@node9/proxy 1.30.0 → 1.31.0

package/dist/index.mjs

@@ -263,7 +263,15 @@ var ConfigFileSchema = z.object({
     }).optional(),
     dlp: z.object({
       enabled: z.boolean().optional(),
-      scanIgnoredTools: z.boolean().optional()
+      scanIgnoredTools: z.boolean().optional(),
+      pii: z.enum(["off", "block"]).optional()
+    }).optional(),
+    egress: z.object({
+      enabled: z.boolean().optional(),
+      mode: z.enum(["off", "review", "block"]).optional(),
+      allow: z.array(z.string()).optional(),
+      deny: z.array(z.string()).optional(),
+      allowPrivate: z.boolean().optional()
     }).optional(),
     loopDetection: z.object({
       enabled: z.boolean().optional(),
@@ -1245,6 +1253,201 @@ function extractLiteralArgs(callExpr) {
   }
   return { name, flags, paths };
 }
+var NET_BINARIES = /* @__PURE__ */ new Set(["curl", "wget", "scp", "ssh", "nc", "ncat", "netcat"]);
+var VALUE_FLAGS = {
+  curl: /* @__PURE__ */ new Set([
+    "-d",
+    "--data",
+    "--data-ascii",
+    "--data-binary",
+    "--data-raw",
+    "--data-urlencode",
+    "-F",
+    "--form",
+    "-H",
+    "--header",
+    "-X",
+    "--request",
+    "-o",
+    "--output",
+    "-T",
+    "--upload-file",
+    "-u",
+    "--user",
+    "-e",
+    "--referer",
+    "-A",
+    "--user-agent",
+    "-b",
+    "--cookie",
+    "-c",
+    "--cookie-jar",
+    "--connect-to",
+    "--resolve",
+    "--cacert",
+    "--cert",
+    "--key",
+    "-x",
+    "--proxy",
+    "-m",
+    "--max-time",
+    "--retry"
+  ]),
+  wget: /* @__PURE__ */ new Set([
+    "-O",
+    "--output-document",
+    "--post-data",
+    "--post-file",
+    "--header",
+    "-U",
+    "--user-agent",
+    "--user",
+    "--password",
+    "-o",
+    "--output-file",
+    "-P",
+    "--directory-prefix",
+    "-t",
+    "--tries",
+    "-T",
+    "--timeout"
+  ]),
+  scp: /* @__PURE__ */ new Set(["-i", "-F", "-l", "-o", "-c", "-S", "-P", "-J", "-D", "-W"]),
+  ssh: /* @__PURE__ */ new Set([
+    "-i",
+    "-p",
+    "-o",
+    "-l",
+    "-F",
+    "-c",
+    "-L",
+    "-R",
+    "-D",
+    "-W",
+    "-b",
+    "-e",
+    "-m",
+    "-O",
+    "-Q",
+    "-S",
+    "-J",
+    "-w",
+    "-B",
+    "-I",
+    "-E"
+  ]),
+  nc: /* @__PURE__ */ new Set(["-p", "-s", "-w", "-X", "-x", "-e", "-g", "-G", "-i", "-O", "-T", "-q", "-m"])
+};
+function resolveWordLiteral(w) {
+  const parts = w?.Parts || [];
+  let s = "";
+  for (const p of parts) {
+    const t = syntax.NodeType(p);
+    if (t === "Lit") s += (p.Value ?? "").replace(/\\(.)/g, "$1");
+    else if (t === "SglQuoted") s += p.Value ?? "";
+    else if (t === "DblQuoted") {
+      const inner = p.Parts || [];
+      if (!inner.every((ip) => syntax.NodeType(ip) === "Lit")) return null;
+      s += inner.map((ip) => ip.Value ?? "").join("");
+    } else {
+      return null;
+    }
+  }
+  return s;
+}
+function parseDestHost(token) {
+  if (!token) return null;
+  let t = token.trim();
+  if (!t || t.startsWith("-")) return null;
+  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(t)) {
+    try {
+      const h = new URL(t).hostname.toLowerCase();
+      return h || null;
+    } catch {
+      return null;
+    }
+  }
+  const at = t.lastIndexOf("@");
+  if (at >= 0) t = t.slice(at + 1);
+  t = t.split("/")[0];
+  t = t.replace(/:\d+$/, "");
+  t = t.split(":")[0];
+  t = t.toLowerCase();
+  if (t.length > 253) return null;
+  if (t === "localhost") return t;
+  if (/^[a-z0-9.-]+\.[a-z0-9.-]+$/.test(t)) return t;
+  return null;
+}
+function destTokensForBinary(binary, args) {
+  const valueFlags = VALUE_FLAGS[binary] ?? /* @__PURE__ */ new Set();
+  const positionals = [];
+  const urlFlagValues = [];
+  for (let i = 0; i < args.length; i++) {
+    const tok = args[i];
+    if (tok === null) continue;
+    if (tok.startsWith("-")) {
+      if (tok.startsWith("--url=")) {
+        urlFlagValues.push(tok.slice("--url=".length));
+        continue;
+      }
+      if (tok === "--url") {
+        const next = args[i + 1];
+        if (typeof next === "string") urlFlagValues.push(next);
+        i++;
+        continue;
+      }
+      if (tok.includes("=")) continue;
+      if (valueFlags.has(tok)) i++;
+      continue;
+    }
+    positionals.push(tok);
+  }
+  switch (binary) {
+    case "curl":
+    case "wget":
+      return [...urlFlagValues, ...positionals];
+    case "ssh":
+      return positionals.slice(0, 1);
+    case "scp":
+      return positionals.filter((p) => p.includes(":") || p.includes("@"));
+    case "nc":
+    case "ncat":
+    case "netcat":
+      return positionals.slice(0, 1);
+    default:
+      return [];
+  }
+}
+function extractShellDestinations(command) {
+  const f = parseShared(command);
+  if (f === PARSE_FAIL) return [];
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  try {
+    syntax.Walk(f, (node) => {
+      if (!node) return false;
+      const n = node;
+      if (syntax.NodeType(n) !== "CallExpr") return true;
+      const callArgs = n.Args || [];
+      if (callArgs.length === 0) return true;
+      const name = (resolveWordLiteral(callArgs[0]) || "").toLowerCase();
+      if (!NET_BINARIES.has(name)) return true;
+      const rest = callArgs.slice(1).map((a) => resolveWordLiteral(a));
+      for (const raw of destTokensForBinary(name, rest)) {
+        const host = parseDestHost(raw);
+        if (!host) continue;
+        const key = `${name}:${host}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        out.push({ host, binary: name, raw });
+      }
+      return true;
+    });
+  } catch {
+    return out;
+  }
+  return out;
+}
 var FS_OP_CACHE_MAX = 5e3;
 var fsOpCache = /* @__PURE__ */ new Map();
 function analyzeFsOperation(command) {
@@ -1374,6 +1577,83 @@ function analyzeShellCommand(command) {
   }
   return { actions, paths, allTokens };
 }
+var DEFAULT_EGRESS_ALLOWLIST = [
+  "*.github.com",
+  "*.githubusercontent.com",
+  "*.npmjs.org",
+  "pypi.org",
+  "*.pythonhosted.org",
+  "crates.io",
+  "*.crates.io",
+  "rubygems.org",
+  "proxy.golang.org",
+  "sum.golang.org",
+  "*.anthropic.com",
+  "*.openai.com",
+  "*.googleapis.com",
+  "*.docker.io",
+  "*.docker.com",
+  "deb.debian.org",
+  "*.ubuntu.com"
+];
+function hostMatches(host, pattern) {
+  const h = host.toLowerCase();
+  const p = pattern.toLowerCase().trim();
+  if (!p) return false;
+  if (p === "*") return true;
+  if (p.startsWith("*.")) {
+    const suffix = p.slice(2);
+    return h === suffix || h.endsWith("." + suffix);
+  }
+  return h === p;
+}
+function matchesAny(host, patterns) {
+  for (const p of patterns) if (hostMatches(host, p)) return true;
+  return false;
+}
+function isPrivateHost(host) {
+  const h = host.toLowerCase();
+  if (h === "localhost" || h === "0.0.0.0") return true;
+  if (h.endsWith(".local") || h.endsWith(".internal") || h.endsWith(".localhost")) return true;
+  if (/^127\./.test(h)) return true;
+  if (/^10\./.test(h)) return true;
+  if (/^192\.168\./.test(h)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(h)) return true;
+  return false;
+}
+function evaluateEgress(dests, policy) {
+  if (!policy.enabled) return null;
+  let review = null;
+  for (const d of dests) {
+    if (matchesAny(d.host, policy.deny)) {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to ${d.host} is on the deny list.`
+      };
+    }
+    if (policy.allowPrivate && isPrivateHost(d.host)) continue;
+    if (matchesAny(d.host, policy.allow) || matchesAny(d.host, DEFAULT_EGRESS_ALLOWLIST)) continue;
+    if (policy.mode === "block") {
+      return {
+        verdict: "block",
+        host: d.host,
+        binary: d.binary,
+        reason: `Egress to unknown host ${d.host} is blocked (egress policy: block).`
+      };
+    }
+    if (policy.mode === "review" && !review) {
+      review = {
+        verdict: "review",
+        host: d.host,
+        binary: d.binary,
+        reason: `${d.binary} is sending data to an unrecognized host (${d.host}). Approve this destination?`
+      };
+    }
+  }
+  return review;
+}
 var SOURCE_COMMANDS = /* @__PURE__ */ new Set([
   "cat",
   "head",
@@ -1939,6 +2219,22 @@ async function evaluatePolicy(config, toolName, args, context = {}, hooks = {})
     }
     const ptVerdict = pipeChainVerdict(shellCommand, isTrustedHost2);
     if (ptVerdict) return ptVerdict;
+    if (config.policy.egress?.enabled) {
+      const dests = extractShellDestinations(shellCommand);
+      if (dests.length > 0) {
+        const eg = evaluateEgress(dests, config.policy.egress);
+        if (eg) {
+          return {
+            decision: eg.verdict,
+            blockedByLabel: eg.verdict === "block" ? "\u{1F310} Node9 Egress (Blocked)" : "\u{1F310} Node9 Egress (Review)",
+            reason: eg.reason,
+            ruleName: `egress:${eg.binary}:${eg.host}`,
+            ruleDescription: eg.reason,
+            tier: eg.verdict === "block" ? 3 : 4
+          };
+        }
+      }
+    }
     const firstToken = analyzed.actions[0] ?? "";
     if (["ssh", "scp", "rsync"].includes(firstToken)) {
       const rawTokens = shellCommand.trim().split(/\s+/);
@@ -2860,6 +3156,32 @@ function evaluateLoopWindow(records, tool, args, threshold, windowMs, now) {
   const nextRecords = fresh.slice(-LOOP_MAX_RECORDS);
   return { nextRecords, count, looping: count >= threshold };
 }
+var PII_EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
+var PII_SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
+var PII_PHONE_RE = /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/;
+var PII_CC_RE = /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6\d{3})[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/;
+function detectPii(text) {
+  const found = /* @__PURE__ */ new Set();
+  if (/@/.test(text) && PII_EMAIL_RE.test(text)) found.add("Email");
+  if (/-/.test(text) && PII_SSN_RE.test(text)) found.add("SSN");
+  if (PII_PHONE_RE.test(text)) found.add("Phone");
+  if (PII_CC_RE.test(text)) found.add("Credit Card");
+  return [...found];
+}
+var REALTIME_PII_PATTERNS = ["SSN", "Credit Card"];
+var MAX_PII_SCAN_BYTES = 1e5;
+function detectArgsPii(args) {
+  if (args === null || args === void 0) return [];
+  let text;
+  try {
+    text = typeof args === "string" ? args : JSON.stringify(args);
+  } catch {
+    return [];
+  }
+  if (typeof text !== "string") return [];
+  if (text.length > MAX_PII_SCAN_BYTES) text = text.slice(0, MAX_PII_SCAN_BYTES);
+  return detectPii(text).filter((p) => REALTIME_PII_PATTERNS.includes(p));
+}
 var LONG_OUTPUT_THRESHOLD_BYTES = 100 * 1024;
 
 // src/shields.ts
@@ -3147,7 +3469,8 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true },
+    dlp: { enabled: true, scanIgnoredTools: true, pii: "off" },
+    egress: { enabled: false, mode: "review", allow: [], deny: [], allowPrivate: true },
     loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 },
     skillPinning: { enabled: false, mode: "warn", roots: [] }
   },
@@ -3273,6 +3596,11 @@ function getConfig(cwd) {
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
     dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    egress: {
+      ...DEFAULT_CONFIG.policy.egress,
+      allow: [...DEFAULT_CONFIG.policy.egress.allow],
+      deny: [...DEFAULT_CONFIG.policy.egress.deny]
+    },
     loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection },
     skillPinning: {
       ...DEFAULT_CONFIG.policy.skillPinning,
@@ -3323,6 +3651,15 @@ function getConfig(cwd) {
       const d = p.dlp;
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
+      if (d.pii !== void 0) mergedPolicy.dlp.pii = d.pii;
+    }
+    if (p.egress) {
+      const e = p.egress;
+      if (e.enabled !== void 0) mergedPolicy.egress.enabled = e.enabled;
+      if (e.mode !== void 0) mergedPolicy.egress.mode = e.mode;
+      if (Array.isArray(e.allow)) mergedPolicy.egress.allow.push(...e.allow);
+      if (Array.isArray(e.deny)) mergedPolicy.egress.deny.push(...e.deny);
+      if (e.allowPrivate !== void 0) mergedPolicy.egress.allowPrivate = e.allowPrivate;
     }
     if (p.loopDetection) {
       const ld = p.loopDetection;
@@ -4065,6 +4402,15 @@ function computeRiskMetadata(args, tier, blockedByLabel, matchedField, matchedWo
 var isTestEnv = () => {
   return process.env.NODE_ENV === "test" || process.env.VITEST === "true" || !!process.env.VITEST || process.env.CI === "true" || !!process.env.CI || process.env.NODE9_TESTING === "1";
 };
+var MIN_INTERACTION_MS = 400;
+function resolveNativeDecision(opts) {
+  const { code, output, elapsedMs, locked } = opts;
+  if (locked) return "deny";
+  const tooFast = elapsedMs < MIN_INTERACTION_MS;
+  if (output.includes("Always Allow")) return tooFast ? "deny" : "always_allow";
+  if (code === 0) return tooFast ? "deny" : "allow";
+  return "deny";
+}
 function formatArgs(args, matchedField, matchedWord) {
   if (args === null || args === void 0) return { message: "(none)", intent: "EXEC" };
   let parsed = args;
@@ -4208,6 +4554,7 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
   );
   return new Promise((resolve) => {
     let childProcess = null;
+    const startedAt = Date.now();
     const onAbort = () => {
       if (childProcess && childProcess.pid) {
         try {
@@ -4265,13 +4612,14 @@ end run`;
       }
       let output = "";
       childProcess?.stdout?.on("data", (d) => output += d.toString());
-      childProcess?.on("close", (code) => {
+      childProcess?.on("error", () => {
         if (signal) signal.removeEventListener("abort", onAbort);
-        if (locked) return resolve("deny");
-        if (output.includes("Always Allow")) return resolve("always_allow");
-        if (code === 0) return resolve("allow");
         resolve("deny");
       });
+      childProcess?.on("close", (code) => {
+        if (signal) signal.removeEventListener("abort", onAbort);
+        resolve(resolveNativeDecision({ code, output, elapsedMs: Date.now() - startedAt, locked }));
+      });
     } catch {
       resolve("deny");
     }
@@ -4573,6 +4921,37 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       if (taintResult.tainted && taintResult.record) {
         const { path: taintedPath, source: taintSource } = taintResult.record;
         taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+        if (config.policy.egress?.enabled) {
+          const a = args && typeof args === "object" && !Array.isArray(args) ? args : {};
+          const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+          const dests = cmd ? extractShellDestinations(cmd) : [];
+          const eg = dests.length > 0 ? evaluateEgress(dests, config.policy.egress) : null;
+          if (eg) {
+            if (!isManual)
+              appendLocalAudit(
+                toolName,
+                args,
+                "deny",
+                isObserveMode ? "observe-mode-taint-egress-would-block" : "taint-egress-block",
+                { ...meta, ruleName: `taint-egress:${eg.host}` },
+                hashAuditArgs
+              );
+            if (isObserveMode) {
+              return {
+                approved: true,
+                checkedBy: "audit",
+                observeWouldBlock: true,
+                blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration)"
+              };
+            }
+            return {
+              approved: false,
+              reason: `\u{1F534} EXFILTRATION BLOCKED: the tainted file "${taintedPath}" is being sent to untrusted host "${eg.host}". A flagged file leaving to an unrecognized destination is blocked outright.`,
+              blockedBy: "local-config",
+              blockedByLabel: "\u{1F534} Node9 Taint+Egress (Exfiltration Blocked)"
+            };
+          }
+        }
       } else if (taintResult.daemonUnavailable) {
         taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
       }
@@ -4621,6 +5000,35 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
+  if (config.policy.dlp.pii === "block" && (!isIgnoredTool2(toolName) || config.policy.dlp.scanIgnoredTools)) {
+    const piiFound = detectArgsPii(args);
+    if (piiFound.length > 0) {
+      const piiReason = `\u{1F512} PII DETECTED: ${piiFound.join(", ")} found in tool arguments. Remove or tokenize personal data before passing it to a tool.`;
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "deny",
+          isObserveMode ? "observe-mode-pii-would-block" : "pii-block",
+          { ...meta, piiPatterns: piiFound.join(",") },
+          true
+        );
+      if (isObserveMode) {
+        return {
+          approved: true,
+          checkedBy: "audit",
+          observeWouldBlock: true,
+          blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+        };
+      }
+      return {
+        approved: false,
+        reason: piiReason,
+        blockedBy: "local-config",
+        blockedByLabel: "\u{1F512} Node9 PII (Detected)"
+      };
+    }
+  }
   if (isObserveMode) {
     if (!isIgnoredTool2(toolName)) {
       const policyResult = await evaluatePolicy2(toolName, args, meta?.agent, options?.cwd);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.30.0",
+  "version": "1.31.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code, Codex, Gemini, Cursor, Opencode, Pi, and any MCP server.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",