@node9/proxy 1.7.0 → 1.8.2

package/README.md CHANGED
@@ -203,20 +203,73 @@ Secrets are **never logged in full** — the audit trail stores only a redacted
203
203
 
204
204
  Shields add protection for specific infrastructure and services — only relevant if you actually use them.
205
205
 
206
+ **Builtin shields** (ship with every install):
207
+
206
208
  | Shield | What it protects |
207
- | :----------- | :-------------------------------------------------------------------------------------------------------------- |
209
+ | :----------- | :-------------------------------------------------------------------------------------------------------------- | -------------------------------- | --------------------------------- |
208
210
  | `postgres` | Hard-blocks `DROP TABLE`, `TRUNCATE`, `DROP COLUMN` (upgrades Layer 1 review → block); reviews `GRANT`/`REVOKE` |
209
211
  | `github` | Blocks `gh repo delete`; reviews remote branch deletion |
210
212
  | `aws` | Blocks S3 bucket deletion, EC2 termination; reviews IAM changes, RDS deletion |
213
+ | `bash-safe` | Blocks pipe-to-shell (`curl | bash`), obfuscated exec (`base64 | sh`), `rm -rf /`, raw disk writes |
211
214
  | `filesystem` | Reviews `chmod 777`, writes to `/etc/` |
212
215
 
213
216
  ```bash
214
217
  node9 shield enable postgres # protect your database
215
218
  node9 shield enable aws # protect your cloud infrastructure
216
- node9 shield list # see all available shields
219
+ node9 shield list # see all builtin shields
220
+ node9 shield list --community # browse the community marketplace
217
221
  node9 shield status # see what's currently active
218
222
  ```
219
223
 
224
+ #### Community Marketplace
225
+
226
+ Browse and install shields published by the community:
227
+
228
+ ```bash
229
+ node9 shield list --community # see what's available
230
+ node9 shield install k8s # download to ~/.node9/shields/k8s.json
231
+ node9 shield enable k8s # activate it
232
+ ```
233
+
234
+ Installed shields are validated against the same schema as builtins and stored in `~/.node9/shields/`. They're picked up automatically on the next daemon start.
235
+
236
+ #### Custom (Private) Shields
237
+
238
+ Drop a JSON file directly into `~/.node9/shields/` to create a private shield — no install command needed:
239
+
240
+ ```json
241
+ // ~/.node9/shields/my-company.json
242
+ {
243
+ "name": "my-company",
244
+ "description": "Blocks ops our security team disallows",
245
+ "aliases": ["corp"],
246
+ "smartRules": [
247
+ {
248
+ "name": "shield:my-company:block-prod-deploy",
249
+ "tool": "bash",
250
+ "conditions": [{ "field": "command", "op": "matches", "value": "kubectl.*production" }],
251
+ "verdict": "block",
252
+ "reason": "Production deploys require a change ticket"
253
+ }
254
+ ],
255
+ "dangerousWords": []
256
+ }
257
+ ```
258
+
259
+ ```bash
260
+ node9 shield enable my-company
261
+ ```
262
+
263
+ #### Per-rule overrides
264
+
265
+ Tune individual rules within an active shield without disabling the whole shield:
266
+
267
+ ```bash
268
+ node9 shield set aws review-rds-delete block # escalate review → block
269
+ node9 shield set postgres block-drop-table review --force # downgrade block → review (requires --force)
270
+ node9 shield unset postgres block-drop-table # restore the default
271
+ ```
272
+
220
273
  ### 🔓 Trusted Hosts
221
274
 
222
275
  Node9 blocks any pipe-chain that sends sensitive files to the network. If the destination is **your own internal API or logging service**, that friction is unnecessary. Trusted hosts let you declare known-safe destinations:
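Review bot: The delimiter row of the builtin shields table now declares four columns (two extra `| --- |` cells were appended) while the header and the data rows still have two, and the likely cause is the unescaped pipes in the new `bash-safe` row (`curl | bash`, `base64 | sh`), which a Markdown table parser reads as cell separators. Escape those pipes as `\|` and restore the two-column delimiter so the row renders as written. Separately, the custom shield example is fenced as `json` but opens with a `// ~/.node9/shields/my-company.json` comment, which is not valid JSON; since the text tells readers to drop the file in directly, move the path into the surrounding prose. The marketplace paragraph says installed shields are "validated against the same schema as builtins"; it should also state whether anything beyond schema validation (source, integrity) is checked before a downloaded shield is picked up on the next daemon start.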
@@ -626,24 +679,31 @@ When the daemon is not running the HUD shows `🛡 node9 | offline` instead of a
626
679
 
627
680
  ## 🖥️ CLI Reference
628
681
 
629
- | Command | Description |
630
- | :----------------------------------- | :------------------------------------------------------------------------------------ |
631
- | `node9 setup` | Interactive menu — detects installed agents and wires hooks for you |
632
- | `node9 addto <agent>` | Wire hooks for a specific agent (`claude`, `gemini`, `cursor`) |
633
- | `node9 setup hud` | Add the node9 security statusline to Claude Code (also done automatically by `init`) |
634
- | `node9 init` | Create default config, wire detected agents, and set up the HUD |
635
- | `node9 status` | Show current protection status and active rules |
636
- | `node9 doctor` | Health check — verifies binaries, config, credentials, and all agent hooks |
637
- | `node9 shield <cmd>` | Manage shields (`enable`, `disable`, `list`, `status`) |
638
- | `node9 trust add <host>` | Add a host to the trusted list — pipe-chain blocks to this host are downgraded |
639
- | `node9 trust remove <host>` | Remove a trusted host |
640
- | `node9 trust list` | Show all trusted hosts |
641
- | `node9 tail [--history]` | Stream live agent activity to the terminal (auto-starts daemon if needed) |
642
- | `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt) |
643
- | `node9 undo [--steps N]` | Revert the last N AI file edits using shadow Git snapshots |
644
- | `node9 mcp-gateway --upstream <cmd>` | Wrap an MCP server with Node9 security — intercepts every tool call |
645
- | `node9 mcp-server` | Run the Node9 MCP server exposes undo and other tools to Claude, Cursor, and Gemini |
646
- | `node9 check` | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
682
+ | Command | Description |
683
+ | :------------------------------------------- | :------------------------------------------------------------------------------------ |
684
+ | `node9 setup` | Interactive menu — detects installed agents and wires hooks for you |
685
+ | `node9 addto <agent>` | Wire hooks for a specific agent (`claude`, `gemini`, `cursor`) |
686
+ | `node9 setup hud` | Add the node9 security statusline to Claude Code (also done automatically by `init`) |
687
+ | `node9 init` | Create default config, wire detected agents, and set up the HUD |
688
+ | `node9 status` | Show current protection status and active rules |
689
+ | `node9 doctor` | Health check — verifies binaries, config, credentials, and all agent hooks |
690
+ | `node9 shield enable <name>` | Activate a shield |
691
+ | `node9 shield disable <name>` | Deactivate a shield |
692
+ | `node9 shield list` | Show builtin shields and their enable/disable status |
693
+ | `node9 shield list --community` | Browse the community marketplace |
694
+ | `node9 shield install <name>` | Download a community shield to `~/.node9/shields/` |
695
+ | `node9 shield status` | Show active shields with per-rule verdicts and any overrides |
696
+ | `node9 shield set <shield> <rule> <verdict>` | Override a rule verdict (`block`, `review`, `allow --force`) |
697
+ | `node9 shield unset <shield> <rule>` | Remove a rule override, restoring the shield default |
698
+ | `node9 trust add <host>` | Add a host to the trusted list pipe-chain blocks to this host are downgraded |
699
+ | `node9 trust remove <host>` | Remove a trusted host |
700
+ | `node9 trust list` | Show all trusted hosts |
701
+ | `node9 tail [--history]` | Stream live agent activity to the terminal (auto-starts daemon if needed) |
702
+ | `node9 explain <tool> [args]` | Trace the policy waterfall for a given tool call (dry-run, no approval prompt) |
703
+ | `node9 undo [--steps N]` | Revert the last N AI file edits using shadow Git snapshots |
704
+ | `node9 mcp-gateway --upstream <cmd>` | Wrap an MCP server with Node9 security — intercepts every tool call |
705
+ | `node9 mcp-server` | Run the Node9 MCP server — exposes undo and other tools to Claude, Cursor, and Gemini |
706
+ | `node9 check` | Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
647
707
 
648
708
  ### `node9 doctor`
649
709
 
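Review bot: In the reformatted CLI table, the `node9 trust add <host>` row lost its separator: the description now reads "Add a host to the trusted list pipe-chain blocks to this host are downgraded", where the removed row had a dash between the two clauses, so restore it. Also, the `node9 shield set` row gives the verdicts as (`block`, `review`, `allow --force`), which suggests `--force` applies only to `allow`, while the per-rule overrides example earlier in this README change uses `--force` to downgrade block to review; document one rule for when `--force` is required.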
@@ -710,7 +770,8 @@ This can happen when the daemon's PID file (`~/.node9/daemon.pid`) is missing
710
770
  - [x] **Native OS Dialogs** (Sub-second approval via Mac/Win/Linux system windows)
711
771
  - [x] **Shadow Git Snapshots** (1-click Undo for AI hallucinations)
712
772
  - [x] **Identity-Aware Execution** (Differentiates between Human vs. AI risk levels)
713
- - [x] **Shield Templates** (`node9 shield enable <service>` — one-click protection for Postgres, GitHub, AWS)
773
+ - [x] **Shield Templates** (`node9 shield enable <service>` — one-click protection for Postgres, GitHub, AWS, bash-safe, filesystem)
774
+ - [x] **Shields Marketplace** (`node9 shield list --community`, `node9 shield install <name>` — community-published shields + private custom shields in `~/.node9/shields/`)
714
775
  - [x] **Content Scanner / DLP** (Detect and block secrets like AWS keys and Bearer tokens in-flight)
715
776
  - [x] **Flight Recorder** (Real-time activity stream in browser dashboard and `node9 tail` terminal view)
716
777
  - [x] **Universal MCP Gateway** (Transparent stdio proxy — wraps any MCP server for any AI agent: `node9 mcp-gateway --upstream <cmd>`)
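Review bot: The Shield Templates line still uses the placeholder `<service>`, but the CLI reference in this same change uses `node9 shield enable <name>`, and the newly listed `bash-safe` and `filesystem` are not services. Use `<name>` here as well so the roadmap entry and the CLI table agree.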