@node9/proxy 1.9.2 → 1.10.0

package/dist/index.js

@@ -76,6 +76,11 @@ __export(audit_exports, {
   appendToLog: () => appendToLog,
   redactSecrets: () => redactSecrets
 });
+function isTestCall(toolName, args) {
+  if (toolName !== "Bash" && toolName !== "bash") return false;
+  const cmd = args?.command;
+  return typeof cmd === "string" && TEST_COMMAND_RE.test(cmd);
+}
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -111,12 +116,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const testRun = isTestCall(toolName, args) ? { testRun: true } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: import_os.default.hostname()
@@ -129,7 +136,7 @@ function appendConfigAudit(entry) {
     hostname: import_os.default.hostname()
   });
 }
-var import_fs, import_path, import_os, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
+var import_fs, import_path, import_os, LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, TEST_COMMAND_RE;
 var init_audit = __esm({
   "src/audit/index.ts"() {
     "use strict";
@@ -139,6 +146,7 @@ var init_audit = __esm({
     init_hasher();
     LOCAL_AUDIT_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = import_path.default.join(import_os.default.homedir(), ".node9", "hook-debug.log");
+    TEST_COMMAND_RE = /(?:^|\s)(npm\s+(?:run\s+)?test|npx\s+(?:vitest|jest|mocha)|yarn\s+(?:run\s+)?test|pnpm\s+(?:run\s+)?test|vitest|jest|mocha|pytest|py\.test|cargo\s+test|go\s+test|bundle\s+exec\s+rspec|rspec|phpunit|dotnet\s+test)\b/i;
   }
 });
 
@@ -199,6 +207,7 @@ var SmartRuleSchema = import_zod.z.object({
     errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
   }),
   reason: import_zod.z.string().optional(),
+  description: import_zod.z.string().optional(),
   // Unknown predicate names are filtered out rather than failing the whole rule.
   // Failing the whole z.array() would cause sanitizeConfig to drop the entire
   // `policy` top-level key, silently disabling ALL smart rules in the config.
@@ -245,6 +254,11 @@ var ConfigFileSchema = import_zod.z.object({
     dlp: import_zod.z.object({
       enabled: import_zod.z.boolean().optional(),
       scanIgnoredTools: import_zod.z.boolean().optional()
+    }).optional(),
+    loopDetection: import_zod.z.object({
+      enabled: import_zod.z.boolean().optional(),
+      threshold: import_zod.z.number().min(2).optional(),
+      windowSeconds: import_zod.z.number().min(10).optional()
     }).optional()
   }).optional(),
   environments: import_zod.z.record(import_zod.z.object({ requireApproval: import_zod.z.boolean().optional() })).optional()
@@ -266,8 +280,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path14}: ${issue.message}`;
+    const path15 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path15}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -492,7 +506,8 @@ var DEFAULT_CONFIG = {
           }
         ],
         verdict: "block",
-        reason: "Recursive delete of home directory is irreversible"
+        reason: "Recursive delete of home directory is irreversible",
+        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
       },
       // ── SQL safety ────────────────────────────────────────────────────────
       {
@@ -504,7 +519,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
+        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
       },
       {
         name: "review-drop-truncate-shell",
@@ -519,7 +535,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "SQL DDL destructive statement inside a shell command"
+        reason: "SQL DDL destructive statement inside a shell command",
+        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
       },
       // ── Git safety ────────────────────────────────────────────────────────
       {
@@ -535,7 +552,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "block",
-        reason: "Force push overwrites remote history and cannot be undone"
+        reason: "Force push overwrites remote history and cannot be undone",
+        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
       },
       {
         name: "review-git-push",
@@ -550,7 +568,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "git push sends changes to a shared remote"
+        reason: "git push sends changes to a shared remote",
+        description: "The AI wants to push commits to a remote repository. Once pushed, those changes are visible to everyone with access."
       },
       {
         name: "review-git-destructive",
@@ -565,7 +584,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+        reason: "Destructive git operation \u2014 discards history or working-tree changes",
+        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
       },
       // ── Shell safety ──────────────────────────────────────────────────────
       {
@@ -574,7 +594,8 @@ var DEFAULT_CONFIG = {
         conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
         conditionMode: "all",
         verdict: "review",
-        reason: "Command requires elevated privileges"
+        reason: "Command requires elevated privileges",
+        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
       },
       {
         name: "review-curl-pipe-shell",
@@ -589,10 +610,12 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "block",
-        reason: "Piping remote script into a shell is a supply-chain attack vector"
+        reason: "Piping remote script into a shell is a supply-chain attack vector",
+        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true }
+    dlp: { enabled: true, scanIgnoredTools: true },
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 }
   },
   environments: {}
 };
@@ -622,7 +645,8 @@ var ADVISORY_SMART_RULES = [
     tool: "*",
     conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
     verdict: "review",
-    reason: "rm can permanently delete files \u2014 confirm the target path"
+    reason: "rm can permanently delete files \u2014 confirm the target path",
+    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
   },
   // ── SQL safety (Safe by Default) ──────────────────────────────────────────
   // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
@@ -634,14 +658,16 @@ var ADVISORY_SMART_RULES = [
     tool: "*",
     conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
     verdict: "review",
-    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
   },
   {
     name: "review-truncate-sql",
     tool: "*",
     conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
     verdict: "review",
-    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
   },
   {
     name: "review-drop-column-sql",
@@ -650,7 +676,8 @@ var ADVISORY_SMART_RULES = [
       { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
     ],
     verdict: "review",
-    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
   }
 ];
 var cachedConfig = null;
@@ -710,7 +737,8 @@ function getConfig(cwd) {
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp }
+    dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -749,6 +777,13 @@ function getConfig(cwd) {
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
+    if (p.loopDetection) {
+      const ld = p.loopDetection;
+      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
+      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
+      if (ld.windowSeconds !== void 0)
+        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1523,9 +1558,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path14) {
+function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
-  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1665,6 +1700,9 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         reason: matchedRule.reason,
         tier: 2,
         ruleName: matchedRule.name ?? matchedRule.tool,
+        ...(matchedRule.description ?? matchedRule.reason) && {
+          ruleDescription: matchedRule.description ?? matchedRule.reason
+        },
         ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
           dependsOnStatePredicates: matchedRule.dependsOnState
         },
@@ -2090,7 +2128,7 @@ async function resolveViaDaemon(id, decision, internalToken, source) {
 }
 
 // src/auth/orchestrator.ts
-var import_crypto2 = require("crypto");
+var import_crypto3 = require("crypto");
 
 // src/ui/native.ts
 var import_child_process2 = require("child_process");
@@ -2558,6 +2596,52 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
   }
 }
 
+// src/loop-detector.ts
+var import_fs10 = __toESM(require("fs"));
+var import_path14 = __toESM(require("path"));
+var import_os9 = __toESM(require("os"));
+var import_crypto2 = __toESM(require("crypto"));
+function loopStateFile() {
+  return import_path14.default.join(import_os9.default.homedir(), ".node9", "loop-state.json");
+}
+var MAX_RECORDS = 500;
+function computeArgsHash(args) {
+  const str = JSON.stringify(args ?? "");
+  return import_crypto2.default.createHash("sha256").update(str).digest("hex").slice(0, 16);
+}
+function readState() {
+  try {
+    if (!import_fs10.default.existsSync(loopStateFile())) return [];
+    const raw = import_fs10.default.readFileSync(loopStateFile(), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    return parsed;
+  } catch {
+    return [];
+  }
+}
+function writeState(records) {
+  const dir = import_path14.default.dirname(loopStateFile());
+  if (!import_fs10.default.existsSync(dir)) import_fs10.default.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${loopStateFile()}.${import_os9.default.hostname()}.${process.pid}.tmp`;
+  import_fs10.default.writeFileSync(tmpPath, JSON.stringify(records));
+  import_fs10.default.renameSync(tmpPath, loopStateFile());
+}
+function recordAndCheck(tool, args, threshold = 3, windowMs = 12e4) {
+  try {
+    const hash = computeArgsHash(args);
+    const now = Date.now();
+    const cutoff = now - windowMs;
+    const records = readState().filter((r) => r.ts >= cutoff);
+    records.push({ t: tool, h: hash, ts: now });
+    const count = records.filter((r) => r.t === tool && r.h === hash).length;
+    writeState(records.slice(-MAX_RECORDS));
+    return { looping: count >= threshold, count };
+  } catch {
+    return { looping: false, count: 0 };
+  }
+}
+
 // src/auth/orchestrator.ts
 var WRITE_TOOLS = /* @__PURE__ */ new Set([
   "write",
@@ -2609,7 +2693,7 @@ function notifyActivity(data) {
 }
 async function authorizeHeadless(toolName, args, meta, options) {
   if (!options?.calledFromDaemon) {
-    const actId = (0, import_crypto2.randomUUID)();
+    const actId = (0, import_crypto3.randomUUID)();
     const actTs = Date.now();
     await notifyActivity({ id: actId, ts: actTs, tool: toolName, args, status: "pending" });
     const result = await _authorizeHeadlessCore(toolName, args, meta, {
@@ -2656,6 +2740,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
+  let policyRuleDescription;
   let riskMetadata;
   let statefulRecoveryCommand;
   let localSmartRuleMatched = false;
@@ -2749,6 +2834,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     return { approved: true, checkedBy: "audit" };
   }
   if (!taintWarning && !isIgnoredTool(toolName)) {
+    const ld = config.policy.loopDetection;
+    if (ld.enabled) {
+      const loopResult = recordAndCheck(toolName, args, ld.threshold, ld.windowSeconds * 1e3);
+      if (loopResult.looping) {
+        const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
+        return {
+          approved: false,
+          reason,
+          blockedBy: "loop-detection",
+          blockedByLabel: "\u{1F504} Loop Detected"
+        };
+      }
+    }
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
@@ -2795,7 +2895,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedBy: "local-config",
           blockedByLabel: policyResult.blockedByLabel,
           ruleHit: policyResult.ruleName,
-          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand }
+          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand },
+          ...policyResult.ruleDescription && { ruleDescription: policyResult.ruleDescription }
         };
       }
     }
@@ -2803,6 +2904,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
     if (policyResult.ruleName) localSmartRuleMatched = true;
+    if (policyResult.ruleDescription) policyRuleDescription = policyResult.ruleDescription;
+    else if (policyResult.reason) policyRuleDescription = policyResult.reason;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -3066,7 +3169,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       hashAuditArgs
     );
   }
-  return finalResult;
+  const enrichedResult = !finalResult.approved && policyRuleDescription && !finalResult.ruleDescription ? { ...finalResult, ruleDescription: policyRuleDescription } : finalResult;
+  return enrichedResult;
 }
 async function authorizeAction(toolName, args) {
   const result = await authorizeHeadless(toolName, args);