@node9/proxy 1.21.4 → 1.22.0

package/dist/cli.js

@@ -6359,7 +6359,7 @@ function teardownClaude() {
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
-    for (const event of ["PreToolUse", "PostToolUse"]) {
+    for (const event of ["PreToolUse", "PostToolUse", "UserPromptSubmit"]) {
       const before = settings.hooks[event]?.length ?? 0;
       settings.hooks[event] = settings.hooks[event]?.filter(
         (m) => !m.hooks.some((h) => isNode9Hook(h.command))
@@ -6540,6 +6540,33 @@ async function setupClaude() {
       }
     }
   }
+  const hasPromptHook = settings.hooks.UserPromptSubmit?.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPromptHook) {
+    if (!settings.hooks.UserPromptSubmit) settings.hooks.UserPromptSubmit = [];
+    settings.hooks.UserPromptSubmit.push({
+      matcher: ".*",
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+    });
+    console.log(import_chalk.default.green("  \u2705 UserPromptSubmit hook added \u2192 node9 check (prompt DLP)"));
+    hooksChanged = true;
+    anythingChanged = true;
+  } else if (settings.hooks.UserPromptSubmit) {
+    for (const matcher of settings.hooks.UserPromptSubmit) {
+      for (const h of matcher.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          console.log(
+            import_chalk.default.yellow("  \u{1F527} UserPromptSubmit hook repaired (stale path \u2192 current binary)")
+          );
+          hooksChanged = true;
+          anythingChanged = true;
+        }
+      }
+    }
+  }
   if (!hasNode9McpServer(servers)) {
     servers["node9"] = NODE9_MCP_SERVER_ENTRY;
     claudeConfig.mcpServers = servers;
@@ -6826,9 +6853,79 @@ function writeToml(filePath, data) {
 async function setupCodex() {
   const homeDir2 = import_os11.default.homedir();
   const configPath = import_path14.default.join(homeDir2, ".codex", "config.toml");
+  const hooksPath = import_path14.default.join(homeDir2, ".codex", "hooks.json");
   const config = readToml(configPath) ?? {};
   const servers = config.mcp_servers ?? {};
   let anythingChanged = false;
+  const hooksFile = readJson(hooksPath) ?? {};
+  if (!hooksFile.hooks) hooksFile.hooks = {};
+  let hooksChanged = false;
+  if (!hooksFile.hooks.PreToolUse) hooksFile.hooks.PreToolUse = [];
+  for (const matcher of CODEX_PRE_TOOL_MATCHERS) {
+    const existing = hooksFile.hooks.PreToolUse.find((m) => m.matcher === matcher);
+    if (!existing) {
+      hooksFile.hooks.PreToolUse.push({
+        matcher,
+        hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+      });
+      hooksChanged = true;
+    } else {
+      for (const h of existing.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (!hooksFile.hooks.UserPromptSubmit) hooksFile.hooks.UserPromptSubmit = [];
+  const hasPromptHook = hooksFile.hooks.UserPromptSubmit.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPromptHook) {
+    hooksFile.hooks.UserPromptSubmit.push({
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+    });
+    hooksChanged = true;
+  } else {
+    for (const m of hooksFile.hooks.UserPromptSubmit) {
+      for (const h of m.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (!hooksFile.hooks.PostToolUse) hooksFile.hooks.PostToolUse = [];
+  const hasPostHook = hooksFile.hooks.PostToolUse.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPostHook) {
+    hooksFile.hooks.PostToolUse.push({
+      matcher: ".*",
+      hooks: [{ type: "command", command: fullPathCommand("log"), timeout: 600 }]
+    });
+    hooksChanged = true;
+  } else {
+    for (const m of hooksFile.hooks.PostToolUse) {
+      for (const h of m.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("log");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (hooksChanged) {
+    writeJson(hooksPath, hooksFile);
+    console.log(import_chalk.default.green("  \u2705 Codex hooks added         \u2192 node9 check / node9 log"));
+    anythingChanged = true;
+  }
+  const hooksInstalled = (hooksFile.hooks?.PreToolUse?.length ?? 0) > 0;
   if (!hasNode9McpServer(servers)) {
     servers["node9"] = NODE9_MCP_SERVER_ENTRY;
     config.mcp_servers = servers;
@@ -6868,23 +6965,39 @@ async function setupCodex() {
     }
     console.log("");
   }
-  console.log(
-    import_chalk.default.yellow(
-      "  \u26A0\uFE0F  Note: Codex does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Codex.\n     Native bash and file operations are not monitored."
-    )
-  );
-  console.log("");
-  if (!anythingChanged && serversToWrap.length === 0) {
+  const hooksDisabled = config.features?.hooks === false || config.codex_hooks === false;
+  if (hooksDisabled) {
     console.log(
-      import_chalk.default.blue(
-        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+      import_chalk.default.yellow(
+        "  \u26A0\uFE0F  Codex hooks are disabled in ~/.codex/config.toml ([features].hooks = false).\n     Re-enable hooks to activate Node9 shield evaluation on Bash, apply_patch,\n     MCP tool calls, and prompt submissions. Until then, only MCP proxy wrapping\n     is active."
+      )
+    );
+    console.log("");
+  }
+  const printCodexTrustReminder = () => {
+    console.log(
+      import_chalk.default.yellow(
+        "    \u279C  Open Codex and run /hooks to review and trust the Node9 entries.\n       Until trusted, only MCP proxy wrapping is active."
       )
     );
+  };
+  if (!anythingChanged && serversToWrap.length === 0) {
+    if (hooksInstalled) {
+      console.log(import_chalk.default.blue("\u2139\uFE0F  Codex hooks already installed."));
+      printCodexTrustReminder();
+    } else {
+      console.log(
+        import_chalk.default.blue(
+          "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+        )
+      );
+    }
     printDaemonTip();
     return;
   }
   if (anythingChanged) {
-    console.log(import_chalk.default.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Codex via MCP proxy!"));
+    console.log(import_chalk.default.green.bold("\u{1F6E1}\uFE0F  Node9 hooks installed for Codex."));
+    printCodexTrustReminder();
     console.log(import_chalk.default.gray("    Restart Codex for changes to take effect."));
     printDaemonTip();
   }
@@ -6892,6 +7005,23 @@ async function setupCodex() {
 function teardownCodex() {
   const homeDir2 = import_os11.default.homedir();
   const configPath = import_path14.default.join(homeDir2, ".codex", "config.toml");
+  const hooksPath = import_path14.default.join(homeDir2, ".codex", "hooks.json");
+  const hooksFile = readJson(hooksPath);
+  if (hooksFile?.hooks) {
+    let hooksChanged = false;
+    for (const event of ["PreToolUse", "PostToolUse", "UserPromptSubmit"]) {
+      const before = hooksFile.hooks[event]?.length ?? 0;
+      hooksFile.hooks[event] = hooksFile.hooks[event]?.filter(
+        (m) => !m.hooks.some((h) => isNode9Hook(h.command))
+      );
+      if ((hooksFile.hooks[event]?.length ?? 0) < before) hooksChanged = true;
+      if (hooksFile.hooks[event]?.length === 0) delete hooksFile.hooks[event];
+    }
+    if (hooksChanged) {
+      writeJson(hooksPath, hooksFile);
+      console.log(import_chalk.default.green("  \u2705 Removed Node9 hooks from ~/.codex/hooks.json"));
+    }
+  }
   const config = readToml(configPath);
   if (!config?.mcp_servers) {
     console.log(import_chalk.default.blue("  \u2139\uFE0F  ~/.codex/config.toml not found \u2014 nothing to remove"));
@@ -7350,7 +7480,7 @@ function getAgentsStatus(homeDir2 = import_os11.default.homedir()) {
     }
   ];
 }
-var import_fs12, import_path14, import_os11, import_chalk, import_prompts, import_smol_toml, NODE9_MCP_SERVER_ENTRY;
+var import_fs12, import_path14, import_os11, import_chalk, import_prompts, import_smol_toml, NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS;
 var init_setup = __esm({
   "src/setup.ts"() {
     "use strict";
@@ -7361,6 +7491,7 @@ var init_setup = __esm({
     import_prompts = require("@inquirer/prompts");
     import_smol_toml = require("smol-toml");
     NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
+    CODEX_PRE_TOOL_MATCHERS = ["^Bash$", "^apply_patch$", "^mcp__.*"];
   }
 });
 
@@ -15655,10 +15786,15 @@ function resolveUserSkillRoot(entry, cwd) {
 }
 
 // src/cli/commands/check.ts
+init_dlp();
+init_audit();
 function sanitize2(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
 function detectAiAgent(payload) {
+  if (payload.turn_id !== void 0) {
+    return "Codex";
+  }
   if (payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0) {
     return "Claude Code";
   }
@@ -15704,7 +15840,68 @@ RAW: ${raw}
           }
           process.exit(0);
         }
-        const config = getConfig(payload.cwd || void 0);
+        if (payload.hook_event_name === "UserPromptSubmit") {
+          const prompt = typeof payload.prompt === "string" ? payload.prompt : "";
+          if (process.env.NODE9_DEBUG === "1") {
+            try {
+              const logPath = import_path32.default.join(import_os27.default.homedir(), ".node9", "hook-debug.log");
+              if (!import_fs31.default.existsSync(import_path32.default.dirname(logPath)))
+                import_fs31.default.mkdirSync(import_path32.default.dirname(logPath), { recursive: true });
+              const sanitized = JSON.stringify({
+                ...payload,
+                prompt: `<redacted, ${prompt.length} bytes>`
+              });
+              import_fs31.default.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${sanitized}
+`);
+            } catch {
+            }
+          }
+          if (!prompt) process.exit(0);
+          const dlpMatch = scanArgs({ prompt });
+          if (!dlpMatch) process.exit(0);
+          const agent2 = detectAiAgent(payload);
+          const sessionId2 = typeof payload.session_id === "string" ? payload.session_id : void 0;
+          appendLocalAudit(
+            "UserPromptSubmit",
+            { prompt },
+            "deny",
+            "dlp-block",
+            { agent: agent2, sessionId: sessionId2 },
+            true
+          );
+          const reason = `\u{1F6A8} Node9 DLP: ${dlpMatch.patternName} detected in prompt (${dlpMatch.redactedSample}). Prompt was not submitted \u2014 remove the credential and try again.`;
+          try {
+            const ttyFd = import_fs31.default.openSync("/dev/tty", "w");
+            import_fs31.default.writeSync(
+              ttyFd,
+              import_chalk9.default.bgRed.white.bold(`
+ \u{1F6A8} NODE9 DLP \u2014 PROMPT BLOCKED 
+`) + import_chalk9.default.red(`   ${dlpMatch.patternName} detected in your prompt.
+`) + import_chalk9.default.gray(`   Match: ${dlpMatch.redactedSample}
+`) + import_chalk9.default.cyan(`   Edit the prompt to remove the credential and resubmit.
+
+`)
+            );
+            import_fs31.default.closeSync(ttyFd);
+          } catch {
+          }
+          const isCodex = agent2 === "Codex";
+          process.stdout.write(
+            JSON.stringify({
+              decision: "block",
+              reason,
+              systemMessage: reason,
+              hookSpecificOutput: isCodex ? { hookEventName: "UserPromptSubmit" } : {
+                hookEventName: "UserPromptSubmit",
+                permissionDecision: "deny",
+                permissionDecisionReason: reason
+              }
+            }) + "\n"
+          );
+          process.exit(2);
+        }
+        const safeCwdForConfig = typeof payload.cwd === "string" && import_path32.default.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const config = getConfig(safeCwdForConfig);
         if (config.settings.autoStartDaemon && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON) {
           try {
             const scriptPath = process.argv[1];
@@ -16088,7 +16285,7 @@ function registerLogCommand(program2) {
         const payload = JSON.parse(raw);
         const tool = sanitize3(payload.tool_name ?? payload.name ?? "unknown");
         const rawInput = payload.tool_input ?? payload.args ?? {};
-        const agent = payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
+        const agent = payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
         const entry = {
           ts: (/* @__PURE__ */ new Date()).toISOString(),
           tool,

package/dist/cli.mjs

@@ -6341,7 +6341,7 @@ function teardownClaude() {
   let changed = false;
   const settings = readJson(hooksPath);
   if (settings?.hooks) {
-    for (const event of ["PreToolUse", "PostToolUse"]) {
+    for (const event of ["PreToolUse", "PostToolUse", "UserPromptSubmit"]) {
       const before = settings.hooks[event]?.length ?? 0;
       settings.hooks[event] = settings.hooks[event]?.filter(
         (m) => !m.hooks.some((h) => isNode9Hook(h.command))
@@ -6522,6 +6522,33 @@ async function setupClaude() {
       }
     }
   }
+  const hasPromptHook = settings.hooks.UserPromptSubmit?.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPromptHook) {
+    if (!settings.hooks.UserPromptSubmit) settings.hooks.UserPromptSubmit = [];
+    settings.hooks.UserPromptSubmit.push({
+      matcher: ".*",
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+    });
+    console.log(chalk.green("  \u2705 UserPromptSubmit hook added \u2192 node9 check (prompt DLP)"));
+    hooksChanged = true;
+    anythingChanged = true;
+  } else if (settings.hooks.UserPromptSubmit) {
+    for (const matcher of settings.hooks.UserPromptSubmit) {
+      for (const h of matcher.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          console.log(
+            chalk.yellow("  \u{1F527} UserPromptSubmit hook repaired (stale path \u2192 current binary)")
+          );
+          hooksChanged = true;
+          anythingChanged = true;
+        }
+      }
+    }
+  }
   if (!hasNode9McpServer(servers)) {
     servers["node9"] = NODE9_MCP_SERVER_ENTRY;
     claudeConfig.mcpServers = servers;
@@ -6808,9 +6835,79 @@ function writeToml(filePath, data) {
 async function setupCodex() {
   const homeDir2 = os11.homedir();
   const configPath = path14.join(homeDir2, ".codex", "config.toml");
+  const hooksPath = path14.join(homeDir2, ".codex", "hooks.json");
   const config = readToml(configPath) ?? {};
   const servers = config.mcp_servers ?? {};
   let anythingChanged = false;
+  const hooksFile = readJson(hooksPath) ?? {};
+  if (!hooksFile.hooks) hooksFile.hooks = {};
+  let hooksChanged = false;
+  if (!hooksFile.hooks.PreToolUse) hooksFile.hooks.PreToolUse = [];
+  for (const matcher of CODEX_PRE_TOOL_MATCHERS) {
+    const existing = hooksFile.hooks.PreToolUse.find((m) => m.matcher === matcher);
+    if (!existing) {
+      hooksFile.hooks.PreToolUse.push({
+        matcher,
+        hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+      });
+      hooksChanged = true;
+    } else {
+      for (const h of existing.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (!hooksFile.hooks.UserPromptSubmit) hooksFile.hooks.UserPromptSubmit = [];
+  const hasPromptHook = hooksFile.hooks.UserPromptSubmit.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPromptHook) {
+    hooksFile.hooks.UserPromptSubmit.push({
+      hooks: [{ type: "command", command: fullPathCommand("check"), timeout: 600 }]
+    });
+    hooksChanged = true;
+  } else {
+    for (const m of hooksFile.hooks.UserPromptSubmit) {
+      for (const h of m.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("check");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (!hooksFile.hooks.PostToolUse) hooksFile.hooks.PostToolUse = [];
+  const hasPostHook = hooksFile.hooks.PostToolUse.some(
+    (m) => m.hooks.some((h) => isNode9Hook(h.command))
+  );
+  if (!hasPostHook) {
+    hooksFile.hooks.PostToolUse.push({
+      matcher: ".*",
+      hooks: [{ type: "command", command: fullPathCommand("log"), timeout: 600 }]
+    });
+    hooksChanged = true;
+  } else {
+    for (const m of hooksFile.hooks.PostToolUse) {
+      for (const h of m.hooks) {
+        const cmd = h.command ?? "";
+        if (isNode9Hook(cmd) && isStaleHookCommand(cmd)) {
+          h.command = fullPathCommand("log");
+          hooksChanged = true;
+        }
+      }
+    }
+  }
+  if (hooksChanged) {
+    writeJson(hooksPath, hooksFile);
+    console.log(chalk.green("  \u2705 Codex hooks added         \u2192 node9 check / node9 log"));
+    anythingChanged = true;
+  }
+  const hooksInstalled = (hooksFile.hooks?.PreToolUse?.length ?? 0) > 0;
   if (!hasNode9McpServer(servers)) {
     servers["node9"] = NODE9_MCP_SERVER_ENTRY;
     config.mcp_servers = servers;
@@ -6850,23 +6947,39 @@ async function setupCodex() {
     }
     console.log("");
   }
-  console.log(
-    chalk.yellow(
-      "  \u26A0\uFE0F  Note: Codex does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Codex.\n     Native bash and file operations are not monitored."
-    )
-  );
-  console.log("");
-  if (!anythingChanged && serversToWrap.length === 0) {
+  const hooksDisabled = config.features?.hooks === false || config.codex_hooks === false;
+  if (hooksDisabled) {
     console.log(
-      chalk.blue(
-        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+      chalk.yellow(
+        "  \u26A0\uFE0F  Codex hooks are disabled in ~/.codex/config.toml ([features].hooks = false).\n     Re-enable hooks to activate Node9 shield evaluation on Bash, apply_patch,\n     MCP tool calls, and prompt submissions. Until then, only MCP proxy wrapping\n     is active."
+      )
+    );
+    console.log("");
+  }
+  const printCodexTrustReminder = () => {
+    console.log(
+      chalk.yellow(
+        "    \u279C  Open Codex and run /hooks to review and trust the Node9 entries.\n       Until trusted, only MCP proxy wrapping is active."
       )
     );
+  };
+  if (!anythingChanged && serversToWrap.length === 0) {
+    if (hooksInstalled) {
+      console.log(chalk.blue("\u2139\uFE0F  Codex hooks already installed."));
+      printCodexTrustReminder();
+    } else {
+      console.log(
+        chalk.blue(
+          "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+        )
+      );
+    }
     printDaemonTip();
     return;
   }
   if (anythingChanged) {
-    console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Codex via MCP proxy!"));
+    console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 hooks installed for Codex."));
+    printCodexTrustReminder();
     console.log(chalk.gray("    Restart Codex for changes to take effect."));
     printDaemonTip();
   }
@@ -6874,6 +6987,23 @@ async function setupCodex() {
 function teardownCodex() {
   const homeDir2 = os11.homedir();
   const configPath = path14.join(homeDir2, ".codex", "config.toml");
+  const hooksPath = path14.join(homeDir2, ".codex", "hooks.json");
+  const hooksFile = readJson(hooksPath);
+  if (hooksFile?.hooks) {
+    let hooksChanged = false;
+    for (const event of ["PreToolUse", "PostToolUse", "UserPromptSubmit"]) {
+      const before = hooksFile.hooks[event]?.length ?? 0;
+      hooksFile.hooks[event] = hooksFile.hooks[event]?.filter(
+        (m) => !m.hooks.some((h) => isNode9Hook(h.command))
+      );
+      if ((hooksFile.hooks[event]?.length ?? 0) < before) hooksChanged = true;
+      if (hooksFile.hooks[event]?.length === 0) delete hooksFile.hooks[event];
+    }
+    if (hooksChanged) {
+      writeJson(hooksPath, hooksFile);
+      console.log(chalk.green("  \u2705 Removed Node9 hooks from ~/.codex/hooks.json"));
+    }
+  }
   const config = readToml(configPath);
   if (!config?.mcp_servers) {
     console.log(chalk.blue("  \u2139\uFE0F  ~/.codex/config.toml not found \u2014 nothing to remove"));
@@ -7332,11 +7462,12 @@ function getAgentsStatus(homeDir2 = os11.homedir()) {
     }
   ];
 }
-var NODE9_MCP_SERVER_ENTRY;
+var NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS;
 var init_setup = __esm({
   "src/setup.ts"() {
     "use strict";
     NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
+    CODEX_PRE_TOOL_MATCHERS = ["^Bash$", "^apply_patch$", "^mcp__.*"];
   }
 });
 
@@ -15628,10 +15759,15 @@ function resolveUserSkillRoot(entry, cwd) {
 }
 
 // src/cli/commands/check.ts
+init_dlp();
+init_audit();
 function sanitize2(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
 function detectAiAgent(payload) {
+  if (payload.turn_id !== void 0) {
+    return "Codex";
+  }
   if (payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0) {
     return "Claude Code";
   }
@@ -15677,7 +15813,68 @@ RAW: ${raw}
           }
           process.exit(0);
         }
-        const config = getConfig(payload.cwd || void 0);
+        if (payload.hook_event_name === "UserPromptSubmit") {
+          const prompt = typeof payload.prompt === "string" ? payload.prompt : "";
+          if (process.env.NODE9_DEBUG === "1") {
+            try {
+              const logPath = path32.join(os27.homedir(), ".node9", "hook-debug.log");
+              if (!fs31.existsSync(path32.dirname(logPath)))
+                fs31.mkdirSync(path32.dirname(logPath), { recursive: true });
+              const sanitized = JSON.stringify({
+                ...payload,
+                prompt: `<redacted, ${prompt.length} bytes>`
+              });
+              fs31.appendFileSync(logPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] STDIN: ${sanitized}
+`);
+            } catch {
+            }
+          }
+          if (!prompt) process.exit(0);
+          const dlpMatch = scanArgs({ prompt });
+          if (!dlpMatch) process.exit(0);
+          const agent2 = detectAiAgent(payload);
+          const sessionId2 = typeof payload.session_id === "string" ? payload.session_id : void 0;
+          appendLocalAudit(
+            "UserPromptSubmit",
+            { prompt },
+            "deny",
+            "dlp-block",
+            { agent: agent2, sessionId: sessionId2 },
+            true
+          );
+          const reason = `\u{1F6A8} Node9 DLP: ${dlpMatch.patternName} detected in prompt (${dlpMatch.redactedSample}). Prompt was not submitted \u2014 remove the credential and try again.`;
+          try {
+            const ttyFd = fs31.openSync("/dev/tty", "w");
+            fs31.writeSync(
+              ttyFd,
+              chalk9.bgRed.white.bold(`
+ \u{1F6A8} NODE9 DLP \u2014 PROMPT BLOCKED 
+`) + chalk9.red(`   ${dlpMatch.patternName} detected in your prompt.
+`) + chalk9.gray(`   Match: ${dlpMatch.redactedSample}
+`) + chalk9.cyan(`   Edit the prompt to remove the credential and resubmit.
+
+`)
+            );
+            fs31.closeSync(ttyFd);
+          } catch {
+          }
+          const isCodex = agent2 === "Codex";
+          process.stdout.write(
+            JSON.stringify({
+              decision: "block",
+              reason,
+              systemMessage: reason,
+              hookSpecificOutput: isCodex ? { hookEventName: "UserPromptSubmit" } : {
+                hookEventName: "UserPromptSubmit",
+                permissionDecision: "deny",
+                permissionDecisionReason: reason
+              }
+            }) + "\n"
+          );
+          process.exit(2);
+        }
+        const safeCwdForConfig = typeof payload.cwd === "string" && path32.isAbsolute(payload.cwd) ? payload.cwd : void 0;
+        const config = getConfig(safeCwdForConfig);
         if (config.settings.autoStartDaemon && !isDaemonRunning() && !process.env.NODE9_NO_AUTO_DAEMON) {
           try {
             const scriptPath = process.argv[1];
@@ -16061,7 +16258,7 @@ function registerLogCommand(program2) {
         const payload = JSON.parse(raw);
         const tool = sanitize3(payload.tool_name ?? payload.name ?? "unknown");
         const rawInput = payload.tool_input ?? payload.args ?? {};
-        const agent = payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
+        const agent = payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
         const entry = {
           ts: (/* @__PURE__ */ new Date()).toISOString(),
           tool,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.21.4",
+  "version": "1.22.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",