@node9/proxy 1.4.0 → 1.5.1

package/dist/index.js

@@ -5,6 +5,9 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -27,19 +30,52 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var src_exports = {};
-__export(src_exports, {
-  protect: () => protect
+// src/audit/hasher.ts
+function canonicalise(value) {
+  return _canonicalise(value, /* @__PURE__ */ new WeakSet());
+}
+function _canonicalise(value, seen) {
+  if (value === null || typeof value !== "object") return value;
+  if (value instanceof Date) return value.toISOString();
+  if (value instanceof RegExp) return value.toString();
+  if (Buffer.isBuffer(value)) return value.toString("base64");
+  if (seen.has(value)) return "[Circular]";
+  seen.add(value);
+  let result;
+  if (Array.isArray(value)) {
+    result = value.map((v) => _canonicalise(v, seen));
+  } else {
+    const obj = value;
+    result = Object.fromEntries(
+      Object.keys(obj).sort().map((k) => [k, _canonicalise(obj[k], seen)])
+    );
+  }
+  seen.delete(value);
+  return result;
+}
+function hashArgs(args) {
+  const canonical = JSON.stringify(canonicalise(args) ?? null);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+var import_crypto;
+var init_hasher = __esm({
+  "src/audit/hasher.ts"() {
+    "use strict";
+    import_crypto = require("crypto");
+  }
 });
-module.exports = __toCommonJS(src_exports);
 
 // src/audit/index.ts
-var import_fs = __toESM(require("fs"));
-var import_path = __toESM(require("path"));
-var import_os = __toESM(require("os"));
-var LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+var audit_exports = {};
+__export(audit_exports, {
+  HOOK_DEBUG_LOG: () => HOOK_DEBUG_LOG,
+  LOCAL_AUDIT_LOG: () => LOCAL_AUDIT_LOG,
+  appendConfigAudit: () => appendConfigAudit,
+  appendHookDebug: () => appendHookDebug,
+  appendLocalAudit: () => appendLocalAudit,
+  appendToLog: () => appendToLog,
+  redactSecrets: () => redactSecrets
+});
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -61,24 +97,24 @@ function appendToLog(logPath, entry) {
   } catch {
   }
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(HOOK_DEBUG_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: import_os.default.hostname(),
     cwd: process.cwd()
   });
 }
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     decision,
     checkedBy,
     agent: meta?.agent,
@@ -86,6 +122,35 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
     hostname: import_os.default.hostname()
   });
 }
+function appendConfigAudit(entry) {
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    ...entry,
+    hostname: import_os.default.hostname()
+  });
+}
+var import_fs, import_path, import_os, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
+var init_audit = __esm({
+  "src/audit/index.ts"() {
+    "use strict";
+    import_fs = __toESM(require("fs"));
+    import_path = __toESM(require("path"));
+    import_os = __toESM(require("os"));
+    init_hasher();
+    LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
+    HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+  }
+});
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  protect: () => protect
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/core.ts
+init_audit();
 
 // src/config/index.ts
 var import_fs3 = __toESM(require("fs"));
@@ -154,7 +219,8 @@ var ConfigFileSchema = import_zod.z.object({
     environment: import_zod.z.string().optional(),
     slackEnabled: import_zod.z.boolean().optional(),
     enableTrustSessions: import_zod.z.boolean().optional(),
-    allowGlobalPause: import_zod.z.boolean().optional()
+    allowGlobalPause: import_zod.z.boolean().optional(),
+    auditHashArgs: import_zod.z.boolean().optional()
   }).optional(),
   policy: import_zod.z.object({
     sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -450,6 +516,7 @@ var DEFAULT_CONFIG = {
     approvalTimeoutMs: 12e4,
     // 120-second auto-deny timeout
     flightRecorder: true,
+    auditHashArgs: true,
     approvers: { native: true, browser: true, cloud: false, terminal: true }
   },
   policy: {
@@ -1492,16 +1559,35 @@ function readTrustedHosts() {
     return [];
   }
 }
+var _cache = null;
+var CACHE_TTL_MS = 5e3;
+function getFileMtime() {
+  try {
+    return import_fs6.default.statSync(getTrustedHostsPath()).mtimeMs;
+  } catch {
+    return 0;
+  }
+}
+function getCachedHosts() {
+  const now = Date.now();
+  if (_cache && now < _cache.expiry) {
+    const mtime = getFileMtime();
+    if (mtime === _cache.mtime) return _cache.hosts;
+  }
+  const hosts = readTrustedHosts();
+  _cache = { hosts, expiry: now + CACHE_TTL_MS, mtime: getFileMtime() };
+  return hosts;
+}
 function normalizeHost(raw) {
   return raw.toLowerCase().replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/^[^@]+@/, "").replace(/:\d+$/, "");
 }
 function isTrustedHost(host) {
   const normalized = normalizeHost(host);
-  return readTrustedHosts().some((entry) => {
+  return getCachedHosts().some((entry) => {
     const entryHost = entry.host.toLowerCase();
     if (entryHost.startsWith("*.")) {
       const domain = entryHost.slice(2);
-      return normalized === domain || normalized.endsWith("." + domain);
+      return normalized.endsWith("." + domain);
     }
     return normalized === entryHost;
   });
@@ -1698,7 +1784,12 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         };
       }
       if (allTrusted) {
-        return { decision: "allow" };
+        return {
+          decision: "allow",
+          blockedByLabel: "Node9: Pipe-Chain to Trusted Host",
+          reason: `Sensitive file piped to trusted host(s): ${sinks.join(", ")}`,
+          tier: 3
+        };
       }
       return {
         decision: "review",
@@ -1950,8 +2041,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
       signal: ctrl.signal
     });
     if (!res.ok) throw new Error("Daemon fail");
-    const { id } = await res.json();
-    return id;
+    const { id, allowCount } = await res.json();
+    return { id, allowCount: allowCount ?? 1 };
   } finally {
     clearTimeout(timer);
   }
@@ -1990,15 +2081,54 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
     signal: AbortSignal.timeout(3e3)
   });
   if (!res.ok) throw new Error("Daemon unreachable");
-  const { id } = await res.json();
-  return id;
+  const { id, allowCount } = await res.json();
+  return { id, allowCount: allowCount ?? 1 };
+}
+async function notifyTaint(filePath, source) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ path: filePath, source }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function checkTaint(paths) {
+  if (paths.length === 0) return { tainted: false };
+  if (!isDaemonRunning()) return { tainted: false, daemonUnavailable: true };
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    const res = await fetch(`${base}/taint/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ paths }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    return await res.json();
+  } catch (err) {
+    try {
+      const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
+      appendToLog2(HOOK_DEBUG_LOG2, {
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "checkTaint-error",
+        error: String(err),
+        paths
+      });
+    } catch {
+    }
+    return { tainted: false, daemonUnavailable: true };
+  }
 }
-async function resolveViaDaemon(id, decision, internalToken) {
+async function resolveViaDaemon(id, decision, internalToken, source) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   await fetch(`${base}/resolve/${id}`, {
     method: "POST",
     headers: { "Content-Type": "application/json", "X-Node9-Internal": internalToken },
-    body: JSON.stringify({ decision }),
+    body: JSON.stringify({ decision, ...source && { source } }),
     signal: AbortSignal.timeout(3e3)
   });
 }
@@ -2007,7 +2137,7 @@ async function resolveViaDaemon(id, decision, internalToken) {
 var import_net = __toESM(require("net"));
 var import_path13 = __toESM(require("path"));
 var import_os9 = __toESM(require("os"));
-var import_crypto = require("crypto");
+var import_crypto2 = require("crypto");
 
 // src/ui/native.ts
 var import_child_process2 = require("child_process");
@@ -2200,20 +2330,24 @@ ${smartTruncate(str, 500)}`
 function escapePango(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
   lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
   lines.push("");
   lines.push(formattedArgs);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(`\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule`);
+  }
   if (!locked) {
     lines.push("");
     lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
   }
   return lines.join("\n");
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
   const lines = [];
   if (locked) {
     lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
@@ -2225,6 +2359,12 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
   lines.push("");
   lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (allowCount >= 3) {
+    lines.push("");
+    lines.push(
+      `<span foreground="#f0c040">\u{1F4A1} Approved ${allowCount - 1}\xD7 before \u2014 "Always Allow" creates a permanent rule</span>`
+    );
+  }
   if (!locked) {
     lines.push("");
     lines.push(
@@ -2233,12 +2373,19 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1) {
   if (isTestEnv()) return "deny";
   const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
   const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 ${intentLabel}`;
-  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
+  const message = buildPlainMessage(
+    toolName,
+    formattedArgs,
+    agent,
+    explainableLabel,
+    locked,
+    allowCount
+  );
   return new Promise((resolve) => {
     let childProcess = null;
     const onAbort = () => {
@@ -2270,7 +2417,8 @@ end run`;
           formattedArgs,
           agent,
           explainableLabel,
-          locked
+          locked,
+          allowCount
         );
         const argsList = [
           locked ? "--info" : "--question",
@@ -2311,9 +2459,13 @@ end run`;
   });
 }
 
+// src/auth/orchestrator.ts
+init_audit();
+
 // src/auth/cloud.ts
 var import_fs9 = __toESM(require("fs"));
 var import_os8 = __toESM(require("os"));
+init_audit();
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2422,6 +2574,51 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 }
 
 // src/auth/orchestrator.ts
+var WRITE_TOOLS = /* @__PURE__ */ new Set([
+  "write",
+  "write_file",
+  "create_file",
+  "edit",
+  "multiedit",
+  "str_replace_based_edit_tool",
+  "replace",
+  "notebook_edit",
+  "notebookedit"
+]);
+function isWriteTool(toolName) {
+  const t = toolName.toLowerCase().replace(/[^a-z_]/g, "_");
+  return WRITE_TOOLS.has(t);
+}
+function extractFilePaths(toolName, args) {
+  const paths = [];
+  if (!args || typeof args !== "object" || Array.isArray(args)) return paths;
+  const a = args;
+  for (const key of ["file_path", "path", "filename", "source", "src", "input"]) {
+    if (typeof a[key] === "string" && a[key]) paths.push(a[key]);
+  }
+  const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+  if (cmd) {
+    for (const m of cmd.matchAll(/(?:-T|--upload-file|--data(?:-binary)?)\s+@?(\S+)/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/\b(?:scp|rsync)\s+(?:-\S+\s+)*(\S+)\s+\S+@/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/<\s*(\S+)/g)) {
+      paths.push(m[1]);
+    }
+  }
+  return paths.filter(Boolean);
+}
+function isNetworkTool(toolName, args) {
+  const t = toolName.toLowerCase();
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal.execute") {
+    const a = args;
+    const cmd = typeof a?.command === "string" ? a.command : typeof a?.cmd === "string" ? a.cmd : "";
+    return /\b(curl|wget|scp|rsync|nc|ncat|netcat|ssh)\b/.test(cmd);
+  }
+  return false;
+}
 var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path13.default.join(import_os9.default.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
   return new Promise((resolve) => {
@@ -2440,7 +2637,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto.randomUUID)();
+    const actId = (0, import_crypto2.randomUUID)();
     const actTs = Date.now();
     await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
@@ -2452,7 +2649,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
         id: actId,
         tool: toolName,
         ts: actTs,
-        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel
       });
     }
@@ -2466,6 +2663,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
   const creds = getCredentials();
   const config = getConfig(options?.cwd);
+  const hashAuditArgs = config.settings.auditHashArgs === true;
   const isTestEnv2 = !!(process.env.VITEST || process.env.NODE_ENV === "test" || process.env.CI || process.env.NODE9_TESTING === "1");
   const approvers = {
     ...config.settings.approvers || { native: true, browser: true, cloud: true, terminal: true }
@@ -2476,13 +2674,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     approvers.terminal = false;
   }
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
-    appendHookDebug(toolName, args, meta);
+    appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let taintWarning = null;
+  if (isNetworkTool(toolName, args)) {
+    const filePaths = extractFilePaths(toolName, args);
+    if (filePaths.length > 0) {
+      const taintResult = await checkTaint(filePaths);
+      if (taintResult.tainted && taintResult.record) {
+        const { path: taintedPath, source: taintSource } = taintResult.record;
+        taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+      } else if (taintResult.daemonUnavailable) {
+        taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
+      }
+    }
+  }
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
@@ -2490,7 +2701,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (isWriteTool(toolName) && filePath) {
+          await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2498,7 +2712,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
         };
       }
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta, hashAuditArgs);
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
@@ -2506,7 +2721,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
-        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
           await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
         }
@@ -2514,22 +2729,23 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         auditLocalAllow(toolName, args, "local-policy", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
       return {
         approved: false,
         reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -2548,15 +2764,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
-    const persistent = getPersistentDecision(toolName);
+    const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "persistent", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "persistent-deny", meta, hashAuditArgs);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -2564,10 +2781,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         blockedByLabel: "Persistent User Rule"
       };
     }
-  } else {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
+  } else if (!taintWarning) {
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (taintWarning) {
+    explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
+    riskMetadata = computeRiskMetadata(
+      args,
+      7,
+      explainableLabel,
+      void 0,
+      void 0,
+      taintWarning
+    );
+  }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
@@ -2586,7 +2814,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
       cloudRequestId = initResult.requestId || null;
-      explainableLabel = "Organization Policy (SaaS)";
+      if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
   }
@@ -2615,13 +2843,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let viewerId = null;
   const internalToken = getInternalToken();
   let daemonEntryId = null;
+  let daemonAllowCount = 1;
   if ((approvers.browser || approvers.terminal) && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
-      viewerId = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      viewerId = viewer?.id ?? null;
       daemonEntryId = viewerId;
+      if (viewer) daemonAllowCount = viewer.allowCount;
     } else {
       try {
-        daemonEntryId = await registerDaemonEntry(
+        const entry = await registerDaemonEntry(
           toolName,
           args,
           meta,
@@ -2629,6 +2860,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           options?.activityId,
           options?.cwd
         );
+        daemonEntryId = entry.id;
+        daemonAllowCount = entry.allowCount;
       } catch {
       }
     }
@@ -2664,7 +2897,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           false,
           signal,
           policyMatchedField,
-          policyMatchedWord
+          policyMatchedWord,
+          daemonAllowCount
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -2722,10 +2956,13 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       if (!resolved) {
         resolved = true;
         abortController.abort();
-        if (viewerId && internalToken) {
-          resolveViaDaemon(viewerId, res.approved ? "allow" : "deny", internalToken).catch(
-            () => null
-          );
+        if (daemonEntryId && internalToken) {
+          resolveViaDaemon(
+            daemonEntryId,
+            res.approved ? "allow" : "deny",
+            internalToken,
+            res.decisionSource
+          ).catch(() => null);
         }
         resolve(res);
       }
@@ -2764,7 +3001,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
+      meta,
+      hashAuditArgs
     );
   }
   return finalResult;