@node9/proxy 1.13.0 → 1.14.0

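--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -126,6 +126,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
  ...testRun,
  agent: meta?.agent,
  mcpServer: meta?.mcpServer,
+ sessionId: meta?.sessionId,
  hostname: import_os.default.hostname()
  });
  }
@@ -1419,6 +1420,15 @@ var DLP_PATTERNS = [
  keywords: ["age-secret-key-"]
  }
  ];
+ var DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
+ (p) => ({
+ pattern: p,
+ globalRegex: new RegExp(
+ p.regex.source,
+ p.regex.flags.includes("g") ? p.regex.flags : p.regex.flags + "g"
+ )
+ })
+ );
  var SENSITIVE_PATH_PATTERNS = [
  /[/\\]\.ssh[/\\]/i,
  /[/\\]\.aws[/\\]/i,
@@ -3577,8 +3587,22 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
  };
  }
  } else if (!taintWarning) {
- if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
- return { approved: true };
+ const toolLower = toolName.toLowerCase();
+ const isFileTool = toolLower === "read" || toolLower === "grep" || toolLower === "glob" || toolLower === "read_file" || toolLower === "grep_search" || toolLower === "list_files";
+ if (isFileTool && readActiveShields().includes("project-jail")) {
+ const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+ const filePath = String(
+ argsObj.file_path ?? argsObj.path ?? argsObj.pattern ?? argsObj.filename ?? ""
+ );
+ if (filePath && scanFilePath(filePath)) {
+ } else {
+ if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+ return { approved: true };
+ }
+ } else {
+ if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+ return { approved: true };
+ }
  }
  if (!taintWarning && getActiveTrustSession(toolName, args)) {
  if (approvers.cloud && creds?.apiKey)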
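Review bot: In the third hunk (`_authorizeHeadlessCore`), the project-jail check scans only the first non-nullish of `file_path`, `path`, `pattern` and `filename`, so when a grep- or glob-style call carries both `path` and `pattern`, one of them is never passed to `scanFilePath`; every candidate field should be checked. The `if (filePath && scanFilePath(filePath)) { }` branch is also empty, which hides that a hit is meant to fall through to the approval flow below (presumably `scanFilePath` returns truthy for a sensitive path; its definition is outside the hunk), and the audit-and-return pair is duplicated in both `else` arms. Computing one `jailHit` flag and keeping a single early return, as below, covers all fields and makes the fall-through explicit. The same hunk appears in package/dist/index.mjs; both look like build output, so the change belongs in the source they are bundled from. The function body starts and ends outside the hunk.

```javascript
} else if (!taintWarning) {
  // … unchanged: toolLower and isFileTool …
  const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
  const jailHit =
    isFileTool &&
    readActiveShields().includes("project-jail") &&
    [argsObj.file_path, argsObj.path, argsObj.pattern, argsObj.filename].some(
      (v) => v != null && v !== "" && scanFilePath(String(v))
    );
  if (!jailHit) {
    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
    return { approved: true };
  }
  // Sensitive path under project-jail: skip the fast allow path and continue to the approval flow.
```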
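--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -106,6 +106,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
  ...testRun,
  agent: meta?.agent,
  mcpServer: meta?.mcpServer,
+ sessionId: meta?.sessionId,
  hostname: os.hostname()
  });
  }
@@ -1389,6 +1390,15 @@ var DLP_PATTERNS = [
  keywords: ["age-secret-key-"]
  }
  ];
+ var DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
+ (p) => ({
+ pattern: p,
+ globalRegex: new RegExp(
+ p.regex.source,
+ p.regex.flags.includes("g") ? p.regex.flags : p.regex.flags + "g"
+ )
+ })
+ );
  var SENSITIVE_PATH_PATTERNS = [
  /[/\\]\.ssh[/\\]/i,
  /[/\\]\.aws[/\\]/i,
@@ -3547,8 +3557,22 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
  };
  }
  } else if (!taintWarning) {
- if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
- return { approved: true };
+ const toolLower = toolName.toLowerCase();
+ const isFileTool = toolLower === "read" || toolLower === "grep" || toolLower === "glob" || toolLower === "read_file" || toolLower === "grep_search" || toolLower === "list_files";
+ if (isFileTool && readActiveShields().includes("project-jail")) {
+ const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+ const filePath = String(
+ argsObj.file_path ?? argsObj.path ?? argsObj.pattern ?? argsObj.filename ?? ""
+ );
+ if (filePath && scanFilePath(filePath)) {
+ } else {
+ if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+ return { approved: true };
+ }
+ } else {
+ if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+ return { approved: true };
+ }
  }
  if (!taintWarning && getActiveTrustSession(toolName, args)) {
  if (approvers.cloud && creds?.apiKey)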
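Review bot: `DLP_PATTERNS_GLOBAL` in the second hunk creates module-level regexes with the `g` flag and no comment on how they may be used. A global RegExp keeps `lastIndex` between `.test()`/`.exec()` calls, so reusing one across inputs can start matching mid-string and miss a hit, which for a DLP scanner means an undetected secret. The consumers are outside this diff, so this may already be handled; I would still add a comment above the declaration, e.g. `// g-flag copies for matchAll()/replace() only; reset lastIndex before any test()/exec()`. The identical hunk in package/dist/index.js needs the same comment, added in the source the bundles are built from.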
@@ -0,0 +1,64 @@
1
+ {
2
+ "name": "project-jail",
3
+ "description": "Restricts AI agents from reading sensitive credential files outside the current project",
4
+ "aliases": ["jail"],
5
+ "smartRules": [
6
+ {
7
+ "name": "shield:project-jail:block-read-ssh",
8
+ "tool": "bash",
9
+ "conditions": [
10
+ {
11
+ "field": "command",
12
+ "op": "matches",
13
+ "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
14
+ "flags": "i"
15
+ }
16
+ ],
17
+ "verdict": "block",
18
+ "reason": "Reading SSH private keys is blocked by project-jail shield"
19
+ },
20
+ {
21
+ "name": "shield:project-jail:block-read-aws",
22
+ "tool": "bash",
23
+ "conditions": [
24
+ {
25
+ "field": "command",
26
+ "op": "matches",
27
+ "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
28
+ "flags": "i"
29
+ }
30
+ ],
31
+ "verdict": "block",
32
+ "reason": "Reading AWS credentials is blocked by project-jail shield"
33
+ },
34
+ {
35
+ "name": "shield:project-jail:block-read-env",
36
+ "tool": "bash",
37
+ "conditions": [
38
+ {
39
+ "field": "command",
40
+ "op": "matches",
41
+ "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
42
+ "flags": "i"
43
+ }
44
+ ],
45
+ "verdict": "block",
46
+ "reason": "Reading .env files is blocked by project-jail shield"
47
+ },
48
+ {
49
+ "name": "shield:project-jail:block-read-credentials",
50
+ "tool": "bash",
51
+ "conditions": [
52
+ {
53
+ "field": "command",
54
+ "op": "matches",
55
+ "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
56
+ "flags": "i"
57
+ }
58
+ ],
59
+ "verdict": "block",
60
+ "reason": "Reading credential files is blocked by project-jail shield"
61
+ }
62
+ ],
63
+ "dangerousWords": []
64
+ }
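Review bot: Each rule's `value` opens with an unanchored alternation `(cat|less|…|vi|code|type)`, so with the `i` flag it also matches inside longer words that end in one of those names, and unrelated commands that mention a `.ssh`, `.aws` or `.env` path later on the line are blocked; prefixing the group with a word boundary, `\\b(cat|less|…)\\s+`, would narrow that. The `description` says the shield covers files "outside the current project", but none of the four patterns refers to a project root, and `block-read-env` matches any `.env` path, including in-project ones and `.env.example`. Since JSON cannot carry comments, I would state the real scope in `description` itself, e.g. `"Best-effort block on shell reads of credential files (.ssh, .aws, .env, registry and cloud tokens); not a sandbox boundary"`, because a fixed list of reader commands cannot be exhaustive.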
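--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@node9/proxy",
- "version": "1.13.0",
+ "version": "1.14.0",
  "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
  "main": "./dist/index.js",
  "module": "./dist/index.mjs",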