@node9/proxy 1.5.2 → 1.5.3

package/dist/index.mjs

@@ -168,12 +168,21 @@ var SmartRuleSchema = z.object({
   verdict: z.enum(["allow", "review", "block"], {
     errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
   }),
-  reason: z.string().optional()
+  reason: z.string().optional(),
+  // Unknown predicate names are filtered out rather than failing the whole rule.
+  // Failing the whole z.array() would cause sanitizeConfig to drop the entire
+  // `policy` top-level key, silently disabling ALL smart rules in the config.
+  dependsOnState: z.array(z.string()).transform(
+    (arr) => arr.filter(
+      (p) => p === "no_test_passed_since_last_edit"
+    )
+  ).optional(),
+  recoveryCommand: z.string().optional()
 });
 var ConfigFileSchema = z.object({
   version: z.string().optional(),
   settings: z.object({
-    mode: z.enum(["standard", "strict", "audit"]).optional(),
+    mode: z.enum(["standard", "strict", "audit", "observe"]).optional(),
     autoStartDaemon: z.boolean().optional(),
     enableUndo: z.boolean().optional(),
     enableHookLogDebug: z.boolean().optional(),
@@ -227,8 +236,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path14}: ${issue.message}`;
+    const path13 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path13}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -786,12 +795,17 @@ function getConfig(cwd) {
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
     if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
     if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
+    if (p.smartRules) {
+      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
+      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
+      mergedPolicy.smartRules = [...defaultBlocks, ...p.smartRules, ...defaultNonBlocks];
+    }
     if (p.snapshot) {
       const s2 = p.snapshot;
       if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
@@ -1577,9 +1591,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path14) {
+function getNestedValue(obj, path13) {
   if (!obj || typeof obj !== "object") return null;
-  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path13.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1718,7 +1732,13 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
         reason: matchedRule.reason,
         tier: 2,
-        ruleName: matchedRule.name ?? matchedRule.tool
+        ruleName: matchedRule.name ?? matchedRule.tool,
+        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
+          dependsOnStatePredicates: matchedRule.dependsOnState
+        },
+        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
+          recoveryCommand: matchedRule.recoveryCommand
+        }
       };
     }
   }
@@ -1950,9 +1970,39 @@ function getPersistentDecision(toolName) {
 
 // src/auth/daemon.ts
 import fs8 from "fs";
+import net from "net";
 import path10 from "path";
 import os7 from "os";
 import { spawnSync } from "child_process";
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path10.join(os7.tmpdir(), "node9-activity.sock");
+function notifyActivitySocket(data) {
+  return new Promise((resolve) => {
+    try {
+      const payload = JSON.stringify(data);
+      const sock = net.createConnection(ACTIVITY_SOCKET_PATH);
+      sock.on("connect", () => {
+        sock.on("close", resolve);
+        sock.end(payload);
+      });
+      sock.on("error", resolve);
+    } catch {
+      resolve();
+    }
+  });
+}
+async function checkStatePredicates(predicates) {
+  if (predicates.length === 0) return {};
+  try {
+    const qs = predicates.map(encodeURIComponent).join(",");
+    const res = await fetch(`http://${DAEMON_HOST}:${DAEMON_PORT}/state/check?predicates=${qs}`, {
+      signal: AbortSignal.timeout(100)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function getInternalToken() {
@@ -1988,7 +2038,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2006,7 +2056,10 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         // activity-result as the CLI used for the pending activity event.
         activityId,
         ...riskMetadata && { riskMetadata },
-        ...cwd && { cwd }
+        ...cwd && { cwd },
+        ...recoveryCommand && { recoveryCommand },
+        ...skipBackgroundAuth && { skipBackgroundAuth: true },
+        ...viewOnly && { viewOnly: true }
       }),
       signal: ctrl.signal
     });
@@ -2026,10 +2079,10 @@ async function waitForDaemonDecision(id, signal) {
   try {
     const waitRes = await fetch(`${base}/wait/${id}`, { signal: waitCtrl.signal });
     if (!waitRes.ok) return { decision: "deny" };
-    const { decision, source } = await waitRes.json();
+    const { decision, source, reason } = await waitRes.json();
     if (decision === "allow") return { decision: "allow", source };
     if (decision === "abandoned") return { decision: "abandoned", source };
-    return { decision: "deny", source };
+    return { decision: "deny", source, reason };
   } finally {
     clearTimeout(waitTimer);
     if (signal) signal.removeEventListener("abort", onAbort);
@@ -2104,9 +2157,6 @@ async function resolveViaDaemon(id, decision, internalToken, source) {
 }
 
 // src/auth/orchestrator.ts
-import net from "net";
-import path13 from "path";
-import os9 from "os";
 import { randomUUID } from "crypto";
 
 // src/ui/native.ts
@@ -2589,21 +2639,8 @@ function isNetworkTool(toolName, args) {
   }
   return false;
 }
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path13.join(os9.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
-  return new Promise((resolve) => {
-    try {
-      const payload = JSON.stringify(data);
-      const sock = net.createConnection(ACTIVITY_SOCKET_PATH);
-      sock.on("connect", () => {
-        sock.on("close", resolve);
-        sock.end(payload);
-      });
-      sock.on("error", resolve);
-    } catch {
-      resolve();
-    }
-  });
+  return notifyActivitySocket(data);
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
@@ -2620,7 +2657,9 @@ async function authorizeHeadless(toolName, args, meta, options) {
         tool: toolName,
         ts: actTs,
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
-        label: result.blockedByLabel
+        label: result.blockedByLabel,
+        ruleHit: result.ruleHit,
+        observeWouldBlock: result.observeWouldBlock
       });
     }
     return result;
@@ -2647,10 +2686,12 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
+  const isObserveMode = config.settings.mode === "observe";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let statefulRecoveryCommand;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -2671,10 +2712,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (!isManual)
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
+            meta,
+            true
+          );
         if (isWriteTool(toolName) && filePath) {
           await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
         }
+        if (isObserveMode) {
+          return {
+            approved: true,
+            checkedBy: "audit",
+            observeWouldBlock: true,
+            blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
+          };
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2687,6 +2744,31 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
+  if (isObserveMode) {
+    if (!isIgnoredTool(toolName)) {
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+      const wouldBlock = policyResult.decision === "block";
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "allow",
+          wouldBlock ? "observe-mode-would-block" : "observe-mode",
+          meta,
+          hashAuditArgs
+        );
+      return {
+        approved: true,
+        checkedBy: "audit",
+        ...wouldBlock && {
+          observeWouldBlock: true,
+          blockedByLabel: policyResult.blockedByLabel,
+          ruleHit: policyResult.ruleName
+        }
+      };
+    }
+    return { approved: true, checkedBy: "audit" };
+  }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
@@ -2714,14 +2796,34 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual)
-        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
-      return {
-        approved: false,
-        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
-        blockedBy: "local-config",
-        blockedByLabel: policyResult.blockedByLabel
-      };
+      if (policyResult.dependsOnStatePredicates?.length) {
+        const stateResults = await checkStatePredicates(policyResult.dependsOnStatePredicates);
+        const predicatesMet = stateResults !== null && policyResult.dependsOnStatePredicates.every((p) => stateResults[p] === true);
+        if (stateResults === null && !isManual) {
+          appendToLog(HOOK_DEBUG_LOG, {
+            ts: (/* @__PURE__ */ new Date()).toISOString(),
+            event: "state-check-fail-open",
+            tool: toolName,
+            rule: policyResult.ruleName,
+            predicates: policyResult.dependsOnStatePredicates,
+            reason: "daemon unreachable or /state/check timed out \u2014 block rule downgraded to review"
+          });
+        }
+        if (predicatesMet && policyResult.recoveryCommand) {
+          statefulRecoveryCommand = policyResult.recoveryCommand;
+        }
+      } else {
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        return {
+          approved: false,
+          reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+          blockedBy: "local-config",
+          blockedByLabel: policyResult.blockedByLabel,
+          ruleHit: policyResult.ruleName,
+          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand }
+        };
+      }
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
@@ -2828,7 +2930,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           meta,
           riskMetadata,
           options?.activityId,
-          options?.cwd
+          options?.cwd,
+          statefulRecoveryCommand
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -2889,20 +2992,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (daemonEntryId && (approvers.browser || approvers.terminal)) {
     racePromises.push(
       (async () => {
-        const { decision: daemonDecision, source: decisionSource } = await waitForDaemonDecision(
-          daemonEntryId,
-          signal
-        );
+        const {
+          decision: daemonDecision,
+          source: decisionSource,
+          reason: daemonReason
+        } = await waitForDaemonDecision(daemonEntryId, signal);
         if (daemonDecision === "abandoned") throw new Error("Abandoned");
         const isApproved = daemonDecision === "allow";
-        const src = decisionSource === "terminal" || decisionSource === "browser" ? decisionSource : approvers.browser ? "browser" : "terminal";
+        const isRedirect = decisionSource === "terminal-redirect";
+        const src = decisionSource === "terminal" || decisionSource === "terminal-redirect" || decisionSource === "browser" ? decisionSource === "browser" ? "browser" : "terminal" : approvers.browser ? "browser" : "terminal";
         const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
         return {
           approved: isApproved,
-          reason: isApproved ? void 0 : `The human user rejected this action via the Node9 ${via}.`,
+          reason: isApproved ? void 0 : (
+            // Use the redirect reason from the tail when choice [2] was selected;
+            // otherwise fall back to the generic rejection message.
+            isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`
+          ),
           checkedBy: isApproved ? "daemon" : void 0,
           blockedBy: isApproved ? void 0 : "local-decision",
-          blockedByLabel: `User Decision (${via})`,
+          blockedByLabel: isRedirect ? "Steered Redirect (Terminal)" : `User Decision (${via})`,
           decisionSource: src
         };
       })()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.5.2",
+  "version": "1.5.3",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",