@node9/proxy 1.0.14 → 1.0.16

package/README.md

@@ -40,6 +40,36 @@ Node9 initiates a **Concurrent Race** across all enabled channels. The first cha
 - **Cloud (Slack):** Remote asynchronous approval for team governance.
 - **Terminal:** Classic `[Y/n]` prompt for manual proxy usage and SSH sessions.
 
+### 🛰️ Flight Recorder — See Everything, Instantly
+
+Node9 records every tool call your AI agent makes in real-time — no polling, no log files, no refresh. Two ways to watch:
+
+**Browser Dashboard** (`node9 daemon start` → `localhost:7391`)
+
+A live 3-column dashboard. The left column streams every tool call as it happens, updating in-place from `● PENDING` to `✓ ALLOW` or `✗ BLOCK`. The center handles pending approvals. The right sidebar controls shields and persistent decisions — all without ever causing a browser scrollbar.
+
+**Terminal** (`node9 tail`)
+
+A split-pane friendly stream for terminal-first developers and SSH sessions:
+
+```bash
+node9 tail                # live events only
+node9 tail --history      # replay recent history then go live
+node9 tail | grep DLP     # filter to DLP blocks only
+```
+
+```
+🛰️  Node9 tail  → localhost:7391
+Showing live events. Press Ctrl+C to exit.
+
+21:06:58 📖 Read            {"file_path":"src/core.ts"}            ✓ ALLOW
+21:06:59 🔍 Grep            {"pattern":"authorizeHeadless"}        ✓ ALLOW
+21:07:01 💻 Bash            {"command":"npm run build"}            ✓ ALLOW
+21:07:04 💻 Bash            {"command":"curl … Bearer sk-ant-…"}   ✗ BLOCK 🛡️ DLP
+```
+
+`node9 tail` auto-starts the daemon if it isn't running — no setup step needed.
+
 ### 🧠 AI Negotiation Loop
 
 Node9 doesn't just "cut the wire." When a command is blocked, it injects a **Structured Negotiation Prompt** back into the AI's context window. This teaches the AI why it was stopped and instructs it to pivot to a safer alternative.
@@ -99,12 +129,51 @@ Node9 has two layers of protection. You get Layer 1 automatically. Layer 2 is on
 
 Built into the binary. Zero configuration required. Protects the tools every developer uses.
 
-| What it protects | Example blocked action                                  |
-| :--------------- | :------------------------------------------------------ |
-| **Git**          | `git push --force`, `git reset --hard`, `git clean -fd` |
-| **Shell**        | `curl ... \| bash`, `sudo` commands                     |
-| **SQL**          | `DELETE` / `UPDATE` without a `WHERE` clause            |
-| **Filesystem**   | `rm -rf` targeting home directory                       |
+| What it protects  | Example blocked action                                  |
+| :---------------- | :------------------------------------------------------ |
+| **Git**           | `git push --force`, `git reset --hard`, `git clean -fd` |
+| **Shell**         | `curl ... \| bash`, `sudo` commands                     |
+| **SQL**           | `DELETE` / `UPDATE` without a `WHERE` clause            |
+| **Filesystem**    | `rm -rf` targeting home directory                       |
+| **Secrets (DLP)** | AWS keys, GitHub tokens, Stripe keys, PEM private keys  |
+
+### 🔍 DLP — Content Scanner (Always On)
+
+Node9 scans **every tool call argument** for secrets before the command reaches your agent. If a credential is detected, Node9 hard-blocks the action, redacts the secret in the audit log, and injects a negotiation prompt telling the AI what went wrong.
+
+**Built-in patterns:**
+
+| Pattern           | Severity | Prefix format               |
+| :---------------- | :------- | :-------------------------- |
+| AWS Access Key ID | `block`  | `AKIA` + 16 chars           |
+| GitHub Token      | `block`  | `ghp_`, `gho_`, `ghs_`      |
+| Slack Bot Token   | `block`  | `xoxb-`                     |
+| OpenAI API Key    | `block`  | `sk-` + 20+ chars           |
+| Stripe Secret Key | `block`  | `sk_live_` / `sk_test_`     |
+| PEM Private Key   | `block`  | `-----BEGIN PRIVATE KEY---` |
+| Bearer Token      | `review` | `Authorization: Bearer ...` |
+
+`block` = hard deny, no approval prompt. `review` = routed through the normal race engine for human approval.
+
+Secrets are **never logged in full** — the audit trail stores only a redacted sample (`AKIA****MPLE`).
+
+**Config knobs** (in `node9.config.json` or `~/.node9/config.json`):
+
+```json
+{
+  "policy": {
+    "dlp": {
+      "enabled": true,
+      "scanIgnoredTools": true
+    }
+  }
+}
+```
+
+| Key                    | Default | Description                                                        |
+| :--------------------- | :------ | :----------------------------------------------------------------- |
+| `dlp.enabled`          | `true`  | Master switch — disable to turn off all DLP scanning               |
+| `dlp.scanIgnoredTools` | `true`  | Also scan tools in `ignoredTools` (e.g. `web_search`, `read_file`) |
 
 ### Layer 2 — Shields (Opt-in, Per Service)
 
@@ -215,29 +284,35 @@ Use `node9 explain <tool> <args>` to dry-run any tool call and see exactly which
 
 ```json
 {
+  "version": "1.0",
   "settings": {
-    "mode": "standard",
+    "mode": "audit",
     "enableUndo": true,
+    "flightRecorder": true,
     "approvalTimeoutMs": 30000,
     "approvers": {
       "native": true,
       "browser": true,
-      "cloud": true,
+      "cloud": false,
       "terminal": true
     }
   }
 }
 ```
 
-| Key                  | Default      | Description                                                  |
-| :------------------- | :----------- | :----------------------------------------------------------- |
-| `mode`               | `"standard"` | `standard` \| `strict` \| `audit`                            |
-| `enableUndo`         | `true`       | Take git snapshots before every AI file edit                 |
-| `approvalTimeoutMs`  | `0`          | Auto-deny after N ms if no human responds (0 = wait forever) |
-| `approvers.native`   | `true`       | OS-native popup                                              |
-| `approvers.browser`  | `true`       | Browser dashboard (`node9 daemon`)                           |
-| `approvers.cloud`    | `true`       | Slack / SaaS approval                                        |
-| `approvers.terminal` | `true`       | `[Y/n]` prompt in terminal                                   |
+| Key                  | Default   | Description                                                                     |
+| :------------------- | :-------- | :------------------------------------------------------------------------------ |
+| `mode`               | `"audit"` | `audit` (log-only) \| `standard` (approve/block) \| `strict` (deny by default)  |
+| `enableUndo`         | `true`    | Take git snapshots before every AI file edit                                    |
+| `flightRecorder`     | `true`    | Record tool call activity to the flight recorder ring buffer for the browser UI |
+| `approvalTimeoutMs`  | `30000`   | Auto-deny after N ms if no human responds (`0` = wait forever)                  |
+| `approvers.native`   | `true`    | OS-native popup                                                                 |
+| `approvers.browser`  | `true`    | Browser dashboard (`node9 daemon`)                                              |
+| `approvers.cloud`    | `false`   | Slack / SaaS approval — requires `node9 login`; opt-in only                     |
+| `approvers.terminal` | `true`    | `[Y/n]` prompt in terminal                                                      |
+
+> **Tip — choosing a mode:**
+> Start with the default `audit` to observe what your agent does without blocking anything. Once you understand its behaviour, switch to `standard` (blocks dangerous commands with human approval) or `strict` (denies anything not explicitly allowed) in your `~/.node9/config.json` or project `node9.config.json`.
 
 ---
 
@@ -251,6 +326,7 @@ Use `node9 explain <tool> <args>` to dry-run any tool call and see exactly which
 | `node9 status`                | Show current protection status and active rules                                       |
 | `node9 doctor`                | Health check — verifies binaries, config, credentials, and all agent hooks            |
 | `node9 shield <cmd>`          | Manage shields (`enable`, `disable`, `list`, `status`)                                |
+| `node9 tail [--history]`      | Stream live agent activity to the terminal (auto-starts daemon if needed)             |
 | `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt)        |
 | `node9 undo [--steps N]`      | Revert the last N AI file edits using shadow Git snapshots                            |
 | `node9 check`                 | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
@@ -299,7 +375,7 @@ Verdict: BLOCK  (dangerous word: rm -rf)
 ## 🔧 Troubleshooting
 
 **`node9 check` exits immediately / Claude is never blocked**
-Node9 fails open by design to prevent breaking your agent. Check debug logs: `NODE9_DEBUG=1 claude`.
+Node9 fails open by design to prevent breaking your agent. Check debug logs: `NODE9_DEBUG=1 claude`. Also verify you are in `standard` or `strict` mode — the default `audit` mode approves everything and only logs.
 
 **Terminal prompt never appears during Claude/Gemini sessions**
 Interactive agents run hooks in a "Headless" subprocess. You **must** enable `native: true` or `browser: true` in your config to see approval prompts.
@@ -307,6 +383,9 @@ Interactive agents run hooks in a "Headless" subprocess. You **must** enable `na
 **"Blocked by Organization (SaaS)"**
 A corporate policy has locked this action. You must click the "Approve" button in your company's Slack channel to proceed.
 
+**`node9 tail --history` says "Daemon failed to start" even though the daemon is running**
+This can happen when the daemon's PID file (`~/.node9/daemon.pid`) is missing — for example after a crash or a botched restart left a daemon running without a PID file. Node9 now detects this automatically: it performs an HTTP health probe and a live port check before deciding the daemon is gone. If you hit this on an older version, run `node9 daemon stop` then `node9 daemon -b` to create a clean PID file.
+
 ---
 
 ## 🗺️ Roadmap
@@ -318,7 +397,8 @@ A corporate policy has locked this action. You must click the "Approve" button i
 - [x] **Shadow Git Snapshots** (1-click Undo for AI hallucinations)
 - [x] **Identity-Aware Execution** (Differentiates between Human vs. AI risk levels)
 - [x] **Shield Templates** (`node9 shield enable <service>` — one-click protection for Postgres, GitHub, AWS)
-- [ ] **Content Scanner / DLP** (Detect and block secrets like AWS keys and Bearer tokens in-flight)
+- [x] **Content Scanner / DLP** (Detect and block secrets like AWS keys and Bearer tokens in-flight)
+- [x] **Flight Recorder** (Real-time activity stream in browser dashboard and `node9 tail` terminal view)
 - [ ] **Universal MCP Gateway** (Standalone security tunnel for LangChain, CrewAI, and any agent without native hooks)
 - [ ] **Cursor & Windsurf Hook** (Native hook support for AI-first IDEs)
 - [ ] **VS Code Extension** (Approval requests in a native sidebar — no more OS popups)