@node9/proxy 1.0.14 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +78 -7
- package/dist/cli.js +2037 -1175
- package/dist/cli.mjs +2021 -1157
- package/dist/index.js +60 -3
- package/dist/index.mjs +60 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -40,6 +40,36 @@ Node9 initiates a **Concurrent Race** across all enabled channels. The first cha
|
|
|
40
40
|
- **Cloud (Slack):** Remote asynchronous approval for team governance.
|
|
41
41
|
- **Terminal:** Classic `[Y/n]` prompt for manual proxy usage and SSH sessions.
|
|
42
42
|
|
|
43
|
+
### 🛰️ Flight Recorder — See Everything, Instantly
|
|
44
|
+
|
|
45
|
+
Node9 records every tool call your AI agent makes in real-time — no polling, no log files, no refresh. Two ways to watch:
|
|
46
|
+
|
|
47
|
+
**Browser Dashboard** (`node9 daemon start` → `localhost:7391`)
|
|
48
|
+
|
|
49
|
+
A live 3-column dashboard. The left column streams every tool call as it happens, updating in-place from `● PENDING` to `✓ ALLOW` or `✗ BLOCK`. The center handles pending approvals. The right sidebar controls shields and persistent decisions — all without ever causing a browser scrollbar.
|
|
50
|
+
|
|
51
|
+
**Terminal** (`node9 tail`)
|
|
52
|
+
|
|
53
|
+
A split-pane friendly stream for terminal-first developers and SSH sessions:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
node9 tail # live events only
|
|
57
|
+
node9 tail --history # replay recent history then go live
|
|
58
|
+
node9 tail | grep DLP # filter to DLP blocks only
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
```
|
|
62
|
+
🛰️ Node9 tail → localhost:7391
|
|
63
|
+
Showing live events. Press Ctrl+C to exit.
|
|
64
|
+
|
|
65
|
+
21:06:58 📖 Read {"file_path":"src/core.ts"} ✓ ALLOW
|
|
66
|
+
21:06:59 🔍 Grep {"pattern":"authorizeHeadless"} ✓ ALLOW
|
|
67
|
+
21:07:01 💻 Bash {"command":"npm run build"} ✓ ALLOW
|
|
68
|
+
21:07:04 💻 Bash {"command":"curl … Bearer sk-ant-…"} ✗ BLOCK 🛡️ DLP
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
`node9 tail` auto-starts the daemon if it isn't running — no setup step needed.
|
|
72
|
+
|
|
43
73
|
### 🧠 AI Negotiation Loop
|
|
44
74
|
|
|
45
75
|
Node9 doesn't just "cut the wire." When a command is blocked, it injects a **Structured Negotiation Prompt** back into the AI's context window. This teaches the AI why it was stopped and instructs it to pivot to a safer alternative.
|
|
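Review bot: The Browser Dashboard paragraph documents a daemon on `localhost:7391` whose center column handles pending approvals, but the added text never says that the listener is bound to loopback only or what authenticates a client before it can read the stream or resolve an approval. Add a sentence stating the bind address and the authentication on that port. The intro's "no log files" also sits oddly next to `node9 tail --history`, which replays recent history: say where that history is stored, and whether tool-call arguments in the stream are redacted the way the elided `sk-ant-…` in the sample output suggests.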
@@ -99,12 +129,51 @@ Node9 has two layers of protection. You get Layer 1 automatically. Layer 2 is on
|
|
|
99
129
|
|
|
100
130
|
Built into the binary. Zero configuration required. Protects the tools every developer uses.
|
|
101
131
|
|
|
102
|
-
| What it protects
|
|
103
|
-
|
|
|
104
|
-
| **Git**
|
|
105
|
-
| **Shell**
|
|
106
|
-
| **SQL**
|
|
107
|
-
| **Filesystem**
|
|
132
|
+
| What it protects | Example blocked action |
|
|
133
|
+
| :---------------- | :------------------------------------------------------ |
|
|
134
|
+
| **Git** | `git push --force`, `git reset --hard`, `git clean -fd` |
|
|
135
|
+
| **Shell** | `curl ... \| bash`, `sudo` commands |
|
|
136
|
+
| **SQL** | `DELETE` / `UPDATE` without a `WHERE` clause |
|
|
137
|
+
| **Filesystem** | `rm -rf` targeting home directory |
|
|
138
|
+
| **Secrets (DLP)** | AWS keys, GitHub tokens, Stripe keys, PEM private keys |
|
|
139
|
+
|
|
140
|
+
### 🔍 DLP — Content Scanner (Always On)
|
|
141
|
+
|
|
142
|
+
Node9 scans **every tool call argument** for secrets before the command reaches your agent. If a credential is detected, Node9 hard-blocks the action, redacts the secret in the audit log, and injects a negotiation prompt telling the AI what went wrong.
|
|
143
|
+
|
|
144
|
+
**Built-in patterns:**
|
|
145
|
+
|
|
146
|
+
| Pattern | Severity | Prefix format |
|
|
147
|
+
| :---------------- | :------- | :-------------------------- |
|
|
148
|
+
| AWS Access Key ID | `block` | `AKIA` + 16 chars |
|
|
149
|
+
| GitHub Token | `block` | `ghp_`, `gho_`, `ghs_` |
|
|
150
|
+
| Slack Bot Token | `block` | `xoxb-` |
|
|
151
|
+
| OpenAI API Key | `block` | `sk-` + 20+ chars |
|
|
152
|
+
| Stripe Secret Key | `block` | `sk_live_` / `sk_test_` |
|
|
153
|
+
| PEM Private Key | `block` | `-----BEGIN PRIVATE KEY---` |
|
|
154
|
+
| Bearer Token | `review` | `Authorization: Bearer ...` |
|
|
155
|
+
|
|
156
|
+
`block` = hard deny, no approval prompt. `review` = routed through the normal race engine for human approval.
|
|
157
|
+
|
|
158
|
+
Secrets are **never logged in full** — the audit trail stores only a redacted sample (`AKIA****MPLE`).
|
|
159
|
+
|
|
160
|
+
**Config knobs** (in `node9.config.json` or `~/.node9/config.json`):
|
|
161
|
+
|
|
162
|
+
```json
|
|
163
|
+
{
|
|
164
|
+
"policy": {
|
|
165
|
+
"dlp": {
|
|
166
|
+
"enabled": true,
|
|
167
|
+
"scanIgnoredTools": true
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
}
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
| Key | Default | Description |
|
|
174
|
+
| :--------------------- | :------ | :----------------------------------------------------------------- |
|
|
175
|
+
| `dlp.enabled` | `true` | Master switch — disable to turn off all DLP scanning |
|
|
176
|
+
| `dlp.scanIgnoredTools` | `true` | Also scan tools in `ignoredTools` (e.g. `web_search`, `read_file`) |
|
|
108
177
|
|
|
109
178
|
### Layer 2 — Shields (Opt-in, Per Service)
|
|
110
179
|
|
|
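Review bot: In the built-in patterns table, the PEM row's prefix `-----BEGIN PRIVATE KEY---` ends in three dashes where a PEM header has five, and as written it names only the PKCS#8 header, so the README should say whether `-----BEGIN RSA PRIVATE KEY-----` and the EC and OPENSSH variants are matched too. The GitHub row lists `ghp_`, `gho_` and `ghs_` only; state whether `ghu_`, `ghr_` and `github_pat_` tokens are covered, or add them. The section heading says "Always On" while `dlp.enabled` is documented as a master switch that turns off all DLP scanning, and the key column shows `dlp.enabled` although the JSON nests it under `policy`. Suggest rewording the heading to "on by default" and writing the keys as `policy.dlp.enabled` and `policy.dlp.scanIgnoredTools`.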
@@ -251,6 +320,7 @@ Use `node9 explain <tool> <args>` to dry-run any tool call and see exactly which
|
|
|
251
320
|
| `node9 status` | Show current protection status and active rules |
|
|
252
321
|
| `node9 doctor` | Health check — verifies binaries, config, credentials, and all agent hooks |
|
|
253
322
|
| `node9 shield <cmd>` | Manage shields (`enable`, `disable`, `list`, `status`) |
|
|
323
|
+
| `node9 tail [--history]` | Stream live agent activity to the terminal (auto-starts daemon if needed) |
|
|
254
324
|
| `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt) |
|
|
255
325
|
| `node9 undo [--steps N]` | Revert the last N AI file edits using shadow Git snapshots |
|
|
256
326
|
| `node9 check` | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
|
|
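Review bot: The new `node9 tail [--history]` row gives a viewing command the side effect "auto-starts daemon if needed" without saying what happens to that daemon when `tail` exits. Document whether the daemon keeps running and listening after Ctrl+C and how to stop it, so that running a read-only stream does not leave a listener behind that the user did not expect.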
@@ -318,7 +388,8 @@ A corporate policy has locked this action. You must click the "Approve" button i
|
|
|
318
388
|
- [x] **Shadow Git Snapshots** (1-click Undo for AI hallucinations)
|
|
319
389
|
- [x] **Identity-Aware Execution** (Differentiates between Human vs. AI risk levels)
|
|
320
390
|
- [x] **Shield Templates** (`node9 shield enable <service>` — one-click protection for Postgres, GitHub, AWS)
|
|
321
|
-
- [
|
|
391
|
+
- [x] **Content Scanner / DLP** (Detect and block secrets like AWS keys and Bearer tokens in-flight)
|
|
392
|
+
- [x] **Flight Recorder** (Real-time activity stream in browser dashboard and `node9 tail` terminal view)
|
|
322
393
|
- [ ] **Universal MCP Gateway** (Standalone security tunnel for LangChain, CrewAI, and any agent without native hooks)
|
|
323
394
|
- [ ] **Cursor & Windsurf Hook** (Native hook support for AI-first IDEs)
|
|
324
395
|
- [ ] **VS Code Extension** (Approval requests in a native sidebar — no more OS popups)
|
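Review bot: The added roadmap entry for Content Scanner / DLP says it will "Detect and block secrets like AWS keys and Bearer tokens", but the built-in patterns table added in this same diff gives Bearer Token the severity `review`, which is routed for human approval rather than hard-denied. Reword the entry to something like "detect and block or hold for review" or drop Bearer tokens from the example, so the checklist does not promise a block that the default policy does not perform.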