npm - @node9/proxy - Versions diffs - 1.5.5 → 1.7.0 - Mend

@node9/proxy 1.5.5 → 1.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js CHANGED Viewed

@@ -160,8 +160,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path30 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path30}: ${issue.message}`;
+    const path31 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path31}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -315,9 +315,9 @@ function readShieldsFile() {
       (e) => typeof e === "string" && e.length > 0 && e in SHIELDS
     ) : [];
     return { active, overrides: validateOverrides(parsed.overrides) };
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err)}
+  } catch (err2) {
+    if (err2.code !== "ENOENT") {
+      process.stderr.write(`[node9] Warning: could not read shields state: ${String(err2)}
 `);
     }
     return { active: [] };
@@ -733,8 +733,8 @@ function tryLoadConfig(filePath) {
   let raw;
   try {
     raw = JSON.parse(import_fs3.default.readFileSync(filePath, "utf-8"));
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
+  } catch (err2) {
+    const msg = err2 instanceof Error ? err2.message : String(err2);
     process.stderr.write(
       `
 \u26A0\uFE0F  Node9: Failed to parse ${filePath}
@@ -799,7 +799,7 @@ var init_config = __esm({
     DEFAULT_CONFIG = {
       version: "1.0",
       settings: {
-        mode: "audit",
+        mode: "standard",
         autoStartDaemon: true,
         enableUndo: true,
         // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
@@ -1064,10 +1064,10 @@ function getCompiledRegex(pattern, flags = "") {
     regexCache.set(key, cached);
     return cached;
   }
-  const err = validateRegex(pattern);
-  if (err) {
+  const err2 = validateRegex(pattern);
+  if (err2) {
     if (process.env.NODE9_DEBUG === "1")
-      console.error(`[Node9] Regex blocked: ${err} \u2014 pattern: "${pattern}"`);
+      console.error(`[Node9] Regex blocked: ${err2} \u2014 pattern: "${pattern}"`);
     return null;
   }
   try {
@@ -1101,8 +1101,8 @@ function scanFilePath(filePath, cwd = process.cwd()) {
   try {
     const absolute = import_path4.default.resolve(cwd, filePath);
     resolved = import_fs4.default.realpathSync.native(absolute);
-  } catch (err) {
-    const code = err.code;
+  } catch (err2) {
+    const code = err2.code;
     if (code === "ENOENT" || code === "ENOTDIR") {
       resolved = import_path4.default.resolve(cwd, filePath);
     } else {
@@ -1774,9 +1774,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path30) {
+function getNestedValue(obj, path31) {
   if (!obj || typeof obj !== "object") return null;
-  return path30.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path31.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function shouldSnapshot(toolName, args, config) {
   if (!config.settings.enableUndo) return false;
@@ -2428,9 +2428,9 @@ function writeTrustSession(toolName, durationMs) {
     trust.entries = trust.entries.filter((e) => e.tool !== toolName && e.expiry > now);
     trust.entries.push({ tool: toolName, expiry: now + durationMs });
     atomicWriteSync(TRUST_FILE, JSON.stringify(trust, null, 2));
-  } catch (err) {
+  } catch (err2) {
     if (process.env.NODE9_DEBUG === "1") {
-      console.error("[Node9 Trust Error]:", err);
+      console.error("[Node9 Trust Error]:", err2);
     }
   }
 }
@@ -2627,13 +2627,13 @@ async function checkTaint(paths) {
       signal: AbortSignal.timeout(2e3)
     });
     return await res.json();
-  } catch (err) {
+  } catch (err2) {
     try {
       const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
       appendToLog2(HOOK_DEBUG_LOG2, {
         ts: (/* @__PURE__ */ new Date()).toISOString(),
         event: "checkTaint-error",
-        error: String(err),
+        error: String(err2),
         paths
       });
     } catch {
@@ -3128,10 +3128,10 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 `
       );
     }
-  } catch (err) {
+  } catch (err2) {
     import_fs10.default.appendFileSync(
       HOOK_DEBUG_LOG,
-      `[resolve-cloud] PATCH failed for ${requestId}: ${err.message}
+      `[resolve-cloud] PATCH failed for ${requestId}: ${err2.message}
 `
     );
   }
@@ -3198,6 +3198,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
       await notifyActivity({
         id: actId,
         tool: toolName,
+        args,
         ts: actTs,
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel,
@@ -3501,10 +3502,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             blockedBy: cloudResult.approved ? void 0 : "team-policy",
             blockedByLabel: "Organization Policy (SaaS)"
           };
-        } catch (err) {
-          const error = err;
-          if (error.name === "AbortError" || error.message?.includes("Aborted")) throw err;
-          throw err;
+        } catch (err2) {
+          const error = err2;
+          if (error.name === "AbortError" || error.message?.includes("Aborted")) throw err2;
+          throw err2;
         }
       })()
     );
@@ -3597,10 +3598,10 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       }
     };
     for (const p of racePromises) {
-      p.then(finish).catch((err) => {
-        if (err.name === "AbortError" || err.message?.includes("canceled") || err.message?.includes("Aborted"))
+      p.then(finish).catch((err2) => {
+        if (err2.name === "AbortError" || err2.message?.includes("canceled") || err2.message?.includes("Aborted"))
           return;
-        if (err.message === "Abandoned") {
+        if (err2.message === "Abandoned") {
           finish({
             approved: false,
             reason: "Browser dashboard closed without making a decision.",
@@ -5476,6 +5477,7 @@ var init_session_counters = __esm({
       _blocked = 0;
       _dlpHits = 0;
       _wouldBlock = 0;
+      _estimatedCost = 0;
       _lastRuleHit = null;
       _lastBlockedTool = null;
       incrementAllowed() {
@@ -5490,6 +5492,10 @@ var init_session_counters = __esm({
       incrementWouldBlock() {
         this._wouldBlock++;
       }
+      addCost(amount) {
+        if (!isFinite(amount) || amount < 0) return;
+        this._estimatedCost += amount;
+      }
       recordRuleHit(label) {
         this._lastRuleHit = label;
       }
@@ -5502,6 +5508,7 @@ var init_session_counters = __esm({
           blocked: this._blocked,
           dlpHits: this._dlpHits,
           wouldBlock: this._wouldBlock,
+          estimatedCost: this._estimatedCost,
           lastRuleHit: this._lastRuleHit,
           lastBlockedTool: this._lastBlockedTool
         };
@@ -5511,6 +5518,7 @@ var init_session_counters = __esm({
         this._blocked = 0;
         this._dlpHits = 0;
         this._wouldBlock = 0;
+        this._estimatedCost = 0;
         this._lastRuleHit = null;
         this._lastBlockedTool = null;
       }
@@ -5615,21 +5623,21 @@ function atomicWriteSync2(filePath, data, options) {
   const tmpPath = `${filePath}.${(0, import_crypto5.randomUUID)()}.tmp`;
   try {
     import_fs13.default.writeFileSync(tmpPath, data, options);
-  } catch (err) {
+  } catch (err2) {
     try {
       import_fs13.default.unlinkSync(tmpPath);
     } catch {
     }
-    throw err;
+    throw err2;
   }
   try {
     import_fs13.default.renameSync(tmpPath, filePath);
-  } catch (err) {
+  } catch (err2) {
     try {
       import_fs13.default.unlinkSync(tmpPath);
     } catch {
     }
-    throw err;
+    throw err2;
   }
 }
 function redactArgs(value) {
@@ -5735,15 +5743,38 @@ function openBrowser(url) {
   } catch {
   }
 }
+function estimateToolCost(tool, args) {
+  const a = args ?? {};
+  const t = tool.toLowerCase().replace(/[^a-z_]/g, "_");
+  if (t.includes("read") || t === "glob" || t === "grep") {
+    const filePath = a.file_path ?? a.path;
+    if (filePath) {
+      try {
+        const bytes = import_fs13.default.statSync(filePath).size;
+        return bytes / BYTES_PER_TOKEN / 1e6 * INPUT_PRICE_PER_1M;
+      } catch {
+      }
+    }
+  }
+  if (t.includes("write")) {
+    const content = a.content ?? "";
+    return String(content).length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
+  }
+  if (t.includes("edit") || t === "str_replace_based_edit_tool") {
+    const newStr = a.new_string ?? "";
+    return String(newStr).length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
+  }
+  return void 0;
+}
 function broadcast(event, data) {
   if (event === "activity") {
     activityRing.push({ event, data });
     if (activityRing.length > ACTIVITY_RING_SIZE) activityRing.shift();
   } else if (event === "activity-result") {
-    const { id, status, label } = data;
+    const { id, status, label, costEstimate } = data;
     for (let i = activityRing.length - 1; i >= 0; i--) {
       if (activityRing[i].data.id === id) {
-        Object.assign(activityRing[i].data, { status, label });
+        Object.assign(activityRing[i].data, { status, label, costEstimate });
         break;
       }
     }
@@ -5808,6 +5839,16 @@ function startActivitySocket() {
           sessionHistory.recordTestFail(data.ts);
           return;
         }
+        if (data.status === "snapshot") {
+          broadcast("snapshot", {
+            hash: data.hash,
+            tool: data.tool,
+            argsSummary: data.argsSummary,
+            fileCount: data.fileCount,
+            ts: data.ts
+          });
+          return;
+        }
         if (data.status === "pending") {
           broadcast("activity", {
             id: data.id,
@@ -5835,10 +5876,13 @@ function startActivitySocket() {
             sessionCounters.incrementBlocked();
             sessionCounters.recordBlockedTool(data.tool);
           }
+          const costEstimate = data.status === "allow" ? estimateToolCost(data.tool, data.args) : void 0;
+          if (costEstimate != null && costEstimate > 0) sessionCounters.addCost(costEstimate);
           broadcast("activity-result", {
             id: data.id,
             status: data.status,
-            label: data.label
+            label: data.label,
+            costEstimate
           });
         }
       } catch {
@@ -5855,7 +5899,7 @@ function startActivitySocket() {
     }
   });
 }
-var import_net2, import_fs13, import_path16, import_os11, import_child_process3, import_crypto5, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE, WRITE_TOOL_NAMES;
+var import_net2, import_fs13, import_path16, import_os11, import_child_process3, import_crypto5, homeDir, DAEMON_PID_FILE, DECISIONS_FILE, AUDIT_LOG_FILE, TRUST_FILE2, GLOBAL_CONFIG_FILE, CREDENTIALS_FILE, INSIGHT_COUNTS_FILE, pending, sseClients, suggestionTracker, suggestions, taintStore, insightCounts, _abandonTimer, _hadBrowserClient, _daemonServer, daemonRejectionHandlerRegistered, AUTO_DENY_MS, TRUST_DURATIONS, autoStarted, ACTIVITY_SOCKET_PATH2, ACTIVITY_RING_SIZE, activityRing, SECRET_KEY_RE, INPUT_PRICE_PER_1M, OUTPUT_PRICE_PER_1M, BYTES_PER_TOKEN, WRITE_TOOL_NAMES;
 var init_state2 = __esm({
   "src/daemon/state.ts"() {
     "use strict";
@@ -5899,6 +5943,9 @@ var init_state2 = __esm({
     ACTIVITY_RING_SIZE = 100;
     activityRing = [];
     SECRET_KEY_RE = /password|secret|token|key|apikey|credential|auth/i;
+    INPUT_PRICE_PER_1M = 3;
+    OUTPUT_PRICE_PER_1M = 15;
+    BYTES_PER_TOKEN = 4;
     WRITE_TOOL_NAMES = /* @__PURE__ */ new Set([
       "write",
       "write_file",
@@ -5942,21 +5989,21 @@ function patchConfig(configPath, patch) {
   const tmp = configPath + ".node9-tmp";
   try {
     import_fs14.default.writeFileSync(tmp, JSON.stringify(config, null, 2), { mode: 384 });
-  } catch (err) {
+  } catch (err2) {
     try {
       import_fs14.default.unlinkSync(tmp);
     } catch {
     }
-    throw err;
+    throw err2;
   }
   try {
     import_fs14.default.renameSync(tmp, configPath);
-  } catch (err) {
+  } catch (err2) {
     try {
       import_fs14.default.unlinkSync(tmp);
     } catch {
     }
-    throw err;
+    throw err2;
   }
 }
 var import_fs14, import_path17, import_os12, GLOBAL_CONFIG_PATH;
@@ -6208,11 +6255,11 @@ data: ${JSON.stringify(item.data)}
             e.earlyDecision = decision;
             e.earlyReason = result.reason;
           }
-        }).catch((err) => {
+        }).catch((err2) => {
           const e = pending.get(id);
           if (!e) return;
           clearTimeout(e.timer);
-          const reason = err?.reason || "No response \u2014 request timed out";
+          const reason = err2?.reason || "No response \u2014 request timed out";
           if (e.waiter) e.waiter("deny", reason);
           else {
             e.earlyDecision = "deny";
@@ -6339,8 +6386,8 @@ data: ${JSON.stringify(item.data)}
         const s = getGlobalSettings();
         res.writeHead(200, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ ...s, autoStarted }));
-      } catch (err) {
-        console.error(import_chalk2.default.red("[node9 daemon] GET /settings failed:"), err);
+      } catch (err2) {
+        console.error(import_chalk2.default.red("[node9 daemon] GET /settings failed:"), err2);
         res.writeHead(500, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ error: "internal" }));
       }
@@ -6356,7 +6403,8 @@ data: ${JSON.stringify(item.data)}
             allowed: counters.allowed,
             blocked: counters.blocked,
             dlpHits: counters.dlpHits,
-            wouldBlock: counters.wouldBlock
+            wouldBlock: counters.wouldBlock,
+            estimatedCost: counters.estimatedCost
           },
           taintedCount: taintStore.list().length,
           lastRuleHit: counters.lastRuleHit,
@@ -6364,8 +6412,8 @@ data: ${JSON.stringify(item.data)}
         };
         res.writeHead(200, { "Content-Type": "application/json" });
         return res.end(JSON.stringify(status));
-      } catch (err) {
-        console.error(import_chalk2.default.red("[node9 daemon] GET /status failed:"), err);
+      } catch (err2) {
+        console.error(import_chalk2.default.red("[node9 daemon] GET /status failed:"), err2);
         res.writeHead(500, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ error: "internal" }));
       }
@@ -6405,8 +6453,8 @@ data: ${JSON.stringify(item.data)}
         const s = getGlobalSettings();
         res.writeHead(200, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ hasKey: hasStoredSlackKey(), enabled: s.slackEnabled }));
-      } catch (err) {
-        console.error(import_chalk2.default.red("[node9 daemon] GET /slack-status failed:"), err);
+      } catch (err2) {
+        console.error(import_chalk2.default.red("[node9 daemon] GET /slack-status failed:"), err2);
         res.writeHead(500, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ error: "internal" }));
       }
@@ -6488,6 +6536,7 @@ data: ${JSON.stringify(item.data)}
     }
     if (req.method === "POST" && pathname === "/events/clear") {
       activityRing.length = 0;
+      sessionCounters.reset();
       res.writeHead(200, { "Content-Type": "application/json" });
       return res.end(JSON.stringify({ ok: true }));
     }
@@ -6566,10 +6615,10 @@ data: ${JSON.stringify(item.data)}
         broadcast("suggestion:resolved", { id, status: "applied" });
         res.writeHead(200, { "Content-Type": "application/json" });
         return res.end(JSON.stringify({ ok: true }));
-      } catch (err) {
-        console.error(import_chalk2.default.red("[node9 daemon] POST /suggestions/:id/apply failed:"), err);
+      } catch (err2) {
+        console.error(import_chalk2.default.red("[node9 daemon] POST /suggestions/:id/apply failed:"), err2);
         res.writeHead(500, { "Content-Type": "application/json" });
-        return res.end(JSON.stringify({ error: String(err) }));
+        return res.end(JSON.stringify({ error: String(err2) }));
       }
     }
     if (req.method === "POST" && pathname.startsWith("/suggestions/") && pathname.endsWith("/dismiss")) {
@@ -6801,7 +6850,7 @@ function formatBase(activity) {
   const time = new Date(activity.ts).toLocaleTimeString([], { hour12: false });
   const icon = getIcon(activity.tool);
   const toolName = activity.tool.slice(0, 16).padEnd(16);
-  const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ");
+  const argsStr = JSON.stringify(activity.args ?? {}).replace(/\s+/g, " ").replaceAll(import_os21.default.homedir(), "~");
   const argsPreview = argsStr.length > 70 ? argsStr.slice(0, 70) + "\u2026" : argsStr;
   return `${import_chalk17.default.gray(time)} ${icon} ${import_chalk17.default.white.bold(toolName)} ${import_chalk17.default.dim(argsPreview)}`;
 }
@@ -6815,11 +6864,13 @@ function renderResult(activity, result) {
   } else {
     status = import_chalk17.default.red("\u2717 BLOCK");
   }
+  const cost = result.costEstimate ?? activity.costEstimate;
+  const costSuffix = cost == null ? "" : import_chalk17.default.dim(`  ~$${cost >= 1e-3 ? cost.toFixed(3) : "0.000"}`);
   if (process.stdout.isTTY) {
-    import_readline4.default.clearLine(process.stdout, 0);
-    import_readline4.default.cursorTo(process.stdout, 0);
+    import_readline5.default.clearLine(process.stdout, 0);
+    import_readline5.default.cursorTo(process.stdout, 0);
   }
-  console.log(`${base}  ${status}`);
+  console.log(`${base}  ${status}${costSuffix}`);
 }
 function renderPending(activity) {
   if (!process.stdout.isTTY) return;
@@ -6827,9 +6878,9 @@ function renderPending(activity) {
 }
 async function ensureDaemon() {
   let pidPort = null;
-  if (import_fs24.default.existsSync(PID_FILE)) {
+  if (import_fs25.default.existsSync(PID_FILE)) {
     try {
-      const { port } = JSON.parse(import_fs24.default.readFileSync(PID_FILE, "utf-8"));
+      const { port } = JSON.parse(import_fs25.default.readFileSync(PID_FILE, "utf-8"));
       pidPort = port;
     } catch {
       console.error(import_chalk17.default.dim("\u26A0\uFE0F  Could not read PID file; falling back to default port."));
@@ -6948,6 +6999,39 @@ function buildRecoveryCardLines(req) {
     ``
   ];
 }
+function readApproversFromDisk() {
+  const configPath = import_path28.default.join(import_os21.default.homedir(), ".node9", "config.json");
+  try {
+    const raw = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
+    const settings = raw.settings ?? {};
+    return settings.approvers ?? {};
+  } catch {
+    return {};
+  }
+}
+function approverStatusLine() {
+  const a = readApproversFromDisk();
+  const fmt = (label, key) => {
+    const on = a[key] !== false;
+    return `[${key[0]}]${label.slice(1)} ${on ? import_chalk17.default.green("\u2713") : import_chalk17.default.dim("\u2717")}`;
+  };
+  return `${fmt("native", "native")}  ${fmt("browser", "browser")}  ${fmt("cloud", "cloud")}  ${fmt("terminal", "terminal")}`;
+}
+function toggleApprover(channel) {
+  const configPath = import_path28.default.join(import_os21.default.homedir(), ".node9", "config.json");
+  try {
+    const raw = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
+    const settings = raw.settings ?? {};
+    const approvers = settings.approvers ?? {};
+    approvers[channel] = approvers[channel] === false;
+    settings.approvers = approvers;
+    raw.settings = settings;
+    import_fs25.default.writeFileSync(configPath, JSON.stringify(raw, null, 2) + "\n");
+  } catch (err2) {
+    process.stderr.write(`[node9] toggleApprover failed: ${String(err2)}
+`);
+  }
+}
 async function startTail(options = {}) {
   const port = await ensureDaemon();
   if (options.clear) {
@@ -6966,7 +7050,7 @@ async function startTail(options = {}) {
           res.resume();
         }
       );
-      req2.once("error", (err) => resolve({ ok: false, code: err.code }));
+      req2.once("error", (err2) => resolve({ ok: false, code: err2.code }));
       req2.setTimeout(2e3, () => {
         resolve({ ok: false, code: "ETIMEDOUT" });
         req2.destroy();
@@ -6993,10 +7077,48 @@ async function startTail(options = {}) {
   let cancelActiveCard = null;
   const localAllowCounts = /* @__PURE__ */ new Map();
   const canApprove = process.stdout.isTTY && process.stdin.isTTY;
-  if (canApprove) import_readline4.default.emitKeypressEvents(process.stdin);
+  if (canApprove) import_readline5.default.emitKeypressEvents(process.stdin);
+  let idleKeypressHandler = null;
+  function enterIdleMode() {
+    if (!canApprove || idleKeypressHandler !== null) return;
+    try {
+      process.stdin.setRawMode(true);
+    } catch {
+      return;
+    }
+    process.stdin.resume();
+    idleKeypressHandler = (_str, key) => {
+      const name = key?.name ?? "";
+      if (key?.ctrl && name === "c") {
+        process.kill(process.pid, "SIGINT");
+        return;
+      }
+      if (name === "q") {
+        process.kill(process.pid, "SIGINT");
+        return;
+      }
+      const channel = name === "n" ? "native" : name === "b" ? "browser" : name === "c" ? "cloud" : name === "t" ? "terminal" : null;
+      if (channel) {
+        toggleApprover(channel);
+        console.log(import_chalk17.default.dim(`  Approvers: ${approverStatusLine()}`));
+      }
+    };
+    process.stdin.on("keypress", idleKeypressHandler);
+  }
+  function exitIdleMode() {
+    if (idleKeypressHandler) {
+      process.stdin.removeListener("keypress", idleKeypressHandler);
+      idleKeypressHandler = null;
+    }
+    try {
+      process.stdin.setRawMode(false);
+    } catch {
+    }
+    process.stdin.pause();
+  }
   function clearCard() {
     if (cardLineCount > 0) {
-      import_readline4.default.moveCursor(process.stdout, 0, -cardLineCount);
+      import_readline5.default.moveCursor(process.stdout, 0, -cardLineCount);
       process.stdout.write(ERASE_DOWN);
       cardLineCount = 0;
     }
@@ -7012,10 +7134,12 @@ async function startTail(options = {}) {
   }
   function showNextCard() {
     if (cardActive || approvalQueue.length === 0 || !canApprove) return;
+    exitIdleMode();
     try {
       process.stdin.setRawMode(true);
     } catch {
       cardActive = false;
+      enterIdleMode();
       return;
     }
     cardActive = true;
@@ -7027,12 +7151,8 @@ async function startTail(options = {}) {
       const handler = onKeypress;
       onKeypress = null;
       if (handler) process.stdin.removeListener("keypress", handler);
-      try {
-        process.stdin.setRawMode(false);
-      } catch {
-      }
-      process.stdin.pause();
       cancelActiveCard = null;
+      enterIdleMode();
     };
     const settle = (action) => {
       if (settled) return;
@@ -7072,11 +7192,11 @@ async function startTail(options = {}) {
       } else {
         httpDecision = action;
       }
-      postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err) => {
+      postDecisionHttp(req2.id, httpDecision, csrfToken, port, httpOpts).catch((err2) => {
         try {
-          import_fs24.default.appendFileSync(
-            import_path27.default.join(import_os20.default.homedir(), ".node9", "hook-debug.log"),
-            `[tail] POST /decision failed: ${String(err)}
+          import_fs25.default.appendFileSync(
+            import_path28.default.join(import_os21.default.homedir(), ".node9", "hook-debug.log"),
+            `[tail] POST /decision failed: ${String(err2)}
 `
           );
         } catch {
@@ -7159,23 +7279,21 @@ async function startTail(options = {}) {
   console.log(import_chalk17.default.cyan.bold(`
 \u{1F6F0}\uFE0F  Node9 tail  `) + import_chalk17.default.dim(`\u2192 ${dashboardUrl}`));
   if (canApprove) {
-    console.log(
-      import_chalk17.default.dim("Interactive approvals: [\u21B5/y] Allow  [n] Deny  [a] Always Allow  [t] Trust 30m")
-    );
+    console.log(import_chalk17.default.dim("Card: [\u21B5/y] Allow  [n] Deny  [a] Always  [t] Trust 30m"));
+    console.log(import_chalk17.default.dim(`Approvers (toggle): ${approverStatusLine()}  [q] quit`));
   }
   if (options.history) {
-    console.log(import_chalk17.default.dim("Showing history + live events. Press Ctrl+C to exit.\n"));
+    console.log(import_chalk17.default.dim("Showing history + live events.\n"));
   } else {
-    console.log(
-      import_chalk17.default.dim("Showing live events only. Use --history to include past. Press Ctrl+C to exit.\n")
-    );
+    console.log(import_chalk17.default.dim("Showing live events only. Use --history to include past.\n"));
   }
   process.on("SIGINT", () => {
+    exitIdleMode();
     clearCard();
     process.stdout.write(SHOW_CURSOR);
     if (process.stdout.isTTY) {
-      import_readline4.default.clearLine(process.stdout, 0);
-      import_readline4.default.cursorTo(process.stdout, 0);
+      import_readline5.default.clearLine(process.stdout, 0);
+      import_readline5.default.cursorTo(process.stdout, 0);
     }
     console.log(import_chalk17.default.dim("\n\u{1F6F0}\uFE0F  Disconnected."));
     process.exit(0);
@@ -7186,11 +7304,12 @@ async function startTail(options = {}) {
       console.error(import_chalk17.default.red(`Failed to connect: HTTP ${res.statusCode}`));
       process.exit(1);
     }
+    if (canApprove) enterIdleMode();
     let currentEvent = "";
     let currentData = "";
     res.on("error", () => {
     });
-    const rl = import_readline4.default.createInterface({ input: res, crlfDelay: Infinity });
+    const rl = import_readline5.default.createInterface({ input: res, crlfDelay: Infinity });
     rl.on("error", () => {
     });
     rl.on("line", (line) => {
@@ -7210,8 +7329,8 @@ async function startTail(options = {}) {
       clearCard();
       process.stdout.write(SHOW_CURSOR);
       if (process.stdout.isTTY) {
-        import_readline4.default.clearLine(process.stdout, 0);
-        import_readline4.default.cursorTo(process.stdout, 0);
+        import_readline5.default.clearLine(process.stdout, 0);
+        import_readline5.default.cursorTo(process.stdout, 0);
       }
       console.log(import_chalk17.default.red("\n\u274C Daemon disconnected."));
       process.exit(1);
@@ -7289,6 +7408,18 @@ async function startTail(options = {}) {
       const slowTool = /bash|shell|query|sql|agent/i.test(data.tool);
       if (slowTool) renderPending(data);
     }
+    if (event === "snapshot") {
+      const time = new Date(data.ts).toLocaleTimeString([], { hour12: false });
+      const hash = data.hash ?? "";
+      const summary = data.argsSummary ?? data.tool;
+      const fileCount = data.fileCount ?? 0;
+      const files = fileCount > 0 ? import_chalk17.default.dim(` \xB7 ${fileCount} file${fileCount === 1 ? "" : "s"}`) : "";
+      process.stdout.write(
+        `${import_chalk17.default.dim(time)}  ${import_chalk17.default.cyan("\u{1F4F8} snapshot")}  ${import_chalk17.default.dim(hash)}  ${summary}${files}
+`
+      );
+      return;
+    }
     if (event === "activity-result") {
       const original = activityPending.get(data.id);
       if (original) {
@@ -7297,28 +7428,28 @@ async function startTail(options = {}) {
       }
     }
   }
-  req.on("error", (err) => {
-    const msg = err.code === "ECONNREFUSED" ? "Daemon is not running. Start it with: node9 daemon start" : err.message;
+  req.on("error", (err2) => {
+    const msg = err2.code === "ECONNREFUSED" ? "Daemon is not running. Start it with: node9 daemon start" : err2.message;
     console.error(import_chalk17.default.red(`
 \u274C ${msg}`));
     process.exit(1);
   });
 }
-var import_http2, import_chalk17, import_fs24, import_os20, import_path27, import_readline4, import_child_process13, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, DIVIDER;
+var import_http2, import_chalk17, import_fs25, import_os21, import_path28, import_readline5, import_child_process13, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, DIVIDER;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
     import_http2 = __toESM(require("http"));
     import_chalk17 = __toESM(require("chalk"));
-    import_fs24 = __toESM(require("fs"));
-    import_os20 = __toESM(require("os"));
-    import_path27 = __toESM(require("path"));
-    import_readline4 = __toESM(require("readline"));
+    import_fs25 = __toESM(require("fs"));
+    import_os21 = __toESM(require("os"));
+    import_path28 = __toESM(require("path"));
+    import_readline5 = __toESM(require("readline"));
     import_child_process13 = require("child_process");
     init_daemon2();
     init_daemon();
     init_core();
-    PID_FILE = import_path27.default.join(import_os20.default.homedir(), ".node9", "daemon.pid");
+    PID_FILE = import_path28.default.join(import_os21.default.homedir(), ".node9", "daemon.pid");
     ICONS = {
       bash: "\u{1F4BB}",
       shell: "\u{1F4BB}",
@@ -7431,9 +7562,9 @@ function formatTimeLeft(resetsAt) {
   return ` (${m}m left)`;
 }
 function safeReadJson(filePath) {
-  if (!import_fs25.default.existsSync(filePath)) return null;
+  if (!import_fs26.default.existsSync(filePath)) return null;
   try {
-    return JSON.parse(import_fs25.default.readFileSync(filePath, "utf-8"));
+    return JSON.parse(import_fs26.default.readFileSync(filePath, "utf-8"));
   } catch {
     return null;
   }
@@ -7454,12 +7585,12 @@ function countHooksInFile(filePath) {
   return Object.keys(cfg.hooks).length;
 }
 function countRulesInDir(rulesDir) {
-  if (!import_fs25.default.existsSync(rulesDir)) return 0;
+  if (!import_fs26.default.existsSync(rulesDir)) return 0;
   let count = 0;
   try {
-    for (const entry of import_fs25.default.readdirSync(rulesDir, { withFileTypes: true })) {
+    for (const entry of import_fs26.default.readdirSync(rulesDir, { withFileTypes: true })) {
       if (entry.isDirectory()) {
-        count += countRulesInDir(import_path28.default.join(rulesDir, entry.name));
+        count += countRulesInDir(import_path29.default.join(rulesDir, entry.name));
       } else if (entry.isFile() && entry.name.endsWith(".md")) {
         count++;
       }
@@ -7470,46 +7601,46 @@ function countRulesInDir(rulesDir) {
 }
 function isSamePath(a, b) {
   try {
-    return import_path28.default.resolve(a) === import_path28.default.resolve(b);
+    return import_path29.default.resolve(a) === import_path29.default.resolve(b);
   } catch {
     return false;
   }
 }
 function countConfigs(cwd) {
-  const homeDir2 = import_os21.default.homedir();
-  const claudeDir = import_path28.default.join(homeDir2, ".claude");
+  const homeDir2 = import_os22.default.homedir();
+  const claudeDir = import_path29.default.join(homeDir2, ".claude");
   let claudeMdCount = 0;
   let rulesCount = 0;
   let hooksCount = 0;
   const userMcpServers = /* @__PURE__ */ new Set();
   const projectMcpServers = /* @__PURE__ */ new Set();
-  if (import_fs25.default.existsSync(import_path28.default.join(claudeDir, "CLAUDE.md"))) claudeMdCount++;
-  rulesCount += countRulesInDir(import_path28.default.join(claudeDir, "rules"));
-  const userSettings = import_path28.default.join(claudeDir, "settings.json");
+  if (import_fs26.default.existsSync(import_path29.default.join(claudeDir, "CLAUDE.md"))) claudeMdCount++;
+  rulesCount += countRulesInDir(import_path29.default.join(claudeDir, "rules"));
+  const userSettings = import_path29.default.join(claudeDir, "settings.json");
   for (const name of getMcpServerNames(userSettings)) userMcpServers.add(name);
   hooksCount += countHooksInFile(userSettings);
-  const userClaudeJson = import_path28.default.join(homeDir2, ".claude.json");
+  const userClaudeJson = import_path29.default.join(homeDir2, ".claude.json");
   for (const name of getMcpServerNames(userClaudeJson)) userMcpServers.add(name);
   for (const name of getDisabledMcpServers(userClaudeJson, "disabledMcpServers")) {
     userMcpServers.delete(name);
   }
   if (cwd) {
-    if (import_fs25.default.existsSync(import_path28.default.join(cwd, "CLAUDE.md"))) claudeMdCount++;
-    if (import_fs25.default.existsSync(import_path28.default.join(cwd, "CLAUDE.local.md"))) claudeMdCount++;
-    const projectClaudeDir = import_path28.default.join(cwd, ".claude");
+    if (import_fs26.default.existsSync(import_path29.default.join(cwd, "CLAUDE.md"))) claudeMdCount++;
+    if (import_fs26.default.existsSync(import_path29.default.join(cwd, "CLAUDE.local.md"))) claudeMdCount++;
+    const projectClaudeDir = import_path29.default.join(cwd, ".claude");
     const overlapsUserScope = isSamePath(projectClaudeDir, claudeDir);
     if (!overlapsUserScope) {
-      if (import_fs25.default.existsSync(import_path28.default.join(projectClaudeDir, "CLAUDE.md"))) claudeMdCount++;
-      rulesCount += countRulesInDir(import_path28.default.join(projectClaudeDir, "rules"));
-      const projSettings = import_path28.default.join(projectClaudeDir, "settings.json");
+      if (import_fs26.default.existsSync(import_path29.default.join(projectClaudeDir, "CLAUDE.md"))) claudeMdCount++;
+      rulesCount += countRulesInDir(import_path29.default.join(projectClaudeDir, "rules"));
+      const projSettings = import_path29.default.join(projectClaudeDir, "settings.json");
       for (const name of getMcpServerNames(projSettings)) projectMcpServers.add(name);
       hooksCount += countHooksInFile(projSettings);
     }
-    if (import_fs25.default.existsSync(import_path28.default.join(projectClaudeDir, "CLAUDE.local.md"))) claudeMdCount++;
-    const localSettings = import_path28.default.join(projectClaudeDir, "settings.local.json");
+    if (import_fs26.default.existsSync(import_path29.default.join(projectClaudeDir, "CLAUDE.local.md"))) claudeMdCount++;
+    const localSettings = import_path29.default.join(projectClaudeDir, "settings.local.json");
     for (const name of getMcpServerNames(localSettings)) projectMcpServers.add(name);
     hooksCount += countHooksInFile(localSettings);
-    const mcpJsonServers = getMcpServerNames(import_path28.default.join(cwd, ".mcp.json"));
+    const mcpJsonServers = getMcpServerNames(import_path29.default.join(cwd, ".mcp.json"));
     const disabledMcpJson = getDisabledMcpServers(localSettings, "disabledMcpjsonServers");
     for (const name of disabledMcpJson) mcpJsonServers.delete(name);
     for (const name of mcpJsonServers) projectMcpServers.add(name);
@@ -7567,6 +7698,11 @@ function renderSecurityLine(status) {
       parts.push(color(RED2, `\u{1F6A8} ${status.session.dlpHits} dlp`));
     }
   }
+  if (status.session.estimatedCost > 0) {
+    const cost = status.session.estimatedCost;
+    const costStr = cost >= 0.01 ? `$${cost.toFixed(2)}` : cost >= 1e-3 ? `$${cost.toFixed(3)}` : "<$0.001";
+    parts.push(color(DIM, `~${costStr}`));
+  }
   if (status.taintedCount > 0) {
     parts.push(color(YELLOW2, `\u{1F4A7} ${status.taintedCount} tainted`));
   }
@@ -7622,11 +7758,11 @@ async function main() {
       try {
         const cwd = stdin.cwd ?? process.cwd();
         for (const configPath of [
-          import_path28.default.join(cwd, "node9.config.json"),
-          import_path28.default.join(import_os21.default.homedir(), ".node9", "config.json")
+          import_path29.default.join(cwd, "node9.config.json"),
+          import_path29.default.join(import_os22.default.homedir(), ".node9", "config.json")
         ]) {
-          if (!import_fs25.default.existsSync(configPath)) continue;
-          const cfg = JSON.parse(import_fs25.default.readFileSync(configPath, "utf-8"));
+          if (!import_fs26.default.existsSync(configPath)) continue;
+          const cfg = JSON.parse(import_fs26.default.readFileSync(configPath, "utf-8"));
           const hud = cfg.settings?.hud;
           if (hud && "showEnvironmentCounts" in hud) return hud.showEnvironmentCounts !== false;
         }
@@ -7644,13 +7780,13 @@ async function main() {
     renderOffline();
   }
 }
-var import_fs25, import_path28, import_os21, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH;
+var import_fs26, import_path29, import_os22, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH;
 var init_hud = __esm({
   "src/cli/hud.ts"() {
     "use strict";
-    import_fs25 = __toESM(require("fs"));
-    import_path28 = __toESM(require("path"));
-    import_os21 = __toESM(require("os"));
+    import_fs26 = __toESM(require("fs"));
+    import_path29 = __toESM(require("path"));
+    import_os22 = __toESM(require("os"));
     import_http3 = __toESM(require("http"));
     init_daemon();
     RESET3 = "\x1B[0m";
@@ -7679,6 +7815,16 @@ var import_path14 = __toESM(require("path"));
 var import_os10 = __toESM(require("os"));
 var import_chalk = __toESM(require("chalk"));
 var import_prompts = require("@inquirer/prompts");
+var NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
+function hasNode9McpServer(servers) {
+  const entry = servers["node9"];
+  return !!entry && entry.command === "node9" && Array.isArray(entry.args) && entry.args[0] === "mcp-server";
+}
+function removeNode9McpServer(servers) {
+  if (!hasNode9McpServer(servers)) return false;
+  delete servers["node9"];
+  return true;
+}
 function printDaemonTip() {
   console.log(
     import_chalk.default.cyan("\n   \u{1F4A1} Node9 will protect you automatically using Native OS popups.") + import_chalk.default.white("\n      To view your history or manage persistent rules, run:") + import_chalk.default.green("\n      node9 daemon --openui")
@@ -7736,6 +7882,10 @@ function teardownClaude() {
   const claudeConfig = readJson(mcpPath);
   if (claudeConfig?.mcpServers) {
     let mcpChanged = false;
+    if (removeNode9McpServer(claudeConfig.mcpServers)) {
+      mcpChanged = true;
+      console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.claude.json"));
+    }
     for (const [name, server] of Object.entries(claudeConfig.mcpServers)) {
       if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
         const [originalCmd, ...originalArgs] = server.args;
@@ -7779,6 +7929,10 @@ function teardownGemini() {
     }
   }
   if (settings.mcpServers) {
+    if (removeNode9McpServer(settings.mcpServers)) {
+      changed = true;
+      console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.gemini/settings.json"));
+    }
     for (const [name, server] of Object.entries(settings.mcpServers)) {
       if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
         const [originalCmd, ...originalArgs] = server.args;
@@ -7807,6 +7961,10 @@ function teardownCursor() {
     return;
   }
   let changed = false;
+  if (removeNode9McpServer(mcpConfig.mcpServers)) {
+    changed = true;
+    console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.cursor/mcp.json"));
+  }
   for (const [name, server] of Object.entries(mcpConfig.mcpServers)) {
     if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
       const [originalCmd, ...originalArgs] = server.args;
@@ -7832,6 +7990,7 @@ async function setupClaude() {
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
   const servers = claudeConfig.mcpServers ?? {};
+  let hooksChanged = false;
   let anythingChanged = false;
   if (!settings.hooks) settings.hooks = {};
   const hasPreHook = settings.hooks.PreToolUse?.some(
@@ -7844,6 +8003,7 @@ async function setupClaude() {
       hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 60 }]
     });
     console.log(import_chalk.default.green("  \u2705 PreToolUse hook added  \u2192 node9 check"));
+    hooksChanged = true;
     anythingChanged = true;
   }
   const hasPostHook = settings.hooks.PostToolUse?.some(
@@ -7856,9 +8016,17 @@ async function setupClaude() {
       hooks: [{ type: "command", command: fullPathCommand("log"), timeout: 600 }]
     });
     console.log(import_chalk.default.green("  \u2705 PostToolUse hook added \u2192 node9 log"));
+    hooksChanged = true;
     anythingChanged = true;
   }
-  if (anythingChanged) {
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    claudeConfig.mcpServers = servers;
+    writeJson(mcpPath, claudeConfig);
+    console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
+  if (hooksChanged) {
     writeJson(hooksPath, settings);
     console.log("");
   }
@@ -7906,6 +8074,7 @@ async function setupGemini() {
   const settingsPath = import_path14.default.join(homeDir2, ".gemini", "settings.json");
   const settings = readJson(settingsPath) ?? {};
   const servers = settings.mcpServers ?? {};
+  let hooksChanged = false;
   let anythingChanged = false;
   if (!settings.hooks) settings.hooks = {};
   const hasBeforeHook = Array.isArray(settings.hooks.BeforeTool) && settings.hooks.BeforeTool.some(
@@ -7926,6 +8095,7 @@ async function setupGemini() {
       ]
     });
     console.log(import_chalk.default.green("  \u2705 BeforeTool hook added \u2192 node9 check"));
+    hooksChanged = true;
     anythingChanged = true;
   }
   const hasAfterHook = Array.isArray(settings.hooks.AfterTool) && settings.hooks.AfterTool.some(
@@ -7939,9 +8109,17 @@ async function setupGemini() {
       hooks: [{ name: "node9-log", type: "command", command: fullPathCommand("log") }]
     });
     console.log(import_chalk.default.green("  \u2705 AfterTool hook added  \u2192 node9 log"));
+    hooksChanged = true;
     anythingChanged = true;
   }
-  if (anythingChanged) {
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    settings.mcpServers = servers;
+    console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    hooksChanged = true;
+    anythingChanged = true;
+  }
+  if (hooksChanged) {
     writeJson(settingsPath, settings);
     console.log("");
   }
@@ -7988,10 +8166,10 @@ function detectAgents(homeDir2 = import_os10.default.homedir()) {
   const exists = (p) => {
     try {
       return import_fs11.default.existsSync(p);
-    } catch (err) {
-      const code = err.code;
+    } catch (err2) {
+      const code = err2.code;
       if (code !== "ENOENT") {
-        process.stderr.write(`[node9] detectAgents: cannot access ${p}: ${code ?? String(err)}
+        process.stderr.write(`[node9] detectAgents: cannot access ${p}: ${code ?? String(err2)}
 `);
       }
       return false;
@@ -8009,6 +8187,13 @@ async function setupCursor() {
   const mcpConfig = readJson(mcpPath) ?? {};
   const servers = mcpConfig.mcpServers ?? {};
   let anythingChanged = false;
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    mcpConfig.mcpServers = servers;
+    writeJson(mcpPath, mcpConfig);
+    console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
@@ -8108,9 +8293,9 @@ function teardownHud() {
 // src/cli.ts
 init_daemon2();
 var import_chalk18 = __toESM(require("chalk"));
-var import_fs26 = __toESM(require("fs"));
-var import_path29 = __toESM(require("path"));
-var import_os22 = __toESM(require("os"));
+var import_fs27 = __toESM(require("fs"));
+var import_path30 = __toESM(require("path"));
+var import_os23 = __toESM(require("os"));
 var import_prompts2 = require("@inquirer/prompts");
 // src/utils/duration.ts
@@ -8345,8 +8530,29 @@ init_policy();
 var import_child_process8 = require("child_process");
 var import_crypto7 = __toESM(require("crypto"));
 var import_fs17 = __toESM(require("fs"));
+var import_net3 = __toESM(require("net"));
 var import_path19 = __toESM(require("path"));
 var import_os13 = __toESM(require("os"));
+var ACTIVITY_SOCKET_PATH3 = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path19.default.join(import_os13.default.tmpdir(), "node9-activity.sock");
+function notifySnapshotTaken(hash, tool, argsSummary, fileCount) {
+  try {
+    const payload = JSON.stringify({
+      status: "snapshot",
+      hash,
+      tool,
+      argsSummary,
+      fileCount,
+      ts: Date.now()
+    });
+    const sock = import_net3.default.createConnection(ACTIVITY_SOCKET_PATH3);
+    sock.on("connect", () => {
+      sock.end(payload);
+    });
+    sock.on("error", () => {
+    });
+  } catch {
+  }
+}
 var SNAPSHOT_STACK_PATH = import_path19.default.join(import_os13.default.homedir(), ".node9", "snapshots.json");
 var UNDO_LATEST_PATH = import_path19.default.join(import_os13.default.homedir(), ".node9", "undo_latest.txt");
 var MAX_SNAPSHOTS = 10;
@@ -8529,6 +8735,9 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
       if (filesRes.status === 0) {
         capturedFiles = filesRes.stdout?.toString().trim().split("\n").filter(Boolean) ?? [];
       }
+      if (capturedFiles.length === 0) {
+        return prevEntry.hash;
+      }
       const diffRes = (0, import_child_process8.spawnSync)("git", ["diff", prevEntry.hash, commitHash], {
         env: shadowEnv,
         timeout: GIT_TIMEOUT
@@ -8566,13 +8775,15 @@ async function createShadowSnapshot(tool = "unknown", args = {}, ignorePaths = [
     }
     if (cwdCount > MAX_SNAPSHOTS) stack.splice(oldestCwdIdx, 1);
     writeStack(stack);
+    const entry = stack[stack.length - 1];
+    notifySnapshotTaken(commitHash.slice(0, 7), tool, entry.argsSummary, capturedFiles.length);
     import_fs17.default.writeFileSync(UNDO_LATEST_PATH, commitHash);
     if (shouldGc) {
       (0, import_child_process8.spawn)("git", ["gc", "--auto"], { env: shadowEnv, detached: true, stdio: "ignore" }).unref();
     }
     return commitHash;
-  } catch (err) {
-    if (process.env.NODE9_DEBUG === "1") console.error("[Node9 Undo Engine Error]:", err);
+  } catch (err2) {
+    if (process.env.NODE9_DEBUG === "1") console.error("[Node9 Undo Engine Error]:", err2);
     return null;
   } finally {
     if (indexFile) {
@@ -8676,11 +8887,11 @@ function registerCheckCommand(program2) {
         let payload = JSON.parse(raw);
         try {
           payload = JSON.parse(raw);
-        } catch (err) {
+        } catch (err2) {
           const tempConfig = getConfig();
           if (process.env.NODE9_DEBUG === "1" || tempConfig.settings.enableHookLogDebug) {
             const logPath = import_path20.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
-            const errMsg = err instanceof Error ? err.message : String(err);
+            const errMsg = err2 instanceof Error ? err2.message : String(err2);
             import_fs18.default.appendFileSync(
               logPath,
               `[${(/* @__PURE__ */ new Date()).toISOString()}] JSON_PARSE_ERROR: ${errMsg}
@@ -8801,10 +9012,10 @@ RAW: ${raw}
           ...result,
           blockedByLabel: result.blockedByLabel
         });
-      } catch (err) {
+      } catch (err2) {
         if (process.env.NODE9_DEBUG === "1") {
           const logPath = import_path20.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
-          const errMsg = err instanceof Error ? err.message : String(err);
+          const errMsg = err2 instanceof Error ? err2.message : String(err2);
           import_fs18.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] ERROR: ${errMsg}
 `);
         }
@@ -8950,8 +9161,8 @@ function registerLogCommand(program2) {
         if (shouldSnapshot(tool, {}, config)) {
           await createShadowSnapshot("unknown", {}, config.policy.snapshot.ignorePaths);
         }
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
+      } catch (err2) {
+        const msg = err2 instanceof Error ? err2.message : String(err2);
         process.stderr.write(`[Node9] audit log error: ${msg}
 `);
         const debugPath = import_path21.default.join(import_os15.default.homedir(), ".node9", "hook-debug.log");
@@ -9723,25 +9934,79 @@ var import_chalk11 = __toESM(require("chalk"));
 var import_fs23 = __toESM(require("fs"));
 var import_path25 = __toESM(require("path"));
 var import_os19 = __toESM(require("os"));
+var import_https = __toESM(require("https"));
 init_core();
+function fireTelemetryPing(agents) {
+  try {
+    const body = JSON.stringify({
+      event: "init_completed",
+      agents_detected: agents,
+      os: process.platform,
+      node9_version: process.env.npm_package_version ?? "unknown"
+    });
+    const req = import_https.default.request(
+      {
+        hostname: "api.node9.ai",
+        path: "/api/v1/telemetry",
+        method: "POST",
+        headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) },
+        timeout: 3e3
+      },
+      (res) => {
+        res.resume();
+      }
+    );
+    req.on("error", () => {
+    });
+    req.on("timeout", () => {
+      req.destroy();
+    });
+    req.end(body);
+  } catch {
+  }
+}
 function registerInitCommand(program2) {
   program2.command("init").description("Set up Node9: create config and wire all detected AI agents").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").option("--skip-setup", "Only create config \u2014 do not wire AI agents").action(async (options) => {
     console.log(import_chalk11.default.cyan.bold("\n\u{1F6E1}\uFE0F  Node9 Init\n"));
+    let chosenMode = options.mode.toLowerCase();
+    if (!["standard", "strict", "audit"].includes(chosenMode)) {
+      chosenMode = DEFAULT_CONFIG.settings.mode;
+    }
+    {
+      const { confirm: confirm3 } = await import("@inquirer/prompts");
+      const enableShields = await confirm3({
+        message: "Enable recommended safety shields? (blocks rm -rf, SQL drops, pipe-to-shell)",
+        default: true
+      });
+      if (enableShields) chosenMode = "standard";
+      console.log("");
+    }
     const configPath = import_path25.default.join(import_os19.default.homedir(), ".node9", "config.json");
     if (import_fs23.default.existsSync(configPath) && !options.force) {
-      console.log(import_chalk11.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
+      try {
+        const existing = JSON.parse(import_fs23.default.readFileSync(configPath, "utf-8"));
+        const settings = existing.settings ?? {};
+        if (settings.mode !== chosenMode) {
+          settings.mode = chosenMode;
+          existing.settings = settings;
+          import_fs23.default.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+          console.log(import_chalk11.default.green(`\u2705 Mode updated: ${chosenMode}`));
+        } else {
+          console.log(import_chalk11.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
+        }
+      } catch {
+        console.log(import_chalk11.default.blue(`\u2139\uFE0F  Config already exists: ${configPath}`));
+      }
     } else {
-      const requestedMode = options.mode.toLowerCase();
-      const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
       const configToSave = {
         ...DEFAULT_CONFIG,
-        settings: { ...DEFAULT_CONFIG.settings, mode: safeMode }
+        settings: { ...DEFAULT_CONFIG.settings, mode: chosenMode }
       };
       const dir = import_path25.default.dirname(configPath);
       if (!import_fs23.default.existsSync(dir)) import_fs23.default.mkdirSync(dir, { recursive: true });
-      import_fs23.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
+      import_fs23.default.writeFileSync(configPath, JSON.stringify(configToSave, null, 2) + "\n");
       console.log(import_chalk11.default.green(`\u2705 Config created: ${configPath}`));
-      console.log(import_chalk11.default.gray(`   Mode: ${safeMode}`));
+      console.log(import_chalk11.default.gray(`   Mode: ${chosenMode}`));
     }
     if (options.skipSetup) return;
     console.log("");
@@ -9768,14 +10033,20 @@ function registerInitCommand(program2) {
       else if (agent === "cursor") await setupCursor();
       console.log("");
     }
-    if (detected.claude) {
-      setupHud();
-      console.log(import_chalk11.default.green("\u2705 node9 HUD added to Claude Code statusline"));
-      console.log(import_chalk11.default.gray("   Restart Claude Code to activate the security statusline."));
+    {
+      const { confirm: confirm3 } = await import("@inquirer/prompts");
+      const sendTelemetry = await confirm3({
+        message: "Send anonymous usage stats to help improve node9? (no code, no args)",
+        default: true
+      });
+      if (sendTelemetry) fireTelemetryPing(found);
       console.log("");
     }
     console.log(import_chalk11.default.green.bold("\u{1F6E1}\uFE0F  Node9 is ready!"));
-    console.log(import_chalk11.default.gray("   Run: node9 daemon start"));
+    console.log("");
+    console.log(import_chalk11.default.white("  Start watching:  ") + import_chalk11.default.cyan("node9 tail"));
+    console.log(import_chalk11.default.white("  Browser view:    ") + import_chalk11.default.cyan("node9 daemon --openui"));
+    console.log(import_chalk11.default.white("  Cloud dashboard: ") + import_chalk11.default.cyan("node9.ai"));
   });
 }
@@ -10337,6 +10608,347 @@ function registerMcpGatewayCommand(program2) {
   });
 }
+// src/mcp-server/index.ts
+var import_readline4 = __toESM(require("readline"));
+var import_fs24 = __toESM(require("fs"));
+var import_os20 = __toESM(require("os"));
+var import_path27 = __toESM(require("path"));
+init_core();
+init_daemon();
+init_shields();
+function ok(id, result) {
+  return JSON.stringify({ jsonrpc: "2.0", id: id ?? null, result });
+}
+function err(id, code, message) {
+  return JSON.stringify({ jsonrpc: "2.0", id: id ?? null, error: { code, message } });
+}
+var TOOLS = [
+  {
+    name: "node9_status",
+    description: "Show the current node9 protection status: mode, daemon state, undo engine, pause state, active shields, and whether agent hooks are wired. Use this to understand what protection is active before doing risky work.",
+    inputSchema: { type: "object", properties: {}, required: [] }
+  },
+  {
+    name: "node9_config_get",
+    description: "Read the current node9 configuration: security mode, approver channels, timeouts, DLP settings, and the number of active smart rules. Returns the merged config (env > cloud > project > global > defaults).",
+    inputSchema: { type: "object", properties: {}, required: [] }
+  },
+  {
+    name: "node9_shield_list",
+    description: "List all available node9 shields and which ones are currently active. Shields are pre-packaged rule sets for specific services (postgres, aws, github, filesystem).",
+    inputSchema: { type: "object", properties: {}, required: [] }
+  },
+  {
+    name: "node9_shield_enable",
+    description: "Enable a node9 shield for a specific service. Shields only add protection \u2014 they cannot be used to weaken or bypass node9. Use node9_shield_list to see available shield names.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: {
+          type: "string",
+          description: 'Shield name to enable (e.g. "postgres", "aws", "github", "filesystem").'
+        }
+      },
+      required: ["service"]
+    }
+  },
+  {
+    name: "node9_approver_list",
+    description: "List all node9 approver channels and their current enabled/disabled state. Approvers are the channels through which node9 asks a human to approve risky tool calls. Channels: native (OS popup), browser (web UI), cloud (team policy server), terminal (stdin).",
+    inputSchema: { type: "object", properties: {}, required: [] }
+  },
+  {
+    name: "node9_approver_set",
+    description: "Enable or disable a specific node9 approver channel in the global config (~/.node9/config.json). Use this to turn individual channels on or off without touching other settings. Channels: native, browser, cloud, terminal. WARNING: disabling all approvers means node9 cannot prompt for human approval \u2014 use with care.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        channel: {
+          type: "string",
+          enum: ["native", "browser", "cloud", "terminal"],
+          description: "Approver channel to configure."
+        },
+        enabled: {
+          type: "boolean",
+          description: "true to enable the channel, false to disable it."
+        }
+      },
+      required: ["channel", "enabled"]
+    }
+  },
+  {
+    name: "node9_undo_list",
+    description: "List the node9 snapshot history. Each entry shows the git hash, tool that triggered it, a short summary, affected files, working directory, and timestamp. Use this to find a hash before calling node9_undo_revert.",
+    inputSchema: { type: "object", properties: {}, required: [] }
+  },
+  {
+    name: "node9_undo_revert",
+    description: "Revert the working directory to a specific node9 snapshot. Call node9_undo_list first to find the hash you want to restore. WARNING: this overwrites current files \u2014 any unsaved work will be lost.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        hash: {
+          type: "string",
+          description: "The full git commit hash from node9_undo_list."
+        },
+        cwd: {
+          type: "string",
+          description: "Absolute path to the project directory. Defaults to process.cwd()."
+        }
+      },
+      required: ["hash"]
+    }
+  }
+];
+function handleStatus() {
+  const config = getConfig();
+  const settings = config.settings;
+  const paused = checkPause();
+  const daemonUp = isDaemonRunning();
+  const activeShields = readActiveShields();
+  const lines = [];
+  lines.push(`Mode: ${settings.mode}`);
+  lines.push(`Daemon: ${daemonUp ? "running" : "stopped"}`);
+  lines.push(`Undo engine: ${settings.enableUndo ? "enabled" : "disabled"}`);
+  if (paused.paused) {
+    const until = paused.expiresAt ? new Date(paused.expiresAt).toLocaleTimeString() : "indefinitely";
+    lines.push(`PAUSED until ${until} \u2014 all tool calls currently allowed`);
+  } else {
+    lines.push(`Pause state: not paused`);
+  }
+  lines.push(`Active shields: ${activeShields.length > 0 ? activeShields.join(", ") : "none"}`);
+  lines.push(`Smart rules: ${config.policy.smartRules.length} loaded`);
+  lines.push(`DLP: ${config.policy.dlp?.enabled !== false ? "enabled" : "disabled"}`);
+  const projectConfig = import_path27.default.join(process.cwd(), "node9.config.json");
+  const globalConfig = import_path27.default.join(import_os20.default.homedir(), ".node9", "config.json");
+  lines.push(
+    `Project config (node9.config.json): ${import_fs24.default.existsSync(projectConfig) ? "present" : "not found"}`
+  );
+  lines.push(
+    `Global config (~/.node9/config.json): ${import_fs24.default.existsSync(globalConfig) ? "present" : "not found"}`
+  );
+  return lines.join("\n");
+}
+function handleConfigGet() {
+  const config = getConfig();
+  const s = config.settings;
+  const lines = [
+    `mode: ${s.mode}`,
+    `enableUndo: ${s.enableUndo}`,
+    `flightRecorder: ${s.flightRecorder}`,
+    `approvalTimeoutMs: ${s.approvalTimeoutMs}`,
+    `approvers:`,
+    `  native:   ${s.approvers.native}`,
+    `  browser:  ${s.approvers.browser}`,
+    `  cloud:    ${s.approvers.cloud}`,
+    `  terminal: ${s.approvers.terminal}`,
+    `dlp.enabled: ${config.policy.dlp?.enabled !== false}`,
+    `dlp.scanIgnoredTools: ${config.policy.dlp?.scanIgnoredTools !== false}`,
+    `smartRules: ${config.policy.smartRules.length} active`,
+    `sandboxPaths: ${config.policy.sandboxPaths.length > 0 ? config.policy.sandboxPaths.join(", ") : "none"}`
+  ];
+  return lines.join("\n");
+}
+function handleShieldList() {
+  const all = listShields();
+  const active = new Set(readActiveShields());
+  if (all.length === 0) return "No shields available.";
+  const lines = all.map((shield) => {
+    const on = active.has(shield.name);
+    const ruleCount = shield.smartRules.length;
+    return `${on ? "[active]" : "[off]   "} ${shield.name.padEnd(12)} \u2014 ${shield.description ?? ""} (${ruleCount} rule${ruleCount === 1 ? "" : "s"})`;
+  });
+  lines.unshift(`${active.size} of ${all.length} shields active:
+`);
+  return lines.join("\n");
+}
+function handleShieldEnable(args) {
+  const service = args.service;
+  if (typeof service !== "string" || !service) {
+    throw new Error("service is required");
+  }
+  const name = resolveShieldName(service);
+  if (!name) {
+    throw new Error(
+      `Unknown shield: "${service}". Run node9_shield_list to see available shields.`
+    );
+  }
+  const active = readActiveShields();
+  if (active.includes(name)) {
+    return `Shield "${name}" is already active.`;
+  }
+  writeActiveShields([...active, name]);
+  const shield = getShield(name);
+  return `Shield "${name}" enabled \u2014 ${shield.smartRules.length} smart rule${shield.smartRules.length === 1 ? "" : "s"} now active.`;
+}
+var GLOBAL_CONFIG_PATH2 = import_path27.default.join(import_os20.default.homedir(), ".node9", "config.json");
+var APPROVER_CHANNELS = ["native", "browser", "cloud", "terminal"];
+function readGlobalConfigRaw() {
+  try {
+    if (import_fs24.default.existsSync(GLOBAL_CONFIG_PATH2)) {
+      return JSON.parse(import_fs24.default.readFileSync(GLOBAL_CONFIG_PATH2, "utf-8"));
+    }
+  } catch {
+  }
+  return {};
+}
+function writeGlobalConfigRaw(data) {
+  const dir = import_path27.default.dirname(GLOBAL_CONFIG_PATH2);
+  if (!import_fs24.default.existsSync(dir)) import_fs24.default.mkdirSync(dir, { recursive: true });
+  import_fs24.default.writeFileSync(GLOBAL_CONFIG_PATH2, JSON.stringify(data, null, 2) + "\n");
+}
+function handleApproverList() {
+  const config = getConfig();
+  const approvers = config.settings.approvers;
+  const lines = ["Approver channels:\n"];
+  for (const ch of APPROVER_CHANNELS) {
+    const on = approvers[ch];
+    lines.push(`  ${on ? "[enabled] " : "[disabled]"} ${ch}`);
+  }
+  const enabledCount = APPROVER_CHANNELS.filter((ch) => approvers[ch]).length;
+  if (enabledCount === 0) {
+    lines.push("\nWARNING: all approver channels are disabled \u2014 node9 cannot prompt for approval.");
+  }
+  return lines.join("\n");
+}
+function handleApproverSet(args) {
+  const channel = args.channel;
+  const enabled = args.enabled;
+  if (!channel || !APPROVER_CHANNELS.includes(channel)) {
+    throw new Error(
+      `Invalid channel: "${channel}". Must be one of: ${APPROVER_CHANNELS.join(", ")}.`
+    );
+  }
+  if (typeof enabled !== "boolean") {
+    throw new Error("enabled must be a boolean (true or false).");
+  }
+  const raw = readGlobalConfigRaw();
+  const settings = raw.settings ?? {};
+  const approvers = settings.approvers ?? {};
+  approvers[channel] = enabled;
+  settings.approvers = approvers;
+  raw.settings = settings;
+  writeGlobalConfigRaw(raw);
+  const currentApprovers = getConfig().settings.approvers;
+  const anyEnabled = APPROVER_CHANNELS.some(
+    (ch) => ch === channel ? enabled : currentApprovers[ch]
+  );
+  const suffix = anyEnabled ? "" : "\nWARNING: all approver channels are now disabled \u2014 node9 cannot prompt for approval.";
+  return `Approver channel "${channel}" ${enabled ? "enabled" : "disabled"} in ~/.node9/config.json.${suffix}`;
+}
+function handleUndoList() {
+  const history = getSnapshotHistory();
+  if (history.length === 0) {
+    return "No snapshots found. Node9 captures snapshots automatically before file edits.";
+  }
+  const lines = history.slice().reverse().map((entry, i) => {
+    const date = new Date(entry.timestamp).toLocaleString();
+    const files = entry.files?.length ? `${entry.files.length} file(s)` : "unknown files";
+    const summary = entry.argsSummary ? ` \u2014 ${entry.argsSummary}` : "";
+    return `[${i + 1}] ${entry.hash.slice(0, 7)}  ${date}  ${entry.tool}${summary}  (${files})  cwd: ${entry.cwd}
+    full hash: ${entry.hash}`;
+  });
+  return lines.join("\n\n");
+}
+function handleUndoRevert(args) {
+  const hash = args.hash;
+  if (typeof hash !== "string" || !hash) {
+    throw new Error("hash is required and must be a non-empty string");
+  }
+  if (!/^[0-9a-f]{7,40}$/i.test(hash)) {
+    throw new Error(`Invalid hash format: ${hash}`);
+  }
+  const cwd = typeof args.cwd === "string" && args.cwd ? args.cwd : process.cwd();
+  const success = applyUndo(hash, cwd);
+  if (!success) {
+    throw new Error(
+      `Revert failed for hash ${hash}. The snapshot may not exist for this directory, or git encountered an error.`
+    );
+  }
+  return `Successfully reverted to snapshot ${hash.slice(0, 7)} in ${cwd}.`;
+}
+function runMcpServer() {
+  const rl = import_readline4.default.createInterface({ input: process.stdin, terminal: false });
+  rl.on("line", (line) => {
+    let msg;
+    try {
+      msg = JSON.parse(line);
+    } catch {
+      process.stdout.write(err(null, -32700, "Parse error") + "\n");
+      return;
+    }
+    const { method, id, params } = msg;
+    if (method === "initialize") {
+      process.stdout.write(
+        ok(id, {
+          protocolVersion: "2024-11-05",
+          serverInfo: { name: "node9", version: "1.0.0" },
+          capabilities: { tools: {} }
+        }) + "\n"
+      );
+      return;
+    }
+    if (id === void 0 || id === null) {
+      return;
+    }
+    if (method === "tools/list") {
+      process.stdout.write(ok(id, { tools: TOOLS }) + "\n");
+      return;
+    }
+    if (method === "tools/call") {
+      const p = params ?? {};
+      const toolName = p.name;
+      const toolArgs = p.arguments ?? {};
+      try {
+        let text;
+        if (toolName === "node9_status") {
+          text = handleStatus();
+        } else if (toolName === "node9_config_get") {
+          text = handleConfigGet();
+        } else if (toolName === "node9_shield_list") {
+          text = handleShieldList();
+        } else if (toolName === "node9_shield_enable") {
+          text = handleShieldEnable(toolArgs);
+        } else if (toolName === "node9_approver_list") {
+          text = handleApproverList();
+        } else if (toolName === "node9_approver_set") {
+          text = handleApproverSet(toolArgs);
+        } else if (toolName === "node9_undo_list") {
+          text = handleUndoList();
+        } else if (toolName === "node9_undo_revert") {
+          text = handleUndoRevert(toolArgs);
+        } else {
+          process.stdout.write(err(id, -32601, `Unknown tool: ${toolName}`) + "\n");
+          return;
+        }
+        process.stdout.write(ok(id, { content: [{ type: "text", text }] }) + "\n");
+      } catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        process.stdout.write(
+          ok(id, {
+            content: [{ type: "text", text: `Error: ${message}` }],
+            isError: true
+          }) + "\n"
+        );
+      }
+      return;
+    }
+    process.stdout.write(err(id, -32601, `Method not found: ${method}`) + "\n");
+  });
+  rl.on("close", () => {
+    process.exit(0);
+  });
+}
+// src/cli/commands/mcp-server.ts
+function registerMcpServerCommand(program2) {
+  program2.command("mcp-server").description(
+    "Run the Node9 MCP server \u2014 exposes node9 tools (undo, rules, \u2026) to Claude, Cursor, and Gemini"
+  ).action(() => {
+    runMcpServer();
+  });
+}
 // src/cli/commands/trust.ts
 var import_chalk16 = __toESM(require("chalk"));
 init_trusted_hosts();
@@ -10394,20 +11006,20 @@ function registerTrustCommand(program2) {
 // src/cli.ts
 var { version } = JSON.parse(
-  import_fs26.default.readFileSync(import_path29.default.join(__dirname, "../package.json"), "utf-8")
+  import_fs27.default.readFileSync(import_path30.default.join(__dirname, "../package.json"), "utf-8")
 );
 var program = new import_commander.Command();
 program.name("node9").description("The Sudo Command for AI Agents").version(version);
 program.command("login").argument("<apiKey>").option("--local", "Save key for audit/logging only \u2014 local config still controls all decisions").option("--profile <name>", 'Save as a named profile (default: "default")').action((apiKey, options) => {
   const DEFAULT_API_URL = "https://api.node9.ai/api/v1/intercept";
-  const credPath = import_path29.default.join(import_os22.default.homedir(), ".node9", "credentials.json");
-  if (!import_fs26.default.existsSync(import_path29.default.dirname(credPath)))
-    import_fs26.default.mkdirSync(import_path29.default.dirname(credPath), { recursive: true });
+  const credPath = import_path30.default.join(import_os23.default.homedir(), ".node9", "credentials.json");
+  if (!import_fs27.default.existsSync(import_path30.default.dirname(credPath)))
+    import_fs27.default.mkdirSync(import_path30.default.dirname(credPath), { recursive: true });
   const profileName = options.profile || "default";
   let existingCreds = {};
   try {
-    if (import_fs26.default.existsSync(credPath)) {
-      const raw = JSON.parse(import_fs26.default.readFileSync(credPath, "utf-8"));
+    if (import_fs27.default.existsSync(credPath)) {
+      const raw = JSON.parse(import_fs27.default.readFileSync(credPath, "utf-8"));
       if (raw.apiKey) {
         existingCreds = {
           default: { apiKey: raw.apiKey, apiUrl: raw.apiUrl || DEFAULT_API_URL }
@@ -10419,13 +11031,13 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
   } catch {
   }
   existingCreds[profileName] = { apiKey, apiUrl: DEFAULT_API_URL };
-  import_fs26.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
+  import_fs27.default.writeFileSync(credPath, JSON.stringify(existingCreds, null, 2), { mode: 384 });
   if (profileName === "default") {
-    const configPath = import_path29.default.join(import_os22.default.homedir(), ".node9", "config.json");
+    const configPath = import_path30.default.join(import_os23.default.homedir(), ".node9", "config.json");
     let config = {};
     try {
-      if (import_fs26.default.existsSync(configPath))
-        config = JSON.parse(import_fs26.default.readFileSync(configPath, "utf-8"));
+      if (import_fs27.default.existsSync(configPath))
+        config = JSON.parse(import_fs27.default.readFileSync(configPath, "utf-8"));
     } catch {
     }
     if (!config.settings || typeof config.settings !== "object") config.settings = {};
@@ -10440,9 +11052,9 @@ program.command("login").argument("<apiKey>").option("--local", "Save key for au
       approvers.cloud = false;
     }
     s.approvers = approvers;
-    if (!import_fs26.default.existsSync(import_path29.default.dirname(configPath)))
-      import_fs26.default.mkdirSync(import_path29.default.dirname(configPath), { recursive: true });
-    import_fs26.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+    if (!import_fs27.default.existsSync(import_path30.default.dirname(configPath)))
+      import_fs27.default.mkdirSync(import_path30.default.dirname(configPath), { recursive: true });
+    import_fs27.default.writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 384 });
   }
   if (options.profile && profileName !== "default") {
     console.log(import_chalk18.default.green(`\u2705 Profile "${profileName}" saved`));
@@ -10502,8 +11114,8 @@ program.command("removefrom").description("Remove Node9 hooks from an AI agent c
 `));
   try {
     fn();
-  } catch (err) {
-    console.error(import_chalk18.default.red(`  \u26A0\uFE0F  Failed: ${err instanceof Error ? err.message : String(err)}`));
+  } catch (err2) {
+    console.error(import_chalk18.default.red(`  \u26A0\uFE0F  Failed: ${err2 instanceof Error ? err2.message : String(err2)}`));
     process.exit(1);
   }
   console.log(import_chalk18.default.gray("\n  Restart the agent for changes to take effect."));
@@ -10526,25 +11138,25 @@ program.command("uninstall").description("Remove all Node9 hooks and optionally
   ]) {
     try {
       fn();
-    } catch (err) {
+    } catch (err2) {
       teardownFailed = true;
       console.error(
         import_chalk18.default.red(
-          `  \u26A0\uFE0F  Failed to remove ${label} hooks: ${err instanceof Error ? err.message : String(err)}`
+          `  \u26A0\uFE0F  Failed to remove ${label} hooks: ${err2 instanceof Error ? err2.message : String(err2)}`
         )
       );
     }
   }
   if (options.purge) {
-    const node9Dir = import_path29.default.join(import_os22.default.homedir(), ".node9");
-    if (import_fs26.default.existsSync(node9Dir)) {
+    const node9Dir = import_path30.default.join(import_os23.default.homedir(), ".node9");
+    if (import_fs27.default.existsSync(node9Dir)) {
       const confirmed = await (0, import_prompts2.confirm)({
         message: `Permanently delete ${node9Dir} (config, audit log, credentials)?`,
         default: false
       });
       if (confirmed) {
-        import_fs26.default.rmSync(node9Dir, { recursive: true });
-        if (import_fs26.default.existsSync(node9Dir)) {
+        import_fs27.default.rmSync(node9Dir, { recursive: true });
+        if (import_fs27.default.existsSync(node9Dir)) {
           console.error(
             import_chalk18.default.red("\n  \u26A0\uFE0F  ~/.node9/ could not be fully deleted \u2014 remove it manually.")
           );
@@ -10651,13 +11263,14 @@ program.command("tail").description("Stream live agent activity to the terminal"
   const { startTail: startTail2 } = await Promise.resolve().then(() => (init_tail(), tail_exports));
   try {
     await startTail2(options);
-  } catch (err) {
-    console.error(import_chalk18.default.red(`\u274C ${err instanceof Error ? err.message : String(err)}`));
+  } catch (err2) {
+    console.error(import_chalk18.default.red(`\u274C ${err2 instanceof Error ? err2.message : String(err2)}`));
     process.exit(1);
   }
 });
 registerWatchCommand(program);
 registerMcpGatewayCommand(program);
+registerMcpServerCommand(program);
 registerCheckCommand(program);
 registerLogCommand(program);
 program.command("hud").description("Render node9 security statusline (spawned by Claude Code statusLine)").action(async () => {
@@ -10760,9 +11373,9 @@ if (process.argv[2] !== "daemon") {
     const isCheckHook = process.argv[2] === "check";
     if (isCheckHook) {
       if (process.env.NODE9_DEBUG === "1" || getConfig().settings.enableHookLogDebug) {
-        const logPath = import_path29.default.join(import_os22.default.homedir(), ".node9", "hook-debug.log");
+        const logPath = import_path30.default.join(import_os23.default.homedir(), ".node9", "hook-debug.log");
         const msg = reason instanceof Error ? reason.message : String(reason);
-        import_fs26.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
+        import_fs27.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] UNHANDLED: ${msg}
 `);
       }
       process.exit(0);