@node9/proxy 1.13.0 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +37 -31
- package/dist/cli.js +1754 -1264
- package/dist/cli.mjs +1737 -1248
- package/dist/index.js +26 -2
- package/dist/index.mjs +26 -2
- package/dist/shields/builtin/project-jail.json +64 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -18,7 +18,8 @@ Node9 sits between your AI agent and your system. Every shell command, file writ
|
|
|
18
18
|
|
|
19
19
|
- 🛑 **Block** dangerous actions (`git push --force`, `rm -rf /`, `curl|bash`, `DROP TABLE`, ...) before they run
|
|
20
20
|
- 👁 **Review** anything worth a human glance — OS-native popup, Slack, or browser approval
|
|
21
|
-
- 🔑 **Catch credential leaks** in tool arguments
|
|
21
|
+
- 🔑 **Catch credential leaks** in tool arguments, file contents Claude reads back, and shell config files
|
|
22
|
+
- 🔭 **Map your blast radius** — see exactly what SSH keys, AWS credentials, and `.env` files an AI agent can reach right now
|
|
22
23
|
- 🔁 **Stop agent loops** that burn tokens and money
|
|
23
24
|
- 🔌 **Gate MCP tools** and detect rug-pull attacks on server definitions
|
|
24
25
|
- 📊 **Dashboard + scan report** in your browser — see what your agents actually did
|
|
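Review bot: the two rewritten bullets in this hunk narrow the subject from "an AI agent" to "Claude" without saying so; the credential-leak bullet now reads "file contents Claude reads back, and shell config files" while the blast-radius bullet directly below it and the hunk header ("Node9 sits between your AI agent and your system") speak of agents generically. If read-back scanning is Claude-only (the later "Response DLP" bullet in this README says "Gemini / Codex coverage coming"), state that scope here too, e.g. "file contents the agent reads back (Claude Code today)"; otherwise use the generic term so readers of Gemini/Codex setups do not assume coverage they do not have.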
@@ -43,7 +44,7 @@ Reads your existing Claude / Gemini / Codex session history, runs the full Node9
|
|
|
43
44
|
|
|
44
45
|
🛑 Would have blocked 3 operations stopped before execution
|
|
45
46
|
👁 Would have flagged 162 sent to you for approval
|
|
46
|
-
🔑 Credential leak 3 secret detected in
|
|
47
|
+
🔑 Credential leak 3 secret detected in history or shell config
|
|
47
48
|
🔁 Loop detected 117 repeated tool call patterns found
|
|
48
49
|
|
|
49
50
|
──────────────────────────────────────────────────────────────────────
|
|
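Review bot: the new summary line "🔑 Credential leak 3 secret detected in history or shell config" merges two finding sources whose remediation differs (history findings are cleaned with `node9 mask`, shell-config findings live in `~/.zshrc` / `~/.bashrc` and have to be removed from the file and rotated), so a reader cannot act on the count without knowing which source it came from. Either report the two counts separately, e.g. "3 in history, 0 in shell config", or name the command that lists the individual findings next to the count.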
@@ -89,18 +90,19 @@ That's it — future agent sessions are protected.
|
|
|
89
90
|
|
|
90
91
|
Each shield is a curated rule set for a service or domain. Enable only what you need.
|
|
91
92
|
|
|
92
|
-
| Shield | What it catches
|
|
93
|
-
| ----------------- |
|
|
94
|
-
| `
|
|
95
|
-
| `
|
|
96
|
-
| `
|
|
97
|
-
| `
|
|
98
|
-
| `
|
|
99
|
-
| `
|
|
100
|
-
| `
|
|
101
|
-
| `
|
|
102
|
-
| `
|
|
103
|
-
| `
|
|
93
|
+
| Shield | What it catches | Enable |
|
|
94
|
+
| ----------------- | ------------------------------------------------------------------------------ | ------------------------------------- |
|
|
95
|
+
| `project-jail` | Blocks reads of `~/.ssh`, `~/.aws`, `.env`, credentials via Bash and Read tool | `node9 shield enable project-jail` |
|
|
96
|
+
| `bash-safe` | `curl \| bash`, `rm -rf /`, disk overwrite, `eval` of remote | `node9 shield enable bash-safe` |
|
|
97
|
+
| `postgres` | `DROP TABLE`, `TRUNCATE`, `DROP COLUMN`, `DELETE` without `WHERE` | `node9 shield enable postgres` |
|
|
98
|
+
| `mongodb` | `dropDatabase`, `drop()`, `deleteMany({})`, index drops | `node9 shield enable mongodb` |
|
|
99
|
+
| `redis` | `FLUSHALL`, `FLUSHDB`, `CONFIG SET` on a live server | `node9 shield enable redis` |
|
|
100
|
+
| `aws` | S3 delete, EC2 terminate, IAM changes, RDS destroy | `node9 shield enable aws` |
|
|
101
|
+
| `k8s` | namespace delete, `helm uninstall`, cluster role wipes | `node9 shield enable k8s` |
|
|
102
|
+
| `docker` | `system prune`, `volume prune`, `rm -f` containers | `node9 shield enable docker` |
|
|
103
|
+
| `github` | `gh repo delete`, remote branch deletion, settings changes | `node9 shield enable github` |
|
|
104
|
+
| `filesystem` | `chmod 777`, writes under `/etc/`, `/boot/`, `/usr/` | `node9 shield enable filesystem` |
|
|
105
|
+
| `mcp-tool-gating` | unapproved MCP tools silently activating new capabilities | `node9 shield enable mcp-tool-gating` |
|
|
104
106
|
|
|
105
107
|
```bash
|
|
106
108
|
node9 shield list # show all shields + status
|
|
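Review bot: the new `project-jail` row says it "Blocks reads of `~/.ssh`, `~/.aws`, `.env`, credentials via Bash and Read tool", and the last item, "credentials", is ambiguous: it is unclear whether it means `~/.aws/credentials` (already implied by `~/.aws`), any file named `credentials`, or the DLP patterns. Since this release ships the rule set as `package/dist/shields/builtin/project-jail.json`, point the row at that file as the authoritative list and spell out the path coverage, and state explicitly that the protection applies only to the Bash and Read tools so users know which access paths are outside the shield.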
@@ -113,7 +115,7 @@ node9 shield list # show all shields + status
|
|
|
113
115
|
- **Git** — blocks `git push --force`, `git reset --hard`, `git clean -fd`
|
|
114
116
|
- **SQL** — blocks `DELETE` / `UPDATE` without `WHERE`, `DROP TABLE`, `TRUNCATE`
|
|
115
117
|
- **Shell** — blocks `curl | bash`, unauthorized `sudo`
|
|
116
|
-
- **DLP** — blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument
|
|
118
|
+
- **DLP** — blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument, file Claude reads, or shell config (`~/.zshrc`, `~/.bashrc`)
|
|
117
119
|
- **Response DLP** — background scanner reads Claude's conversation history and alerts you if Claude _wrote_ a secret in its response text (not just executed one). Gemini / Codex coverage coming.
|
|
118
120
|
- **Auto-undo** — git snapshot before every AI file edit → `node9 undo` to revert
|
|
119
121
|
- **Skills pinning** — SHA-256 verification of installed Claude skills / plugins between sessions
|
|
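Review bot: the rewritten DLP bullet uses "blocks" for all three sources ("any tool argument, file Claude reads, or shell config"), but the scan summary in this same README reports shell-config secrets as "detected" and the signals table tells the user to "rotate the key and run `node9 mask`" after a `tool-result` finding, which describes after-the-fact detection rather than a pre-execution block. The bullet should say which sources are blocked before the tool runs and which are only flagged, e.g. "blocks ... in tool arguments; flags them in files Claude reads back and in `~/.zshrc` / `~/.bashrc`", so the user does not assume a secret never reached the model when it was merely reported.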
@@ -171,13 +173,15 @@ When an MCP server returns a 500KB+ response, it sits in the context window for
|
|
|
171
173
|
|
|
172
174
|
Every tool call is recorded — command, arguments, decision, cost. See what your agent did, five ways:
|
|
173
175
|
|
|
174
|
-
| Command | What it shows
|
|
175
|
-
| ---------------- |
|
|
176
|
-
| `node9
|
|
177
|
-
| `node9
|
|
178
|
-
| `node9
|
|
179
|
-
| `node9
|
|
180
|
-
| `node9
|
|
176
|
+
| Command | What it shows | When to use |
|
|
177
|
+
| ---------------- | --------------------------------------------------------- | ----------------------------------------- |
|
|
178
|
+
| `node9 blast` | What an AI agent can reach right now — files, creds, env | First thing to run on any machine |
|
|
179
|
+
| `node9 scan` | Retrospective audit of existing agent history | Before installing, or to review past risk |
|
|
180
|
+
| `node9 mask` | Redact plaintext secrets from local session history files | After a DLP finding — cleans local disk |
|
|
181
|
+
| `node9 tail` | Live stream of every tool call | Watching an agent work in real time |
|
|
182
|
+
| `node9 report` | Per-period summary: allowed/blocked/DLP/cost + top tools | Reviewing what happened after a session |
|
|
183
|
+
| `node9 sessions` | Session history with prompt, tool trace, cost, snapshot | Reviewing a handoff or past work |
|
|
184
|
+
| `node9 dlp` | Credential-leak findings in Claude response text | Any time a DLP desktop alert fires |
|
|
181
185
|
|
|
182
186
|
Plus a **live HUD** in your Claude Code statusline:
|
|
183
187
|
|
|
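Review bot: the unchanged context line above the table still says "See what your agent did, five ways:" while the rewritten table now has seven rows (`blast`, `scan`, `mask`, `tail`, `report`, `sessions`, `dlp`); update the count or drop the number. Separately, the `node9 mask` row ("Redact plaintext secrets from local session history files ... cleans local disk") should say whether the originals are backed up and should keep the pairing with rotation that the signals table uses, since masking a local copy does not revoke a secret that has already been read into a session.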
@@ -195,15 +199,17 @@ And a **browser dashboard** that auto-opens after `node9 scan` — History Audit
|
|
|
195
199
|
|
|
196
200
|
Node9 surfaces the signal. Here are the patterns worth knowing:
|
|
197
201
|
|
|
198
|
-
| Signal | Likely meaning
|
|
199
|
-
| ----------------------------------------------------------- |
|
|
200
|
-
| `Would have blocked` ≥ 5 in a week | Agent is attempting destructive ops; shields need review
|
|
201
|
-
| Single `review-git-push` rule accounts for >50% of findings | Your own rule is firing as intended — not a risk, just supervision
|
|
202
|
-
| DLP finding in `user-prompt` tool | You pasted a secret into your own prompt — rotate the key
|
|
203
|
-
| Agent Loop ×50+ on same file | Agent stuck in edit/test/fix cycle — check context or slow down
|
|
204
|
-
| MCP tool pin mismatch | Server changed its tools — review before re-trusting
|
|
205
|
-
| Large MCP response warning | That server is inflating your context window for every subsequent turn
|
|
206
|
-
| `Response DLP` alert | Claude wrote a secret in its response text — not blocked, rotate immediately
|
|
202
|
+
| Signal | Likely meaning |
|
|
203
|
+
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
|
|
204
|
+
| `Would have blocked` ≥ 5 in a week | Agent is attempting destructive ops; shields need review |
|
|
205
|
+
| Single `review-git-push` rule accounts for >50% of findings | Your own rule is firing as intended — not a risk, just supervision |
|
|
206
|
+
| DLP finding in `user-prompt` tool | You pasted a secret into your own prompt — rotate the key |
|
|
207
|
+
| Agent Loop ×50+ on same file | Agent stuck in edit/test/fix cycle — check context or slow down |
|
|
208
|
+
| MCP tool pin mismatch | Server changed its tools — review before re-trusting |
|
|
209
|
+
| Large MCP response warning | That server is inflating your context window for every subsequent turn |
|
|
210
|
+
| `Response DLP` alert | Claude wrote a secret in its response text — not blocked, rotate immediately |
|
|
211
|
+
| DLP finding in `tool-result` | Claude read a file containing a secret (`.env`, credentials) — rotate the key and run `node9 mask` |
|
|
212
|
+
| DLP finding in `[Shell]` | Plaintext secret in `~/.zshrc` or `~/.bashrc` — every AI session can see it |
|
|
207
213
|
|
|
208
214
|
These are starting points, not verdicts. One-off signals are normal; persistent patterns are what you act on.
|
|
209
215
|
|
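Review bot: the new `DLP finding in [Shell]` row is the only row in the table that gives no remediation; its neighbours say "rotate the key", "run `node9 mask`", or "review before re-trusting", while this one stops at "every AI session can see it". Add the action, e.g. "move the value out of `~/.zshrc` / `~/.bashrc` into a file the agent cannot read (or a secret manager) and rotate it", so the row is consistent with the sentence that follows the table ("persistent patterns are what you act on").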