@node9/proxy 1.5.2 → 1.5.4

package/dist/index.mjs

@@ -168,12 +168,21 @@ var SmartRuleSchema = z.object({
   verdict: z.enum(["allow", "review", "block"], {
     errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
   }),
-  reason: z.string().optional()
+  reason: z.string().optional(),
+  // Unknown predicate names are filtered out rather than failing the whole rule.
+  // Failing the whole z.array() would cause sanitizeConfig to drop the entire
+  // `policy` top-level key, silently disabling ALL smart rules in the config.
+  dependsOnState: z.array(z.string()).transform(
+    (arr) => arr.filter(
+      (p) => p === "no_test_passed_since_last_edit"
+    )
+  ).optional(),
+  recoveryCommand: z.string().optional()
 });
 var ConfigFileSchema = z.object({
   version: z.string().optional(),
   settings: z.object({
-    mode: z.enum(["standard", "strict", "audit"]).optional(),
+    mode: z.enum(["standard", "strict", "audit", "observe"]).optional(),
     autoStartDaemon: z.boolean().optional(),
     enableUndo: z.boolean().optional(),
     enableHookLogDebug: z.boolean().optional(),
@@ -542,7 +551,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+            // Require the recursive flag to be preceded by whitespace so that
+            // filenames containing "-r" (e.g. "ai-review.yml") don't false-positive.
+            value: "rm\\b.*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
           },
           {
             field: "command",
@@ -786,12 +797,17 @@ function getConfig(cwd) {
     if (s.approvalTimeoutSeconds !== void 0 && s.approvalTimeoutMs === void 0)
       mergedSettings.approvalTimeoutMs = s.approvalTimeoutSeconds * 1e3;
     if (s.environment !== void 0) mergedSettings.environment = s.environment;
+    if (s.hud !== void 0) mergedSettings.hud = { ...mergedSettings.hud, ...s.hud };
     if (p.sandboxPaths) mergedPolicy.sandboxPaths.push(...p.sandboxPaths);
     if (p.ignoredTools) mergedPolicy.ignoredTools.push(...p.ignoredTools);
     if (p.dangerousWords) mergedPolicy.dangerousWords = [...p.dangerousWords];
     if (p.toolInspection)
       mergedPolicy.toolInspection = { ...mergedPolicy.toolInspection, ...p.toolInspection };
-    if (p.smartRules) mergedPolicy.smartRules.push(...p.smartRules);
+    if (p.smartRules) {
+      const defaultBlocks = mergedPolicy.smartRules.filter((r) => r.verdict === "block");
+      const defaultNonBlocks = mergedPolicy.smartRules.filter((r) => r.verdict !== "block");
+      mergedPolicy.smartRules = [...defaultBlocks, ...p.smartRules, ...defaultNonBlocks];
+    }
     if (p.snapshot) {
       const s2 = p.snapshot;
       if (s2.tools) mergedPolicy.snapshot.tools.push(...s2.tools);
@@ -1718,7 +1734,13 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         blockedByLabel: `Smart Rule: ${matchedRule.name ?? matchedRule.tool}`,
         reason: matchedRule.reason,
         tier: 2,
-        ruleName: matchedRule.name ?? matchedRule.tool
+        ruleName: matchedRule.name ?? matchedRule.tool,
+        ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
+          dependsOnStatePredicates: matchedRule.dependsOnState
+        },
+        ...matchedRule.verdict === "block" && matchedRule.recoveryCommand && {
+          recoveryCommand: matchedRule.recoveryCommand
+        }
       };
     }
   }
@@ -1950,9 +1972,39 @@ function getPersistentDecision(toolName) {
 
 // src/auth/daemon.ts
 import fs8 from "fs";
+import net from "net";
 import path10 from "path";
 import os7 from "os";
 import { spawnSync } from "child_process";
+var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path10.join(os7.tmpdir(), "node9-activity.sock");
+function notifyActivitySocket(data) {
+  return new Promise((resolve) => {
+    try {
+      const payload = JSON.stringify(data);
+      const sock = net.createConnection(ACTIVITY_SOCKET_PATH);
+      sock.on("connect", () => {
+        sock.on("close", resolve);
+        sock.end(payload);
+      });
+      sock.on("error", resolve);
+    } catch {
+      resolve();
+    }
+  });
+}
+async function checkStatePredicates(predicates) {
+  if (predicates.length === 0) return {};
+  try {
+    const qs = predicates.map(encodeURIComponent).join(",");
+    const res = await fetch(`http://${DAEMON_HOST}:${DAEMON_PORT}/state/check?predicates=${qs}`, {
+      signal: AbortSignal.timeout(100)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
 var DAEMON_PORT = 7391;
 var DAEMON_HOST = "127.0.0.1";
 function getInternalToken() {
@@ -1988,7 +2040,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2006,7 +2058,10 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         // activity-result as the CLI used for the pending activity event.
         activityId,
         ...riskMetadata && { riskMetadata },
-        ...cwd && { cwd }
+        ...cwd && { cwd },
+        ...recoveryCommand && { recoveryCommand },
+        ...skipBackgroundAuth && { skipBackgroundAuth: true },
+        ...viewOnly && { viewOnly: true }
       }),
       signal: ctrl.signal
     });
@@ -2026,10 +2081,10 @@ async function waitForDaemonDecision(id, signal) {
   try {
     const waitRes = await fetch(`${base}/wait/${id}`, { signal: waitCtrl.signal });
     if (!waitRes.ok) return { decision: "deny" };
-    const { decision, source } = await waitRes.json();
+    const { decision, source, reason } = await waitRes.json();
     if (decision === "allow") return { decision: "allow", source };
     if (decision === "abandoned") return { decision: "abandoned", source };
-    return { decision: "deny", source };
+    return { decision: "deny", source, reason };
   } finally {
     clearTimeout(waitTimer);
     if (signal) signal.removeEventListener("abort", onAbort);
@@ -2104,9 +2159,6 @@ async function resolveViaDaemon(id, decision, internalToken, source) {
 }
 
 // src/auth/orchestrator.ts
-import net from "net";
-import path13 from "path";
-import os9 from "os";
 import { randomUUID } from "crypto";
 
 // src/ui/native.ts
@@ -2436,6 +2488,7 @@ init_audit();
 init_audit();
 import fs9 from "fs";
 import os8 from "os";
+import path13 from "path";
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2460,6 +2513,33 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
+  if (!creds.apiKey) throw new Error("Node9 API Key is missing");
+  let ciContext;
+  if (process.env.CI) {
+    try {
+      const ciContextPath = path13.join(os8.homedir(), ".node9", "ci-context.json");
+      const stats = fs9.statSync(ciContextPath);
+      if (stats.size > 1e4) throw new Error("ci-context.json exceeds 10 KB");
+      const raw = fs9.readFileSync(ciContextPath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+        throw new Error("ci-context.json is not a plain object");
+      }
+      const p = parsed;
+      ciContext = {
+        tests_after: p["tests_after"],
+        files_changed: p["files_changed"],
+        issues_found: p["issues_found"],
+        issues_fixed: p["issues_fixed"],
+        github_repository: p["github_repository"],
+        github_head_ref: p["github_head_ref"],
+        iteration: p["iteration"],
+        draft_pr_number: p["draft_pr_number"],
+        draft_pr_url: p["draft_pr_url"]
+      };
+    } catch {
+    }
+  }
   try {
     const response = await fetch(creds.apiUrl, {
       method: "POST",
@@ -2474,7 +2554,8 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
           cwd: process.cwd(),
           platform: os8.platform()
         },
-        ...riskMetadata && { riskMetadata }
+        ...riskMetadata && { riskMetadata },
+        ...ciContext && { ciContext }
       }),
       signal: controller.signal
     });
@@ -2500,12 +2581,17 @@ async function pollNode9SaaS(requestId, creds, signal) {
       });
       clearTimeout(pollTimer);
       if (!statusRes.ok) continue;
-      const { status, reason } = await statusRes.json();
+      const statusBody = await statusRes.json();
+      const { status } = statusBody;
       if (status === "APPROVED") {
-        return { approved: true, reason };
+        return { approved: true, reason: statusBody.reason };
       }
       if (status === "DENIED" || status === "AUTO_BLOCKED" || status === "TIMED_OUT") {
-        return { approved: false, reason };
+        return { approved: false, reason: statusBody.reason };
+      }
+      if (status === "FIX") {
+        const feedbackText = statusBody.feedbackText ?? statusBody.reason ?? "Run again with feedback.";
+        return { approved: false, reason: feedbackText };
       }
     } catch {
     }
@@ -2589,21 +2675,8 @@ function isNetworkTool(toolName, args) {
   }
   return false;
 }
-var ACTIVITY_SOCKET_PATH = process.platform === "win32" ? "\\\\.\\pipe\\node9-activity" : path13.join(os9.tmpdir(), "node9-activity.sock");
 function notifyActivity(data) {
-  return new Promise((resolve) => {
-    try {
-      const payload = JSON.stringify(data);
-      const sock = net.createConnection(ACTIVITY_SOCKET_PATH);
-      sock.on("connect", () => {
-        sock.on("close", resolve);
-        sock.end(payload);
-      });
-      sock.on("error", resolve);
-    } catch {
-      resolve();
-    }
-  });
+  return notifyActivitySocket(data);
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
@@ -2620,7 +2693,9 @@ async function authorizeHeadless(toolName, args, meta, options) {
         tool: toolName,
         ts: actTs,
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
-        label: result.blockedByLabel
+        label: result.blockedByLabel,
+        ruleHit: result.ruleHit,
+        observeWouldBlock: result.observeWouldBlock
       });
     }
     return result;
@@ -2647,10 +2722,12 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     appendHookDebug(toolName, args, meta, hashAuditArgs);
   }
   const isManual = meta?.agent === "Terminal";
+  const isObserveMode = config.settings.mode === "observe";
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
   let riskMetadata;
+  let statefulRecoveryCommand;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -2671,10 +2748,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     if (dlpMatch) {
       const dlpReason = `\u{1F6A8} DATA LOSS PREVENTION: ${dlpMatch.patternName} detected in field "${dlpMatch.fieldPath}" (${dlpMatch.redactedSample})`;
       if (dlpMatch.severity === "block") {
-        if (!isManual) appendLocalAudit(toolName, args, "deny", "dlp-block", meta, true);
+        if (!isManual)
+          appendLocalAudit(
+            toolName,
+            args,
+            "deny",
+            isObserveMode ? "observe-mode-dlp-would-block" : "dlp-block",
+            meta,
+            true
+          );
         if (isWriteTool(toolName) && filePath) {
           await notifyTaint(filePath, `DLP:${dlpMatch.patternName}`);
         }
+        if (isObserveMode) {
+          return {
+            approved: true,
+            checkedBy: "audit",
+            observeWouldBlock: true,
+            blockedByLabel: "\u{1F6A8} Node9 DLP (Secret Detected)"
+          };
+        }
         return {
           approved: false,
           reason: dlpReason,
@@ -2687,6 +2780,31 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       explainableLabel = "\u{1F6A8} Node9 DLP (Credential Review)";
     }
   }
+  if (isObserveMode) {
+    if (!isIgnoredTool(toolName)) {
+      const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
+      const wouldBlock = policyResult.decision === "block";
+      if (!isManual)
+        appendLocalAudit(
+          toolName,
+          args,
+          "allow",
+          wouldBlock ? "observe-mode-would-block" : "observe-mode",
+          meta,
+          hashAuditArgs
+        );
+      return {
+        approved: true,
+        checkedBy: "audit",
+        ...wouldBlock && {
+          observeWouldBlock: true,
+          blockedByLabel: policyResult.blockedByLabel,
+          ruleHit: policyResult.ruleName
+        }
+      };
+    }
+    return { approved: true, checkedBy: "audit" };
+  }
   if (config.settings.mode === "audit") {
     if (!isIgnoredTool(toolName)) {
       const policyResult = await evaluatePolicy(toolName, args, meta?.agent, options?.cwd);
@@ -2709,19 +2827,46 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
-        auditLocalAllow(toolName, args, "local-policy", creds, meta);
+        await auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
     if (policyResult.decision === "block") {
-      if (!isManual)
-        appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
-      return {
-        approved: false,
-        reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
-        blockedBy: "local-config",
-        blockedByLabel: policyResult.blockedByLabel
-      };
+      if (policyResult.dependsOnStatePredicates?.length) {
+        const stateResults = await checkStatePredicates(policyResult.dependsOnStatePredicates);
+        const predicatesMet = stateResults !== null && policyResult.dependsOnStatePredicates.every((p) => stateResults[p] === true);
+        if (stateResults === null && !isManual) {
+          appendToLog(HOOK_DEBUG_LOG, {
+            ts: (/* @__PURE__ */ new Date()).toISOString(),
+            event: "state-check-fail-open",
+            tool: toolName,
+            rule: policyResult.ruleName,
+            predicates: policyResult.dependsOnStatePredicates,
+            reason: "daemon unreachable or /state/check timed out \u2014 block rule downgraded to review"
+          });
+        }
+        if (predicatesMet && policyResult.recoveryCommand) {
+          statefulRecoveryCommand = policyResult.recoveryCommand;
+        }
+      } else if (isDaemonRunning() && !isTestEnv2) {
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+      } else {
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
+        return {
+          approved: false,
+          reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",
+          blockedBy: "local-config",
+          blockedByLabel: policyResult.blockedByLabel,
+          ruleHit: policyResult.ruleName,
+          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand }
+        };
+      }
     }
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
@@ -2828,7 +2973,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           meta,
           riskMetadata,
           options?.activityId,
-          options?.cwd
+          options?.cwd,
+          statefulRecoveryCommand
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -2889,20 +3035,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   if (daemonEntryId && (approvers.browser || approvers.terminal)) {
     racePromises.push(
       (async () => {
-        const { decision: daemonDecision, source: decisionSource } = await waitForDaemonDecision(
-          daemonEntryId,
-          signal
-        );
+        const {
+          decision: daemonDecision,
+          source: decisionSource,
+          reason: daemonReason
+        } = await waitForDaemonDecision(daemonEntryId, signal);
         if (daemonDecision === "abandoned") throw new Error("Abandoned");
         const isApproved = daemonDecision === "allow";
-        const src = decisionSource === "terminal" || decisionSource === "browser" ? decisionSource : approvers.browser ? "browser" : "terminal";
+        const isRedirect = decisionSource === "terminal-redirect";
+        const src = decisionSource === "terminal" || decisionSource === "terminal-redirect" || decisionSource === "browser" ? decisionSource === "browser" ? "browser" : "terminal" : approvers.browser ? "browser" : "terminal";
         const via = src === "terminal" ? "Terminal (node9 tail)" : "Browser Dashboard";
         return {
           approved: isApproved,
-          reason: isApproved ? void 0 : `The human user rejected this action via the Node9 ${via}.`,
+          reason: isApproved ? void 0 : (
+            // Use the redirect reason from the tail when choice [2] was selected;
+            // otherwise fall back to the generic rejection message.
+            isRedirect && daemonReason || `The human user rejected this action via the Node9 ${via}.`
+          ),
           checkedBy: isApproved ? "daemon" : void 0,
           blockedBy: isApproved ? void 0 : "local-decision",
-          blockedByLabel: `User Decision (${via})`,
+          blockedByLabel: isRedirect ? "Steered Redirect (Terminal)" : `User Decision (${via})`,
           decisionSource: src
         };
       })()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.5.2",
+  "version": "1.5.4",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -58,12 +58,12 @@
     "format:check": "prettier --check .",
     "fix": "npm run format && npm run lint:fix",
     "validate": "npm run format && npm run lint && npm run typecheck && npm run test && npm run test:e2e && npm run build",
-    "test:e2e": "NODE9_TESTING=1 bash scripts/e2e.sh",
+    "test:e2e": "cross-env NODE9_TESTING=1 bash scripts/e2e.sh",
+    "test": "cross-env NODE9_TESTING=1 vitest --run",
+    "test:coverage": "cross-env NODE9_TESTING=1 vitest --run --coverage",
+    "test:watch": "cross-env NODE9_TESTING=1 vitest",
     "preuninstall": "node9 uninstall || echo 'node9 uninstall failed — remove hooks manually from ~/.claude/settings.json'",
     "prepublishOnly": "npm run validate",
-    "test": "vitest --run",
-    "test:coverage": "vitest --run --coverage",
-    "test:watch": "vitest",
     "test:ui": "vitest --ui",
     "dev:tail": "node -e \"try{const d=JSON.parse(require('fs').readFileSync(require('os').homedir()+'/.node9/daemon.pid','utf8'));const pid=d.pid;if(Number.isInteger(pid)&&pid>0&&pid<4194304)process.kill(pid)}catch(e){if(e.code!=='ESRCH'&&e.code!=='ENOENT')process.stderr.write(e.message+'\\n')}\" && npm run build && node dist/cli.js tail"
   },
@@ -88,6 +88,7 @@
     "@types/node": "^25.3.1",
     "@types/picomatch": "^4.0.2",
     "@vitest/coverage-v8": "4.1.2",
+    "cross-env": "^10.1.0",
     "prettier": "^3.4.2",
     "semantic-release": "^25.0.3",
     "tsup": "^8.5.1",