@node9/proxy 1.10.3 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/README.md +5 -0
  2. package/dist/cli.js +802 -359
  3. package/dist/cli.mjs +800 -357
  4. package/dist/index.js +58 -14
  5. package/dist/index.mjs +58 -14
  6. package/package.json +1 -1
package/README.md CHANGED
@@ -102,6 +102,10 @@ node9 mcp pin reset # clear all pins (re-pin on next connection)
102
102
 
103
103
  This is automatic — no configuration needed. The gateway pins on first `tools/list` and enforces on every subsequent session.
104
104
 
105
+ ### Skills Pinning — installed-plugin drift detection
106
+
107
+ Marketplace plugins at `~/.claude/plugins/marketplaces/` come from registries, not your workspace — `git status` never sees them. Each installed plugin gets its own pin (same model as MCP server pinning): installing a new plugin creates a new pin silently; only changes to an already-pinned plugin trigger drift. Opt-in via `policy.skillPinning.enabled: true`; use `mode: 'block'` for strict enforcement. User-edited files are **not** in default scope. Extend via `policy.skillPinning.roots`.
108
+
105
109
  ---
106
110
 
107
111
  ## Python SDK — govern any Python agent
@@ -125,6 +129,7 @@ configure(agent_name="my-agent", policy="require_approval")
125
129
  - **Shell:** blocks `curl | bash`, `sudo` commands
126
130
  - **DLP:** blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool call argument
127
131
  - **Auto-undo:** git snapshot before every AI file edit → `node9 undo` to revert
132
+ - **Skills Pinning:** SHA-256 verification of agent skill files between sessions; quarantines on drift (AST 02 + AST 07 — supply chain & update drift)
128
133
 
129
134
  ---
130
135