@node9/proxy 1.7.0 → 1.8.2

package/dist/cli.mjs

@@ -250,6 +250,70 @@ import fs2 from "fs";
 import path2 from "path";
 import os2 from "os";
 import crypto from "crypto";
+function validateShieldDefinition(raw, filePath) {
+  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+    process.stderr.write(`[node9] Shield file is not an object: ${filePath}
+`);
+    return null;
+  }
+  const r = raw;
+  if (typeof r.name !== "string" || !r.name) {
+    process.stderr.write(`[node9] Shield file missing 'name': ${filePath}
+`);
+    return null;
+  }
+  if (typeof r.description !== "string") {
+    process.stderr.write(`[node9] Shield file missing 'description': ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.aliases)) {
+    process.stderr.write(`[node9] Shield file missing 'aliases' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.smartRules)) {
+    process.stderr.write(`[node9] Shield file missing 'smartRules' array: ${filePath}
+`);
+    return null;
+  }
+  if (!Array.isArray(r.dangerousWords)) {
+    process.stderr.write(`[node9] Shield file missing 'dangerousWords' array: ${filePath}
+`);
+    return null;
+  }
+  return r;
+}
+function loadShieldsFromDir(dir, label) {
+  const result = {};
+  let entries;
+  try {
+    entries = fs2.readdirSync(dir).filter((f) => f.endsWith(".json"));
+  } catch (err2) {
+    if (err2.code !== "ENOENT") {
+      process.stderr.write(`[node9] Could not read ${label} shields dir ${dir}: ${String(err2)}
+`);
+    }
+    return result;
+  }
+  for (const file of entries) {
+    const filePath = path2.join(dir, file);
+    try {
+      const raw = JSON.parse(fs2.readFileSync(filePath, "utf-8"));
+      const shield = validateShieldDefinition(raw, filePath);
+      if (shield) result[shield.name] = shield;
+    } catch (err2) {
+      process.stderr.write(`[node9] Failed to load ${label} shield ${file}: ${String(err2)}
+`);
+    }
+  }
+  return result;
+}
+function buildSHIELDS() {
+  const builtins = loadShieldsFromDir(BUILTIN_DIR, "builtin");
+  const userShields = loadShieldsFromDir(USER_SHIELDS_DIR, "user");
+  return { ...builtins, ...userShields };
+}
 function resolveShieldName(input) {
   const lower = input.toLowerCase();
   if (SHIELDS[lower]) return lower;
@@ -356,177 +420,30 @@ function resolveShieldRule(shieldName, identifier) {
   }
   return null;
 }
-var SHIELDS, SHIELDS_STATE_FILE;
+function installShield(name, shieldJson) {
+  if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+    throw new Error(
+      `Invalid shield name '${name}': only alphanumeric characters, hyphens, and underscores are allowed`
+    );
+  }
+  const shield = validateShieldDefinition(shieldJson, `<downloaded:${name}>`);
+  if (!shield) throw new Error(`Downloaded shield '${name}' failed validation`);
+  if (shield.name !== name) {
+    throw new Error(`Shield name mismatch: file declares '${shield.name}' but expected '${name}'`);
+  }
+  fs2.mkdirSync(USER_SHIELDS_DIR, { recursive: true });
+  const filePath = path2.join(USER_SHIELDS_DIR, `${name}.json`);
+  const tmp = `${filePath}.${crypto.randomBytes(6).toString("hex")}.tmp`;
+  fs2.writeFileSync(tmp, JSON.stringify(shieldJson, null, 2), { mode: 384 });
+  fs2.renameSync(tmp, filePath);
+}
+var BUILTIN_DIR, USER_SHIELDS_DIR, SHIELDS, SHIELDS_STATE_FILE;
 var init_shields = __esm({
   "src/shields.ts"() {
     "use strict";
-    SHIELDS = {
-      postgres: {
-        name: "postgres",
-        description: "Protects PostgreSQL databases from destructive AI operations",
-        aliases: ["pg", "postgresql"],
-        smartRules: [
-          {
-            name: "shield:postgres:block-drop-table",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
-            verdict: "block",
-            reason: "DROP TABLE is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:block-truncate",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
-            verdict: "block",
-            reason: "TRUNCATE is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:block-drop-column",
-            tool: "*",
-            conditions: [
-              { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
-            ],
-            verdict: "block",
-            reason: "DROP COLUMN is irreversible \u2014 blocked by Postgres shield"
-          },
-          {
-            name: "shield:postgres:review-grant-revoke",
-            tool: "*",
-            conditions: [{ field: "sql", op: "matches", value: "\\b(GRANT|REVOKE)\\b", flags: "i" }],
-            verdict: "review",
-            reason: "Permission changes require human approval (Postgres shield)"
-          }
-        ],
-        dangerousWords: ["dropdb", "pg_dropcluster"]
-      },
-      github: {
-        name: "github",
-        description: "Protects GitHub repositories from destructive AI operations",
-        aliases: ["git"],
-        smartRules: [
-          {
-            // Note: git branch -d/-D is already caught by the built-in review-git-destructive rule.
-            // This rule adds coverage for `git push --delete` which the built-in does not match.
-            name: "shield:github:review-delete-branch-remote",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "git\\s+push\\s+.*--delete",
-                flags: "i"
-              }
-            ],
-            verdict: "review",
-            reason: "Remote branch deletion requires human approval (GitHub shield)"
-          },
-          {
-            name: "shield:github:block-delete-repo",
-            tool: "*",
-            conditions: [
-              { field: "command", op: "matches", value: "gh\\s+repo\\s+delete", flags: "i" }
-            ],
-            verdict: "block",
-            reason: "Repository deletion is irreversible \u2014 blocked by GitHub shield"
-          }
-        ],
-        dangerousWords: []
-      },
-      aws: {
-        name: "aws",
-        description: "Protects AWS infrastructure from destructive AI operations",
-        aliases: ["amazon"],
-        smartRules: [
-          {
-            name: "shield:aws:block-delete-s3-bucket",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "S3 bucket deletion is irreversible \u2014 blocked by AWS shield"
-          },
-          {
-            name: "shield:aws:review-iam-changes",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
-                flags: "i"
-              }
-            ],
-            verdict: "review",
-            reason: "IAM changes require human approval (AWS shield)"
-          },
-          {
-            name: "shield:aws:block-ec2-terminate",
-            tool: "*",
-            conditions: [
-              {
-                field: "command",
-                op: "matches",
-                value: "aws\\s+ec2\\s+terminate-instances",
-                flags: "i"
-              }
-            ],
-            verdict: "block",
-            reason: "EC2 instance termination is irreversible \u2014 blocked by AWS shield"
-          },
-          {
-            name: "shield:aws:review-rds-delete",
-            tool: "*",
-            conditions: [
-              { field: "command", op: "matches", value: "aws\\s+rds\\s+delete-", flags: "i" }
-            ],
-            verdict: "review",
-            reason: "RDS deletion requires human approval (AWS shield)"
-          }
-        ],
-        dangerousWords: []
-      },
-      filesystem: {
-        name: "filesystem",
-        description: "Protects the local filesystem from dangerous AI operations",
-        aliases: ["fs"],
-        smartRules: [
-          {
-            name: "shield:filesystem:review-chmod-777",
-            tool: "bash",
-            conditions: [
-              { field: "command", op: "matches", value: "chmod\\s+(777|a\\+rwx)", flags: "i" }
-            ],
-            verdict: "review",
-            reason: "chmod 777 requires human approval (filesystem shield)"
-          },
-          {
-            name: "shield:filesystem:review-write-etc",
-            tool: "bash",
-            conditions: [
-              {
-                field: "command",
-                // Narrow to write-indicative operations to avoid approval fatigue on reads.
-                // Matches: tee /etc/*, cp .../etc/*, mv .../etc/*, > /etc/*, install .../etc/*
-                op: "matches",
-                value: "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
-              }
-            ],
-            verdict: "review",
-            reason: "Writing to /etc requires human approval (filesystem shield)"
-          }
-        ],
-        // dd removed: too common as a legitimate tool (disk imaging, file ops).
-        // mkfs removed: already in the built-in DANGEROUS_WORDS baseline.
-        // wipefs retained: rarely legitimate in an agent context and not in built-ins.
-        dangerousWords: ["wipefs"]
-      }
-    };
+    BUILTIN_DIR = path2.join(__dirname, "shields", "builtin");
+    USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");
+    SHIELDS = buildSHIELDS();
     SHIELDS_STATE_FILE = path2.join(os2.homedir(), ".node9", "shields.json");
   }
 });
@@ -2503,7 +2420,7 @@ function isDaemonRunning() {
     return false;
   }
 }
-async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly) {
+async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityId, cwd, recoveryCommand, skipBackgroundAuth, viewOnly, localSmartRuleMatched) {
   const base = `http://${DAEMON_HOST}:${DAEMON_PORT}`;
   const ctrl = new AbortController();
   const timer = setTimeout(() => ctrl.abort(), 5e3);
@@ -2524,7 +2441,8 @@ async function registerDaemonEntry(toolName, args, meta, riskMetadata, activityI
         ...cwd && { cwd },
         ...recoveryCommand && { recoveryCommand },
         ...skipBackgroundAuth && { skipBackgroundAuth: true },
-        ...viewOnly && { viewOnly: true }
+        ...viewOnly && { viewOnly: true },
+        ...localSmartRuleMatched && { localSmartRuleMatched: true }
       }),
       signal: ctrl.signal
     });
@@ -3214,6 +3132,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let policyMatchedWord;
   let riskMetadata;
   let statefulRecoveryCommand;
+  let localSmartRuleMatched = false;
   let taintWarning = null;
   if (isNetworkTool(toolName, args)) {
     const filePaths = extractFilePaths(toolName, args);
@@ -3357,6 +3276,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     explainableLabel = policyResult.blockedByLabel || "Local Config";
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
+    if (policyResult.ruleName) localSmartRuleMatched = true;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -3399,22 +3319,26 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced) {
+  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     try {
       const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
         }
-        return {
-          approved: !!initResult.approved,
-          reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
-          checkedBy: initResult.approved ? "cloud" : void 0,
-          blockedBy: initResult.approved ? void 0 : "team-policy",
-          blockedByLabel: "Organization Policy (SaaS)"
-        };
+        if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+          return {
+            approved: !!initResult.approved,
+            reason: initResult.reason || (initResult.approved ? void 0 : "Action rejected by organization policy."),
+            checkedBy: initResult.approved ? "cloud" : void 0,
+            blockedBy: initResult.approved ? void 0 : "team-policy",
+            blockedByLabel: "Organization Policy (SaaS)"
+          };
+        }
+      }
+      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
+        cloudRequestId = initResult.requestId || null;
       }
-      cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -3460,7 +3384,10 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           riskMetadata,
           options?.activityId,
           options?.cwd,
-          statefulRecoveryCommand
+          statefulRecoveryCommand,
+          void 0,
+          void 0,
+          localSmartRuleMatched || options?.localSmartRuleMatched
         );
         daemonEntryId = entry.id;
         daemonAllowCount = entry.allowCount;
@@ -3468,7 +3395,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId) {
+  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
     racePromises.push(
       (async () => {
         try {
@@ -6135,7 +6062,8 @@ data: ${JSON.stringify(item.data)}
           viewOnly = false,
           fromCLI = false,
           activityId,
-          cwd
+          cwd,
+          localSmartRuleMatched = false
         } = JSON.parse(body);
         const id = fromCLI && typeof activityId === "string" && activityId || randomUUID4();
         const entry = {
@@ -6215,7 +6143,7 @@ data: ${JSON.stringify(item.data)}
             agent: typeof agent === "string" ? agent : void 0,
             mcpServer: typeof mcpServer === "string" ? mcpServer : void 0
           },
-          { calledFromDaemon: true }
+          { calledFromDaemon: true, localSmartRuleMatched: !!localSmartRuleMatched }
         ).then((result) => {
           const e = pending.get(id);
           if (!e) return;
@@ -7052,6 +6980,7 @@ async function startTail(options = {}) {
   }
   const connectionTime = Date.now();
   const activityPending = /* @__PURE__ */ new Map();
+  const orphanedResults = /* @__PURE__ */ new Map();
   let csrfToken = "";
   const approvalQueue = [];
   let cardActive = false;
@@ -7386,9 +7315,14 @@ async function startTail(options = {}) {
         renderResult(data, data);
         return;
       }
+      const orphaned = orphanedResults.get(data.id);
+      if (orphaned) {
+        orphanedResults.delete(data.id);
+        renderResult(data, orphaned);
+        return;
+      }
       activityPending.set(data.id, data);
-      const slowTool = /bash|shell|query|sql|agent/i.test(data.tool);
-      if (slowTool) renderPending(data);
+      renderPending(data);
     }
     if (event === "snapshot") {
       const time = new Date(data.ts).toLocaleTimeString([], { hour12: false });
@@ -7407,6 +7341,8 @@ async function startTail(options = {}) {
       if (original) {
         renderResult(original, data);
         activityPending.delete(data.id);
+      } else {
+        orphanedResults.set(data.id, data);
       }
     }
   }
@@ -7646,6 +7582,29 @@ function renderOffline() {
   process.stdout.write(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")} ${dim("|")} ${dim("offline")}
 `);
 }
+function readActiveShieldsHud() {
+  const now = Date.now();
+  if (shieldsCache && now - shieldsCache.ts < SHIELDS_CACHE_TTL_MS) {
+    return shieldsCache.value;
+  }
+  try {
+    const shieldsPath = path29.join(os22.homedir(), ".node9", "shields.json");
+    if (!fs26.existsSync(shieldsPath)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const parsed = JSON.parse(fs26.readFileSync(shieldsPath, "utf-8"));
+    if (!Array.isArray(parsed.active)) {
+      shieldsCache = { value: [], ts: now };
+      return [];
+    }
+    const value = parsed.active.filter((s) => typeof s === "string").map((s) => s.slice(0, 64)).slice(0, 20);
+    shieldsCache = { value, ts: now };
+    return value;
+  } catch {
+    return [];
+  }
+}
 function renderSecurityLine(status) {
   const parts = [];
   parts.push(`${color(BLUE, "\u{1F6E1}")} ${bold("node9")}`);
@@ -7663,6 +7622,18 @@ function renderSecurityLine(status) {
   };
   const mc = modeColors[status.mode] ?? WHITE;
   parts.push(`${dim("|")} ${color(mc, modeIcon[status.mode] ?? "")}${color(mc, status.mode)}`);
+  const activeShields = readActiveShieldsHud();
+  if (activeShields.length > 0) {
+    const shieldAbbrevs = {
+      "bash-safe": "bash",
+      filesystem: "fs",
+      postgres: "pg",
+      github: "gh",
+      aws: "aws"
+    };
+    const labels = activeShields.map((s) => shieldAbbrevs[s] ?? s).join(" ");
+    parts.push(color(DIM, `[${labels}]`));
+  }
   if (status.mode === "observe") {
     parts.push(`${dim("|")} ${color(GREEN2, `\u2705 ${status.session.allowed} passed`)}`);
     if (status.session.wouldBlock > 0) {
@@ -7759,7 +7730,7 @@ async function main() {
     renderOffline();
   }
 }
-var RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH;
+var RESET3, BOLD3, DIM, RED2, GREEN2, YELLOW2, BLUE, MAGENTA, CYAN2, WHITE, BAR_FILLED, BAR_EMPTY, BAR_WIDTH, shieldsCache, SHIELDS_CACHE_TTL_MS;
 var init_hud = __esm({
   "src/cli/hud.ts"() {
     "use strict";
@@ -7777,6 +7748,8 @@ var init_hud = __esm({
     BAR_FILLED = "\u2588";
     BAR_EMPTY = "\u2591";
     BAR_WIDTH = 10;
+    shieldsCache = null;
+    SHIELDS_CACHE_TTL_MS = 2e3;
   }
 });
 
@@ -7790,6 +7763,7 @@ import path14 from "path";
 import os10 from "os";
 import chalk from "chalk";
 import { confirm } from "@inquirer/prompts";
+import { parse as parseToml, stringify as stringifyToml } from "smol-toml";
 var NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
 function hasNode9McpServer(servers) {
   const entry = servers["node9"];
@@ -8153,7 +8127,8 @@ function detectAgents(homeDir2 = os10.homedir()) {
   return {
     claude: exists(path14.join(homeDir2, ".claude")) || exists(path14.join(homeDir2, ".claude.json")),
     gemini: exists(path14.join(homeDir2, ".gemini")),
-    cursor: exists(path14.join(homeDir2, ".cursor"))
+    cursor: exists(path14.join(homeDir2, ".cursor")),
+    codex: exists(path14.join(homeDir2, ".codex"))
   };
 }
 async function setupCursor() {
@@ -8218,6 +8193,82 @@ async function setupCursor() {
     printDaemonTip();
   }
 }
+function readToml(filePath) {
+  try {
+    if (fs11.existsSync(filePath)) {
+      return parseToml(fs11.readFileSync(filePath, "utf-8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function writeToml(filePath, data) {
+  const dir = path14.dirname(filePath);
+  if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
+  fs11.writeFileSync(filePath, stringifyToml(data));
+}
+async function setupCodex() {
+  const homeDir2 = os10.homedir();
+  const configPath = path14.join(homeDir2, ".codex", "config.toml");
+  const config = readToml(configPath) ?? {};
+  const servers = config.mcp_servers ?? {};
+  let anythingChanged = false;
+  if (!hasNode9McpServer(servers)) {
+    servers["node9"] = NODE9_MCP_SERVER_ENTRY;
+    config.mcp_servers = servers;
+    writeToml(configPath, config);
+    console.log(chalk.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    anythingChanged = true;
+  }
+  const serversToWrap = [];
+  for (const [name, server] of Object.entries(servers)) {
+    if (!server.command || server.command === "node9") continue;
+    const parts = [server.command, ...server.args ?? []];
+    serversToWrap.push({ name, originalCmd: parts.join(" "), parts });
+  }
+  if (serversToWrap.length > 0) {
+    console.log(chalk.bold("The following existing entries will be modified:\n"));
+    console.log(chalk.white(`  ${configPath}`));
+    for (const { name, originalCmd } of serversToWrap) {
+      console.log(chalk.gray(`    \u2022 ${name}: "${originalCmd}" \u2192 node9 ${originalCmd}`));
+    }
+    console.log("");
+    const proceed = await confirm({ message: "Wrap these MCP servers?", default: true });
+    if (proceed) {
+      for (const { name, parts } of serversToWrap) {
+        servers[name] = { ...servers[name], command: "node9", args: parts };
+      }
+      config.mcp_servers = servers;
+      writeToml(configPath, config);
+      console.log(chalk.green(`
+  \u2705 ${serversToWrap.length} MCP server(s) wrapped`));
+      anythingChanged = true;
+    } else {
+      console.log(chalk.yellow("  Skipped MCP server wrapping."));
+    }
+    console.log("");
+  }
+  console.log(
+    chalk.yellow(
+      "  \u26A0\uFE0F  Note: Codex does not yet support native pre-execution hooks.\n     MCP proxy wrapping is the only supported protection mode for Codex.\n     Native bash and file operations are not monitored."
+    )
+  );
+  console.log("");
+  if (!anythingChanged && serversToWrap.length === 0) {
+    console.log(
+      chalk.blue(
+        "\u2139\uFE0F  No MCP servers found to wrap. Add MCP servers to ~/.codex/config.toml and re-run."
+      )
+    );
+    printDaemonTip();
+    return;
+  }
+  if (anythingChanged) {
+    console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Codex via MCP proxy!"));
+    console.log(chalk.gray("    Restart Codex for changes to take effect."));
+    printDaemonTip();
+  }
+}
 function setupHud() {
   const homeDir2 = os10.homedir();
   const hooksPath = path14.join(homeDir2, ".claude", "settings.json");
@@ -8935,7 +8986,7 @@ RAW: ${raw}
               }
             }) + "\n"
           );
-          process.exit(0);
+          process.exit(2);
         };
         if (!toolName) {
           sendBlock("Node9: unrecognised hook payload \u2014 tool name missing.");
@@ -9170,6 +9221,27 @@ init_shields();
 init_audit();
 init_config();
 import chalk6 from "chalk";
+
+// src/utils/https-fetch.ts
+import https from "https";
+function httpsFetch(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, (res) => {
+      if (res.statusCode !== 200) {
+        reject(new Error(`HTTP ${String(res.statusCode)} for ${url}`));
+        res.resume();
+        return;
+      }
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+      res.on("error", reject);
+    }).on("error", reject);
+  });
+}
+
+// src/cli/commands/shield.ts
+var COMMUNITY_INDEX_URL = "https://raw.githubusercontent.com/node9ai/node9-proxy/main/shields/community/index.json";
 function registerShieldCommand(program2) {
   const shieldCmd = program2.command("shield").description("Manage pre-packaged security shield templates");
   shieldCmd.command("enable <service>").description("Enable a security shield for a specific service").action((service) => {
@@ -9229,7 +9301,32 @@ function registerShieldCommand(program2) {
 \u{1F6E1}\uFE0F  Shield "${name}" disabled.
 `));
   });
-  shieldCmd.command("list").description("Show all available shields").action(() => {
+  shieldCmd.command("list").description("Show available shields (add --community to browse the marketplace)").option("--community", "List shields available from the community marketplace").action((opts) => {
+    if (opts.community) {
+      console.log(chalk6.bold("\n\u{1F6E1}\uFE0F  Community Shield Marketplace\n"));
+      console.log(chalk6.gray("  Fetching index\u2026\n"));
+      httpsFetch(COMMUNITY_INDEX_URL).then((body) => {
+        const entries = JSON.parse(body);
+        const installed = new Set(listShields().map((s) => s.name));
+        for (const e of entries) {
+          const tag = installed.has(e.name) ? chalk6.green("installed") : chalk6.gray("available");
+          console.log(
+            `  ${tag}  ${chalk6.cyan(e.name.padEnd(12))} ${e.description}  ${chalk6.gray(`by ${e.author}`)}`
+          );
+        }
+        console.log("");
+        console.log(
+          chalk6.gray(`  Install a shield: ${chalk6.cyan("node9 shield install <name>")}
+`)
+        );
+      }).catch((err2) => {
+        console.error(chalk6.red(`
+\u274C Could not fetch community index: ${String(err2)}
+`));
+        process.exit(1);
+      });
+      return;
+    }
     const active = new Set(readActiveShields());
     console.log(chalk6.bold("\n\u{1F6E1}\uFE0F  Available Shields\n"));
     for (const shield of listShields()) {
@@ -9239,6 +9336,10 @@ function registerShieldCommand(program2) {
         console.log(chalk6.gray(`              aliases: ${shield.aliases.join(", ")}`));
     }
     console.log("");
+    console.log(
+      chalk6.gray(`  Browse community shields: ${chalk6.cyan("node9 shield list --community")}
+`)
+    );
   });
   shieldCmd.command("status").description("Show active shields and their individual rules with verdicts").action(() => {
     const active = readActiveShields();
@@ -9376,6 +9477,52 @@ function registerShieldCommand(program2) {
 `)
     );
   });
+  shieldCmd.command("install <name>").description("Install a shield from the community marketplace into ~/.node9/shields/").action((name) => {
+    if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+      console.error(
+        chalk6.red(
+          `
+\u274C Invalid shield name: only alphanumeric characters, hyphens, and underscores are allowed
+`
+        )
+      );
+      process.exit(1);
+    }
+    console.log(chalk6.bold(`
+\u{1F6E1}\uFE0F  Installing shield "${name}"\u2026
+`));
+    httpsFetch(COMMUNITY_INDEX_URL).then((indexBody) => {
+      const entries = JSON.parse(indexBody);
+      const entry = entries.find((e) => e.name === name);
+      if (!entry) {
+        const names = entries.map((e) => chalk6.cyan(e.name)).join(", ");
+        console.error(
+          chalk6.red(`\u274C Shield "${name}" not found in the community marketplace.
+`)
+        );
+        console.error(`  Available: ${names}
+`);
+        process.exit(1);
+      }
+      return httpsFetch(entry.url);
+    }).then((shieldBody) => {
+      const shieldJson = JSON.parse(shieldBody);
+      installShield(name, shieldJson);
+      console.log(
+        chalk6.green(`\u2705  Shield "${name}" installed to ~/.node9/shields/${name}.json`)
+      );
+      console.log(
+        chalk6.gray(`   Activate it with: ${chalk6.cyan(`node9 shield enable ${name}`)}
+`)
+      );
+      appendConfigAudit({ event: "shield-install", shield: name });
+    }).catch((err2) => {
+      console.error(chalk6.red(`
+\u274C Install failed: ${String(err2)}
+`));
+      process.exit(1);
+    });
+  });
 }
 function registerConfigShowCommand(program2) {
   program2.command("config show").description(
@@ -9910,7 +10057,9 @@ import chalk11 from "chalk";
 import fs23 from "fs";
 import path25 from "path";
 import os19 from "os";
-import https from "https";
+import https2 from "https";
+init_shields();
+var DEFAULT_SHIELDS = ["bash-safe", "filesystem", "postgres"];
 function fireTelemetryPing(agents) {
   try {
     const body = JSON.stringify({
@@ -9919,7 +10068,7 @@ function fireTelemetryPing(agents) {
       os: process.platform,
       node9_version: process.env.npm_package_version ?? "unknown"
     });
-    const req = https.request(
+    const req = https2.request(
       {
         hostname: "api.node9.ai",
         path: "/api/v1/telemetry",
@@ -9953,7 +10102,17 @@ function registerInitCommand(program2) {
         message: "Enable recommended safety shields? (blocks rm -rf, SQL drops, pipe-to-shell)",
         default: true
       });
-      if (enableShields) chosenMode = "standard";
+      if (enableShields) {
+        chosenMode = "standard";
+        try {
+          const current = readActiveShields();
+          const merged = Array.from(/* @__PURE__ */ new Set([...current, ...DEFAULT_SHIELDS]));
+          const hasNewShields = DEFAULT_SHIELDS.some((s) => !current.includes(s));
+          if (hasNewShields) writeActiveShields(merged);
+        } catch (err2) {
+          console.log(chalk11.yellow(`  \u26A0\uFE0F  Could not update shields: ${String(err2)}`));
+        }
+      }
       console.log("");
     }
     const configPath = path25.join(os19.homedir(), ".node9", "config.json");
@@ -9991,9 +10150,9 @@ function registerInitCommand(program2) {
     );
     if (found.length === 0) {
       console.log(
-        chalk11.gray("No AI agents detected. Install Claude Code, Gemini CLI, or Cursor")
+        chalk11.gray("No AI agents detected. Install Claude Code, Gemini CLI, Cursor, or Codex")
       );
-      console.log(chalk11.gray("then run: node9 addto <claude|gemini|cursor>"));
+      console.log(chalk11.gray("then run: node9 addto <claude|gemini|cursor|codex>"));
       return;
     }
     console.log(chalk11.bold("Detected agents:"));
@@ -10006,6 +10165,7 @@ function registerInitCommand(program2) {
       if (agent === "claude") await setupClaude();
       else if (agent === "gemini") await setupGemini();
       else if (agent === "cursor") await setupCursor();
+      else if (agent === "codex") await setupCodex();
       console.log("");
     }
     {
@@ -10627,6 +10787,20 @@ var TOOLS = [
       required: ["service"]
     }
   },
+  {
+    name: "node9_shield_disable",
+    description: "Disable a node9 shield. Use node9_shield_list to see currently active shields.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: {
+          type: "string",
+          description: 'Shield name to disable (e.g. "postgres", "aws", "github", "filesystem").'
+        }
+      },
+      required: ["service"]
+    }
+  },
   {
     name: "node9_approver_list",
     description: "List all node9 approver channels and their current enabled/disabled state. Approvers are the channels through which node9 asks a human to approve risky tool calls. Channels: native (OS popup), browser (web UI), cloud (team policy server), terminal (stdin).",
@@ -10756,6 +10930,24 @@ function handleShieldEnable(args) {
   const shield = getShield(name);
   return `Shield "${name}" enabled \u2014 ${shield.smartRules.length} smart rule${shield.smartRules.length === 1 ? "" : "s"} now active.`;
 }
+function handleShieldDisable(args) {
+  const service = args.service;
+  if (typeof service !== "string" || !service) {
+    throw new Error("service is required");
+  }
+  const name = resolveShieldName(service);
+  if (!name) {
+    throw new Error(
+      `Unknown shield: "${service}". Run node9_shield_list to see available shields.`
+    );
+  }
+  const active = readActiveShields();
+  if (!active.includes(name)) {
+    return `Shield "${name}" is not active.`;
+  }
+  writeActiveShields(active.filter((s) => s !== name));
+  return `Shield "${name}" disabled.`;
+}
 var GLOBAL_CONFIG_PATH2 = path27.join(os20.homedir(), ".node9", "config.json");
 var APPROVER_CHANNELS = ["native", "browser", "cloud", "terminal"];
 function readGlobalConfigRaw() {
@@ -10884,6 +11076,8 @@ function runMcpServer() {
           text = handleShieldList();
         } else if (toolName === "node9_shield_enable") {
           text = handleShieldEnable(toolArgs);
+        } else if (toolName === "node9_shield_disable") {
+          text = handleShieldDisable(toolArgs);
         } else if (toolName === "node9_approver_list") {
           text = handleApproverList();
         } else if (toolName === "node9_approver_set") {