@node9/proxy 1.6.0 → 1.7.1

package/dist/index.js

@@ -411,6 +411,84 @@ var SHIELDS = {
     ],
     dangerousWords: []
   },
+  "bash-safe": {
+    name: "bash-safe",
+    description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+    aliases: ["bash", "shell"],
+    smartRules: [
+      {
+        name: "shield:bash-safe:block-pipe-to-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-obfuscated-exec",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-rm-root",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-disk-overwrite",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:review-eval",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: '\\beval\\s+[\\$`("]',
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "eval of dynamic content requires human approval (bash-safe shield)"
+      }
+    ],
+    dangerousWords: []
+  },
   filesystem: {
     name: "filesystem",
     description: "Protects the local filesystem from dangerous AI operations",
@@ -517,7 +595,7 @@ var DANGEROUS_WORDS = [
 var DEFAULT_CONFIG = {
   version: "1.0",
   settings: {
-    mode: "audit",
+    mode: "standard",
     autoStartDaemon: true,
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
@@ -2721,6 +2799,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
       await notifyActivity({
         id: actId,
         tool: toolName,
+        args,
         ts: actTs,
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel,

package/dist/index.mjs

@@ -381,6 +381,84 @@ var SHIELDS = {
     ],
     dangerousWords: []
   },
+  "bash-safe": {
+    name: "bash-safe",
+    description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+    aliases: ["bash", "shell"],
+    smartRules: [
+      {
+        name: "shield:bash-safe:block-pipe-to-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-obfuscated-exec",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-rm-root",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-disk-overwrite",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:review-eval",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: '\\beval\\s+[\\$`("]',
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "eval of dynamic content requires human approval (bash-safe shield)"
+      }
+    ],
+    dangerousWords: []
+  },
   filesystem: {
     name: "filesystem",
     description: "Protects the local filesystem from dangerous AI operations",
@@ -487,7 +565,7 @@ var DANGEROUS_WORDS = [
 var DEFAULT_CONFIG = {
   version: "1.0",
   settings: {
-    mode: "audit",
+    mode: "standard",
     autoStartDaemon: true,
     enableUndo: true,
     // 🔥 ALWAYS TRUE BY DEFAULT for the safety net
@@ -2691,6 +2769,7 @@ async function authorizeHeadless(toolName, args, meta, options) {
       await notifyActivity({
         id: actId,
         tool: toolName,
+        args,
         ts: actTs,
         status: result.approved ? "allow" : result.blockedByLabel?.includes("DLP") ? "dlp" : result.blockedByLabel?.includes("Taint") ? "taint" : "block",
         label: result.blockedByLabel,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.6.0",
+  "version": "1.7.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -75,6 +75,7 @@
     "picomatch": "^4.0.3",
     "safe-regex2": "^5.1.0",
     "sh-syntax": "^0.5.8",
+    "smol-toml": "^1.6.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {