@node9/proxy 1.5.3 → 1.5.4

package/dist/index.js

@@ -266,8 +266,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path13 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path13}: ${issue.message}`;
+    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path14}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -581,7 +581,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+            // Require the recursive flag to be preceded by whitespace so that
+            // filenames containing "-r" (e.g. "ai-review.yml") don't false-positive.
+            value: "rm\\b.*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
           },
           {
             field: "command",
@@ -1621,9 +1623,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path13) {
+function getNestedValue(obj, path14) {
   if (!obj || typeof obj !== "object") return null;
-  return path13.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -2515,6 +2517,7 @@ init_audit();
 // src/auth/cloud.ts
 var import_fs9 = __toESM(require("fs"));
 var import_os8 = __toESM(require("os"));
+var import_path13 = __toESM(require("path"));
 init_audit();
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
@@ -2540,6 +2543,33 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
+  if (!creds.apiKey) throw new Error("Node9 API Key is missing");
+  let ciContext;
+  if (process.env.CI) {
+    try {
+      const ciContextPath = import_path13.default.join(import_os8.default.homedir(), ".node9", "ci-context.json");
+      const stats = import_fs9.default.statSync(ciContextPath);
+      if (stats.size > 1e4) throw new Error("ci-context.json exceeds 10 KB");
+      const raw = import_fs9.default.readFileSync(ciContextPath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+        throw new Error("ci-context.json is not a plain object");
+      }
+      const p = parsed;
+      ciContext = {
+        tests_after: p["tests_after"],
+        files_changed: p["files_changed"],
+        issues_found: p["issues_found"],
+        issues_fixed: p["issues_fixed"],
+        github_repository: p["github_repository"],
+        github_head_ref: p["github_head_ref"],
+        iteration: p["iteration"],
+        draft_pr_number: p["draft_pr_number"],
+        draft_pr_url: p["draft_pr_url"]
+      };
+    } catch {
+    }
+  }
   try {
     const response = await fetch(creds.apiUrl, {
       method: "POST",
@@ -2554,7 +2584,8 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
           cwd: process.cwd(),
           platform: import_os8.default.platform()
         },
-        ...riskMetadata && { riskMetadata }
+        ...riskMetadata && { riskMetadata },
+        ...ciContext && { ciContext }
       }),
       signal: controller.signal
     });
@@ -2580,12 +2611,17 @@ async function pollNode9SaaS(requestId, creds, signal) {
       });
       clearTimeout(pollTimer);
       if (!statusRes.ok) continue;
-      const { status, reason } = await statusRes.json();
+      const statusBody = await statusRes.json();
+      const { status } = statusBody;
       if (status === "APPROVED") {
-        return { approved: true, reason };
+        return { approved: true, reason: statusBody.reason };
       }
       if (status === "DENIED" || status === "AUTO_BLOCKED" || status === "TIMED_OUT") {
-        return { approved: false, reason };
+        return { approved: false, reason: statusBody.reason };
+      }
+      if (status === "FIX") {
+        const feedbackText = statusBody.feedbackText ?? statusBody.reason ?? "Run again with feedback.";
+        return { approved: false, reason: feedbackText };
       }
     } catch {
     }
@@ -2821,7 +2857,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
-        auditLocalAllow(toolName, args, "local-policy", creds, meta);
+        await auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -2842,9 +2878,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         if (predicatesMet && policyResult.recoveryCommand) {
           statefulRecoveryCommand = policyResult.recoveryCommand;
         }
+      } else if (isDaemonRunning() && !isTestEnv2) {
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
       } else {
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",

package/dist/index.mjs

@@ -236,8 +236,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path13 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path13}: ${issue.message}`;
+    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path14}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -551,7 +551,9 @@ var DEFAULT_CONFIG = {
           {
             field: "command",
             op: "matches",
-            value: "rm\\b.*(-[rRfF]*[rR][rRfF]*|--recursive)"
+            // Require the recursive flag to be preceded by whitespace so that
+            // filenames containing "-r" (e.g. "ai-review.yml") don't false-positive.
+            value: "rm\\b.*\\s(-[rRfF]*[rR][rRfF]*|--recursive)(\\s|$)"
           },
           {
             field: "command",
@@ -1591,9 +1593,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path13) {
+function getNestedValue(obj, path14) {
   if (!obj || typeof obj !== "object") return null;
-  return path13.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -2486,6 +2488,7 @@ init_audit();
 init_audit();
 import fs9 from "fs";
 import os8 from "os";
+import path13 from "path";
 function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   return fetch(`${creds.apiUrl}/audit`, {
     method: "POST",
@@ -2510,6 +2513,33 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
 async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
+  if (!creds.apiKey) throw new Error("Node9 API Key is missing");
+  let ciContext;
+  if (process.env.CI) {
+    try {
+      const ciContextPath = path13.join(os8.homedir(), ".node9", "ci-context.json");
+      const stats = fs9.statSync(ciContextPath);
+      if (stats.size > 1e4) throw new Error("ci-context.json exceeds 10 KB");
+      const raw = fs9.readFileSync(ciContextPath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+        throw new Error("ci-context.json is not a plain object");
+      }
+      const p = parsed;
+      ciContext = {
+        tests_after: p["tests_after"],
+        files_changed: p["files_changed"],
+        issues_found: p["issues_found"],
+        issues_fixed: p["issues_fixed"],
+        github_repository: p["github_repository"],
+        github_head_ref: p["github_head_ref"],
+        iteration: p["iteration"],
+        draft_pr_number: p["draft_pr_number"],
+        draft_pr_url: p["draft_pr_url"]
+      };
+    } catch {
+    }
+  }
   try {
     const response = await fetch(creds.apiUrl, {
       method: "POST",
@@ -2524,7 +2554,8 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
           cwd: process.cwd(),
           platform: os8.platform()
         },
-        ...riskMetadata && { riskMetadata }
+        ...riskMetadata && { riskMetadata },
+        ...ciContext && { ciContext }
       }),
       signal: controller.signal
     });
@@ -2550,12 +2581,17 @@ async function pollNode9SaaS(requestId, creds, signal) {
       });
       clearTimeout(pollTimer);
       if (!statusRes.ok) continue;
-      const { status, reason } = await statusRes.json();
+      const statusBody = await statusRes.json();
+      const { status } = statusBody;
       if (status === "APPROVED") {
-        return { approved: true, reason };
+        return { approved: true, reason: statusBody.reason };
       }
       if (status === "DENIED" || status === "AUTO_BLOCKED" || status === "TIMED_OUT") {
-        return { approved: false, reason };
+        return { approved: false, reason: statusBody.reason };
+      }
+      if (status === "FIX") {
+        const feedbackText = statusBody.feedbackText ?? statusBody.reason ?? "Run again with feedback.";
+        return { approved: false, reason: feedbackText };
       }
     } catch {
     }
@@ -2791,7 +2827,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     const policyResult = await evaluatePolicy(toolName, args, meta?.agent);
     if (policyResult.decision === "allow") {
       if (approvers.cloud && creds?.apiKey)
-        auditLocalAllow(toolName, args, "local-policy", creds, meta);
+        await auditLocalAllow(toolName, args, "local-policy", creds, meta);
       if (!isManual) appendLocalAudit(toolName, args, "allow", "local-policy", meta, hashAuditArgs);
       return { approved: true, checkedBy: "local-policy" };
     }
@@ -2812,9 +2848,16 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
         if (predicatesMet && policyResult.recoveryCommand) {
           statefulRecoveryCommand = policyResult.recoveryCommand;
         }
+      } else if (isDaemonRunning() && !isTestEnv2) {
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
       } else {
         if (!isManual)
           appendLocalAudit(toolName, args, "deny", "smart-rule-block", meta, hashAuditArgs);
+        if (approvers.cloud && creds?.apiKey)
+          auditLocalAllow(toolName, args, "smart-rule-block", creds, meta);
         return {
           approved: false,
           reason: policyResult.reason ?? "Action explicitly blocked by Smart Policy.",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -58,12 +58,12 @@
     "format:check": "prettier --check .",
     "fix": "npm run format && npm run lint:fix",
     "validate": "npm run format && npm run lint && npm run typecheck && npm run test && npm run test:e2e && npm run build",
-    "test:e2e": "NODE9_TESTING=1 bash scripts/e2e.sh",
+    "test:e2e": "cross-env NODE9_TESTING=1 bash scripts/e2e.sh",
+    "test": "cross-env NODE9_TESTING=1 vitest --run",
+    "test:coverage": "cross-env NODE9_TESTING=1 vitest --run --coverage",
+    "test:watch": "cross-env NODE9_TESTING=1 vitest",
     "preuninstall": "node9 uninstall || echo 'node9 uninstall failed — remove hooks manually from ~/.claude/settings.json'",
     "prepublishOnly": "npm run validate",
-    "test": "vitest --run",
-    "test:coverage": "vitest --run --coverage",
-    "test:watch": "vitest",
     "test:ui": "vitest --ui",
     "dev:tail": "node -e \"try{const d=JSON.parse(require('fs').readFileSync(require('os').homedir()+'/.node9/daemon.pid','utf8'));const pid=d.pid;if(Number.isInteger(pid)&&pid>0&&pid<4194304)process.kill(pid)}catch(e){if(e.code!=='ESRCH'&&e.code!=='ENOENT')process.stderr.write(e.message+'\\n')}\" && npm run build && node dist/cli.js tail"
   },
@@ -88,6 +88,7 @@
     "@types/node": "^25.3.1",
     "@types/picomatch": "^4.0.2",
     "@vitest/coverage-v8": "4.1.2",
+    "cross-env": "^10.1.0",
     "prettier": "^3.4.2",
     "semantic-release": "^25.0.3",
     "tsup": "^8.5.1",