@node9/proxy 1.29.0 → 1.30.0

package/dist/dashboard.mjs

@@ -2220,7 +2220,13 @@ var init_config_schema = __esm({
         allowGlobalPause: z.boolean().optional(),
         auditHashArgs: z.boolean().optional(),
         agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional(),
-        cloudSyncIntervalHours: z.number().positive().optional()
+        cloudSyncIntervalHours: z.number().positive().optional(),
+        // Outbox shipper (audit.log → SaaS batch ingest). enabled defaults
+        // to true; set false to fall back to local-only auditing.
+        shipper: z.object({
+          enabled: z.boolean().optional(),
+          intervalSeconds: z.number().min(5).optional()
+        }).optional()
       }).optional(),
       policy: z.object({
         sandboxPaths: z.array(z.string()).optional(),
@@ -2355,7 +2361,8 @@ var init_config = __esm({
         flightRecorder: true,
         auditHashArgs: true,
         approvers: { native: true, browser: false, cloud: false, terminal: true },
-        cloudSyncIntervalHours: 5
+        cloudSyncIntervalHours: 5,
+        shipper: { enabled: true, intervalSeconds: 20 }
       },
       policy: {
         sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],

package/dist/index.js

@@ -74,8 +74,13 @@ __export(audit_exports, {
   appendHookDebug: () => appendHookDebug,
   appendLocalAudit: () => appendLocalAudit,
   appendToLog: () => appendToLog,
+  buildArgsPreview: () => buildArgsPreview,
+  generateEventId: () => generateEventId,
   redactSecrets: () => redactSecrets
 });
+function generateEventId() {
+  return `${Date.now().toString(36)}-${import_crypto2.default.randomBytes(6).toString("hex")}`;
+}
 function isTestCall(toolName, args) {
   if (toolName !== "Bash" && toolName !== "bash") return false;
   const cmd = args?.command;
@@ -94,6 +99,17 @@ function redactSecrets(text) {
   );
   return redacted;
 }
+function buildArgsPreview(args) {
+  try {
+    const o = args && typeof args === "object" ? args : null;
+    const primary = o && (o.command ?? o.file_path ?? o.path ?? o.url ?? o.query);
+    const text = typeof primary === "string" ? primary : args ? JSON.stringify(args) : "";
+    if (!text) return void 0;
+    return redactSecrets(text).slice(0, 120);
+  } catch {
+    return void 0;
+  }
+}
 function appendToLog(logPath, entry) {
   try {
     const dir = import_path.default.dirname(logPath);
@@ -116,11 +132,18 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
   });
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
-  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const isDlpRow = checkedBy.toLowerCase().includes("dlp") || Boolean(meta?.dlpPattern);
+  const preview = auditHashArgsEnabled && !isDlpRow ? buildArgsPreview(args) : void 0;
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args), ...preview ? { argsPreview: preview } : {} } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
   const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   const agentToolNameField = meta?.agentToolName ? { agentToolName: meta.agentToolName } : {};
+  const dlpFields = meta?.dlpPattern ? { dlpPattern: meta.dlpPattern, dlpSample: meta.dlpSample } : {};
+  const cloudLinkField = meta?.cloudRequestId ? { cloudRequestId: meta.cloudRequestId } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
+    // eid first: the outbox shipper dedups on it, and a fixed leading field
+    // makes the JSONL easy to eyeball.
+    eid: generateEventId(),
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...agentToolNameField,
@@ -128,6 +151,8 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
     decision,
     checkedBy,
     ...ruleNameField,
+    ...dlpFields,
+    ...cloudLinkField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -142,13 +167,14 @@ function appendConfigAudit(entry) {
     hostname: import_os.default.hostname()
   });
 }
-var import_fs, import_path, import_os, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, TEST_COMMAND_RE;
+var import_fs, import_path, import_os, import_crypto2, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, TEST_COMMAND_RE;
 var init_audit = __esm({
   "src/audit/index.ts"() {
     "use strict";
     import_fs = __toESM(require("fs"));
     import_path = __toESM(require("path"));
     import_os = __toESM(require("os"));
+    import_crypto2 = __toESM(require("crypto"));
     init_hasher();
     LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
@@ -246,7 +272,13 @@ var ConfigFileSchema = import_zod.z.object({
     allowGlobalPause: import_zod.z.boolean().optional(),
     auditHashArgs: import_zod.z.boolean().optional(),
     agentPolicy: import_zod.z.enum(["require_approval", "block_on_rules"]).optional(),
-    cloudSyncIntervalHours: import_zod.z.number().positive().optional()
+    cloudSyncIntervalHours: import_zod.z.number().positive().optional(),
+    // Outbox shipper (audit.log → SaaS batch ingest). enabled defaults
+    // to true; set false to fall back to local-only auditing.
+    shipper: import_zod.z.object({
+      enabled: import_zod.z.boolean().optional(),
+      intervalSeconds: import_zod.z.number().min(5).optional()
+    }).optional()
   }).optional(),
   policy: import_zod.z.object({
     sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -314,7 +346,7 @@ var import_mvdan_sh = __toESM(require("mvdan-sh"), 1);
 var import_picomatch = __toESM(require("picomatch"), 1);
 var import_safe_regex22 = __toESM(require("safe-regex2"), 1);
 var import_safe_regex23 = __toESM(require("safe-regex2"), 1);
-var import_crypto2 = __toESM(require("crypto"), 1);
+var import_crypto3 = __toESM(require("crypto"), 1);
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -2847,7 +2879,7 @@ assertBuiltinShieldRegexesAreSafe();
 var LOOP_MAX_RECORDS = 500;
 function computeArgsHash(args) {
   const str = JSON.stringify(args ?? "");
-  return import_crypto2.default.createHash("sha256").update(str).digest("hex").slice(0, 16);
+  return import_crypto3.default.createHash("sha256").update(str).digest("hex").slice(0, 16);
 }
 function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const hash = computeArgsHash(args);
@@ -2960,7 +2992,8 @@ var DEFAULT_CONFIG = {
     flightRecorder: true,
     auditHashArgs: true,
     approvers: { native: true, browser: false, cloud: false, terminal: true },
-    cloudSyncIntervalHours: 5
+    cloudSyncIntervalHours: 5,
+    shipper: { enabled: true, intervalSeconds: 20 }
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -3255,7 +3288,8 @@ function getConfig(cwd) {
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
     ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+    approvers: { ...DEFAULT_CONFIG.settings.approvers },
+    shipper: { ...DEFAULT_CONFIG.settings.shipper }
   };
   const mergedPolicy = {
     sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
@@ -3286,6 +3320,7 @@ function getConfig(cwd) {
     if (s.enableHookLogDebug !== void 0)
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.shipper) mergedSettings.shipper = { ...mergedSettings.shipper, ...s.shipper };
     if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
@@ -3948,7 +3983,7 @@ async function resolveViaDaemon(id, decision, internalToken, source) {
 }
 
 // src/auth/orchestrator.ts
-var import_crypto3 = require("crypto");
+var import_crypto4 = require("crypto");
 
 // src/ui/native.ts
 var import_child_process = require("child_process");
@@ -4281,91 +4316,6 @@ var import_fs9 = __toESM(require("fs"));
 var import_os8 = __toESM(require("os"));
 var import_path11 = __toESM(require("path"));
 init_audit();
-var DLP_SAMPLE_MAX_LEN = 200;
-var DLP_PATTERN_MAX_LEN = 100;
-var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
-  "dlp-block",
-  "observe-mode-dlp-would-block",
-  "dlp-review-flagged",
-  "loop-detected",
-  "audit-mode",
-  "local-policy",
-  "smart-rule-block",
-  // Smart-rule block was downgraded to review because the daemon was
-  // running and we're not in CI. The block attempt is still recorded;
-  // the user got a popup. Distinct from 'smart-rule-block' so the
-  // dashboard can show "block rule overridden" separately from a hard
-  // block that fired with no human in the loop.
-  "smart-rule-block-override",
-  "persistent",
-  "trust",
-  "observe-mode",
-  "observe-mode-would-block"
-]);
-function validateApiUrl(raw) {
-  let u;
-  try {
-    u = new URL(raw);
-  } catch {
-    return null;
-  }
-  if (u.username || u.password) return null;
-  if (u.protocol === "https:") return u;
-  if (u.protocol === "http:") {
-    const h = u.hostname;
-    if (h === "127.0.0.1" || h === "localhost" || h === "::1" || h === "[::1]") return u;
-  }
-  return null;
-}
-function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false, riskMetadata) {
-  const validated = validateApiUrl(creds.apiUrl);
-  if (!validated) {
-    try {
-      import_fs9.default.appendFileSync(
-        HOOK_DEBUG_LOG,
-        `[audit] refused to send: invalid apiUrl scheme/host (got "${String(creds.apiUrl).slice(0, 200)}")
-`
-      );
-    } catch {
-    }
-    return Promise.resolve();
-  }
-  const safeArgs = containsSensitiveArgs ? { tool: toolName, redacted: true } : args;
-  const dlpSample = dlpInfo && typeof dlpInfo.redactedSample === "string" ? dlpInfo.redactedSample.slice(0, DLP_SAMPLE_MAX_LEN) : void 0;
-  const dlpPattern = dlpInfo && typeof dlpInfo.pattern === "string" ? dlpInfo.pattern.slice(0, DLP_PATTERN_MAX_LEN) : void 0;
-  const safeCheckedBy = KNOWN_CHECKED_BY.has(checkedBy) ? checkedBy : "unknown";
-  const cleanedRiskMetadata = riskMetadata ? Object.fromEntries(
-    Object.entries(riskMetadata).filter(([, v]) => typeof v === "string" && v.length > 0)
-  ) : void 0;
-  const hasRiskMetadata = cleanedRiskMetadata && Object.keys(cleanedRiskMetadata).length > 0;
-  return fetch(`${validated.toString().replace(/\/$/, "")}/audit`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-    body: JSON.stringify({
-      toolName,
-      args: safeArgs,
-      checkedBy: safeCheckedBy,
-      ...dlpInfo && { dlpPattern, dlpSample },
-      ...hasRiskMetadata && { riskMetadata: cleanedRiskMetadata },
-      // session_id (Claude Code + Gemini CLI) groups all audit rows from one
-      // agent run; transcript_path is the authoritative pointer to the
-      // session log (survives Gemini resume drift). Both optional —
-      // unsupported agents (MCP-mediated) leave them undefined.
-      ...meta?.sessionId && { runId: meta.sessionId },
-      ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
-      context: {
-        agent: meta?.agent,
-        mcpServer: meta?.mcpServer,
-        hostname: import_os8.default.hostname(),
-        cwd: process.cwd(),
-        platform: import_os8.default.platform()
-      }
-    }),
-    signal: AbortSignal.timeout(5e3)
-  }).then(() => {
-  }).catch(() => {
-  });
-}
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPolicy, forceReview) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
@@ -4576,7 +4526,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto3.randomUUID)();
+    const actId = (0, import_crypto4.randomUUID)();
     const actTs = Date.now();
     const stripAnsi = (s) => s.replace(/\x1b(?:\[[0-9;?]*[a-zA-Z]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])/g, "");
     const sanitizedAgent = meta?.agent ? stripAnsi(meta.agent).slice(0, 80) : void 0;
@@ -4671,17 +4621,11 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            meta,
-            true
-          );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            creds,
-            meta,
-            { pattern: dlpMatch.patternName, redactedSample: dlpMatch.redactedSample },
+            {
+              ...meta,
+              dlpPattern: dlpMatch.patternName,
+              dlpSample: dlpMatch.redactedSample
+            },
             true
           );
         if (isWriteTool(toolName) && filePath) {
@@ -4737,9 +4681,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey) {
-          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
-        }
       }
     }
     return { approved: true, checkedBy: "audit" };
@@ -4752,8 +4693,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "loop-detected", creds, meta, void 0, true);
         return {
           approved: false,
           reason,
@@ -4772,15 +4711,15 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       };
     }
     if (policyResult.decision === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "local-policy", creds, meta, void 0, false, {
-          ruleName: policyResult.ruleName,
-          ruleDescription: policyResult.ruleDescription,
-          blockedByLabel: policyResult.blockedByLabel,
-          matchedField: policyResult.matchedField,
-          matchedWord: policyResult.matchedWord
-        });
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "allow",
+          "local-policy",
+          { ...meta, ruleName: policyResult.ruleName },
+          hashAuditArgs
+        );
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
@@ -4813,23 +4752,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            "smart-rule-block-override",
-            creds,
-            meta,
-            void 0,
-            false,
-            {
-              ruleName: policyResult.ruleName,
-              ruleDescription: policyResult.ruleDescription,
-              blockedByLabel: policyResult.blockedByLabel,
-              matchedField: policyResult.matchedField,
-              matchedWord: policyResult.matchedWord
-            }
-          );
         const baseLabel = policyResult.blockedByLabel || "Smart Rule";
         const OVERRIDE_PREFIX = "\u26A0\uFE0F Override block rule: ";
         if (!baseLabel.startsWith(OVERRIDE_PREFIX)) {
@@ -4854,14 +4776,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
-            ruleName: policyResult.ruleName,
-            ruleDescription: policyResult.ruleDescription,
-            blockedByLabel: policyResult.blockedByLabel,
-            matchedField: policyResult.matchedField,
-            matchedWord: policyResult.matchedWord
-          });
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -4890,8 +4804,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (policyRuleDescription) riskMetadata.ruleDescription = policyRuleDescription.slice(0, 200);
     const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -4924,8 +4836,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
   }
   if (!taintWarning && getActiveTrustSession(toolName, args)) {
-    if (approvers.cloud && creds?.apiKey)
-      await auditLocalAllow(toolName, args, "trust", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
     return { approved: true, checkedBy: "trust" };
   }
@@ -5170,7 +5080,12 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta,
+      // cloudRequestId links this row to the BE-origin AuditLog row the
+      // /intercept handshake created — the shipper hands it to the SaaS so
+      // the BE enriches that row instead of inserting a duplicate. Matters
+      // for EVERY racer outcome, not just cloud wins: a native-popup
+      // decision on a cloud-pending request would otherwise count twice.
+      cloudRequestId ? { ...meta, cloudRequestId } : meta,
       hashAuditArgs
     );
   }