@node9/proxy 1.0.1 → 1.0.2

package/dist/index.js

@@ -115,21 +115,47 @@ function sendDesktopNotification(title, body) {
   } catch {
   }
 }
+function escapePango(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
+  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  lines.push("");
+  lines.push(formattedArgs);
+  if (!locked) {
+    lines.push("");
+    lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
+  }
+  return lines.join("\n");
+}
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) {
+    lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
+    lines.push("");
+  }
+  lines.push(
+    `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
+  );
+  lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  lines.push("");
+  lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (!locked) {
+    lines.push("");
+    lines.push(
+      '<small>\u21B5 Enter = <b>Allow \u21B5</b>   |   \u238B Esc = <b>Block \u238B</b>   |   "Always Allow" = never ask again</small>'
+    );
+  }
+  return lines.join("\n");
+}
 async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal) {
   if (isTestEnv()) return "deny";
   const formattedArgs = formatArgs(args);
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 Action Approval`;
-  let message = "";
-  if (locked) message += `\u26A0\uFE0F LOCKED BY ADMIN POLICY
-`;
-  message += `Tool:  ${toolName}
-`;
-  message += `Agent: ${agent || "AI Agent"}
-`;
-  message += `Rule:  ${explainableLabel || "Security Policy"}
-
-`;
-  message += `${formattedArgs}`;
+  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
   process.stderr.write(import_chalk.default.yellow(`
 \u{1F6E1}\uFE0F  Node9: Intercepted "${toolName}" \u2014 awaiting user...
 `));
@@ -150,7 +176,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
     }
     try {
       if (process.platform === "darwin") {
-        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block", "Always Allow", "Allow"} default button "Allow" cancel button "Block"`;
+        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block \u238B", "Always Allow", "Allow \u21B5"} default button "Allow \u21B5" cancel button "Block \u238B"`;
         const script = `on run argv
 tell application "System Events"
 activate
@@ -159,21 +185,28 @@ end tell
 end run`;
         childProcess = (0, import_child_process.spawn)("osascript", ["-e", script, "--", message, title]);
       } else if (process.platform === "linux") {
+        const pangoMessage = buildPangoMessage(
+          toolName,
+          formattedArgs,
+          agent,
+          explainableLabel,
+          locked
+        );
         const argsList = [
           locked ? "--info" : "--question",
           "--modal",
-          "--width=450",
+          "--width=480",
           "--title",
           title,
           "--text",
-          message,
+          pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow",
+          locked ? "Waiting..." : "Allow  \u21B5",
           "--timeout",
           "300"
         ];
         if (!locked) {
-          argsList.push("--cancel-label", "Block");
+          argsList.push("--cancel-label", "Block  \u238B");
           argsList.push("--extra-button", "Always Allow");
         }
         childProcess = (0, import_child_process.spawn)("zenity", argsList);
@@ -201,6 +234,8 @@ end run`;
 // src/core.ts
 var PAUSED_FILE = import_path.default.join(import_os.default.homedir(), ".node9", "PAUSED");
 var TRUST_FILE = import_path.default.join(import_os.default.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!import_fs.default.existsSync(PAUSED_FILE)) return { paused: false };
@@ -257,36 +292,39 @@ function writeTrustSession(toolName, durationMs) {
     }
   }
 }
-function appendAuditModeEntry(toolName, args) {
+function appendToLog(logPath, entry) {
   try {
-    const entry = JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      tool: toolName,
-      args,
-      decision: "would-have-blocked",
-      source: "audit-mode"
-    });
-    const logPath = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     const dir = import_path.default.dirname(logPath);
     if (!import_fs.default.existsSync(dir)) import_fs.default.mkdirSync(dir, { recursive: true });
-    import_fs.default.appendFileSync(logPath, entry + "\n");
+    import_fs.default.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
-var DANGEROUS_WORDS = [
-  "delete",
-  "drop",
-  "remove",
-  "terminate",
-  "refund",
-  "write",
-  "update",
-  "destroy",
-  "rm",
-  "rmdir",
-  "purge",
-  "format"
-];
+function appendHookDebug(toolName, args, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(HOOK_DEBUG_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: import_os.default.hostname(),
+    cwd: process.cwd()
+  });
+}
+function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    decision,
+    checkedBy,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: import_os.default.hostname()
+  });
+}
 function tokenize(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
@@ -380,16 +418,41 @@ async function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
+function redactSecrets(text) {
+  if (!text) return text;
+  let redacted = text;
+  redacted = redacted.replace(
+    /(authorization:\s*(?:bearer|basic)\s+)[a-zA-Z0-9._\-\/\\=]+/gi,
+    "$1********"
+  );
+  redacted = redacted.replace(
+    /(api[_-]?key|secret|password|token)([:=]\s*['"]?)[a-zA-Z0-9._\-]{8,}/gi,
+    "$1$2********"
+  );
+  return redacted;
+}
+var DANGEROUS_WORDS = [
+  "drop",
+  "truncate",
+  "purge",
+  "format",
+  "destroy",
+  "terminate",
+  "revoke",
+  "docker",
+  "psql"
+];
 var DEFAULT_CONFIG = {
   settings: {
     mode: "standard",
     autoStartDaemon: true,
-    enableUndo: false,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
-    sandboxPaths: [],
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
     dangerousWords: DANGEROUS_WORDS,
     ignoredTools: [
       "list_*",
@@ -397,12 +460,44 @@ var DEFAULT_CONFIG = {
       "read_*",
       "describe_*",
       "read",
+      "glob",
       "grep",
       "ls",
-      "askuserquestion"
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
     ],
-    toolInspection: { bash: "command", shell: "command" },
-    rules: [{ action: "rm", allowPaths: ["**/node_modules/**", "dist/**", ".DS_Store"] }]
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    rules: [
+      {
+        action: "rm",
+        allowPaths: [
+          "**/node_modules/**",
+          "dist/**",
+          "build/**",
+          ".next/**",
+          "coverage/**",
+          ".cache/**",
+          "tmp/**",
+          "temp/**",
+          ".DS_Store"
+        ]
+      }
+    ]
   },
   environments: {}
 };
@@ -440,20 +535,15 @@ async function evaluatePolicy(toolName, args, agent) {
   }
   const isManual = agent === "Terminal";
   if (isManual) {
-    const NUCLEAR_COMMANDS = [
-      "drop",
-      "destroy",
-      "purge",
-      "rmdir",
-      "format",
-      "truncate",
-      "alter",
-      "grant",
-      "revoke",
-      "docker"
-    ];
-    const hasNuclear = allTokens.some((t) => NUCLEAR_COMMANDS.includes(t.toLowerCase()));
-    if (!hasNuclear) return { decision: "allow" };
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+    }
+    return { decision: "allow" };
   }
   if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
@@ -467,27 +557,39 @@ async function evaluatePolicy(toolName, args, agent) {
       if (pathTokens.length > 0) {
         const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
         if (anyBlocked)
-          return { decision: "review", blockedByLabel: "Project/Global Config (Rule Block)" };
+          return {
+            decision: "review",
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+          };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
-      return { decision: "review", blockedByLabel: "Project/Global Config (Rule Default Block)" };
+      return {
+        decision: "review",
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+      };
     }
   }
+  let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
       const w = word.toLowerCase();
-      if (token === w) return true;
-      try {
-        return new RegExp(`\\b${w}\\b`, "i").test(token);
-      } catch {
-        return false;
-      }
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
     })
   );
   if (isDangerous) {
-    const label = isManual ? "Manual Nuclear Protection" : "Project/Global Config (Dangerous Word)";
-    return { decision: "review", blockedByLabel: label };
+    return {
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`
+    };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
@@ -602,13 +704,16 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     approvers.browser = false;
     approvers.terminal = false;
   }
+  if (config.settings.enableHookLogDebug && !isTestEnv2) {
+    appendHookDebug(toolName, args, meta);
+  }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
-        appendAuditModeEntry(toolName, args);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -620,20 +725,24 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -643,6 +752,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     }
   } else {
     if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
   let cloudRequestId = null;
@@ -867,6 +977,15 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
   if (cloudRequestId && creds && finalResult.checkedBy !== "cloud") {
     await resolveNode9SaaS(cloudRequestId, creds, finalResult.approved);
   }
+  if (!isManual) {
+    appendLocalAudit(
+      toolName,
+      args,
+      finalResult.approved ? "allow" : "deny",
+      finalResult.checkedBy || finalResult.blockedBy || "unknown",
+      meta
+    );
+  }
   return finalResult;
 }
 function getConfig() {
@@ -897,8 +1016,8 @@ function getConfig() {
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);