@node9/proxy 1.5.0 → 1.5.2

package/dist/index.js

@@ -5,6 +5,9 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -27,19 +30,52 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var src_exports = {};
-__export(src_exports, {
-  protect: () => protect
+// src/audit/hasher.ts
+function canonicalise(value) {
+  return _canonicalise(value, /* @__PURE__ */ new WeakSet());
+}
+function _canonicalise(value, seen) {
+  if (value === null || typeof value !== "object") return value;
+  if (value instanceof Date) return value.toISOString();
+  if (value instanceof RegExp) return value.toString();
+  if (Buffer.isBuffer(value)) return value.toString("base64");
+  if (seen.has(value)) return "[Circular]";
+  seen.add(value);
+  let result;
+  if (Array.isArray(value)) {
+    result = value.map((v) => _canonicalise(v, seen));
+  } else {
+    const obj = value;
+    result = Object.fromEntries(
+      Object.keys(obj).sort().map((k) => [k, _canonicalise(obj[k], seen)])
+    );
+  }
+  seen.delete(value);
+  return result;
+}
+function hashArgs(args) {
+  const canonical = JSON.stringify(canonicalise(args) ?? null);
+  return (0, import_crypto.createHash)("sha256").update(canonical).digest("hex").slice(0, 32);
+}
+var import_crypto;
+var init_hasher = __esm({
+  "src/audit/hasher.ts"() {
+    "use strict";
+    import_crypto = require("crypto");
+  }
 });
-module.exports = __toCommonJS(src_exports);
 
 // src/audit/index.ts
-var import_fs = __toESM(require("fs"));
-var import_path = __toESM(require("path"));
-var import_os = __toESM(require("os"));
-var LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
-var HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+var audit_exports = {};
+__export(audit_exports, {
+  HOOK_DEBUG_LOG: () => HOOK_DEBUG_LOG,
+  LOCAL_AUDIT_LOG: () => LOCAL_AUDIT_LOG,
+  appendConfigAudit: () => appendConfigAudit,
+  appendHookDebug: () => appendHookDebug,
+  appendLocalAudit: () => appendLocalAudit,
+  appendToLog: () => appendToLog,
+  redactSecrets: () => redactSecrets
+});
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -61,24 +97,24 @@ function appendToLog(logPath, entry) {
   } catch {
   }
 }
-function appendHookDebug(toolName, args, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(HOOK_DEBUG_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: import_os.default.hostname(),
     cwd: process.cwd()
   });
 }
-function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
-  const safeArgs = args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {};
+function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
+  const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
-    args: safeArgs,
+    ...argsField,
     decision,
     checkedBy,
     agent: meta?.agent,
@@ -86,6 +122,35 @@ function appendLocalAudit(toolName, args, decision, checkedBy, meta) {
     hostname: import_os.default.hostname()
   });
 }
+function appendConfigAudit(entry) {
+  appendToLog(LOCAL_AUDIT_LOG, {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    ...entry,
+    hostname: import_os.default.hostname()
+  });
+}
+var import_fs, import_path, import_os, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
+var init_audit = __esm({
+  "src/audit/index.ts"() {
+    "use strict";
+    import_fs = __toESM(require("fs"));
+    import_path = __toESM(require("path"));
+    import_os = __toESM(require("os"));
+    init_hasher();
+    LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
+    HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+  }
+});
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  protect: () => protect
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/core.ts
+init_audit();
 
 // src/config/index.ts
 var import_fs3 = __toESM(require("fs"));
@@ -154,7 +219,8 @@ var ConfigFileSchema = import_zod.z.object({
     environment: import_zod.z.string().optional(),
     slackEnabled: import_zod.z.boolean().optional(),
     enableTrustSessions: import_zod.z.boolean().optional(),
-    allowGlobalPause: import_zod.z.boolean().optional()
+    allowGlobalPause: import_zod.z.boolean().optional(),
+    auditHashArgs: import_zod.z.boolean().optional()
   }).optional(),
   policy: import_zod.z.object({
     sandboxPaths: import_zod.z.array(import_zod.z.string()).optional(),
@@ -450,6 +516,7 @@ var DEFAULT_CONFIG = {
     approvalTimeoutMs: 12e4,
     // 120-second auto-deny timeout
     flightRecorder: true,
+    auditHashArgs: true,
     approvers: { native: true, browser: true, cloud: false, terminal: true }
   },
   policy: {
@@ -2017,6 +2084,45 @@ async function notifyDaemonViewer(toolName, args, meta, riskMetadata) {
   const { id, allowCount } = await res.json();
   return { id, allowCount: allowCount ?? 1 };
 }
+async function notifyTaint(filePath, source) {
+  if (!isDaemonRunning()) return;
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    await fetch(`${base}/taint`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ path: filePath, source }),
+      signal: AbortSignal.timeout(1e3)
+    });
+  } catch {
+  }
+}
+async function checkTaint(paths) {
+  if (paths.length === 0) return { tainted: false };
+  if (!isDaemonRunning()) return { tainted: false, daemonUnavailable: true };
+  const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
+  try {
+    const res = await fetch(`${base}/taint/check`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ paths }),
+      signal: AbortSignal.timeout(2e3)
+    });
+    return await res.json();
+  } catch (err) {
+    try {
+      const { appendToLog: appendToLog2, HOOK_DEBUG_LOG: HOOK_DEBUG_LOG2 } = await Promise.resolve().then(() => (init_audit(), audit_exports));
+      appendToLog2(HOOK_DEBUG_LOG2, {
+        ts: (/* @__PURE__ */ new Date()).toISOString(),
+        event: "checkTaint-error",
+        error: String(err),
+        paths
+      });
+    } catch {
+    }
+    return { tainted: false, daemonUnavailable: true };
+  }
+}
 async function resolveViaDaemon(id, decision, internalToken, source) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   await fetch(`${base}/resolve/${id}`, {
@@ -2031,7 +2137,7 @@ async function resolveViaDaemon(id, decision, internalToken, source) {
 var import_net = __toESM(require("net"));
 var import_path13 = __toESM(require("path"));
 var import_os9 = __toESM(require("os"));
-var import_crypto = require("crypto");
+var import_crypto2 = require("crypto");
 
 // src/ui/native.ts
 var import_child_process2 = require("child_process");
@@ -2353,9 +2459,13 @@ end run`;
   });
 }
 
+// src/auth/orchestrator.ts
+init_audit();
+
 // src/auth/cloud.ts
 var import_fs9 = __toESM(require("fs"));
 var import_os8 = __toESM(require("os"));
+init_audit();
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2464,6 +2574,51 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
 }
 
 // src/auth/orchestrator.ts
+var WRITE_TOOLS = /* @__PURE__ */ new Set([
+  "write",
+  "write_file",
+  "create_file",
+  "edit",
+  "multiedit",
+  "str_replace_based_edit_tool",
+  "replace",
+  "notebook_edit",
+  "notebookedit"
+]);
+function isWriteTool(toolName) {
+  const t = toolName.toLowerCase().replace(/[^a-z_]/g, "_");
+  return WRITE_TOOLS.has(t);
+}
+function extractFilePaths(toolName, args) {
+  const paths = [];
+  if (!args || typeof args !== "object" || Array.isArray(args)) return paths;
+  const a = args;
+  for (const key of ["file_path", "path", "filename", "source", "src", "input"]) {
+    if (typeof a[key] === "string" && a[key]) paths.push(a[key]);
+  }
+  const cmd = typeof a.command === "string" ? a.command : typeof a.cmd === "string" ? a.cmd : "";
+  if (cmd) {
+    for (const m of cmd.matchAll(/(?:-T|--upload-file|--data(?:-binary)?)\s+@?(\S+)/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/\b(?:scp|rsync)\s+(?:-\S+\s+)*(\S+)\s+\S+@/g)) {
+      paths.push(m[1]);
+    }
+    for (const m of cmd.matchAll(/<\s*(\S+)/g)) {
+      paths.push(m[1]);
+    }
+  }
+  return paths.filter(Boolean);
+}
+function isNetworkTool(toolName, args) {
+  const t = toolName.toLowerCase();
+  if (t === "bash" || t === "shell" || t === "run_shell_command" || t === "terminal.execute") {
+    const a = args;
+    const cmd = typeof a?.command === "string" ? a.command : typeof a?.cmd === "string" ? a.cmd : "";
+    return /\b(curl|wget|scp|rsync|nc|ncat|netcat|ssh)\b/.test(cmd);
+  }
+  return false;
+}
 var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : import_path13.default.join(import_os9.default.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
   return new Promise((resolve) => {
@@ -2482,7 +2637,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto.randomUUID)();
+    const actId = (0, import_crypto2.randomUUID)();
     const actTs = Date.now();
     await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
@@ -2494,7 +2649,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
         id: actId,
         tool: toolName,
         ts: actTs,
-        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : "block",
+        status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel
       });
     }
@@ -2508,6 +2663,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (pauseState.paused) return { approved: true, checkedBy: "paused" };
   const creds = getCredentials();
   const config = getConfig(options?.cwd);
+  const hashAuditArgs = config.settings.auditHashArgs === true;
   const isTestEnv2 = !!(process.env.VITEST || process.env.NODE_ENV === "test" || process.env.CI || process.env.NODE9_TESTING === "1");
   const approvers = {
     ...config.settings.approvers || { native: true, browser: true, cloud: true, terminal: true }
@@ -2518,13 +2674,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     approvers.terminal = false;
   }
   if (config.settings.enableHookLogDebug && !isTestEnv2) {
-    appendHookDebug(toolName, args, meta);
+    appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let taintWarning = null;
+  if (isNetworkTool(toolName, args)) {
+    const filePaths = extractFilePaths(toolName, args);
+    if (filePaths.length > 0) {
+      const taintResult = await checkTaint(filePaths);
+      if (taintResult.tainted && taintResult.record) {
+        const { path: taintedPath, source: taintSource } = taintResult.record;
+        taintWarning = `\u26A0\uFE0F ${taintedPath} was flagged by ${taintSource} \u2014 this file may contain sensitive data`;
+      } else if (taintResult.daemonUnavailable) {
+        taintWarning = `\u26A0\uFE0F Taint service unavailable \u2014 cannot verify if ${filePaths.join(", ")} is clean`;
+      }
+    }
+  }
   if (config.policy.dlp.enabled && (!isIgnoredTool(toolName) || config.policy.dlp.scanIgnoredTools)) {
     const argsObj = args && typeof args === "object" && !Array.isArray(args) ? args : {};
     const filePath = String(argsObj.file_path ?? argsObj.path ?? argsObj.filename ?? "");
@@ -2532,7 +2701,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta);
+        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (isWriteTool(toolName) && filePath) {
+          await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2540,7 +2712,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
         };
       }
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "allow", "dlp-review-flagged", meta, hashAuditArgs);
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
@@ -2548,7 +2721,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
       if (policyResult.decision === "review") {
-        appendLocalAudit(toolName, args, "allow", "audit-mode", meta);
+        appendLocalAudit(toolName, args, "allow", "audit-mode", meta, hashAuditArgs);
         if (approvers.cloud && creds?.apiKey) {
           await auditLocalAllow(toolName, args, "audit-mode", creds, meta);
         }
@@ -2556,22 +2729,23 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     }
     return { approved: true, checkedBy: "audit" };
   }
-  if (!isIgnoredTool(toolName)) {
+  if (!taintWarning && !isIgnoredTool(toolName)) {
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "trust", meta, hashAuditArgs);
       return { approved: true, checkedBy: "trust" };
     }
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
         auditLocalAllow(toolName, args, "local-policy", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
       return {
         approved: false,
         reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
@@ -2590,15 +2764,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
-    const persistent = getPersistentDecision(toolName);
+    const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "persistent", creds, meta);
-      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta);
+      if (!isManual) appendLocalAudit(toolName, args, "allow", "persistent", meta, hashAuditArgs);
       return { approved: true, checkedBy: "persistent" };
     }
     if (persistent === "deny") {
-      if (!isManual) appendLocalAudit(toolName, args, "deny", "persistent-deny", meta);
+      if (!isManual)
+        appendLocalAudit(toolName, args, "deny", "persistent-deny", meta, hashAuditArgs);
       return {
         approved: false,
         reason: `This tool ("${toolName}") is explicitly listed in your 'Always Deny' list.`,
@@ -2606,10 +2781,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         blockedByLabel: "Persistent User Rule"
       };
     }
-  } else {
-    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta);
+  } else if (!taintWarning) {
+    if (!isManual) appendLocalAudit(toolName, args, "allow", "ignored", meta, hashAuditArgs);
     return { approved: true };
   }
+  if (taintWarning) {
+    explainableLabel = "\u{1F534} Node9 Taint (Exfiltration Prevention)";
+    riskMetadata = computeRiskMetadata(
+      args,
+      7,
+      explainableLabel,
+      void 0,
+      void 0,
+      taintWarning
+    );
+  }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
   if (cloudEnforced) {
@@ -2628,7 +2814,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         };
       }
       cloudRequestId = initResult.requestId || null;
-      explainableLabel = "Organization Policy (SaaS)";
+      if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
   }
@@ -2815,7 +3001,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       args,
       finalResult.approved ? "allow" : "deny",
       finalResult.checkedBy || finalResult.blockedBy || "unknown",
-      meta
+      meta,
+      hashAuditArgs
     );
   }
   return finalResult;