@node9/proxy 1.29.0 → 1.30.0

package/dist/index.mjs

@@ -51,11 +51,17 @@ __export(audit_exports, {
   appendHookDebug: () => appendHookDebug,
   appendLocalAudit: () => appendLocalAudit,
   appendToLog: () => appendToLog,
+  buildArgsPreview: () => buildArgsPreview,
+  generateEventId: () => generateEventId,
   redactSecrets: () => redactSecrets
 });
 import fs from "fs";
 import path from "path";
 import os from "os";
+import crypto from "crypto";
+function generateEventId() {
+  return `${Date.now().toString(36)}-${crypto.randomBytes(6).toString("hex")}`;
+}
 function isTestCall(toolName, args) {
   if (toolName !== "Bash" && toolName !== "bash") return false;
   const cmd = args?.command;
@@ -74,6 +80,17 @@ function redactSecrets(text) {
   );
   return redacted;
 }
+function buildArgsPreview(args) {
+  try {
+    const o = args && typeof args === "object" ? args : null;
+    const primary = o && (o.command ?? o.file_path ?? o.path ?? o.url ?? o.query);
+    const text = typeof primary === "string" ? primary : args ? JSON.stringify(args) : "";
+    if (!text) return void 0;
+    return redactSecrets(text).slice(0, 120);
+  } catch {
+    return void 0;
+  }
+}
 function appendToLog(logPath, entry) {
   try {
     const dir = path.dirname(logPath);
@@ -96,11 +113,18 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
   });
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
-  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const isDlpRow = checkedBy.toLowerCase().includes("dlp") || Boolean(meta?.dlpPattern);
+  const preview = auditHashArgsEnabled && !isDlpRow ? buildArgsPreview(args) : void 0;
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args), ...preview ? { argsPreview: preview } : {} } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   const testRun = isTestCall(toolName, args) || process.env.NODE9_TESTING === "1" ? { testRun: true } : {};
   const ruleNameField = meta?.ruleName ? { ruleName: meta.ruleName } : {};
   const agentToolNameField = meta?.agentToolName ? { agentToolName: meta.agentToolName } : {};
+  const dlpFields = meta?.dlpPattern ? { dlpPattern: meta.dlpPattern, dlpSample: meta.dlpSample } : {};
+  const cloudLinkField = meta?.cloudRequestId ? { cloudRequestId: meta.cloudRequestId } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
+    // eid first: the outbox shipper dedups on it, and a fixed leading field
+    // makes the JSONL easy to eyeball.
+    eid: generateEventId(),
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...agentToolNameField,
@@ -108,6 +132,8 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashAr
     decision,
     checkedBy,
     ...ruleNameField,
+    ...dlpFields,
+    ...cloudLinkField,
     ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
@@ -216,7 +242,13 @@ var ConfigFileSchema = z.object({
     allowGlobalPause: z.boolean().optional(),
     auditHashArgs: z.boolean().optional(),
     agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional(),
-    cloudSyncIntervalHours: z.number().positive().optional()
+    cloudSyncIntervalHours: z.number().positive().optional(),
+    // Outbox shipper (audit.log → SaaS batch ingest). enabled defaults
+    // to true; set false to fall back to local-only auditing.
+    shipper: z.object({
+      enabled: z.boolean().optional(),
+      intervalSeconds: z.number().min(5).optional()
+    }).optional()
   }).optional(),
   policy: z.object({
     sandboxPaths: z.array(z.string()).optional(),
@@ -284,7 +316,7 @@ import mvdanSh from "mvdan-sh";
 import pm from "picomatch";
 import safeRegex2 from "safe-regex2";
 import safeRegex3 from "safe-regex2";
-import crypto from "crypto";
+import crypto2 from "crypto";
 var ASSIGNMENT_CONTEXT_RE = /\b(?:password|passwd|secret|token|api[_-]?key|auth(?:_key|_token)?|credential|private[_-]?key|access[_-]?key|client[_-]?secret)\s*[=:]\s*/i;
 function isAssignmentContext(text) {
   return ASSIGNMENT_CONTEXT_RE.test(text);
@@ -2817,7 +2849,7 @@ assertBuiltinShieldRegexesAreSafe();
 var LOOP_MAX_RECORDS = 500;
 function computeArgsHash(args) {
   const str = JSON.stringify(args ?? "");
-  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+  return crypto2.createHash("sha256").update(str).digest("hex").slice(0, 16);
 }
 function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const hash = computeArgsHash(args);
@@ -2930,7 +2962,8 @@ var DEFAULT_CONFIG = {
     flightRecorder: true,
     auditHashArgs: true,
     approvers: { native: true, browser: false, cloud: false, terminal: true },
-    cloudSyncIntervalHours: 5
+    cloudSyncIntervalHours: 5,
+    shipper: { enabled: true, intervalSeconds: 20 }
   },
   policy: {
     sandboxPaths: ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
@@ -3225,7 +3258,8 @@ function getConfig(cwd) {
   const projectConfig = tryLoadConfig(projectPath);
   const mergedSettings = {
     ...DEFAULT_CONFIG.settings,
-    approvers: { ...DEFAULT_CONFIG.settings.approvers }
+    approvers: { ...DEFAULT_CONFIG.settings.approvers },
+    shipper: { ...DEFAULT_CONFIG.settings.shipper }
   };
   const mergedPolicy = {
     sandboxPaths: [...DEFAULT_CONFIG.policy.sandboxPaths],
@@ -3256,6 +3290,7 @@ function getConfig(cwd) {
     if (s.enableHookLogDebug !== void 0)
       mergedSettings.enableHookLogDebug = s.enableHookLogDebug;
     if (s.approvers) mergedSettings.approvers = { ...mergedSettings.approvers, ...s.approvers };
+    if (s.shipper) mergedSettings.shipper = { ...mergedSettings.shipper, ...s.shipper };
     if (s.approvalTimeoutMs !== void 0) mergedSettings.approvalTimeoutMs = s.approvalTimeoutMs;
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
@@ -4251,91 +4286,6 @@ init_audit();
 import fs9 from "fs";
 import os8 from "os";
 import path11 from "path";
-var DLP_SAMPLE_MAX_LEN = 200;
-var DLP_PATTERN_MAX_LEN = 100;
-var KNOWN_CHECKED_BY = /* @__PURE__ */ new Set([
-  "dlp-block",
-  "observe-mode-dlp-would-block",
-  "dlp-review-flagged",
-  "loop-detected",
-  "audit-mode",
-  "local-policy",
-  "smart-rule-block",
-  // Smart-rule block was downgraded to review because the daemon was
-  // running and we're not in CI. The block attempt is still recorded;
-  // the user got a popup. Distinct from 'smart-rule-block' so the
-  // dashboard can show "block rule overridden" separately from a hard
-  // block that fired with no human in the loop.
-  "smart-rule-block-override",
-  "persistent",
-  "trust",
-  "observe-mode",
-  "observe-mode-would-block"
-]);
-function validateApiUrl(raw) {
-  let u;
-  try {
-    u = new URL(raw);
-  } catch {
-    return null;
-  }
-  if (u.username || u.password) return null;
-  if (u.protocol === "https:") return u;
-  if (u.protocol === "http:") {
-    const h = u.hostname;
-    if (h === "127.0.0.1" || h === "localhost" || h === "::1" || h === "[::1]") return u;
-  }
-  return null;
-}
-function auditLocalAllow(toolName, args, checkedBy, creds, meta, dlpInfo, containsSensitiveArgs = false, riskMetadata) {
-  const validated = validateApiUrl(creds.apiUrl);
-  if (!validated) {
-    try {
-      fs9.appendFileSync(
-        HOOK_DEBUG_LOG,
-        `[audit] refused to send: invalid apiUrl scheme/host (got "${String(creds.apiUrl).slice(0, 200)}")
-`
-      );
-    } catch {
-    }
-    return Promise.resolve();
-  }
-  const safeArgs = containsSensitiveArgs ? { tool: toolName, redacted: true } : args;
-  const dlpSample = dlpInfo && typeof dlpInfo.redactedSample === "string" ? dlpInfo.redactedSample.slice(0, DLP_SAMPLE_MAX_LEN) : void 0;
-  const dlpPattern = dlpInfo && typeof dlpInfo.pattern === "string" ? dlpInfo.pattern.slice(0, DLP_PATTERN_MAX_LEN) : void 0;
-  const safeCheckedBy = KNOWN_CHECKED_BY.has(checkedBy) ? checkedBy : "unknown";
-  const cleanedRiskMetadata = riskMetadata ? Object.fromEntries(
-    Object.entries(riskMetadata).filter(([, v]) => typeof v === "string" && v.length > 0)
-  ) : void 0;
-  const hasRiskMetadata = cleanedRiskMetadata && Object.keys(cleanedRiskMetadata).length > 0;
-  return fetch(`${validated.toString().replace(/\/$/, "")}/audit`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", Authorization: `Bearer ${creds.apiKey}` },
-    body: JSON.stringify({
-      toolName,
-      args: safeArgs,
-      checkedBy: safeCheckedBy,
-      ...dlpInfo && { dlpPattern, dlpSample },
-      ...hasRiskMetadata && { riskMetadata: cleanedRiskMetadata },
-      // session_id (Claude Code + Gemini CLI) groups all audit rows from one
-      // agent run; transcript_path is the authoritative pointer to the
-      // session log (survives Gemini resume drift). Both optional —
-      // unsupported agents (MCP-mediated) leave them undefined.
-      ...meta?.sessionId && { runId: meta.sessionId },
-      ...meta?.transcriptPath && { transcriptPath: meta.transcriptPath },
-      context: {
-        agent: meta?.agent,
-        mcpServer: meta?.mcpServer,
-        hostname: os8.hostname(),
-        cwd: process.cwd(),
-        platform: os8.platform()
-      }
-    }),
-    signal: AbortSignal.timeout(5e3)
-  }).then(() => {
-  }).catch(() => {
-  });
-}
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPolicy, forceReview) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
@@ -4641,17 +4591,11 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             args,
             "deny",
             isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            meta,
-            true
-          );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
-            creds,
-            meta,
-            { pattern: dlpMatch.patternName, redactedSample: dlpMatch.redactedSample },
+            {
+              ...meta,
+              dlpPattern: dlpMatch.patternName,
+              dlpSample: dlpMatch.redactedSample
+            },
             true
           );
         if (isWriteTool(toolName) && filePath) {
@@ -4707,9 +4651,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
         appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey) {
-          await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
-        }
       }
     }
     return { approved: true, checkedBy: "audit" };
@@ -4722,8 +4663,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "loop-detected", creds, meta, void 0, true);
         return {
           approved: false,
           reason,
@@ -4742,15 +4681,15 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       };
     }
     if (policyResult.decision === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "local-policy", creds, meta, void 0, false, {
-          ruleName: policyResult.ruleName,
-          ruleDescription: policyResult.ruleDescription,
-          blockedByLabel: policyResult.blockedByLabel,
-          matchedField: policyResult.matchedField,
-          matchedWord: policyResult.matchedWord
-        });
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "allow",
+          "local-policy",
+          { ...meta, ruleName: policyResult.ruleName },
+          hashAuditArgs
+        );
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
@@ -4783,23 +4722,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(
-            toolName,
-            args,
-            "smart-rule-block-override",
-            creds,
-            meta,
-            void 0,
-            false,
-            {
-              ruleName: policyResult.ruleName,
-              ruleDescription: policyResult.ruleDescription,
-              blockedByLabel: policyResult.blockedByLabel,
-              matchedField: policyResult.matchedField,
-              matchedWord: policyResult.matchedWord
-            }
-          );
         const baseLabel = policyResult.blockedByLabel || "Smart Rule";
         const OVERRIDE_PREFIX = "\u26A0\uFE0F Override block rule: ";
         if (!baseLabel.startsWith(OVERRIDE_PREFIX)) {
@@ -4824,14 +4746,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
             { ...meta, ruleName: policyResult.ruleName },
             hashAuditArgs
           );
-        if (approvers.cloud && creds?.apiKey)
-          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta, void 0, false, {
-            ruleName: policyResult.ruleName,
-            ruleDescription: policyResult.ruleDescription,
-            blockedByLabel: policyResult.blockedByLabel,
-            matchedField: policyResult.matchedField,
-            matchedWord: policyResult.matchedWord
-          });
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -4860,8 +4774,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (policyRuleDescription) riskMetadata.ruleDescription = policyRuleDescription.slice(0, 200);
     const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
-      if (approvers.cloud && creds?.apiKey)
-        await auditLocalAllow(toolName, args, "persistent", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
@@ -4894,8 +4806,6 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
   }
   if (!taintWarning && getActiveTrustSession(toolName, args)) {
-    if (approvers.cloud && creds?.apiKey)
-      await auditLocalAllow(toolName, args, "trust", creds, meta);
     if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
     return { approved: true, checkedBy: "trust" };
   }
@@ -5140,7 +5050,12 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta,
+      // cloudRequestId links this row to the BE-origin AuditLog row the
+      // /intercept handshake created — the shipper hands it to the SaaS so
+      // the BE enriches that row instead of inserting a duplicate. Matters
+      // for EVERY racer outcome, not just cloud wins: a native-popup
+      // decision on a cloud-pending request would otherwise count twice.
+      cloudRequestId ? { ...meta, cloudRequestId } : meta,
       hashAuditArgs
     );
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.29.0",
+  "version": "1.30.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code, Codex, Gemini, Cursor, Opencode, Pi, and any MCP server.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",