@node9/proxy 1.9.3 → 1.10.1

package/dist/index.mjs

@@ -56,6 +56,11 @@ __export(audit_exports, {
 import fs from "fs";
 import path from "path";
 import os from "os";
+function isTestCall(toolName, args) {
+  if (toolName !== "Bash" && toolName !== "bash") return false;
+  const cmd = args?.command;
+  return typeof cmd === "string" && TEST_COMMAND_RE.test(cmd);
+}
 function redactSecrets(text) {
   if (!text) return text;
   let redacted = text;
@@ -91,12 +96,14 @@ function appendHookDebug(toolName, args, meta, auditHashArgsEnabled) {
 }
 function appendLocalAudit(toolName, args, decision, checkedBy, meta, auditHashArgsEnabled) {
   const argsField = auditHashArgsEnabled ? { argsHash: hashArgs(args) } : { args: args ? JSON.parse(redactSecrets(JSON.stringify(args))) : {} };
+  const testRun = isTestCall(toolName, args) ? { testRun: true } : {};
   appendToLog(LOCAL_AUDIT_LOG, {
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     tool: toolName,
     ...argsField,
     decision,
     checkedBy,
+    ...testRun,
     agent: meta?.agent,
     mcpServer: meta?.mcpServer,
     hostname: os.hostname()
@@ -109,13 +116,14 @@ function appendConfigAudit(entry) {
     hostname: os.hostname()
   });
 }
-var LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG;
+var LOCAL_AUDIT_LOG, HOOK_DEBUG_LOG, TEST_COMMAND_RE;
 var init_audit = __esm({
   "src/audit/index.ts"() {
     "use strict";
     init_hasher();
     LOCAL_AUDIT_LOG = path.join(os.homedir(), ".node9", "audit.log");
     HOOK_DEBUG_LOG = path.join(os.homedir(), ".node9", "hook-debug.log");
+    TEST_COMMAND_RE = /(?:^|\s)(npm\s+(?:run\s+)?test|npx\s+(?:vitest|jest|mocha)|yarn\s+(?:run\s+)?test|pnpm\s+(?:run\s+)?test|vitest|jest|mocha|pytest|py\.test|cargo\s+test|go\s+test|bundle\s+exec\s+rspec|rspec|phpunit|dotnet\s+test)\b/i;
   }
 });
 
@@ -200,7 +208,8 @@ var ConfigFileSchema = z.object({
     slackEnabled: z.boolean().optional(),
     enableTrustSessions: z.boolean().optional(),
     allowGlobalPause: z.boolean().optional(),
-    auditHashArgs: z.boolean().optional()
+    auditHashArgs: z.boolean().optional(),
+    agentPolicy: z.enum(["require_approval", "block_on_rules"]).optional()
   }).optional(),
   policy: z.object({
     sandboxPaths: z.array(z.string()).optional(),
@@ -216,6 +225,11 @@ var ConfigFileSchema = z.object({
     dlp: z.object({
       enabled: z.boolean().optional(),
       scanIgnoredTools: z.boolean().optional()
+    }).optional(),
+    loopDetection: z.object({
+      enabled: z.boolean().optional(),
+      threshold: z.number().min(2).optional(),
+      windowSeconds: z.number().min(10).optional()
     }).optional()
   }).optional(),
   environments: z.record(z.object({ requireApproval: z.boolean().optional() })).optional()
@@ -237,8 +251,8 @@ function sanitizeConfig(raw) {
     }
   }
   const lines = result.error.issues.map((issue) => {
-    const path14 = issue.path.length > 0 ? issue.path.join(".") : "root";
-    return `  \u2022 ${path14}: ${issue.message}`;
+    const path15 = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `  \u2022 ${path15}: ${issue.message}`;
   });
   return {
     sanitized,
@@ -571,7 +585,8 @@ var DEFAULT_CONFIG = {
         description: "The AI wants to download a script from the internet and run it immediately, without you seeing what it contains. This is one of the most common ways malware gets installed."
       }
     ],
-    dlp: { enabled: true, scanIgnoredTools: true }
+    dlp: { enabled: true, scanIgnoredTools: true },
+    loopDetection: { enabled: true, threshold: 5, windowSeconds: 120 }
   },
   environments: {}
 };
@@ -693,7 +708,8 @@ function getConfig(cwd) {
       onlyPaths: [...DEFAULT_CONFIG.policy.snapshot.onlyPaths],
       ignorePaths: [...DEFAULT_CONFIG.policy.snapshot.ignorePaths]
     },
-    dlp: { ...DEFAULT_CONFIG.policy.dlp }
+    dlp: { ...DEFAULT_CONFIG.policy.dlp },
+    loopDetection: { ...DEFAULT_CONFIG.policy.loopDetection }
   };
   const mergedEnvironments = { ...DEFAULT_CONFIG.environments };
   const applyLayer = (source) => {
@@ -732,6 +748,13 @@ function getConfig(cwd) {
       if (d.enabled !== void 0) mergedPolicy.dlp.enabled = d.enabled;
       if (d.scanIgnoredTools !== void 0) mergedPolicy.dlp.scanIgnoredTools = d.scanIgnoredTools;
     }
+    if (p.loopDetection) {
+      const ld = p.loopDetection;
+      if (ld.enabled !== void 0) mergedPolicy.loopDetection.enabled = ld.enabled;
+      if (ld.threshold !== void 0) mergedPolicy.loopDetection.threshold = ld.threshold;
+      if (ld.windowSeconds !== void 0)
+        mergedPolicy.loopDetection.windowSeconds = ld.windowSeconds;
+    }
     const envs = source.environments || {};
     for (const [envName, envConfig] of Object.entries(envs)) {
       if (envConfig && typeof envConfig === "object") {
@@ -1506,9 +1529,9 @@ function matchesPattern(text, patterns) {
   const withoutDotSlash = text.replace(/^\.\//, "");
   return isMatch(withoutDotSlash) || isMatch(`./${withoutDotSlash}`);
 }
-function getNestedValue(obj, path14) {
+function getNestedValue(obj, path15) {
   if (!obj || typeof obj !== "object") return null;
-  return path14.split(".").reduce((prev, curr) => prev?.[curr], obj);
+  return path15.split(".").reduce((prev, curr) => prev?.[curr], obj);
 }
 function evaluateSmartConditions(args, rule) {
   if (!rule.conditions || rule.conditions.length === 0) return true;
@@ -2269,11 +2292,12 @@ ${smartTruncate(str, 500)}`
 function escapePango(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
+function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) lines.push("\u26A0\uFE0F  LOCKED BY ADMIN POLICY\n");
   lines.push(`\u{1F916} ${agent || "AI Agent"}  |  \u{1F527} ${toolName}`);
   lines.push(`\u{1F6E1}\uFE0F  ${explainableLabel || "Security Policy"}`);
+  if (ruleDescription) lines.push(`\u2139  ${ruleDescription}`);
   lines.push("");
   lines.push(formattedArgs);
   if (allowCount >= 3) {
@@ -2286,7 +2310,7 @@ function buildPlainMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1) {
+function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, locked, allowCount = 1, ruleDescription) {
   const lines = [];
   if (locked) {
     lines.push('<span foreground="red" weight="bold">\u26A0\uFE0F  LOCKED BY ADMIN POLICY</span>');
@@ -2296,6 +2320,7 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
     `<b>\u{1F916} ${escapePango(agent || "AI Agent")}</b>  |  <b>\u{1F527} <tt>${escapePango(toolName)}</tt></b>`
   );
   lines.push(`<i>\u{1F6E1}\uFE0F  ${escapePango(explainableLabel || "Security Policy")}</i>`);
+  if (ruleDescription) lines.push(`<i>\u2139  ${escapePango(ruleDescription)}</i>`);
   lines.push("");
   lines.push(`<tt>${escapePango(formattedArgs)}</tt>`);
   if (allowCount >= 3) {
@@ -2312,7 +2337,7 @@ function buildPangoMessage(toolName, formattedArgs, agent, explainableLabel, loc
   }
   return lines.join("\n");
 }
-async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1) {
+async function askNativePopup(toolName, args, agent, explainableLabel, locked = false, signal, matchedField, matchedWord, allowCount = 1, ruleDescription) {
   if (isTestEnv()) return "deny";
   const { message: formattedArgs, intent } = formatArgs(args, matchedField, matchedWord);
   const intentLabel = intent === "EDIT" ? "Code Edit" : "Action Approval";
@@ -2323,7 +2348,8 @@ async function askNativePopup(toolName, args, agent, explainableLabel, locked =
     agent,
     explainableLabel,
     locked,
-    allowCount
+    allowCount,
+    ruleDescription
   );
   return new Promise((resolve) => {
     let childProcess = null;
@@ -2357,7 +2383,8 @@ end run`;
           agent,
           explainableLabel,
           locked,
-          allowCount
+          allowCount,
+          ruleDescription
         );
         const argsList = [
           locked ? "--info" : "--question",
@@ -2425,7 +2452,7 @@ function auditLocalAllow(toolName, args, checkedBy, creds, meta) {
   }).catch(() => {
   });
 }
-async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
+async function initNode9SaaS(toolName, args, creds, meta, riskMetadata, agentPolicy, forceReview) {
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), 1e4);
   if (!creds.apiKey) throw new Error("Node9 API Key is missing");
@@ -2470,7 +2497,9 @@ async function initNode9SaaS(toolName, args, creds, meta, riskMetadata) {
           platform: os8.platform()
         },
         ...riskMetadata && { riskMetadata },
-        ...ciContext && { ciContext }
+        ...ciContext && { ciContext },
+        ...agentPolicy && { policy: agentPolicy },
+        ...forceReview && { forceReview: true }
       }),
       signal: controller.signal
     });
@@ -2544,6 +2573,52 @@ async function resolveNode9SaaS(requestId, creds, approved, decidedBy) {
   }
 }
 
+// src/loop-detector.ts
+import fs10 from "fs";
+import path14 from "path";
+import os9 from "os";
+import crypto from "crypto";
+function loopStateFile() {
+  return path14.join(os9.homedir(), ".node9", "loop-state.json");
+}
+var MAX_RECORDS = 500;
+function computeArgsHash(args) {
+  const str = JSON.stringify(args ?? "");
+  return crypto.createHash("sha256").update(str).digest("hex").slice(0, 16);
+}
+function readState() {
+  try {
+    if (!fs10.existsSync(loopStateFile())) return [];
+    const raw = fs10.readFileSync(loopStateFile(), "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return [];
+    return parsed;
+  } catch {
+    return [];
+  }
+}
+function writeState(records) {
+  const dir = path14.dirname(loopStateFile());
+  if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
+  const tmpPath = `${loopStateFile()}.${os9.hostname()}.${process.pid}.tmp`;
+  fs10.writeFileSync(tmpPath, JSON.stringify(records));
+  fs10.renameSync(tmpPath, loopStateFile());
+}
+function recordAndCheck(tool, args, threshold = 3, windowMs = 12e4) {
+  try {
+    const hash = computeArgsHash(args);
+    const now = Date.now();
+    const cutoff = now - windowMs;
+    const records = readState().filter((r) => r.ts >= cutoff);
+    records.push({ t: tool, h: hash, ts: now });
+    const count = records.filter((r) => r.t === tool && r.h === hash).length;
+    writeState(records.slice(-MAX_RECORDS));
+    return { looping: count >= threshold, count };
+  } catch {
+    return { looping: false, count: 0 };
+  }
+}
+
 // src/auth/orchestrator.ts
 var WRITE_TOOLS = /* @__PURE__ */ new Set([
   "write",
@@ -2642,6 +2717,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   let explainableLabel = "Local Config";
   let policyMatchedField;
   let policyMatchedWord;
+  let policyRuleDescription;
   let riskMetadata;
   let statefulRecoveryCommand;
   let localSmartRuleMatched = false;
@@ -2735,6 +2811,21 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     return { approved: true, checkedBy: "audit" };
   }
   if (!taintWarning && !isIgnoredTool(toolName)) {
+    const ld = config.policy.loopDetection;
+    if (ld.enabled) {
+      const loopResult = recordAndCheck(toolName, args, ld.threshold, ld.windowSeconds * 1e3);
+      if (loopResult.looping) {
+        const reason = `It looks like you've called "${toolName}" ${loopResult.count} times with identical arguments in the last ${ld.windowSeconds}s. Are you stuck? Step back and reconsider your approach \u2014 what are you actually trying to accomplish, and is there a different way to get there?`;
+        if (!isManual)
+          appendLocalAudit(toolName, args, "deny", "loop-detected", meta, hashAuditArgs);
+        return {
+          approved: false,
+          reason,
+          blockedBy: "loop-detection",
+          blockedByLabel: "\u{1F504} Loop Detected"
+        };
+      }
+    }
     if (getActiveTrustSession(toolName)) {
       if (approvers.cloud && creds?.apiKey)
         await auditLocalAllow(toolName, args, "trust", creds, meta);
@@ -2790,6 +2881,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
     policyMatchedField = policyResult.matchedField;
     policyMatchedWord = policyResult.matchedWord;
     if (policyResult.ruleName) localSmartRuleMatched = true;
+    if (policyResult.ruleDescription) policyRuleDescription = policyResult.ruleDescription;
+    else if (policyResult.reason) policyRuleDescription = policyResult.reason;
     riskMetadata = computeRiskMetadata(
       args,
       policyResult.tier ?? 6,
@@ -2798,6 +2891,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       policyMatchedWord,
       policyResult.ruleName
     );
+    if (policyRuleDescription) riskMetadata.ruleDescription = policyRuleDescription.slice(0, 200);
     const persistent = policyResult.ruleName ? null : getPersistentDecision(toolName);
     if (persistent === "allow") {
       if (approvers.cloud && creds?.apiKey)
@@ -2832,9 +2926,18 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
   }
   let cloudRequestId = null;
   const cloudEnforced = approvers.cloud && !!creds?.apiKey;
-  if (cloudEnforced && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
+  const forceReview = localSmartRuleMatched === true || options?.localSmartRuleMatched === true || void 0;
+  if (cloudEnforced) {
     try {
-      const initResult = await initNode9SaaS(toolName, args, creds, meta, riskMetadata);
+      const initResult = await initNode9SaaS(
+        toolName,
+        args,
+        creds,
+        meta,
+        riskMetadata,
+        config.settings.agentPolicy,
+        forceReview
+      );
       if (!initResult.pending) {
         if (initResult.shadowMode) {
           return { approved: true, checkedBy: "cloud" };
@@ -2849,9 +2952,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           };
         }
       }
-      if (!localSmartRuleMatched && !options?.localSmartRuleMatched) {
-        cloudRequestId = initResult.requestId || null;
-      }
+      if (initResult.pending) cloudRequestId = initResult.requestId || null;
       if (!taintWarning) explainableLabel = "Organization Policy (SaaS)";
     } catch {
     }
@@ -2908,7 +3009,7 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
       }
     }
   }
-  if (cloudEnforced && cloudRequestId && !localSmartRuleMatched && !options?.localSmartRuleMatched) {
+  if (cloudEnforced && cloudRequestId) {
     racePromises.push(
       (async () => {
         try {
@@ -2940,7 +3041,8 @@ async function _authorizeHeadlessCore(toolName, args, meta, options) {
           signal,
           policyMatchedField,
           policyMatchedWord,
-          daemonAllowCount
+          daemonAllowCount,
+          riskMetadata?.ruleDescription
         );
         if (decision === "always_allow") {
           writeTrustSession(toolName, 36e5);
@@ -3053,7 +3155,8 @@ REASON: Action blocked because no approval channels are available. (Native/Brows
       hashAuditArgs
     );
   }
-  return finalResult;
+  const enrichedResult = !finalResult.approved && policyRuleDescription && !finalResult.ruleDescription ? { ...finalResult, ruleDescription: policyRuleDescription } : finalResult;
+  return enrichedResult;
 }
 async function authorizeAction(toolName, args) {
   const result = await authorizeHeadless(toolName, args);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node9/proxy",
-  "version": "1.9.3",
+  "version": "1.10.1",
   "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",