@node9/proxy 1.0.1 → 1.0.3

package/dist/cli.mjs

@@ -84,21 +84,47 @@ function sendDesktopNotification(title, body) {
   } catch {
   }
 }
+function escapePango(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
+  lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
+  lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  lines.push("");
+  lines.push(formattedArgs);
+  if (!locked) {
+    lines.push("");
+    lines.push('\u21B5 Enter = Allow \u21B5   |   \u238B Esc = Block \u238B   |   "Always Allow" = never ask again');
+  }
+  return lines.join("\n");
+}
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked) {
+  const lines = [];
+  if (locked) {
+    lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
+    lines.push("");
+  }
+  lines.push(
+    `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
+  );
+  lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  lines.push("");
+  lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
+  if (!locked) {
+    lines.push("");
+    lines.push(
+      '<small>\u21B5 Enter = <b>Allow \u21B5</b>   |   \u238B Esc = <b>Block \u238B</b>   |   "Always Allow" = never ask again</small>'
+    );
+  }
+  return lines.join("\n");
+}
 async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal) {
   if (isTestEnv()) return "deny";
   const formattedArgs = formatArgs(args);
   const title = locked ? `\u26A1 Node9 \u2014 Locked` : `\u{1F6E1}\uFE0F Node9 \u2014 Action Approval`;
-  let message = "";
-  if (locked) message += `\u26A0\uFE0F LOCKED BY ADMIN POLICY
-`;
-  message += `Tool:  ${toolName}
-`;
-  message += `Agent: ${agent || "AI Agent"}
-`;
-  message += `Rule:  ${explainableLabel || "Security Policy"}
-
-`;
-  message += `${formattedArgs}`;
+  const message = buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked);
   process.stderr.write(chalk.yellow(`
 \u{1F6E1}\uFE0F  Node9: Intercepted "${toolName}" \u2014 awaiting user...
 `));
@@ -119,7 +145,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
     }
     try {
       if (process.platform === "darwin") {
-        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block", "Always Allow", "Allow"} default button "Allow" cancel button "Block"`;
+        const buttons = locked ? `buttons {"Waiting\u2026"} default button "Waiting\u2026"` : `buttons {"Block \u238B", "Always Allow", "Allow \u21B5"} default button "Allow \u21B5" cancel button "Block \u238B"`;
         const script = `on run argv
 tell application "System Events"
 activate
@@ -128,21 +154,28 @@ end tell
 end run`;
         childProcess = spawn("osascript", ["-e", script, "--", message, title]);
       } else if (process.platform === "linux") {
+        const pangoMessage = buildPangoMessage(
+          toolName,
+          formattedArgs,
+          agent,
+          explainableLabel,
+          locked
+        );
         const argsList = [
           locked ? "--info" : "--question",
           "--modal",
-          "--width=450",
+          "--width=480",
           "--title",
           title,
           "--text",
-          message,
+          pangoMessage,
           "--ok-label",
-          locked ? "Waiting..." : "Allow",
+          locked ? "Waiting..." : "Allow  \u21B5",
           "--timeout",
           "300"
         ];
         if (!locked) {
-          argsList.push("--cancel-label", "Block");
+          argsList.push("--cancel-label", "Block  \u238B");
           argsList.push("--extra-button", "Always Allow");
         }
         childProcess = spawn("zenity", argsList);
@@ -170,6 +203,8 @@ end run`;
 // src/core.ts
 var PAUSED_FILE = path.join(os.homedir(), ".node9", "PAUSED");
 var TRUST_FILE = path.join(os.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
     if (!fs.existsSync(PAUSED_FILE)) return { paused: false };
@@ -236,36 +271,39 @@ function writeTrustSession(toolName, durationMs) {
     }
   }
 }
-function appendAuditModeEntry(toolName, args) {
+function appendToLog(logPath, entry) {
   try {
-    const entry = JSON.stringify({
-      ts: (/* @__PURE__ */ new Date()).toISOString(),
-      tool: toolName,
-      args,
-      decision: "would-have-blocked",
-      source: "audit-mode"
-    });
-    const logPath = path.join(os.homedir(), ".node9", "audit.log");
     const dir = path.dirname(logPath);
     if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.appendFileSync(logPath, entry + "\n");
+    fs.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
-var DANGEROUS_WORDS = [
-  "delete",
-  "drop",
-  "remove",
-  "terminate",
-  "refund",
-  "write",
-  "update",
-  "destroy",
-  "rm",
-  "rmdir",
-  "purge",
-  "format"
-];
+function appendHookDebug(toolName, args, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(HOOK_DEBUG_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: os.hostname(),
+    cwd: process.cwd()
+  });
+}
+function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
+  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    tool: toolName,
+    args: safeArgs,
+    decision,
+    checkedBy,
+    agent: meta?.agent,
+    mcpServer: meta?.mcpServer,
+    hostname: os.hostname()
+  });
+}
 function tokenize(toolName) {
   return toolName.toLowerCase().split(/[_.\-\s]+/).filter(Boolean);
 }
@@ -372,16 +410,28 @@ function redactSecrets(text) {
   );
   return redacted;
 }
+var DANGEROUS_WORDS = [
+  "drop",
+  "truncate",
+  "purge",
+  "format",
+  "destroy",
+  "terminate",
+  "revoke",
+  "docker",
+  "psql"
+];
 var DEFAULT_CONFIG = {
   settings: {
     mode: "standard",
     autoStartDaemon: true,
-    enableUndo: false,
+    enableUndo: true,
+    // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
     enableHookLogDebug: false,
     approvers: { native: true, browser: true, cloud: true, terminal: true }
   },
   policy: {
-    sandboxPaths: [],
+    sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
     dangerousWords: DANGEROUS_WORDS,
     ignoredTools: [
       "list_*",
@@ -389,12 +439,44 @@ var DEFAULT_CONFIG = {
       "read_*",
       "describe_*",
       "read",
+      "glob",
       "grep",
       "ls",
-      "askuserquestion"
+      "notebookread",
+      "notebookedit",
+      "webfetch",
+      "websearch",
+      "exitplanmode",
+      "askuserquestion",
+      "agent",
+      "task*",
+      "toolsearch",
+      "mcp__ide__*",
+      "getDiagnostics"
     ],
-    toolInspection: { bash: "command", shell: "command" },
-    rules: [{ action: "rm", allowPaths: ["**/node_modules/**", "dist/**", ".DS_Store"] }]
+    toolInspection: {
+      bash: "command",
+      shell: "command",
+      run_shell_command: "command",
+      "terminal.execute": "command",
+      "postgres:query": "sql"
+    },
+    rules: [
+      {
+        action: "rm",
+        allowPaths: [
+          "**/node_modules/**",
+          "dist/**",
+          "build/**",
+          ".next/**",
+          "coverage/**",
+          ".cache/**",
+          "tmp/**",
+          "temp/**",
+          ".DS_Store"
+        ]
+      }
+    ]
   },
   environments: {}
 };
@@ -459,20 +541,15 @@ async function evaluatePolicy(toolName, args, agent) {
   }
   const isManual = agent === "Terminal";
   if (isManual) {
-    const NUCLEAR_COMMANDS = [
-      "drop",
-      "destroy",
-      "purge",
-      "rmdir",
-      "format",
-      "truncate",
-      "alter",
-      "grant",
-      "revoke",
-      "docker"
-    ];
-    const hasNuclear = allTokens.some((t) => NUCLEAR_COMMANDS.includes(t.toLowerCase()));
-    if (!hasNuclear) return { decision: "allow" };
+    const SYSTEM_DISASTER_COMMANDS = ["mkfs", "shred", "dd", "drop", "truncate", "purge"];
+    const hasSystemDisaster = allTokens.some(
+      (t) => SYSTEM_DISASTER_COMMANDS.includes(t.toLowerCase())
+    );
+    const isRootWipe = allTokens.includes("rm") && (allTokens.includes("/") || allTokens.includes("/*"));
+    if (hasSystemDisaster || isRootWipe) {
+      return { decision: "review", blockedByLabel: "Manual Nuclear Protection" };
+    }
+    return { decision: "allow" };
   }
   if (pathTokens.length > 0 && config.policy.sandboxPaths.length > 0) {
     const allInSandbox = pathTokens.every((p) => matchesPattern(p, config.policy.sandboxPaths));
@@ -486,27 +563,39 @@ async function evaluatePolicy(toolName, args, agent) {
       if (pathTokens.length > 0) {
         const anyBlocked = pathTokens.some((p) => matchesPattern(p, rule.blockPaths || []));
         if (anyBlocked)
-          return { decision: "review", blockedByLabel: "Project/Global Config (Rule Block)" };
+          return {
+            decision: "review",
+            blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (path blocked)`
+          };
         const allAllowed = pathTokens.every((p) => matchesPattern(p, rule.allowPaths || []));
         if (allAllowed) return { decision: "allow" };
       }
-      return { decision: "review", blockedByLabel: "Project/Global Config (Rule Default Block)" };
+      return {
+        decision: "review",
+        blockedByLabel: `Project/Global Config \u2014 rule "${rule.action}" (default block)`
+      };
     }
   }
+  let matchedDangerousWord;
   const isDangerous = allTokens.some(
     (token) => config.policy.dangerousWords.some((word) => {
       const w = word.toLowerCase();
-      if (token === w) return true;
-      try {
-        return new RegExp(`\\b${w}\\b`, "i").test(token);
-      } catch {
-        return false;
-      }
+      const hit = token === w || (() => {
+        try {
+          return new RegExp(`\\b${w}\\b`, "i").test(token);
+        } catch {
+          return false;
+        }
+      })();
+      if (hit && !matchedDangerousWord) matchedDangerousWord = word;
+      return hit;
     })
   );
   if (isDangerous) {
-    const label = isManual ? "Manual Nuclear Protection" : "Project/Global Config (Dangerous Word)";
-    return { decision: "review", blockedByLabel: label };
+    return {
+      decision: "review",
+      blockedByLabel: `Project/Global Config \u2014 dangerous word: "${matchedDangerousWord}"`
+    };
   }
   if (config.settings.mode === "strict") {
     const envConfig = getActiveEnvironment(config);
@@ -621,13 +710,16 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     approvers.browser = false;
     approvers.terminal = false;
   }
+  if (config.settings.enableHookLogDebug && !isTestEnv2) {
+    appendHookDebug(toolName, args, meta);
+  }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
       if (policyResult.decision === "review") {
-        appendAuditModeEntry(toolName, args);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
         sendDesktopNotification(
           "Node9 Audit Mode",
           `Would have blocked "${toolName}" (${policyResult.blockedByLabel || "Local Config"}) \u2014 running in audit mode`
@@ -639,20 +731,24 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   if (!isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "trust", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "local-policy", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
       return { approved: true, checkedBy: "local-policy" };
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     const persistent = getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (creds?.apiKey) auditLocalAllow(toolName, args, "persistent", creds, meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
+      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -662,6 +758,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
     }
   } else {
     if (creds?.apiKey) auditLocalAllow(toolName, args, "ignoredTools", creds, meta);
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
     return { approved: true };
   }
   let cloudRequestId = null;
@@ -669,8 +766,7 @@ async function authorizeHeadless(toolName, args, allowTerminalFallback = false,
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
     try {
-      const envConfig = getActiveEnvironment(getConfig());
-      const initResult = await initNode9SaaS(toolName, args, creds, envConfig?.slackChannel, meta);
+      const initResult = await initNode9SaaS(toolName, args, creds, meta);
       if (!initResult.pending) {
         return {
           approved: !!initResult.approved,
@@ -886,6 +982,15 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
   if (cloudRequestId && creds && finalResult.checkedBy !== "cloud") {
     await resolveNode9SaaS(cloudRequestId, creds, finalResult.approved);
   }
+  if (!isManual) {
+    appendLocalAudit(
+      toolName,
+      args,
+      finalResult.approved ? "allow" : "deny",
+      finalResult.checkedBy || finalResult.blockedBy || "unknown",
+      meta
+    );
+  }
   return finalResult;
 }
 function getConfig() {
@@ -915,9 +1020,10 @@ function getConfig() {
     if (s.enableHookLogDebug !== void 0)
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.environment !== void 0) mergedSettings.environment = s.environment;
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
-    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
+    if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
     if (p.rules) mergedPolicy.rules.push(...p.rules);
@@ -944,7 +1050,7 @@ function tryLoadConfig(filePath) {
   }
 }
 function getActiveEnvironment(config) {
-  const env = process.env.NODE_ENV || "development";
+  const env = config.settings.environment || process.env.NODE_ENV || "development";
   return config.environments[env] ?? null;
 }
 function getCredentials() {
@@ -1000,7 +1106,7 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, slackChannel, meta) {
+async function initNode9SaaS(toolName, args, creds, meta) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   try {
@@ -1010,7 +1116,6 @@ async function initNode9SaaS(toolName, args, creds, slackChannel, meta) {
       body: JSON.stringify({
         toolName,
         args,
-        slackChannel,
         context: {
           agent: meta?.agent,
           mcpServer: meta?.mcpServer,
@@ -3054,75 +3159,30 @@ program.command("addto").description("Integrate Node9 with an AI agent").addHelp
   console.error(chalk5.red(`Unknown target: "${target}". Supported: claude, gemini, cursor`));
   process.exit(1);
 });
-program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").action((options) => {
+program.command("init").description("Create ~/.node9/config.json with default policy (safe to run multiple times)").option("--force", "Overwrite existing config").option("-m, --mode <mode>", "Set initial security mode (standard, strict, audit)", "standard").action((options) => {
   const configPath = path5.join(os5.homedir(), ".node9", "config.json");
   if (fs5.existsSync(configPath) && !options.force) {
     console.log(chalk5.yellow(`\u2139\uFE0F  Global config already exists: ${configPath}`));
     console.log(chalk5.gray(`   Run with --force to overwrite.`));
     return;
   }
-  const defaultConfig = {
-    version: "1.0",
+  const requestedMode = options.mode.toLowerCase();
+  const safeMode = ["standard", "strict", "audit"].includes(requestedMode) ? requestedMode : DEFAULT_CONFIG.settings.mode;
+  const configToSave = {
+    ...DEFAULT_CONFIG,
     settings: {
-      mode: "standard",
-      autoStartDaemon: true,
-      enableUndo: true,
-      enableHookLogDebug: false,
-      approvers: { native: true, browser: true, cloud: true, terminal: true }
-    },
-    policy: {
-      sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
-      dangerousWords: DANGEROUS_WORDS,
-      ignoredTools: [
-        "list_*",
-        "get_*",
-        "read_*",
-        "describe_*",
-        "read",
-        "write",
-        "edit",
-        "glob",
-        "grep",
-        "ls",
-        "notebookread",
-        "notebookedit",
-        "webfetch",
-        "websearch",
-        "exitplanmode",
-        "askuserquestion",
-        "agent",
-        "task*"
-      ],
-      toolInspection: {
-        bash: "command",
-        shell: "command",
-        run_shell_command: "command",
-        "terminal.execute": "command",
-        "postgres:query": "sql"
-      },
-      rules: [
-        {
-          action: "rm",
-          allowPaths: [
-            "**/node_modules/**",
-            "dist/**",
-            "build/**",
-            ".next/**",
-            "coverage/**",
-            ".cache/**",
-            "tmp/**",
-            "temp/**",
-            ".DS_Store"
-          ]
-        }
-      ]
+      ...DEFAULT_CONFIG.settings,
+      mode: safeMode
     }
   };
-  if (!fs5.existsSync(path5.dirname(configPath)))
-    fs5.mkdirSync(path5.dirname(configPath), { recursive: true });
-  fs5.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2));
+  const dir = path5.dirname(configPath);
+  if (!fs5.existsSync(dir)) fs5.mkdirSync(dir, { recursive: true });
+  fs5.writeFileSync(configPath, JSON.stringify(configToSave, null, 2));
   console.log(chalk5.green(`\u2705 Global config created: ${configPath}`));
-  console.log(chalk5.gray(`   Edit this file to add custom tool inspection or security rules.`));
+  console.log(chalk5.cyan(`   Mode set to: ${safeMode}`));
+  console.log(
+    chalk5.gray(`   Undo Engine is ENABLED by default. Use 'node9 undo' to revert AI changes.`)
+  );
 });
 program.command("status").description("Show current Node9 mode, policy source, and persistent decisions").action(() => {
   const creds = getCredentials();
@@ -3269,23 +3329,24 @@ RAW: ${raw}
         let aiFeedbackMessage = "";
         if (isHumanDecision) {
           aiFeedbackMessage = `NODE9 SECURITY INTERVENTION: The human user specifically REJECTED this action.
-        REASON: ${msg || "No specific reason provided by user."}
+REASON: ${msg || "No specific reason provided by user."}
 
-        INSTRUCTIONS FOR AI AGENT:
-        - Do NOT retry this exact command immediately.
-        - Explain to the user that you understand they blocked the action.
-        - Ask the user if there is an alternative approach they would prefer, or if they intended to block this action entirely.
-        - If you believe this action is critical, explain your reasoning to the user and ask them to run 'node9 pause 15m' to allow you to proceed.`;
+INSTRUCTIONS FOR AI AGENT:
+- Do NOT retry this exact command immediately.
+- Explain to the user that you understand they blocked the action.
+- Ask the user if there is an alternative approach they would prefer, or if they intended to block this action entirely.
+- If you believe this action is critical, explain your reasoning to the user and ask them to run 'node9 pause 15m' to allow you to proceed.`;
         } else {
           aiFeedbackMessage = `NODE9 SECURITY INTERVENTION: Action blocked by automated policy [${blockedByContext}].
-        REASON: ${msg}
+REASON: ${msg}
 
-        INSTRUCTIONS FOR AI AGENT:
-        - This command violates the current security configuration.
-        - Do NOT attempt to bypass this rule with bash syntax tricks; it will be blocked again.
-        - Pivot to a non-destructive or read-only alternative.
-        - Inform the user which security rule was triggered.`;
+INSTRUCTIONS FOR AI AGENT:
+- This command violates the current security configuration.
+- Do NOT attempt to bypass this rule with bash syntax tricks; it will be blocked again.
+- Pivot to a non-destructive or read-only alternative.
+- Inform the user which security rule was triggered.`;
         }
+        console.error(chalk5.dim(`   (Detailed instructions sent to AI agent)`));
         process.stdout.write(
           JSON.stringify({
             decision: "block",
@@ -3480,7 +3541,9 @@ program.argument("[command...]", "The agent command to run (e.g., gemini)").acti
       process.exit(1);
     }
     const fullCommand = commandArgs.join(" ");
-    let result = await authorizeHeadless("shell", { command: fullCommand });
+    let result = await authorizeHeadless("shell", { command: fullCommand }, true, {
+      agent: "Terminal"
+    });
     if (result.noApprovalMechanism && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON && getConfig().settings.autoStartDaemon) {
       console.error(chalk5.cyan("\n\u{1F6E1}\uFE0F  Node9: Starting approval daemon automatically..."));
       const daemonReady = await autoStartDaemonAndWait();