@node9/proxy 1.4.0 → 1.5.1

package/dist/cli.mjs

@@ -9,7 +9,51 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/audit/hasher.ts
+import { createHash } from "crypto";
+function canonicalise(value) {
+  return _canonicalise(value, /* @__PURE__ */ new WeakSet());
+}
+function _canonicalise(value, seen) {
+  if (value === null || typeof value !== "object") return value;
+  if (value instanceof Date) return value.toISOString();
+  if (value instanceof RegExp) return value.toString();
+  if (Buffer.isBuffer(value)) return value.toString("base64");
+  if (seen.has(value)) return "[Circular]";
+  seen.add(value);
+  let result;
+  if (Array.isArray(value)) {
+    result = value.map((v) => _canonicalise(v, seen));
+  } else {
+    const obj = value;
+    result = Object.fromEntries(
+      Object.keys(obj).sort().map((k) => [k, _canonicalise(obj[k], seen)])
+    );
+  }
+  seen.delete(value);
+  return result;
+}
+function hashArgs(args) {
+  const canonical = JSON.stringify(canonicalise(args) ?? null);
+  return createHash("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+var init_hasher = __esm({
+  "src/audit/hasher.ts"() {
+    "use strict";
+  }
+});
+
 // src/audit/index.ts
+var audit_exports = {};
+__export(audit_exports, {
+  HOOK_DEBUG_LOG: () => HOOK_DEBUG_LOG,
+  LOCAL_AUDIT_LOG: () => LOCAL_AUDIT_LOG,
+  appendConfigAudit: () => appendConfigAudit,
+  appendHookDebug: () => appendHookDebug,
+  appendLocalAudit: () => appendLocalAudit,
+  appendToLog: () => appendToLog,
+  redactSecrets: () => redactSecrets
+});
 import fs from "fs";
 import path from "path";
 import os from "os";
@@ -34,24 +78,24 @@ function appendToLog(logPath, entry) {
   } catch {
   }
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(HOOK_DEBUG_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: os.hostname(),
     cwd: process.cwd()
   });
 }
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     decision,
     checkedBy,
     agent: meta?.agent,
@@ -70,6 +114,7 @@ var LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
 var init_audit = __esm({
   "src/audit/index.ts"() {
     "use strict";
+    init_hasher();
     LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
   }
@@ -94,8 +139,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path25 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path25}: ${issue.message}`;
+    const path28 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path28}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -167,7 +212,8 @@ var init_config_schema = __esm({
         environment: z.string().optional(),
         slackEnabled: z.boolean().optional(),
         enableTrustSessions: z.boolean().optional(),
-        allowGlobalPause: z.boolean().optional()
+        allowGlobalPause: z.boolean().optional(),
+        auditHashArgs: z.boolean().optional()
       }).optional(),
       policy: z.object({
         sandboxPaths: z.array(z.string()).optional(),
@@ -725,6 +771,7 @@ var init_config = __esm({
         approvalTimeoutMs: 12e4,
         // 120-second auto-deny timeout
         flightRecorder: true,
+        auditHashArgs: true,
         approvers: { native: true, browser: true, cloud: false, terminal: true }
       },
       policy: {
@@ -1605,17 +1652,44 @@ function readTrustedHosts() {
     return [];
   }
 }
+function getFileMtime() {
+  try {
+    return fs6.statSync(getTrustedHostsPath()).mtimeMs;
+  } catch {
+    return 0;
+  }
+}
+function getCachedHosts() {
+  const now = Date.now();
+  if (_cache && now < _cache.expiry) {
+    const mtime = getFileMtime();
+    if (mtime === _cache.mtime) return _cache.hosts;
+  }
+  const hosts = readTrustedHosts();
+  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
+  return hosts;
+}
 function writeTrustedHosts(hosts) {
   const filePath = getTrustedHostsPath();
   fs6.mkdirSync(path7.dirname(filePath), { recursive: true });
   const tmp = filePath + ".node9-tmp";
-  fs6.writeFileSync(tmp, JSON.stringify({ hosts }, null, 2));
+  fs6.writeFileSync(tmp, JSON.stringify({ hosts }, null, 2), { mode: 384 });
   fs6.renameSync(tmp, filePath);
+  _cache = { hosts, expiry: Date.now() + CACHE_TTL_MS, mtime: getFileMtime() };
 }
 function addTrustedHost(host) {
+  const normalized = normalizeHost(host);
+  if (normalized.startsWith("*.")) {
+    const base = normalized.slice(2);
+    if (!base.includes(".")) {
+      throw new Error(
+        `Wildcard pattern '${normalized}' is too broad \u2014 the base domain must have at least one dot (e.g. '*.mycompany.com', not '*.com').`
+      );
+    }
+  }
   const hosts = readTrustedHosts();
-  if (hosts.some((h) => h.host === host)) return;
-  hosts.push({ host, addedAt: Date.now(), addedBy: "user" });
+  if (hosts.some((h) => h.host === normalized)) return;
+  hosts.push({ host: normalized, addedAt: Date.now(), addedBy: "user" });
   writeTrustedHosts(hosts);
 }
 function removeTrustedHost(host) {
@@ -1630,18 +1704,21 @@ function normalizeHost(raw) {
 }
 function isTrustedHost(host) {
   const normalized = normalizeHost(host);
-  return readTrustedHosts().some((entry) => {
+  return getCachedHosts().some((entry) => {
     const entryHost = entry.host.toLowerCase();
     if (entryHost.startsWith("*.")) {
       const domain = entryHost.slice(2);
-      return normalized === domain || normalized.endsWith("." + domain);
+      return normalized.endsWith("." + domain);
     }
     return normalized === entryHost;
   });
 }
+var _cache, CACHE_TTL_MS;
 var init_trusted_hosts = __esm({
   "src/auth/trusted-hosts.ts"() {
     "use strict";
+    _cache = null;
+    CACHE_TTL_MS = 5e3;
   }
 });
 
@@ -1664,9 +1741,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path25) {
+function getNestedValue(obj, path28) {
   if (!obj || typeof obj !== "object") return null;
-  return path25.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path28.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -1852,7 +1929,12 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         };
       }
       if (allTrusted) {
-        return { decision: "allow" };
+        return {
+          decision: "allow",
+          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+          tier: 3
+        };
       }
       return {
         decision: "review",
@@ -2393,8 +2475,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
       signal: ctrl.signal
     });
     if (!res.ok) throw new Error("Daemon fail");
-    const { id } = await res.json();
-    return id;
+    const { id, allowCount } = await res.json();
+    return { id, allowCount: allowCount ?? 1 };
   } finally {
     clearTimeout(timer);
   }
@@ -2433,15 +2515,67 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
     signal: AbortSignal.timeout(3e3)
   });
   if (!res.ok) throw new Error("Daemon unreachable");
-  const { id } = await res.json();
-  return id;
+  const { id, allowCount } = await res.json();
+  return { id, allowCount: allowCount ?? 1 };
+}
+async function notifyTaint(filePath, source) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ path: filePath, source }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function notifyTaintPropagate(src, dest, clearSource = false) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint/propagate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ src, dest, clearSource }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function checkTaint(paths) {
+  if (paths.length === 0) return { tainted: false };
+  if (!isDaemonRunning()) return { tainted: false, daemonUnavailable: true };
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    const res = await fetch(`${base}/taint/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ paths }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    return await res.json();
+  } catch (err) {
+    try {
+      const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
+      appendToLog2(HOOK_DEBUG_LOG2, {
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "checkTaint-error",
+        error: String(err),
+        paths
+      });
+    } catch {
+    }
+    return { tainted: false, daemonUnavailable: true };
+  }
 }
-async function resolveViaDaemon(id, decision, internalToken) {
+async function resolveViaDaemon(id, decision, internalToken, source) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   await fetch(`${base}/resolve/${id}`, {
     method: "POST",
     headers: { "Content-Type": "application/json", "X-Node9-Internal": internalToken },
-    body: JSON.stringify({ decision }),
+    body: JSON.stringify({ decision, ...source && { source } }),
     signal: AbortSignal.timeout(3e3)
   });
 }
@@ -2646,20 +2780,24 @@ ${smartTruncate(str, 500)}`
 function escapePango(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
   lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
   lines.push("");
   lines.push(formattedArgs);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(`\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule`);
+  }
   if (!locked) {
     lines.push("");
     lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
   }
   return lines.join("\n");
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) {
     lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
@@ -2671,6 +2809,12 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
   lines.push("");
   lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(
+      `<span foreground="#f0c040">\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule</span>`
+    );
+  }
   if (!locked) {
     lines.push("");
     lines.push(
@@ -2679,12 +2823,19 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1) {
   if (isTestEnv()) return "deny";
   const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
   const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
-  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
+  const message = buildPlainMessage(
+    toolName,
+    formattedArgs,
+    agent,
+    explainableLabel,
+    locked,
+    allowCount
+  );
   return new Promise((resolve) => {
     let childProcess = null;
     const onAbort = () => {
@@ -2716,7 +2867,8 @@ end run`;
           formattedArgs,
           agent,
           explainableLabel,
-          locked
+          locked,
+          allowCount
         );
         const argsList = [
           locked ? "--info" : "--question",
@@ -2888,6 +3040,40 @@ import net from "net";
 import path13 from "path";
 import os10 from "os";
 import { randomUUID } from "crypto";
+function isWriteTool(toolName) {
+  const t = toolName.toLowerCase().replace(/[^a-z_]/g, "_");
+  return WRITE_TOOLS.has(t);
+}
+function extractFilePaths(toolName, args) {
+  const paths = [];
+  if (!args || typeof args !== "object" || Array.isArray(args)) return paths;
+  const a = args;
+  for (const key of ["file_path", "path", "filename", "source", "src", "input"]) {
+    if (typeof a[key] === "string" && a[key]) paths.push(a[key]);
+  }
+  const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+  if (cmd) {
+    for (const m of cmd.matchAll(/(?:-T|--upload-file|--data(?:-binary)?)\s+@?(\S+)/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/\b(?:scp|rsync)\s+(?:-\S+\s+)*(\S+)\s+\S+@/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/<\s*(\S+)/g)) {
+      paths.push(m[1]);
+    }
+  }
+  return paths.filter(Boolean);
+}
+function isNetworkTool(toolName, args) {
+  const t = toolName.toLowerCase();
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal.execute") {
+    const a = args;
+    const cmd = typeof a?.command === "string" ? a.command : typeof a?.cmd === "string" ? a.cmd : "";
+    return /\b(curl|wget|scp|rsync|nc|ncat|netcat|ssh)\b/.test(cmd);
+  }
+  return false;
+}
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -2917,7 +3103,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
         id: actId,
         tool: toolName,
         ts: actTs,
-        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel
       });
     }
@@ -2931,6 +3117,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
   const creds = getCredentials();
   const config = getConfig(options?.cwd);
+  const hashAuditArgs = config.settings.auditHashArgs === true;
   const isTestEnv2 = !!(process.env.VITEST || process.env.NODE_ENV === "test" || process.env.CI || process.env.NODE9_TESTING === "1");
   const approvers = {
     ...config.settings.approvers || { native: true, browser: true, cloud: true, terminal: true }
@@ -2941,13 +3128,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     approvers.terminal = false;
   }
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
-    appendHookDebug(toolName, args, meta);
+    appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let taintWarning = null;
+  if (isNetworkTool(toolName, args)) {
+    const filePaths = extractFilePaths(toolName, args);
+    if (filePaths.length > 0) {
+      const taintResult = await checkTaint(filePaths);
+      if (taintResult.tainted && taintResult.record) {
+        const { path: taintedPath, source: taintSource } = taintResult.record;
+        taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+      } else if (taintResult.daemonUnavailable) {
+        taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
+      }
+    }
+  }
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
@@ -2955,7 +3155,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (isWriteTool(toolName) && filePath) {
+          await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2963,7 +3166,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
         };
       }
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta, hashAuditArgs);
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
@@ -2971,7 +3175,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
-        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
           await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
         }
@@ -2979,22 +3183,23 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         auditLocalAllow(toolName, args, "local-policy", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
       return {
         approved: false,
         reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -3013,15 +3218,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
-    const persistent = getPersistentDecision(toolName);
+    const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "persistent", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "persistent-deny", meta, hashAuditArgs);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -3029,10 +3235,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         blockedByLabel: "Persistent User Rule"
       };
     }
-  } else {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
+  } else if (!taintWarning) {
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (taintWarning) {
+    explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
+    riskMetadata = computeRiskMetadata(
+      args,
+      7,
+      explainableLabel,
+      void 0,
+      void 0,
+      taintWarning
+    );
+  }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
@@ -3051,7 +3268,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
       cloudRequestId = initResult.requestId || null;
-      explainableLabel = "Organization Policy (SaaS)";
+      if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
   }
@@ -3080,13 +3297,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let viewerId = null;
   const internalToken = getInternalToken();
   let daemonEntryId = null;
+  let daemonAllowCount = 1;
   if ((approvers.browser || approvers.terminal) && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
-      viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      viewerId = viewer?.id ?? null;
       daemonEntryId = viewerId;
+      if (viewer) daemonAllowCount = viewer.allowCount;
     } else {
       try {
-        daemonEntryId = await registerDaemonEntry(
+        const entry = await registerDaemonEntry(
           toolName,
           args,
           meta,
@@ -3094,6 +3314,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           options?.activityId,
           options?.cwd
         );
+        daemonEntryId = entry.id;
+        daemonAllowCount = entry.allowCount;
       } catch {
       }
     }
@@ -3129,7 +3351,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           false,
           signal,
           policyMatchedField,
-          policyMatchedWord
+          policyMatchedWord,
+          daemonAllowCount
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -3187,10 +3410,13 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       if (!resolved) {
         resolved = true;
         abortController.abort();
-        if (viewerId && internalToken) {
-          resolveViaDaemon(viewerId, res.approved ? "allow" : "deny", internalToken).catch(
-            () => null
-          );
+        if (daemonEntryId && internalToken) {
+          resolveViaDaemon(
+            daemonEntryId,
+            res.approved ? "allow" : "deny",
+            internalToken,
+            res.decisionSource
+          ).catch(() => null);
         }
         resolve(res);
       }
@@ -3229,12 +3455,13 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
+      meta,
+      hashAuditArgs
     );
   }
   return finalResult;
 }
-var ACTIVITY_SOCKET_PATH;
+var WRITE_TOOLS, ACTIVITY_SOCKET_PATH;
 var init_orchestrator = __esm({
   "src/auth/orchestrator.ts"() {
     "use strict";
@@ -3247,6 +3474,17 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
+    WRITE_TOOLS = /* @__PURE__ */ new Set([
+      "write",
+      "write_file",
+      "create_file",
+      "edit",
+      "multiedit",
+      "str_replace_based_edit_tool",
+      "replace",
+      "notebook_edit",
+      "notebookedit"
+    ]);
     ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path13.join(os10.tmpdir(), "node9-activity.sock");
   }
 });
@@ -3543,6 +3781,15 @@ var init_ui = __esm({
         padding: 5px 10px;
         margin-bottom: 14px;
       }
+      .insight-hint {
+        font-size: 12px;
+        color: #f0c040;
+        background: rgba(240, 192, 64, 0.08);
+        border: 1px solid rgba(240, 192, 64, 0.25);
+        border-radius: 6px;
+        padding: 6px 10px;
+        margin-bottom: 12px;
+      }
       pre {
         background: #0d1117;
         padding: 14px 16px;
@@ -4015,6 +4262,78 @@ var init_ui = __esm({
         color: var(--danger);
       }
 
+      /* \u2500\u2500 Suggestion cards \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+      .suggestion-card {
+        background: rgba(82, 130, 255, 0.06);
+        border: 1px solid rgba(82, 130, 255, 0.25);
+        border-radius: 8px;
+        padding: 10px 12px;
+        margin-bottom: 8px;
+      }
+      .suggestion-card:last-child {
+        margin-bottom: 0;
+      }
+      .suggestion-header {
+        display: flex;
+        align-items: center;
+        gap: 8px;
+        margin-bottom: 6px;
+      }
+      .suggestion-tool {
+        font-family: 'Fira Code', monospace;
+        font-size: 11px;
+        color: var(--text-bright);
+        flex: 1;
+        word-break: break-all;
+      }
+      .suggestion-count {
+        font-size: 10px;
+        color: var(--muted);
+        white-space: nowrap;
+      }
+      .suggestion-rule {
+        font-family: 'Fira Code', monospace;
+        font-size: 10px;
+        color: #79c0ff;
+        background: rgba(0, 0, 0, 0.25);
+        border-radius: 4px;
+        padding: 4px 8px;
+        margin-bottom: 8px;
+        word-break: break-all;
+        white-space: pre-wrap;
+      }
+      .suggestion-actions {
+        display: flex;
+        gap: 6px;
+      }
+      .btn-apply {
+        background: rgba(52, 125, 57, 0.2);
+        border: 1px solid rgba(87, 171, 90, 0.4);
+        color: #57ab5a;
+        padding: 4px 10px;
+        font-size: 11px;
+        border-radius: 5px;
+        font-family: inherit;
+        cursor: pointer;
+      }
+      .btn-apply:hover {
+        background: rgba(52, 125, 57, 0.35);
+      }
+      .btn-dismiss-suggestion {
+        background: transparent;
+        border: 1px solid var(--border);
+        color: var(--muted);
+        padding: 4px 10px;
+        font-size: 11px;
+        border-radius: 5px;
+        font-family: inherit;
+        cursor: pointer;
+      }
+      .btn-dismiss-suggestion:hover {
+        border-color: var(--danger);
+        color: var(--danger);
+      }
+
       .modal-overlay {
         display: none;
         position: fixed;
@@ -4196,6 +4515,11 @@ var init_ui = __esm({
             <div class="panel-title">\u{1F4CB} Persistent Decisions</div>
             <div id="decisionsList"><span class="decisions-empty">None yet.</span></div>
           </div>
+
+          <div class="panel" id="suggestionsPanel" style="display: none">
+            <div class="panel-title">\u{1F4A1} Smart Rule Suggestions</div>
+            <div id="suggestionsList"></div>
+          </div>
         </div>
       </div>
     </div>
@@ -4345,12 +4669,15 @@ var init_ui = __esm({
         const badgeClass = isEdit ? 'sniper-badge-edit' : 'sniper-badge-exec';
         const badgeLabel = isEdit ? '\u{1F4DD} Code Edit' : '\u{1F6D1} Execution';
         const tierLabel = \`Tier \${rm.tier} \xB7 \${esc(rm.blockedByLabel)}\`;
+        const isTaint = rm.blockedByLabel?.includes('Taint');
         const fileLine =
-          isEdit && rm.editFilePath
-            ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
-            : !isEdit && rm.matchedWord
-              ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
-              : '';
+          isTaint && rm.ruleName
+            ? \`<div class="sniper-match">\u26A0\uFE0F \${esc(rm.ruleName)}</div>\`
+            : isEdit && rm.editFilePath
+              ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
+              : !isEdit && rm.matchedWord
+                ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
+                : '';
         const snippetHtml = rm.contextSnippet ? \`<pre>\${esc(rm.contextSnippet)}</pre>\` : '';
         return \`
           <div class="sniper-header">
@@ -4385,6 +4712,7 @@ var init_ui = __esm({
         </div>
         <div class="tool-chip">\${esc(req.toolName)}</div>
         \${isSlack ? '<div class="slack-indicator">\u26A1 Awaiting Cloud approval \u2014 view only</div>' : ''}
+        \${req.allowCount >= 3 ? \`<div class="insight-hint">\u{1F4A1} Approved \${req.allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule</div>\` : ''}
         \${renderPayload(req)}
         <div class="actions" id="act-\${req.id}">
           <button class="btn-allow" onclick="sendDecision('\${req.id}','allow',false)" \${dis}>\u2705 Allow this Action</button>
@@ -4451,6 +4779,14 @@ var init_ui = __esm({
         ev.addEventListener('shields-status', (e) => {
           renderShields(JSON.parse(e.data).shields);
         });
+        ev.addEventListener('suggestion:new', (e) => {
+          const s = JSON.parse(e.data);
+          addSuggestionCard(s);
+        });
+        ev.addEventListener('suggestion:resolved', (e) => {
+          const { id } = JSON.parse(e.data);
+          removeSuggestionCard(id);
+        });
 
         // \u2500\u2500 Flight Recorder \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
         ev.addEventListener('activity', (e) => {
@@ -4700,6 +5036,74 @@ var init_ui = __esm({
         .then((r) => r.json())
         .then(renderDecisions)
         .catch(() => {});
+
+      // \u2500\u2500 Smart Rule Suggestions \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+      function rulePreview(suggestion) {
+        const r = suggestion.suggestedRule;
+        if (r.type === 'ignoredTool') return \`ignoredTool: "\${r.toolName}"\`;
+        const cond = r.rule.conditions?.[0];
+        const condStr = cond ? \` where \${cond.field} \${cond.op} "\${cond.value}"\` : '';
+        return \`allow \${r.rule.tool}\${condStr}\`;
+      }
+
+      function addSuggestionCard(s) {
+        const panel = document.getElementById('suggestionsPanel');
+        const list = document.getElementById('suggestionsList');
+        panel.style.display = '';
+
+        const card = document.createElement('div');
+        card.className = 'suggestion-card';
+        card.id = 'sg-' + s.id;
+        card.innerHTML = \`
+          <div class="suggestion-header">
+            <span class="suggestion-tool">\${esc(s.toolName)}</span>
+            <span class="suggestion-count">allowed \${s.allowCount}\xD7</span>
+          </div>
+          <div class="suggestion-rule">\${esc(rulePreview(s))}</div>
+          <div class="suggestion-actions">
+            <button class="btn-apply" onclick="applySuggestion('\${esc(s.id)}')">Apply rule</button>
+            <button class="btn-dismiss-suggestion" onclick="dismissSuggestion('\${esc(s.id)}')">Dismiss</button>
+          </div>
+        \`;
+        list.appendChild(card);
+      }
+
+      function removeSuggestionCard(id) {
+        document.getElementById('sg-' + id)?.remove();
+        const list = document.getElementById('suggestionsList');
+        if (!list.querySelector('.suggestion-card')) {
+          document.getElementById('suggestionsPanel').style.display = 'none';
+        }
+      }
+
+      function applySuggestion(id) {
+        fetch('/suggestions/' + id + '/apply', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json', 'X-Node9-Token': CSRF_TOKEN },
+          body: JSON.stringify({}),
+        })
+          .then((r) => {
+            if (r.ok) removeSuggestionCard(id);
+          })
+          .catch(() => {});
+      }
+
+      function dismissSuggestion(id) {
+        fetch('/suggestions/' + id + '/dismiss', {
+          method: 'POST',
+          headers: { 'X-Node9-Token': CSRF_TOKEN },
+        })
+          .then((r) => {
+            if (r.ok) removeSuggestionCard(id);
+          })
+          .catch(() => {});
+      }
+
+      // Load any suggestions that survived a page reload (daemon still running)
+      fetch('/suggestions')
+        .then((r) => r.json())
+        .then((list) => list.filter((s) => s.status === 'pending').forEach(addSuggestionCard))
+        .catch(() => {});
     </script>
   </body>
 </html>
@@ -4717,13 +5121,203 @@ var init_ui2 = __esm({
   }
 });
 
-// src/daemon/state.ts
-import net2 from "net";
+// src/daemon/suggestion-tracker.ts
+import { randomUUID as randomUUID2 } from "crypto";
+function extractPath(args) {
+  if (!args || typeof args !== "object") return null;
+  const a = args;
+  for (const key of ["path", "file_path", "filename", "filepath", "dest", "destination"]) {
+    if (typeof a[key] === "string" && a[key]) return a[key];
+  }
+  return null;
+}
+function commonPathPrefix(paths) {
+  if (paths.length < 2) return null;
+  const dirParts = paths.map((p) => {
+    const lastSlash = p.lastIndexOf("/");
+    return lastSlash > 0 ? p.slice(0, lastSlash + 1) : "/";
+  });
+  const first = dirParts[0].split("/");
+  const common = [];
+  for (let i = 0; i < first.length; i++) {
+    if (dirParts.every((d) => d.split("/")[i] === first[i])) {
+      common.push(first[i]);
+    } else {
+      break;
+    }
+  }
+  const prefix = common.join("/").replace(/\/?$/, "/");
+  return prefix.length > 1 ? prefix : null;
+}
+var SuggestionTracker;
+var init_suggestion_tracker = __esm({
+  "src/daemon/suggestion-tracker.ts"() {
+    "use strict";
+    SuggestionTracker = class {
+      events = /* @__PURE__ */ new Map();
+      threshold;
+      constructor(threshold = 3) {
+        this.threshold = threshold;
+      }
+      /**
+       * Record a human-allowed review for a tool.
+       * Returns a Suggestion when the threshold is reached, null otherwise.
+       */
+      recordAllow(toolName, args) {
+        const events = this.events.get(toolName) ?? [];
+        events.push({ args, ts: Date.now() });
+        this.events.set(toolName, events);
+        if (events.length >= this.threshold) {
+          this.events.delete(toolName);
+          return this.generateSuggestion(toolName, events);
+        }
+        return null;
+      }
+      /**
+       * Reset the counter for a tool (e.g. when the user clicks Deny —
+       * don't suggest allowing something they just blocked).
+       */
+      resetTool(toolName) {
+        this.events.delete(toolName);
+      }
+      /** Current allow count for a tool (for tests). */
+      getCount(toolName) {
+        return this.events.get(toolName)?.length ?? 0;
+      }
+      generateSuggestion(toolName, events) {
+        const paths = events.map((e) => extractPath(e.args)).filter((p) => typeof p === "string" && p.length > 0);
+        const prefix = commonPathPrefix(paths);
+        const suggestedRule = prefix ? {
+          type: "smartRule",
+          rule: {
+            name: `allow-${toolName}-${prefix.replace(/[^a-z0-9]/gi, "-").replace(/-+/g, "-").replace(/^-|-$/g, "")}`,
+            tool: toolName,
+            conditions: [{ field: "path", op: "matchesGlob", value: `${prefix}**` }],
+            verdict: "allow",
+            reason: `Auto-suggested: ${toolName} allowed ${events.length}\xD7 in ${prefix}`
+          }
+        } : { type: "ignoredTool", toolName };
+        return {
+          id: randomUUID2(),
+          toolName,
+          allowCount: events.length,
+          suggestedRule,
+          status: "pending",
+          createdAt: Date.now(),
+          exampleArgs: events.slice(0, 3).map((e) => e.args)
+        };
+      }
+    };
+  }
+});
+
+// src/daemon/taint-store.ts
 import fs12 from "fs";
 import path15 from "path";
+var DEFAULT_TTL_MS, TaintStore;
+var init_taint_store = __esm({
+  "src/daemon/taint-store.ts"() {
+    "use strict";
+    DEFAULT_TTL_MS = 60 * 60 * 1e3;
+    TaintStore = class {
+      records = /* @__PURE__ */ new Map();
+      /** Add or refresh taint on an absolute path. */
+      taint(filePath, source, ttlMs = DEFAULT_TTL_MS) {
+        const resolved = this._resolve(filePath);
+        const now = Date.now();
+        this.records.set(resolved, {
+          path: resolved,
+          source,
+          createdAt: now,
+          expiresAt: now + ttlMs
+        });
+      }
+      /**
+       * Check whether a path is currently tainted.
+       * Returns the TaintRecord if tainted (and not expired), null otherwise.
+       * Expired records are pruned on access.
+       */
+      check(filePath) {
+        const resolved = this._resolve(filePath);
+        const record = this.records.get(resolved);
+        if (!record) return null;
+        if (Date.now() > record.expiresAt) {
+          this.records.delete(resolved);
+          return null;
+        }
+        return record;
+      }
+      /**
+       * Propagate taint from sourcePath to destPath (e.g. cp, mv).
+       * For mv semantics (clearSource=true) the source taint is removed.
+       */
+      propagate(sourcePath, destPath, clearSource = false) {
+        const taintRecord = this.check(sourcePath);
+        if (!taintRecord) return;
+        const remainingMs = taintRecord.expiresAt - Date.now();
+        if (remainingMs > 0) {
+          const baseSource = taintRecord.source.replace(/^(propagated:)+/, "");
+          this.taint(destPath, `propagated:${baseSource}`, remainingMs);
+        }
+        if (clearSource) {
+          this.records.delete(this._resolve(sourcePath));
+        }
+      }
+      /** Remove all expired records. Called periodically by the daemon. */
+      prune() {
+        const now = Date.now();
+        for (const [key, record] of this.records) {
+          if (now > record.expiresAt) this.records.delete(key);
+        }
+      }
+      /** Return all non-expired taint records (for audit/debug). */
+      list() {
+        this.prune();
+        return [...this.records.values()];
+      }
+      /** Remove all taint records atomically. Used by tests to reset state between runs. */
+      clear() {
+        this.records.clear();
+      }
+      /** Resolve to absolute path, falling back to path.resolve if file doesn't exist yet. */
+      _resolve(filePath) {
+        try {
+          return fs12.realpathSync.native(path15.resolve(filePath));
+        } catch {
+          return path15.resolve(filePath);
+        }
+      }
+    };
+  }
+});
+
+// src/daemon/state.ts
+import net2 from "net";
+import fs13 from "fs";
+import path16 from "path";
 import os12 from "os";
 import { spawn as spawn2 } from "child_process";
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
+function loadInsightCounts() {
+  try {
+    if (!fs13.existsSync(INSIGHT_COUNTS_FILE)) return;
+    const data = JSON.parse(fs13.readFileSync(INSIGHT_COUNTS_FILE, "utf-8"));
+    for (const [tool, count] of Object.entries(data)) {
+      if (typeof count === "number" && count > 0) insightCounts.set(tool, count);
+    }
+  } catch {
+  }
+}
+function saveInsightCounts() {
+  try {
+    const data = {};
+    insightCounts.forEach((count, tool) => {
+      data[tool] = count;
+    });
+    atomicWriteSync2(INSIGHT_COUNTS_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+  } catch {
+  }
+}
 function getAbandonTimer() {
   return _abandonTimer;
 }
@@ -4746,11 +5340,27 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = path15.dirname(filePath);
-  if (!fs12.existsSync(dir)) fs12.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${randomUUID2()}.tmp`;
-  fs12.writeFileSync(tmpPath, data, options);
-  fs12.renameSync(tmpPath, filePath);
+  const dir = path16.dirname(filePath);
+  if (!fs13.existsSync(dir)) fs13.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${randomUUID3()}.tmp`;
+  try {
+    fs13.writeFileSync(tmpPath, data, options);
+  } catch (err) {
+    try {
+      fs13.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
+  try {
+    fs13.renameSync(tmpPath, filePath);
+  } catch (err) {
+    try {
+      fs13.unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
 }
 function redactArgs(value) {
   if (!value || typeof value !== "object") return value;
@@ -4770,16 +5380,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = path15.dirname(AUDIT_LOG_FILE);
-    if (!fs12.existsSync(dir)) fs12.mkdirSync(dir, { recursive: true });
-    fs12.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = path16.dirname(AUDIT_LOG_FILE);
+    if (!fs13.existsSync(dir)) fs13.mkdirSync(dir, { recursive: true });
+    fs13.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!fs12.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = fs12.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!fs13.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = fs13.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -4788,19 +5398,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (fs12.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (fs13.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return fs12.existsSync(CREDENTIALS_FILE);
+  return fs13.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (fs12.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(fs12.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (fs13.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(fs13.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4812,8 +5422,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs12.existsSync(TRUST_FILE2))
-        trust = JSON.parse(fs12.readFileSync(TRUST_FILE2, "utf-8"));
+      if (fs13.existsSync(TRUST_FILE2))
+        trust = JSON.parse(fs13.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -4824,8 +5434,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (fs12.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(fs12.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (fs13.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(fs13.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -4890,7 +5500,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      fs12.unlinkSync(DAEMON_PID_FILE);
+      fs13.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -4901,7 +5511,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    fs12.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    fs13.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -4943,25 +5553,32 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      fs12.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      fs13.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
 }
-var homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, pending, sseClients, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
+var homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     init_daemon();
+    init_suggestion_tracker();
+    init_taint_store();
     homeDir = os12.homedir();
-    DAEMON_PID_FILE = path15.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = path15.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = path15.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = path15.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = path15.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = path15.join(homeDir, ".node9", "credentials.json");
+    DAEMON_PID_FILE = path16.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = path16.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = path16.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = path16.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = path16.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = path16.join(homeDir, ".node9", "credentials.json");
+    INSIGHT_COUNTS_FILE = path16.join(homeDir, ".node9", "insight-counts.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
+    suggestionTracker = new SuggestionTracker(3);
+    suggestions = /* @__PURE__ */ new Map();
+    taintStore = new TaintStore();
+    insightCounts = /* @__PURE__ */ new Map();
     _abandonTimer = null;
     _hadBrowserClient = false;
     _daemonServer = null;
@@ -4973,24 +5590,82 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path15.join(os12.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path16.join(os12.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
   }
 });
 
-// src/daemon/server.ts
-import http from "http";
-import fs13 from "fs";
-import path16 from "path";
-import { randomUUID as randomUUID3 } from "crypto";
-import { spawnSync as spawnSync2 } from "child_process";
-import chalk2 from "chalk";
-function startDaemon() {
-  const csrfToken = randomUUID3();
-  const internalToken = randomUUID3();
-  const UI_HTML = UI_HTML_TEMPLATE.replace("{{CSRF_TOKEN}}", csrfToken);
+// src/config/patch.ts
+import fs14 from "fs";
+import path17 from "path";
+import os13 from "os";
+function patchConfig(configPath, patch) {
+  let config = {};
+  try {
+    if (fs14.existsSync(configPath)) {
+      config = JSON.parse(fs14.readFileSync(configPath, "utf8"));
+    }
+  } catch {
+    throw new Error(`Cannot read config at ${configPath} \u2014 file may be corrupted`);
+  }
+  if (!config.policy || typeof config.policy !== "object") config.policy = {};
+  const policy = config.policy;
+  if (patch.type === "smartRule") {
+    if (!Array.isArray(policy.smartRules)) policy.smartRules = [];
+    const rules = policy.smartRules;
+    if (patch.rule.name && rules.some((r) => r.name === patch.rule.name)) return;
+    rules.push(patch.rule);
+  } else {
+    if (!Array.isArray(policy.ignoredTools)) policy.ignoredTools = [];
+    const ignored = policy.ignoredTools;
+    if (!ignored.includes(patch.toolName)) {
+      ignored.push(patch.toolName);
+    }
+  }
+  const dir = path17.dirname(configPath);
+  fs14.mkdirSync(dir, { recursive: true });
+  const tmp = configPath + ".node9-tmp";
+  try {
+    fs14.writeFileSync(tmp, JSON.stringify(config, null, 2), { mode: 384 });
+  } catch (err) {
+    try {
+      fs14.unlinkSync(tmp);
+    } catch {
+    }
+    throw err;
+  }
+  try {
+    fs14.renameSync(tmp, configPath);
+  } catch (err) {
+    try {
+      fs14.unlinkSync(tmp);
+    } catch {
+    }
+    throw err;
+  }
+}
+var GLOBAL_CONFIG_PATH;
+var init_patch = __esm({
+  "src/config/patch.ts"() {
+    "use strict";
+    GLOBAL_CONFIG_PATH = path17.join(os13.homedir(), ".node9", "config.json");
+  }
+});
+
+// src/daemon/server.ts
+import http from "http";
+import fs15 from "fs";
+import path18 from "path";
+import { randomUUID as randomUUID4 } from "crypto";
+import { spawnSync as spawnSync2 } from "child_process";
+import chalk2 from "chalk";
+function startDaemon() {
+  loadInsightCounts();
+  const csrfToken = randomUUID4();
+  const internalToken = randomUUID4();
+  const UI_HTML = UI_HTML_TEMPLATE.replace("{{CSRF_TOKEN}}", csrfToken);
   const validToken = (req) => req.headers["x-node9-token"] === csrfToken;
   const IDLE_TIMEOUT_MS = 12 * 60 * 60 * 1e3;
   const watchMode = process.env.NODE9_WATCH_MODE === "1";
@@ -5002,7 +5677,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          fs13.unlinkSync(DAEMON_PID_FILE);
+          fs15.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -5011,8 +5686,14 @@ function startDaemon() {
     idleTimer.unref();
   }
   resetIdleTimer();
+  const allowedHosts = /* @__PURE__ */ new Set([`127.0.0.1:${DAEMON_PORT}`, `localhost:${DAEMON_PORT}`]);
   const server = http.createServer(async (req, res) => {
-    const reqUrl = new URL(req.url || "/", `http://${req.headers.host}`);
+    const host = req.headers.host ?? "";
+    if (!allowedHosts.has(host)) {
+      res.writeHead(421, { "Content-Type": "text/plain" });
+      return res.end("Misdirected Request");
+    }
+    const reqUrl = new URL(req.url || "/", `http://${host}`);
     const { pathname } = reqUrl;
     if (req.method === "GET" && pathname === "/") {
       res.writeHead(200, { "Content-Type": "text/html" });
@@ -5045,7 +5726,8 @@ data: ${JSON.stringify({
             slackDelegated: e.slackDelegated,
             timestamp: e.timestamp,
             agent: e.agent,
-            mcpServer: e.mcpServer
+            mcpServer: e.mcpServer,
+            allowCount: (insightCounts.get(e.toolName) ?? 0) + 1
           })),
           orgName: getOrgName(),
           autoDenyMs: getConfig().settings.approvalTimeoutMs ?? AUTO_DENY_MS
@@ -5087,6 +5769,12 @@ data: ${JSON.stringify(item.data)}
         }
       });
     }
+    if (req.method === "POST" && pathname === "/browser-opened") {
+      if (req.headers["x-node9-internal"] !== internalToken) return res.writeHead(403).end();
+      browserOpened = true;
+      res.writeHead(200).end();
+      return;
+    }
     if (req.method === "POST" && pathname === "/check") {
       try {
         resetIdleTimer();
@@ -5104,7 +5792,7 @@ data: ${JSON.stringify(item.data)}
           activityId,
           cwd
         } = JSON.parse(body);
-        const id = fromCLI && typeof activityId === "string" && activityId || randomUUID3();
+        const id = fromCLI && typeof activityId === "string" && activityId || randomUUID4();
         const entry = {
           id,
           toolName,
@@ -5130,7 +5818,7 @@ data: ${JSON.stringify(item.data)}
                 e.earlyReason = "No response \u2014 auto-denied after timeout";
               }
               pending.delete(id);
-              broadcast("remove", { id });
+              broadcast("remove", { id, decision: "deny" });
             }
           }, getConfig().settings.approvalTimeoutMs ?? AUTO_DENY_MS)
         };
@@ -5144,7 +5832,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && path16.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && path18.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -5157,7 +5845,10 @@ data: ${JSON.stringify(item.data)}
             slackDelegated: entry.slackDelegated,
             agent: entry.agent,
             mcpServer: entry.mcpServer,
-            interactive: terminalEnabled
+            interactive: terminalEnabled,
+            // allowCount = what this count will be if the user allows.
+            // Terminal uses this to show the 💡 insight line on the Nth consecutive approval.
+            allowCount: (insightCounts.get(toolName) ?? 0) + 1
           });
           const browserAlreadyOpened = process.env.NODE9_BROWSER_OPENED === "1";
           if (browserEnabled && !browserOpened && !browserAlreadyOpened) {
@@ -5166,7 +5857,7 @@ data: ${JSON.stringify(item.data)}
           }
         }
         res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ id }));
+        res.end(JSON.stringify({ id, allowCount: (insightCounts.get(toolName) ?? 0) + 1 }));
         if (slackDelegated) return;
         authorizeHeadless(
           toolName,
@@ -5193,7 +5884,7 @@ data: ${JSON.stringify(item.data)}
           if (e.waiter) {
             e.waiter(decision, result.reason);
             pending.delete(id);
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision });
           } else {
             e.earlyDecision = decision;
             e.earlyReason = result.reason;
@@ -5209,7 +5900,7 @@ data: ${JSON.stringify(item.data)}
             e.earlyReason = reason;
           }
           pending.delete(id);
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: "deny" });
         });
         return;
       } catch {
@@ -5240,12 +5931,14 @@ data: ${JSON.stringify(item.data)}
         res.end(JSON.stringify(body));
       };
       req.on("close", () => {
-        const e = pending.get(id);
-        if (e && e.waiter && e.earlyDecision === null) {
-          clearTimeout(e.timer);
-          pending.delete(id);
-          broadcast("remove", { id });
-        }
+        setTimeout(() => {
+          const e = pending.get(id);
+          if (e && e.waiter && e.earlyDecision === null) {
+            clearTimeout(e.timer);
+            pending.delete(id);
+            broadcast("remove", { id });
+          }
+        }, 200);
       });
       return;
     }
@@ -5274,10 +5967,10 @@ data: ${JSON.stringify(item.data)}
           if (entry.waiter) {
             entry.waiter("allow");
             pending.delete(id);
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision: "allow" });
           } else {
             entry.earlyDecision = "allow";
-            broadcast("remove", { id });
+            broadcast("remove", { id, decision: "allow" });
             entry.timer = setTimeout(() => pending.delete(id), 3e4);
           }
           res.writeHead(200);
@@ -5291,16 +5984,29 @@ data: ${JSON.stringify(item.data)}
           decision: resolvedDecision
         });
         clearTimeout(entry.timer);
+        if (resolvedDecision === "allow" && !persist) {
+          insightCounts.set(entry.toolName, (insightCounts.get(entry.toolName) ?? 0) + 1);
+          saveInsightCounts();
+          const suggestion = suggestionTracker.recordAllow(entry.toolName, entry.args);
+          if (suggestion) {
+            suggestions.set(suggestion.id, suggestion);
+            broadcast("suggestion:new", suggestion);
+          }
+        } else if (resolvedDecision === "deny") {
+          insightCounts.delete(entry.toolName);
+          saveInsightCounts();
+          suggestionTracker.resetTool(entry.toolName);
+        }
         const VALID_SOURCES = /* @__PURE__ */ new Set(["terminal", "browser", "native"]);
         if (source && VALID_SOURCES.has(source)) entry.decisionSource = source;
         if (entry.waiter) {
           entry.waiter(resolvedDecision, reason);
           pending.delete(id);
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: resolvedDecision });
         } else {
           entry.earlyDecision = resolvedDecision;
           entry.earlyReason = reason;
-          broadcast("remove", { id });
+          broadcast("remove", { id, decision: resolvedDecision });
           entry.timer = setTimeout(() => pending.delete(id), 3e4);
         }
         res.writeHead(200);
@@ -5388,13 +6094,38 @@ data: ${JSON.stringify(item.data)}
         const id = pathname.split("/").pop();
         const entry = pending.get(id);
         if (!entry) return res.writeHead(404).end();
-        const { decision } = JSON.parse(await readBody(req));
-        appendAuditLog({ toolName: entry.toolName, args: entry.args, decision });
+        const { decision, source } = JSON.parse(await readBody(req));
+        const resolvedResolveDecision = decision === "allow" ? "allow" : "deny";
+        appendAuditLog({
+          toolName: entry.toolName,
+          args: entry.args,
+          decision: resolvedResolveDecision
+        });
         clearTimeout(entry.timer);
-        if (entry.waiter) entry.waiter(decision);
-        else entry.earlyDecision = decision;
+        if (resolvedResolveDecision === "allow") {
+          insightCounts.set(entry.toolName, (insightCounts.get(entry.toolName) ?? 0) + 1);
+          saveInsightCounts();
+        } else {
+          insightCounts.delete(entry.toolName);
+          saveInsightCounts();
+        }
+        if (!entry.slackDelegated) {
+          if (resolvedResolveDecision === "allow") {
+            const suggestion = suggestionTracker.recordAllow(entry.toolName, entry.args);
+            if (suggestion) {
+              suggestions.set(suggestion.id, suggestion);
+              broadcast("suggestion:new", suggestion);
+            }
+          } else {
+            suggestionTracker.resetTool(entry.toolName);
+          }
+        }
+        const VALID_RESOLVE_SOURCES = /* @__PURE__ */ new Set(["terminal", "browser", "native"]);
+        if (source && VALID_RESOLVE_SOURCES.has(source)) entry.decisionSource = source;
+        if (entry.waiter) entry.waiter(resolvedResolveDecision);
+        else entry.earlyDecision = resolvedResolveDecision;
         pending.delete(id);
-        broadcast("remove", { id });
+        broadcast("remove", { id, decision: resolvedResolveDecision });
         res.writeHead(200);
         return res.end(JSON.stringify({ ok: true }));
       } catch {
@@ -5442,20 +6173,136 @@ data: ${JSON.stringify(item.data)}
         res.writeHead(400).end();
       }
     }
+    if (req.method === "GET" && pathname === "/suggestions") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      return res.end(JSON.stringify([...suggestions.values()]));
+    }
+    if (req.method === "POST" && pathname.startsWith("/suggestions/") && pathname.endsWith("/apply")) {
+      if (!validToken(req)) return res.writeHead(403).end();
+      try {
+        const body = await readBody(req);
+        const data = body ? JSON.parse(body) : {};
+        const configPath = data.configPath ?? GLOBAL_CONFIG_PATH;
+        const node9Dir = path18.dirname(GLOBAL_CONFIG_PATH);
+        if (!path18.resolve(configPath).startsWith(node9Dir + path18.sep)) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(
+            JSON.stringify({ error: "configPath must be within the node9 config directory" })
+          );
+        }
+        const id = pathname.split("/")[2];
+        const suggestion = suggestions.get(id);
+        if (!suggestion) return res.writeHead(404).end();
+        let patch;
+        if (data.rule !== void 0) {
+          const parsed = SmartRuleSchema.safeParse(data.rule);
+          if (!parsed.success) {
+            res.writeHead(400, { "Content-Type": "application/json" });
+            return res.end(JSON.stringify({ error: parsed.error.message }));
+          }
+          patch = { type: "smartRule", rule: parsed.data };
+        } else {
+          patch = suggestion.suggestedRule;
+        }
+        patchConfig(configPath, patch);
+        _resetConfigCache();
+        insightCounts.delete(suggestion.toolName);
+        saveInsightCounts();
+        suggestion.status = "applied";
+        broadcast("suggestion:resolved", { id, status: "applied" });
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch (err) {
+        console.error(chalk2.red("[node9 daemon] POST /suggestions/:id/apply failed:"), err);
+        res.writeHead(500, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ error: String(err) }));
+      }
+    }
+    if (req.method === "POST" && pathname.startsWith("/suggestions/") && pathname.endsWith("/dismiss")) {
+      if (!validToken(req)) return res.writeHead(403).end();
+      try {
+        const id = pathname.split("/")[2];
+        const suggestion = suggestions.get(id);
+        if (!suggestion) return res.writeHead(404).end();
+        suggestion.status = "dismissed";
+        broadcast("suggestion:resolved", { id, status: "dismissed" });
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.path !== "string" || typeof body.source !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "path and source are required strings" }));
+        }
+        const ttlMs = typeof body.ttlMs === "number" ? body.ttlMs : void 0;
+        taintStore.taint(body.path, body.source, ttlMs);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/check") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (!Array.isArray(body.paths)) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "paths must be an array" }));
+        }
+        if (body.paths.some((p) => typeof p !== "string")) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "all paths must be strings" }));
+        }
+        for (const p of body.paths) {
+          const record = taintStore.check(p);
+          if (record) {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            return res.end(JSON.stringify({ tainted: true, record }));
+          }
+        }
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ tainted: false }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/propagate") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.src !== "string" || typeof body.dest !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "src and dest are required strings" }));
+        }
+        const clearSource = body.clearSource === true;
+        taintStore.propagate(body.src, body.dest, clearSource);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
     res.writeHead(404).end();
   });
   setDaemonServer(server);
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (fs13.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(fs13.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (fs15.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(fs15.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          fs13.unlinkSync(DAEMON_PID_FILE);
+          fs15.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -5521,32 +6368,34 @@ var init_server = __esm({
     init_shields();
     init_ui2();
     init_state2();
+    init_patch();
+    init_config_schema();
   }
 });
 
 // src/daemon/index.ts
-import fs14 from "fs";
+import fs16 from "fs";
 import chalk3 from "chalk";
 import { spawnSync as spawnSync3 } from "child_process";
 function stopDaemon() {
-  if (!fs14.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
+  if (!fs16.existsSync(DAEMON_PID_FILE)) return console.log(chalk3.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(fs14.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(fs16.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(chalk3.green("\u2705 Stopped."));
   } catch {
     console.log(chalk3.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      fs14.unlinkSync(DAEMON_PID_FILE);
+      fs16.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (fs14.existsSync(DAEMON_PID_FILE)) {
+  if (fs16.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(fs14.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(fs16.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(chalk3.green("Node9 daemon: running"));
       return;
@@ -5580,10 +6429,10 @@ __export(tail_exports, {
   startTail: () => startTail
 });
 import http2 from "http";
-import chalk15 from "chalk";
-import fs21 from "fs";
-import os19 from "os";
-import path23 from "path";
+import chalk16 from "chalk";
+import fs24 from "fs";
+import os21 from "os";
+import path26 from "path";
 import readline3 from "readline";
 import { spawn as spawn9, execSync as execSync3 } from "child_process";
 function getIcon(tool) {
@@ -5599,17 +6448,17 @@ function formatBase(activity) {
   const toolName = activity.tool.slice(0, 16).padEnd(16);
   const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ");
   const argsPreview = argsStr.length > 70 ? argsStr.slice(0, 70) + "\u2026" : argsStr;
-  return `${chalk15.gray(time)} ${icon} ${chalk15.white.bold(toolName)} ${chalk15.dim(argsPreview)}`;
+  return `${chalk16.gray(time)} ${icon} ${chalk16.white.bold(toolName)} ${chalk16.dim(argsPreview)}`;
 }
 function renderResult(activity, result) {
   const base = formatBase(activity);
   let status;
   if (result.status === "allow") {
-    status = chalk15.green("\u2713 ALLOW");
+    status = chalk16.green("\u2713 ALLOW");
   } else if (result.status === "dlp") {
-    status = chalk15.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
+    status = chalk16.bgRed.white.bold(" \u{1F6E1}\uFE0F  DLP ");
   } else {
-    status = chalk15.red("\u2717 BLOCK");
+    status = chalk16.red("\u2717 BLOCK");
   }
   if (process.stdout.isTTY) {
     readline3.clearLine(process.stdout, 0);
@@ -5619,16 +6468,16 @@ function renderResult(activity, result) {
 }
 function renderPending(activity) {
   if (!process.stdout.isTTY) return;
-  process.stdout.write(`${formatBase(activity)}  ${chalk15.yellow("\u25CF \u2026")}\r`);
+  process.stdout.write(`${formatBase(activity)}  ${chalk16.yellow("\u25CF \u2026")}\r`);
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (fs21.existsSync(PID_FILE)) {
+  if (fs24.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(fs21.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(fs24.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
-      console.error(chalk15.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
+      console.error(chalk16.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
     }
   }
   const checkPort = pidPort ?? DAEMON_PORT;
@@ -5639,7 +6488,7 @@ async function ensureDaemon() {
     if (res.ok) return checkPort;
   } catch {
   }
-  console.log(chalk15.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
+  console.log(chalk16.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
   const child = spawn9(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
@@ -5656,12 +6505,15 @@ async function ensureDaemon() {
     } catch {
     }
   }
-  console.error(chalk15.red("\u274C Daemon failed to start. Try: node9 daemon start"));
+  console.error(chalk16.red("\u274C Daemon failed to start. Try: node9 daemon start"));
   process.exit(1);
 }
-function postDecisionHttp(id, decision, csrfToken, port) {
+function postDecisionHttp(id, decision, csrfToken, port, opts) {
   return new Promise((resolve, reject) => {
-    const body = JSON.stringify({ decision, source: "terminal" });
+    const bodyObj = { decision, source: "terminal" };
+    if (opts?.persist) bodyObj.persist = true;
+    if (opts?.trustDuration) bodyObj.trustDuration = opts.trustDuration;
+    const body = JSON.stringify(bodyObj);
     const req = http2.request(
       {
         hostname: "127.0.0.1",
@@ -5684,22 +6536,33 @@ function postDecisionHttp(id, decision, csrfToken, port) {
     req.end(body);
   });
 }
-function buildCardLines(req) {
+function buildCardLines(req, localCount = 0) {
   const argsStr = JSON.stringify(req.args ?? {}).replace(/\s+/g, " ");
   const argsPreview = argsStr.length > 60 ? argsStr.slice(0, 60) + "\u2026" : argsStr;
   const tierLabel = req.riskMetadata?.tier != null ? req.riskMetadata.tier <= 2 ? `${YELLOW}\u26A0  Tier ${req.riskMetadata.tier}` : `${RED}\u{1F6D1} Tier ${req.riskMetadata.tier}` : `${YELLOW}\u26A0  Review`;
   const blockedBy = req.riskMetadata?.blockedByLabel ?? "Policy rule";
-  return [
+  const lines = [
     ``,
     `${BOLD}${CYAN}\u2554\u2550\u2550 Node9 Approval Required \u2550\u2550\u2557${RESET}`,
     `${CYAN}\u2551${RESET} Tool:    ${BOLD}${req.toolName}${RESET}`,
-    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`,
-    `${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`,
+    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`
+  ];
+  if (req.riskMetadata?.ruleName && blockedBy.includes("Taint")) {
+    lines.push(`${CYAN}\u2551${RESET} ${YELLOW}\u26A0  ${req.riskMetadata.ruleName}${RESET}`);
+  }
+  lines.push(`${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`);
+  if (localCount >= 2) {
+    lines.push(
+      `${CYAN}\u2551${RESET} ${YELLOW}\u{1F4A1}${RESET} Approved ${localCount}\xD7 before \u2014 ${BOLD}[a]${RESET}${YELLOW} creates a permanent rule${RESET}`
+    );
+  }
+  lines.push(
     `${CYAN}\u255A${RESET}`,
     ``,
-    `  ${BOLD}${GREEN}[A]${RESET} Allow   ${BOLD}${RED}[D]${RESET} Deny`,
+    `  ${BOLD}${GREEN}[\u21B5/y]${RESET} Allow   ${BOLD}${RED}[n]${RESET} Deny   ${BOLD}${YELLOW}[a]${RESET} Always Allow   ${BOLD}${CYAN}[t]${RESET} Trust 30m`,
     ``
-  ];
+  );
+  return lines;
 }
 async function startTail(options = {}) {
   const port = await ensureDaemon();
@@ -5727,7 +6590,7 @@ async function startTail(options = {}) {
       req2.end();
     });
     if (result.ok) {
-      console.log(chalk15.green("\u2713 Flight Recorder buffer cleared."));
+      console.log(chalk16.green("\u2713 Flight Recorder buffer cleared."));
     } else if (result.code === "ECONNREFUSED") {
       throw new Error("Daemon is not running. Start it with: node9 daemon start");
     } else if (result.code === "ETIMEDOUT") {
@@ -5744,17 +6607,22 @@ async function startTail(options = {}) {
   let cardActive = false;
   let cardLineCount = 0;
   let cancelActiveCard = null;
+  const localAllowCounts = /* @__PURE__ */ new Map();
   const canApprove = process.stdout.isTTY && process.stdin.isTTY;
   if (canApprove) readline3.emitKeypressEvents(process.stdin);
   function clearCard() {
     if (cardLineCount > 0) {
-      process.stdout.write(RESTORE_CURSOR + ERASE_DOWN);
+      readline3.moveCursor(process.stdout, 0, -cardLineCount);
+      process.stdout.write(ERASE_DOWN);
       cardLineCount = 0;
     }
   }
   function printCard(req2) {
-    process.stdout.write(HIDE_CURSOR + SAVE_CURSOR);
-    const lines = buildCardLines(req2);
+    process.stdout.write(HIDE_CURSOR);
+    const daemonPrior = req2.allowCount !== void 0 ? req2.allowCount - 1 : 0;
+    const localPrior = localAllowCounts.get(req2.toolName) ?? 0;
+    const priorCount = Math.max(daemonPrior, localPrior);
+    const lines = buildCardLines(req2, priorCount);
     for (const line of lines) process.stdout.write(line + "\n");
     cardLineCount = lines.length;
   }
@@ -5782,34 +6650,70 @@ async function startTail(options = {}) {
       process.stdin.pause();
       cancelActiveCard = null;
     };
-    const settle = (decision) => {
+    const settle = (action) => {
       if (settled) return;
       settled = true;
       cleanup();
       clearCard();
+      const stampedLines = buildCardLines(
+        req2,
+        Math.max(
+          req2.allowCount !== void 0 ? req2.allowCount - 1 : 0,
+          localAllowCounts.get(req2.toolName) ?? 0
+        )
+      );
+      const decisionStamp = action === "always-allow" ? chalk16.yellow("\u2605 ALWAYS ALLOW") : action === "trust" ? chalk16.cyan("\u23F1 TRUST 30m") : action === "allow" ? chalk16.green("\u2713 ALLOWED") : chalk16.red("\u2717 DENIED");
+      stampedLines.push(`  ${BOLD}\u2192${RESET} ${decisionStamp} ${GRAY}(terminal)${RESET}`, ``);
+      for (const line of stampedLines) process.stdout.write(line + "\n");
       process.stdout.write(SHOW_CURSOR);
-      postDecisionHttp(req2.id, decision, csrfToken, port).catch((err) => {
+      cardLineCount = 0;
+      if (action === "allow" || action === "always-allow" || action === "trust") {
+        localAllowCounts.set(req2.toolName, (localAllowCounts.get(req2.toolName) ?? 0) + 1);
+      } else if (action === "deny") {
+        localAllowCounts.delete(req2.toolName);
+      }
+      let httpDecision;
+      let httpOpts;
+      if (action === "always-allow") {
+        httpDecision = "allow";
+        httpOpts = { persist: true };
+      } else if (action === "trust") {
+        httpDecision = "trust";
+        httpOpts = { trustDuration: "30m" };
+      } else {
+        httpDecision = action;
+      }
+      postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err) => {
         try {
-          fs21.appendFileSync(
-            path23.join(os19.homedir(), ".node9", "hook-debug.log"),
+          fs24.appendFileSync(
+            path26.join(os21.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
         } catch {
         }
       });
-      const decisionLabel = decision === "allow" ? chalk15.green("\u2713 ALLOWED (terminal)") : chalk15.red("\u2717 DENIED (terminal)");
-      console.log(`${chalk15.cyan("\u25C6")} ${chalk15.bold(req2.toolName.padEnd(16))}  ${decisionLabel}`);
       approvalQueue.shift();
       cardActive = false;
       showNextCard();
     };
-    cancelActiveCard = () => {
+    cancelActiveCard = (externalDecision) => {
       if (settled) return;
       settled = true;
       cleanup();
       clearCard();
+      const priorCount = Math.max(
+        req2.allowCount !== void 0 ? req2.allowCount - 1 : 0,
+        localAllowCounts.get(req2.toolName) ?? 0
+      );
+      const stampedLines = buildCardLines(req2, priorCount);
+      if (externalDecision) {
+        const source = externalDecision === "allow" ? chalk16.green("\u2713 ALLOWED") : chalk16.red("\u2717 DENIED");
+        stampedLines.push(`  ${BOLD}\u2192${RESET} ${source} ${GRAY}(external)${RESET}`, ``);
+      }
+      for (const line of stampedLines) process.stdout.write(line + "\n");
       process.stdout.write(SHOW_CURSOR);
+      cardLineCount = 0;
       approvalQueue.shift();
       cardActive = false;
       showNextCard();
@@ -5817,10 +6721,14 @@ async function startTail(options = {}) {
     process.stdin.resume();
     onKeypress = (_str, key) => {
       const name = key?.name ?? "";
-      if (name === "a") {
+      if (name === "y" || name === "return") {
         settle("allow");
-      } else if (name === "d" || name === "return" || name === "enter" || key?.ctrl && name === "c") {
+      } else if (name === "n" || name === "d" || key?.ctrl && name === "c") {
         settle("deny");
+      } else if (name === "a") {
+        settle("always-allow");
+      } else if (name === "t") {
+        settle("trust");
       }
     };
     process.stdin.on("keypress", onKeypress);
@@ -5833,19 +6741,27 @@ async function startTail(options = {}) {
       else if (process.platform === "win32")
         execSync3(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
       else execSync3(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
+      const intToken = getInternalToken();
+      fetch(`http://127.0.0.1:${port}/browser-opened`, {
+        method: "POST",
+        headers: intToken ? { "X-Node9-Internal": intToken } : {}
+      }).catch(() => {
+      });
     }
   } catch {
   }
-  console.log(chalk15.cyan.bold(`
-\u{1F6F0}\uFE0F  Node9 tail  `) + chalk15.dim(`\u2192 ${dashboardUrl}`));
+  console.log(chalk16.cyan.bold(`
+\u{1F6F0}\uFE0F  Node9 tail  `) + chalk16.dim(`\u2192 ${dashboardUrl}`));
   if (canApprove) {
-    console.log(chalk15.dim("Interactive approvals enabled. [A] Allow  [D] Deny"));
+    console.log(
+      chalk16.dim("Interactive approvals: [\u21B5/y] Allow  [n] Deny  [a] Always Allow  [t] Trust 30m")
+    );
   }
   if (options.history) {
-    console.log(chalk15.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
+    console.log(chalk16.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
   } else {
     console.log(
-      chalk15.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
+      chalk16.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
     );
   }
   process.on("SIGINT", () => {
@@ -5855,13 +6771,13 @@ async function startTail(options = {}) {
       readline3.clearLine(process.stdout, 0);
       readline3.cursorTo(process.stdout, 0);
     }
-    console.log(chalk15.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
+    console.log(chalk16.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
     process.exit(0);
   });
   const sseUrl = `http://127.0.0.1:${port}/events?capabilities=input`;
   const req = http2.get(sseUrl, (res) => {
     if (res.statusCode !== 200) {
-      console.error(chalk15.red(`Failed to connect: HTTP ${res.statusCode}`));
+      console.error(chalk16.red(`Failed to connect: HTTP ${res.statusCode}`));
       process.exit(1);
     }
     let currentEvent = "";
@@ -5891,7 +6807,7 @@ async function startTail(options = {}) {
         readline3.clearLine(process.stdout, 0);
         readline3.cursorTo(process.stdout, 0);
       }
-      console.log(chalk15.red("\n\u274C Daemon disconnected."));
+      console.log(chalk16.red("\n\u274C Daemon disconnected."));
       process.exit(1);
     });
   });
@@ -5932,11 +6848,17 @@ async function startTail(options = {}) {
     }
     if (event === "remove") {
       try {
-        const { id } = JSON.parse(rawData);
+        const { id, decision } = JSON.parse(rawData);
         const idx = approvalQueue.findIndex((r) => r.id === id);
         if (idx !== -1) {
           if (idx === 0 && cardActive && cancelActiveCard) {
-            cancelActiveCard();
+            const toolName = approvalQueue[0].toolName;
+            if (decision === "allow") {
+              localAllowCounts.set(toolName, (localAllowCounts.get(toolName) ?? 0) + 1);
+            } else if (decision === "deny") {
+              localAllowCounts.delete(toolName);
+            }
+            cancelActiveCard(decision);
           } else {
             approvalQueue.splice(idx, 1);
           }
@@ -5971,18 +6893,19 @@ async function startTail(options = {}) {
   }
   req.on("error", (err) => {
     const msg = err.code === "ECONNREFUSED" ? "Daemon is not running. Start it with: node9 daemon start" : err.message;
-    console.error(chalk15.red(`
+    console.error(chalk16.red(`
 \u274C ${msg}`));
     process.exit(1);
   });
 }
-var PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, SAVE_CURSOR, RESTORE_CURSOR;
+var PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     init_daemon2();
+    init_daemon();
     init_core();
-    PID_FILE = path23.join(os19.homedir(), ".node9", "daemon.pid");
+    PID_FILE = path26.join(os21.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -6010,8 +6933,6 @@ var init_tail = __esm({
     HIDE_CURSOR = "\x1B[?25l";
     SHOW_CURSOR = "\x1B[?25h";
     ERASE_DOWN = "\x1B[J";
-    SAVE_CURSOR = "\x1B7";
-    RESTORE_CURSOR = "\x1B8";
   }
 });
 
@@ -6330,6 +7251,25 @@ async function setupGemini() {
     printDaemonTip();
   }
 }
+function detectAgents(homeDir2 = os11.homedir()) {
+  const exists = (p) => {
+    try {
+      return fs11.existsSync(p);
+    } catch (err) {
+      const code = err.code;
+      if (code !== "ENOENT") {
+        process.stderr.write(`[node9] detectAgents: cannot access ${p}: ${code ?? String(err)}
+`);
+      }
+      return false;
+    }
+  };
+  return {
+    claude: exists(path14.join(homeDir2, ".claude")) || exists(path14.join(homeDir2, ".claude.json")),
+    gemini: exists(path14.join(homeDir2, ".gemini")),
+    cursor: exists(path14.join(homeDir2, ".cursor"))
+  };
+}
 async function setupCursor() {
   const homeDir2 = os11.homedir();
   const mcpPath = path14.join(homeDir2, ".cursor", "mcp.json");
@@ -6388,10 +7328,10 @@ async function setupCursor() {
 
 // src/cli.ts
 init_daemon2();
-import chalk16 from "chalk";
-import fs22 from "fs";
-import path24 from "path";
-import os20 from "os";
+import chalk17 from "chalk";
+import fs25 from "fs";
+import path27 from "path";
+import os22 from "os";
 import { confirm as confirm3 } from "@inquirer/prompts";
 
 // src/utils/duration.ts
@@ -6616,32 +7556,32 @@ init_daemon();
 init_config();
 init_policy();
 import chalk5 from "chalk";
-import fs16 from "fs";
-import path18 from "path";
-import os14 from "os";
+import fs18 from "fs";
+import path20 from "path";
+import os15 from "os";
 
 // src/undo.ts
 import { spawnSync as spawnSync4, spawn as spawn5 } from "child_process";
 import crypto2 from "crypto";
-import fs15 from "fs";
-import path17 from "path";
-import os13 from "os";
-var SNAPSHOT_STACK_PATH = path17.join(os13.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = path17.join(os13.homedir(), ".node9", "undo_latest.txt");
+import fs17 from "fs";
+import path19 from "path";
+import os14 from "os";
+var SNAPSHOT_STACK_PATH = path19.join(os14.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = path19.join(os14.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (fs15.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(fs15.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (fs17.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(fs17.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = path17.dirname(SNAPSHOT_STACK_PATH);
-  if (!fs15.existsSync(dir)) fs15.mkdirSync(dir, { recursive: true });
-  fs15.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = path19.dirname(SNAPSHOT_STACK_PATH);
+  if (!fs17.existsSync(dir)) fs17.mkdirSync(dir, { recursive: true });
+  fs17.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -6657,7 +7597,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = fs15.realpathSync(cwd);
+    normalized = fs17.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -6667,16 +7607,16 @@ function normalizeCwdForHash(cwd) {
 }
 function getShadowRepoDir(cwd) {
   const hash = crypto2.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return path17.join(os13.homedir(), ".node9", "snapshots", hash);
+  return path19.join(os14.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of fs15.readdirSync(shadowDir)) {
+    for (const f of fs17.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = path17.join(shadowDir, f);
+        const fp = path19.join(shadowDir, f);
         try {
-          if (fs15.statSync(fp).mtimeMs < cutoff) fs15.unlinkSync(fp);
+          if (fs17.statSync(fp).mtimeMs < cutoff) fs17.unlinkSync(fp);
         } catch {
         }
       }
@@ -6688,7 +7628,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    fs15.writeFileSync(path17.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    fs17.writeFileSync(path19.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -6701,25 +7641,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = path17.join(shadowDir, "project-path.txt");
+    const ptPath = path19.join(shadowDir, "project-path.txt");
     try {
-      const stored = fs15.readFileSync(ptPath, "utf8").trim();
+      const stored = fs17.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      fs15.rmSync(shadowDir, { recursive: true, force: true });
+      fs17.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        fs15.writeFileSync(ptPath, normalizedCwd, "utf8");
+        fs17.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    fs15.mkdirSync(shadowDir, { recursive: true });
+    fs17.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = spawnSync4("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -6728,7 +7668,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = path17.join(shadowDir, "config");
+  const configFile = path19.join(shadowDir, "config");
   spawnSync4("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -6736,7 +7676,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    fs15.writeFileSync(path17.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    fs17.writeFileSync(path19.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -6759,7 +7699,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = path17.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = path19.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -6788,7 +7728,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    fs15.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    fs17.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       spawn5("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -6799,7 +7739,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        fs15.unlinkSync(indexFile);
+        fs17.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -6868,9 +7808,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = path17.join(dir, file);
-      if (!snapshotFiles.has(file) && fs15.existsSync(fullPath)) {
-        fs15.unlinkSync(fullPath);
+      const fullPath = path19.join(dir, file);
+      if (!snapshotFiles.has(file) && fs17.existsSync(fullPath)) {
+        fs17.unlinkSync(fullPath);
       }
     }
     return true;
@@ -6894,9 +7834,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
+            const logPath = path20.join(os15.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            fs16.appendFileSync(
+            fs18.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -6907,10 +7847,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
-          if (!fs16.existsSync(path18.dirname(logPath)))
-            fs16.mkdirSync(path18.dirname(logPath), { recursive: true });
-          fs16.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = path20.join(os15.homedir(), ".node9", "hook-debug.log");
+          if (!fs18.existsSync(path20.dirname(logPath)))
+            fs18.mkdirSync(path20.dirname(logPath), { recursive: true });
+          fs18.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -6923,8 +7863,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = fs16.openSync("/dev/tty", "w");
-            const writeTty = (line) => fs16.writeSync(ttyFd, line + "\n");
+            ttyFd = fs18.openSync("/dev/tty", "w");
+            const writeTty = (line) => fs18.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(chalk5.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -6940,7 +7880,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                fs16.closeSync(ttyFd);
+                fs18.closeSync(ttyFd);
               } catch {
               }
           }
@@ -6971,7 +7911,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && path18.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && path20.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -6983,12 +7923,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = fs16.openSync("/dev/tty", "w");
-            fs16.writeSync(
+            const tty = fs18.openSync("/dev/tty", "w");
+            fs18.writeSync(
               tty,
               chalk5.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            fs16.closeSync(tty);
+            fs18.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -7015,9 +7955,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = path18.join(os14.homedir(), ".node9", "hook-debug.log");
+          const logPath = path20.join(os15.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          fs16.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          fs18.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -7054,9 +7994,49 @@ RAW: ${raw}
 init_audit();
 init_config();
 init_policy();
-import fs17 from "fs";
-import path19 from "path";
-import os15 from "os";
+import fs19 from "fs";
+import path21 from "path";
+import os16 from "os";
+init_daemon();
+
+// src/utils/cp-mv-parser.ts
+function parseCpMvOp(command) {
+  const trimmed = command.trim();
+  const tokens = trimmed.split(/\s+/);
+  if (tokens.length < 3) return null;
+  const [cmd, ...rest] = tokens;
+  const base = cmd.split("/").pop() ?? cmd;
+  if (base !== "cp" && base !== "mv") return null;
+  const args = [];
+  for (const tok of rest) {
+    if (tok === "--") {
+      args.push(...rest.slice(rest.indexOf("--") + 1));
+      break;
+    }
+    if (tok === "-t" || tok === "--target-directory") return null;
+    if (tok.startsWith("--target-directory=")) return null;
+    if (tok.startsWith("-") && !tok.startsWith("--")) {
+      if (tok.includes("t")) return null;
+      continue;
+    }
+    if (tok.startsWith("--")) {
+      continue;
+    }
+    args.push(tok);
+  }
+  if (args.length !== 2) return null;
+  const [src, dest] = args;
+  if (!src || !dest) return null;
+  if (containsShellMetachar(src) || containsShellMetachar(dest)) return null;
+  return { src, dest, clearSource: base === "mv" };
+}
+function containsShellMetachar(token) {
+  if (/[$`{;*?]/.test(token)) return true;
+  if (token.includes("\0")) return true;
+  return false;
+}
+
+// src/cli/commands/log.ts
 function sanitize3(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7075,11 +8055,20 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = path19.join(os15.homedir(), ".node9", "audit.log");
-        if (!fs17.existsSync(path19.dirname(logPath)))
-          fs17.mkdirSync(path19.dirname(logPath), { recursive: true });
-        fs17.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && path19.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = path21.join(os16.homedir(), ".node9", "audit.log");
+        if (!fs19.existsSync(path21.dirname(logPath)))
+          fs19.mkdirSync(path21.dirname(logPath), { recursive: true });
+        fs19.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        if ((tool === "Bash" || tool === "bash") && isDaemonRunning()) {
+          const command = typeof rawInput === "object" && rawInput !== null && "command" in rawInput && typeof rawInput.command === "string" ? rawInput.command : null;
+          if (command) {
+            const op = parseCpMvOp(command);
+            if (op) {
+              await notifyTaintPropagate(op.src, op.dest, op.clearSource);
+            }
+          }
+        }
+        const safeCwd = typeof payload.cwd === "string" && path21.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -7088,9 +8077,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = path19.join(os15.homedir(), ".node9", "hook-debug.log");
+        const debugPath = path21.join(os16.homedir(), ".node9", "hook-debug.log");
         try {
-          fs17.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          fs19.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -7395,13 +8384,13 @@ function registerConfigShowCommand(program2) {
 // src/cli/commands/doctor.ts
 init_daemon();
 import chalk7 from "chalk";
-import fs18 from "fs";
-import path20 from "path";
-import os16 from "os";
+import fs20 from "fs";
+import path22 from "path";
+import os17 from "os";
 import { execSync as execSync2 } from "child_process";
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
-    const homeDir2 = os16.homedir();
+    const homeDir2 = os17.homedir();
     let failures = 0;
     function pass(msg) {
       console.log(chalk7.green("  \u2705 ") + msg);
@@ -7450,10 +8439,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = path20.join(homeDir2, ".node9", "config.json");
-    if (fs18.existsSync(globalConfigPath)) {
+    const globalConfigPath = path22.join(homeDir2, ".node9", "config.json");
+    if (fs20.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(fs18.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(fs20.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -7461,10 +8450,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = path20.join(process.cwd(), "node9.config.json");
-    if (fs18.existsSync(projectConfigPath)) {
+    const projectConfigPath = path22.join(process.cwd(), "node9.config.json");
+    if (fs20.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(fs18.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(fs20.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -7473,8 +8462,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = path20.join(homeDir2, ".node9", "credentials.json");
-    if (fs18.existsSync(credsPath)) {
+    const credsPath = path22.join(homeDir2, ".node9", "credentials.json");
+    if (fs20.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -7483,10 +8472,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = path20.join(homeDir2, ".claude", "settings.json");
-    if (fs18.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = path22.join(homeDir2, ".claude", "settings.json");
+    if (fs20.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(fs18.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(fs20.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -7502,10 +8491,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = path20.join(homeDir2, ".gemini", "settings.json");
-    if (fs18.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = path22.join(homeDir2, ".gemini", "settings.json");
+    if (fs20.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(fs18.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(fs20.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -7521,10 +8510,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = path20.join(homeDir2, ".cursor", "hooks.json");
-    if (fs18.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = path22.join(homeDir2, ".cursor", "hooks.json");
+    if (fs20.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(fs18.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(fs20.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -7562,9 +8551,9 @@ function registerDoctorCommand(program2, version2) {
 
 // src/cli/commands/audit.ts
 import chalk8 from "chalk";
-import fs19 from "fs";
-import path21 from "path";
-import os17 from "os";
+import fs21 from "fs";
+import path23 from "path";
+import os18 from "os";
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
   const sec = Math.floor(diff / 1e3);
@@ -7577,14 +8566,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = path21.join(os17.homedir(), ".node9", "audit.log");
-    if (!fs19.existsSync(logPath)) {
+    const logPath = path23.join(os18.homedir(), ".node9", "audit.log");
+    if (!fs21.existsSync(logPath)) {
       console.log(
         chalk8.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = fs19.readFileSync(logPath, "utf-8");
+    const raw = fs21.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -7704,9 +8693,42 @@ function registerDaemonCommand(program2) {
 init_core();
 init_daemon();
 import chalk10 from "chalk";
-import fs20 from "fs";
-import path22 from "path";
-import os18 from "os";
+import fs22 from "fs";
+import path24 from "path";
+import os19 from "os";
+function readJson2(filePath) {
+  try {
+    if (fs22.existsSync(filePath)) return JSON.parse(fs22.readFileSync(filePath, "utf-8"));
+  } catch {
+  }
+  return null;
+}
+function isNode9Hook2(cmd) {
+  if (!cmd) return false;
+  return /(?:^|[\s/\\])node9 (?:check|log)/.test(cmd) || /(?:^|[\s/\\])cli\.js (?:check|log)/.test(cmd);
+}
+function wrappedMcpServers(servers) {
+  if (!servers) return [];
+  return Object.entries(servers).filter(([, s]) => s.command === "node9" && Array.isArray(s.args) && s.args.length > 0).map(([name, s]) => `${name} \u2192 ${s.args.join(" ")}`);
+}
+function printAgentSection(label, hookPairs, wrapped) {
+  console.log(chalk10.bold(`  ${label}`));
+  for (const { name, present } of hookPairs) {
+    if (present) {
+      console.log(chalk10.green(`    \u2713 ${name}`));
+    } else {
+      console.log(chalk10.red(`    \u2717 ${name}`) + chalk10.gray(" (not wired)"));
+    }
+  }
+  if (wrapped.length > 0) {
+    console.log(chalk10.cyan(`    MCP proxied:`));
+    for (const entry of wrapped) {
+      console.log(chalk10.gray(`      \u2022 ${entry}`));
+    }
+  } else {
+    console.log(chalk10.gray(`    MCP proxied: none`));
+  }
+}
 function registerStatusCommand(program2) {
   program2.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
     const creds = getCredentials();
@@ -7741,19 +8763,72 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? chalk10.blue("audit") : settings.mode === "strict" ? chalk10.red("strict") : chalk10.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = path22.join(process.cwd(), "node9.config.json");
-    const globalConfig = path22.join(os18.homedir(), ".node9", "config.json");
+    const projectConfig = path24.join(process.cwd(), "node9.config.json");
+    const globalConfig = path24.join(os19.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${fs20.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
+      `  Local:   ${fs22.existsSync(projectConfig) ? chalk10.green("Active (node9.config.json)") : chalk10.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${fs20.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
+      `  Global:  ${fs22.existsSync(globalConfig) ? chalk10.green("Active (~/.node9/config.json)") : chalk10.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
         `  Sandbox: ${chalk10.green(`${mergedConfig.policy.sandboxPaths.length} safe zones active`)}`
       );
     }
+    const homeDir2 = os19.homedir();
+    const claudeSettings = readJson2(
+      path24.join(homeDir2, ".claude", "settings.json")
+    );
+    const claudeConfig = readJson2(path24.join(homeDir2, ".claude.json"));
+    const geminiSettings = readJson2(
+      path24.join(homeDir2, ".gemini", "settings.json")
+    );
+    const cursorConfig = readJson2(path24.join(homeDir2, ".cursor", "mcp.json"));
+    const agentFound = claudeSettings || claudeConfig || geminiSettings || cursorConfig;
+    if (agentFound) {
+      console.log("");
+      console.log(chalk10.bold("  Agent Wiring:"));
+      console.log("");
+      if (claudeSettings || claudeConfig) {
+        const preHook = claudeSettings?.hooks?.PreToolUse?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        const postHook = claudeSettings?.hooks?.PostToolUse?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        printAgentSection(
+          "Claude Code",
+          [
+            { name: "PreToolUse  (node9 check)", present: preHook },
+            { name: "PostToolUse (node9 log)", present: postHook }
+          ],
+          wrappedMcpServers(claudeConfig?.mcpServers)
+        );
+        console.log("");
+      }
+      if (geminiSettings) {
+        const beforeHook = geminiSettings.hooks?.BeforeTool?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        const afterHook = geminiSettings.hooks?.AfterTool?.some(
+          (m) => m.hooks.some((h) => isNode9Hook2(h.command))
+        ) ?? false;
+        printAgentSection(
+          "Gemini CLI",
+          [
+            { name: "BeforeTool  (node9 check)", present: beforeHook },
+            { name: "AfterTool   (node9 log)", present: afterHook }
+          ],
+          wrappedMcpServers(geminiSettings.mcpServers)
+        );
+        console.log("");
+      }
+      if (cursorConfig) {
+        printAgentSection("Cursor", [], wrappedMcpServers(cursorConfig.mcpServers));
+        console.log("");
+      }
+    }
     const pauseState = checkPause();
     if (pauseState.paused) {
       const expiresAt = pauseState.expiresAt ? new Date(pauseState.expiresAt).toLocaleTimeString() : "indefinitely";
@@ -7766,8 +8841,63 @@ function registerStatusCommand(program2) {
   });
 }
 
-// src/cli/commands/undo.ts
+// src/cli/commands/init.ts
+init_core();
 import chalk11 from "chalk";
+import fs23 from "fs";
+import path25 from "path";
+import os20 from "os";
+function registerInitCommand(program2) {
+  program2.command("init").description("Set up Node9: create config and wire all detected AI agents").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").option("--skip-setup", "Only create config \u2014 do not wire AI agents").action(async (options) => {
+    console.log(chalk11.cyan.bold("\n\u{1F6E1}\uFE0F  Node9 Init\n"));
+    const configPath = path25.join(os20.homedir(), ".node9", "config.json");
+    if (fs23.existsSync(configPath) && !options.force) {
+      console.log(chalk11.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
+    } else {
+      const requestedMode = options.mode.toLowerCase();
+      const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
+      const configToSave = {
+        ...DEFAULT_CONFIG,
+        settings: { ...DEFAULT_CONFIG.settings, mode: safeMode }
+      };
+      const dir = path25.dirname(configPath);
+      if (!fs23.existsSync(dir)) fs23.mkdirSync(dir, { recursive: true });
+      fs23.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+      console.log(chalk11.green(`\u2705 Config created: ${configPath}`));
+      console.log(chalk11.gray(`   Mode: ${safeMode}`));
+    }
+    if (options.skipSetup) return;
+    console.log("");
+    const detected = detectAgents();
+    const found = Object.keys(detected).filter(
+      (k) => detected[k]
+    );
+    if (found.length === 0) {
+      console.log(
+        chalk11.gray("No AI agents detected. Install Claude Code, Gemini CLI, or Cursor")
+      );
+      console.log(chalk11.gray("then run: node9 addto <claude|gemini|cursor>"));
+      return;
+    }
+    console.log(chalk11.bold("Detected agents:"));
+    for (const agent of found) {
+      console.log(chalk11.green(`  \u2713 ${agent}`));
+    }
+    console.log("");
+    for (const agent of found) {
+      console.log(chalk11.bold(`Wiring ${agent}...`));
+      if (agent === "claude") await setupClaude();
+      else if (agent === "gemini") await setupGemini();
+      else if (agent === "cursor") await setupCursor();
+      console.log("");
+    }
+    console.log(chalk11.green.bold("\u{1F6E1}\uFE0F  Node9 is ready!"));
+    console.log(chalk11.gray("   Run: node9 daemon start"));
+  });
+}
+
+// src/cli/commands/undo.ts
+import chalk12 from "chalk";
 import { confirm as confirm2 } from "@inquirer/prompts";
 function registerUndoCommand(program2) {
   program2.command("undo").description(
@@ -7779,22 +8909,22 @@ function registerUndoCommand(program2) {
     if (history.length === 0) {
       if (!options.all && allHistory.length > 0) {
         console.log(
-          chalk11.yellow(
+          chalk12.yellow(
             `
 \u2139\uFE0F  No snapshots found for the current directory (${process.cwd()}).
-    Run ${chalk11.cyan("node9 undo --all")} to see snapshots from all projects.
+    Run ${chalk12.cyan("node9 undo --all")} to see snapshots from all projects.
 `
           )
         );
       } else {
-        console.log(chalk11.yellow("\n\u2139\uFE0F  No undo snapshots found.\n"));
+        console.log(chalk12.yellow("\n\u2139\uFE0F  No undo snapshots found.\n"));
       }
       return;
     }
     const idx = history.length - steps;
     if (idx < 0) {
       console.log(
-        chalk11.yellow(
+        chalk12.yellow(
           `
 \u2139\uFE0F  Only ${history.length} snapshot(s) available, cannot go back ${steps}.
 `
@@ -7806,19 +8936,19 @@ function registerUndoCommand(program2) {
     const age = Math.round((Date.now() - snapshot.timestamp) / 1e3);
     const ageStr = age < 60 ? `${age}s ago` : age < 3600 ? `${Math.round(age / 60)}m ago` : `${Math.round(age / 3600)}h ago`;
     console.log(
-      chalk11.magenta.bold(`
+      chalk12.magenta.bold(`
 \u23EA  Node9 Undo${steps > 1 ? ` (${steps} steps back)` : ""}`)
     );
     console.log(
-      chalk11.white(
-        `    Tool:  ${chalk11.cyan(snapshot.tool)}${snapshot.argsSummary ? chalk11.gray(" \u2192 " + snapshot.argsSummary) : ""}`
+      chalk12.white(
+        `    Tool:  ${chalk12.cyan(snapshot.tool)}${snapshot.argsSummary ? chalk12.gray(" \u2192 " + snapshot.argsSummary) : ""}`
       )
     );
-    console.log(chalk11.white(`    When:  ${chalk11.gray(ageStr)}`));
-    console.log(chalk11.white(`    Dir:   ${chalk11.gray(snapshot.cwd)}`));
+    console.log(chalk12.white(`    When:  ${chalk12.gray(ageStr)}`));
+    console.log(chalk12.white(`    Dir:   ${chalk12.gray(snapshot.cwd)}`));
     if (steps > 1)
       console.log(
-        chalk11.yellow(`    Note:  This will also undo the ${steps - 1} action(s) after it.`)
+        chalk12.yellow(`    Note:  This will also undo the ${steps - 1} action(s) after it.`)
       );
     console.log("");
     const diff = computeUndoDiff(snapshot.hash, snapshot.cwd);
@@ -7826,21 +8956,21 @@ function registerUndoCommand(program2) {
       const lines = diff.split("\n");
       for (const line of lines) {
         if (line.startsWith("+++") || line.startsWith("---")) {
-          console.log(chalk11.bold(line));
+          console.log(chalk12.bold(line));
         } else if (line.startsWith("+")) {
-          console.log(chalk11.green(line));
+          console.log(chalk12.green(line));
         } else if (line.startsWith("-")) {
-          console.log(chalk11.red(line));
+          console.log(chalk12.red(line));
         } else if (line.startsWith("@@")) {
-          console.log(chalk11.cyan(line));
+          console.log(chalk12.cyan(line));
         } else {
-          console.log(chalk11.gray(line));
+          console.log(chalk12.gray(line));
         }
       }
       console.log("");
     } else {
       console.log(
-        chalk11.gray("    (no diff available \u2014 working tree may already match snapshot)\n")
+        chalk12.gray("    (no diff available \u2014 working tree may already match snapshot)\n")
       );
     }
     const proceed = await confirm2({
@@ -7849,19 +8979,19 @@ function registerUndoCommand(program2) {
     });
     if (proceed) {
       if (applyUndo(snapshot.hash, snapshot.cwd)) {
-        console.log(chalk11.green("\n\u2705 Reverted successfully.\n"));
+        console.log(chalk12.green("\n\u2705 Reverted successfully.\n"));
       } else {
-        console.error(chalk11.red("\n\u274C Undo failed. Ensure you are in a Git repository.\n"));
+        console.error(chalk12.red("\n\u274C Undo failed. Ensure you are in a Git repository.\n"));
       }
     } else {
-      console.log(chalk11.gray("\nCancelled.\n"));
+      console.log(chalk12.gray("\nCancelled.\n"));
     }
   });
 }
 
 // src/cli/commands/watch.ts
 init_daemon();
-import chalk12 from "chalk";
+import chalk13 from "chalk";
 import { spawn as spawn7, spawnSync as spawnSync5 } from "child_process";
 function registerWatchCommand(program2) {
   program2.command("watch").description("Run a command under Node9 watch mode (daemon stays alive for the session)").argument("<command>", "Command to run").argument("[args...]", "Arguments for the command").action(async (cmd, args) => {
@@ -7877,7 +9007,7 @@ function registerWatchCommand(program2) {
         throw new Error("not running");
       }
     } catch {
-      console.error(chalk12.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
+      console.error(chalk13.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
       const child = spawn7(process.execPath, [process.argv[1], "daemon"], {
         detached: true,
         stdio: "ignore",
@@ -7899,12 +9029,12 @@ function registerWatchCommand(program2) {
         }
       }
       if (!ready) {
-        console.error(chalk12.red("\u274C Daemon failed to start. Try: node9 daemon start"));
+        console.error(chalk13.red("\u274C Daemon failed to start. Try: node9 daemon start"));
         process.exit(1);
       }
     }
     console.error(
-      chalk12.cyan.bold("\u{1F6E1}\uFE0F  Node9 watch") + chalk12.dim(` \u2192 localhost:${port}`) + chalk12.dim(
+      chalk13.cyan.bold("\u{1F6E1}\uFE0F  Node9 watch") + chalk13.dim(` \u2192 localhost:${port}`) + chalk13.dim(
         "\n   Tip: run `node9 tail` in another terminal to review and approve AI actions.\n"
       )
     );
@@ -7913,7 +9043,7 @@ function registerWatchCommand(program2) {
       env: { ...process.env, NODE9_WATCH_MODE: "1" }
     });
     if (result.error) {
-      console.error(chalk12.red(`\u274C Failed to run command: ${result.error.message}`));
+      console.error(chalk13.red(`\u274C Failed to run command: ${result.error.message}`));
       process.exit(1);
     }
     process.exit(result.status ?? 0);
@@ -7923,7 +9053,7 @@ function registerWatchCommand(program2) {
 // src/mcp-gateway/index.ts
 init_orchestrator();
 import readline2 from "readline";
-import chalk13 from "chalk";
+import chalk14 from "chalk";
 import { spawn as spawn8 } from "child_process";
 import { execa as execa2 } from "execa";
 init_provenance();
@@ -7986,13 +9116,13 @@ async function runMcpGateway(upstreamCommand) {
   const prov = checkProvenance(executable);
   if (prov.trustLevel === "suspect") {
     console.error(
-      chalk13.red(
+      chalk14.red(
         `\u26A0\uFE0F  Node9: Upstream MCP server binary is suspect \u2014 ${prov.reason} (${prov.resolvedPath})`
       )
     );
-    console.error(chalk13.red("   Verify this binary is trusted before proceeding."));
+    console.error(chalk14.red("   Verify this binary is trusted before proceeding."));
   }
-  console.error(chalk13.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
+  console.error(chalk14.green(`\u{1F680} Node9 MCP Gateway: Monitoring [${upstreamCommand}]`));
   const UPSTREAM_INJECTOR_VARS = /* @__PURE__ */ new Set([
     "NODE_OPTIONS",
     "NODE_PATH",
@@ -8056,10 +9186,10 @@ async function runMcpGateway(upstreamCommand) {
           mcpServer
         });
         if (!result.approved) {
-          console.error(chalk13.red(`
+          console.error(chalk14.red(`
 \u{1F6D1} Node9 MCP Gateway: Action Blocked`));
-          console.error(chalk13.gray(`   Tool: ${toolName}`));
-          console.error(chalk13.gray(`   Reason: ${result.reason ?? "Security Policy"}
+          console.error(chalk14.gray(`   Tool: ${toolName}`));
+          console.error(chalk14.gray(`   Reason: ${result.reason ?? "Security Policy"}
 `));
           const blockedByLabel = result.blockedByLabel ?? result.reason ?? "Security Policy";
           const isHumanDecision = blockedByLabel.toLowerCase().includes("user") || blockedByLabel.toLowerCase().includes("daemon") || blockedByLabel.toLowerCase().includes("decision");
@@ -8133,7 +9263,7 @@ function registerMcpGatewayCommand(program2) {
 
 // src/cli/commands/trust.ts
 init_trusted_hosts();
-import chalk14 from "chalk";
+import chalk15 from "chalk";
 function isValidHost(host) {
   return /^(\*\.)?[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(host);
 }
@@ -8143,44 +9273,44 @@ function registerTrustCommand(program2) {
     const normalized = normalizeHost(host.trim());
     if (!isValidHost(normalized)) {
       console.error(
-        chalk14.red(`
+        chalk15.red(`
 \u274C Invalid host: "${host}"
-`) + chalk14.gray("   Use an FQDN like api.mycompany.com or *.mycompany.com\n")
+`) + chalk15.gray("   Use an FQDN like api.mycompany.com or *.mycompany.com\n")
       );
       process.exit(1);
     }
     addTrustedHost(normalized);
-    console.log(chalk14.green(`
+    console.log(chalk15.green(`
 \u2705 ${normalized} added to trusted hosts.`));
     console.log(
-      chalk14.gray("   Pipe-chain blocks to this host: critical \u2192 review, high \u2192 allow\n")
+      chalk15.gray("   Pipe-chain blocks to this host: critical \u2192 review, high \u2192 allow\n")
     );
   });
   trustCmd.command("remove <host>").description("Remove a trusted host").action((host) => {
     const normalized = normalizeHost(host.trim());
     const removed = removeTrustedHost(normalized);
     if (!removed) {
-      console.error(chalk14.yellow(`
+      console.error(chalk15.yellow(`
 \u26A0\uFE0F  "${normalized}" is not in the trusted hosts list.
 `));
       process.exit(1);
     }
-    console.log(chalk14.green(`
+    console.log(chalk15.green(`
 \u2705 ${normalized} removed from trusted hosts.
 `));
   });
   trustCmd.command("list").description("Show all trusted hosts").action(() => {
     const hosts = readTrustedHosts();
     if (hosts.length === 0) {
-      console.log(chalk14.gray("\n  No trusted hosts configured.\n"));
-      console.log(`  Add one: ${chalk14.cyan("node9 trust add api.mycompany.com")}
+      console.log(chalk15.gray("\n  No trusted hosts configured.\n"));
+      console.log(`  Add one: ${chalk15.cyan("node9 trust add api.mycompany.com")}
 `);
       return;
     }
-    console.log(chalk14.bold("\n\u{1F513} Trusted Hosts\n"));
+    console.log(chalk15.bold("\n\u{1F513} Trusted Hosts\n"));
     for (const entry of hosts) {
       const date = new Date(entry.addedAt).toLocaleDateString();
-      console.log(`  ${chalk14.cyan(entry.host.padEnd(40))} ${chalk14.gray(`added ${date}`)}`);
+      console.log(`  ${chalk15.cyan(entry.host.padEnd(40))} ${chalk15.gray(`added ${date}`)}`);
     }
     console.log("");
   });
@@ -8188,20 +9318,20 @@ function registerTrustCommand(program2) {
 
 // src/cli.ts
 var { version } = JSON.parse(
-  fs22.readFileSync(path24.join(__dirname, "../package.json"), "utf-8")
+  fs25.readFileSync(path27.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = path24.join(os20.homedir(), ".node9", "credentials.json");
-  if (!fs22.existsSync(path24.dirname(credPath)))
-    fs22.mkdirSync(path24.dirname(credPath), { recursive: true });
+  const credPath = path27.join(os22.homedir(), ".node9", "credentials.json");
+  if (!fs25.existsSync(path27.dirname(credPath)))
+    fs25.mkdirSync(path27.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (fs22.existsSync(credPath)) {
-      const raw = JSON.parse(fs22.readFileSync(credPath, "utf-8"));
+    if (fs25.existsSync(credPath)) {
+      const raw = JSON.parse(fs25.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -8213,13 +9343,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  fs22.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  fs25.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = path24.join(os20.homedir(), ".node9", "config.json");
+    const configPath = path27.join(os22.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (fs22.existsSync(configPath))
-        config = JSON.parse(fs22.readFileSync(configPath, "utf-8"));
+      if (fs25.existsSync(configPath))
+        config = JSON.parse(fs25.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -8234,36 +9364,36 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!fs22.existsSync(path24.dirname(configPath)))
-      fs22.mkdirSync(path24.dirname(configPath), { recursive: true });
-    fs22.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!fs25.existsSync(path27.dirname(configPath)))
+      fs25.mkdirSync(path27.dirname(configPath), { recursive: true });
+    fs25.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
-    console.log(chalk16.green(`\u2705 Profile "${profileName}" saved`));
-    console.log(chalk16.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
+    console.log(chalk17.green(`\u2705 Profile "${profileName}" saved`));
+    console.log(chalk17.gray(`   Switch to it per-session:  NODE9_PROFILE=${profileName} claude`));
   } else if (options.local) {
-    console.log(chalk16.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
-    console.log(chalk16.gray(`   All decisions stay on this machine.`));
+    console.log(chalk17.green(`\u2705 Privacy mode \u{1F6E1}\uFE0F`));
+    console.log(chalk17.gray(`   All decisions stay on this machine.`));
   } else {
-    console.log(chalk16.green(`\u2705 Logged in \u2014 agent mode`));
-    console.log(chalk16.gray(`   Team policy enforced for all calls via Node9 cloud.`));
+    console.log(chalk17.green(`\u2705 Logged in \u2014 agent mode`));
+    console.log(chalk17.gray(`   Team policy enforced for all calls via Node9 cloud.`));
   }
 });
 program.command("addto").description("Integrate Node9 with an AI agent").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (target === "gemini") return await setupGemini();
   if (target === "claude") return await setupClaude();
   if (target === "cursor") return await setupCursor();
-  console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(chalk17.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("setup").description('Alias for "addto" \u2014 integrate Node9 with an AI agent').addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("[target]", "The agent to protect: claude | gemini | cursor").action(async (target) => {
   if (!target) {
-    console.log(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
-    console.log("  Usage:  " + chalk16.white("node9 setup <target>") + "\n");
+    console.log(chalk17.cyan("\n\u{1F6E1}\uFE0F  Node9 Setup \u2014 integrate with your AI agent\n"));
+    console.log("  Usage:  " + chalk17.white("node9 setup <target>") + "\n");
     console.log("  Targets:");
-    console.log("    " + chalk16.green("claude") + "   \u2014 Claude Code (hook mode)");
-    console.log("    " + chalk16.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
-    console.log("    " + chalk16.green("cursor") + "   \u2014 Cursor (hook mode)");
+    console.log("    " + chalk17.green("claude") + "   \u2014 Claude Code (hook mode)");
+    console.log("    " + chalk17.green("gemini") + "   \u2014 Gemini CLI (hook mode)");
+    console.log("    " + chalk17.green("cursor") + "   \u2014 Cursor (hook mode)");
     console.log("");
     return;
   }
@@ -8271,7 +9401,7 @@ program.command("setup").description('Alias for "addto" \u2014 integrate Node9 w
   if (t === "gemini") return await setupGemini();
   if (t === "claude") return await setupClaude();
   if (t === "cursor") return await setupCursor();
-  console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+  console.error(chalk17.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
 program.command("removefrom").description("Remove Node9 hooks from an AI agent configuration").addHelpText("after", "\n  Supported targets:  claude  gemini  cursor").argument("<target>", "The agent to remove from: claude | gemini | cursor").action((target) => {
@@ -8280,30 +9410,30 @@ program.command("removefrom").description("Remove Node9 hooks from an AI agent c
   else if (target === "gemini") fn = teardownGemini;
   else if (target === "cursor") fn = teardownCursor;
   else {
-    console.error(chalk16.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
+    console.error(chalk17.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
     process.exit(1);
   }
-  console.log(chalk16.cyan(`
+  console.log(chalk17.cyan(`
 \u{1F6E1}\uFE0F  Node9: removing hooks from ${target}...
 `));
   try {
     fn();
   } catch (err) {
-    console.error(chalk16.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
+    console.error(chalk17.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
-  console.log(chalk16.gray("\n  Restart the agent for changes to take effect."));
+  console.log(chalk17.gray("\n  Restart the agent for changes to take effect."));
 });
 program.command("uninstall").description("Remove all Node9 hooks and optionally delete config files").option("--purge", "Also delete ~/.node9/ directory (config, audit log, credentials)").action(async (options) => {
-  console.log(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
-  console.log(chalk16.bold("Stopping daemon..."));
+  console.log(chalk17.cyan("\n\u{1F6E1}\uFE0F  Node9 Uninstall\n"));
+  console.log(chalk17.bold("Stopping daemon..."));
   try {
     stopDaemon();
-    console.log(chalk16.green("  \u2705 Daemon stopped"));
+    console.log(chalk17.green("  \u2705 Daemon stopped"));
   } catch {
-    console.log(chalk16.blue("  \u2139\uFE0F  Daemon was not running"));
+    console.log(chalk17.blue("  \u2139\uFE0F  Daemon was not running"));
   }
-  console.log(chalk16.bold("\nRemoving hooks..."));
+  console.log(chalk17.bold("\nRemoving hooks..."));
   let teardownFailed = false;
   for (const [label, fn] of [
     ["Claude", teardownClaude],
@@ -8315,45 +9445,45 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     } catch (err) {
       teardownFailed = true;
       console.error(
-        chalk16.red(
+        chalk17.red(
           `  \u26A0\uFE0F  Failed to remove ${label} hooks: ${err instanceof Error ? err.message : String(err)}`
         )
       );
     }
   }
   if (options.purge) {
-    const node9Dir = path24.join(os20.homedir(), ".node9");
-    if (fs22.existsSync(node9Dir)) {
+    const node9Dir = path27.join(os22.homedir(), ".node9");
+    if (fs25.existsSync(node9Dir)) {
       const confirmed = await confirm3({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        fs22.rmSync(node9Dir, { recursive: true });
-        if (fs22.existsSync(node9Dir)) {
+        fs25.rmSync(node9Dir, { recursive: true });
+        if (fs25.existsSync(node9Dir)) {
           console.error(
-            chalk16.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
+            chalk17.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
         } else {
-          console.log(chalk16.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
+          console.log(chalk17.green("\n  \u2705 Deleted ~/.node9/ (config, audit log, credentials)"));
         }
       } else {
-        console.log(chalk16.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
+        console.log(chalk17.yellow("\n  Skipped \u2014 ~/.node9/ was not deleted."));
       }
     } else {
-      console.log(chalk16.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
+      console.log(chalk17.blue("\n  \u2139\uFE0F  ~/.node9/ not found \u2014 nothing to delete"));
     }
   } else {
     console.log(
-      chalk16.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
+      chalk17.gray("\n  ~/.node9/ kept \u2014 run with --purge to delete config and audit log")
     );
   }
   if (teardownFailed) {
-    console.error(chalk16.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
+    console.error(chalk17.red("\n  \u26A0\uFE0F  Some hooks could not be removed \u2014 see errors above."));
     process.exit(1);
   }
-  console.log(chalk16.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
-  console.log(chalk16.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
+  console.log(chalk17.green.bold("\n\u{1F6E1}\uFE0F  Node9 removed. Run: npm uninstall -g @node9/proxy"));
+  console.log(chalk17.gray("   Restart any open AI agent sessions for changes to take effect.\n"));
 });
 registerDoctorCommand(program, version);
 program.command("explain").description(
@@ -8366,7 +9496,7 @@ program.command("explain").description(
       try {
         args = JSON.parse(trimmed);
       } catch {
-        console.error(chalk16.red(`
+        console.error(chalk17.red(`
 \u274C Invalid JSON: ${trimmed}
 `));
         process.exit(1);
@@ -8377,83 +9507,59 @@ program.command("explain").description(
   }
   const result = await explainPolicy(tool, args);
   console.log("");
-  console.log(chalk16.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
+  console.log(chalk17.cyan.bold("\u{1F6E1}\uFE0F  Node9 Explain"));
   console.log("");
-  console.log(`   ${chalk16.bold("Tool:")}    ${chalk16.white(result.tool)}`);
+  console.log(`   ${chalk17.bold("Tool:")}    ${chalk17.white(result.tool)}`);
   if (argsRaw) {
     const preview = argsRaw.length > 80 ? argsRaw.slice(0, 77) + "\u2026" : argsRaw;
-    console.log(`   ${chalk16.bold("Input:")}   ${chalk16.gray(preview)}`);
+    console.log(`   ${chalk17.bold("Input:")}   ${chalk17.gray(preview)}`);
   }
   console.log("");
-  console.log(chalk16.bold("Config Sources (Waterfall):"));
+  console.log(chalk17.bold("Config Sources (Waterfall):"));
   for (const tier of result.waterfall) {
-    const num = chalk16.gray(`  ${tier.tier}.`);
+    const num = chalk17.gray(`  ${tier.tier}.`);
     const label = tier.label.padEnd(16);
     let statusStr;
     if (tier.tier === 1) {
-      statusStr = chalk16.gray(tier.note ?? "");
+      statusStr = chalk17.gray(tier.note ?? "");
     } else if (tier.status === "active") {
-      const loc = tier.path ? chalk16.gray(tier.path) : "";
-      const note = tier.note ? chalk16.gray(`(${tier.note})`) : "";
-      statusStr = chalk16.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
+      const loc = tier.path ? chalk17.gray(tier.path) : "";
+      const note = tier.note ? chalk17.gray(`(${tier.note})`) : "";
+      statusStr = chalk17.green("\u2713 active") + (loc ? "  " + loc : "") + (note ? "  " + note : "");
     } else {
-      statusStr = chalk16.gray("\u25CB " + (tier.note ?? "not found"));
+      statusStr = chalk17.gray("\u25CB " + (tier.note ?? "not found"));
     }
-    console.log(`${num} ${chalk16.white(label)} ${statusStr}`);
+    console.log(`${num} ${chalk17.white(label)} ${statusStr}`);
   }
   console.log("");
-  console.log(chalk16.bold("Policy Evaluation:"));
+  console.log(chalk17.bold("Policy Evaluation:"));
   for (const step of result.steps) {
     const isFinal = step.isFinal;
     let icon;
-    if (step.outcome === "allow") icon = chalk16.green("  \u2705");
-    else if (step.outcome === "review") icon = chalk16.red("  \u{1F534}");
-    else if (step.outcome === "skip") icon = chalk16.gray("  \u2500 ");
-    else icon = chalk16.gray("  \u25CB ");
+    if (step.outcome === "allow") icon = chalk17.green("  \u2705");
+    else if (step.outcome === "review") icon = chalk17.red("  \u{1F534}");
+    else if (step.outcome === "skip") icon = chalk17.gray("  \u2500 ");
+    else icon = chalk17.gray("  \u25CB ");
     const name = step.name.padEnd(18);
-    const nameStr = isFinal ? chalk16.white.bold(name) : chalk16.white(name);
-    const detail = isFinal ? chalk16.white(step.detail) : chalk16.gray(step.detail);
-    const arrow = isFinal ? chalk16.yellow("  \u2190 STOP") : "";
+    const nameStr = isFinal ? chalk17.white.bold(name) : chalk17.white(name);
+    const detail = isFinal ? chalk17.white(step.detail) : chalk17.gray(step.detail);
+    const arrow = isFinal ? chalk17.yellow("  \u2190 STOP") : "";
     console.log(`${icon} ${nameStr} ${detail}${arrow}`);
   }
   console.log("");
   if (result.decision === "allow") {
-    console.log(chalk16.green.bold("  Decision: \u2705 ALLOW") + chalk16.gray("  \u2014 no approval needed"));
+    console.log(chalk17.green.bold("  Decision: \u2705 ALLOW") + chalk17.gray("  \u2014 no approval needed"));
   } else {
     console.log(
-      chalk16.red.bold("  Decision: \u{1F534} REVIEW") + chalk16.gray("  \u2014 human approval required")
+      chalk17.red.bold("  Decision: \u{1F534} REVIEW") + chalk17.gray("  \u2014 human approval required")
     );
     if (result.blockedByLabel) {
-      console.log(chalk16.gray(`  Reason:   ${result.blockedByLabel}`));
+      console.log(chalk17.gray(`  Reason:   ${result.blockedByLabel}`));
     }
   }
   console.log("");
 });
-program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
-  const configPath = path24.join(os20.homedir(), ".node9", "config.json");
-  if (fs22.existsSync(configPath) && !options.force) {
-    console.log(chalk16.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
-    console.log(chalk16.gray(`   Run with --force to overwrite.`));
-    return;
-  }
-  const requestedMode = options.mode.toLowerCase();
-  const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
-  const configToSave = {
-    ...DEFAULT_CONFIG,
-    settings: {
-      ...DEFAULT_CONFIG.settings,
-      mode: safeMode
-    }
-  };
-  const dir = path24.dirname(configPath);
-  if (!fs22.existsSync(dir)) fs22.mkdirSync(dir, { recursive: true });
-  fs22.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
-  console.log(chalk16.green(`\u2705 Global config created: ${configPath}`));
-  console.log(chalk16.cyan(`   Mode set to: ${safeMode}`));
-  console.log(
-    chalk16.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
-  );
-});
+registerInitCommand(program);
 registerAuditCommand(program);
 registerStatusCommand(program);
 registerDaemonCommand(program);
@@ -8462,7 +9568,7 @@ program.command("tail").description("Stream live agent activity to the terminal"
   try {
     await startTail2(options);
   } catch (err) {
-    console.error(chalk16.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
+    console.error(chalk17.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
 });
@@ -8474,7 +9580,7 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   const ms = parseDuration(options.duration);
   if (ms === null) {
     console.error(
-      chalk16.red(`
+      chalk17.red(`
 \u274C  Invalid duration: "${options.duration}". Use format like 15m, 1h, 30s.
 `)
     );
@@ -8482,20 +9588,20 @@ program.command("pause").description("Temporarily disable Node9 protection for a
   }
   pauseNode9(ms, options.duration);
   const expiresAt = new Date(Date.now() + ms).toLocaleTimeString();
-  console.log(chalk16.yellow(`
+  console.log(chalk17.yellow(`
 \u23F8  Node9 paused until ${expiresAt}`));
-  console.log(chalk16.gray(`   All tool calls will be allowed without review.`));
-  console.log(chalk16.gray(`   Run "node9 resume" to re-enable early.
+  console.log(chalk17.gray(`   All tool calls will be allowed without review.`));
+  console.log(chalk17.gray(`   Run "node9 resume" to re-enable early.
 `));
 });
 program.command("resume").description("Re-enable Node9 protection immediately").action(() => {
   const { paused } = checkPause();
   if (!paused) {
-    console.log(chalk16.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
+    console.log(chalk17.gray("\nNode9 is already active \u2014 nothing to resume.\n"));
     return;
   }
   resumeNode9();
-  console.log(chalk16.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
+  console.log(chalk17.green("\n\u25B6  Node9 resumed \u2014 protection is active.\n"));
 });
 var HOOK_BASED_AGENTS = {
   claude: "claude",
@@ -8508,15 +9614,15 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     if (HOOK_BASED_AGENTS[firstArg2] !== void 0) {
       const target = HOOK_BASED_AGENTS[firstArg2];
       console.error(
-        chalk16.yellow(`
+        chalk17.yellow(`
 \u26A0\uFE0F  Node9 proxy mode does not support "${target}" directly.`)
       );
-      console.error(chalk16.white(`
+      console.error(chalk17.white(`
    "${target}" uses its own hook system. Use:`));
       console.error(
-        chalk16.green(`     node9 addto ${target}   `) + chalk16.gray("# one-time setup")
+        chalk17.green(`     node9 addto ${target}   `) + chalk17.gray("# one-time setup")
       );
-      console.error(chalk16.green(`     ${target}              `) + chalk16.gray("# run normally"));
+      console.error(chalk17.green(`     ${target}              `) + chalk17.gray("# run normally"));
       process.exit(1);
     }
     const runArgs = firstArg2 === "shell" ? commandArgs.slice(1) : commandArgs;
@@ -8533,7 +9639,7 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       }
     );
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
-      console.error(chalk16.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
+      console.error(chalk17.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();
       if (daemonReady) result = await authorizeHeadless("shell", { command: fullCommand });
     }
@@ -8546,12 +9652,12 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
     }
     if (!result.approved) {
       console.error(
-        chalk16.red(`
+        chalk17.red(`
 \u274C Node9 Blocked: ${result.reason || "Dangerous command detected."}`)
       );
       process.exit(1);
     }
-    console.error(chalk16.green("\n\u2705 Approved \u2014 running command...\n"));
+    console.error(chalk17.green("\n\u2705 Approved \u2014 running command...\n"));
     await runProxy(fullCommand);
   } else {
     program.help();
@@ -8566,9 +9672,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = path24.join(os20.homedir(), ".node9", "hook-debug.log");
+        const logPath = path27.join(os22.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        fs22.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        fs25.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);