@node9/proxy 1.8.2 → 1.8.3

package/dist/cli.mjs

@@ -2852,9 +2852,7 @@ end run`;
           "--text",
           pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow  \u21B5",
-          "--timeout",
-          "300"
+          locked ? "Waiting..." : "Allow  \u21B5"
         ];
         if (!locked) {
           argsList.push("--cancel-label", "Block  \u238B");
@@ -5674,6 +5672,12 @@ function estimateToolCost(tool, args) {
     const newStr = a.new_string ?? "";
     return String(newStr).length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
   }
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal_execute") {
+    const command = String(a.command ?? a.cmd ?? a.input ?? "");
+    if (command.length > 0) {
+      return command.length / BYTES_PER_TOKEN / 1e6 * OUTPUT_PRICE_PER_1M;
+    }
+  }
   return void 0;
 }
 function broadcast(event, data) {
@@ -6748,7 +6752,7 @@ import fs25 from "fs";
 import os21 from "os";
 import path28 from "path";
 import readline5 from "readline";
-import { spawn as spawn9, execSync as execSync3 } from "child_process";
+import { spawn as spawn10, execSync as execSync3 } from "child_process";
 function getIcon(tool) {
   const t = tool.toLowerCase();
   for (const [k, v] of Object.entries(ICONS)) {
@@ -6805,7 +6809,7 @@ async function ensureDaemon() {
   } catch {
   }
   console.log(chalk17.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon..."));
-  const child = spawn9(process.execPath, [process.argv[1], "daemon"], {
+  const child = spawn10(process.execPath, [process.argv[1], "daemon"], {
     detached: true,
     stdio: "ignore",
     env: { ...process.env, NODE9_AUTO_STARTED: "1" }
@@ -6979,6 +6983,7 @@ async function startTail(options = {}) {
     return;
   }
   const connectionTime = Date.now();
+  let initialReplayDone = false;
   const activityPending = /* @__PURE__ */ new Map();
   const orphanedResults = /* @__PURE__ */ new Map();
   let csrfToken = "";
@@ -7310,11 +7315,17 @@ async function startTail(options = {}) {
       return;
     }
     if (event === "activity") {
+      const isReplayEvent = data.status && data.status !== "pending";
+      if (isReplayEvent && !initialReplayDone) {
+        renderResult(data, data);
+        return;
+      }
       if (!options.history && data.ts > 0 && data.ts < connectionTime) return;
-      if (data.status && data.status !== "pending") {
+      if (isReplayEvent) {
         renderResult(data, data);
         return;
       }
+      if (!initialReplayDone) initialReplayDone = true;
       const orphaned = orphanedResults.get(data.id);
       if (orphaned) {
         orphanedResults.delete(data.id);
@@ -7695,6 +7706,24 @@ function renderContextLine(stdin) {
 async function main() {
   try {
     const [stdin, daemonStatus2] = await Promise.all([readStdin(), queryDaemon()]);
+    if (fs26.existsSync(path29.join(os22.homedir(), ".node9", "hud-debug"))) {
+      try {
+        const logPath = path29.join(os22.homedir(), ".node9", "hud-debug.log");
+        const MAX_LOG_SIZE = 10 * 1024 * 1024;
+        let size = 0;
+        try {
+          size = fs26.statSync(logPath).size;
+        } catch {
+        }
+        if (size < MAX_LOG_SIZE) {
+          fs26.appendFileSync(
+            logPath,
+            JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), stdin }) + "\n"
+          );
+        }
+      } catch {
+      }
+    }
     if (!daemonStatus2) {
       renderOffline();
       return;
@@ -7807,7 +7836,7 @@ function isNode9Hook(cmd) {
 function teardownClaude() {
   const homeDir2 = os10.homedir();
   const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
-  const mcpPath = path14.join(homeDir2, ".claude.json");
+  const mcpPath = path14.join(homeDir2, ".claude", ".mcp.json");
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
@@ -7833,11 +7862,12 @@ function teardownClaude() {
     let mcpChanged = false;
     if (removeNode9McpServer(claudeConfig.mcpServers)) {
       mcpChanged = true;
-      console.log(chalk.green("  \u2705 Removed node9 MCP server entry from ~/.claude.json"));
+      console.log(chalk.green("  \u2705 Removed node9 MCP server entry from ~/.claude/.mcp.json"));
     }
     for (const [name, server] of Object.entries(claudeConfig.mcpServers)) {
-      if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-        const [originalCmd, ...originalArgs] = server.args;
+      const args = server.args;
+      if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+        const [originalCmd, ...originalArgs] = args[2].split(" ");
         claudeConfig.mcpServers[name] = {
           ...server,
           command: originalCmd,
@@ -7845,16 +7875,11 @@ function teardownClaude() {
         };
         mcpChanged = true;
       } else if (server.command === "node9") {
-        console.warn(
-          chalk.yellow(
-            `  \u26A0\uFE0F  Cannot unwrap MCP server "${name}" in ~/.claude.json \u2014 args is empty. Remove it manually.`
-          )
-        );
       }
     }
     if (mcpChanged) {
       writeJson(mcpPath, claudeConfig);
-      console.log(chalk.green("  \u2705 Unwrapped MCP servers in ~/.claude.json"));
+      console.log(chalk.green("  \u2705 Unwrapped MCP servers in ~/.claude/.mcp.json"));
     }
   }
 }
@@ -7883,8 +7908,9 @@ function teardownGemini() {
       console.log(chalk.green("  \u2705 Removed node9 MCP server entry from ~/.gemini/settings.json"));
     }
     for (const [name, server] of Object.entries(settings.mcpServers)) {
-      if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-        const [originalCmd, ...originalArgs] = server.args;
+      const args = server.args;
+      if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+        const [originalCmd, ...originalArgs] = args[2].split(" ");
         settings.mcpServers[name] = {
           ...server,
           command: originalCmd,
@@ -7915,8 +7941,9 @@ function teardownCursor() {
     console.log(chalk.green("  \u2705 Removed node9 MCP server entry from ~/.cursor/mcp.json"));
   }
   for (const [name, server] of Object.entries(mcpConfig.mcpServers)) {
-    if (server.command === "node9" && Array.isArray(server.args) && server.args.length > 0) {
-      const [originalCmd, ...originalArgs] = server.args;
+    const args = server.args;
+    if (server.command === "node9" && Array.isArray(args) && args[0] === "mcp" && args[1] === "--upstream" && typeof args[2] === "string") {
+      const [originalCmd, ...originalArgs] = args[2].split(" ");
       mcpConfig.mcpServers[name] = {
         ...server,
         command: originalCmd,
@@ -7934,7 +7961,7 @@ function teardownCursor() {
 }
 async function setupClaude() {
   const homeDir2 = os10.homedir();
-  const mcpPath = path14.join(homeDir2, ".claude.json");
+  const mcpPath = path14.join(homeDir2, ".claude", ".mcp.json");
   const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
   const claudeConfig = readJson(mcpPath) ?? {};
   const settings = readJson(hooksPath) ?? {};
@@ -7949,7 +7976,7 @@ async function setupClaude() {
     if (!settings.hooks.PreToolUse) settings.hooks.PreToolUse = [];
     settings.hooks.PreToolUse.push({
       matcher: ".*",
-      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 60 }]
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
     });
     console.log(chalk.green("  \u2705 PreToolUse hook added  \u2192 node9 check"));
     hooksChanged = true;
@@ -7975,6 +8002,15 @@ async function setupClaude() {
     console.log(chalk.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
     anythingChanged = true;
   }
+  const hudCommand = fullPathCommand("hud");
+  const statusLineObj = { type: "command", command: hudCommand };
+  const existingStatusLine = settings.statusLine;
+  const existingStatusCommand = typeof existingStatusLine === "object" ? existingStatusLine?.command : existingStatusLine;
+  if (existingStatusCommand !== hudCommand) {
+    settings.statusLine = statusLineObj;
+    hooksChanged = true;
+    anythingChanged = true;
+  }
   if (hooksChanged) {
     writeJson(hooksPath, settings);
     console.log("");
@@ -7982,20 +8018,24 @@ async function setupClaude() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(chalk.bold("The following existing entries will be modified:\n"));
     console.log(chalk.white(`  ${mcpPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       claudeConfig.mcpServers = servers;
       writeJson(mcpPath, claudeConfig);
@@ -8075,20 +8115,24 @@ async function setupGemini() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(chalk.bold("The following existing entries will be modified:\n"));
     console.log(chalk.white(`  ${settingsPath}  (mcpServers)`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       settings.mcpServers = servers;
       writeJson(settingsPath, settings);
@@ -8147,20 +8191,24 @@ async function setupCursor() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(chalk.bold("The following existing entries will be modified:\n"));
     console.log(chalk.white(`  ${mcpPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       mcpConfig.mcpServers = servers;
       writeJson(mcpPath, mcpConfig);
@@ -8223,20 +8271,24 @@ async function setupCodex() {
   const serversToWrap = [];
   for (const [name, server] of Object.entries(servers)) {
     if (!server.command || server.command === "node9") continue;
-    const parts = [server.command, ...server.args ?? []];
-    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+    const upstream = [server.command, ...server.args ?? []].join(" ");
+    serversToWrap.push({ name, upstream });
   }
   if (serversToWrap.length > 0) {
     console.log(chalk.bold("The following existing entries will be modified:\n"));
     console.log(chalk.white(`  ${configPath}`));
-    for (const { name, originalCmd } of serversToWrap) {
-      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    for (const { name, upstream } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${upstream}" \u2192 node9 mcp --upstream "${upstream}"`));
     }
     console.log("");
     const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
     if (proceed) {
-      for (const { name, parts } of serversToWrap) {
-        servers[name] = { ...servers[name], command: "node9", args: parts };
+      for (const { name, upstream } of serversToWrap) {
+        servers[name] = {
+          ...servers[name],
+          command: "node9",
+          args: ["mcp", "--upstream", upstream]
+        };
       }
       config.mcp_servers = servers;
       writeToml(configPath, config);
@@ -8425,18 +8477,20 @@ async function runProxy(targetCommand) {
   const cmd = commandParts[0];
   const args = commandParts.slice(1);
   let executable = cmd;
+  let useShell = false;
   try {
     const { stdout } = await execa("which", [cmd]);
     if (stdout) executable = stdout.trim();
   } catch {
+    useShell = true;
   }
   console.error(chalk4.green(`\u{1F680} Node9 Proxy Active: Monitoring [${targetCommand}]`));
-  const child = spawn3(executable, args, {
+  const spawnEnv = { ...process.env, FORCE_COLOR: "1" };
+  const child = useShell ? spawn3("/bin/bash", ["-c", targetCommand], {
     stdio: ["pipe", "pipe", "inherit"],
-    // We control STDIN and STDOUT
     shell: false,
-    env: { ...process.env, FORCE_COLOR: "1" }
-  });
+    env: spawnEnv
+  }) : spawn3(executable, args, { stdio: ["pipe", "pipe", "inherit"], shell: false, env: spawnEnv });
   const agentIn = readline.createInterface({ input: process.stdin, terminal: false });
   agentIn.on("line", async (line) => {
     let message;
@@ -8549,6 +8603,7 @@ init_config();
 init_policy();
 import chalk5 from "chalk";
 import fs18 from "fs";
+import { spawn as spawn6 } from "child_process";
 import path20 from "path";
 import os14 from "os";
 
@@ -8928,6 +8983,37 @@ RAW: ${raw}
           process.exit(0);
         }
         const config = getConfig(payload.cwd || void 0);
+        if (config.settings.autoStartDaemon && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON) {
+          try {
+            const scriptPath = process.argv[1];
+            if (typeof scriptPath !== "string" || !path20.isAbsolute(scriptPath))
+              throw new Error("node9: argv[1] is not an absolute path");
+            const resolvedScript = fs18.realpathSync(scriptPath);
+            const expectedCli = fs18.realpathSync(path20.resolve(__dirname, "../../cli.js"));
+            if (resolvedScript !== expectedCli)
+              throw new Error(
+                "node9: daemon spawn aborted \u2014 argv[1] does not resolve to the node9 CLI"
+              );
+            const safeEnv = { ...process.env };
+            for (const key of [
+              "NODE_OPTIONS",
+              "LD_PRELOAD",
+              "LD_LIBRARY_PATH",
+              "DYLD_INSERT_LIBRARIES",
+              "NODE_PATH",
+              "ELECTRON_RUN_AS_NODE"
+            ]) {
+              delete safeEnv[key];
+            }
+            const d = spawn6(process.execPath, [scriptPath, "daemon"], {
+              detached: true,
+              stdio: "ignore",
+              env: { ...safeEnv, NODE9_AUTO_STARTED: "1", NODE9_BROWSER_OPENED: "1" }
+            });
+            d.unref();
+          } catch {
+          }
+        }
         if (process.env.NODE9_DEBUG === "1" || config.settings.enableHookLogDebug) {
           const logPath = path20.join(os14.homedir(), ".node9", "hook-debug.log");
           if (!fs18.existsSync(path20.dirname(logPath)))
@@ -9839,7 +9925,7 @@ function registerAuditCommand(program2) {
 init_daemon2();
 init_daemon();
 import chalk9 from "chalk";
-import { spawn as spawn6 } from "child_process";
+import { spawn as spawn7 } from "child_process";
 function registerDaemonCommand(program2) {
   program2.command("daemon").description("Run the local approval server").argument("[action]", "start | stop | status (default: start)").option("-b, --background", "Start the daemon in the background (detached)").option("-o, --openui", "Start in background and open browser").option(
     "-w, --watch",
@@ -9870,7 +9956,7 @@ function registerDaemonCommand(program2) {
           console.log(chalk9.green(`\u{1F310}  Opened browser: http://${DAEMON_HOST}:${DAEMON_PORT}/`));
           process.exit(0);
         }
-        const child = spawn6(process.execPath, [process.argv[1], "daemon"], {
+        const child = spawn7(process.execPath, [process.argv[1], "daemon"], {
           detached: true,
           stdio: "ignore"
         });
@@ -9885,7 +9971,7 @@ function registerDaemonCommand(program2) {
         process.exit(0);
       }
       if (options.background) {
-        const child = spawn6(process.execPath, [process.argv[1], "daemon"], {
+        const child = spawn7(process.execPath, [process.argv[1], "daemon"], {
           detached: true,
           stdio: "ignore"
         });
@@ -10474,7 +10560,7 @@ function registerUndoCommand(program2) {
 // src/cli/commands/watch.ts
 init_daemon();
 import chalk14 from "chalk";
-import { spawn as spawn7, spawnSync as spawnSync5 } from "child_process";
+import { spawn as spawn8, spawnSync as spawnSync5 } from "child_process";
 function registerWatchCommand(program2) {
   program2.command("watch").description("Run a command under Node9 watch mode (daemon stays alive for the session)").argument("<command>", "Command to run").argument("[args...]", "Arguments for the command").action(async (cmd, args) => {
     let port = DAEMON_PORT;
@@ -10490,7 +10576,7 @@ function registerWatchCommand(program2) {
       }
     } catch {
       console.error(chalk14.dim("\u{1F6E1}\uFE0F  Starting Node9 daemon (watch mode)..."));
-      const child = spawn7(process.execPath, [process.argv[1], "daemon"], {
+      const child = spawn8(process.execPath, [process.argv[1], "daemon"], {
         detached: true,
         stdio: "ignore",
         env: { ...process.env, NODE9_AUTO_STARTED: "1", NODE9_WATCH_MODE: "1" }
@@ -10536,7 +10622,7 @@ function registerWatchCommand(program2) {
 init_orchestrator();
 import readline3 from "readline";
 import chalk15 from "chalk";
-import { spawn as spawn8 } from "child_process";
+import { spawn as spawn9 } from "child_process";
 import { execa as execa2 } from "execa";
 init_provenance();
 function sanitize4(value) {
@@ -10623,7 +10709,7 @@ async function runMcpGateway(upstreamCommand) {
   const safeEnv = Object.fromEntries(
     Object.entries(process.env).filter(([k]) => !UPSTREAM_INJECTOR_VARS.has(k))
   );
-  const child = spawn8(executable, cmdArgs, {
+  const child = spawn9(executable, cmdArgs, {
     stdio: ["pipe", "pipe", "inherit"],
     // control stdin/stdout; inherit stderr
     shell: false,
@@ -10706,8 +10792,11 @@ async function runMcpGateway(upstreamCommand) {
         return;
       } finally {
         authPending = false;
-        agentIn.resume();
-        if (deferredStdinEnd) child.stdin.end();
+        if (deferredStdinEnd) {
+          child.stdin.end();
+        } else {
+          agentIn.resume();
+        }
         if (deferredExitCode !== null) process.exit(deferredExitCode);
       }
       return;
@@ -11442,7 +11531,43 @@ registerMcpGatewayCommand(program);
 registerMcpServerCommand(program);
 registerCheckCommand(program);
 registerLogCommand(program);
-program.command("hud").description("Render node9 security statusline (spawned by Claude Code statusLine)").action(async () => {
+program.command("hud").description("Render node9 security statusline (spawned by Claude Code statusLine)").addHelpText(
+  "after",
+  `
+Outputs up to 3 lines to stdout, then exits:
+
+  Line 1 \u2014 Security state (always shown):
+    \u{1F6E1} node9 | <mode> [shields] | \u2705 allowed  \u{1F6D1} blocked  \u{1F6A8} dlp  ~$cost
+    Shows "offline" if the node9 daemon is not running.
+
+  Line 2 \u2014 Claude context & rate limits (shown when available):
+    <model>  \u2502 ctx \u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591 61%  \u2502 5h \u2588\u2588\u2588\u2588\u2591\u2591\u2591\u2591\u2591\u2591 40% (2h 10m left)
+    Only appears when Claude Code passes context_window / rate_limits data via stdin.
+
+  Line 3 \u2014 Environment counts (shown when non-zero):
+    2 CLAUDE.md | 5 rules | 4 MCPs | 3 hooks
+    Counts CLAUDE.md files, rules/, MCP servers, and hook entries across user + project scope.
+    Disable with: { "settings": { "hud": { "showEnvironmentCounts": false } } } in node9.config.json
+
+Claude Code spawns this command every ~300ms and writes a JSON payload to stdin.
+Run "node9 addto claude" to register it as the statusLine.`
+).argument("[subcommand]", 'Optional: "debug on" / "debug off" to toggle stdin logging').argument("[state]", 'on|off \u2014 used with "debug" subcommand').action(async (subcommand, state) => {
+  if (subcommand === "debug") {
+    const flagFile = path30.join(os23.homedir(), ".node9", "hud-debug");
+    if (state === "on") {
+      fs27.mkdirSync(path30.dirname(flagFile), { recursive: true });
+      fs27.writeFileSync(flagFile, "");
+      console.log("HUD debug logging enabled \u2192 ~/.node9/hud-debug.log");
+      console.log("Tail it with: tail -f ~/.node9/hud-debug.log");
+    } else if (state === "off") {
+      if (fs27.existsSync(flagFile)) fs27.unlinkSync(flagFile);
+      console.log("HUD debug logging disabled.");
+    } else {
+      console.error("Usage: node9 hud debug on|off");
+      process.exit(1);
+    }
+    return;
+  }
   const { main: main2 } = await Promise.resolve().then(() => (init_hud(), hud_exports));
   await main2();
 });

package/dist/index.js

@@ -2382,9 +2382,7 @@ end run`;
           "--text",
           pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow  \u21B5",
-          "--timeout",
-          "300"
+          locked ? "Waiting..." : "Allow  \u21B5"
         ];
         if (!locked) {
           argsList.push("--cancel-label", "Block  \u238B");

package/dist/index.mjs

@@ -2352,9 +2352,7 @@ end run`;
           "--text",
           pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow  \u21B5",
-          "--timeout",
-          "300"
+          locked ? "Waiting..." : "Allow  \u21B5"
         ];
         if (!locked) {
           argsList.push("--cancel-label", "Block  \u238B");

package/dist/shields/builtin/docker.json

@@ -0,0 +1,120 @@
+{
+  "name": "docker",
+  "description": "Protects Docker environments from destructive AI operations",
+  "aliases": [],
+  "smartRules": [
+    {
+      "name": "shield:docker:block-system-prune",
+      "tool": "*",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+system\\s+prune",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "docker system prune removes all unused containers, images, and volumes — blocked by Docker shield"
+    },
+    {
+      "name": "shield:docker:block-volume-prune",
+      "tool": "*",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+volume\\s+prune",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "docker volume prune destroys all unused volumes and their data — blocked by Docker shield"
+    },
+    {
+      "name": "shield:docker:block-rm-force",
+      "tool": "*",
+      "conditionMode": "all",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+rm\\b",
+          "flags": "i"
+        },
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(^|\\s)(-f|--force)(\\s|$)",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "Force-removing running containers is destructive — blocked by Docker shield"
+    },
+    {
+      "name": "shield:docker:review-volume-rm",
+      "tool": "*",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+volume\\s+rm\\s+",
+          "flags": "i"
+        }
+      ],
+      "verdict": "review",
+      "reason": "Volume removal deletes persistent data and requires human approval (Docker shield)"
+    },
+    {
+      "name": "shield:docker:review-stop-kill",
+      "tool": "*",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+(stop|kill)\\s+",
+          "flags": "i"
+        }
+      ],
+      "verdict": "review",
+      "reason": "Stopping or killing containers requires human approval (Docker shield)"
+    },
+    {
+      "name": "shield:docker:review-image-rm",
+      "tool": "*",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+image\\s+rm\\b",
+          "flags": "i"
+        }
+      ],
+      "verdict": "review",
+      "reason": "Image removal requires human approval (Docker shield)"
+    },
+    {
+      "name": "shield:docker:review-rmi-force",
+      "tool": "*",
+      "conditionMode": "all",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "docker\\s+rmi\\b",
+          "flags": "i"
+        },
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(^|\\s)(-f|--force)(\\s|$)",
+          "flags": "i"
+        }
+      ],
+      "verdict": "review",
+      "reason": "Force image removal requires human approval (Docker shield)"
+    }
+  ],
+  "dangerousWords": []
+}