@node9/proxy 1.7.0 → 1.8.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +82 -21
- package/dist/cli.js +388 -194
- package/dist/cli.mjs +388 -194
- package/dist/index.js +89 -179
- package/dist/index.mjs +89 -179
- package/dist/shields/builtin/aws.json +59 -0
- package/dist/shields/builtin/bash-safe.json +78 -0
- package/dist/shields/builtin/filesystem.json +30 -0
- package/dist/shields/builtin/github.json +26 -0
- package/dist/shields/builtin/postgres.json +42 -0
- package/package.json +3 -2
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "aws",
|
|
3
|
+
"description": "Protects AWS infrastructure from destructive AI operations",
|
|
4
|
+
"aliases": ["amazon"],
|
|
5
|
+
"smartRules": [
|
|
6
|
+
{
|
|
7
|
+
"name": "shield:aws:block-delete-s3-bucket",
|
|
8
|
+
"tool": "*",
|
|
9
|
+
"conditions": [
|
|
10
|
+
{
|
|
11
|
+
"field": "command",
|
|
12
|
+
"op": "matches",
|
|
13
|
+
"value": "aws\\s+s3.*rb\\s|aws\\s+s3api\\s+delete-bucket",
|
|
14
|
+
"flags": "i"
|
|
15
|
+
}
|
|
16
|
+
],
|
|
17
|
+
"verdict": "block",
|
|
18
|
+
"reason": "S3 bucket deletion is irreversible — blocked by AWS shield"
|
|
19
|
+
},
|
|
20
|
+
{
|
|
21
|
+
"name": "shield:aws:review-iam-changes",
|
|
22
|
+
"tool": "*",
|
|
23
|
+
"conditions": [
|
|
24
|
+
{
|
|
25
|
+
"field": "command",
|
|
26
|
+
"op": "matches",
|
|
27
|
+
"value": "aws\\s+iam\\s+(create|delete|attach|detach|put|remove)",
|
|
28
|
+
"flags": "i"
|
|
29
|
+
}
|
|
30
|
+
],
|
|
31
|
+
"verdict": "review",
|
|
32
|
+
"reason": "IAM changes require human approval (AWS shield)"
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
"name": "shield:aws:block-ec2-terminate",
|
|
36
|
+
"tool": "*",
|
|
37
|
+
"conditions": [
|
|
38
|
+
{
|
|
39
|
+
"field": "command",
|
|
40
|
+
"op": "matches",
|
|
41
|
+
"value": "aws\\s+ec2\\s+terminate-instances",
|
|
42
|
+
"flags": "i"
|
|
43
|
+
}
|
|
44
|
+
],
|
|
45
|
+
"verdict": "block",
|
|
46
|
+
"reason": "EC2 instance termination is irreversible — blocked by AWS shield"
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
"name": "shield:aws:review-rds-delete",
|
|
50
|
+
"tool": "*",
|
|
51
|
+
"conditions": [
|
|
52
|
+
{ "field": "command", "op": "matches", "value": "aws\\s+rds\\s+delete-", "flags": "i" }
|
|
53
|
+
],
|
|
54
|
+
"verdict": "review",
|
|
55
|
+
"reason": "RDS deletion requires human approval (AWS shield)"
|
|
56
|
+
}
|
|
57
|
+
],
|
|
58
|
+
"dangerousWords": []
|
|
59
|
+
}
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "bash-safe",
|
|
3
|
+
"description": "Blocks high-risk bash patterns: pipe-to-shell, rm -rf /, disk overwrites, eval",
|
|
4
|
+
"aliases": ["bash", "shell"],
|
|
5
|
+
"smartRules": [
|
|
6
|
+
{
|
|
7
|
+
"name": "shield:bash-safe:block-pipe-to-shell",
|
|
8
|
+
"tool": "bash",
|
|
9
|
+
"conditions": [
|
|
10
|
+
{
|
|
11
|
+
"field": "command",
|
|
12
|
+
"op": "matches",
|
|
13
|
+
"value": "(curl|wget)\\s+[^|]*\\|\\s*(bash|sh|zsh|fish|python3?|ruby|perl|node)",
|
|
14
|
+
"flags": "i"
|
|
15
|
+
}
|
|
16
|
+
],
|
|
17
|
+
"verdict": "block",
|
|
18
|
+
"reason": "Pipe-to-shell is a common supply-chain attack vector — blocked by bash-safe shield"
|
|
19
|
+
},
|
|
20
|
+
{
|
|
21
|
+
"name": "shield:bash-safe:block-obfuscated-exec",
|
|
22
|
+
"tool": "bash",
|
|
23
|
+
"conditions": [
|
|
24
|
+
{
|
|
25
|
+
"field": "command",
|
|
26
|
+
"op": "matches",
|
|
27
|
+
"value": "base64\\s+(-d|--decode).*\\|\\s*(bash|sh|zsh)",
|
|
28
|
+
"flags": "i"
|
|
29
|
+
}
|
|
30
|
+
],
|
|
31
|
+
"verdict": "block",
|
|
32
|
+
"reason": "Obfuscated execution via base64 decode — blocked by bash-safe shield"
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
"name": "shield:bash-safe:block-rm-root",
|
|
36
|
+
"tool": "bash",
|
|
37
|
+
"conditions": [
|
|
38
|
+
{
|
|
39
|
+
"field": "command",
|
|
40
|
+
"op": "matches",
|
|
41
|
+
"value": "rm\\s+(-[a-zA-Z]*r[a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*r)[a-zA-Z]*\\s+(\\/|~|\\$HOME|\\$\\{HOME\\})\\s*$",
|
|
42
|
+
"flags": "i"
|
|
43
|
+
}
|
|
44
|
+
],
|
|
45
|
+
"verdict": "block",
|
|
46
|
+
"reason": "rm -rf of root or home directory is catastrophic — blocked by bash-safe shield"
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
"name": "shield:bash-safe:block-disk-overwrite",
|
|
50
|
+
"tool": "bash",
|
|
51
|
+
"conditions": [
|
|
52
|
+
{
|
|
53
|
+
"field": "command",
|
|
54
|
+
"op": "matches",
|
|
55
|
+
"value": "dd\\s+.*of=\\/dev\\/(sd|nvme|hd|vd|xvd)",
|
|
56
|
+
"flags": "i"
|
|
57
|
+
}
|
|
58
|
+
],
|
|
59
|
+
"verdict": "block",
|
|
60
|
+
"reason": "Writing directly to a block device is irreversible — blocked by bash-safe shield"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"name": "shield:bash-safe:review-eval",
|
|
64
|
+
"tool": "bash",
|
|
65
|
+
"conditions": [
|
|
66
|
+
{
|
|
67
|
+
"field": "command",
|
|
68
|
+
"op": "matches",
|
|
69
|
+
"value": "\\beval\\s+[\\$`(\"]",
|
|
70
|
+
"flags": "i"
|
|
71
|
+
}
|
|
72
|
+
],
|
|
73
|
+
"verdict": "review",
|
|
74
|
+
"reason": "eval of dynamic content requires human approval (bash-safe shield)"
|
|
75
|
+
}
|
|
76
|
+
],
|
|
77
|
+
"dangerousWords": []
|
|
78
|
+
}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "filesystem",
|
|
3
|
+
"description": "Protects the local filesystem from dangerous AI operations",
|
|
4
|
+
"aliases": ["fs"],
|
|
5
|
+
"smartRules": [
|
|
6
|
+
{
|
|
7
|
+
"name": "shield:filesystem:review-chmod-777",
|
|
8
|
+
"tool": "bash",
|
|
9
|
+
"conditions": [
|
|
10
|
+
{ "field": "command", "op": "matches", "value": "chmod\\s+(777|a\\+rwx)", "flags": "i" }
|
|
11
|
+
],
|
|
12
|
+
"verdict": "review",
|
|
13
|
+
"reason": "chmod 777 requires human approval (filesystem shield)"
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"name": "shield:filesystem:review-write-etc",
|
|
17
|
+
"tool": "bash",
|
|
18
|
+
"conditions": [
|
|
19
|
+
{
|
|
20
|
+
"field": "command",
|
|
21
|
+
"op": "matches",
|
|
22
|
+
"value": "(tee|\\bcp\\b|\\bmv\\b|install|>+)\\s+.*\\/etc\\/"
|
|
23
|
+
}
|
|
24
|
+
],
|
|
25
|
+
"verdict": "review",
|
|
26
|
+
"reason": "Writing to /etc requires human approval (filesystem shield)"
|
|
27
|
+
}
|
|
28
|
+
],
|
|
29
|
+
"dangerousWords": ["wipefs"]
|
|
30
|
+
}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "github",
|
|
3
|
+
"description": "Protects GitHub repositories from destructive AI operations",
|
|
4
|
+
"aliases": ["git"],
|
|
5
|
+
"smartRules": [
|
|
6
|
+
{
|
|
7
|
+
"name": "shield:github:review-delete-branch-remote",
|
|
8
|
+
"tool": "bash",
|
|
9
|
+
"conditions": [
|
|
10
|
+
{ "field": "command", "op": "matches", "value": "git\\s+push\\s+.*--delete", "flags": "i" }
|
|
11
|
+
],
|
|
12
|
+
"verdict": "review",
|
|
13
|
+
"reason": "Remote branch deletion requires human approval (GitHub shield)"
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"name": "shield:github:block-delete-repo",
|
|
17
|
+
"tool": "*",
|
|
18
|
+
"conditions": [
|
|
19
|
+
{ "field": "command", "op": "matches", "value": "gh\\s+repo\\s+delete", "flags": "i" }
|
|
20
|
+
],
|
|
21
|
+
"verdict": "block",
|
|
22
|
+
"reason": "Repository deletion is irreversible — blocked by GitHub shield"
|
|
23
|
+
}
|
|
24
|
+
],
|
|
25
|
+
"dangerousWords": []
|
|
26
|
+
}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "postgres",
|
|
3
|
+
"description": "Protects PostgreSQL databases from destructive AI operations",
|
|
4
|
+
"aliases": ["pg", "postgresql"],
|
|
5
|
+
"smartRules": [
|
|
6
|
+
{
|
|
7
|
+
"name": "shield:postgres:block-drop-table",
|
|
8
|
+
"tool": "*",
|
|
9
|
+
"conditions": [{ "field": "sql", "op": "matches", "value": "DROP\\s+TABLE", "flags": "i" }],
|
|
10
|
+
"verdict": "block",
|
|
11
|
+
"reason": "DROP TABLE is irreversible — blocked by Postgres shield"
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
"name": "shield:postgres:block-truncate",
|
|
15
|
+
"tool": "*",
|
|
16
|
+
"conditions": [
|
|
17
|
+
{ "field": "sql", "op": "matches", "value": "TRUNCATE\\s+TABLE", "flags": "i" }
|
|
18
|
+
],
|
|
19
|
+
"verdict": "block",
|
|
20
|
+
"reason": "TRUNCATE is irreversible — blocked by Postgres shield"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"name": "shield:postgres:block-drop-column",
|
|
24
|
+
"tool": "*",
|
|
25
|
+
"conditions": [
|
|
26
|
+
{ "field": "sql", "op": "matches", "value": "ALTER\\s+TABLE.*DROP\\s+COLUMN", "flags": "i" }
|
|
27
|
+
],
|
|
28
|
+
"verdict": "block",
|
|
29
|
+
"reason": "DROP COLUMN is irreversible — blocked by Postgres shield"
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"name": "shield:postgres:review-grant-revoke",
|
|
33
|
+
"tool": "*",
|
|
34
|
+
"conditions": [
|
|
35
|
+
{ "field": "sql", "op": "matches", "value": "\\b(GRANT|REVOKE)\\b", "flags": "i" }
|
|
36
|
+
],
|
|
37
|
+
"verdict": "review",
|
|
38
|
+
"reason": "Permission changes require human approval (Postgres shield)"
|
|
39
|
+
}
|
|
40
|
+
],
|
|
41
|
+
"dangerousWords": ["dropdb", "pg_dropcluster"]
|
|
42
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@node9/proxy",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.8.2",
|
|
4
4
|
"description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
|
|
5
5
|
"main": "./dist/index.js",
|
|
6
6
|
"module": "./dist/index.mjs",
|
|
@@ -48,7 +48,7 @@
|
|
|
48
48
|
"LICENSE"
|
|
49
49
|
],
|
|
50
50
|
"scripts": {
|
|
51
|
-
"build": "tsup",
|
|
51
|
+
"build": "tsup && node scripts/copy-shield-assets.js",
|
|
52
52
|
"dev": "tsup --watch",
|
|
53
53
|
"demo": "tsx examples/demo.ts",
|
|
54
54
|
"typecheck": "tsc --noEmit",
|
|
@@ -75,6 +75,7 @@
|
|
|
75
75
|
"picomatch": "^4.0.3",
|
|
76
76
|
"safe-regex2": "^5.1.0",
|
|
77
77
|
"sh-syntax": "^0.5.8",
|
|
78
|
+
"smol-toml": "^1.6.1",
|
|
78
79
|
"zod": "^3.25.76"
|
|
79
80
|
},
|
|
80
81
|
"devDependencies": {
|