@node9/proxy 1.14.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/README.md +17 -0
  2. package/dist/cli.js +3136 -2165
  3. package/dist/cli.mjs +3117 -2147
  4. package/dist/index.js +2511 -1709
  5. package/dist/index.mjs +2511 -1709
  6. package/package.json +5 -2
  7. package/dist/shields/builtin/aws.json +0 -59
  8. package/dist/shields/builtin/bash-safe.json +0 -92
  9. package/dist/shields/builtin/docker.json +0 -120
  10. package/dist/shields/builtin/filesystem.json +0 -30
  11. package/dist/shields/builtin/github.json +0 -26
  12. package/dist/shields/builtin/k8s.json +0 -92
  13. package/dist/shields/builtin/mcp-tool-gating.json +0 -7
  14. package/dist/shields/builtin/mongodb.json +0 -78
  15. package/dist/shields/builtin/postgres.json +0 -42
  16. package/dist/shields/builtin/project-jail.json +0 -64
  17. package/dist/shields/builtin/redis.json +0 -78
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@node9/proxy",
3
- "version": "1.14.0",
3
+ "version": "1.15.0",
4
4
  "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.mjs",
@@ -18,6 +18,9 @@
18
18
  "engines": {
19
19
  "node": ">=18"
20
20
  },
21
+ "workspaces": [
22
+ "packages/*"
23
+ ],
21
24
  "repository": {
22
25
  "type": "git",
23
26
  "url": "git+https://github.com/node9-ai/node9-proxy.git"
@@ -48,7 +51,7 @@
48
51
  "LICENSE"
49
52
  ],
50
53
  "scripts": {
51
- "build": "tsup && node scripts/copy-shield-assets.js",
54
+ "build": "npm --workspace @node9/policy-engine run build && tsup",
52
55
  "dev": "tsup --watch",
53
56
  "demo": "tsx examples/demo.ts",
54
57
  "typecheck": "tsc --noEmit",
package/dist/shields/builtin/aws.json DELETED
@@ -1,59 +0,0 @@
1
- {
2
- "name": "aws",
3
- "description": "Protects AWS infrastructure from destructive AI operations",
4
- "aliases": ["amazon"],
5
- "smartRules": [
6
- {
7
- "name": "shield:aws:block-delete-s3-bucket",
8
- "tool": "*",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "S3 bucket deletion is irreversible — blocked by AWS shield"
19
- },
20
- {
21
- "name": "shield:aws:review-iam-changes",
22
- "tool": "*",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "review",
32
- "reason": "IAM changes require human approval (AWS shield)"
33
- },
34
- {
35
- "name": "shield:aws:block-ec2-terminate",
36
- "tool": "*",
37
- "conditions": [
38
- {
39
- "field": "command",
40
- "op": "matches",
41
- "value": "aws\\s+ec2\\s+terminate-instances",
42
- "flags": "i"
43
- }
44
- ],
45
- "verdict": "block",
46
- "reason": "EC2 instance termination is irreversible — blocked by AWS shield"
47
- },
48
- {
49
- "name": "shield:aws:review-rds-delete",
50
- "tool": "*",
51
- "conditions": [
52
- { "field": "command", "op": "matches", "value": "aws\\s+rds\\s+delete-", "flags": "i" }
53
- ],
54
- "verdict": "review",
55
- "reason": "RDS deletion requires human approval (AWS shield)"
56
- }
57
- ],
58
- "dangerousWords": []
59
- }
package/dist/shields/builtin/bash-safe.json DELETED
@@ -1,92 +0,0 @@
1
- {
2
- "name": "bash-safe",
3
- "description": "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
4
- "aliases": ["bash", "shell"],
5
- "smartRules": [
6
- {
7
- "name": "shield:bash-safe:block-pipe-to-shell",
8
- "tool": "bash",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "(^|&&|\\|\\||;)\\s*(curl|wget)\\s+[^|]*\\|\\s*(?:(bash|sh|zsh|fish)|(python3?|ruby|perl|node)\\b(?!\\s+-[cem]\\b))",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "Pipe-to-shell is a common supply-chain attack vector — blocked by bash-safe shield"
19
- },
20
- {
21
- "name": "shield:bash-safe:block-obfuscated-exec",
22
- "tool": "bash",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "\\bbase64\\s+(-d|--decode)[^|;&]*\\|\\s*(bash|sh|zsh)",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "block",
32
- "reason": "Obfuscated execution via base64 decode — blocked by bash-safe shield"
33
- },
34
- {
35
- "name": "shield:bash-safe:block-rm-root",
36
- "tool": "bash",
37
- "conditions": [
38
- {
39
- "field": "command",
40
- "op": "matches",
41
- "value": "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
42
- "flags": "i"
43
- }
44
- ],
45
- "verdict": "block",
46
- "reason": "rm -rf of root or home directory is catastrophic — blocked by bash-safe shield"
47
- },
48
- {
49
- "name": "shield:bash-safe:block-disk-overwrite",
50
- "tool": "bash",
51
- "conditions": [
52
- {
53
- "field": "command",
54
- "op": "matches",
55
- "value": "(^|&&|\\|\\||;)\\s*dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
56
- "flags": "i"
57
- }
58
- ],
59
- "verdict": "block",
60
- "reason": "Writing directly to a block device is irreversible — blocked by bash-safe shield"
61
- },
62
- {
63
- "name": "shield:bash-safe:block-eval-remote",
64
- "tool": "bash",
65
- "conditions": [
66
- {
67
- "field": "command",
68
- "op": "matches",
69
- "value": "(^|&&|\\|\\||;)\\s*eval\\s+.*\\$\\((curl|wget)\\b",
70
- "flags": "i"
71
- }
72
- ],
73
- "verdict": "block",
74
- "reason": "eval of remote download is a near-certain supply-chain attack — blocked by bash-safe shield"
75
- },
76
- {
77
- "name": "shield:bash-safe:review-eval-dynamic",
78
- "tool": "bash",
79
- "conditions": [
80
- {
81
- "field": "command",
82
- "op": "matches",
83
- "value": "(^|&&|\\|\\||[;|\\n{(`])\\s*eval\\s+([\\$`(]|\"[^\"]*\\$)",
84
- "flags": "i"
85
- }
86
- ],
87
- "verdict": "review",
88
- "reason": "eval of dynamic content — backup regex rule for scan path (real-time uses AST detection)"
89
- }
90
- ],
91
- "dangerousWords": []
92
- }
package/dist/shields/builtin/docker.json DELETED
@@ -1,120 +0,0 @@
1
- {
2
- "name": "docker",
3
- "description": "Protects Docker environments from destructive AI operations",
4
- "aliases": [],
5
- "smartRules": [
6
- {
7
- "name": "shield:docker:block-system-prune",
8
- "tool": "*",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "docker\\s+system\\s+prune",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "docker system prune removes all unused containers, images, and volumes — blocked by Docker shield"
19
- },
20
- {
21
- "name": "shield:docker:block-volume-prune",
22
- "tool": "*",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "docker\\s+volume\\s+prune",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "block",
32
- "reason": "docker volume prune destroys all unused volumes and their data — blocked by Docker shield"
33
- },
34
- {
35
- "name": "shield:docker:block-rm-force",
36
- "tool": "*",
37
- "conditionMode": "all",
38
- "conditions": [
39
- {
40
- "field": "command",
41
- "op": "matches",
42
- "value": "docker\\s+rm\\b",
43
- "flags": "i"
44
- },
45
- {
46
- "field": "command",
47
- "op": "matches",
48
- "value": "(^|\\s)(-f|--force)(\\s|$)",
49
- "flags": "i"
50
- }
51
- ],
52
- "verdict": "block",
53
- "reason": "Force-removing running containers is destructive — blocked by Docker shield"
54
- },
55
- {
56
- "name": "shield:docker:review-volume-rm",
57
- "tool": "*",
58
- "conditions": [
59
- {
60
- "field": "command",
61
- "op": "matches",
62
- "value": "docker\\s+volume\\s+rm\\s+",
63
- "flags": "i"
64
- }
65
- ],
66
- "verdict": "review",
67
- "reason": "Volume removal deletes persistent data and requires human approval (Docker shield)"
68
- },
69
- {
70
- "name": "shield:docker:review-stop-kill",
71
- "tool": "*",
72
- "conditions": [
73
- {
74
- "field": "command",
75
- "op": "matches",
76
- "value": "docker\\s+(stop|kill)\\s+",
77
- "flags": "i"
78
- }
79
- ],
80
- "verdict": "review",
81
- "reason": "Stopping or killing containers requires human approval (Docker shield)"
82
- },
83
- {
84
- "name": "shield:docker:review-image-rm",
85
- "tool": "*",
86
- "conditions": [
87
- {
88
- "field": "command",
89
- "op": "matches",
90
- "value": "docker\\s+image\\s+rm\\b",
91
- "flags": "i"
92
- }
93
- ],
94
- "verdict": "review",
95
- "reason": "Image removal requires human approval (Docker shield)"
96
- },
97
- {
98
- "name": "shield:docker:review-rmi-force",
99
- "tool": "*",
100
- "conditionMode": "all",
101
- "conditions": [
102
- {
103
- "field": "command",
104
- "op": "matches",
105
- "value": "docker\\s+rmi\\b",
106
- "flags": "i"
107
- },
108
- {
109
- "field": "command",
110
- "op": "matches",
111
- "value": "(^|\\s)(-f|--force)(\\s|$)",
112
- "flags": "i"
113
- }
114
- ],
115
- "verdict": "review",
116
- "reason": "Force image removal requires human approval (Docker shield)"
117
- }
118
- ],
119
- "dangerousWords": []
120
- }
package/dist/shields/builtin/filesystem.json DELETED
@@ -1,30 +0,0 @@
1
- {
2
- "name": "filesystem",
3
- "description": "Protects the local filesystem from dangerous AI operations",
4
- "aliases": ["fs"],
5
- "smartRules": [
6
- {
7
- "name": "shield:filesystem:review-chmod-777",
8
- "tool": "bash",
9
- "conditions": [
10
- { "field": "command", "op": "matches", "value": "chmod\\s+(777|a\\+rwx)", "flags": "i" }
11
- ],
12
- "verdict": "review",
13
- "reason": "chmod 777 requires human approval (filesystem shield)"
14
- },
15
- {
16
- "name": "shield:filesystem:review-write-etc",
17
- "tool": "bash",
18
- "conditions": [
19
- {
20
- "field": "command",
21
- "op": "matches",
22
- "value": "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
23
- }
24
- ],
25
- "verdict": "review",
26
- "reason": "Writing to /etc requires human approval (filesystem shield)"
27
- }
28
- ],
29
- "dangerousWords": ["wipefs"]
30
- }
package/dist/shields/builtin/github.json DELETED
@@ -1,26 +0,0 @@
1
- {
2
- "name": "github",
3
- "description": "Protects GitHub repositories from destructive AI operations",
4
- "aliases": ["git"],
5
- "smartRules": [
6
- {
7
- "name": "shield:github:review-delete-branch-remote",
8
- "tool": "bash",
9
- "conditions": [
10
- { "field": "command", "op": "matches", "value": "git\\s+push\\s+.*--delete", "flags": "i" }
11
- ],
12
- "verdict": "review",
13
- "reason": "Remote branch deletion requires human approval (GitHub shield)"
14
- },
15
- {
16
- "name": "shield:github:block-delete-repo",
17
- "tool": "*",
18
- "conditions": [
19
- { "field": "command", "op": "matches", "value": "gh\\s+repo\\s+delete", "flags": "i" }
20
- ],
21
- "verdict": "block",
22
- "reason": "Repository deletion is irreversible — blocked by GitHub shield"
23
- }
24
- ],
25
- "dangerousWords": []
26
- }
package/dist/shields/builtin/k8s.json DELETED
@@ -1,92 +0,0 @@
1
- {
2
- "name": "k8s",
3
- "description": "Protects Kubernetes clusters from destructive AI operations",
4
- "aliases": ["kubernetes", "kubectl"],
5
- "smartRules": [
6
- {
7
- "name": "shield:k8s:block-delete-namespace",
8
- "tool": "*",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "kubectl\\s+delete\\s+(ns|namespace)\\s+",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "Deleting a namespace destroys all resources inside it — blocked by k8s shield"
19
- },
20
- {
21
- "name": "shield:k8s:block-delete-all",
22
- "tool": "*",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "kubectl\\s+delete\\s+.*--all\\b",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "block",
32
- "reason": "kubectl delete --all is irreversible — blocked by k8s shield"
33
- },
34
- {
35
- "name": "shield:k8s:block-helm-uninstall",
36
- "tool": "*",
37
- "conditions": [
38
- {
39
- "field": "command",
40
- "op": "matches",
41
- "value": "helm\\s+(uninstall|delete|del)\\s+",
42
- "flags": "i"
43
- }
44
- ],
45
- "verdict": "block",
46
- "reason": "helm uninstall removes a release and its resources — blocked by k8s shield"
47
- },
48
- {
49
- "name": "shield:k8s:review-scale-zero",
50
- "tool": "*",
51
- "conditions": [
52
- {
53
- "field": "command",
54
- "op": "matches",
55
- "value": "kubectl\\s+scale\\s+.*--replicas=0",
56
- "flags": "i"
57
- }
58
- ],
59
- "verdict": "review",
60
- "reason": "Scaling to zero takes down a workload and requires human approval (k8s shield)"
61
- },
62
- {
63
- "name": "shield:k8s:review-delete-deployment",
64
- "tool": "*",
65
- "conditions": [
66
- {
67
- "field": "command",
68
- "op": "matches",
69
- "value": "kubectl\\s+delete\\s+(deployment|deploy|statefulset|sts|daemonset|ds)\\s+",
70
- "flags": "i"
71
- }
72
- ],
73
- "verdict": "review",
74
- "reason": "Deleting a workload requires human approval (k8s shield)"
75
- },
76
- {
77
- "name": "shield:k8s:review-apply-force",
78
- "tool": "*",
79
- "conditions": [
80
- {
81
- "field": "command",
82
- "op": "matches",
83
- "value": "kubectl\\s+(apply|replace)\\s+.*--force",
84
- "flags": "i"
85
- }
86
- ],
87
- "verdict": "review",
88
- "reason": "Force-apply overwrites live resources and requires human approval (k8s shield)"
89
- }
90
- ],
91
- "dangerousWords": []
92
- }
package/dist/shields/builtin/mcp-tool-gating.json DELETED
@@ -1,7 +0,0 @@
1
- {
2
- "name": "mcp-tool-gating",
3
- "description": "Intercept MCP tool lists and require user approval before the agent can use any tools from a new server",
4
- "aliases": ["mcp-gating", "mcp-tools"],
5
- "smartRules": [],
6
- "dangerousWords": []
7
- }
package/dist/shields/builtin/mongodb.json DELETED
@@ -1,78 +0,0 @@
1
- {
2
- "name": "mongodb",
3
- "description": "Protects MongoDB databases from destructive AI operations",
4
- "aliases": ["mongo"],
5
- "smartRules": [
6
- {
7
- "name": "shield:mongodb:block-drop-database",
8
- "tool": "*",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "\\.dropDatabase\\s*\\(",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "dropDatabase is irreversible — blocked by MongoDB shield"
19
- },
20
- {
21
- "name": "shield:mongodb:block-drop-collection",
22
- "tool": "*",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "\\.drop\\s*\\(|db\\.getCollection\\([^)]+\\)\\.drop\\s*\\(",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "block",
32
- "reason": "Collection drop is irreversible — blocked by MongoDB shield"
33
- },
34
- {
35
- "name": "shield:mongodb:block-delete-many-empty-filter",
36
- "tool": "*",
37
- "conditions": [
38
- {
39
- "field": "command",
40
- "op": "matches",
41
- "value": "\\.deleteMany\\s*\\(\\s*\\{\\s*\\}\\s*\\)",
42
- "flags": "i"
43
- }
44
- ],
45
- "verdict": "block",
46
- "reason": "deleteMany({}) with empty filter wipes the entire collection — blocked by MongoDB shield"
47
- },
48
- {
49
- "name": "shield:mongodb:review-delete-many",
50
- "tool": "*",
51
- "conditions": [
52
- {
53
- "field": "command",
54
- "op": "matches",
55
- "value": "\\.deleteMany\\s*\\(",
56
- "flags": "i"
57
- }
58
- ],
59
- "verdict": "review",
60
- "reason": "deleteMany requires human approval (MongoDB shield)"
61
- },
62
- {
63
- "name": "shield:mongodb:review-drop-index",
64
- "tool": "*",
65
- "conditions": [
66
- {
67
- "field": "command",
68
- "op": "matches",
69
- "value": "\\.dropIndex\\s*\\(|\\.dropIndexes\\s*\\(",
70
- "flags": "i"
71
- }
72
- ],
73
- "verdict": "review",
74
- "reason": "Index drops affect query performance and require human approval (MongoDB shield)"
75
- }
76
- ],
77
- "dangerousWords": ["dropDatabase", "dropCollection", "mongodrop"]
78
- }
package/dist/shields/builtin/postgres.json DELETED
@@ -1,42 +0,0 @@
1
- {
2
- "name": "postgres",
3
- "description": "Protects PostgreSQL databases from destructive AI operations",
4
- "aliases": ["pg", "postgresql"],
5
- "smartRules": [
6
- {
7
- "name": "shield:postgres:block-drop-table",
8
- "tool": "*",
9
- "conditions": [{ "field": "sql", "op": "matches", "value": "DROP\\s+TABLE", "flags": "i" }],
10
- "verdict": "block",
11
- "reason": "DROP TABLE is irreversible — blocked by Postgres shield"
12
- },
13
- {
14
- "name": "shield:postgres:block-truncate",
15
- "tool": "*",
16
- "conditions": [
17
- { "field": "sql", "op": "matches", "value": "TRUNCATE\\s+TABLE", "flags": "i" }
18
- ],
19
- "verdict": "block",
20
- "reason": "TRUNCATE is irreversible — blocked by Postgres shield"
21
- },
22
- {
23
- "name": "shield:postgres:block-drop-column",
24
- "tool": "*",
25
- "conditions": [
26
- { "field": "sql", "op": "matches", "value": "ALTER\\s+TABLE.*DROP\\s+COLUMN", "flags": "i" }
27
- ],
28
- "verdict": "block",
29
- "reason": "DROP COLUMN is irreversible — blocked by Postgres shield"
30
- },
31
- {
32
- "name": "shield:postgres:review-grant-revoke",
33
- "tool": "*",
34
- "conditions": [
35
- { "field": "sql", "op": "matches", "value": "\\b(GRANT|REVOKE)\\b", "flags": "i" }
36
- ],
37
- "verdict": "review",
38
- "reason": "Permission changes require human approval (Postgres shield)"
39
- }
40
- ],
41
- "dangerousWords": ["dropdb", "pg_dropcluster"]
42
- }
package/dist/shields/builtin/project-jail.json DELETED
@@ -1,64 +0,0 @@
1
- {
2
- "name": "project-jail",
3
- "description": "Restricts AI agents from reading sensitive credential files outside the current project",
4
- "aliases": ["jail"],
5
- "smartRules": [
6
- {
7
- "name": "shield:project-jail:block-read-ssh",
8
- "tool": "bash",
9
- "conditions": [
10
- {
11
- "field": "command",
12
- "op": "matches",
13
- "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
14
- "flags": "i"
15
- }
16
- ],
17
- "verdict": "block",
18
- "reason": "Reading SSH private keys is blocked by project-jail shield"
19
- },
20
- {
21
- "name": "shield:project-jail:block-read-aws",
22
- "tool": "bash",
23
- "conditions": [
24
- {
25
- "field": "command",
26
- "op": "matches",
27
- "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
28
- "flags": "i"
29
- }
30
- ],
31
- "verdict": "block",
32
- "reason": "Reading AWS credentials is blocked by project-jail shield"
33
- },
34
- {
35
- "name": "shield:project-jail:block-read-env",
36
- "tool": "bash",
37
- "conditions": [
38
- {
39
- "field": "command",
40
- "op": "matches",
41
- "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
42
- "flags": "i"
43
- }
44
- ],
45
- "verdict": "block",
46
- "reason": "Reading .env files is blocked by project-jail shield"
47
- },
48
- {
49
- "name": "shield:project-jail:block-read-credentials",
50
- "tool": "bash",
51
- "conditions": [
52
- {
53
- "field": "command",
54
- "op": "matches",
55
- "value": "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
56
- "flags": "i"
57
- }
58
- ],
59
- "verdict": "block",
60
- "reason": "Reading credential files is blocked by project-jail shield"
61
- }
62
- ],
63
- "dangerousWords": []
64
- }