@node9/proxy 1.13.1 → 1.14.0

package/dist/index.js

@@ -126,6 +126,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
+    sessionId: meta?.sessionId,
     hostname: import_os.default.hostname()
   });
 }
@@ -3586,8 +3587,22 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       };
     }
   } else if (!taintWarning) {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
-    return { approved: true };
+    const toolLower = toolName.toLowerCase();
+    const isFileTool = toolLower === "read" || toolLower === "grep" || toolLower === "glob" || toolLower === "read_file" || toolLower === "grep_search" || toolLower === "list_files";
+    if (isFileTool && readActiveShields().includes("project-jail")) {
+      const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+      const filePath = String(
+        argsObj.file_path ?? argsObj.path ?? argsObj.pattern ?? argsObj.filename ?? ""
+      );
+      if (filePath && scanFilePath(filePath)) {
+      } else {
+        if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+        return { approved: true };
+      }
+    } else {
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+      return { approved: true };
+    }
   }
   if (!taintWarning && getActiveTrustSession(toolName, args)) {
     if (approvers.cloud && creds?.apiKey)

package/dist/index.mjs

@@ -106,6 +106,7 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
+    sessionId: meta?.sessionId,
     hostname: os.hostname()
   });
 }
@@ -3556,8 +3557,22 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       };
     }
   } else if (!taintWarning) {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
-    return { approved: true };
+    const toolLower = toolName.toLowerCase();
+    const isFileTool = toolLower === "read" || toolLower === "grep" || toolLower === "glob" || toolLower === "read_file" || toolLower === "grep_search" || toolLower === "list_files";
+    if (isFileTool && readActiveShields().includes("project-jail")) {
+      const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+      const filePath = String(
+        argsObj.file_path ?? argsObj.path ?? argsObj.pattern ?? argsObj.filename ?? ""
+      );
+      if (filePath && scanFilePath(filePath)) {
+      } else {
+        if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+        return { approved: true };
+      }
+    } else {
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
+      return { approved: true };
+    }
   }
   if (!taintWarning && getActiveTrustSession(toolName, args)) {
     if (approvers.cloud && creds?.apiKey)

package/dist/shields/builtin/project-jail.json

@@ -0,0 +1,64 @@
+{
+  "name": "project-jail",
+  "description": "Restricts AI agents from reading sensitive credential files outside the current project",
+  "aliases": ["jail"],
+  "smartRules": [
+    {
+      "name": "shield:project-jail:block-read-ssh",
+      "tool": "bash",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      "name": "shield:project-jail:block-read-aws",
+      "tool": "bash",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      "name": "shield:project-jail:block-read-env",
+      "tool": "bash",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "Reading .env files is blocked by project-jail shield"
+    },
+    {
+      "name": "shield:project-jail:block-read-credentials",
+      "tool": "bash",
+      "conditions": [
+        {
+          "field": "command",
+          "op": "matches",
+          "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+          "flags": "i"
+        }
+      ],
+      "verdict": "block",
+      "reason": "Reading credential files is blocked by project-jail shield"
+    }
+  ],
+  "dangerousWords": []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.13.1",
+  "version": "1.14.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",