@node9/proxy 1.7.0 → 1.7.1

package/dist/cli.js

@@ -513,6 +513,84 @@ var init_shields = __esm({
         ],
         dangerousWords: []
       },
+      "bash-safe": {
+        name: "bash-safe",
+        description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+        aliases: ["bash", "shell"],
+        smartRules: [
+          {
+            name: "shield:bash-safe:block-pipe-to-shell",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-obfuscated-exec",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-rm-root",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-disk-overwrite",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:review-eval",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: '\\beval\\s+[\\$`("]',
+                flags: "i"
+              }
+            ],
+            verdict: "review",
+            reason: "eval of dynamic content requires human approval (bash-safe shield)"
+          }
+        ],
+        dangerousWords: []
+      },
       filesystem: {
         name: "filesystem",
         description: "Protects the local filesystem from dangerous AI operations",
@@ -7070,6 +7148,7 @@ async function startTail(options = {}) {
   }
   const connectionTime = Date.now();
   const activityPending = /* @__PURE__ */ new Map();
+  const orphanedResults = /* @__PURE__ */ new Map();
   let csrfToken = "";
   const approvalQueue = [];
   let cardActive = false;
@@ -7404,9 +7483,14 @@ async function startTail(options = {}) {
         renderResult(data, data);
         return;
       }
+      const orphaned = orphanedResults.get(data.id);
+      if (orphaned) {
+        orphanedResults.delete(data.id);
+        renderResult(data, orphaned);
+        return;
+      }
       activityPending.set(data.id, data);
-      const slowTool = /bash|shell|query|sql|agent/i.test(data.tool);
-      if (slowTool) renderPending(data);
+      renderPending(data);
     }
     if (event === "snapshot") {
       const time = new Date(data.ts).toLocaleTimeString([], { hour12: false });
@@ -7425,6 +7509,8 @@ async function startTail(options = {}) {
       if (original) {
         renderResult(original, data);
         activityPending.delete(data.id);
+      } else {
+        orphanedResults.set(data.id, data);
       }
     }
   }
@@ -7667,6 +7753,29 @@ function renderOffline() {
   process.stdout.write(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")} ${dim("|")} ${dim("offline")}
 `);
 }
+function readActiveShieldsHud() {
+  const now = Date.now();
+  if (shieldsCache && now - shieldsCache.ts < SHIELDS_CACHE_TTL_MS) {
+    return shieldsCache.value;
+  }
+  try {
+    const shieldsPath = import_path29.default.join(import_os22.default.homedir(), ".node9", "shields.json");
+    if (!import_fs26.default.existsSync(shieldsPath)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const parsed = JSON.parse(import_fs26.default.readFileSync(shieldsPath, "utf-8"));
+    if (!Array.isArray(parsed.active)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const value = parsed.active.filter((s) => typeof s === "string").map((s) => s.slice(0, 64)).slice(0, 20);
+    shieldsCache = { value, ts: now };
+    return value;
+  } catch {
+    return [];
+  }
+}
 function renderSecurityLine(status) {
   const parts = [];
   parts.push(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")}`);
@@ -7684,6 +7793,18 @@ function renderSecurityLine(status) {
   };
   const mc = modeColors[status.mode] ?? WHITE;
   parts.push(`${dim("|")} ${color(mc, modeIcon[status.mode] ?? "")}${color(mc, status.mode)}`);
+  const activeShields = readActiveShieldsHud();
+  if (activeShields.length > 0) {
+    const shieldAbbrevs = {
+      "bash-safe": "bash",
+      filesystem: "fs",
+      postgres: "pg",
+      github: "gh",
+      aws: "aws"
+    };
+    const labels = activeShields.map((s) => shieldAbbrevs[s] ?? s).join(" ");
+    parts.push(color(DIM, `[${labels}]`));
+  }
   if (status.mode === "observe") {
     parts.push(`${dim("|")} ${color(GREEN2, `\u2705 ${status.session.allowed} passed`)}`);
     if (status.session.wouldBlock > 0) {
@@ -7780,7 +7901,7 @@ async function main() {
     renderOffline();
   }
 }
-var import_fs26, import_path29, import_os22, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH;
+var import_fs26, import_path29, import_os22, import_http3, RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH, shieldsCache, SHIELDS_CACHE_TTL_MS;
 var init_hud = __esm({
   "src/cli/hud.ts"() {
     "use strict";
@@ -7802,6 +7923,8 @@ var init_hud = __esm({
     BAR_FILLED = "\u2588";
     BAR_EMPTY = "\u2591";
     BAR_WIDTH = 10;
+    shieldsCache = null;
+    SHIELDS_CACHE_TTL_MS = 2e3;
   }
 });
 
@@ -7815,6 +7938,7 @@ var import_path14 = __toESM(require("path"));
 var import_os10 = __toESM(require("os"));
 var import_chalk = __toESM(require("chalk"));
 var import_prompts = require("@inquirer/prompts");
+var import_smol_toml = require("smol-toml");
 var NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
 function hasNode9McpServer(servers) {
   const entry = servers["node9"];
@@ -8178,7 +8302,8 @@ function detectAgents(homeDir2 = import_os10.default.homedir()) {
   return {
     claude: exists(import_path14.default.join(homeDir2, ".claude")) || exists(import_path14.default.join(homeDir2, ".claude.json")),
     gemini: exists(import_path14.default.join(homeDir2, ".gemini")),
-    cursor: exists(import_path14.default.join(homeDir2, ".cursor"))
+    cursor: exists(import_path14.default.join(homeDir2, ".cursor")),
+    codex: exists(import_path14.default.join(homeDir2, ".codex"))
   };
 }
 async function setupCursor() {
@@ -8243,6 +8368,82 @@ async function setupCursor() {
     printDaemonTip();
   }
 }
+function readToml(filePath) {
+  try {
+    if (import_fs11.default.existsSync(filePath)) {
+      return (0, import_smol_toml.parse)(import_fs11.default.readFileSync(filePath, "utf-8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function writeToml(filePath, data) {
+  const dir = import_path14.default.dirname(filePath);
+  if (!import_fs11.default.existsSync(dir)) import_fs11.default.mkdirSync(dir, { recursive: true });
+  import_fs11.default.writeFileSync(filePath, (0, import_smol_toml.stringify)(data));
+}
+async function setupCodex() {
+  const homeDir2 = import_os10.default.homedir();
+  const configPath = import_path14.default.join(homeDir2, ".codex", "config.toml");
+  const config = readToml(configPath) ?? {};
+  const servers = config.mcp_servers ?? {};
+  let anythingChanged = false;
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    config.mcp_servers = servers;
+    writeToml(configPath, config);
+    console.log(import_chalk.default.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
+  const serversToWrap = [];
+  for (const [name, server] of Object.entries(servers)) {
+    if (!server.command || server.command === "node9") continue;
+    const parts = [server.command, ...server.args ?? []];
+    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+  }
+  if (serversToWrap.length > 0) {
+    console.log(import_chalk.default.bold("The following existing entries will be modified:\n"));
+    console.log(import_chalk.default.white(`  ${configPath}`));
+    for (const { name, originalCmd } of serversToWrap) {
+      console.log(import_chalk.default.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    }
+    console.log("");
+    const proceed = await (0, import_prompts.confirm)({ message: "Wrap these MCP servers?", default: true });
+    if (proceed) {
+      for (const { name, parts } of serversToWrap) {
+        servers[name] = { ...servers[name], command: "node9", args: parts };
+      }
+      config.mcp_servers = servers;
+      writeToml(configPath, config);
+      console.log(import_chalk.default.green(`
+  \u2705 ${serversToWrap.length} MCP server(s) wrapped`));
+      anythingChanged = true;
+    } else {
+      console.log(import_chalk.default.yellow("  Skipped MCP server wrapping."));
+    }
+    console.log("");
+  }
+  console.log(
+    import_chalk.default.yellow(
+      "  \u26A0\uFE0F  Note: Codex does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Codex.\n     Native bash and file operations are not monitored."
+    )
+  );
+  console.log("");
+  if (!anythingChanged && serversToWrap.length === 0) {
+    console.log(
+      import_chalk.default.blue(
+        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+      )
+    );
+    printDaemonTip();
+    return;
+  }
+  if (anythingChanged) {
+    console.log(import_chalk.default.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Codex via MCP proxy!"));
+    console.log(import_chalk.default.gray("    Restart Codex for changes to take effect."));
+    printDaemonTip();
+  }
+}
 function setupHud() {
   const homeDir2 = import_os10.default.homedir();
   const hooksPath = import_path14.default.join(homeDir2, ".claude", "settings.json");
@@ -9936,6 +10137,8 @@ var import_path25 = __toESM(require("path"));
 var import_os19 = __toESM(require("os"));
 var import_https = __toESM(require("https"));
 init_core();
+init_shields();
+var DEFAULT_SHIELDS = ["bash-safe", "filesystem", "postgres"];
 function fireTelemetryPing(agents) {
   try {
     const body = JSON.stringify({
@@ -9978,7 +10181,17 @@ function registerInitCommand(program2) {
         message: "Enable recommended safety shields? (blocks rm -rf, SQL drops, pipe-to-shell)",
         default: true
       });
-      if (enableShields) chosenMode = "standard";
+      if (enableShields) {
+        chosenMode = "standard";
+        try {
+          const current = readActiveShields();
+          const merged = Array.from(/* @__PURE__ */ new Set([...current, ...DEFAULT_SHIELDS]));
+          const hasNewShields = DEFAULT_SHIELDS.some((s) => !current.includes(s));
+          if (hasNewShields) writeActiveShields(merged);
+        } catch (err2) {
+          console.log(import_chalk11.default.yellow(`  \u26A0\uFE0F  Could not update shields: ${String(err2)}`));
+        }
+      }
       console.log("");
     }
     const configPath = import_path25.default.join(import_os19.default.homedir(), ".node9", "config.json");
@@ -10016,9 +10229,9 @@ function registerInitCommand(program2) {
     );
     if (found.length === 0) {
       console.log(
-        import_chalk11.default.gray("No AI agents detected. Install Claude Code, Gemini CLI, or Cursor")
+        import_chalk11.default.gray("No AI agents detected. Install Claude Code, Gemini CLI, Cursor, or Codex")
       );
-      console.log(import_chalk11.default.gray("then run: node9 addto <claude|gemini|cursor>"));
+      console.log(import_chalk11.default.gray("then run: node9 addto <claude|gemini|cursor|codex>"));
       return;
     }
     console.log(import_chalk11.default.bold("Detected agents:"));
@@ -10031,6 +10244,7 @@ function registerInitCommand(program2) {
       if (agent === "claude") await setupClaude();
       else if (agent === "gemini") await setupGemini();
       else if (agent === "cursor") await setupCursor();
+      else if (agent === "codex") await setupCodex();
       console.log("");
     }
     {
@@ -10652,6 +10866,20 @@ var TOOLS = [
       required: ["service"]
     }
   },
+  {
+    name: "node9_shield_disable",
+    description: "Disable a node9 shield. Use node9_shield_list to see currently active shields.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: {
+          type: "string",
+          description: 'Shield name to disable (e.g. "postgres", "aws", "github", "filesystem").'
+        }
+      },
+      required: ["service"]
+    }
+  },
   {
     name: "node9_approver_list",
     description: "List all node9 approver channels and their current enabled/disabled state. Approvers are the channels through which node9 asks a human to approve risky tool calls. Channels: native (OS popup), browser (web UI), cloud (team policy server), terminal (stdin).",
@@ -10781,6 +11009,24 @@ function handleShieldEnable(args) {
   const shield = getShield(name);
   return `Shield "${name}" enabled \u2014 ${shield.smartRules.length} smart rule${shield.smartRules.length === 1 ? "" : "s"} now active.`;
 }
+function handleShieldDisable(args) {
+  const service = args.service;
+  if (typeof service !== "string" || !service) {
+    throw new Error("service is required");
+  }
+  const name = resolveShieldName(service);
+  if (!name) {
+    throw new Error(
+      `Unknown shield: "${service}". Run node9_shield_list to see available shields.`
+    );
+  }
+  const active = readActiveShields();
+  if (!active.includes(name)) {
+    return `Shield "${name}" is not active.`;
+  }
+  writeActiveShields(active.filter((s) => s !== name));
+  return `Shield "${name}" disabled.`;
+}
 var GLOBAL_CONFIG_PATH2 = import_path27.default.join(import_os20.default.homedir(), ".node9", "config.json");
 var APPROVER_CHANNELS = ["native", "browser", "cloud", "terminal"];
 function readGlobalConfigRaw() {
@@ -10909,6 +11155,8 @@ function runMcpServer() {
           text = handleShieldList();
         } else if (toolName === "node9_shield_enable") {
           text = handleShieldEnable(toolArgs);
+        } else if (toolName === "node9_shield_disable") {
+          text = handleShieldDisable(toolArgs);
         } else if (toolName === "node9_approver_list") {
           text = handleApproverList();
         } else if (toolName === "node9_approver_set") {

package/dist/cli.mjs

@@ -491,6 +491,84 @@ var init_shields = __esm({
         ],
         dangerousWords: []
       },
+      "bash-safe": {
+        name: "bash-safe",
+        description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+        aliases: ["bash", "shell"],
+        smartRules: [
+          {
+            name: "shield:bash-safe:block-pipe-to-shell",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-obfuscated-exec",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-rm-root",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:block-disk-overwrite",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+                flags: "i"
+              }
+            ],
+            verdict: "block",
+            reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+          },
+          {
+            name: "shield:bash-safe:review-eval",
+            tool: "bash",
+            conditions: [
+              {
+                field: "command",
+                op: "matches",
+                value: '\\beval\\s+[\\$`("]',
+                flags: "i"
+              }
+            ],
+            verdict: "review",
+            reason: "eval of dynamic content requires human approval (bash-safe shield)"
+          }
+        ],
+        dangerousWords: []
+      },
       filesystem: {
         name: "filesystem",
         description: "Protects the local filesystem from dangerous AI operations",
@@ -7052,6 +7130,7 @@ async function startTail(options = {}) {
   }
   const connectionTime = Date.now();
   const activityPending = /* @__PURE__ */ new Map();
+  const orphanedResults = /* @__PURE__ */ new Map();
   let csrfToken = "";
   const approvalQueue = [];
   let cardActive = false;
@@ -7386,9 +7465,14 @@ async function startTail(options = {}) {
         renderResult(data, data);
         return;
       }
+      const orphaned = orphanedResults.get(data.id);
+      if (orphaned) {
+        orphanedResults.delete(data.id);
+        renderResult(data, orphaned);
+        return;
+      }
       activityPending.set(data.id, data);
-      const slowTool = /bash|shell|query|sql|agent/i.test(data.tool);
-      if (slowTool) renderPending(data);
+      renderPending(data);
     }
     if (event === "snapshot") {
       const time = new Date(data.ts).toLocaleTimeString([], { hour12: false });
@@ -7407,6 +7491,8 @@ async function startTail(options = {}) {
       if (original) {
         renderResult(original, data);
         activityPending.delete(data.id);
+      } else {
+        orphanedResults.set(data.id, data);
       }
     }
   }
@@ -7646,6 +7732,29 @@ function renderOffline() {
   process.stdout.write(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")} ${dim("|")} ${dim("offline")}
 `);
 }
+function readActiveShieldsHud() {
+  const now = Date.now();
+  if (shieldsCache && now - shieldsCache.ts < SHIELDS_CACHE_TTL_MS) {
+    return shieldsCache.value;
+  }
+  try {
+    const shieldsPath = path29.join(os22.homedir(), ".node9", "shields.json");
+    if (!fs26.existsSync(shieldsPath)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const parsed = JSON.parse(fs26.readFileSync(shieldsPath, "utf-8"));
+    if (!Array.isArray(parsed.active)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const value = parsed.active.filter((s) => typeof s === "string").map((s) => s.slice(0, 64)).slice(0, 20);
+    shieldsCache = { value, ts: now };
+    return value;
+  } catch {
+    return [];
+  }
+}
 function renderSecurityLine(status) {
   const parts = [];
   parts.push(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")}`);
@@ -7663,6 +7772,18 @@ function renderSecurityLine(status) {
   };
   const mc = modeColors[status.mode] ?? WHITE;
   parts.push(`${dim("|")} ${color(mc, modeIcon[status.mode] ?? "")}${color(mc, status.mode)}`);
+  const activeShields = readActiveShieldsHud();
+  if (activeShields.length > 0) {
+    const shieldAbbrevs = {
+      "bash-safe": "bash",
+      filesystem: "fs",
+      postgres: "pg",
+      github: "gh",
+      aws: "aws"
+    };
+    const labels = activeShields.map((s) => shieldAbbrevs[s] ?? s).join(" ");
+    parts.push(color(DIM, `[${labels}]`));
+  }
   if (status.mode === "observe") {
     parts.push(`${dim("|")} ${color(GREEN2, `\u2705 ${status.session.allowed} passed`)}`);
     if (status.session.wouldBlock > 0) {
@@ -7759,7 +7880,7 @@ async function main() {
     renderOffline();
   }
 }
-var RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH;
+var RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH, shieldsCache, SHIELDS_CACHE_TTL_MS;
 var init_hud = __esm({
   "src/cli/hud.ts"() {
     "use strict";
@@ -7777,6 +7898,8 @@ var init_hud = __esm({
     BAR_FILLED = "\u2588";
     BAR_EMPTY = "\u2591";
     BAR_WIDTH = 10;
+    shieldsCache = null;
+    SHIELDS_CACHE_TTL_MS = 2e3;
   }
 });
 
@@ -7790,6 +7913,7 @@ import path14 from "path";
 import os10 from "os";
 import chalk from "chalk";
 import { confirm } from "@inquirer/prompts";
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
 var NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
 function hasNode9McpServer(servers) {
   const entry = servers["node9"];
@@ -8153,7 +8277,8 @@ function detectAgents(homeDir2 = os10.homedir()) {
   return {
     claude: exists(path14.join(homeDir2, ".claude")) || exists(path14.join(homeDir2, ".claude.json")),
     gemini: exists(path14.join(homeDir2, ".gemini")),
-    cursor: exists(path14.join(homeDir2, ".cursor"))
+    cursor: exists(path14.join(homeDir2, ".cursor")),
+    codex: exists(path14.join(homeDir2, ".codex"))
   };
 }
 async function setupCursor() {
@@ -8218,6 +8343,82 @@ async function setupCursor() {
     printDaemonTip();
   }
 }
+function readToml(filePath) {
+  try {
+    if (fs11.existsSync(filePath)) {
+      return parseToml(fs11.readFileSync(filePath, "utf-8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function writeToml(filePath, data) {
+  const dir = path14.dirname(filePath);
+  if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
+  fs11.writeFileSync(filePath, stringifyToml(data));
+}
+async function setupCodex() {
+  const homeDir2 = os10.homedir();
+  const configPath = path14.join(homeDir2, ".codex", "config.toml");
+  const config = readToml(configPath) ?? {};
+  const servers = config.mcp_servers ?? {};
+  let anythingChanged = false;
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    config.mcp_servers = servers;
+    writeToml(configPath, config);
+    console.log(chalk.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
+  const serversToWrap = [];
+  for (const [name, server] of Object.entries(servers)) {
+    if (!server.command || server.command === "node9") continue;
+    const parts = [server.command, ...server.args ?? []];
+    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+  }
+  if (serversToWrap.length > 0) {
+    console.log(chalk.bold("The following existing entries will be modified:\n"));
+    console.log(chalk.white(`  ${configPath}`));
+    for (const { name, originalCmd } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    }
+    console.log("");
+    const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
+    if (proceed) {
+      for (const { name, parts } of serversToWrap) {
+        servers[name] = { ...servers[name], command: "node9", args: parts };
+      }
+      config.mcp_servers = servers;
+      writeToml(configPath, config);
+      console.log(chalk.green(`
+  \u2705 ${serversToWrap.length} MCP server(s) wrapped`));
+      anythingChanged = true;
+    } else {
+      console.log(chalk.yellow("  Skipped MCP server wrapping."));
+    }
+    console.log("");
+  }
+  console.log(
+    chalk.yellow(
+      "  \u26A0\uFE0F  Note: Codex does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Codex.\n     Native bash and file operations are not monitored."
+    )
+  );
+  console.log("");
+  if (!anythingChanged && serversToWrap.length === 0) {
+    console.log(
+      chalk.blue(
+        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+      )
+    );
+    printDaemonTip();
+    return;
+  }
+  if (anythingChanged) {
+    console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Codex via MCP proxy!"));
+    console.log(chalk.gray("    Restart Codex for changes to take effect."));
+    printDaemonTip();
+  }
+}
 function setupHud() {
   const homeDir2 = os10.homedir();
   const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
@@ -9911,6 +10112,8 @@ import fs23 from "fs";
 import path25 from "path";
 import os19 from "os";
 import https from "https";
+init_shields();
+var DEFAULT_SHIELDS = ["bash-safe", "filesystem", "postgres"];
 function fireTelemetryPing(agents) {
   try {
     const body = JSON.stringify({
@@ -9953,7 +10156,17 @@ function registerInitCommand(program2) {
         message: "Enable recommended safety shields? (blocks rm -rf, SQL drops, pipe-to-shell)",
         default: true
       });
-      if (enableShields) chosenMode = "standard";
+      if (enableShields) {
+        chosenMode = "standard";
+        try {
+          const current = readActiveShields();
+          const merged = Array.from(/* @__PURE__ */ new Set([...current, ...DEFAULT_SHIELDS]));
+          const hasNewShields = DEFAULT_SHIELDS.some((s) => !current.includes(s));
+          if (hasNewShields) writeActiveShields(merged);
+        } catch (err2) {
+          console.log(chalk11.yellow(`  \u26A0\uFE0F  Could not update shields: ${String(err2)}`));
+        }
+      }
       console.log("");
     }
     const configPath = path25.join(os19.homedir(), ".node9", "config.json");
@@ -9991,9 +10204,9 @@ function registerInitCommand(program2) {
     );
     if (found.length === 0) {
       console.log(
-        chalk11.gray("No AI agents detected. Install Claude Code, Gemini CLI, or Cursor")
+        chalk11.gray("No AI agents detected. Install Claude Code, Gemini CLI, Cursor, or Codex")
       );
-      console.log(chalk11.gray("then run: node9 addto <claude|gemini|cursor>"));
+      console.log(chalk11.gray("then run: node9 addto <claude|gemini|cursor|codex>"));
       return;
     }
     console.log(chalk11.bold("Detected agents:"));
@@ -10006,6 +10219,7 @@ function registerInitCommand(program2) {
       if (agent === "claude") await setupClaude();
       else if (agent === "gemini") await setupGemini();
       else if (agent === "cursor") await setupCursor();
+      else if (agent === "codex") await setupCodex();
       console.log("");
     }
     {
@@ -10627,6 +10841,20 @@ var TOOLS = [
       required: ["service"]
     }
   },
+  {
+    name: "node9_shield_disable",
+    description: "Disable a node9 shield. Use node9_shield_list to see currently active shields.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: {
+          type: "string",
+          description: 'Shield name to disable (e.g. "postgres", "aws", "github", "filesystem").'
+        }
+      },
+      required: ["service"]
+    }
+  },
   {
     name: "node9_approver_list",
     description: "List all node9 approver channels and their current enabled/disabled state. Approvers are the channels through which node9 asks a human to approve risky tool calls. Channels: native (OS popup), browser (web UI), cloud (team policy server), terminal (stdin).",
@@ -10756,6 +10984,24 @@ function handleShieldEnable(args) {
   const shield = getShield(name);
   return `Shield "${name}" enabled \u2014 ${shield.smartRules.length} smart rule${shield.smartRules.length === 1 ? "" : "s"} now active.`;
 }
+function handleShieldDisable(args) {
+  const service = args.service;
+  if (typeof service !== "string" || !service) {
+    throw new Error("service is required");
+  }
+  const name = resolveShieldName(service);
+  if (!name) {
+    throw new Error(
+      `Unknown shield: "${service}". Run node9_shield_list to see available shields.`
+    );
+  }
+  const active = readActiveShields();
+  if (!active.includes(name)) {
+    return `Shield "${name}" is not active.`;
+  }
+  writeActiveShields(active.filter((s) => s !== name));
+  return `Shield "${name}" disabled.`;
+}
 var GLOBAL_CONFIG_PATH2 = path27.join(os20.homedir(), ".node9", "config.json");
 var APPROVER_CHANNELS = ["native", "browser", "cloud", "terminal"];
 function readGlobalConfigRaw() {
@@ -10884,6 +11130,8 @@ function runMcpServer() {
           text = handleShieldList();
         } else if (toolName === "node9_shield_enable") {
           text = handleShieldEnable(toolArgs);
+        } else if (toolName === "node9_shield_disable") {
+          text = handleShieldDisable(toolArgs);
         } else if (toolName === "node9_approver_list") {
           text = handleApproverList();
         } else if (toolName === "node9_approver_set") {

package/dist/index.js

@@ -411,6 +411,84 @@ var SHIELDS = {
     ],
     dangerousWords: []
   },
+  "bash-safe": {
+    name: "bash-safe",
+    description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+    aliases: ["bash", "shell"],
+    smartRules: [
+      {
+        name: "shield:bash-safe:block-pipe-to-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-obfuscated-exec",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-rm-root",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-disk-overwrite",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:review-eval",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: '\\beval\\s+[\\$`("]',
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "eval of dynamic content requires human approval (bash-safe shield)"
+      }
+    ],
+    dangerousWords: []
+  },
   filesystem: {
     name: "filesystem",
     description: "Protects the local filesystem from dangerous AI operations",

package/dist/index.mjs

@@ -381,6 +381,84 @@ var SHIELDS = {
     ],
     dangerousWords: []
   },
+  "bash-safe": {
+    name: "bash-safe",
+    description: "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
+    aliases: ["bash", "shell"],
+    smartRules: [
+      {
+        name: "shield:bash-safe:block-pipe-to-shell",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Pipe-to-shell is a common supply-chain attack vector \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-obfuscated-exec",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Obfuscated execution via base64 decode \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-rm-root",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "rm -rf of root or home directory is catastrophic \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:block-disk-overwrite",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
+            flags: "i"
+          }
+        ],
+        verdict: "block",
+        reason: "Writing directly to a block device is irreversible \u2014 blocked by bash-safe shield"
+      },
+      {
+        name: "shield:bash-safe:review-eval",
+        tool: "bash",
+        conditions: [
+          {
+            field: "command",
+            op: "matches",
+            value: '\\beval\\s+[\\$`("]',
+            flags: "i"
+          }
+        ],
+        verdict: "review",
+        reason: "eval of dynamic content requires human approval (bash-safe shield)"
+      }
+    ],
+    dangerousWords: []
+  },
   filesystem: {
     name: "filesystem",
     description: "Protects the local filesystem from dangerous AI operations",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -75,6 +75,7 @@
     "picomatch": "^4.0.3",
     "safe-regex2": "^5.1.0",
     "sh-syntax": "^0.5.8",
+    "smol-toml": "^1.6.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {