@node9/proxy 1.10.1 → 1.10.3

package/dist/index.js

@@ -239,7 +239,8 @@ var ConfigFileSchema = import_zod.z.object({
     enableTrustSessions: import_zod.z.boolean().optional(),
     allowGlobalPause: import_zod.z.boolean().optional(),
     auditHashArgs: import_zod.z.boolean().optional(),
-    agentPolicy: import_zod.z.enum(["require_approval", "block_on_rules"]).optional()
+    agentPolicy: import_zod.z.enum(["require_approval", "block_on_rules"]).optional(),
+    cloudSyncIntervalHours: import_zod.z.number().positive().optional()
   }).optional(),
   policy: import_zod.z.object({
     sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -441,7 +442,8 @@ var DEFAULT_CONFIG = {
     // 120-second auto-deny timeout
     flightRecorder: true,
     auditHashArgs: true,
-    approvers: { native: true, browser: true, cloud: false, terminal: true }
+    approvers: { native: true, browser: true, cloud: false, terminal: true },
+    cloudSyncIntervalHours: 5
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -756,6 +758,8 @@ function getConfig(cwd) {
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
     if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.cloudSyncIntervalHours !== void 0)
+      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
     if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
@@ -765,7 +769,12 @@ function getConfig(cwd) {
     if (p.smartRules) {
       const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
       const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
-      mergedPolicy.smartRules = [...defaultBlocks, ...p.smartRules, ...defaultNonBlocks];
+      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
+      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
+      const filteredNonBlocks = defaultNonBlocks.filter(
+        (r) => !r.name || !userRuleNames.has(r.name)
+      );
+      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
     }
     if (p.snapshot) {
       const s2 = p.snapshot;
@@ -799,6 +808,16 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  {
+    const cacheFile = import_path3.default.join(import_os3.default.homedir(), ".node9", "rules-cache.json");
+    try {
+      const raw = JSON.parse(import_fs3.default.readFileSync(cacheFile, "utf-8"));
+      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
+        applyLayer({ policy: { smartRules: raw.rules } });
+      }
+    } catch {
+    }
+  }
   const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
@@ -1990,19 +2009,44 @@ function getInternalToken() {
 function isDaemonRunning() {
   const pidFile = import_path10.default.join(import_os7.default.homedir(), ".node9", "daemon.pid");
   if (import_fs8.default.existsSync(pidFile)) {
+    let pid;
+    let port;
     try {
-      const { pid, port } = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
-      if (port !== DAEMON_PORT) return false;
-      process.kill(pid, 0);
-      return true;
+      const data = JSON.parse(import_fs8.default.readFileSync(pidFile, "utf-8"));
+      pid = data.pid;
+      port = data.port;
     } catch {
       return false;
     }
+    if (port !== DAEMON_PORT) {
+      return false;
+    }
+    const MAX_PID = 4194304;
+    if (typeof pid !== "number" || !Number.isInteger(pid) || pid <= 0 || pid > MAX_PID) {
+      return false;
+    }
+    try {
+      process.kill(pid, 0);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ESRCH") {
+        try {
+          import_fs8.default.unlinkSync(pidFile);
+        } catch {
+        }
+      }
+      return false;
+    }
+    const r = (0, import_child_process.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 300
+    });
+    if (r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`)) return true;
+    return false;
   }
   try {
     const r = (0, import_child_process.spawnSync)("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
       encoding: "utf8",
-      timeout: 500
+      timeout: 300
     });
     return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {

package/dist/index.mjs

@@ -209,7 +209,8 @@ var ConfigFileSchema = z.object({
     enableTrustSessions: z.boolean().optional(),
     allowGlobalPause: z.boolean().optional(),
     auditHashArgs: z.boolean().optional(),
-    agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional()
+    agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional(),
+    cloudSyncIntervalHours: z.number().positive().optional()
   }).optional(),
   policy: z.object({
     sandboxPaths: z.array(z.string()).optional(),
@@ -411,7 +412,8 @@ var DEFAULT_CONFIG = {
     // 120-second auto-deny timeout
     flightRecorder: true,
     auditHashArgs: true,
-    approvers: { native: true, browser: true, cloud: false, terminal: true }
+    approvers: { native: true, browser: true, cloud: false, terminal: true },
+    cloudSyncIntervalHours: 5
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -726,6 +728,8 @@ function getConfig(cwd) {
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
     if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.cloudSyncIntervalHours !== void 0)
+      mergedSettings.cloudSyncIntervalHours = s.cloudSyncIntervalHours;
     if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
@@ -735,7 +739,12 @@ function getConfig(cwd) {
     if (p.smartRules) {
       const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
       const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
-      mergedPolicy.smartRules = [...defaultBlocks, ...p.smartRules, ...defaultNonBlocks];
+      const userRuleNames = new Set(p.smartRules.filter((r) => r.name).map((r) => r.name));
+      const filteredBlocks = defaultBlocks.filter((r) => !r.name || !userRuleNames.has(r.name));
+      const filteredNonBlocks = defaultNonBlocks.filter(
+        (r) => !r.name || !userRuleNames.has(r.name)
+      );
+      mergedPolicy.smartRules = [...filteredBlocks, ...p.smartRules, ...filteredNonBlocks];
     }
     if (p.snapshot) {
       const s2 = p.snapshot;
@@ -769,6 +778,16 @@ function getConfig(cwd) {
   };
   applyLayer(globalConfig);
   applyLayer(projectConfig);
+  {
+    const cacheFile = path3.join(os3.homedir(), ".node9", "rules-cache.json");
+    try {
+      const raw = JSON.parse(fs3.readFileSync(cacheFile, "utf-8"));
+      if (Array.isArray(raw.rules) && raw.rules.length > 0) {
+        applyLayer({ policy: { smartRules: raw.rules } });
+      }
+    } catch {
+    }
+  }
   const shieldOverrides = readShieldOverrides();
   for (const shieldName of readActiveShields()) {
     const shield = getShield(shieldName);
@@ -1960,19 +1979,44 @@ function getInternalToken() {
 function isDaemonRunning() {
   const pidFile = path10.join(os7.homedir(), ".node9", "daemon.pid");
   if (fs8.existsSync(pidFile)) {
+    let pid;
+    let port;
     try {
-      const { pid, port } = JSON.parse(fs8.readFileSync(pidFile, "utf-8"));
-      if (port !== DAEMON_PORT) return false;
-      process.kill(pid, 0);
-      return true;
+      const data = JSON.parse(fs8.readFileSync(pidFile, "utf-8"));
+      pid = data.pid;
+      port = data.port;
     } catch {
       return false;
     }
+    if (port !== DAEMON_PORT) {
+      return false;
+    }
+    const MAX_PID = 4194304;
+    if (typeof pid !== "number" || !Number.isInteger(pid) || pid <= 0 || pid > MAX_PID) {
+      return false;
+    }
+    try {
+      process.kill(pid, 0);
+    } catch (err) {
+      if (err instanceof Error && "code" in err && err.code === "ESRCH") {
+        try {
+          fs8.unlinkSync(pidFile);
+        } catch {
+        }
+      }
+      return false;
+    }
+    const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
+      encoding: "utf8",
+      timeout: 300
+    });
+    if (r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`)) return true;
+    return false;
   }
   try {
     const r = spawnSync("ss", ["-Htnp", `sport = :${DAEMON_PORT}`], {
       encoding: "utf8",
-      timeout: 500
+      timeout: 300
     });
     return r.status === 0 && (r.stdout ?? "").includes(`:${DAEMON_PORT}`);
   } catch {

package/dist/shields/builtin/bash-safe.json

@@ -10,7 +10,7 @@
         {
           "field": "command",
           "op": "matches",
-          "value": "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+          "value": "(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
           "flags": "i"
         }
       ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.10.1",
+  "version": "1.10.3",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",