@node9/proxy 1.7.0 → 1.8.2

package/dist/index.js

@@ -280,173 +280,73 @@ ${lines.join("\n")}`
 var import_fs2 = __toESM(require("fs"));
 var import_path2 = __toESM(require("path"));
 var import_os2 = __toESM(require("os"));
-var SHIELDS = {
-  postgres: {
-    name: "postgres",
-    description: "Protects PostgreSQL databases from destructive AI operations",
-    aliases: ["pg", "postgresql"],
-    smartRules: [
-      {
-        name: "shield:postgres:block-drop-table",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:block-truncate",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:block-drop-column",
-        tool: "*",
-        conditions: [
-          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-        ],
-        verdict: "block",
-        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:review-grant-revoke",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
-        verdict: "review",
-        reason: "Permission changes require human approval (Postgres shield)"
-      }
-    ],
-    dangerousWords: ["dropdb", "pg_dropcluster"]
-  },
-  github: {
-    name: "github",
-    description: "Protects GitHub repositories from destructive AI operations",
-    aliases: ["git"],
-    smartRules: [
-      {
-        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
-        // This rule adds coverage for `git push --delete` which the built-in does not match.
-        name: "shield:github:review-delete-branch-remote",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "git\\s+push\\s+.*--delete",
-            flags: "i"
-          }
-        ],
-        verdict: "review",
-        reason: "Remote branch deletion requires human approval (GitHub shield)"
-      },
-      {
-        name: "shield:github:block-delete-repo",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
-        ],
-        verdict: "block",
-        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
-      }
-    ],
-    dangerousWords: []
-  },
-  aws: {
-    name: "aws",
-    description: "Protects AWS infrastructure from destructive AI operations",
-    aliases: ["amazon"],
-    smartRules: [
-      {
-        name: "shield:aws:block-delete-s3-bucket",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
-            flags: "i"
-          }
-        ],
-        verdict: "block",
-        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
-      },
-      {
-        name: "shield:aws:review-iam-changes",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
-            flags: "i"
-          }
-        ],
-        verdict: "review",
-        reason: "IAM changes require human approval (AWS shield)"
-      },
-      {
-        name: "shield:aws:block-ec2-terminate",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+ec2\\s+terminate-instances",
-            flags: "i"
-          }
-        ],
-        verdict: "block",
-        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
-      },
-      {
-        name: "shield:aws:review-rds-delete",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
-        ],
-        verdict: "review",
-        reason: "RDS deletion requires human approval (AWS shield)"
-      }
-    ],
-    dangerousWords: []
-  },
-  filesystem: {
-    name: "filesystem",
-    description: "Protects the local filesystem from dangerous AI operations",
-    aliases: ["fs"],
-    smartRules: [
-      {
-        name: "shield:filesystem:review-chmod-777",
-        tool: "bash",
-        conditions: [
-          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
-        ],
-        verdict: "review",
-        reason: "chmod 777 requires human approval (filesystem shield)"
-      },
-      {
-        name: "shield:filesystem:review-write-etc",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            // Narrow to write-indicative operations to avoid approval fatigue on reads.
-            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
-            op: "matches",
-            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
-          }
-        ],
-        verdict: "review",
-        reason: "Writing to /etc requires human approval (filesystem shield)"
-      }
-    ],
-    // dd removed: too common as a legitimate tool (disk imaging, file ops).
-    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
-    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
-    dangerousWords: ["wipefs"]
+var BUILTIN_DIR = import_path2.default.join(__dirname, "shields", "builtin");
+var USER_SHIELDS_DIR = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields");
+function validateShieldDefinition(raw, filePath) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
+`);
+    return null;
   }
-};
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) {
+    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
+`);
+    return null;
+  }
+  if (typeof r.description !== "string") {
+    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.aliases)) {
+    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.smartRules)) {
+    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.dangerousWords)) {
+    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
+`);
+    return null;
+  }
+  return r;
+}
+function loadShieldsFromDir(dir, label) {
+  const result = {};
+  let entries;
+  try {
+    entries = import_fs2.default.readdirSync(dir).filter((f) => f.endsWith(".json"));
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err)}
+`);
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = import_path2.default.join(dir, file);
+    try {
+      const raw = JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+      const shield = validateShieldDefinition(raw, filePath);
+      if (shield) result[shield.name] = shield;
+    } catch (err) {
+      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err)}
+`);
+    }
+  }
+  return result;
+}
+function buildSHIELDS() {
+  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
+  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
+  return { ...builtins, ...userShields };
+}
+var SHIELDS = buildSHIELDS();
 function resolveShieldName(input) {
   const lower = input.toLowerCase();
   if (SHIELDS[lower]) return lower;
@@ -2070,7 +1970,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly, localSmartRuleMatched) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2091,7 +1991,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         ...cwd && { cwd },
         ...recoveryCommand && { recoveryCommand },
         ...skipBackgroundAuth && { skipBackgroundAuth: true },
-        ...viewOnly && { viewOnly: true }
+        ...viewOnly && { viewOnly: true },
+        ...localSmartRuleMatched && { localSmartRuleMatched: true }
       }),
       signal: ctrl.signal
     });
@@ -2759,6 +2660,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let policyMatchedWord;
   let riskMetadata;
   let statefulRecoveryCommand;
+  let localSmartRuleMatched = false;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -2902,6 +2804,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    if (policyResult.ruleName) localSmartRuleMatched = true;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -2944,22 +2847,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced) {
+  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     try {
       const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
         }
-        return {
-          approved: !!initResult.approved,
-          reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
-          checkedBy: initResult.approved ? "cloud" : void 0,
-          blockedBy: initResult.approved ? void 0 : "team-policy",
-          blockedByLabel: "Organization Policy (SaaS)"
-        };
+        if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+          return {
+            approved: !!initResult.approved,
+            reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
+            checkedBy: initResult.approved ? "cloud" : void 0,
+            blockedBy: initResult.approved ? void 0 : "team-policy",
+            blockedByLabel: "Organization Policy (SaaS)"
+          };
+        }
+      }
+      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+        cloudRequestId = initResult.requestId || null;
       }
-      cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -3005,7 +2912,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata,
           options?.activityId,
           options?.cwd,
-          statefulRecoveryCommand
+          statefulRecoveryCommand,
+          void 0,
+          void 0,
+          localSmartRuleMatched || options?.localSmartRuleMatched
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -3013,7 +2923,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId) {
+  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     racePromises.push(
       (async () => {
         try {

package/dist/index.mjs

@@ -250,173 +250,73 @@ ${lines.join("\n")}`
 import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
-var SHIELDS = {
-  postgres: {
-    name: "postgres",
-    description: "Protects PostgreSQL databases from destructive AI operations",
-    aliases: ["pg", "postgresql"],
-    smartRules: [
-      {
-        name: "shield:postgres:block-drop-table",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:block-truncate",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-        verdict: "block",
-        reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:block-drop-column",
-        tool: "*",
-        conditions: [
-          { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-        ],
-        verdict: "block",
-        reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
-      },
-      {
-        name: "shield:postgres:review-grant-revoke",
-        tool: "*",
-        conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
-        verdict: "review",
-        reason: "Permission changes require human approval (Postgres shield)"
-      }
-    ],
-    dangerousWords: ["dropdb", "pg_dropcluster"]
-  },
-  github: {
-    name: "github",
-    description: "Protects GitHub repositories from destructive AI operations",
-    aliases: ["git"],
-    smartRules: [
-      {
-        // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
-        // This rule adds coverage for `git push --delete` which the built-in does not match.
-        name: "shield:github:review-delete-branch-remote",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "git\\s+push\\s+.*--delete",
-            flags: "i"
-          }
-        ],
-        verdict: "review",
-        reason: "Remote branch deletion requires human approval (GitHub shield)"
-      },
-      {
-        name: "shield:github:block-delete-repo",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
-        ],
-        verdict: "block",
-        reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
-      }
-    ],
-    dangerousWords: []
-  },
-  aws: {
-    name: "aws",
-    description: "Protects AWS infrastructure from destructive AI operations",
-    aliases: ["amazon"],
-    smartRules: [
-      {
-        name: "shield:aws:block-delete-s3-bucket",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
-            flags: "i"
-          }
-        ],
-        verdict: "block",
-        reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
-      },
-      {
-        name: "shield:aws:review-iam-changes",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
-            flags: "i"
-          }
-        ],
-        verdict: "review",
-        reason: "IAM changes require human approval (AWS shield)"
-      },
-      {
-        name: "shield:aws:block-ec2-terminate",
-        tool: "*",
-        conditions: [
-          {
-            field: "command",
-            op: "matches",
-            value: "aws\\s+ec2\\s+terminate-instances",
-            flags: "i"
-          }
-        ],
-        verdict: "block",
-        reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
-      },
-      {
-        name: "shield:aws:review-rds-delete",
-        tool: "*",
-        conditions: [
-          { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
-        ],
-        verdict: "review",
-        reason: "RDS deletion requires human approval (AWS shield)"
-      }
-    ],
-    dangerousWords: []
-  },
-  filesystem: {
-    name: "filesystem",
-    description: "Protects the local filesystem from dangerous AI operations",
-    aliases: ["fs"],
-    smartRules: [
-      {
-        name: "shield:filesystem:review-chmod-777",
-        tool: "bash",
-        conditions: [
-          { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
-        ],
-        verdict: "review",
-        reason: "chmod 777 requires human approval (filesystem shield)"
-      },
-      {
-        name: "shield:filesystem:review-write-etc",
-        tool: "bash",
-        conditions: [
-          {
-            field: "command",
-            // Narrow to write-indicative operations to avoid approval fatigue on reads.
-            // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
-            op: "matches",
-            value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
-          }
-        ],
-        verdict: "review",
-        reason: "Writing to /etc requires human approval (filesystem shield)"
-      }
-    ],
-    // dd removed: too common as a legitimate tool (disk imaging, file ops).
-    // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
-    // wipefs retained: rarely legitimate in an agent context and not in built-ins.
-    dangerousWords: ["wipefs"]
+var BUILTIN_DIR = path2.join(__dirname, "shields", "builtin");
+var USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");
+function validateShieldDefinition(raw, filePath) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
+`);
+    return null;
   }
-};
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) {
+    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
+`);
+    return null;
+  }
+  if (typeof r.description !== "string") {
+    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.aliases)) {
+    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.smartRules)) {
+    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.dangerousWords)) {
+    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
+`);
+    return null;
+  }
+  return r;
+}
+function loadShieldsFromDir(dir, label) {
+  const result = {};
+  let entries;
+  try {
+    entries = fs2.readdirSync(dir).filter((f) => f.endsWith(".json"));
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err)}
+`);
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = path2.join(dir, file);
+    try {
+      const raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+      const shield = validateShieldDefinition(raw, filePath);
+      if (shield) result[shield.name] = shield;
+    } catch (err) {
+      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err)}
+`);
+    }
+  }
+  return result;
+}
+function buildSHIELDS() {
+  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
+  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
+  return { ...builtins, ...userShields };
+}
+var SHIELDS = buildSHIELDS();
 function resolveShieldName(input) {
   const lower = input.toLowerCase();
   if (SHIELDS[lower]) return lower;
@@ -2040,7 +1940,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly, localSmartRuleMatched) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2061,7 +1961,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         ...cwd && { cwd },
         ...recoveryCommand && { recoveryCommand },
         ...skipBackgroundAuth && { skipBackgroundAuth: true },
-        ...viewOnly && { viewOnly: true }
+        ...viewOnly && { viewOnly: true },
+        ...localSmartRuleMatched && { localSmartRuleMatched: true }
       }),
       signal: ctrl.signal
     });
@@ -2729,6 +2630,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let policyMatchedWord;
   let riskMetadata;
   let statefulRecoveryCommand;
+  let localSmartRuleMatched = false;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -2872,6 +2774,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    if (policyResult.ruleName) localSmartRuleMatched = true;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -2914,22 +2817,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced) {
+  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     try {
       const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
         }
-        return {
-          approved: !!initResult.approved,
-          reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
-          checkedBy: initResult.approved ? "cloud" : void 0,
-          blockedBy: initResult.approved ? void 0 : "team-policy",
-          blockedByLabel: "Organization Policy (SaaS)"
-        };
+        if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+          return {
+            approved: !!initResult.approved,
+            reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
+            checkedBy: initResult.approved ? "cloud" : void 0,
+            blockedBy: initResult.approved ? void 0 : "team-policy",
+            blockedByLabel: "Organization Policy (SaaS)"
+          };
+        }
+      }
+      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+        cloudRequestId = initResult.requestId || null;
       }
-      cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -2975,7 +2882,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata,
           options?.activityId,
           options?.cwd,
-          statefulRecoveryCommand
+          statefulRecoveryCommand,
+          void 0,
+          void 0,
+          localSmartRuleMatched || options?.localSmartRuleMatched
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -2983,7 +2893,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId) {
+  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     racePromises.push(
       (async () => {
         try {