@node9/proxy 1.19.3 → 1.20.0

package/dist/index.js

@@ -118,12 +118,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
+  const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...ruleNameField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -1089,15 +1091,50 @@ var SENSITIVE_PATH_RULES = [
     match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
   },
   {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // review-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
     rule: "shield:project-jail:block-read-env",
     reason: "Reading .env files is blocked by project-jail shield",
-    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
   },
   {
-    rule: "shield:project-jail:block-read-credentials",
-    reason: "Reading credential files is blocked by project-jail shield",
-    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
-      p
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
     )
   }
 ];
@@ -1116,7 +1153,7 @@ var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
   "shield:project-jail:block-read-ssh",
   "shield:project-jail:block-read-aws",
   "shield:project-jail:block-read-env",
-  "shield:project-jail:block-read-credentials"
+  "shield:project-jail:review-read-credentials"
 ]);
 function isProtectedHomePath(rawPath) {
   let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
@@ -1228,7 +1265,12 @@ function analyzeFsOperationImpl(command) {
         for (const p of paths) {
           for (const sp of SENSITIVE_PATH_RULES) {
             if (sp.match(p)) {
-              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
               return false;
             }
           }
@@ -2512,7 +2554,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2526,7 +2568,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2548,7 +2590,7 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
@@ -2558,8 +2600,64 @@ var project_jail_default = {
           flags: "i"
         }
       ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading .env files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -3731,7 +3829,7 @@ async function waitForDaemonDecision(id, signal) {
     if (signal) signal.removeEventListener("abort", onAbort);
   }
 }
-async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata, activityId, socketActivitySent) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const res = await fetch(`${base}/check`, {
     method: "POST",
@@ -3742,7 +3840,12 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
       slackDelegated: true,
       agent: meta?.agent,
       mcpServer: meta?.mcpServer,
-      ...riskMetadata && { riskMetadata }
+      ...riskMetadata && { riskMetadata },
+      // fromCLI=true tells the daemon the CLI already sent the activity
+      // event via socket. Same contract as registerDaemonEntry — without
+      // it the daemon double-emits 'activity' for cloud-enforced flows.
+      fromCLI: socketActivitySent !== false,
+      activityId
     }),
     signal: AbortSignal.timeout(3e3)
   });
@@ -4659,7 +4762,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             "smart-rule-block-override",
-            meta,
+            // Same rationale as the smart-rule-block path above —
+            // pass the specific rule name so [2] SHIELDS can
+            // attribute this override-block to its owning shield.
+            { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
         if (approvers.cloud && creds?.apiKey)
@@ -4689,7 +4795,20 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block",
+            // Include policyResult.ruleName so the [2] Report SHIELDS
+            // panel can attribute this block to its specific shield
+            // (e.g. `shield:project-jail:block-read-ssh`) via the
+            // rule→shield map. checkedBy stays as the generic
+            // `smart-rule-block` for backward compat with existing
+            // log readers.
+            { ...meta, ruleName: policyResult.ruleName },
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
           auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
             ruleName: policyResult.ruleName,
@@ -4837,7 +4956,14 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let daemonAllowCount = 1;
   if (approvers.terminal && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
-      const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      const viewer = await notifyDaemonViewer(
+        toolName,
+        args,
+        meta,
+        riskMetadata,
+        options?.activityId,
+        options?.socketActivitySent
+      ).catch(() => null);
       viewerId = viewer?.id ?? null;
       daemonEntryId = viewerId;
       if (viewer) daemonAllowCount = viewer.allowCount;

package/dist/index.mjs

@@ -98,12 +98,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
+  const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...ruleNameField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -1059,15 +1061,50 @@ var SENSITIVE_PATH_RULES = [
     match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
   },
   {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // review-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
     rule: "shield:project-jail:block-read-env",
     reason: "Reading .env files is blocked by project-jail shield",
-    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
   },
   {
-    rule: "shield:project-jail:block-read-credentials",
-    reason: "Reading credential files is blocked by project-jail shield",
-    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
-      p
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
     )
   }
 ];
@@ -1086,7 +1123,7 @@ var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
   "shield:project-jail:block-read-ssh",
   "shield:project-jail:block-read-aws",
   "shield:project-jail:block-read-env",
-  "shield:project-jail:block-read-credentials"
+  "shield:project-jail:review-read-credentials"
 ]);
 function isProtectedHomePath(rawPath) {
   let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
@@ -1198,7 +1235,12 @@ function analyzeFsOperationImpl(command) {
         for (const p of paths) {
           for (const sp of SENSITIVE_PATH_RULES) {
             if (sp.match(p)) {
-              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
               return false;
             }
           }
@@ -2482,7 +2524,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2496,7 +2538,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2518,7 +2560,7 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
@@ -2528,8 +2570,64 @@ var project_jail_default = {
           flags: "i"
         }
       ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading .env files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -3701,7 +3799,7 @@ async function waitForDaemonDecision(id, signal) {
     if (signal) signal.removeEventListener("abort", onAbort);
   }
 }
-async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
+async function notifyDaemonViewer(toolName, args, meta, riskMetadata, activityId, socketActivitySent) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const res = await fetch(`${base}/check`, {
     method: "POST",
@@ -3712,7 +3810,12 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
       slackDelegated: true,
       agent: meta?.agent,
       mcpServer: meta?.mcpServer,
-      ...riskMetadata && { riskMetadata }
+      ...riskMetadata && { riskMetadata },
+      // fromCLI=true tells the daemon the CLI already sent the activity
+      // event via socket. Same contract as registerDaemonEntry — without
+      // it the daemon double-emits 'activity' for cloud-enforced flows.
+      fromCLI: socketActivitySent !== false,
+      activityId
     }),
     signal: AbortSignal.timeout(3e3)
   });
@@ -4629,7 +4732,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             "smart-rule-block-override",
-            meta,
+            // Same rationale as the smart-rule-block path above —
+            // pass the specific rule name so [2] SHIELDS can
+            // attribute this override-block to its owning shield.
+            { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
         if (approvers.cloud && creds?.apiKey)
@@ -4659,7 +4765,20 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block",
+            // Include policyResult.ruleName so the [2] Report SHIELDS
+            // panel can attribute this block to its specific shield
+            // (e.g. `shield:project-jail:block-read-ssh`) via the
+            // rule→shield map. checkedBy stays as the generic
+            // `smart-rule-block` for backward compat with existing
+            // log readers.
+            { ...meta, ruleName: policyResult.ruleName },
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
           auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
             ruleName: policyResult.ruleName,
@@ -4807,7 +4926,14 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let daemonAllowCount = 1;
   if (approvers.terminal && isDaemonRunning() && !options?.calledFromDaemon) {
     if (cloudEnforced && cloudRequestId) {
-      const viewer = await notifyDaemonViewer(toolName, args, meta, riskMetadata).catch(() => null);
+      const viewer = await notifyDaemonViewer(
+        toolName,
+        args,
+        meta,
+        riskMetadata,
+        options?.activityId,
+        options?.socketActivitySent
+      ).catch(() => null);
       viewerId = viewer?.id ?? null;
       daemonEntryId = viewerId;
       if (viewer) daemonAllowCount = viewer.allowCount;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.19.3",
+  "version": "1.20.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -77,8 +77,10 @@
     "chalk": "^4.1.2",
     "commander": "^14.0.3",
     "execa": "^9.6.1",
+    "ink": "^7.0.2",
     "mvdan-sh": "^0.10.1",
     "picomatch": "^4.0.3",
+    "react": "^19.2.6",
     "safe-regex2": "^5.1.0",
     "smol-toml": "^1.6.1",
     "zod": "^3.25.76"
@@ -96,8 +98,10 @@
     "@semantic-release/release-notes-generator": "^14.1.0",
     "@types/node": "^25.3.1",
     "@types/picomatch": "^4.0.2",
+    "@types/react": "^19.2.14",
     "@vitest/coverage-v8": "4.1.2",
     "cross-env": "^10.1.0",
+    "ink-testing-library": "^4.0.0",
     "prettier": "^3.4.2",
     "semantic-release": "^25.0.3",
     "tsup": "^8.5.1",