feat: add DLP content scanner + fix Cursor hook + fix shields warning

DLP Engine (src/dlp.ts):
- 7 built-in patterns: AWS key, GitHub token, Slack, OpenAI, Stripe, PEM, Bearer
- Recursive scanner with depth limit (5) and string length cap (100 KB)
- JSON-in-string detection for agents that stringify nested objects
- maskSecret() — only redacted sample stored, full secret never leaves dlp.ts
- severity: 'block' for known high-confidence patterns, 'review' for Bearer

Core integration (src/core.ts):
- DLP check runs before ignoredTools fast-path and audit mode
- Hard block for 'block' patterns; 'review' falls through to race engine
- DLP step 0 in explainPolicy waterfall
- dlp config merged per-layer in getConfig() with enabled/scanIgnoredTools

CLI (src/cli.ts):
- DLP-specific negotiation message (rotate the key, use env vars, don't retry)
- chalk.bgRed.white.bold alarm banner when blockedByLabel includes 'DLP'

Cursor fix (src/setup.ts):
- Remove hooks.json writing — Cursor does not support this format
- Print clear warning that native hook mode is pending Cursor support
- Only MCP proxy wrapping is configured

Shields fix (src/shields.ts):
- Treat empty shields.json as missing (suppress spurious parse warnings in tests)

Tests: 353 passing (22 new DLP tests, fake secrets split via concatenation)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: nawi-25

src/__tests__/dlp.test.ts

@@ -0,0 +1,195 @@
+import { describe, it, expect } from 'vitest';
+import { scanArgs, DLP_PATTERNS } from '../dlp.js';
+
+// NOTE: All fake secret strings are built via concatenation so GitHub's secret
+// scanner doesn't flag this test file. The values are obviously fake (sequential
+// letters/numbers) and are never used outside of these unit tests.
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+// Fake AWS Access Key ID — split to defeat static secret scanners
+const FAKE_AWS_KEY = 'AKIA' + 'IOSFODNN7' + 'EXAMPLE';
+
+// Stripe keys: sk_(live|test)_ + exactly 24 alphanumeric chars
+const FAKE_STRIPE_LIVE = 'sk_live_' + 'abcdefghijklmnop' + 'qrstuvwx';
+const FAKE_STRIPE_TEST = 'sk_test_' + 'abcdefghijklmnop' + 'qrstuvwx';
+
+// OpenAI key: sk- + 20+ alphanumeric chars
+const FAKE_OPENAI_KEY = 'sk-' + 'abcdefghij' + '1234567890klmn';
+
+// Slack bot token
+const FAKE_SLACK_TOKEN = 'xoxb-' + '1234-5678-abcdefghij';
+
+// ── Pattern coverage ──────────────────────────────────────────────────────────
+
+describe('DLP_PATTERNS — built-in patterns', () => {
+  it('detects AWS Access Key ID', () => {
+    const match = scanArgs({ command: `aws s3 cp --key ${FAKE_AWS_KEY} s3://bucket/` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('AWS Access Key ID');
+    expect(match!.severity).toBe('block');
+    expect(match!.redactedSample).not.toContain(FAKE_AWS_KEY);
+    expect(match!.redactedSample).toMatch(/AKIA\*+MPLE/);
+  });
+
+  it('detects GitHub personal access token (ghp_)', () => {
+    const token = 'ghp_' + 'a'.repeat(36);
+    const match = scanArgs({ command: `git clone https://${token}@github.com/org/repo` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('GitHub Token');
+    expect(match!.severity).toBe('block');
+    expect(match!.redactedSample).not.toContain(token);
+  });
+
+  it('detects GitHub OAuth token (gho_)', () => {
+    const token = 'gho_' + 'b'.repeat(36);
+    const match = scanArgs({ env: { TOKEN: token } });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('GitHub Token');
+  });
+
+  it('detects Slack bot token', () => {
+    const match = scanArgs({ header: `Authorization: ${FAKE_SLACK_TOKEN}` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Slack Bot Token');
+    expect(match!.severity).toBe('block');
+  });
+
+  it('detects OpenAI API key', () => {
+    const match = scanArgs({ command: `curl -H "Authorization: ${FAKE_OPENAI_KEY}"` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('OpenAI API Key');
+    expect(match!.severity).toBe('block');
+  });
+
+  it('detects Stripe live secret key', () => {
+    const match = scanArgs({ env: `STRIPE_KEY=${FAKE_STRIPE_LIVE}` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Stripe Secret Key');
+    expect(match!.severity).toBe('block');
+  });
+
+  it('detects Stripe test secret key', () => {
+    const match = scanArgs({ env: `STRIPE_KEY=${FAKE_STRIPE_TEST}` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Stripe Secret Key');
+  });
+
+  it('detects PEM private key header', () => {
+    const pemHeader = '-----BEGIN RSA ' + 'PRIVATE KEY-----';
+    const match = scanArgs({ content: `${pemHeader}\nMIIEowIBAAK...` });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Private Key (PEM)');
+    expect(match!.severity).toBe('block');
+  });
+
+  it('detects Bearer token with review severity', () => {
+    const match = scanArgs({ header: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.sig' });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Bearer Token');
+    expect(match!.severity).toBe('review'); // not a hard block
+  });
+});
+
+// ── Redaction ─────────────────────────────────────────────────────────────────
+
+describe('maskSecret redaction', () => {
+  it('shows first 4 + last 4 chars of the matched secret', () => {
+    const match = scanArgs({ key: FAKE_AWS_KEY });
+    expect(match).not.toBeNull();
+    // prefix = 'AKIA', suffix = 'MPLE'
+    expect(match!.redactedSample).toMatch(/^AKIA/);
+    expect(match!.redactedSample).toMatch(/MPLE$/);
+    expect(match!.redactedSample).toContain('*');
+    expect(match!.redactedSample).not.toContain('IOSFODNN7EXA');
+  });
+});
+
+// ── Recursive scanning ────────────────────────────────────────────────────────
+
+describe('scanArgs — recursive object scanning', () => {
+  it('scans nested objects', () => {
+    const match = scanArgs({ outer: { inner: { key: FAKE_AWS_KEY } } });
+    expect(match).not.toBeNull();
+    expect(match!.fieldPath).toBe('args.outer.inner.key');
+  });
+
+  it('scans arrays', () => {
+    const match = scanArgs({ envVars: ['SAFE=value', `SECRET=${FAKE_AWS_KEY}`] });
+    expect(match).not.toBeNull();
+    expect(match!.fieldPath).toContain('[1]');
+  });
+
+  it('returns null for clean args', () => {
+    expect(scanArgs({ command: 'ls -la /tmp', options: { verbose: true } })).toBeNull();
+  });
+
+  it('returns null for non-object primitives', () => {
+    expect(scanArgs(42)).toBeNull();
+    expect(scanArgs(null)).toBeNull();
+    expect(scanArgs(undefined)).toBeNull();
+  });
+});
+
+// ── JSON-in-string ────────────────────────────────────────────────────────────
+
+describe('scanArgs — JSON-in-string detection', () => {
+  it('detects a secret inside a JSON-encoded string field', () => {
+    const inner = JSON.stringify({ api_key: FAKE_AWS_KEY, region: 'us-east-1' });
+    const match = scanArgs({ content: inner });
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('AWS Access Key ID');
+  });
+
+  it('does not crash on invalid JSON strings', () => {
+    expect(() => scanArgs({ content: '{not valid json' })).not.toThrow();
+  });
+
+  it('skips JSON parse for strings longer than 10 KB', () => {
+    const longJson = '{"key": "' + 'x'.repeat(10_001) + '"}';
+    // Should not throw and should not attempt to parse
+    expect(() => scanArgs({ content: longJson })).not.toThrow();
+  });
+});
+
+// ── Depth & length limits ─────────────────────────────────────────────────────
+
+describe('scanArgs — performance guards', () => {
+  it('stops recursion at MAX_DEPTH (5)', () => {
+    // 6 levels deep — secret at level 6 should not be found
+    const deep = { a: { b: { c: { d: { e: { f: FAKE_AWS_KEY } } } } } };
+    const match = scanArgs(deep);
+    // depth=0 is the top-level object, key 'a' is depth 1, ..., key 'f' is depth 6
+    // Our MAX_DEPTH=5 guard returns null at depth > 5, so the string at depth 6 is skipped
+    expect(match).toBeNull();
+  });
+
+  it('only scans the first 100 KB of a long string', () => {
+    // Secret is beyond the 100 KB limit — should not be found
+    const padding = 'x'.repeat(100_001);
+    const match = scanArgs({ content: padding + FAKE_AWS_KEY });
+    expect(match).toBeNull();
+  });
+
+  it('finds a secret within the first 100 KB', () => {
+    const padding = 'x'.repeat(50_000);
+    const match = scanArgs({ content: `${padding} ${FAKE_AWS_KEY} ` });
+    expect(match).not.toBeNull();
+  });
+});
+
+// ── All patterns export ───────────────────────────────────────────────────────
+
+describe('DLP_PATTERNS export', () => {
+  it('exports at least 7 built-in patterns', () => {
+    expect(DLP_PATTERNS.length).toBeGreaterThanOrEqual(7);
+  });
+
+  it('all patterns have name, regex, and severity', () => {
+    for (const p of DLP_PATTERNS) {
+      expect(p.name).toBeTruthy();
+      expect(p.regex).toBeInstanceOf(RegExp);
+      expect(['block', 'review']).toContain(p.severity);
+    }
+  });
+});

src/__tests__/setup.test.ts

@@ -185,31 +185,15 @@ describe('setupGemini', () => {
 // ── setupCursor ───────────────────────────────────────────────────────────────
 
 describe('setupCursor', () => {
-  const hooksPath = '/mock/home/.cursor/hooks.json';
   const mcpPath = '/mock/home/.cursor/mcp.json';
 
-  it('adds both hooks immediately on a fresh install — no prompt', async () => {
+  it('does not write hooks.json — Cursor does not support native hooks', async () => {
     const confirm = await getConfirm();
     await setupCursor();
 
     expect(confirm).not.toHaveBeenCalled();
-    const written = writtenTo(hooksPath);
-    expect(written.version).toBe(1);
-    expect(written.hooks.preToolUse[0].command).toBe('node9 check');
-    expect(written.hooks.postToolUse[0].command).toBe('node9 log');
-  });
-
-  it('does not add hooks that already exist', async () => {
-    withExistingFile(hooksPath, {
-      version: 1,
-      hooks: {
-        preToolUse: [{ command: 'node9', args: ['check'] }],
-        postToolUse: [{ command: 'node9', args: ['log'] }],
-      },
-    });
-
-    await setupCursor();
-    expect(writtenTo(hooksPath)).toBeNull();
+    // hooks.json must never be written
+    expect(writtenTo('/mock/home/.cursor/hooks.json')).toBeNull();
   });
 
   it('prompts before wrapping existing MCP servers', async () => {
@@ -247,19 +231,4 @@ describe('setupCursor', () => {
     await setupCursor();
     expect(writtenTo(mcpPath)).toBeNull();
   });
-
-  it('preserves existing hooks from other tools when adding node9', async () => {
-    withExistingFile(hooksPath, {
-      version: 1,
-      hooks: { preToolUse: [{ command: 'some-other-tool' }] },
-    });
-
-    await setupCursor();
-
-    const written = writtenTo(hooksPath);
-    // node9 should be appended, not replace the existing hook
-    expect(written.hooks.preToolUse).toHaveLength(2);
-    expect(written.hooks.preToolUse[0].command).toBe('some-other-tool');
-    expect(written.hooks.preToolUse[1].command).toBe('node9 check');
-  });
 });

src/cli.ts

@@ -83,6 +83,20 @@ INSTRUCTIONS:
 
   const label = blockedByLabel.toLowerCase();
 
+  if (
+    label.includes('dlp') ||
+    label.includes('secret detected') ||
+    label.includes('credential review')
+  ) {
+    return `NODE9 SECURITY ALERT: A sensitive credential (API key, token, or private key) was found in your tool call arguments.
+CRITICAL INSTRUCTION: Do NOT retry this action.
+REQUIRED ACTIONS:
+1. Remove the hardcoded credential from your command or code.
+2. Use an environment variable or a dedicated secrets manager instead.
+3. Treat the leaked credential as compromised and rotate it immediately.
+Do NOT attempt to bypass this check or pass the credential through another tool.`;
+  }
+
   if (label.includes('sql safety') && label.includes('delete without where')) {
     return `NODE9: Blocked — DELETE without WHERE clause would wipe the entire table.
 INSTRUCTION: Add a WHERE clause to scope the deletion (e.g. WHERE id = <value>).
@@ -1025,7 +1039,16 @@ program
             blockedByContext.toLowerCase().includes('decision');
 
           // 3. Print to the human terminal for visibility
-          console.error(chalk.red(`\n🛑 Node9 blocked "${toolName}"`));
+          if (
+            blockedByContext.includes('DLP') ||
+            blockedByContext.includes('Secret Detected') ||
+            blockedByContext.includes('Credential Review')
+          ) {
+            console.error(chalk.bgRed.white.bold(`\n 🚨 NODE9 DLP ALERT — CREDENTIAL DETECTED `));
+            console.error(chalk.red.bold(`   A sensitive secret was found in the tool arguments!`));
+          } else {
+            console.error(chalk.red(`\n🛑 Node9 blocked "${toolName}"`));
+          }
           console.error(chalk.gray(`   Triggered by: ${blockedByContext}`));
           if (result?.changeHint) console.error(chalk.cyan(`   To change:  ${result.changeHint}`));
           console.error('');

src/config-schema.ts

@@ -89,6 +89,12 @@ export const ConfigFileSchema = z
             ignorePaths: z.array(z.string()).optional(),
           })
           .optional(),
+        dlp: z
+          .object({
+            enabled: z.boolean().optional(),
+            scanIgnoredTools: z.boolean().optional(),
+          })
+          .optional(),
       })
       .optional(),
     environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional(),