npm - @node9/proxy - Versions diffs - 1.9.2 → 1.10.0 - Mend

@node9/proxy 1.9.2 → 1.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.mjs CHANGED Viewed

@@ -56,6 +56,11 @@ __export(audit_exports, {
 import fs from "fs";
 import path from "path";
 import os from "os";
+function isTestCall(toolName, args) {
+  if (toolName !== "Bash" && toolName !== "bash") return false;
+  const cmd = args?.command;
+  return typeof cmd === "string" && TEST_COMMAND_RE.test(cmd);
+}
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -91,12 +96,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const testRun = isTestCall(toolName, args) ? { testRun: true } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: os.hostname()
@@ -109,13 +116,14 @@ function appendConfigAudit(entry) {
     hostname: os.hostname()
   });
 }
-var LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
+var LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, TEST_COMMAND_RE;
 var init_audit = __esm({
   "src/audit/index.ts"() {
     "use strict";
     init_hasher();
     LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
+    TEST_COMMAND_RE = /(?:^|\s)(npm\s+(?:run\s+)?test|npx\s+(?:vitest|jest|mocha)|yarn\s+(?:run\s+)?test|pnpm\s+(?:run\s+)?test|vitest|jest|mocha|pytest|py\.test|cargo\s+test|go\s+test|bundle\s+exec\s+rspec|rspec|phpunit|dotnet\s+test)\b/i;
   }
 });
@@ -169,6 +177,7 @@ var SmartRuleSchema = z.object({
     errorMap: () => ({ message: "verdict must be one of: allow, review, block" })
   }),
   reason: z.string().optional(),
+  description: z.string().optional(),
   // Unknown predicate names are filtered out rather than failing the whole rule.
   // Failing the whole z.array() would cause sanitizeConfig to drop the entire
   // `policy` top-level key, silently disabling ALL smart rules in the config.
@@ -215,6 +224,11 @@ var ConfigFileSchema = z.object({
     dlp: z.object({
       enabled: z.boolean().optional(),
       scanIgnoredTools: z.boolean().optional()
+    }).optional(),
+    loopDetection: z.object({
+      enabled: z.boolean().optional(),
+      threshold: z.number().min(2).optional(),
+      windowSeconds: z.number().min(10).optional()
     }).optional()
   }).optional(),
   environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
@@ -236,8 +250,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path14}: ${issue.message}`;
+    const path15 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path15}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -462,7 +476,8 @@ var DEFAULT_CONFIG = {
           }
         ],
         verdict: "block",
-        reason: "Recursive delete of home directory is irreversible"
+        reason: "Recursive delete of home directory is irreversible",
+        description: "The AI wants to recursively delete your home directory. This will permanently destroy all your personal files and cannot be undone."
       },
       // ── SQL safety ────────────────────────────────────────────────────────
       {
@@ -474,7 +489,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table"
+        reason: "DELETE/UPDATE without WHERE clause \u2014 would affect every row in the table",
+        description: "The AI is running a SQL statement that will modify every row in the table \u2014 no WHERE filter was found. This could wipe or corrupt all your data."
       },
       {
         name: "review-drop-truncate-shell",
@@ -489,7 +505,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "SQL DDL destructive statement inside a shell command"
+        reason: "SQL DDL destructive statement inside a shell command",
+        description: "The AI wants to drop or truncate a database table via the shell. This permanently deletes the table structure or all its data."
       },
       // ── Git safety ────────────────────────────────────────────────────────
       {
@@ -505,7 +522,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "block",
-        reason: "Force push overwrites remote history and cannot be undone"
+        reason: "Force push overwrites remote history and cannot be undone",
+        description: "The AI wants to force push to a remote git branch. This rewrites shared history and can permanently destroy commits that teammates have already pulled."
       },
       {
         name: "review-git-push",
@@ -520,7 +538,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "git push sends changes to a shared remote"
+        reason: "git push sends changes to a shared remote",
+        description: "The AI wants to push commits to a remote repository. Once pushed, those changes are visible to everyone with access."
       },
       {
         name: "review-git-destructive",
@@ -535,7 +554,8 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "review",
-        reason: "Destructive git operation \u2014 discards history or working-tree changes"
+        reason: "Destructive git operation \u2014 discards history or working-tree changes",
+        description: "The AI wants to run a destructive git operation (reset, rebase, clean, or branch delete) that can permanently discard commits or uncommitted work."
       },
       // ── Shell safety ──────────────────────────────────────────────────────
       {
@@ -544,7 +564,8 @@ var DEFAULT_CONFIG = {
         conditions: [{ field: "command", op: "matches", value: "\\bsudo\\s", flags: "i" }],
         conditionMode: "all",
         verdict: "review",
-        reason: "Command requires elevated privileges"
+        reason: "Command requires elevated privileges",
+        description: "The AI wants to run a command as root (sudo). Commands with root access can modify system files, install software, or change security settings."
       },
       {
         name: "review-curl-pipe-shell",
@@ -559,10 +580,12 @@ var DEFAULT_CONFIG = {
         ],
         conditionMode: "all",
         verdict: "block",
-        reason: "Piping remote script into a shell is a supply-chain attack vector"
+        reason: "Piping remote script into a shell is a supply-chain attack vector",
+        description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true }
+    dlp: { enabled: true, scanIgnoredTools: true },
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 }
   },
   environments: {}
 };
@@ -592,7 +615,8 @@ var ADVISORY_SMART_RULES = [
     tool: "*",
     conditions: [{ field: "command", op: "matches", value: "(^|&&|\\|\\||;)\\s*rm\\b" }],
     verdict: "review",
-    reason: "rm can permanently delete files \u2014 confirm the target path"
+    reason: "rm can permanently delete files \u2014 confirm the target path",
+    description: "The AI wants to delete files. Unlike moving to trash, rm is permanent \u2014 the files cannot be recovered without a backup."
   },
   // ── SQL safety (Safe by Default) ──────────────────────────────────────────
   // These rules fire when an AI calls a database tool directly (e.g. MCP postgres,
@@ -604,14 +628,16 @@ var ADVISORY_SMART_RULES = [
     tool: "*",
     conditions: [{ field: "sql", op: "matches", value: "DROP\\s+TABLE", flags: "i" }],
     verdict: "review",
-    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead"
+    reason: "DROP TABLE is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a database table. This permanently deletes the table and all its data \u2014 there is no undo."
   },
   {
     name: "review-truncate-sql",
     tool: "*",
     conditions: [{ field: "sql", op: "matches", value: "TRUNCATE\\s+TABLE", flags: "i" }],
     verdict: "review",
-    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead"
+    reason: "TRUNCATE removes all rows \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to truncate a database table, which instantly deletes every row. The table structure remains but all data is gone."
   },
   {
     name: "review-drop-column-sql",
@@ -620,7 +646,8 @@ var ADVISORY_SMART_RULES = [
       { field: "sql", op: "matches", value: "ALTER\\s+TABLE.*DROP\\s+COLUMN", flags: "i" }
     ],
     verdict: "review",
-    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead"
+    reason: "DROP COLUMN is irreversible \u2014 enable the postgres shield to block instead",
+    description: "The AI wants to drop a column from a database table. This permanently removes the column and all its data from every row."
   }
 ];
 var cachedConfig = null;
@@ -680,7 +707,8 @@ function getConfig(cwd) {
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp }
+    dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -719,6 +747,13 @@ function getConfig(cwd) {
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
+    if (p.loopDetection) {
+      const ld = p.loopDetection;
+      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
+      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
+      if (ld.windowSeconds !== void 0)
+        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1493,9 +1528,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path14) {
+function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
-  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -1635,6 +1670,9 @@ async function evaluatePolicy(toolName, args, agent, cwd) {
         reason: matchedRule.reason,
         tier: 2,
         ruleName: matchedRule.name ?? matchedRule.tool,
+        ...(matchedRule.description ?? matchedRule.reason) && {
+          ruleDescription: matchedRule.description ?? matchedRule.reason
+        },
         ...matchedRule.verdict === "block" && matchedRule.dependsOnState?.length && {
           dependsOnStatePredicates: matchedRule.dependsOnState
         },
@@ -2528,6 +2566,52 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
   }
 }
+// src/loop-detector.ts
+import fs10 from "fs";
+import path14 from "path";
+import os9 from "os";
+import crypto from "crypto";
+function loopStateFile() {
+  return path14.join(os9.homedir(), ".node9", "loop-state.json");
+}
+var MAX_RECORDS = 500;
+function computeArgsHash(args) {
+  const str = JSON.stringify(args ?? "");
+  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+}
+function readState() {
+  try {
+    if (!fs10.existsSync(loopStateFile())) return [];
+    const raw = fs10.readFileSync(loopStateFile(), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    return parsed;
+  } catch {
+    return [];
+  }
+}
+function writeState(records) {
+  const dir = path14.dirname(loopStateFile());
+  if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${loopStateFile()}.${os9.hostname()}.${process.pid}.tmp`;
+  fs10.writeFileSync(tmpPath, JSON.stringify(records));
+  fs10.renameSync(tmpPath, loopStateFile());
+}
+function recordAndCheck(tool, args, threshold = 3, windowMs = 12e4) {
+  try {
+    const hash = computeArgsHash(args);
+    const now = Date.now();
+    const cutoff = now - windowMs;
+    const records = readState().filter((r) => r.ts >= cutoff);
+    records.push({ t: tool, h: hash, ts: now });
+    const count = records.filter((r) => r.t === tool && r.h === hash).length;
+    writeState(records.slice(-MAX_RECORDS));
+    return { looping: count >= threshold, count };
+  } catch {
+    return { looping: false, count: 0 };
+  }
+}
 // src/auth/orchestrator.ts
 var WRITE_TOOLS = /* @__PURE__ */ new Set([
   "write",
@@ -2626,6 +2710,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
+  let policyRuleDescription;
   let riskMetadata;
   let statefulRecoveryCommand;
   let localSmartRuleMatched = false;
@@ -2719,6 +2804,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     return { approved: true, checkedBy: "audit" };
   }
   if (!taintWarning && !isIgnoredTool(toolName)) {
+    const ld = config.policy.loopDetection;
+    if (ld.enabled) {
+      const loopResult = recordAndCheck(toolName, args, ld.threshold, ld.windowSeconds * 1e3);
+      if (loopResult.looping) {
+        const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
+        return {
+          approved: false,
+          reason,
+          blockedBy: "loop-detection",
+          blockedByLabel: "\u{1F504} Loop Detected"
+        };
+      }
+    }
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
@@ -2765,7 +2865,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           blockedBy: "local-config",
           blockedByLabel: policyResult.blockedByLabel,
           ruleHit: policyResult.ruleName,
-          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand }
+          ...policyResult.recoveryCommand && { recoveryCommand: policyResult.recoveryCommand },
+          ...policyResult.ruleDescription && { ruleDescription: policyResult.ruleDescription }
         };
       }
     }
@@ -2773,6 +2874,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
     if (policyResult.ruleName) localSmartRuleMatched = true;
+    if (policyResult.ruleDescription) policyRuleDescription = policyResult.ruleDescription;
+    else if (policyResult.reason) policyRuleDescription = policyResult.reason;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -3036,7 +3139,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       hashAuditArgs
     );
   }
-  return finalResult;
+  const enrichedResult = !finalResult.approved && policyRuleDescription && !finalResult.ruleDescription ? { ...finalResult, ruleDescription: policyRuleDescription } : finalResult;
+  return enrichedResult;
 }
 async function authorizeAction(toolName, args) {
   const result = await authorizeHeadless(toolName, args);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.9.2",
+  "version": "1.10.0",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",