node9-ai 1.38.0 → 1.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +55 -0
  2. package/package.json +2 -2
package/README.md CHANGED
@@ -31,6 +31,43 @@ node9 scan # after installation, same output
31
31
  <img src="https://github.com/user-attachments/assets/7c5b30f1-1ca1-40b4-bfd5-d6671002e98e" width="720" alt="Node9 scan scorecard" />
32
32
  </p>
33
33
 
34
+ ## Security posture scorecard
35
+
36
+ `node9 posture` grades how exposed this machine is to a compromised agent — isolation, egress, secrets on disk, supply chain, privilege — and hands you the exact command to fix each finding.
37
+
38
+ ```bash
39
+ node9 posture # scorecard with the #1 risk and a fix for every finding
40
+ node9 posture --ship # send a redacted snapshot to your node9 dashboard (fleet view)
41
+ ```
42
+
43
+ Findings are grouped by **who can fix them**: 🔒 the ones node9 reduces (just run the command) and 🧱 the ones only you can. Each carries a plain-language what / why / who and a real remediation — e.g. the "agent runs unsandboxed on the host" finding points straight at `node9 sandbox run` (below).
44
+
45
+ ```text
46
+ 🛡️ Node9 Posture — agent on this host Score: 100/100 (Good)
47
+ 2 advisories below don't affect the score — OS-level exposure, yours to weigh.
48
+
49
+ 🟢 node9 is already protecting you
50
+ ✅ Secrets node9 DLP is blocking this
51
+ ✅ Egress node9 egress is approval-gating this
52
+ ✅ Approval gate node9 is blocking this
53
+ ✅ Privilege node9 is approval-gating this
54
+
55
+ 🔒 node9 reduces these — run the command, the rest is yours
56
+ ⚠️ Isolation Running directly on the host — no container
57
+ The agent runs loose on your whole machine, not in a sandbox.
58
+ → node9 sandbox run <agent> — jail it: kernel egress + scoped mounts + node9 inside
59
+ → node9 shield enable project-jail — or shrink the blast radius, keep host access
60
+ ⚠️ Network exposure 4 services on 0.0.0.0 (node :3000/:4000, PostgreSQL :5432, Redis :6379)
61
+ Reachable from your whole network, not just this laptop.
62
+ → node9 shield enable postgres|redis — node9 blocks DROP TABLE / FLUSHALL
63
+ → bind to 127.0.0.1 / firewall the port (your part)
64
+
65
+ ✅ Supply chain no issues found
66
+ ✅ Coverage no issues found
67
+
68
+ Track this across your fleet & keep it green → node9.ai
69
+ ```
70
+
34
71
  ## Live monitoring
35
72
 
36
73
  <p align="center">
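Review bot: the sample scorecard in this hunk contradicts the sentence that introduces it. `node9 posture` is said to grade exposure across "isolation, egress, secrets on disk, supply chain, privilege", yet the example reports `Score: 100/100 (Good)` while listing `⚠️ Isolation Running directly on the host` and `⚠️ Network exposure 4 services on 0.0.0.0 (node :3000/:4000, PostgreSQL :5432, Redis :6379)`, with the header explaining that these "don't affect the score". An agent running loose on a host whose PostgreSQL and Redis are reachable from the whole network is the scenario this tool exists for, so either those findings should cost points or the intro should state plainly which dimensions are scored and which are advisory only. Separately, `node9 posture --ship` promises a "redacted snapshot" but the hunk never says what is sent; the example shows the snapshot contains at least a listening-service inventory with ports, so the README should list the fields and the redaction rules before telling users to ship it to a fleet dashboard.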
@@ -104,6 +141,23 @@ node9 shield list # show all shields + status
104
141
  - **Auto-undo** — git snapshot before every AI file edit → `node9 undo` to revert
105
142
  - **Skills pinning** — SHA-256 verification of installed Claude skills / plugins between sessions
106
143
 
144
+ ## Sandbox — run an agent in a jail
145
+
146
+ When watching isn't enough, **`node9 sandbox`** runs the agent inside a disposable container with a **kernel-enforced egress allowlist** and **scoped mounts** — while node9's hooks govern and audit every tool call _inside_ the box. The hard version of protection: the agent can only touch the folder you mount and reach the hosts you allow; everything else is dropped at the kernel.
147
+
148
+ ```bash
149
+ cd ~/my-project
150
+ node9 sandbox new # write node9.sandbox.yaml — what to mount + which hosts to allow
151
+ node9 sandbox run # build + boot the jailed agent (your project at /workspace)
152
+ node9 sandbox tail # watch the agent's actions live, from the host
153
+ ```
154
+
155
+ - **Disposable** — the container is destroyed on exit; your project edits land on your real disk, nothing else survives.
156
+ - **Same policy** — your existing shields / egress rules / approvals apply inside the box, streamed to the same audit log and dashboard.
157
+ - **Closes the posture loop** — running it flips the Isolation / Egress findings green.
158
+
159
+ Honest scope (Phase 1): single container, **Claude first** (Codex next); the agent still holds its _own_ credentials in the box (the egress wall confines them to the allowed hosts) — _"the agent never holds a secret"_ is the credential-broker phase on the roadmap. Requires Docker.
160
+
107
161
  ## MCP gateway
108
162
 
109
163
  Wrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.
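Review bot: the "Disposable" bullet's "nothing else survives" understates the one thing that does survive: the bind-mounted project directory. A compromised agent inside the box writes to `/workspace` exactly as it would write to the project on the host, so anything that executes later from that tree (git hooks, npm scripts, a Makefile, a `.env`) is a persistence channel out of the sandbox; the bullet should say so, and say whether the auto-undo git snapshot listed under shields still covers edits made from inside the container. Two more gaps in this hunk: the egress allowlist is only as tight as its broadest entry (an allowed package registry or git host is still an exfiltration path for the credentials the "Honest scope" paragraph admits the agent holds), and "Requires Docker" should state whether rootless Docker is supported, since needing docker-socket access on the host is itself a privilege finding of the kind the scorecard above grades.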
@@ -199,6 +253,7 @@ def run_command(cmd: str) -> str:
199
253
  - **MCP gateway** is a stdio proxy; intercepts `tools/list` + `tools/call` JSON-RPC, forwards the rest
200
254
  - **Policy engine** uses [mvdan-sh](https://github.com/mvdan/sh) for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
201
255
  - **Shadow repo** for auto-undo lives at `~/.node9/snapshots/<hash16>/` — never touches your `.git`
256
+ - **Sandbox** generates a Dockerfile + entrypoint that seal an `ipset`/`iptables` deny-by-default egress wall, then drop to a non-root agent with node9's daemon + hooks running inside; only the agent's credential file is mounted, never your whole `~/.claude`
202
257
 
203
258
  ## Full docs
204
259
 
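Review bot: the new architecture bullet says the entrypoint seals an `ipset`/`iptables` deny-by-default egress wall and then drops to a non-root agent, but it omits the two details a reader needs in order to trust that wall: which capability the container is started with so the entrypoint can program the rules, and whether that capability (not just the uid) is dropped before the agent runs; and how the "hosts you allow" are turned into rules. If hostnames are resolved into `ipset` entries at seal time, the rules go stale when a provider rotates IPs; if DNS is left open so the agent can resolve them itself, DNS queries become an egress channel the wall does not cover. The bullet should also state whether the single mounted credential file is mounted read-only, since a writable mount lets changes made inside the box land in the host's credential store.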
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "node9-ai",
3
- "version": "1.38.0",
3
+ "version": "1.40.0",
4
4
  "description": "Security layer for AI coding agents — intercepts dangerous tool calls before they execute",
5
5
  "keywords": [
6
6
  "ai",
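Review bot: the version jumps from 1.38.0 straight to 1.40.0, and the diff touches only README.md and package.json, so there is no CHANGELOG entry for either the new `node9 posture` command or the sandbox feature, and nothing records what 1.39.0 was or why it is skipped. For a package that advertises supply-chain hygiene, a changelog entry per release (with a note if 1.39.0 was skipped or unpublished) is the minimum a downstream reviewer needs to audit what changed between the versions they pin.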
@@ -25,7 +25,7 @@
25
25
  "node9-ai": "bin/node9.js"
26
26
  },
27
27
  "dependencies": {
28
- "@node9/proxy": "1.38.0"
28
+ "@node9/proxy": "1.40.0"
29
29
  },
30
30
  "type": "module",
31
31
  "engines": {
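Review bot: pinning `@node9/proxy` to the exact `1.40.0` is the right choice, but package.json alone cannot fix the integrity of what gets installed; only a lockfile that ships inside the published tarball (npm-shrinkwrap.json) does, and none appears in this diff. The README in this same release promises SHA-256 verification of installed skills, so the package's own runtime dependency deserves the same treatment: ship a shrinkwrap carrying the integrity hash for `@node9/proxy@1.40.0`, and keep the two version fields moving in lockstep as they do here.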