@node9/proxy 1.0.18 → 1.1.0

package/dist/index.mjs

@@ -1,13 +1,14 @@
 // src/core.ts
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
-import fs2 from "fs";
-import path4 from "path";
+import fs3 from "fs";
+import path5 from "path";
 import os2 from "os";
 import net from "net";
 import { randomUUID } from "crypto";
 import { spawnSync } from "child_process";
 import pm from "picomatch";
+import safeRegex from "safe-regex2";
 import { parse } from "sh-syntax";
 
 // src/ui/native.ts
@@ -429,8 +430,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path5 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path5}: ${issue.message}`;
+    const path6 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path6}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -643,6 +644,8 @@ function readActiveShields() {
 }
 
 // src/dlp.ts
+import fs2 from "fs";
+import path4 from "path";
 var DLP_PATTERNS = [
   { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/, severity: "block" },
   { name: "GitHub Token", regex: /\bgh[pous]_[A-Za-z0-9]{36}\b/, severity: "block" },
@@ -654,8 +657,76 @@ var DLP_PATTERNS = [
     regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
     severity: "block"
   },
+  // GCP service account JSON (detects the type field that uniquely identifies it)
+  {
+    name: "GCP Service Account",
+    regex: /"type"\s*:\s*"service_account"/,
+    severity: "block"
+  },
+  // NPM auth token in .npmrc format
+  {
+    name: "NPM Auth Token",
+    regex: /_authToken\s*=\s*[A-Za-z0-9_\-]{20,}/,
+    severity: "block"
+  },
   { name: "Bearer Token", regex: /Bearer\s+[a-zA-Z0-9\-._~+/]+=*/i, severity: "review" }
 ];
+var SENSITIVE_PATH_PATTERNS = [
+  /[/\\]\.ssh[/\\]/i,
+  /[/\\]\.aws[/\\]/i,
+  /[/\\]\.config[/\\]gcloud[/\\]/i,
+  /[/\\]\.azure[/\\]/i,
+  /[/\\]\.kube[/\\]config$/i,
+  /[/\\]\.env($|\.)/i,
+  // .env, .env.local, .env.production — not .envoy
+  /[/\\]\.git-credentials$/i,
+  /[/\\]\.npmrc$/i,
+  /[/\\]\.docker[/\\]config\.json$/i,
+  /[/\\][^/\\]+\.pem$/i,
+  /[/\\][^/\\]+\.key$/i,
+  /[/\\][^/\\]+\.p12$/i,
+  /[/\\][^/\\]+\.pfx$/i,
+  /^\/etc\/passwd$/,
+  /^\/etc\/shadow$/,
+  /^\/etc\/sudoers$/,
+  /[/\\]credentials\.json$/i,
+  /[/\\]id_rsa$/i,
+  /[/\\]id_ed25519$/i,
+  /[/\\]id_ecdsa$/i
+];
+function scanFilePath(filePath, cwd = process.cwd()) {
+  if (!filePath) return null;
+  let resolved;
+  try {
+    const absolute = path4.resolve(cwd, filePath);
+    resolved = fs2.realpathSync.native(absolute);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT" || code === "ENOTDIR") {
+      resolved = path4.resolve(cwd, filePath);
+    } else {
+      return {
+        patternName: "Sensitive File Path",
+        fieldPath: "file_path",
+        redactedSample: filePath,
+        severity: "block"
+      };
+    }
+  }
+  const normalised = resolved.replace(/\\/g, "/");
+  for (const pattern of SENSITIVE_PATH_PATTERNS) {
+    if (pattern.test(normalised)) {
+      return {
+        patternName: "Sensitive File Path",
+        fieldPath: "file_path",
+        redactedSample: filePath,
+        // show original path in alert, not resolved
+        severity: "block"
+      };
+    }
+  }
+  return null;
+}
 function maskSecret(raw, pattern) {
   const match = raw.match(pattern);
   if (!match) return "****";
@@ -713,17 +784,17 @@ function scanArgs(args, depth = 0, fieldPath = "args") {
 }
 
 // src/core.ts
-var PAUSED_FILE = path4.join(os2.homedir(), ".node9", "PAUSED");
-var TRUST_FILE = path4.join(os2.homedir(), ".node9", "trust.json");
-var LOCAL_AUDIT_LOG = path4.join(os2.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = path4.join(os2.homedir(), ".node9", "hook-debug.log");
+var PAUSED_FILE = path5.join(os2.homedir(), ".node9", "PAUSED");
+var TRUST_FILE = path5.join(os2.homedir(), ".node9", "trust.json");
+var LOCAL_AUDIT_LOG = path5.join(os2.homedir(), ".node9", "audit.log");
+var HOOK_DEBUG_LOG = path5.join(os2.homedir(), ".node9", "hook-debug.log");
 function checkPause() {
   try {
-    if (!fs2.existsSync(PAUSED_FILE)) return { paused: false };
-    const state = JSON.parse(fs2.readFileSync(PAUSED_FILE, "utf-8"));
+    if (!fs3.existsSync(PAUSED_FILE)) return { paused: false };
+    const state = JSON.parse(fs3.readFileSync(PAUSED_FILE, "utf-8"));
     if (state.expiry > 0 && Date.now() >= state.expiry) {
       try {
-        fs2.unlinkSync(PAUSED_FILE);
+        fs3.unlinkSync(PAUSED_FILE);
       } catch {
       }
       return { paused: false };
@@ -734,20 +805,93 @@ function checkPause() {
   }
 }
 function atomicWriteSync(filePath, data, options) {
-  const dir = path4.dirname(filePath);
-  if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
+  const dir = path5.dirname(filePath);
+  if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
   const tmpPath = `${filePath}.${os2.hostname()}.${process.pid}.tmp`;
-  fs2.writeFileSync(tmpPath, data, options);
-  fs2.renameSync(tmpPath, filePath);
+  fs3.writeFileSync(tmpPath, data, options);
+  fs3.renameSync(tmpPath, filePath);
+}
+var MAX_REGEX_LENGTH = 100;
+var REGEX_CACHE_MAX = 500;
+var regexCache = /* @__PURE__ */ new Map();
+function validateRegex(pattern) {
+  if (!pattern) return "Pattern is required";
+  if (pattern.length > MAX_REGEX_LENGTH) return `Pattern exceeds max length of ${MAX_REGEX_LENGTH}`;
+  let parens = 0, brackets = 0, isEscaped = false, inCharClass = false;
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    if (isEscaped) {
+      isEscaped = false;
+      continue;
+    }
+    if (char === "\\") {
+      isEscaped = true;
+      continue;
+    }
+    if (char === "[" && !inCharClass) {
+      inCharClass = true;
+      brackets++;
+      continue;
+    }
+    if (char === "]" && inCharClass) {
+      inCharClass = false;
+      brackets--;
+      continue;
+    }
+    if (inCharClass) continue;
+    if (char === "(") parens++;
+    else if (char === ")") parens--;
+  }
+  if (parens !== 0) return "Unbalanced parentheses";
+  if (brackets !== 0) return "Unbalanced brackets";
+  if (/\\\d+[*+{]/.test(pattern)) return "Quantified backreferences are forbidden (ReDoS risk)";
+  if (!safeRegex(pattern)) return "Pattern rejected: potential ReDoS vulnerability detected";
+  try {
+    new RegExp(pattern);
+  } catch (e) {
+    return `Invalid regex syntax: ${e.message}`;
+  }
+  return null;
+}
+function getCompiledRegex(pattern, flags = "") {
+  if (flags && !/^[gimsuy]+$/.test(flags)) {
+    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Invalid regex flags: "${flags}"`);
+    return null;
+  }
+  const key = `${pattern}\0${flags}`;
+  if (regexCache.has(key)) {
+    const cached = regexCache.get(key);
+    regexCache.delete(key);
+    regexCache.set(key, cached);
+    return cached;
+  }
+  const err = validateRegex(pattern);
+  if (err) {
+    if (process.env.NODE9_DEBUG === "1")
+      console.error(`[Node9] Regex blocked: ${err} \u2014 pattern: "${pattern}"`);
+    return null;
+  }
+  try {
+    const re = new RegExp(pattern, flags);
+    if (regexCache.size >= REGEX_CACHE_MAX) {
+      const oldest = regexCache.keys().next().value;
+      if (oldest) regexCache.delete(oldest);
+    }
+    regexCache.set(key, re);
+    return re;
+  } catch (e) {
+    if (process.env.NODE9_DEBUG === "1") console.error(`[Node9] Regex compile failed:`, e);
+    return null;
+  }
 }
 function getActiveTrustSession(toolName) {
   try {
-    if (!fs2.existsSync(TRUST_FILE)) return false;
-    const trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
+    if (!fs3.existsSync(TRUST_FILE)) return false;
+    const trust = JSON.parse(fs3.readFileSync(TRUST_FILE, "utf-8"));
     const now = Date.now();
     const active = trust.entries.filter((e) => e.expiry > now);
     if (active.length !== trust.entries.length) {
-      fs2.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
+      fs3.writeFileSync(TRUST_FILE, JSON.stringify({ entries: active }, null, 2));
     }
     return active.some((e) => e.tool === toolName || matchesPattern(toolName, e.tool));
   } catch {
@@ -758,8 +902,8 @@ function writeTrustSession(toolName, durationMs) {
   try {
     let trust = { entries: [] };
     try {
-      if (fs2.existsSync(TRUST_FILE)) {
-        trust = JSON.parse(fs2.readFileSync(TRUST_FILE, "utf-8"));
+      if (fs3.existsSync(TRUST_FILE)) {
+        trust = JSON.parse(fs3.readFileSync(TRUST_FILE, "utf-8"));
       }
     } catch {
     }
@@ -775,9 +919,9 @@ function writeTrustSession(toolName, durationMs) {
 }
 function appendToLog(logPath, entry) {
   try {
-    const dir = path4.dirname(logPath);
-    if (!fs2.existsSync(dir)) fs2.mkdirSync(dir, { recursive: true });
-    fs2.appendFileSync(logPath, JSON.stringify(entry) + "\n");
+    const dir = path5.dirname(logPath);
+    if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+    fs3.appendFileSync(logPath, JSON.stringify(entry) + "\n");
   } catch {
   }
 }
@@ -819,9 +963,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path5) {
+function getNestedValue(obj, path6) {
   if (!obj || typeof obj !== "object") return null;
-  return path5.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path6.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -840,19 +984,16 @@ function evaluateSmartConditions(args, rule) {
         return val !== null && cond.value ? !val.includes(cond.value) : true;
       case "matches": {
         if (val === null || !cond.value) return false;
-        try {
-          return new RegExp(cond.value, cond.flags ?? "").test(val);
-        } catch {
-          return false;
-        }
+        const reM = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reM) return false;
+        return reM.test(val);
       }
       case "notMatches": {
-        if (val === null || !cond.value) return true;
-        try {
-          return !new RegExp(cond.value, cond.flags ?? "").test(val);
-        } catch {
-          return true;
-        }
+        if (!cond.value) return false;
+        if (val === null) return true;
+        const reN = getCompiledRegex(cond.value, cond.flags ?? "");
+        if (!reN) return false;
+        return !reN.test(val);
       }
       case "matchesGlob":
         return val !== null && cond.value ? pm.isMatch(val, cond.value) : false;
@@ -1079,7 +1220,7 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "git push.*(--force|--force-with-lease|-f\\b)",
+            value: "^\\s*git\\b.*\\bpush\\b.*(--force|--force-with-lease|-f\\b)",
             flags: "i"
           }
         ],
@@ -1090,7 +1231,14 @@ var DEFAULT_CONFIG = {
       {
         name: "review-git-push",
         tool: "bash",
-        conditions: [{ field: "command", op: "matches", value: "^\\s*git\\s+push\\b", flags: "i" }],
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "^\\s*git\\b.*\\bpush\\b(?!.*(-f\\b|--force|--force-with-lease))",
+            flags: "i"
+          }
+        ],
         conditionMode: "all",
         verdict: "review",
         reason: "git push sends changes to a shared remote"
@@ -1102,7 +1250,7 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "git\\s+(reset\\s+--hard|clean\\s+-[fdxX]|rebase|tag\\s+-d|branch\\s+-[dD])",
+            value: "^\\s*git\\b.*(reset\\s+--hard|clean\\s+-[fdxX]|\\brebase\\b|tag\\s+-d|branch\\s+-[dD])",
             flags: "i"
           }
         ],
@@ -1167,9 +1315,9 @@ var ADVISORY_SMART_RULES = [
 var cachedConfig = null;
 function getInternalToken() {
   try {
-    const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
-    if (!fs2.existsSync(pidFile)) return null;
-    const data = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
+    const pidFile = path5.join(os2.homedir(), ".node9", "daemon.pid");
+    if (!fs3.existsSync(pidFile)) return null;
+    const data = JSON.parse(fs3.readFileSync(pidFile, "utf-8"));
     process.kill(data.pid, 0);
     return data.internalToken ?? null;
   } catch {
@@ -1289,10 +1437,10 @@ function isIgnoredTool(toolName) {
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function isDaemonRunning() {
-  const pidFile = path4.join(os2.homedir(), ".node9", "daemon.pid");
-  if (fs2.existsSync(pidFile)) {
+  const pidFile = path5.join(os2.homedir(), ".node9", "daemon.pid");
+  if (fs3.existsSync(pidFile)) {
     try {
-      const { pid, port } = JSON.parse(fs2.readFileSync(pidFile, "utf-8"));
+      const { pid, port } = JSON.parse(fs3.readFileSync(pidFile, "utf-8"));
       if (port !== DAEMON_PORT) return false;
       process.kill(pid, 0);
       return true;
@@ -1312,9 +1460,9 @@ function isDaemonRunning() {
 }
 function getPersistentDecision(toolName) {
   try {
-    const file = path4.join(os2.homedir(), ".node9", "decisions.json");
-    if (!fs2.existsSync(file)) return null;
-    const decisions = JSON.parse(fs2.readFileSync(file, "utf-8"));
+    const file = path5.join(os2.homedir(), ".node9", "decisions.json");
+    if (!fs3.existsSync(file)) return null;
+    const decisions = JSON.parse(fs3.readFileSync(file, "utf-8"));
     const d = decisions[toolName];
     if (d === "allow" || d === "deny") return d;
   } catch {
@@ -1396,7 +1544,7 @@ async function resolveViaDaemon(id, decision, internalToken) {
     signal: AbortSignal.timeout(3e3)
   });
 }
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path4.join(os2.tmpdir(), "node9-activity.sock");
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path5.join(os2.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
   return new Promise((resolve) => {
     try {
@@ -1458,7 +1606,9 @@ async function _authorizeHeadlessCore(toolName, args, allowTerminalFallback = fa
   let policyMatchedWord;
   let riskMetadata;
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
-    const dlpMatch = scanArgs(args);
+    const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+    const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
+    const dlpMatch = (filePath ? scanFilePath(filePath) : null) ?? scanArgs(args);
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
@@ -1832,8 +1982,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
 }
 function getConfig() {
   if (cachedConfig) return cachedConfig;
-  const globalPath = path4.join(os2.homedir(), ".node9", "config.json");
-  const projectPath = path4.join(process.cwd(), "node9.config.json");
+  const globalPath = path5.join(os2.homedir(), ".node9", "config.json");
+  const projectPath = path5.join(process.cwd(), "node9.config.json");
   const globalConfig = tryLoadConfig(globalPath);
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
@@ -1928,10 +2078,10 @@ function getConfig() {
   return cachedConfig;
 }
 function tryLoadConfig(filePath) {
-  if (!fs2.existsSync(filePath)) return null;
+  if (!fs3.existsSync(filePath)) return null;
   let raw;
   try {
-    raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+    raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(
@@ -1993,9 +2143,9 @@ function getCredentials() {
     };
   }
   try {
-    const credPath = path4.join(os2.homedir(), ".node9", "credentials.json");
-    if (fs2.existsSync(credPath)) {
-      const creds = JSON.parse(fs2.readFileSync(credPath, "utf-8"));
+    const credPath = path5.join(os2.homedir(), ".node9", "credentials.json");
+    if (fs3.existsSync(credPath)) {
+      const creds = JSON.parse(fs3.readFileSync(credPath, "utf-8"));
       const profileName = process.env.NODE9_PROFILE || "default";
       const profile = creds[profileName];
       if (profile?.apiKey) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.0.18",
+  "version": "1.1.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -71,6 +71,7 @@
     "commander": "^14.0.3",
     "execa": "^9.6.1",
     "picomatch": "^4.0.3",
+    "safe-regex2": "^5.1.0",
     "sh-syntax": "^0.5.8",
     "zod": "^3.25.76"
   },