npm - @node9/proxy - Versions diffs - 1.5.0 → 1.5.2 - Mend

@node9/proxy 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js CHANGED Viewed

@@ -30,7 +30,52 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
+// src/audit/hasher.ts
+function canonicalise(value) {
+  return _canonicalise(value, /* @__PURE__ */ new WeakSet());
+}
+function _canonicalise(value, seen) {
+  if (value === null || typeof value !== "object") return value;
+  if (value instanceof Date) return value.toISOString();
+  if (value instanceof RegExp) return value.toString();
+  if (Buffer.isBuffer(value)) return value.toString("base64");
+  if (seen.has(value)) return "[Circular]";
+  seen.add(value);
+  let result;
+  if (Array.isArray(value)) {
+    result = value.map((v) => _canonicalise(v, seen));
+  } else {
+    const obj = value;
+    result = Object.fromEntries(
+      Object.keys(obj).sort().map((k) => [k, _canonicalise(obj[k], seen)])
+    );
+  }
+  seen.delete(value);
+  return result;
+}
+function hashArgs(args) {
+  const canonical = JSON.stringify(canonicalise(args) ?? null);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+var import_crypto;
+var init_hasher = __esm({
+  "src/audit/hasher.ts"() {
+    "use strict";
+    import_crypto = require("crypto");
+  }
+});
 // src/audit/index.ts
+var audit_exports = {};
+__export(audit_exports, {
+  HOOK_DEBUG_LOG: () => HOOK_DEBUG_LOG,
+  LOCAL_AUDIT_LOG: () => LOCAL_AUDIT_LOG,
+  appendConfigAudit: () => appendConfigAudit,
+  appendHookDebug: () => appendHookDebug,
+  appendLocalAudit: () => appendLocalAudit,
+  appendToLog: () => appendToLog,
+  redactSecrets: () => redactSecrets
+});
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -52,24 +97,24 @@ function appendToLog(logPath, entry) {
   } catch {
   }
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(HOOK_DEBUG_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: import_os.default.hostname(),
     cwd: process.cwd()
   });
 }
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     decision,
     checkedBy,
     agent: meta?.agent,
@@ -91,6 +136,7 @@ var init_audit = __esm({
     import_fs = __toESM(require("fs"));
     import_path = __toESM(require("path"));
     import_os = __toESM(require("os"));
+    init_hasher();
     LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
   }
@@ -114,8 +160,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path27 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path27}: ${issue.message}`;
+    const path28 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path28}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -188,7 +234,8 @@ var init_config_schema = __esm({
         environment: import_zod.z.string().optional(),
         slackEnabled: import_zod.z.boolean().optional(),
         enableTrustSessions: import_zod.z.boolean().optional(),
-        allowGlobalPause: import_zod.z.boolean().optional()
+        allowGlobalPause: import_zod.z.boolean().optional(),
+        auditHashArgs: import_zod.z.boolean().optional()
       }).optional(),
       policy: import_zod.z.object({
         sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -269,7 +316,7 @@ function readShieldsFile() {
 }
 function writeShieldsFile(data) {
   import_fs2.default.mkdirSync(import_path2.default.dirname(SHIELDS_STATE_FILE), { recursive: true });
-  const tmp = `${SHIELDS_STATE_FILE}.${import_crypto.default.randomBytes(6).toString("hex")}.tmp`;
+  const tmp = `${SHIELDS_STATE_FILE}.${import_crypto2.default.randomBytes(6).toString("hex")}.tmp`;
   const toWrite = { active: data.active };
   if (data.overrides && Object.keys(data.overrides).length > 0) toWrite.overrides = data.overrides;
   import_fs2.default.writeFileSync(tmp, JSON.stringify(toWrite, null, 2), { mode: 384 });
@@ -318,14 +365,14 @@ function resolveShieldRule(shieldName, identifier) {
   }
   return null;
 }
-var import_fs2, import_path2, import_os2, import_crypto, SHIELDS, SHIELDS_STATE_FILE;
+var import_fs2, import_path2, import_os2, import_crypto2, SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
     "use strict";
     import_fs2 = __toESM(require("fs"));
     import_path2 = __toESM(require("path"));
     import_os2 = __toESM(require("os"));
-    import_crypto = __toESM(require("crypto"));
+    import_crypto2 = __toESM(require("crypto"));
     SHIELDS = {
       postgres: {
         name: "postgres",
@@ -746,6 +793,7 @@ var init_config = __esm({
         approvalTimeoutMs: 12e4,
         // 120-second auto-deny timeout
         flightRecorder: true,
+        auditHashArgs: true,
         approvers: { native: true, browser: true, cloud: false, terminal: true }
       },
       policy: {
@@ -1710,9 +1758,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path27) {
+function getNestedValue(obj, path28) {
   if (!obj || typeof obj !== "object") return null;
-  return path27.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path28.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -2488,6 +2536,58 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
   const { id, allowCount } = await res.json();
   return { id, allowCount: allowCount ?? 1 };
 }
+async function notifyTaint(filePath, source) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ path: filePath, source }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function notifyTaintPropagate(src, dest, clearSource = false) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint/propagate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ src, dest, clearSource }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function checkTaint(paths) {
+  if (paths.length === 0) return { tainted: false };
+  if (!isDaemonRunning()) return { tainted: false, daemonUnavailable: true };
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    const res = await fetch(`${base}/taint/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ paths }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    return await res.json();
+  } catch (err) {
+    try {
+      const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
+      appendToLog2(HOOK_DEBUG_LOG2, {
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "checkTaint-error",
+        error: String(err),
+        paths
+      });
+    } catch {
+    }
+    return { tainted: false, daemonUnavailable: true };
+  }
+}
 async function resolveViaDaemon(id, decision, internalToken, source) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   await fetch(`${base}/resolve/${id}`, {
@@ -2959,6 +3059,40 @@ var init_cloud = __esm({
 });
 // src/auth/orchestrator.ts
+function isWriteTool(toolName) {
+  const t = toolName.toLowerCase().replace(/[^a-z_]/g, "_");
+  return WRITE_TOOLS.has(t);
+}
+function extractFilePaths(toolName, args) {
+  const paths = [];
+  if (!args || typeof args !== "object" || Array.isArray(args)) return paths;
+  const a = args;
+  for (const key of ["file_path", "path", "filename", "source", "src", "input"]) {
+    if (typeof a[key] === "string" && a[key]) paths.push(a[key]);
+  }
+  const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+  if (cmd) {
+    for (const m of cmd.matchAll(/(?:-T|--upload-file|--data(?:-binary)?)\s+@?(\S+)/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/\b(?:scp|rsync)\s+(?:-\S+\s+)*(\S+)\s+\S+@/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/<\s*(\S+)/g)) {
+      paths.push(m[1]);
+    }
+  }
+  return paths.filter(Boolean);
+}
+function isNetworkTool(toolName, args) {
+  const t = toolName.toLowerCase();
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal.execute") {
+    const a = args;
+    const cmd = typeof a?.command === "string" ? a.command : typeof a?.cmd === "string" ? a.cmd : "";
+    return /\b(curl|wget|scp|rsync|nc|ncat|netcat|ssh)\b/.test(cmd);
+  }
+  return false;
+}
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -2976,7 +3110,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto2.randomUUID)();
+    const actId = (0, import_crypto3.randomUUID)();
     const actTs = Date.now();
     await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
@@ -2988,7 +3122,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
         id: actId,
         tool: toolName,
         ts: actTs,
-        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel
       });
     }
@@ -3002,6 +3136,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
   const creds = getCredentials();
   const config = getConfig(options?.cwd);
+  const hashAuditArgs = config.settings.auditHashArgs === true;
   const isTestEnv2 = !!(process.env.VITEST || process.env.NODE_ENV === "test" || process.env.CI || process.env.NODE9_TESTING === "1");
   const approvers = {
     ...config.settings.approvers || { native: true, browser: true, cloud: true, terminal: true }
@@ -3012,13 +3147,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     approvers.terminal = false;
   }
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
-    appendHookDebug(toolName, args, meta);
+    appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let taintWarning = null;
+  if (isNetworkTool(toolName, args)) {
+    const filePaths = extractFilePaths(toolName, args);
+    if (filePaths.length > 0) {
+      const taintResult = await checkTaint(filePaths);
+      if (taintResult.tainted && taintResult.record) {
+        const { path: taintedPath, source: taintSource } = taintResult.record;
+        taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+      } else if (taintResult.daemonUnavailable) {
+        taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
+      }
+    }
+  }
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
@@ -3026,7 +3174,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (isWriteTool(toolName) && filePath) {
+          await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -3034,7 +3185,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
         };
       }
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta, hashAuditArgs);
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
@@ -3042,7 +3194,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
-        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
           await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
         }
@@ -3050,22 +3202,23 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         auditLocalAllow(toolName, args, "local-policy", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
       return {
         approved: false,
         reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -3084,15 +3237,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
-    const persistent = getPersistentDecision(toolName);
+    const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "persistent", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "persistent-deny", meta, hashAuditArgs);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -3100,10 +3254,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         blockedByLabel: "Persistent User Rule"
       };
     }
-  } else {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
+  } else if (!taintWarning) {
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (taintWarning) {
+    explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
+    riskMetadata = computeRiskMetadata(
+      args,
+      7,
+      explainableLabel,
+      void 0,
+      void 0,
+      taintWarning
+    );
+  }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
@@ -3122,7 +3287,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
       cloudRequestId = initResult.requestId || null;
-      explainableLabel = "Organization Policy (SaaS)";
+      if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
   }
@@ -3309,19 +3474,20 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
+      meta,
+      hashAuditArgs
     );
   }
   return finalResult;
 }
-var import_net, import_path13, import_os10, import_crypto2, ACTIVITY_SOCKET_PATH;
+var import_net, import_path13, import_os10, import_crypto3, WRITE_TOOLS, ACTIVITY_SOCKET_PATH;
 var init_orchestrator = __esm({
   "src/auth/orchestrator.ts"() {
     "use strict";
     import_net = __toESM(require("net"));
     import_path13 = __toESM(require("path"));
     import_os10 = __toESM(require("os"));
-    import_crypto2 = require("crypto");
+    import_crypto3 = require("crypto");
     init_native();
     init_context_sniper();
     init_dlp();
@@ -3331,6 +3497,17 @@ var init_orchestrator = __esm({
     init_state();
     init_daemon();
     init_cloud();
+    WRITE_TOOLS = /* @__PURE__ */ new Set([
+      "write",
+      "write_file",
+      "create_file",
+      "edit",
+      "multiedit",
+      "str_replace_based_edit_tool",
+      "replace",
+      "notebook_edit",
+      "notebookedit"
+    ]);
     ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path13.default.join(import_os10.default.tmpdir(), "node9-activity.sock");
   }
 });
@@ -4515,12 +4692,15 @@ var init_ui = __esm({
         const badgeClass = isEdit ? 'sniper-badge-edit' : 'sniper-badge-exec';
         const badgeLabel = isEdit ? '\u{1F4DD} Code Edit' : '\u{1F6D1} Execution';
         const tierLabel = \`Tier \${rm.tier} \xB7 \${esc(rm.blockedByLabel)}\`;
+        const isTaint = rm.blockedByLabel?.includes('Taint');
         const fileLine =
-          isEdit && rm.editFilePath
-            ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
-            : !isEdit && rm.matchedWord
-              ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
-              : '';
+          isTaint && rm.ruleName
+            ? \`<div class="sniper-match">\u26A0\uFE0F \${esc(rm.ruleName)}</div>\`
+            : isEdit && rm.editFilePath
+              ? \`<div class="sniper-filepath">\u{1F4C2} \${esc(rm.editFilePath)}</div>\`
+              : !isEdit && rm.matchedWord
+                ? \`<div class="sniper-match">Matched: <code>\${esc(rm.matchedWord)}</code>\${rm.matchedField ? \` in <code>\${esc(rm.matchedField)}</code>\` : ''}</div>\`
+                : '';
         const snippetHtml = rm.contextSnippet ? \`<pre>\${esc(rm.contextSnippet)}</pre>\` : '';
         return \`
           <div class="sniper-header">
@@ -4991,11 +5171,11 @@ function commonPathPrefix(paths) {
   const prefix = common.join("/").replace(/\/?$/, "/");
   return prefix.length > 1 ? prefix : null;
 }
-var import_crypto3, SuggestionTracker;
+var import_crypto4, SuggestionTracker;
 var init_suggestion_tracker = __esm({
   "src/daemon/suggestion-tracker.ts"() {
     "use strict";
-    import_crypto3 = require("crypto");
+    import_crypto4 = require("crypto");
     SuggestionTracker = class {
       events = /* @__PURE__ */ new Map();
       threshold;
@@ -5041,7 +5221,7 @@ var init_suggestion_tracker = __esm({
           }
         } : { type: "ignoredTool", toolName };
         return {
-          id: (0, import_crypto3.randomUUID)(),
+          id: (0, import_crypto4.randomUUID)(),
           toolName,
           allowCount: events.length,
           suggestedRule,
@@ -5054,11 +5234,91 @@ var init_suggestion_tracker = __esm({
   }
 });
+// src/daemon/taint-store.ts
+var import_fs12, import_path15, DEFAULT_TTL_MS, TaintStore;
+var init_taint_store = __esm({
+  "src/daemon/taint-store.ts"() {
+    "use strict";
+    import_fs12 = __toESM(require("fs"));
+    import_path15 = __toESM(require("path"));
+    DEFAULT_TTL_MS = 60 * 60 * 1e3;
+    TaintStore = class {
+      records = /* @__PURE__ */ new Map();
+      /** Add or refresh taint on an absolute path. */
+      taint(filePath, source, ttlMs = DEFAULT_TTL_MS) {
+        const resolved = this._resolve(filePath);
+        const now = Date.now();
+        this.records.set(resolved, {
+          path: resolved,
+          source,
+          createdAt: now,
+          expiresAt: now + ttlMs
+        });
+      }
+      /**
+       * Check whether a path is currently tainted.
+       * Returns the TaintRecord if tainted (and not expired), null otherwise.
+       * Expired records are pruned on access.
+       */
+      check(filePath) {
+        const resolved = this._resolve(filePath);
+        const record = this.records.get(resolved);
+        if (!record) return null;
+        if (Date.now() > record.expiresAt) {
+          this.records.delete(resolved);
+          return null;
+        }
+        return record;
+      }
+      /**
+       * Propagate taint from sourcePath to destPath (e.g. cp, mv).
+       * For mv semantics (clearSource=true) the source taint is removed.
+       */
+      propagate(sourcePath, destPath, clearSource = false) {
+        const taintRecord = this.check(sourcePath);
+        if (!taintRecord) return;
+        const remainingMs = taintRecord.expiresAt - Date.now();
+        if (remainingMs > 0) {
+          const baseSource = taintRecord.source.replace(/^(propagated:)+/, "");
+          this.taint(destPath, `propagated:${baseSource}`, remainingMs);
+        }
+        if (clearSource) {
+          this.records.delete(this._resolve(sourcePath));
+        }
+      }
+      /** Remove all expired records. Called periodically by the daemon. */
+      prune() {
+        const now = Date.now();
+        for (const [key, record] of this.records) {
+          if (now > record.expiresAt) this.records.delete(key);
+        }
+      }
+      /** Return all non-expired taint records (for audit/debug). */
+      list() {
+        this.prune();
+        return [...this.records.values()];
+      }
+      /** Remove all taint records atomically. Used by tests to reset state between runs. */
+      clear() {
+        this.records.clear();
+      }
+      /** Resolve to absolute path, falling back to path.resolve if file doesn't exist yet. */
+      _resolve(filePath) {
+        try {
+          return import_fs12.default.realpathSync.native(import_path15.default.resolve(filePath));
+        } catch {
+          return import_path15.default.resolve(filePath);
+        }
+      }
+    };
+  }
+});
 // src/daemon/state.ts
 function loadInsightCounts() {
   try {
-    if (!import_fs12.default.existsSync(INSIGHT_COUNTS_FILE)) return;
-    const data = JSON.parse(import_fs12.default.readFileSync(INSIGHT_COUNTS_FILE, "utf-8"));
+    if (!import_fs13.default.existsSync(INSIGHT_COUNTS_FILE)) return;
+    const data = JSON.parse(import_fs13.default.readFileSync(INSIGHT_COUNTS_FILE, "utf-8"));
     for (const [tool, count] of Object.entries(data)) {
       if (typeof count === "number" && count > 0) insightCounts.set(tool, count);
     }
@@ -5097,23 +5357,23 @@ function markRejectionHandlerRegistered() {
   daemonRejectionHandlerRegistered = true;
 }
 function atomicWriteSync2(filePath, data, options) {
-  const dir = import_path15.default.dirname(filePath);
-  if (!import_fs12.default.existsSync(dir)) import_fs12.default.mkdirSync(dir, { recursive: true });
-  const tmpPath = `${filePath}.${(0, import_crypto4.randomUUID)()}.tmp`;
+  const dir = import_path16.default.dirname(filePath);
+  if (!import_fs13.default.existsSync(dir)) import_fs13.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${filePath}.${(0, import_crypto5.randomUUID)()}.tmp`;
   try {
-    import_fs12.default.writeFileSync(tmpPath, data, options);
+    import_fs13.default.writeFileSync(tmpPath, data, options);
   } catch (err) {
     try {
-      import_fs12.default.unlinkSync(tmpPath);
+      import_fs13.default.unlinkSync(tmpPath);
     } catch {
     }
     throw err;
   }
   try {
-    import_fs12.default.renameSync(tmpPath, filePath);
+    import_fs13.default.renameSync(tmpPath, filePath);
   } catch (err) {
     try {
-      import_fs12.default.unlinkSync(tmpPath);
+      import_fs13.default.unlinkSync(tmpPath);
     } catch {
     }
     throw err;
@@ -5137,16 +5397,16 @@ function appendAuditLog(data) {
       decision: data.decision,
       source: "daemon"
     };
-    const dir = import_path15.default.dirname(AUDIT_LOG_FILE);
-    if (!import_fs12.default.existsSync(dir)) import_fs12.default.mkdirSync(dir, { recursive: true });
-    import_fs12.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
+    const dir = import_path16.default.dirname(AUDIT_LOG_FILE);
+    if (!import_fs13.default.existsSync(dir)) import_fs13.default.mkdirSync(dir, { recursive: true });
+    import_fs13.default.appendFileSync(AUDIT_LOG_FILE, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
 function getAuditHistory(limit = 20) {
   try {
-    if (!import_fs12.default.existsSync(AUDIT_LOG_FILE)) return [];
-    const lines = import_fs12.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
+    if (!import_fs13.default.existsSync(AUDIT_LOG_FILE)) return [];
+    const lines = import_fs13.default.readFileSync(AUDIT_LOG_FILE, "utf-8").trim().split("\n");
     if (lines.length === 1 && lines[0] === "") return [];
     return lines.slice(-limit).map((l) => JSON.parse(l)).reverse();
   } catch {
@@ -5155,19 +5415,19 @@ function getAuditHistory(limit = 20) {
 }
 function getOrgName() {
   try {
-    if (import_fs12.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
+    if (import_fs13.default.existsSync(CREDENTIALS_FILE)) return "Node9 Cloud";
   } catch {
   }
   return null;
 }
 function hasStoredSlackKey() {
-  return import_fs12.default.existsSync(CREDENTIALS_FILE);
+  return import_fs13.default.existsSync(CREDENTIALS_FILE);
 }
 function writeGlobalSetting(key, value) {
   let config = {};
   try {
-    if (import_fs12.default.existsSync(GLOBAL_CONFIG_FILE)) {
-      config = JSON.parse(import_fs12.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
+    if (import_fs13.default.existsSync(GLOBAL_CONFIG_FILE)) {
+      config = JSON.parse(import_fs13.default.readFileSync(GLOBAL_CONFIG_FILE, "utf-8"));
     }
   } catch {
   }
@@ -5179,8 +5439,8 @@ function writeTrustEntry(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (import_fs12.default.existsSync(TRUST_FILE2))
-        trust = JSON.parse(import_fs12.default.readFileSync(TRUST_FILE2, "utf-8"));
+      if (import_fs13.default.existsSync(TRUST_FILE2))
+        trust = JSON.parse(import_fs13.default.readFileSync(TRUST_FILE2, "utf-8"));
     } catch {
     }
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > Date.now());
@@ -5191,8 +5451,8 @@ function writeTrustEntry(toolName, durationMs) {
 }
 function readPersistentDecisions() {
   try {
-    if (import_fs12.default.existsSync(DECISIONS_FILE)) {
-      return JSON.parse(import_fs12.default.readFileSync(DECISIONS_FILE, "utf-8"));
+    if (import_fs13.default.existsSync(DECISIONS_FILE)) {
+      return JSON.parse(import_fs13.default.readFileSync(DECISIONS_FILE, "utf-8"));
     }
   } catch {
   }
@@ -5257,7 +5517,7 @@ function abandonPending() {
   });
   if (autoStarted) {
     try {
-      import_fs12.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs13.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
     setTimeout(() => {
@@ -5268,7 +5528,7 @@ function abandonPending() {
 }
 function startActivitySocket() {
   try {
-    import_fs12.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+    import_fs13.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
   } catch {
   }
   const ACTIVITY_MAX_BYTES = 1024 * 1024;
@@ -5310,35 +5570,37 @@ function startActivitySocket() {
   unixServer.listen(ACTIVITY_SOCKET_PATH2);
   process.on("exit", () => {
     try {
-      import_fs12.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
+      import_fs13.default.unlinkSync(ACTIVITY_SOCKET_PATH2);
     } catch {
     }
   });
 }
-var import_net2, import_fs12, import_path15, import_os12, import_child_process3, import_crypto4, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
+var import_net2, import_fs13, import_path16, import_os12, import_child_process3, import_crypto5, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
     import_net2 = __toESM(require("net"));
-    import_fs12 = __toESM(require("fs"));
-    import_path15 = __toESM(require("path"));
+    import_fs13 = __toESM(require("fs"));
+    import_path16 = __toESM(require("path"));
     import_os12 = __toESM(require("os"));
     import_child_process3 = require("child_process");
-    import_crypto4 = require("crypto");
+    import_crypto5 = require("crypto");
     init_daemon();
     init_suggestion_tracker();
+    init_taint_store();
     homeDir = import_os12.default.homedir();
-    DAEMON_PID_FILE = import_path15.default.join(homeDir, ".node9", "daemon.pid");
-    DECISIONS_FILE = import_path15.default.join(homeDir, ".node9", "decisions.json");
-    AUDIT_LOG_FILE = import_path15.default.join(homeDir, ".node9", "audit.log");
-    TRUST_FILE2 = import_path15.default.join(homeDir, ".node9", "trust.json");
-    GLOBAL_CONFIG_FILE = import_path15.default.join(homeDir, ".node9", "config.json");
-    CREDENTIALS_FILE = import_path15.default.join(homeDir, ".node9", "credentials.json");
-    INSIGHT_COUNTS_FILE = import_path15.default.join(homeDir, ".node9", "insight-counts.json");
+    DAEMON_PID_FILE = import_path16.default.join(homeDir, ".node9", "daemon.pid");
+    DECISIONS_FILE = import_path16.default.join(homeDir, ".node9", "decisions.json");
+    AUDIT_LOG_FILE = import_path16.default.join(homeDir, ".node9", "audit.log");
+    TRUST_FILE2 = import_path16.default.join(homeDir, ".node9", "trust.json");
+    GLOBAL_CONFIG_FILE = import_path16.default.join(homeDir, ".node9", "config.json");
+    CREDENTIALS_FILE = import_path16.default.join(homeDir, ".node9", "credentials.json");
+    INSIGHT_COUNTS_FILE = import_path16.default.join(homeDir, ".node9", "insight-counts.json");
     pending = /* @__PURE__ */ new Map();
     sseClients = /* @__PURE__ */ new Set();
     suggestionTracker = new SuggestionTracker(3);
     suggestions = /* @__PURE__ */ new Map();
+    taintStore = new TaintStore();
     insightCounts = /* @__PURE__ */ new Map();
     _abandonTimer = null;
     _hadBrowserClient = false;
@@ -5351,7 +5613,7 @@ var init_state2 = __esm({
       "2h": 2 * 60 * 6e4
     };
     autoStarted = process.env.NODE9_AUTO_STARTED === "1";
-    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path15.default.join(import_os12.default.tmpdir(), "node9-activity.sock");
+    ACTIVITY_SOCKET_PATH2 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path16.default.join(import_os12.default.tmpdir(), "node9-activity.sock");
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
@@ -5362,8 +5624,8 @@ var init_state2 = __esm({
 function patchConfig(configPath, patch) {
   let config = {};
   try {
-    if (import_fs13.default.existsSync(configPath)) {
-      config = JSON.parse(import_fs13.default.readFileSync(configPath, "utf8"));
+    if (import_fs14.default.existsSync(configPath)) {
+      config = JSON.parse(import_fs14.default.readFileSync(configPath, "utf8"));
     }
   } catch {
     throw new Error(`Cannot read config at ${configPath} \u2014 file may be corrupted`);
@@ -5382,44 +5644,44 @@ function patchConfig(configPath, patch) {
       ignored.push(patch.toolName);
     }
   }
-  const dir = import_path16.default.dirname(configPath);
-  import_fs13.default.mkdirSync(dir, { recursive: true });
+  const dir = import_path17.default.dirname(configPath);
+  import_fs14.default.mkdirSync(dir, { recursive: true });
   const tmp = configPath + ".node9-tmp";
   try {
-    import_fs13.default.writeFileSync(tmp, JSON.stringify(config, null, 2), { mode: 384 });
+    import_fs14.default.writeFileSync(tmp, JSON.stringify(config, null, 2), { mode: 384 });
   } catch (err) {
     try {
-      import_fs13.default.unlinkSync(tmp);
+      import_fs14.default.unlinkSync(tmp);
     } catch {
     }
     throw err;
   }
   try {
-    import_fs13.default.renameSync(tmp, configPath);
+    import_fs14.default.renameSync(tmp, configPath);
   } catch (err) {
     try {
-      import_fs13.default.unlinkSync(tmp);
+      import_fs14.default.unlinkSync(tmp);
     } catch {
     }
     throw err;
   }
 }
-var import_fs13, import_path16, import_os13, GLOBAL_CONFIG_PATH;
+var import_fs14, import_path17, import_os13, GLOBAL_CONFIG_PATH;
 var init_patch = __esm({
   "src/config/patch.ts"() {
     "use strict";
-    import_fs13 = __toESM(require("fs"));
-    import_path16 = __toESM(require("path"));
+    import_fs14 = __toESM(require("fs"));
+    import_path17 = __toESM(require("path"));
     import_os13 = __toESM(require("os"));
-    GLOBAL_CONFIG_PATH = import_path16.default.join(import_os13.default.homedir(), ".node9", "config.json");
+    GLOBAL_CONFIG_PATH = import_path17.default.join(import_os13.default.homedir(), ".node9", "config.json");
   }
 });
 // src/daemon/server.ts
 function startDaemon() {
   loadInsightCounts();
-  const csrfToken = (0, import_crypto5.randomUUID)();
-  const internalToken = (0, import_crypto5.randomUUID)();
+  const csrfToken = (0, import_crypto6.randomUUID)();
+  const internalToken = (0, import_crypto6.randomUUID)();
   const UI_HTML = UI_HTML_TEMPLATE.replace("{{CSRF_TOKEN}}", csrfToken);
   const validToken = (req) => req.headers["x-node9-token"] === csrfToken;
   const IDLE_TIMEOUT_MS = 12 * 60 * 60 * 1e3;
@@ -5432,7 +5694,7 @@ function startDaemon() {
     idleTimer = setTimeout(() => {
       if (autoStarted) {
         try {
-          import_fs14.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs15.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
       }
@@ -5547,7 +5809,7 @@ data: ${JSON.stringify(item.data)}
           activityId,
           cwd
         } = JSON.parse(body);
-        const id = fromCLI && typeof activityId === "string" && activityId || (0, import_crypto5.randomUUID)();
+        const id = fromCLI && typeof activityId === "string" && activityId || (0, import_crypto6.randomUUID)();
         const entry = {
           id,
           toolName,
@@ -5587,7 +5849,7 @@ data: ${JSON.stringify(item.data)}
             status: "pending"
           });
         }
-        const projectCwd = typeof cwd === "string" && import_path17.default.isAbsolute(cwd) ? cwd : void 0;
+        const projectCwd = typeof cwd === "string" && import_path18.default.isAbsolute(cwd) ? cwd : void 0;
         const projectConfig = getConfig(projectCwd);
         const browserEnabled = projectConfig.settings.approvers?.browser !== false;
         const terminalEnabled = projectConfig.settings.approvers?.terminal !== false;
@@ -5938,8 +6200,8 @@ data: ${JSON.stringify(item.data)}
         const body = await readBody(req);
         const data = body ? JSON.parse(body) : {};
         const configPath = data.configPath ?? GLOBAL_CONFIG_PATH;
-        const node9Dir = import_path17.default.dirname(GLOBAL_CONFIG_PATH);
-        if (!import_path17.default.resolve(configPath).startsWith(node9Dir + import_path17.default.sep)) {
+        const node9Dir = import_path18.default.dirname(GLOBAL_CONFIG_PATH);
+        if (!import_path18.default.resolve(configPath).startsWith(node9Dir + import_path18.default.sep)) {
           res.writeHead(400, { "Content-Type": "application/json" });
           return res.end(
             JSON.stringify({ error: "configPath must be within the node9 config directory" })
@@ -5987,20 +6249,77 @@ data: ${JSON.stringify(item.data)}
         res.writeHead(400).end();
       }
     }
+    if (req.method === "POST" && pathname === "/taint") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.path !== "string" || typeof body.source !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "path and source are required strings" }));
+        }
+        const ttlMs = typeof body.ttlMs === "number" ? body.ttlMs : void 0;
+        taintStore.taint(body.path, body.source, ttlMs);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/check") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (!Array.isArray(body.paths)) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "paths must be an array" }));
+        }
+        if (body.paths.some((p) => typeof p !== "string")) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "all paths must be strings" }));
+        }
+        for (const p of body.paths) {
+          const record = taintStore.check(p);
+          if (record) {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            return res.end(JSON.stringify({ tainted: true, record }));
+          }
+        }
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ tainted: false }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
+    if (req.method === "POST" && pathname === "/taint/propagate") {
+      try {
+        const body = JSON.parse(await readBody(req));
+        if (typeof body.src !== "string" || typeof body.dest !== "string") {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          return res.end(JSON.stringify({ error: "src and dest are required strings" }));
+        }
+        const clearSource = body.clearSource === true;
+        taintStore.propagate(body.src, body.dest, clearSource);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        return res.end(JSON.stringify({ ok: true }));
+      } catch {
+        res.writeHead(400).end();
+        return;
+      }
+    }
     res.writeHead(404).end();
   });
   setDaemonServer(server);
   server.on("error", (e) => {
     if (e.code === "EADDRINUSE") {
       try {
-        if (import_fs14.default.existsSync(DAEMON_PID_FILE)) {
-          const { pid } = JSON.parse(import_fs14.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+        if (import_fs15.default.existsSync(DAEMON_PID_FILE)) {
+          const { pid } = JSON.parse(import_fs15.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
           process.kill(pid, 0);
           return process.exit(0);
         }
       } catch {
         try {
-          import_fs14.default.unlinkSync(DAEMON_PID_FILE);
+          import_fs15.default.unlinkSync(DAEMON_PID_FILE);
         } catch {
         }
         server.listen(DAEMON_PORT, DAEMON_HOST);
@@ -6059,14 +6378,14 @@ data: ${JSON.stringify(item.data)}
   }
   startActivitySocket();
 }
-var import_http, import_fs14, import_path17, import_crypto5, import_child_process4, import_chalk2;
+var import_http, import_fs15, import_path18, import_crypto6, import_child_process4, import_chalk2;
 var init_server = __esm({
   "src/daemon/server.ts"() {
     "use strict";
     import_http = __toESM(require("http"));
-    import_fs14 = __toESM(require("fs"));
-    import_path17 = __toESM(require("path"));
-    import_crypto5 = require("crypto");
+    import_fs15 = __toESM(require("fs"));
+    import_path18 = __toESM(require("path"));
+    import_crypto6 = require("crypto");
     import_child_process4 = require("child_process");
     import_chalk2 = __toESM(require("chalk"));
     init_core();
@@ -6080,24 +6399,24 @@ var init_server = __esm({
 // src/daemon/index.ts
 function stopDaemon() {
-  if (!import_fs15.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
+  if (!import_fs16.default.existsSync(DAEMON_PID_FILE)) return console.log(import_chalk3.default.yellow("Not running."));
   try {
-    const { pid } = JSON.parse(import_fs15.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+    const { pid } = JSON.parse(import_fs16.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
     process.kill(pid, "SIGTERM");
     console.log(import_chalk3.default.green("\u2705 Stopped."));
   } catch {
     console.log(import_chalk3.default.gray("Cleaned up stale PID file."));
   } finally {
     try {
-      import_fs15.default.unlinkSync(DAEMON_PID_FILE);
+      import_fs16.default.unlinkSync(DAEMON_PID_FILE);
     } catch {
     }
   }
 }
 function daemonStatus() {
-  if (import_fs15.default.existsSync(DAEMON_PID_FILE)) {
+  if (import_fs16.default.existsSync(DAEMON_PID_FILE)) {
     try {
-      const { pid } = JSON.parse(import_fs15.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
+      const { pid } = JSON.parse(import_fs16.default.readFileSync(DAEMON_PID_FILE, "utf-8"));
       process.kill(pid, 0);
       console.log(import_chalk3.default.green("Node9 daemon: running"));
       return;
@@ -6116,11 +6435,11 @@ function daemonStatus() {
     console.log(import_chalk3.default.yellow("Node9 daemon: not running"));
   }
 }
-var import_fs15, import_chalk3, import_child_process5;
+var import_fs16, import_chalk3, import_child_process5;
 var init_daemon2 = __esm({
   "src/daemon/index.ts"() {
     "use strict";
-    import_fs15 = __toESM(require("fs"));
+    import_fs16 = __toESM(require("fs"));
     import_chalk3 = __toESM(require("chalk"));
     import_child_process5 = require("child_process");
     init_server();
@@ -6171,9 +6490,9 @@ function renderPending(activity) {
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (import_fs23.default.existsSync(PID_FILE)) {
+  if (import_fs24.default.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(import_fs23.default.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(import_fs24.default.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
       console.error(import_chalk16.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
@@ -6244,9 +6563,12 @@ function buildCardLines(req, localCount = 0) {
     ``,
     `${BOLD}${CYAN}\u2554\u2550\u2550 Node9 Approval Required \u2550\u2550\u2557${RESET}`,
     `${CYAN}\u2551${RESET} Tool:    ${BOLD}${req.toolName}${RESET}`,
-    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`,
-    `${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`
+    `${CYAN}\u2551${RESET} Reason:  ${tierLabel} \u2014 ${blockedBy}${RESET}`
   ];
+  if (req.riskMetadata?.ruleName && blockedBy.includes("Taint")) {
+    lines.push(`${CYAN}\u2551${RESET} ${YELLOW}\u26A0  ${req.riskMetadata.ruleName}${RESET}`);
+  }
+  lines.push(`${CYAN}\u2551${RESET} Args:    ${GRAY}${argsPreview}${RESET}`);
   if (localCount >= 2) {
     lines.push(
       `${CYAN}\u2551${RESET} ${YELLOW}\u{1F4A1}${RESET} Approved ${localCount}\xD7 before \u2014 ${BOLD}[a]${RESET}${YELLOW} creates a permanent rule${RESET}`
@@ -6308,12 +6630,13 @@ async function startTail(options = {}) {
   if (canApprove) import_readline3.default.emitKeypressEvents(process.stdin);
   function clearCard() {
     if (cardLineCount > 0) {
-      process.stdout.write(RESTORE_CURSOR + ERASE_DOWN);
+      import_readline3.default.moveCursor(process.stdout, 0, -cardLineCount);
+      process.stdout.write(ERASE_DOWN);
       cardLineCount = 0;
     }
   }
   function printCard(req2) {
-    process.stdout.write(HIDE_CURSOR + SAVE_CURSOR);
+    process.stdout.write(HIDE_CURSOR);
     const daemonPrior = req2.allowCount !== void 0 ? req2.allowCount - 1 : 0;
     const localPrior = localAllowCounts.get(req2.toolName) ?? 0;
     const priorCount = Math.max(daemonPrior, localPrior);
@@ -6349,7 +6672,7 @@ async function startTail(options = {}) {
       if (settled) return;
       settled = true;
       cleanup();
-      process.stdout.write(RESTORE_CURSOR + ERASE_DOWN);
+      clearCard();
       const stampedLines = buildCardLines(
         req2,
         Math.max(
@@ -6380,8 +6703,8 @@ async function startTail(options = {}) {
       }
       postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err) => {
         try {
-          import_fs23.default.appendFileSync(
-            import_path25.default.join(import_os21.default.homedir(), ".node9", "hook-debug.log"),
+          import_fs24.default.appendFileSync(
+            import_path26.default.join(import_os21.default.homedir(), ".node9", "hook-debug.log"),
             `[tail] POST /decision failed: ${String(err)}
 `
           );
@@ -6396,7 +6719,7 @@ async function startTail(options = {}) {
       if (settled) return;
       settled = true;
       cleanup();
-      process.stdout.write(RESTORE_CURSOR + ERASE_DOWN);
+      clearCard();
       const priorCount = Math.max(
         req2.allowCount !== void 0 ? req2.allowCount - 1 : 0,
         localAllowCounts.get(req2.toolName) ?? 0
@@ -6593,21 +6916,21 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk16, import_fs23, import_os21, import_path25, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, SAVE_CURSOR, RESTORE_CURSOR;
+var import_http2, import_chalk16, import_fs24, import_os21, import_path26, import_readline3, import_child_process13, PID_FILE, ICONS, RESET, BOLD, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     import_http2 = __toESM(require("http"));
     import_chalk16 = __toESM(require("chalk"));
-    import_fs23 = __toESM(require("fs"));
+    import_fs24 = __toESM(require("fs"));
     import_os21 = __toESM(require("os"));
-    import_path25 = __toESM(require("path"));
+    import_path26 = __toESM(require("path"));
     import_readline3 = __toESM(require("readline"));
     import_child_process13 = require("child_process");
     init_daemon2();
     init_daemon();
     init_core();
-    PID_FILE = import_path25.default.join(import_os21.default.homedir(), ".node9", "daemon.pid");
+    PID_FILE = import_path26.default.join(import_os21.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -6635,8 +6958,6 @@ var init_tail = __esm({
     HIDE_CURSOR = "\x1B[?25l";
     SHOW_CURSOR = "\x1B[?25h";
     ERASE_DOWN = "\x1B[J";
-    SAVE_CURSOR = "\x1B7";
-    RESTORE_CURSOR = "\x1B8";
   }
 });
@@ -7033,8 +7354,8 @@ async function setupCursor() {
 // src/cli.ts
 init_daemon2();
 var import_chalk17 = __toESM(require("chalk"));
-var import_fs24 = __toESM(require("fs"));
-var import_path26 = __toESM(require("path"));
+var import_fs25 = __toESM(require("fs"));
+var import_path27 = __toESM(require("path"));
 var import_os22 = __toESM(require("os"));
 var import_prompts3 = require("@inquirer/prompts");
@@ -7256,8 +7577,8 @@ async function autoStartDaemonAndWait() {
 // src/cli/commands/check.ts
 var import_chalk5 = __toESM(require("chalk"));
-var import_fs17 = __toESM(require("fs"));
-var import_path19 = __toESM(require("path"));
+var import_fs18 = __toESM(require("fs"));
+var import_path20 = __toESM(require("path"));
 var import_os15 = __toESM(require("os"));
 init_orchestrator();
 init_daemon();
@@ -7266,26 +7587,26 @@ init_policy();
 // src/undo.ts
 var import_child_process8 = require("child_process");
-var import_crypto6 = __toESM(require("crypto"));
-var import_fs16 = __toESM(require("fs"));
-var import_path18 = __toESM(require("path"));
+var import_crypto7 = __toESM(require("crypto"));
+var import_fs17 = __toESM(require("fs"));
+var import_path19 = __toESM(require("path"));
 var import_os14 = __toESM(require("os"));
-var SNAPSHOT_STACK_PATH = import_path18.default.join(import_os14.default.homedir(), ".node9", "snapshots.json");
-var UNDO_LATEST_PATH = import_path18.default.join(import_os14.default.homedir(), ".node9", "undo_latest.txt");
+var SNAPSHOT_STACK_PATH = import_path19.default.join(import_os14.default.homedir(), ".node9", "snapshots.json");
+var UNDO_LATEST_PATH = import_path19.default.join(import_os14.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
 var GIT_TIMEOUT = 15e3;
 function readStack() {
   try {
-    if (import_fs16.default.existsSync(SNAPSHOT_STACK_PATH))
-      return JSON.parse(import_fs16.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
+    if (import_fs17.default.existsSync(SNAPSHOT_STACK_PATH))
+      return JSON.parse(import_fs17.default.readFileSync(SNAPSHOT_STACK_PATH, "utf-8"));
   } catch {
   }
   return [];
 }
 function writeStack(stack) {
-  const dir = import_path18.default.dirname(SNAPSHOT_STACK_PATH);
-  if (!import_fs16.default.existsSync(dir)) import_fs16.default.mkdirSync(dir, { recursive: true });
-  import_fs16.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
+  const dir = import_path19.default.dirname(SNAPSHOT_STACK_PATH);
+  if (!import_fs17.default.existsSync(dir)) import_fs17.default.mkdirSync(dir, { recursive: true });
+  import_fs17.default.writeFileSync(SNAPSHOT_STACK_PATH, JSON.stringify(stack, null, 2));
 }
 function buildArgsSummary(tool, args) {
   if (!args || typeof args !== "object") return "";
@@ -7301,7 +7622,7 @@ function buildArgsSummary(tool, args) {
 function normalizeCwdForHash(cwd) {
   let normalized;
   try {
-    normalized = import_fs16.default.realpathSync(cwd);
+    normalized = import_fs17.default.realpathSync(cwd);
   } catch {
     normalized = cwd;
   }
@@ -7310,17 +7631,17 @@ function normalizeCwdForHash(cwd) {
   return normalized;
 }
 function getShadowRepoDir(cwd) {
-  const hash = import_crypto6.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
-  return import_path18.default.join(import_os14.default.homedir(), ".node9", "snapshots", hash);
+  const hash = import_crypto7.default.createHash("sha256").update(normalizeCwdForHash(cwd)).digest("hex").slice(0, 16);
+  return import_path19.default.join(import_os14.default.homedir(), ".node9", "snapshots", hash);
 }
 function cleanOrphanedIndexFiles(shadowDir) {
   try {
     const cutoff = Date.now() - 6e4;
-    for (const f of import_fs16.default.readdirSync(shadowDir)) {
+    for (const f of import_fs17.default.readdirSync(shadowDir)) {
       if (f.startsWith("index_")) {
-        const fp = import_path18.default.join(shadowDir, f);
+        const fp = import_path19.default.join(shadowDir, f);
         try {
-          if (import_fs16.default.statSync(fp).mtimeMs < cutoff) import_fs16.default.unlinkSync(fp);
+          if (import_fs17.default.statSync(fp).mtimeMs < cutoff) import_fs17.default.unlinkSync(fp);
         } catch {
         }
       }
@@ -7332,7 +7653,7 @@ function writeShadowExcludes(shadowDir, ignorePaths) {
   const hardcoded = [".git", ".node9"];
   const lines = [...hardcoded, ...ignorePaths].join("\n");
   try {
-    import_fs16.default.writeFileSync(import_path18.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
+    import_fs17.default.writeFileSync(import_path19.default.join(shadowDir, "info", "exclude"), lines + "\n", "utf8");
   } catch {
   }
 }
@@ -7345,25 +7666,25 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   if (check.status === 0) {
-    const ptPath = import_path18.default.join(shadowDir, "project-path.txt");
+    const ptPath = import_path19.default.join(shadowDir, "project-path.txt");
     try {
-      const stored = import_fs16.default.readFileSync(ptPath, "utf8").trim();
+      const stored = import_fs17.default.readFileSync(ptPath, "utf8").trim();
       if (stored === normalizedCwd) return true;
       if (process.env.NODE9_DEBUG === "1")
         console.error(
           `[Node9] Shadow repo path mismatch: stored="${stored}" expected="${normalizedCwd}" \u2014 reinitializing`
         );
-      import_fs16.default.rmSync(shadowDir, { recursive: true, force: true });
+      import_fs17.default.rmSync(shadowDir, { recursive: true, force: true });
     } catch {
       try {
-        import_fs16.default.writeFileSync(ptPath, normalizedCwd, "utf8");
+        import_fs17.default.writeFileSync(ptPath, normalizedCwd, "utf8");
       } catch {
       }
       return true;
     }
   }
   try {
-    import_fs16.default.mkdirSync(shadowDir, { recursive: true });
+    import_fs17.default.mkdirSync(shadowDir, { recursive: true });
   } catch {
   }
   const init = (0, import_child_process8.spawnSync)("git", ["init", "--bare", shadowDir], { timeout: 5e3 });
@@ -7372,7 +7693,7 @@ function ensureShadowRepo(shadowDir, cwd) {
       console.error("[Node9] git init --bare failed:", init.stderr?.toString());
     return false;
   }
-  const configFile = import_path18.default.join(shadowDir, "config");
+  const configFile = import_path19.default.join(shadowDir, "config");
   (0, import_child_process8.spawnSync)("git", ["config", "--file", configFile, "core.untrackedCache", "true"], {
     timeout: 3e3
   });
@@ -7380,7 +7701,7 @@ function ensureShadowRepo(shadowDir, cwd) {
     timeout: 3e3
   });
   try {
-    import_fs16.default.writeFileSync(import_path18.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
+    import_fs17.default.writeFileSync(import_path19.default.join(shadowDir, "project-path.txt"), normalizedCwd, "utf8");
   } catch {
   }
   return true;
@@ -7403,7 +7724,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shadowDir = getShadowRepoDir(cwd);
     if (!ensureShadowRepo(shadowDir, cwd)) return null;
     writeShadowExcludes(shadowDir, ignorePaths);
-    indexFile = import_path18.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
+    indexFile = import_path19.default.join(shadowDir, `index_${process.pid}_${Date.now()}`);
     const shadowEnv = {
       ...process.env,
       GIT_DIR: shadowDir,
@@ -7432,7 +7753,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     const shouldGc = stack.length % 5 === 0;
     if (stack.length > MAX_SNAPSHOTS) stack.splice(0, stack.length - MAX_SNAPSHOTS);
     writeStack(stack);
-    import_fs16.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
+    import_fs17.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       (0, import_child_process8.spawn)("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
@@ -7443,7 +7764,7 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
   } finally {
     if (indexFile) {
       try {
-        import_fs16.default.unlinkSync(indexFile);
+        import_fs17.default.unlinkSync(indexFile);
       } catch {
       }
     }
@@ -7512,9 +7833,9 @@ function applyUndo(hash, cwd) {
       timeout: GIT_TIMEOUT
     }).stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
     for (const file of [...tracked, ...untracked]) {
-      const fullPath = import_path18.default.join(dir, file);
-      if (!snapshotFiles.has(file) && import_fs16.default.existsSync(fullPath)) {
-        import_fs16.default.unlinkSync(fullPath);
+      const fullPath = import_path19.default.join(dir, file);
+      if (!snapshotFiles.has(file) && import_fs17.default.existsSync(fullPath)) {
+        import_fs17.default.unlinkSync(fullPath);
       }
     }
     return true;
@@ -7538,9 +7859,9 @@ function registerCheckCommand(program2) {
         } catch (err) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
-            const logPath = import_path19.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+            const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
             const errMsg = err instanceof Error ? err.message : String(err);
-            import_fs17.default.appendFileSync(
+            import_fs18.default.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
 RAW: ${raw}
@@ -7551,10 +7872,10 @@ RAW: ${raw}
         }
         const config = getConfig(payload.cwd || void 0);
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
-          const logPath = import_path19.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
-          if (!import_fs17.default.existsSync(import_path19.default.dirname(logPath)))
-            import_fs17.default.mkdirSync(import_path19.default.dirname(logPath), { recursive: true });
-          import_fs17.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
+          const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+          if (!import_fs18.default.existsSync(import_path20.default.dirname(logPath)))
+            import_fs18.default.mkdirSync(import_path20.default.dirname(logPath), { recursive: true });
+          import_fs18.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${raw}
 `);
         }
         const toolName = sanitize2(payload.tool_name ?? payload.name ?? "");
@@ -7567,8 +7888,8 @@ RAW: ${raw}
           const isHumanDecision = blockedByContext.toLowerCase().includes("user") || blockedByContext.toLowerCase().includes("daemon") || blockedByContext.toLowerCase().includes("decision");
           let ttyFd = null;
           try {
-            ttyFd = import_fs17.default.openSync("/dev/tty", "w");
-            const writeTty = (line) => import_fs17.default.writeSync(ttyFd, line + "\n");
+            ttyFd = import_fs18.default.openSync("/dev/tty", "w");
+            const writeTty = (line) => import_fs18.default.writeSync(ttyFd, line + "\n");
             if (blockedByContext.includes("DLP") || blockedByContext.includes("Secret Detected") || blockedByContext.includes("Credential Review")) {
               writeTty(import_chalk5.default.bgRed.white.bold(`
  \u{1F6A8} NODE9 DLP ALERT \u2014 CREDENTIAL DETECTED `));
@@ -7584,7 +7905,7 @@ RAW: ${raw}
           } finally {
             if (ttyFd !== null)
               try {
-                import_fs17.default.closeSync(ttyFd);
+                import_fs18.default.closeSync(ttyFd);
               } catch {
               }
           }
@@ -7615,7 +7936,7 @@ RAW: ${raw}
         if (shouldSnapshot(toolName, toolInput, config)) {
           await createShadowSnapshot(toolName, toolInput, config.policy.snapshot.ignorePaths);
         }
-        const safeCwdForAuth = typeof payload.cwd === "string" && import_path19.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const safeCwdForAuth = typeof payload.cwd === "string" && import_path20.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const result = await authorizeHeadless(toolName, toolInput, meta, {
           cwd: safeCwdForAuth
         });
@@ -7627,12 +7948,12 @@ RAW: ${raw}
         }
         if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && !process.stdout.isTTY && config.settings.autoStartDaemon) {
           try {
-            const tty = import_fs17.default.openSync("/dev/tty", "w");
-            import_fs17.default.writeSync(
+            const tty = import_fs18.default.openSync("/dev/tty", "w");
+            import_fs18.default.writeSync(
               tty,
               import_chalk5.default.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically...\n")
             );
-            import_fs17.default.closeSync(tty);
+            import_fs18.default.closeSync(tty);
           } catch {
           }
           const daemonReady = await autoStartDaemonAndWait();
@@ -7659,9 +7980,9 @@ RAW: ${raw}
         });
       } catch (err) {
         if (process.env.NODE9_DEBUG === "1") {
-          const logPath = import_path19.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
+          const logPath = import_path20.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
           const errMsg = err instanceof Error ? err.message : String(err);
-          import_fs17.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
+          import_fs18.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
         process.exit(0);
@@ -7695,12 +8016,52 @@ RAW: ${raw}
 }
 // src/cli/commands/log.ts
-var import_fs18 = __toESM(require("fs"));
-var import_path20 = __toESM(require("path"));
+var import_fs19 = __toESM(require("fs"));
+var import_path21 = __toESM(require("path"));
 var import_os16 = __toESM(require("os"));
 init_audit();
 init_config();
 init_policy();
+init_daemon();
+// src/utils/cp-mv-parser.ts
+function parseCpMvOp(command) {
+  const trimmed = command.trim();
+  const tokens = trimmed.split(/\s+/);
+  if (tokens.length < 3) return null;
+  const [cmd, ...rest] = tokens;
+  const base = cmd.split("/").pop() ?? cmd;
+  if (base !== "cp" && base !== "mv") return null;
+  const args = [];
+  for (const tok of rest) {
+    if (tok === "--") {
+      args.push(...rest.slice(rest.indexOf("--") + 1));
+      break;
+    }
+    if (tok === "-t" || tok === "--target-directory") return null;
+    if (tok.startsWith("--target-directory=")) return null;
+    if (tok.startsWith("-") && !tok.startsWith("--")) {
+      if (tok.includes("t")) return null;
+      continue;
+    }
+    if (tok.startsWith("--")) {
+      continue;
+    }
+    args.push(tok);
+  }
+  if (args.length !== 2) return null;
+  const [src, dest] = args;
+  if (!src || !dest) return null;
+  if (containsShellMetachar(src) || containsShellMetachar(dest)) return null;
+  return { src, dest, clearSource: base === "mv" };
+}
+function containsShellMetachar(token) {
+  if (/[$`{;*?]/.test(token)) return true;
+  if (token.includes("\0")) return true;
+  return false;
+}
+// src/cli/commands/log.ts
 function sanitize3(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
@@ -7719,11 +8080,20 @@ function registerLogCommand(program2) {
           decision: "allowed",
           source: "post-hook"
         };
-        const logPath = import_path20.default.join(import_os16.default.homedir(), ".node9", "audit.log");
-        if (!import_fs18.default.existsSync(import_path20.default.dirname(logPath)))
-          import_fs18.default.mkdirSync(import_path20.default.dirname(logPath), { recursive: true });
-        import_fs18.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
-        const safeCwd = typeof payload.cwd === "string" && import_path20.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const logPath = import_path21.default.join(import_os16.default.homedir(), ".node9", "audit.log");
+        if (!import_fs19.default.existsSync(import_path21.default.dirname(logPath)))
+          import_fs19.default.mkdirSync(import_path21.default.dirname(logPath), { recursive: true });
+        import_fs19.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+        if ((tool === "Bash" || tool === "bash") && isDaemonRunning()) {
+          const command = typeof rawInput === "object" && rawInput !== null && "command" in rawInput && typeof rawInput.command === "string" ? rawInput.command : null;
+          if (command) {
+            const op = parseCpMvOp(command);
+            if (op) {
+              await notifyTaintPropagate(op.src, op.dest, op.clearSource);
+            }
+          }
+        }
+        const safeCwd = typeof payload.cwd === "string" && import_path21.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
         const config = getConfig(safeCwd);
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
@@ -7732,9 +8102,9 @@ function registerLogCommand(program2) {
         const msg = err instanceof Error ? err.message : String(err);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
-        const debugPath = import_path20.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
+        const debugPath = import_path21.default.join(import_os16.default.homedir(), ".node9", "hook-debug.log");
         try {
-          import_fs18.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
+          import_fs19.default.appendFileSync(debugPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] LOG_ERROR: ${msg}
 `);
         } catch {
         }
@@ -8038,8 +8408,8 @@ function registerConfigShowCommand(program2) {
 // src/cli/commands/doctor.ts
 var import_chalk7 = __toESM(require("chalk"));
-var import_fs19 = __toESM(require("fs"));
-var import_path21 = __toESM(require("path"));
+var import_fs20 = __toESM(require("fs"));
+var import_path22 = __toESM(require("path"));
 var import_os17 = __toESM(require("os"));
 var import_child_process9 = require("child_process");
 init_daemon();
@@ -8094,10 +8464,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Configuration");
-    const globalConfigPath = import_path21.default.join(homeDir2, ".node9", "config.json");
-    if (import_fs19.default.existsSync(globalConfigPath)) {
+    const globalConfigPath = import_path22.default.join(homeDir2, ".node9", "config.json");
+    if (import_fs20.default.existsSync(globalConfigPath)) {
       try {
-        JSON.parse(import_fs19.default.readFileSync(globalConfigPath, "utf-8"));
+        JSON.parse(import_fs20.default.readFileSync(globalConfigPath, "utf-8"));
         pass("~/.node9/config.json found and valid");
       } catch {
         fail("~/.node9/config.json is invalid JSON", "Run: node9 init --force");
@@ -8105,10 +8475,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("~/.node9/config.json not found (using defaults)", "Run: node9 init");
     }
-    const projectConfigPath = import_path21.default.join(process.cwd(), "node9.config.json");
-    if (import_fs19.default.existsSync(projectConfigPath)) {
+    const projectConfigPath = import_path22.default.join(process.cwd(), "node9.config.json");
+    if (import_fs20.default.existsSync(projectConfigPath)) {
       try {
-        JSON.parse(import_fs19.default.readFileSync(projectConfigPath, "utf-8"));
+        JSON.parse(import_fs20.default.readFileSync(projectConfigPath, "utf-8"));
         pass("node9.config.json found and valid (project)");
       } catch {
         fail(
@@ -8117,8 +8487,8 @@ function registerDoctorCommand(program2, version2) {
         );
       }
     }
-    const credsPath = import_path21.default.join(homeDir2, ".node9", "credentials.json");
-    if (import_fs19.default.existsSync(credsPath)) {
+    const credsPath = import_path22.default.join(homeDir2, ".node9", "credentials.json");
+    if (import_fs20.default.existsSync(credsPath)) {
       pass("Cloud credentials found (~/.node9/credentials.json)");
     } else {
       warn(
@@ -8127,10 +8497,10 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     section("Agent Hooks");
-    const claudeSettingsPath = import_path21.default.join(homeDir2, ".claude", "settings.json");
-    if (import_fs19.default.existsSync(claudeSettingsPath)) {
+    const claudeSettingsPath = import_path22.default.join(homeDir2, ".claude", "settings.json");
+    if (import_fs20.default.existsSync(claudeSettingsPath)) {
       try {
-        const cs = JSON.parse(import_fs19.default.readFileSync(claudeSettingsPath, "utf-8"));
+        const cs = JSON.parse(import_fs20.default.readFileSync(claudeSettingsPath, "utf-8"));
         const hasHook = cs.hooks?.PreToolUse?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -8146,10 +8516,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Claude Code \u2014 not configured", "Run: node9 setup claude");
     }
-    const geminiSettingsPath = import_path21.default.join(homeDir2, ".gemini", "settings.json");
-    if (import_fs19.default.existsSync(geminiSettingsPath)) {
+    const geminiSettingsPath = import_path22.default.join(homeDir2, ".gemini", "settings.json");
+    if (import_fs20.default.existsSync(geminiSettingsPath)) {
       try {
-        const gs = JSON.parse(import_fs19.default.readFileSync(geminiSettingsPath, "utf-8"));
+        const gs = JSON.parse(import_fs20.default.readFileSync(geminiSettingsPath, "utf-8"));
         const hasHook = gs.hooks?.BeforeTool?.some(
           (m) => m.hooks.some((h) => h.command?.includes("node9") || h.command?.includes("cli.js"))
         );
@@ -8165,10 +8535,10 @@ function registerDoctorCommand(program2, version2) {
     } else {
       warn("Gemini CLI  \u2014 not configured", "Run: node9 setup gemini  (skip if not using Gemini)");
     }
-    const cursorHooksPath = import_path21.default.join(homeDir2, ".cursor", "hooks.json");
-    if (import_fs19.default.existsSync(cursorHooksPath)) {
+    const cursorHooksPath = import_path22.default.join(homeDir2, ".cursor", "hooks.json");
+    if (import_fs20.default.existsSync(cursorHooksPath)) {
       try {
-        const cur = JSON.parse(import_fs19.default.readFileSync(cursorHooksPath, "utf-8"));
+        const cur = JSON.parse(import_fs20.default.readFileSync(cursorHooksPath, "utf-8"));
         const hasHook = cur.hooks?.preToolUse?.some(
           (h) => h.command?.includes("node9") || h.command?.includes("cli.js")
         );
@@ -8206,8 +8576,8 @@ function registerDoctorCommand(program2, version2) {
 // src/cli/commands/audit.ts
 var import_chalk8 = __toESM(require("chalk"));
-var import_fs20 = __toESM(require("fs"));
-var import_path22 = __toESM(require("path"));
+var import_fs21 = __toESM(require("fs"));
+var import_path23 = __toESM(require("path"));
 var import_os18 = __toESM(require("os"));
 function formatRelativeTime(timestamp) {
   const diff = Date.now() - new Date(timestamp).getTime();
@@ -8221,14 +8591,14 @@ function formatRelativeTime(timestamp) {
 }
 function registerAuditCommand(program2) {
   program2.command("audit").description("View local execution audit log").option("--tail <n>", "Number of entries to show", "20").option("--tool <pattern>", "Filter by tool name (substring match)").option("--deny", "Show only denied actions").option("--json", "Output raw JSON").action((options) => {
-    const logPath = import_path22.default.join(import_os18.default.homedir(), ".node9", "audit.log");
-    if (!import_fs20.default.existsSync(logPath)) {
+    const logPath = import_path23.default.join(import_os18.default.homedir(), ".node9", "audit.log");
+    if (!import_fs21.default.existsSync(logPath)) {
       console.log(
         import_chalk8.default.yellow("No audit logs found. Run node9 with an agent to generate entries.")
       );
       return;
     }
-    const raw = import_fs20.default.readFileSync(logPath, "utf-8");
+    const raw = import_fs21.default.readFileSync(logPath, "utf-8");
     const lines = raw.split("\n").filter((l) => l.trim() !== "");
     let entries = lines.flatMap((line) => {
       try {
@@ -8346,14 +8716,14 @@ function registerDaemonCommand(program2) {
 // src/cli/commands/status.ts
 var import_chalk10 = __toESM(require("chalk"));
-var import_fs21 = __toESM(require("fs"));
-var import_path23 = __toESM(require("path"));
+var import_fs22 = __toESM(require("fs"));
+var import_path24 = __toESM(require("path"));
 var import_os19 = __toESM(require("os"));
 init_core();
 init_daemon();
 function readJson2(filePath) {
   try {
-    if (import_fs21.default.existsSync(filePath)) return JSON.parse(import_fs21.default.readFileSync(filePath, "utf-8"));
+    if (import_fs22.default.existsSync(filePath)) return JSON.parse(import_fs22.default.readFileSync(filePath, "utf-8"));
   } catch {
   }
   return null;
@@ -8418,13 +8788,13 @@ function registerStatusCommand(program2) {
     console.log("");
     const modeLabel = settings.mode === "audit" ? import_chalk10.default.blue("audit") : settings.mode === "strict" ? import_chalk10.default.red("strict") : import_chalk10.default.white("standard");
     console.log(`  Mode:    ${modeLabel}`);
-    const projectConfig = import_path23.default.join(process.cwd(), "node9.config.json");
-    const globalConfig = import_path23.default.join(import_os19.default.homedir(), ".node9", "config.json");
+    const projectConfig = import_path24.default.join(process.cwd(), "node9.config.json");
+    const globalConfig = import_path24.default.join(import_os19.default.homedir(), ".node9", "config.json");
     console.log(
-      `  Local:   ${import_fs21.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Local:   ${import_fs22.default.existsSync(projectConfig) ? import_chalk10.default.green("Active (node9.config.json)") : import_chalk10.default.gray("Not present")}`
     );
     console.log(
-      `  Global:  ${import_fs21.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
+      `  Global:  ${import_fs22.default.existsSync(globalConfig) ? import_chalk10.default.green("Active (~/.node9/config.json)") : import_chalk10.default.gray("Not present")}`
     );
     if (mergedConfig.policy.sandboxPaths.length > 0) {
       console.log(
@@ -8433,13 +8803,13 @@ function registerStatusCommand(program2) {
     }
     const homeDir2 = import_os19.default.homedir();
     const claudeSettings = readJson2(
-      import_path23.default.join(homeDir2, ".claude", "settings.json")
+      import_path24.default.join(homeDir2, ".claude", "settings.json")
     );
-    const claudeConfig = readJson2(import_path23.default.join(homeDir2, ".claude.json"));
+    const claudeConfig = readJson2(import_path24.default.join(homeDir2, ".claude.json"));
     const geminiSettings = readJson2(
-      import_path23.default.join(homeDir2, ".gemini", "settings.json")
+      import_path24.default.join(homeDir2, ".gemini", "settings.json")
     );
-    const cursorConfig = readJson2(import_path23.default.join(homeDir2, ".cursor", "mcp.json"));
+    const cursorConfig = readJson2(import_path24.default.join(homeDir2, ".cursor", "mcp.json"));
     const agentFound = claudeSettings || claudeConfig || geminiSettings || cursorConfig;
     if (agentFound) {
       console.log("");
@@ -8498,15 +8868,15 @@ function registerStatusCommand(program2) {
 // src/cli/commands/init.ts
 var import_chalk11 = __toESM(require("chalk"));
-var import_fs22 = __toESM(require("fs"));
-var import_path24 = __toESM(require("path"));
+var import_fs23 = __toESM(require("fs"));
+var import_path25 = __toESM(require("path"));
 var import_os20 = __toESM(require("os"));
 init_core();
 function registerInitCommand(program2) {
   program2.command("init").description("Set up Node9: create config and wire all detected AI agents").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").option("--skip-setup", "Only create config \u2014 do not wire AI agents").action(async (options) => {
     console.log(import_chalk11.default.cyan.bold("\n\u{1F6E1}\uFE0F  Node9 Init\n"));
-    const configPath = import_path24.default.join(import_os20.default.homedir(), ".node9", "config.json");
-    if (import_fs22.default.existsSync(configPath) && !options.force) {
+    const configPath = import_path25.default.join(import_os20.default.homedir(), ".node9", "config.json");
+    if (import_fs23.default.existsSync(configPath) && !options.force) {
       console.log(import_chalk11.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
     } else {
       const requestedMode = options.mode.toLowerCase();
@@ -8515,9 +8885,9 @@ function registerInitCommand(program2) {
         ...DEFAULT_CONFIG,
         settings: { ...DEFAULT_CONFIG.settings, mode: safeMode }
       };
-      const dir = import_path24.default.dirname(configPath);
-      if (!import_fs22.default.existsSync(dir)) import_fs22.default.mkdirSync(dir, { recursive: true });
-      import_fs22.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+      const dir = import_path25.default.dirname(configPath);
+      if (!import_fs23.default.existsSync(dir)) import_fs23.default.mkdirSync(dir, { recursive: true });
+      import_fs23.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
       console.log(import_chalk11.default.green(`\u2705 Config created: ${configPath}`));
       console.log(import_chalk11.default.gray(`   Mode: ${safeMode}`));
     }
@@ -8973,20 +9343,20 @@ function registerTrustCommand(program2) {
 // src/cli.ts
 var { version } = JSON.parse(
-  import_fs24.default.readFileSync(import_path26.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs25.default.readFileSync(import_path27.default.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new import_commander.Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path26.default.join(import_os22.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs24.default.existsSync(import_path26.default.dirname(credPath)))
-    import_fs24.default.mkdirSync(import_path26.default.dirname(credPath), { recursive: true });
+  const credPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs25.default.existsSync(import_path27.default.dirname(credPath)))
+    import_fs25.default.mkdirSync(import_path27.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (import_fs24.default.existsSync(credPath)) {
-      const raw = JSON.parse(import_fs24.default.readFileSync(credPath, "utf-8"));
+    if (import_fs25.default.existsSync(credPath)) {
+      const raw = JSON.parse(import_fs25.default.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -8998,13 +9368,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  import_fs24.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  import_fs25.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path26.default.join(import_os22.default.homedir(), ".node9", "config.json");
+    const configPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (import_fs24.default.existsSync(configPath))
-        config = JSON.parse(import_fs24.default.readFileSync(configPath, "utf-8"));
+      if (import_fs25.default.existsSync(configPath))
+        config = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -9019,9 +9389,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!import_fs24.default.existsSync(import_path26.default.dirname(configPath)))
-      import_fs24.default.mkdirSync(import_path26.default.dirname(configPath), { recursive: true });
-    import_fs24.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!import_fs25.default.existsSync(import_path27.default.dirname(configPath)))
+      import_fs25.default.mkdirSync(import_path27.default.dirname(configPath), { recursive: true });
+    import_fs25.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(import_chalk17.default.green(`\u2705 Profile "${profileName}" saved`));
@@ -9107,15 +9477,15 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
     }
   }
   if (options.purge) {
-    const node9Dir = import_path26.default.join(import_os22.default.homedir(), ".node9");
-    if (import_fs24.default.existsSync(node9Dir)) {
+    const node9Dir = import_path27.default.join(import_os22.default.homedir(), ".node9");
+    if (import_fs25.default.existsSync(node9Dir)) {
       const confirmed = await (0, import_prompts3.confirm)({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        import_fs24.default.rmSync(node9Dir, { recursive: true });
-        if (import_fs24.default.existsSync(node9Dir)) {
+        import_fs25.default.rmSync(node9Dir, { recursive: true });
+        if (import_fs25.default.existsSync(node9Dir)) {
           console.error(
             import_chalk17.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
@@ -9327,9 +9697,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = import_path26.default.join(import_os22.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path27.default.join(import_os22.default.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        import_fs24.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        import_fs25.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);