npm - @node9/proxy - Versions diffs - 1.30.0 → 1.31.0 - Mend

@node9/proxy 1.30.0 → 1.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/dashboard.mjs CHANGED Viewed

@@ -2241,7 +2241,15 @@ var init_config_schema = __esm({
         }).optional(),
         dlp: z.object({
           enabled: z.boolean().optional(),
-          scanIgnoredTools: z.boolean().optional()
+          scanIgnoredTools: z.boolean().optional(),
+          pii: z.enum(["off", "block"]).optional()
+        }).optional(),
+        egress: z.object({
+          enabled: z.boolean().optional(),
+          mode: z.enum(["off", "review", "block"]).optional(),
+          allow: z.array(z.string()).optional(),
+          deny: z.array(z.string()).optional(),
+          allowPrivate: z.boolean().optional()
         }).optional(),
         loopDetection: z.object({
           enabled: z.boolean().optional(),
@@ -2546,7 +2554,8 @@ var init_config = __esm({
             description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
           }
         ],
-        dlp: { enabled: true, scanIgnoredTools: true },
+        dlp: { enabled: true, scanIgnoredTools: true, pii: "off" },
+        egress: { enabled: false, mode: "review", allow: [], deny: [], allowPrivate: true },
         loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
         skillPinning: { enabled: false, mode: "warn", roots: [] }
       },
@@ -2642,6 +2651,14 @@ var init_litellm = __esm({
   }
 });
+// src/cost-codex.ts
+var init_cost_codex = __esm({
+  "src/cost-codex.ts"() {
+    "use strict";
+    init_litellm();
+  }
+});
 // src/costSync.ts
 function decodeProjectDirName(dirName) {
   return dirName.replace(/-/g, "/");
@@ -2653,6 +2670,7 @@ var init_costSync = __esm({
     init_config();
     init_audit();
     init_litellm();
+    init_cost_codex();
     SYNC_INTERVAL_MS = 10 * 60 * 1e3;
   }
 });

package/dist/index.js CHANGED Viewed

@@ -293,7 +293,15 @@ var ConfigFileSchema = import_zod.z.object({
     }).optional(),
     dlp: import_zod.z.object({
       enabled: import_zod.z.boolean().optional(),
-      scanIgnoredTools: import_zod.z.boolean().optional()
+      scanIgnoredTools: import_zod.z.boolean().optional(),
+      pii: import_zod.z.enum(["off", "block"]).optional()
+    }).optional(),
+    egress: import_zod.z.object({
+      enabled: import_zod.z.boolean().optional(),
+      mode: import_zod.z.enum(["off", "review", "block"]).optional(),
+      allow: import_zod.z.array(import_zod.z.string()).optional(),
+      deny: import_zod.z.array(import_zod.z.string()).optional(),
+      allowPrivate: import_zod.z.boolean().optional()
     }).optional(),
     loopDetection: import_zod.z.object({
       enabled: import_zod.z.boolean().optional(),
@@ -1275,6 +1283,201 @@ function extractLiteralArgs(callExpr) {
   }
   return { name, flags, paths };
 }
+var NET_BINARIES = /* @__PURE__ */ new Set(["curl", "wget", "scp", "ssh", "nc", "ncat", "netcat"]);
+var VALUE_FLAGS = {
+  curl: /* @__PURE__ */ new Set([
+    "-d",
+    "--data",
+    "--data-ascii",
+    "--data-binary",
+    "--data-raw",
+    "--data-urlencode",
+    "-F",
+    "--form",
+    "-H",
+    "--header",
+    "-X",
+    "--request",
+    "-o",
+    "--output",
+    "-T",
+    "--upload-file",
+    "-u",
+    "--user",
+    "-e",
+    "--referer",
+    "-A",
+    "--user-agent",
+    "-b",
+    "--cookie",
+    "-c",
+    "--cookie-jar",
+    "--connect-to",
+    "--resolve",
+    "--cacert",
+    "--cert",
+    "--key",
+    "-x",
+    "--proxy",
+    "-m",
+    "--max-time",
+    "--retry"
+  ]),
+  wget: /* @__PURE__ */ new Set([
+    "-O",
+    "--output-document",
+    "--post-data",
+    "--post-file",
+    "--header",
+    "-U",
+    "--user-agent",
+    "--user",
+    "--password",
+    "-o",
+    "--output-file",
+    "-P",
+    "--directory-prefix",
+    "-t",
+    "--tries",
+    "-T",
+    "--timeout"
+  ]),
+  scp: /* @__PURE__ */ new Set(["-i", "-F", "-l", "-o", "-c", "-S", "-P", "-J", "-D", "-W"]),
+  ssh: /* @__PURE__ */ new Set([
+    "-i",
+    "-p",
+    "-o",
+    "-l",
+    "-F",
+    "-c",
+    "-L",
+    "-R",
+    "-D",
+    "-W",
+    "-b",
+    "-e",
+    "-m",
+    "-O",
+    "-Q",
+    "-S",
+    "-J",
+    "-w",
+    "-B",
+    "-I",
+    "-E"
+  ]),
+  nc: /* @__PURE__ */ new Set(["-p", "-s", "-w", "-X", "-x", "-e", "-g", "-G", "-i", "-O", "-T", "-q", "-m"])
+};
+function resolveWordLiteral(w) {
+  const parts = w?.Parts || [];
+  let s = "";
+  for (const p of parts) {
+    const t = syntax.NodeType(p);
+    if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+    else if (t === "SglQuoted") s += p.Value ?? "";
+    else if (t === "DblQuoted") {
+      const inner = p.Parts || [];
+      if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+      s += inner.map((ip) => ip.Value ?? "").join("");
+    } else {
+      return null;
+    }
+  }
+  return s;
+}
+function parseDestHost(token) {
+  if (!token) return null;
+  let t = token.trim();
+  if (!t || t.startsWith("-")) return null;
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t)) {
+    try {
+      const h = new URL(t).hostname.toLowerCase();
+      return h || null;
+    } catch {
+      return null;
+    }
+  }
+  const at = t.lastIndexOf("@");
+  if (at >= 0) t = t.slice(at + 1);
+  t = t.split("/")[0];
+  t = t.replace(/:\d+$/, "");
+  t = t.split(":")[0];
+  t = t.toLowerCase();
+  if (t.length > 253) return null;
+  if (t === "localhost") return t;
+  if (/^[a-z0-9.-]+\.[a-z0-9.-]+$/.test(t)) return t;
+  return null;
+}
+function destTokensForBinary(binary, args) {
+  const valueFlags = VALUE_FLAGS[binary] ?? /* @__PURE__ */ new Set();
+  const positionals = [];
+  const urlFlagValues = [];
+  for (let i = 0; i < args.length; i++) {
+    const tok = args[i];
+    if (tok === null) continue;
+    if (tok.startsWith("-")) {
+      if (tok.startsWith("--url=")) {
+        urlFlagValues.push(tok.slice("--url=".length));
+        continue;
+      }
+      if (tok === "--url") {
+        const next = args[i + 1];
+        if (typeof next === "string") urlFlagValues.push(next);
+        i++;
+        continue;
+      }
+      if (tok.includes("=")) continue;
+      if (valueFlags.has(tok)) i++;
+      continue;
+    }
+    positionals.push(tok);
+  }
+  switch (binary) {
+    case "curl":
+    case "wget":
+      return [...urlFlagValues, ...positionals];
+    case "ssh":
+      return positionals.slice(0, 1);
+    case "scp":
+      return positionals.filter((p) => p.includes(":") || p.includes("@"));
+    case "nc":
+    case "ncat":
+    case "netcat":
+      return positionals.slice(0, 1);
+    default:
+      return [];
+  }
+}
+function extractShellDestinations(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return [];
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const callArgs = n.Args || [];
+      if (callArgs.length === 0) return true;
+      const name = (resolveWordLiteral(callArgs[0]) || "").toLowerCase();
+      if (!NET_BINARIES.has(name)) return true;
+      const rest = callArgs.slice(1).map((a) => resolveWordLiteral(a));
+      for (const raw of destTokensForBinary(name, rest)) {
+        const host = parseDestHost(raw);
+        if (!host) continue;
+        const key = `${name}:${host}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        out.push({ host, binary: name, raw });
+      }
+      return true;
+    });
+  } catch {
+    return out;
+  }
+  return out;
+}
 var FS_OP_CACHE_MAX = 5e3;
 var fsOpCache = /* @__PURE__ */ new Map();
 function analyzeFsOperation(command) {
@@ -1404,6 +1607,83 @@ function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
+var DEFAULT_EGRESS_ALLOWLIST = [
+  "*.github.com",
+  "*.githubusercontent.com",
+  "*.npmjs.org",
+  "pypi.org",
+  "*.pythonhosted.org",
+  "crates.io",
+  "*.crates.io",
+  "rubygems.org",
+  "proxy.golang.org",
+  "sum.golang.org",
+  "*.anthropic.com",
+  "*.openai.com",
+  "*.googleapis.com",
+  "*.docker.io",
+  "*.docker.com",
+  "deb.debian.org",
+  "*.ubuntu.com"
+];
+function hostMatches(host, pattern) {
+  const h = host.toLowerCase();
+  const p = pattern.toLowerCase().trim();
+  if (!p) return false;
+  if (p === "*") return true;
+  if (p.startsWith("*.")) {
+    const suffix = p.slice(2);
+    return h === suffix || h.endsWith("." + suffix);
+  }
+  return h === p;
+}
+function matchesAny(host, patterns) {
+  for (const p of patterns) if (hostMatches(host, p)) return true;
+  return false;
+}
+function isPrivateHost(host) {
+  const h = host.toLowerCase();
+  if (h === "localhost" || h === "0.0.0.0") return true;
+  if (h.endsWith(".local") || h.endsWith(".internal") || h.endsWith(".localhost")) return true;
+  if (/^127\./.test(h)) return true;
+  if (/^10\./.test(h)) return true;
+  if (/^192\.168\./.test(h)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(h)) return true;
+  return false;
+}
+function evaluateEgress(dests, policy) {
+  if (!policy.enabled) return null;
+  let review = null;
+  for (const d of dests) {
+    if (matchesAny(d.host, policy.deny)) {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to ${d.host} is on the deny list.`
+      };
+    }
+    if (policy.allowPrivate && isPrivateHost(d.host)) continue;
+    if (matchesAny(d.host, policy.allow) || matchesAny(d.host, DEFAULT_EGRESS_ALLOWLIST)) continue;
+    if (policy.mode === "block") {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to unknown host ${d.host} is blocked (egress policy: block).`
+      };
+    }
+    if (policy.mode === "review" && !review) {
+      review = {
+        verdict: "review",
+        host: d.host,
+        binary: d.binary,
+        reason: `${d.binary} is sending data to an unrecognized host (${d.host}). Approve this destination?`
+      };
+    }
+  }
+  return review;
+}
 var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
   "cat",
   "head",
@@ -1969,6 +2249,22 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
     const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
     if (ptVerdict) return ptVerdict;
+    if (config.policy.egress?.enabled) {
+      const dests = extractShellDestinations(shellCommand);
+      if (dests.length > 0) {
+        const eg = evaluateEgress(dests, config.policy.egress);
+        if (eg) {
+          return {
+            decision: eg.verdict,
+            blockedByLabel: eg.verdict === "block" ? "\u{1F310} Node9 Egress (Blocked)" : "\u{1F310} Node9 Egress (Review)",
+            reason: eg.reason,
+            ruleName: `egress:${eg.binary}:${eg.host}`,
+            ruleDescription: eg.reason,
+            tier: eg.verdict === "block" ? 3 : 4
+          };
+        }
+      }
+    }
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2890,6 +3186,32 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
   return { nextRecords, count, looping: count >= threshold };
 }
+var PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+var PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+var PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+var PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+var REALTIME_PII_PATTERNS = ["SSN", "Credit Card"];
+var MAX_PII_SCAN_BYTES = 1e5;
+function detectArgsPii(args) {
+  if (args === null || args === void 0) return [];
+  let text;
+  try {
+    text = typeof args === "string" ? args : JSON.stringify(args);
+  } catch {
+    return [];
+  }
+  if (typeof text !== "string") return [];
+  if (text.length > MAX_PII_SCAN_BYTES) text = text.slice(0, MAX_PII_SCAN_BYTES);
+  return detectPii(text).filter((p) => REALTIME_PII_PATTERNS.includes(p));
+}
 var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
 // src/shields.ts
@@ -3177,7 +3499,8 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true },
+    dlp: { enabled: true, scanIgnoredTools: true, pii: "off" },
+    egress: { enabled: false, mode: "review", allow: [], deny: [], allowPrivate: true },
     loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
     skillPinning: { enabled: false, mode: "warn", roots: [] }
   },
@@ -3303,6 +3626,11 @@ function getConfig(cwd) {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
     dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    egress: {
+      ...DEFAULT_CONFIG.policy.egress,
+      allow: [...DEFAULT_CONFIG.policy.egress.allow],
+      deny: [...DEFAULT_CONFIG.policy.egress.deny]
+    },
     loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
     skillPinning: {
       ...DEFAULT_CONFIG.policy.skillPinning,
@@ -3353,6 +3681,15 @@ function getConfig(cwd) {
       const d = p.dlp;
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+      if (d.pii !== void 0) mergedPolicy.dlp.pii = d.pii;
+    }
+    if (p.egress) {
+      const e = p.egress;
+      if (e.enabled !== void 0) mergedPolicy.egress.enabled = e.enabled;
+      if (e.mode !== void 0) mergedPolicy.egress.mode = e.mode;
+      if (Array.isArray(e.allow)) mergedPolicy.egress.allow.push(...e.allow);
+      if (Array.isArray(e.deny)) mergedPolicy.egress.deny.push(...e.deny);
+      if (e.allowPrivate !== void 0) mergedPolicy.egress.allowPrivate = e.allowPrivate;
     }
     if (p.loopDetection) {
       const ld = p.loopDetection;
@@ -4095,6 +4432,15 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
 var isTestEnv = () => {
   return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
 };
+var MIN_INTERACTION_MS = 400;
+function resolveNativeDecision(opts) {
+  const { code, output, elapsedMs, locked } = opts;
+  if (locked) return "deny";
+  const tooFast = elapsedMs < MIN_INTERACTION_MS;
+  if (output.includes("Always Allow")) return tooFast ? "deny" : "always_allow";
+  if (code === 0) return tooFast ? "deny" : "allow";
+  return "deny";
+}
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -4238,6 +4584,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
   );
   return new Promise((resolve) => {
     let childProcess = null;
+    const startedAt = Date.now();
     const onAbort = () => {
       if (childProcess && childProcess.pid) {
         try {
@@ -4295,13 +4642,14 @@ end run`;
       }
       let output = "";
       childProcess?.stdout?.on("data", (d) => output += d.toString());
-      childProcess?.on("close", (code) => {
+      childProcess?.on("error", () => {
         if (signal) signal.removeEventListener("abort", onAbort);
-        if (locked) return resolve("deny");
-        if (output.includes("Always Allow")) return resolve("always_allow");
-        if (code === 0) return resolve("allow");
         resolve("deny");
       });
+      childProcess?.on("close", (code) => {
+        if (signal) signal.removeEventListener("abort", onAbort);
+        resolve(resolveNativeDecision({ code, output, elapsedMs: Date.now() - startedAt, locked }));
+      });
     } catch {
       resolve("deny");
     }
@@ -4603,6 +4951,37 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       if (taintResult.tainted && taintResult.record) {
         const { path: taintedPath, source: taintSource } = taintResult.record;
         taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+        if (config.policy.egress?.enabled) {
+          const a = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+          const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+          const dests = cmd ? extractShellDestinations(cmd) : [];
+          const eg = dests.length > 0 ? evaluateEgress(dests, config.policy.egress) : null;
+          if (eg) {
+            if (!isManual)
+              appendLocalAudit(
+                toolName,
+                args,
+                "deny",
+                isObserveMode ? "observe-mode-taint-egress-would-block" : "taint-egress-block",
+                { ...meta, ruleName: `taint-egress:${eg.host}` },
+                hashAuditArgs
+              );
+            if (isObserveMode) {
+              return {
+                approved: true,
+                checkedBy: "audit",
+                observeWouldBlock: true,
+                blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration)"
+              };
+            }
+            return {
+              approved: false,
+              reason: `\u{1F534} EXFILTRATION BLOCKED: the tainted file "${taintedPath}" is being sent to untrusted host "${eg.host}". A flagged file leaving to an unrecognized destination is blocked outright.`,
+              blockedBy: "local-config",
+              blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration Blocked)"
+            };
+          }
+        }
       } else if (taintResult.daemonUnavailable) {
         taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
       }
@@ -4651,6 +5030,35 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
+  if (config.policy.dlp.pii === "block" && (!isIgnoredTool2(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const piiFound = detectArgsPii(args);
+    if (piiFound.length > 0) {
+      const piiReason = `\u{1F512} PII DETECTED: ${piiFound.join(", ")} found in tool arguments. Remove or tokenize personal data before passing it to a tool.`;
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "deny",
+          isObserveMode ? "observe-mode-pii-would-block" : "pii-block",
+          { ...meta, piiPatterns: piiFound.join(",") },
+          true
+        );
+      if (isObserveMode) {
+        return {
+          approved: true,
+          checkedBy: "audit",
+          observeWouldBlock: true,
+          blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+        };
+      }
+      return {
+        approved: false,
+        reason: piiReason,
+        blockedBy: "local-config",
+        blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+      };
+    }
+  }
   if (isObserveMode) {
     if (!isIgnoredTool2(toolName)) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);