npm - @node9/proxy - Versions diffs - 1.19.4 → 1.20.1 - Mend

@node9/proxy 1.19.4 → 1.20.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -118,12 +118,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
+  const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...ruleNameField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -1089,15 +1091,50 @@ var SENSITIVE_PATH_RULES = [
     match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
   },
   {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // review-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
     rule: "shield:project-jail:block-read-env",
     reason: "Reading .env files is blocked by project-jail shield",
-    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
   },
   {
-    rule: "shield:project-jail:block-read-credentials",
-    reason: "Reading credential files is blocked by project-jail shield",
-    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
-      p
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
     )
   }
 ];
@@ -1116,7 +1153,7 @@ var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
   "shield:project-jail:block-read-ssh",
   "shield:project-jail:block-read-aws",
   "shield:project-jail:block-read-env",
-  "shield:project-jail:block-read-credentials"
+  "shield:project-jail:review-read-credentials"
 ]);
 function isProtectedHomePath(rawPath) {
   let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
@@ -1228,7 +1265,12 @@ function analyzeFsOperationImpl(command) {
         for (const p of paths) {
           for (const sp of SENSITIVE_PATH_RULES) {
             if (sp.match(p)) {
-              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
               return false;
             }
           }
@@ -2512,7 +2554,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2526,7 +2568,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2548,7 +2590,7 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
@@ -2558,8 +2600,64 @@ var project_jail_default = {
           flags: "i"
         }
       ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading .env files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -4664,7 +4762,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             "smart-rule-block-override",
-            meta,
+            // Same rationale as the smart-rule-block path above —
+            // pass the specific rule name so [2] SHIELDS can
+            // attribute this override-block to its owning shield.
+            { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
         if (approvers.cloud && creds?.apiKey)
@@ -4694,7 +4795,20 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block",
+            // Include policyResult.ruleName so the [2] Report SHIELDS
+            // panel can attribute this block to its specific shield
+            // (e.g. `shield:project-jail:block-read-ssh`) via the
+            // rule→shield map. checkedBy stays as the generic
+            // `smart-rule-block` for backward compat with existing
+            // log readers.
+            { ...meta, ruleName: policyResult.ruleName },
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
           auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
             ruleName: policyResult.ruleName,

package/dist/index.mjs CHANGED Viewed

@@ -98,12 +98,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
+  const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...ruleNameField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -1059,15 +1061,50 @@ var SENSITIVE_PATH_RULES = [
     match: (p) => /(^|[\\/])\.aws[\\/]/i.test(p)
   },
   {
+    // Mirrors the JSON shield's `.env` pattern (project-jail.json's
+    // review-read-env-any-tool) so the AST FS-op path catches the
+    // same set the regex shield does — including Next.js / Vite's
+    // `.env.<env>.local` double-suffix overrides which are commonly
+    // gitignored AND commonly contain real secrets.
+    //
+    // Intentional non-matches (dev fixtures): .env.example, .env.sample,
+    // .env.template, .env.test, .envrc. See shields.test.ts:983-995
+    // for the canonical test-asserted contract.
     rule: "shield:project-jail:block-read-env",
     reason: "Reading .env files is blocked by project-jail shield",
-    match: (p) => /(?:^|[\\/])\.env(?:\.local|\.production|\.staging)?$/i.test(p)
+    match: (p) => /(?:^|[\\/])\.env(?:\.(?:local|production|staging|development|production\.local|staging\.local|development\.local))?$/i.test(
+      p
+    )
   },
   {
-    rule: "shield:project-jail:block-read-credentials",
-    reason: "Reading credential files is blocked by project-jail shield",
-    match: (p) => /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials)$/i.test(
-      p
+    // verdict: 'review' (not 'block') is a deliberate design choice
+    // documented in commit 29327a8. SSH keys and AWS credentials are
+    // cryptographic material with no legitimate read use-case for
+    // an AI agent → hard `block`. But .netrc / .npmrc / .docker /
+    // .kube / gcloud are CONFIG files that hold tokens AND have
+    // legitimate diagnostic reads ("which registry am I configured
+    // for", "what cluster am I on"). Hard-blocking those creates
+    // friction without much safety win because the review gate
+    // still catches genuine exfiltration attempts.
+    //
+    // The review gate FAILS CLOSED on timeout (daemon.approvalTimeoutMs
+    // returns a deny verdict via the orchestrator's timeout branch),
+    // so a stuck or unattended approval does NOT silently grant
+    // credential access. If the threat model demands strict block,
+    // a future per-shield strict-mode toggle is the right fix —
+    // not a regex-level upgrade here.
+    rule: "shield:project-jail:review-read-credentials",
+    reason: "Reading credential files requires approval (project-jail shield)",
+    verdict: "review",
+    match: (p) => (
+      // .kube/config holds Kubernetes cluster credentials and was
+      // flagged as missing by the node9-pr-agent review (the comment
+      // above mentioned .kube but the regex didn't include it — a
+      // textbook code-comment vs code drift). The JSON shield's
+      // review-read-credentials-any-tool already had it. Now aligned.
+      /(?:credentials\.json|\.netrc|\.npmrc|\.docker[\\/]config\.json|gcloud[\\/]credentials|\.kube[\\/]config)$/i.test(
+        p
+      )
     )
   }
 ];
@@ -1086,7 +1123,7 @@ var AST_FS_REGEX_RULES = /* @__PURE__ */ new Set([
   "shield:project-jail:block-read-ssh",
   "shield:project-jail:block-read-aws",
   "shield:project-jail:block-read-env",
-  "shield:project-jail:block-read-credentials"
+  "shield:project-jail:review-read-credentials"
 ]);
 function isProtectedHomePath(rawPath) {
   let p = rawPath.replace(/^\$HOME[\\/]?|^\$\{HOME\}[\\/]?/, "~/");
@@ -1198,7 +1235,12 @@ function analyzeFsOperationImpl(command) {
         for (const p of paths) {
           for (const sp of SENSITIVE_PATH_RULES) {
             if (sp.match(p)) {
-              result = { ruleName: sp.rule, verdict: "block", reason: sp.reason, path: p };
+              result = {
+                ruleName: sp.rule,
+                verdict: sp.verdict ?? "block",
+                reason: sp.reason,
+                path: p
+              };
               return false;
             }
           }
@@ -2482,7 +2524,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.ssh[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2496,7 +2538,7 @@ var project_jail_default = {
         {
           field: "command",
           op: "matches",
-          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*[\\/\\\\]\\.aws[\\/\\\\]",
+          value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
           flags: "i"
         }
       ],
@@ -2518,7 +2560,7 @@ var project_jail_default = {
       reason: "Reading .env files is blocked by project-jail shield"
     },
     {
-      name: "shield:project-jail:block-read-credentials",
+      name: "shield:project-jail:review-read-credentials",
       tool: "bash",
       conditions: [
         {
@@ -2528,8 +2570,64 @@ var project_jail_default = {
           flags: "i"
         }
       ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:block-read-ssh-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.ssh[\\/\\\\]",
+          flags: "i"
+        }
+      ],
+      verdict: "block",
+      reason: "Reading SSH private keys is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:block-read-aws-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.aws[\\/\\\\]",
+          flags: "i"
+        }
+      ],
       verdict: "block",
-      reason: "Reading credential files is blocked by project-jail shield"
+      reason: "Reading AWS credentials is blocked by project-jail shield"
+    },
+    {
+      name: "shield:project-jail:review-read-env-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: "(^|[\\/\\\\])\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?$",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading .env files requires approval (project-jail shield)"
+    },
+    {
+      name: "shield:project-jail:review-read-credentials-any-tool",
+      tool: "*",
+      conditions: [
+        {
+          field: "file_path",
+          op: "matches",
+          value: ".*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials|\\.kube[\\/\\\\]config)",
+          flags: "i"
+        }
+      ],
+      verdict: "review",
+      reason: "Reading credential files requires approval (project-jail shield)"
     }
   ],
   dangerousWords: []
@@ -4634,7 +4732,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             "smart-rule-block-override",
-            meta,
+            // Same rationale as the smart-rule-block path above —
+            // pass the specific rule name so [2] SHIELDS can
+            // attribute this override-block to its owning shield.
+            { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
         if (approvers.cloud && creds?.apiKey)
@@ -4664,7 +4765,20 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         }
       } else {
         if (!isManual)
-          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            "smart-rule-block",
+            // Include policyResult.ruleName so the [2] Report SHIELDS
+            // panel can attribute this block to its specific shield
+            // (e.g. `shield:project-jail:block-read-ssh`) via the
+            // rule→shield map. checkedBy stays as the generic
+            // `smart-rule-block` for backward compat with existing
+            // log readers.
+            { ...meta, ruleName: policyResult.ruleName },
+            hashAuditArgs
+          );
         if (approvers.cloud && creds?.apiKey)
           auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
             ruleName: policyResult.ruleName,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.19.4",
+  "version": "1.20.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -83,6 +83,7 @@
     "react": "^19.2.6",
     "safe-regex2": "^5.1.0",
     "smol-toml": "^1.6.1",
+    "string-width": "^4.2.3",
     "zod": "^3.25.76"
   },
   "bundleDependencies": [
@@ -101,6 +102,7 @@
     "@types/react": "^19.2.14",
     "@vitest/coverage-v8": "4.1.2",
     "cross-env": "^10.1.0",
+    "ink-testing-library": "^4.0.0",
     "prettier": "^3.4.2",
     "semantic-release": "^25.0.3",
     "tsup": "^8.5.1",