } else {
-        console.log(import_chalk16.default.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
+        console.log(import_chalk17.default.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
       }
     } else {
-      console.log(import_chalk16.default.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
+      console.log(import_chalk17.default.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
     }
   } else {
     console.log(
-      import_chalk16.default.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
+      import_chalk17.default.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
     );
   }
   if (teardownFailed) {
-    console.error(import_chalk16.default.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
+    console.error(import_chalk17.default.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
     process.exit(1);
   }
-  console.log(import_chalk16.default.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
-  console.log(import_chalk16.default.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
+  console.log(import_chalk17.default.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
+  console.log(import_chalk17.default.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
 });
 registerDoctorCommand(program, version);
 program.command("explain").description(
@@ -8391,7 +9521,7 @@ program.command("explain").description(
       try {
         args = JSON.parse(trimmed);
       } catch {
-        console.error(import_chalk16.default.red(`
+        console.error(import_chalk17.default.red(`
 \u274C Invalid JSON: ${trimmed}
 `));
         process.exit(1);
@@ -8402,83 +9532,59 @@ program.command("explain").description(
   }
   const result = await explainPolicy(tool, args);
   console.log("");
-  console.log(import_chalk16.default.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
+  console.log(import_chalk17.default.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
   console.log("");
-  console.log(`   ${import_chalk16.default.bold("Tool:")}    ${import_chalk16.default.white(result.tool)}`);
+  console.log(`   ${import_chalk17.default.bold("Tool:")}    ${import_chalk17.default.white(result.tool)}`);
   if (argsRaw) {
     const preview = argsRaw.length > 80 ? argsRaw.slice(0, 77) + "\u2026" : argsRaw;
-    console.log(`   ${import_chalk16.default.bold("Input:")}   ${import_chalk16.default.gray(preview)}`);
+    console.log(`   ${import_chalk17.default.bold("Input:")}   ${import_chalk17.default.gray(preview)}`);
   }
   console.log("");
-  console.log(import_chalk16.default.bold("Config Sources (Waterfall):"));
+  console.log(import_chalk17.default.bold("Config Sources (Waterfall):"));
   for (const tier of result.waterfall) {
-    const num = import_chalk16.default.gray(`  ${tier.tier}.`);
+    const num = import_chalk17.default.gray(`  ${tier.tier}.`);
     const label = tier.label.padEnd(16);
     let statusStr;
     if (tier.tier === 1) {
-      statusStr = import_chalk16.default.gray(tier.note ?? "");
+      statusStr = import_chalk17.default.gray(tier.note ?? "");
     } else if (tier.status === "active") {
-      const loc = tier.path ? import_chalk16.default.gray(tier.path) : "";
-      const note = tier.note ? import_chalk16.default.gray(`(${tier.note})`) : "";
-      statusStr = import_chalk16.default.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
+      const loc = tier.path ? import_chalk17.default.gray(tier.path) : "";
+      const note = tier.note ? import_chalk17.default.gray(`(${tier.note})`) : "";
+      statusStr = import_chalk17.default.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
     } else {
-      statusStr = import_chalk16.default.gray("\u25CB " + (tier.note ?? "not found"));
+      statusStr = import_chalk17.default.gray("\u25CB " + (tier.note ?? "not found"));
     }
-    console.log(`${num} ${import_chalk16.default.white(label)} ${statusStr}`);
+    console.log(`${num} ${import_chalk17.default.white(label)} ${statusStr}`);
   }
   console.log("");
-  console.log(import_chalk16.default.bold("Policy Evaluation:"));
+  console.log(import_chalk17.default.bold("Policy Evaluation:"));
   for (const step of result.steps) {
     const isFinal = step.isFinal;
     let icon;
-    if (step.outcome === "allow") icon = import_chalk16.default.green("  \u2705");
-    else if (step.outcome === "review") icon = import_chalk16.default.red("  \u{1F534}");
-    else if (step.outcome === "skip") icon = import_chalk16.default.gray("  \u2500 ");
-    else icon = import_chalk16.default.gray("  \u25CB ");
+    if (step.outcome === "allow") icon = import_chalk17.default.green("  \u2705");
+    else if (step.outcome === "review") icon = import_chalk17.default.red("  \u{1F534}");
+    else if (step.outcome === "skip") icon = import_chalk17.default.gray("  \u2500 ");
+    else icon = import_chalk17.default.gray("  \u25CB ");
     const name = step.name.padEnd(18);
-    const nameStr = isFinal ? import_chalk16.default.white.bold(name) : import_chalk16.default.white(name);
-    const detail = isFinal ? import_chalk16.default.white(step.detail) : import_chalk16.default.gray(step.detail);
-    const arrow = isFinal ? import_chalk16.default.yellow("  \u2190 STOP") : "";
+    const nameStr = isFinal ? import_chalk17.default.white.bold(name) : import_chalk17.default.white(name);
+    const detail = isFinal ? import_chalk17.default.white(step.detail) : import_chalk17.default.gray(step.detail);
+    const arrow = isFinal ? import_chalk17.default.yellow("  \u2190 STOP") : "";
     console.log(`${icon} ${nameStr} ${detail}${arrow}`);
   }
   console.log("");
   if (result.decision === "allow") {
-    console.log(import_chalk16.default.green.bold("  Decision: \u2705 ALLOW") + import_chalk16.default.gray("  \u2014 no approval needed"));
+    console.log(import_chalk17.default.green.bold("  Decision: \u2705 ALLOW") + import_chalk17.default.gray("  \u2014 no approval needed"));
   } else {
     console.log(
-      import_chalk16.default.red.bold("  Decision: \u{1F534} REVIEW") + import_chalk16.default.gray("  \u2014 human approval required")
+      import_chalk17.default.red.bold("  Decision: \u{1F534} REVIEW") + import_chalk17.default.gray("  \u2014 human approval required")
     );
     if (result.blockedByLabel) {
-      console.log(import_chalk16.default.gray(`  Reason:   ${result.blockedByLabel}`));
+      console.log(import_chalk17.default.gray(`  Reason:   ${result.blockedByLabel}`));
     }
   }
   console.log("");
 });
-program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = import_path24.default.join(import_os20.default.homedir(), ".node9", "config.json");
-  if (import_fs22.default.existsSync(configPath) && !options.force) {
-    console.log(import_chalk16.default.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
-    console.log(import_chalk16.default.gray(`   Run with --force to overwrite.`));
-    return;
-  }
-  const requestedMode = options.mode.toLowerCase();
-  const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
-  const configToSave = {
-    ...DEFAULT_CONFIG,
-    settings: {
-      ...DEFAULT_CONFIG.settings,
-      mode: safeMode
-    }
-  };
-  const dir = import_path24.default.dirname(configPath);
-  if (!import_fs22.default.existsSync(dir)) import_fs22.default.mkdirSync(dir, { recursive: true });
-  import_fs22.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
-  console.log(import_chalk16.default.green(`\u2705 Global config created: ${configPath}`));
-  console.log(import_chalk16.default.cyan(`   Mode set to: ${safeMode}`));
-  console.log(
-    import_chalk16.default.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
-  );
-});
+registerInitCommand(program);
 registerAuditCommand(program);
 registerStatusCommand(program);
 registerDaemonCommand(program);
@@ -8487,7 +9593,7 @@ program.command("tail").description("Stream live agent activity to the terminal"
   try {
     await startTail2(options);
   } catch (err) {
-    console.error(import_chalk16.default.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
+    console.error(import_chalk17.default.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
 });
@@ -8499,7 +9605,7 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   const ms = parseDuration(options.duration);
   if (ms === null) {
     console.error(
-      import_chalk16.default.red(`
+      import_chalk17.default.red(`
 \u274C  Invalid duration: "${options.duration}". Use format like 15m, 1h, 30s.
 `)
     );
@@ -8507,20 +9613,20 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   }
   pauseNode9(ms, options.duration);
   const expiresAt = new Date(Date.now() + ms).toLocaleTimeString();
-  console.log(import_chalk16.default.yellow(`
+  console.log(import_chalk17.default.yellow(`
 \u23F8  Node9 paused until ${expiresAt}`));
-  console.log(import_chalk16.default.gray(`   All tool calls will be allowed without review.`));
-  console.log(import_chalk16.default.gray(`   Run "node9 resume" to re-enable early.
+  console.log(import_chalk17.default.gray(`   All tool calls will be allowed without review.`));
+  console.log(import_chalk17.default.gray(`   Run "node9 resume" to re-enable early.
 `));
 });
 program.command("resume").description("Re-enable Node9 protection immediately").action(() => {
   const { paused } = checkPause();
   if (!paused) {
-    console.log(import_chalk16.default.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
+    console.log(import_chalk17.default.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
     return;
   }
   resumeNode9();
-  console.log(import_chalk16.default.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
+  console.log(import_chalk17.default.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
 });
 var HOOK_BASED_AGENTS = {
   claude: "claude",
@@ -8533,15 +9639,15 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     if (HOOK_BASED_AGENTS[firstArg2] !== void 0) {
       const target = HOOK_BASED_AGENTS[firstArg2];
       console.error(
-        import_chalk16.default.yellow(`
+        import_chalk17.default.yellow(`
 \u26A0\uFE0F  Node9 proxy mode does not support "${target}" directly.`)
       );
-      console.error(import_chalk16.default.white(`
+      console.error(import_chalk17.default.white(`
    "${target}" uses its own hook system. Use:`));
       console.error(
-        import_chalk16.default.green(`     node9 addto ${target}   `) + import_chalk16.default.gray("# one-time setup")
+        import_chalk17.default.green(`     node9 addto ${target}   `) + import_chalk17.default.gray("# one-time setup")
       );
-      console.error(import_chalk16.default.green(`     ${target}              `) + import_chalk16.default.gray("# run normally"));
+      console.error(import_chalk17.default.green(`     ${target}              `) + import_chalk17.default.gray("# run normally"));
       process.exit(1);
     }
     const runArgs = firstArg2 === "shell" ? commandArgs.slice(1) : commandArgs;
@@ -8558,7 +9664,7 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       }
     );
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
-      console.error(import_chalk16.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
+      console.error(import_chalk17.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();
       if (daemonReady) result = await authorizeHeadless("shell", { command: fullCommand });
     }
@@ -8571,12 +9677,12 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     }
     if (!result.approved) {
       console.error(
-        import_chalk16.default.red(`
+        import_chalk17.default.red(`
 \u274C Node9 Blocked: ${result.reason || "Dangerous command detected."}`)
       );
       process.exit(1);
     }
-    console.error(import_chalk16.default.green("\n\u2705 Approved \u2014 running command...\n"));
+    console.error(import_chalk17.default.green("\n\u2705 Approved \u2014 running command...\n"));
     await runProxy(fullCommand);
   } else {
     program.help();
@@ -8591,9 +9697,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = import_path24.default.join(import_os20.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        import_fs22.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        import_fs25.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);