@node9/proxy 1.7.1 → 1.8.3

package/dist/cli.js

@@ -268,6 +268,70 @@ var init_config_schema = __esm({
 });
 
 // src/shields.ts
+function validateShieldDefinition(raw, filePath) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
+`);
+    return null;
+  }
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) {
+    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
+`);
+    return null;
+  }
+  if (typeof r.description !== "string") {
+    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.aliases)) {
+    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.smartRules)) {
+    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.dangerousWords)) {
+    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
+`);
+    return null;
+  }
+  return r;
+}
+function loadShieldsFromDir(dir, label) {
+  const result = {};
+  let entries;
+  try {
+    entries = import_fs2.default.readdirSync(dir).filter((f) => f.endsWith(".json"));
+  } catch (err2) {
+    if (err2.code !== "ENOENT") {
+      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err2)}
+`);
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = import_path2.default.join(dir, file);
+    try {
+      const raw = JSON.parse(import_fs2.default.readFileSync(filePath, "utf-8"));
+      const shield = validateShieldDefinition(raw, filePath);
+      if (shield) result[shield.name] = shield;
+    } catch (err2) {
+      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err2)}
+`);
+    }
+  }
+  return result;
+}
+function buildSHIELDS() {
+  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
+  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
+  return { ...builtins, ...userShields };
+}
 function resolveShieldName(input) {
   const lower = input.toLowerCase();
   if (SHIELDS[lower]) return lower;
@@ -374,7 +438,24 @@ function resolveShieldRule(shieldName, identifier) {
   }
   return null;
 }
-var import_fs2, import_path2, import_os2, import_crypto2, SHIELDS, SHIELDS_STATE_FILE;
+function installShield(name, shieldJson) {
+  if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+    throw new Error(
+      `Invalid shield name '${name}': only alphanumeric characters, hyphens, and underscores are allowed`
+    );
+  }
+  const shield = validateShieldDefinition(shieldJson, `<downloaded:${name}>`);
+  if (!shield) throw new Error(`Downloaded shield '${name}' failed validation`);
+  if (shield.name !== name) {
+    throw new Error(`Shield name mismatch: file declares '${shield.name}' but expected '${name}'`);
+  }
+  import_fs2.default.mkdirSync(USER_SHIELDS_DIR, { recursive: true });
+  const filePath = import_path2.default.join(USER_SHIELDS_DIR, `${name}.json`);
+  const tmp = `${filePath}.${import_crypto2.default.randomBytes(6).toString("hex")}.tmp`;
+  import_fs2.default.writeFileSync(tmp, JSON.stringify(shieldJson, null, 2), { mode: 384 });
+  import_fs2.default.renameSync(tmp, filePath);
+}
+var import_fs2, import_path2, import_os2, import_crypto2, BUILTIN_DIR, USER_SHIELDS_DIR, SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
     "use strict";
@@ -382,251 +463,9 @@ var init_shields = __esm({
     import_path2 = __toESM(require("path"));
     import_os2 = __toESM(require("os"));
     import_crypto2 = __toESM(require("crypto"));
-    SHIELDS = {
-      postgres: {
-        name: "postgres",
-        description: "Protects PostgreSQL databases from destructive AI operations",
-        aliases: ["pg", "postgresql"],
-        smartRules: [
-          {
-            name: "shield:postgres:block-drop-table",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-            verdict: "block",
-            reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:block-truncate",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-            verdict: "block",
-            reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:block-drop-column",
-            tool: "*",
-            conditions: [
-              { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-            ],
-            verdict: "block",
-            reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:review-grant-revoke",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
-            verdict: "review",
-            reason: "Permission changes require human approval (Postgres shield)"
-          }
-        ],
-        dangerousWords: ["dropdb", "pg_dropcluster"]
-      },
-      github: {
-        name: "github",
-        description: "Protects GitHub repositories from destructive AI operations",
-        aliases: ["git"],
-        smartRules: [
-          {
-            // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
-            // This rule adds coverage for `git push --delete` which the built-in does not match.
-            name: "shield:github:review-delete-branch-remote",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "git\\s+push\\s+.*--delete",
-                flags: "i"
-              }
-            ],
-            verdict: "review",
-            reason: "Remote branch deletion requires human approval (GitHub shield)"
-          },
-          {
-            name: "shield:github:block-delete-repo",
-            tool: "*",
-            conditions: [
-              { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
-            ],
-            verdict: "block",
-            reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
-          }
-        ],
-        dangerousWords: []
-      },
-      aws: {
-        name: "aws",
-        description: "Protects AWS infrastructure from destructive AI operations",
-        aliases: ["amazon"],
-        smartRules: [
-          {
-            name: "shield:aws:block-delete-s3-bucket",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
-          },
-          {
-            name: "shield:aws:review-iam-changes",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
-                flags: "i"
-              }
-            ],
-            verdict: "review",
-            reason: "IAM changes require human approval (AWS shield)"
-          },
-          {
-            name: "shield:aws:block-ec2-terminate",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+ec2\\s+terminate-instances",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
-          },
-          {
-            name: "shield:aws:review-rds-delete",
-            tool: "*",
-            conditions: [
-              { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
-            ],
-            verdict: "review",
-            reason: "RDS deletion requires human approval (AWS shield)"
-          }
-        ],
-        dangerousWords: []
-      },
-      "bash-safe": {
-        name: "bash-safe",
-        description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
-        aliases: ["bash", "shell"],
-        smartRules: [
-          {
-            name: "shield:bash-safe:block-pipe-to-shell",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
-          },
-          {
-            name: "shield:bash-safe:block-obfuscated-exec",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
-          },
-          {
-            name: "shield:bash-safe:block-rm-root",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
-          },
-          {
-            name: "shield:bash-safe:block-disk-overwrite",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
-          },
-          {
-            name: "shield:bash-safe:review-eval",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: '\\beval\\s+[\\$`("]',
-                flags: "i"
-              }
-            ],
-            verdict: "review",
-            reason: "eval of dynamic content requires human approval (bash-safe shield)"
-          }
-        ],
-        dangerousWords: []
-      },
-      filesystem: {
-        name: "filesystem",
-        description: "Protects the local filesystem from dangerous AI operations",
-        aliases: ["fs"],
-        smartRules: [
-          {
-            name: "shield:filesystem:review-chmod-777",
-            tool: "bash",
-            conditions: [
-              { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
-            ],
-            verdict: "review",
-            reason: "chmod 777 requires human approval (filesystem shield)"
-          },
-          {
-            name: "shield:filesystem:review-write-etc",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                // Narrow to write-indicative operations to avoid approval fatigue on reads.
-                // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
-                op: "matches",
-                value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
-              }
-            ],
-            verdict: "review",
-            reason: "Writing to /etc requires human approval (filesystem shield)"
-          }
-        ],
-        // dd removed: too common as a legitimate tool (disk imaging, file ops).
-        // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
-        // wipefs retained: rarely legitimate in an agent context and not in built-ins.
-        dangerousWords: ["wipefs"]
-      }
-    };
+    BUILTIN_DIR = import_path2.default.join(__dirname, "shields", "builtin");
+    USER_SHIELDS_DIR = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields");
+    SHIELDS = buildSHIELDS();
     SHIELDS_STATE_FILE = import_path2.default.join(import_os2.default.homedir(), ".node9", "shields.json");
   }
 });
@@ -2598,7 +2437,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly, localSmartRuleMatched) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2619,7 +2458,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         ...cwd && { cwd },
         ...recoveryCommand && { recoveryCommand },
         ...skipBackgroundAuth && { skipBackgroundAuth: true },
-        ...viewOnly && { viewOnly: true }
+        ...viewOnly && { viewOnly: true },
+        ...localSmartRuleMatched && { localSmartRuleMatched: true }
       }),
       signal: ctrl.signal
     });
@@ -3032,9 +2872,7 @@ end run`;
           "--text",
           pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow  \u21B5",
-          "--timeout",
-          "300"
+          locked ? "Waiting..." : "Allow  \u21B5"
         ];
         if (!locked) {
           argsList.push("--cancel-label", "Block  \u238B");
@@ -3314,6 +3152,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let policyMatchedWord;
   let riskMetadata;
   let statefulRecoveryCommand;
+  let localSmartRuleMatched = false;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -3457,6 +3296,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    if (policyResult.ruleName) localSmartRuleMatched = true;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -3499,22 +3339,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced) {
+  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     try {
       const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
         }
-        return {
-          approved: !!initResult.approved,
-          reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
-          checkedBy: initResult.approved ? "cloud" : void 0,
-          blockedBy: initResult.approved ? void 0 : "team-policy",
-          blockedByLabel: "Organization Policy (SaaS)"
-        };
+        if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+          return {
+            approved: !!initResult.approved,
+            reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
+            checkedBy: initResult.approved ? "cloud" : void 0,
+            blockedBy: initResult.approved ? void 0 : "team-policy",
+            blockedByLabel: "Organization Policy (SaaS)"
+          };
+        }
+      }
+      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+        cloudRequestId = initResult.requestId || null;
       }
-      cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -3560,7 +3404,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata,
           options?.activityId,
           options?.cwd,
-          statefulRecoveryCommand
+          statefulRecoveryCommand,
+          void 0,
+          void 0,
+          localSmartRuleMatched || options?.localSmartRuleMatched
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -3568,7 +3415,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId) {
+  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     racePromises.push(
       (async () => {
         try {
@@ -5842,6 +5689,12 @@ function estimateToolCost(tool, args) {
     const newStr = a.new_string ?? "";
     return String(newStr).length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
   }
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal_execute") {
+    const command = String(a.command ?? a.cmd ?? a.input ?? "");
+    if (command.length > 0) {
+      return command.length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
+    }
+  }
   return void 0;
 }
 function broadcast(event, data) {
@@ -6230,7 +6083,8 @@ data: ${JSON.stringify(item.data)}
           viewOnly = false,
           fromCLI = false,
           activityId,
-          cwd
+          cwd,
+          localSmartRuleMatched = false
         } = JSON.parse(body);
         const id = fromCLI && typeof activityId === "string" && activityId || (0, import_crypto6.randomUUID)();
         const entry = {
@@ -6310,7 +6164,7 @@ data: ${JSON.stringify(item.data)}
             agent: typeof agent === "string" ? agent : void 0,
             mcpServer: typeof mcpServer === "string" ? mcpServer : void 0
           },
-          { calledFromDaemon: true }
+          { calledFromDaemon: true, localSmartRuleMatched: !!localSmartRuleMatched }
         ).then((result) => {
           const e = pending.get(id);
           if (!e) return;
@@ -6973,7 +6827,7 @@ async function ensureDaemon() {
   } catch {
   }
   console.log(import_chalk17.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
-  const child = (0, import_child_process13.spawn)(process.execPath, [process.argv[1], "daemon"], {
+  const child = (0, import_child_process14.spawn)(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
     env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -7147,6 +7001,7 @@ async function startTail(options = {}) {
     return;
   }
   const connectionTime = Date.now();
+  let initialReplayDone = false;
   const activityPending = /* @__PURE__ */ new Map();
   const orphanedResults = /* @__PURE__ */ new Map();
   let csrfToken = "";
@@ -7342,10 +7197,10 @@ async function startTail(options = {}) {
   try {
     const browserEnabled = getConfig().settings.approvers?.browser !== false;
     if (browserEnabled) {
-      if (process.platform === "darwin") (0, import_child_process13.execSync)(`open "${dashboardUrl}"`, { stdio: "ignore" });
+      if (process.platform === "darwin") (0, import_child_process14.execSync)(`open "${dashboardUrl}"`, { stdio: "ignore" });
       else if (process.platform === "win32")
-        (0, import_child_process13.execSync)(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
-      else (0, import_child_process13.execSync)(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
+        (0, import_child_process14.execSync)(`cmd /c start "" "${dashboardUrl}"`, { stdio: "ignore" });
+      else (0, import_child_process14.execSync)(`xdg-open "${dashboardUrl}"`, { stdio: "ignore" });
       const intToken = getInternalToken();
       fetch(`http://127.0.0.1:${port}/browser-opened`, {
         method: "POST",
@@ -7478,11 +7333,17 @@ async function startTail(options = {}) {
       return;
     }
     if (event === "activity") {
+      const isReplayEvent = data.status && data.status !== "pending";
+      if (isReplayEvent && !initialReplayDone) {
+        renderResult(data, data);
+        return;
+      }
       if (!options.history && data.ts > 0 && data.ts < connectionTime) return;
-      if (data.status && data.status !== "pending") {
+      if (isReplayEvent) {
         renderResult(data, data);
         return;
       }
+      if (!initialReplayDone) initialReplayDone = true;
       const orphaned = orphanedResults.get(data.id);
       if (orphaned) {
         orphanedResults.delete(data.id);
@@ -7521,7 +7382,7 @@ async function startTail(options = {}) {
     process.exit(1);
   });
 }
-var import_http2, import_chalk17, import_fs25, import_os21, import_path28, import_readline5, import_child_process13, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, DIVIDER;
+var import_http2, import_chalk17, import_fs25, import_os21, import_path28, import_readline5, import_child_process14, PID_FILE, ICONS, RESET2, BOLD2, RED, YELLOW, CYAN, GRAY, GREEN, HIDE_CURSOR, SHOW_CURSOR, ERASE_DOWN, DIVIDER;
 var init_tail = __esm({
   "src/tui/tail.ts"() {
     "use strict";
@@ -7531,7 +7392,7 @@ var init_tail = __esm({
     import_os21 = __toESM(require("os"));
     import_path28 = __toESM(require("path"));
     import_readline5 = __toESM(require("readline"));
-    import_child_process13 = require("child_process");
+    import_child_process14 = require("child_process");
     init_daemon2();
     init_daemon();
     init_core();
@@ -7866,6 +7727,24 @@ function renderContextLine(stdin) {
 async function main() {
   try {
     const [stdin, daemonStatus2] = await Promise.all([readStdin(), queryDaemon()]);
+    if (import_fs26.default.existsSync(import_path29.default.join(import_os22.default.homedir(), ".node9", "hud-debug"))) {
+      try {
+        const logPath = import_path29.default.join(import_os22.default.homedir(), ".node9", "hud-debug.log");
+        const MAX_LOG_SIZE = 10 * 1024 * 1024;
+        let size = 0;
+        try {
+          size = import_fs26.default.statSync(logPath).size;
+        } catch {
+        }
+        if (size < MAX_LOG_SIZE) {
+          import_fs26.default.appendFileSync(
+            logPath,
+            JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), stdin }) + "\n"
+          );
+        }
+      } catch {
+      }
+    }
     if (!daemonStatus2) {
       renderOffline();
       return;
@@ -7982,7 +7861,7 @@ function isNode9Hook(cmd) {
 function teardownClaude() {
   const homeDir2 = import_os10.default.homedir();
   const hooksPath = import_path14.default.join(homeDir2, ".claude", "settings.json");
-  const mcpPath = import_path14.default.join(homeDir2, ".claude.json");
+  const mcpPath = import_path14.default.join(homeDir2, ".claude", ".mcp.json");
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
@@ -8008,11 +7887,12 @@ function teardownClaude() {
     let mcpChanged = false;
     if (removeNode9McpServer(claudeConfig.mcpServers)) {
       mcpChanged = true;
-      console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.claude.json"));
+      console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.claude/.mcp.json"));
     }
     for (const [name, server] of Object.entries(claudeConfig.mcpServers)) {
-      if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-        const [originalCmd, ...originalArgs] = server.args;
+      const args = server.args;
+      if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+        const [originalCmd, ...originalArgs] = args[2].split(" ");
         claudeConfig.mcpServers[name] = {
           ...server,
           command: originalCmd,
@@ -8020,16 +7900,11 @@ function teardownClaude() {
         };
         mcpChanged = true;
       } else if (server.command === "node9") {
-        console.warn(
-          import_chalk.default.yellow(
-            `  \u26A0\uFE0F  Cannot unwrap MCP server "${name}" in ~/.claude.json \u2014 args is empty. Remove it manually.`
-          )
-        );
       }
     }
     if (mcpChanged) {
       writeJson(mcpPath, claudeConfig);
-      console.log(import_chalk.default.green("  \u2705 Unwrapped MCP servers in ~/.claude.json"));
+      console.log(import_chalk.default.green("  \u2705 Unwrapped MCP servers in ~/.claude/.mcp.json"));
     }
   }
 }
@@ -8058,8 +7933,9 @@ function teardownGemini() {
       console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.gemini/settings.json"));
     }
     for (const [name, server] of Object.entries(settings.mcpServers)) {
-      if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-        const [originalCmd, ...originalArgs] = server.args;
+      const args = server.args;
+      if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+        const [originalCmd, ...originalArgs] = args[2].split(" ");
         settings.mcpServers[name] = {
           ...server,
           command: originalCmd,
@@ -8090,8 +7966,9 @@ function teardownCursor() {
     console.log(import_chalk.default.green("  \u2705 Removed node9 MCP server entry from ~/.cursor/mcp.json"));
   }
   for (const [name, server] of Object.entries(mcpConfig.mcpServers)) {
-    if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-      const [originalCmd, ...originalArgs] = server.args;
+    const args = server.args;
+    if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+      const [originalCmd, ...originalArgs] = args[2].split(" ");
       mcpConfig.mcpServers[name] = {
         ...server,
         command: originalCmd,
@@ -8109,7 +7986,7 @@ function teardownCursor() {
 }
 async function setupClaude() {
   const homeDir2 = import_os10.default.homedir();
-  const mcpPath = import_path14.default.join(homeDir2, ".claude.json");
+  const mcpPath = import_path14.default.join(homeDir2, ".claude", ".mcp.json");
   const hooksPath = import_path14.default.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
@@ -8124,7 +8001,7 @@ async function setupClaude() {
     if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
     settings.hooks.PreToolUse.push({
       matcher: ".*",
-      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 60 }]
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
     });
     console.log(import_chalk.default.green("  \u2705 PreToolUse hook added  \u2192 node9 check"));
     hooksChanged = true;
@@ -8150,6 +8027,15 @@ async function setupClaude() {
     console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
     anythingChanged = true;
   }
+  const hudCommand = fullPathCommand("hud");
+  const statusLineObj = { type: "command", command: hudCommand };
+  const existingStatusLine = settings.statusLine;
+  const existingStatusCommand = typeof existingStatusLine === "object" ? existingStatusLine?.command : existingStatusLine;
+  if (existingStatusCommand !== hudCommand) {
+    settings.statusLine = statusLineObj;
+    hooksChanged = true;
+    anythingChanged = true;
+  }
   if (hooksChanged) {
     writeJson(hooksPath, settings);
     console.log("");
@@ -8157,20 +8043,24 @@ async function setupClaude() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
     console.log(import_chalk.default.white(`  ${mcpPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       claudeConfig.mcpServers = servers;
       writeJson(mcpPath, claudeConfig);
@@ -8250,20 +8140,24 @@ async function setupGemini() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
     console.log(import_chalk.default.white(`  ${settingsPath}  (mcpServers)`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       settings.mcpServers = servers;
       writeJson(settingsPath, settings);
@@ -8322,20 +8216,24 @@ async function setupCursor() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
     console.log(import_chalk.default.white(`  ${mcpPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       mcpConfig.mcpServers = servers;
       writeJson(mcpPath, mcpConfig);
@@ -8398,20 +8296,24 @@ async function setupCodex() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
     console.log(import_chalk.default.white(`  ${configPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       config.mcp_servers = servers;
       writeToml(configPath, config);
@@ -8600,18 +8502,20 @@ async function runProxy(targetCommand) {
   const cmd = commandParts[0];
   const args = commandParts.slice(1);
   let executable = cmd;
+  let useShell = false;
   try {
     const { stdout } = await (0, import_execa.execa)("which", [cmd]);
     if (stdout) executable = stdout.trim();
   } catch {
+    useShell = true;
   }
   console.error(import_chalk4.default.green(`\u{1F680} Node9 Proxy Active: Monitoring [${targetCommand}]`));
-  const child = (0, import_child_process6.spawn)(executable, args, {
+  const spawnEnv = { ...process.env, FORCE_COLOR: "1" };
+  const child = useShell ? (0, import_child_process6.spawn)("/bin/bash", ["-c", targetCommand], {
     stdio: ["pipe", "pipe", "inherit"],
-    // We control STDIN and STDOUT
     shell: false,
-    env: { ...process.env, FORCE_COLOR: "1" }
-  });
+    env: spawnEnv
+  }) : (0, import_child_process6.spawn)(executable, args, { stdio: ["pipe", "pipe", "inherit"], shell: false, env: spawnEnv });
   const agentIn = import_readline.default.createInterface({ input: process.stdin, terminal: false });
   agentIn.on("line", async (line) => {
     let message;
@@ -8720,6 +8624,7 @@ async function autoStartDaemonAndWait() {
 // src/cli/commands/check.ts
 var import_chalk5 = __toESM(require("chalk"));
 var import_fs18 = __toESM(require("fs"));
+var import_child_process9 = require("child_process");
 var import_path20 = __toESM(require("path"));
 var import_os14 = __toESM(require("os"));
 init_orchestrator();
@@ -9103,6 +9008,37 @@ RAW: ${raw}
           process.exit(0);
         }
         const config = getConfig(payload.cwd || void 0);
+        if (config.settings.autoStartDaemon && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON) {
+          try {
+            const scriptPath = process.argv[1];
+            if (typeof scriptPath !== "string" || !import_path20.default.isAbsolute(scriptPath))
+              throw new Error("node9: argv[1] is not an absolute path");
+            const resolvedScript = import_fs18.default.realpathSync(scriptPath);
+            const expectedCli = import_fs18.default.realpathSync(import_path20.default.resolve(__dirname, "../../cli.js"));
+            if (resolvedScript !== expectedCli)
+              throw new Error(
+                "node9: daemon spawn aborted \u2014 argv[1] does not resolve to the node9 CLI"
+              );
+            const safeEnv = { ...process.env };
+            for (const key of [
+              "NODE_OPTIONS",
+              "LD_PRELOAD",
+              "LD_LIBRARY_PATH",
+              "DYLD_INSERT_LIBRARIES",
+              "NODE_PATH",
+              "ELECTRON_RUN_AS_NODE"
+            ]) {
+              delete safeEnv[key];
+            }
+            const d = (0, import_child_process9.spawn)(process.execPath, [scriptPath, "daemon"], {
+              detached: true,
+              stdio: "ignore",
+              env: { ...safeEnv, NODE9_AUTO_STARTED: "1", NODE9_BROWSER_OPENED: "1" }
+            });
+            d.unref();
+          } catch {
+          }
+        }
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
           const logPath = import_path20.default.join(import_os14.default.homedir(), ".node9", "hook-debug.log");
           if (!import_fs18.default.existsSync(import_path20.default.dirname(logPath)))
@@ -9161,7 +9097,7 @@ RAW: ${raw}
               }
             }) + "\n"
           );
-          process.exit(0);
+          process.exit(2);
         };
         if (!toolName) {
           sendBlock("Node9: unrecognised hook payload \u2014 tool name missing.");
@@ -9396,6 +9332,27 @@ var import_chalk6 = __toESM(require("chalk"));
 init_shields();
 init_audit();
 init_config();
+
+// src/utils/https-fetch.ts
+var import_https = __toESM(require("https"));
+function httpsFetch(url) {
+  return new Promise((resolve, reject) => {
+    import_https.default.get(url, (res) => {
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${String(res.statusCode)} for ${url}`));
+        res.resume();
+        return;
+      }
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+      res.on("error", reject);
+    }).on("error", reject);
+  });
+}
+
+// src/cli/commands/shield.ts
+var COMMUNITY_INDEX_URL = "https://raw.githubusercontent.com/node9ai/node9-proxy/main/shields/community/index.json";
 function registerShieldCommand(program2) {
   const shieldCmd = program2.command("shield").description("Manage pre-packaged security shield templates");
   shieldCmd.command("enable <service>").description("Enable a security shield for a specific service").action((service) => {
@@ -9455,7 +9412,32 @@ function registerShieldCommand(program2) {
 \u{1F6E1}\uFE0F  Shield "${name}" disabled.
 `));
   });
-  shieldCmd.command("list").description("Show all available shields").action(() => {
+  shieldCmd.command("list").description("Show available shields (add --community to browse the marketplace)").option("--community", "List shields available from the community marketplace").action((opts) => {
+    if (opts.community) {
+      console.log(import_chalk6.default.bold("\n\u{1F6E1}\uFE0F  Community Shield Marketplace\n"));
+      console.log(import_chalk6.default.gray("  Fetching index\u2026\n"));
+      httpsFetch(COMMUNITY_INDEX_URL).then((body) => {
+        const entries = JSON.parse(body);
+        const installed = new Set(listShields().map((s) => s.name));
+        for (const e of entries) {
+          const tag = installed.has(e.name) ? import_chalk6.default.green("installed") : import_chalk6.default.gray("available");
+          console.log(
+            `  ${tag}  ${import_chalk6.default.cyan(e.name.padEnd(12))} ${e.description}  ${import_chalk6.default.gray(`by ${e.author}`)}`
+          );
+        }
+        console.log("");
+        console.log(
+          import_chalk6.default.gray(`  Install a shield: ${import_chalk6.default.cyan("node9 shield install <name>")}
+`)
+        );
+      }).catch((err2) => {
+        console.error(import_chalk6.default.red(`
+\u274C Could not fetch community index: ${String(err2)}
+`));
+        process.exit(1);
+      });
+      return;
+    }
     const active = new Set(readActiveShields());
     console.log(import_chalk6.default.bold("\n\u{1F6E1}\uFE0F  Available Shields\n"));
     for (const shield of listShields()) {
@@ -9465,6 +9447,10 @@ function registerShieldCommand(program2) {
         console.log(import_chalk6.default.gray(`              aliases: ${shield.aliases.join(", ")}`));
     }
     console.log("");
+    console.log(
+      import_chalk6.default.gray(`  Browse community shields: ${import_chalk6.default.cyan("node9 shield list --community")}
+`)
+    );
   });
   shieldCmd.command("status").description("Show active shields and their individual rules with verdicts").action(() => {
     const active = readActiveShields();
@@ -9602,6 +9588,52 @@ function registerShieldCommand(program2) {
 `)
     );
   });
+  shieldCmd.command("install <name>").description("Install a shield from the community marketplace into ~/.node9/shields/").action((name) => {
+    if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+      console.error(
+        import_chalk6.default.red(
+          `
+\u274C Invalid shield name: only alphanumeric characters, hyphens, and underscores are allowed
+`
+        )
+      );
+      process.exit(1);
+    }
+    console.log(import_chalk6.default.bold(`
+\u{1F6E1}\uFE0F  Installing shield "${name}"\u2026
+`));
+    httpsFetch(COMMUNITY_INDEX_URL).then((indexBody) => {
+      const entries = JSON.parse(indexBody);
+      const entry = entries.find((e) => e.name === name);
+      if (!entry) {
+        const names = entries.map((e) => import_chalk6.default.cyan(e.name)).join(", ");
+        console.error(
+          import_chalk6.default.red(`\u274C Shield "${name}" not found in the community marketplace.
+`)
+        );
+        console.error(`  Available: ${names}
+`);
+        process.exit(1);
+      }
+      return httpsFetch(entry.url);
+    }).then((shieldBody) => {
+      const shieldJson = JSON.parse(shieldBody);
+      installShield(name, shieldJson);
+      console.log(
+        import_chalk6.default.green(`\u2705  Shield "${name}" installed to ~/.node9/shields/${name}.json`)
+      );
+      console.log(
+        import_chalk6.default.gray(`   Activate it with: ${import_chalk6.default.cyan(`node9 shield enable ${name}`)}
+`)
+      );
+      appendConfigAudit({ event: "shield-install", shield: name });
+    }).catch((err2) => {
+      console.error(import_chalk6.default.red(`
+\u274C Install failed: ${String(err2)}
+`));
+      process.exit(1);
+    });
+  });
 }
 function registerConfigShowCommand(program2) {
   program2.command("config show").description(
@@ -9675,7 +9707,7 @@ var import_chalk7 = __toESM(require("chalk"));
 var import_fs20 = __toESM(require("fs"));
 var import_path22 = __toESM(require("path"));
 var import_os16 = __toESM(require("os"));
-var import_child_process9 = require("child_process");
+var import_child_process10 = require("child_process");
 init_daemon();
 function registerDoctorCommand(program2, version2) {
   program2.command("doctor").description("Check that Node9 is installed and configured correctly").action(() => {
@@ -9701,7 +9733,7 @@ function registerDoctorCommand(program2, version2) {
 `));
     section("Binary");
     try {
-      const which = (0, import_child_process9.execSync)("which node9", { encoding: "utf-8", timeout: 3e3 }).trim();
+      const which = (0, import_child_process10.execSync)("which node9", { encoding: "utf-8", timeout: 3e3 }).trim();
       pass(`node9 found at ${which}`);
     } catch {
       warn(
@@ -9719,7 +9751,7 @@ function registerDoctorCommand(program2, version2) {
       );
     }
     try {
-      const gitVersion = (0, import_child_process9.execSync)("git --version", { encoding: "utf-8", timeout: 3e3 }).trim();
+      const gitVersion = (0, import_child_process10.execSync)("git --version", { encoding: "utf-8", timeout: 3e3 }).trim();
       pass(gitVersion);
     } catch {
       warn(
@@ -9916,7 +9948,7 @@ function registerAuditCommand(program2) {
 
 // src/cli/commands/daemon-cmd.ts
 var import_chalk9 = __toESM(require("chalk"));
-var import_child_process10 = require("child_process");
+var import_child_process11 = require("child_process");
 init_daemon2();
 init_daemon();
 function registerDaemonCommand(program2) {
@@ -9949,7 +9981,7 @@ function registerDaemonCommand(program2) {
           console.log(import_chalk9.default.green(`\u{1F310}  Opened browser: http://${DAEMON_HOST}:${DAEMON_PORT}/`));
           process.exit(0);
         }
-        const child = (0, import_child_process10.spawn)(process.execPath, [process.argv[1], "daemon"], {
+        const child = (0, import_child_process11.spawn)(process.execPath, [process.argv[1], "daemon"], {
           detached: true,
           stdio: "ignore"
         });
@@ -9964,7 +9996,7 @@ function registerDaemonCommand(program2) {
         process.exit(0);
       }
       if (options.background) {
-        const child = (0, import_child_process10.spawn)(process.execPath, [process.argv[1], "daemon"], {
+        const child = (0, import_child_process11.spawn)(process.execPath, [process.argv[1], "daemon"], {
           detached: true,
           stdio: "ignore"
         });
@@ -10135,7 +10167,7 @@ var import_chalk11 = __toESM(require("chalk"));
 var import_fs23 = __toESM(require("fs"));
 var import_path25 = __toESM(require("path"));
 var import_os19 = __toESM(require("os"));
-var import_https = __toESM(require("https"));
+var import_https2 = __toESM(require("https"));
 init_core();
 init_shields();
 var DEFAULT_SHIELDS = ["bash-safe", "filesystem", "postgres"];
@@ -10147,7 +10179,7 @@ function fireTelemetryPing(agents) {
       os: process.platform,
       node9_version: process.env.npm_package_version ?? "unknown"
     });
-    const req = import_https.default.request(
+    const req = import_https2.default.request(
       {
         hostname: "api.node9.ai",
         path: "/api/v1/telemetry",
@@ -10552,7 +10584,7 @@ function registerUndoCommand(program2) {
 
 // src/cli/commands/watch.ts
 var import_chalk14 = __toESM(require("chalk"));
-var import_child_process11 = require("child_process");
+var import_child_process12 = require("child_process");
 init_daemon();
 function registerWatchCommand(program2) {
   program2.command("watch").description("Run a command under Node9 watch mode (daemon stays alive for the session)").argument("<command>", "Command to run").argument("[args...]", "Arguments for the command").action(async (cmd, args) => {
@@ -10569,7 +10601,7 @@ function registerWatchCommand(program2) {
       }
     } catch {
       console.error(import_chalk14.default.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
-      const child = (0, import_child_process11.spawn)(process.execPath, [process.argv[1], "daemon"], {
+      const child = (0, import_child_process12.spawn)(process.execPath, [process.argv[1], "daemon"], {
         detached: true,
         stdio: "ignore",
         env: { ...process.env, NODE9_AUTO_STARTED: "1", NODE9_WATCH_MODE: "1" }
@@ -10599,7 +10631,7 @@ function registerWatchCommand(program2) {
         "\n   Tip: run `node9 tail` in another terminal to review and approve AI actions.\n"
       )
     );
-    const result = (0, import_child_process11.spawnSync)(cmd, args, {
+    const result = (0, import_child_process12.spawnSync)(cmd, args, {
       stdio: "inherit",
       env: { ...process.env, NODE9_WATCH_MODE: "1" }
     });
@@ -10614,7 +10646,7 @@ function registerWatchCommand(program2) {
 // src/mcp-gateway/index.ts
 var import_readline3 = __toESM(require("readline"));
 var import_chalk15 = __toESM(require("chalk"));
-var import_child_process12 = require("child_process");
+var import_child_process13 = require("child_process");
 var import_execa3 = require("execa");
 init_orchestrator();
 init_provenance();
@@ -10702,7 +10734,7 @@ async function runMcpGateway(upstreamCommand) {
   const safeEnv = Object.fromEntries(
     Object.entries(process.env).filter(([k]) => !UPSTREAM_INJECTOR_VARS.has(k))
   );
-  const child = (0, import_child_process12.spawn)(executable, cmdArgs, {
+  const child = (0, import_child_process13.spawn)(executable, cmdArgs, {
     stdio: ["pipe", "pipe", "inherit"],
     // control stdin/stdout; inherit stderr
     shell: false,
@@ -10785,8 +10817,11 @@ async function runMcpGateway(upstreamCommand) {
         return;
       } finally {
         authPending = false;
-        agentIn.resume();
-        if (deferredStdinEnd) child.stdin.end();
+        if (deferredStdinEnd) {
+          child.stdin.end();
+        } else {
+          agentIn.resume();
+        }
         if (deferredExitCode !== null) process.exit(deferredExitCode);
       }
       return;
@@ -11521,7 +11556,43 @@ registerMcpGatewayCommand(program);
 registerMcpServerCommand(program);
 registerCheckCommand(program);
 registerLogCommand(program);
-program.command("hud").description("Render node9 security statusline (spawned by Claude Code statusLine)").action(async () => {
+program.command("hud").description("Render node9 security statusline (spawned by Claude Code statusLine)").addHelpText(
+  "after",
+  `
+Outputs up to 3 lines to stdout, then exits:
+
+  Line 1 \u2014 Security state (always shown):
+    \u{1F6E1} node9 | <mode> [shields] | \u2705 allowed  \u{1F6D1} blocked  \u{1F6A8} dlp  ~$cost
+    Shows "offline" if the node9 daemon is not running.
+
+  Line 2 \u2014 Claude context & rate limits (shown when available):
+    <model>  \u2502 ctx \u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591 61%  \u2502 5h \u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591 40% (2h 10m left)
+    Only appears when Claude Code passes context_window / rate_limits data via stdin.
+
+  Line 3 \u2014 Environment counts (shown when non-zero):
+    2 CLAUDE.md | 5 rules | 4 MCPs | 3 hooks
+    Counts CLAUDE.md files, rules/, MCP servers, and hook entries across user + project scope.
+    Disable with: { "settings": { "hud": { "showEnvironmentCounts": false } } } in node9.config.json
+
+Claude Code spawns this command every ~300ms and writes a JSON payload to stdin.
+Run "node9 addto claude" to register it as the statusLine.`
+).argument("[subcommand]", 'Optional: "debug on" / "debug off" to toggle stdin logging').argument("[state]", 'on|off \u2014 used with "debug" subcommand').action(async (subcommand, state) => {
+  if (subcommand === "debug") {
+    const flagFile = import_path30.default.join(import_os23.default.homedir(), ".node9", "hud-debug");
+    if (state === "on") {
+      import_fs27.default.mkdirSync(import_path30.default.dirname(flagFile), { recursive: true });
+      import_fs27.default.writeFileSync(flagFile, "");
+      console.log("HUD debug logging enabled \u2192 ~/.node9/hud-debug.log");
+      console.log("Tail it with: tail -f ~/.node9/hud-debug.log");
+    } else if (state === "off") {
+      if (import_fs27.default.existsSync(flagFile)) import_fs27.default.unlinkSync(flagFile);
+      console.log("HUD debug logging disabled.");
+    } else {
+      console.error("Usage: node9 hud debug on|off");
+      process.exit(1);
+    }
+    return;
+  }
   const { main: main2 } = await Promise.resolve().then(() => (init_hud(), hud_exports));
   await main2();
 });