node9-ai 1.39.0 → 1.41.0
- package/README.md +55 -0
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -31,6 +31,43 @@ node9 scan # after installation, same output
|
|
|
31
31
|
<img src="https://github.com/user-attachments/assets/7c5b30f1-1ca1-40b4-bfd5-d6671002e98e" width="720" alt="Node9 scan scorecard" />
|
|
32
32
|
</p>
|
|
33
33
|
|
|
34
|
+
## Security posture scorecard
|
|
35
|
+
|
|
36
|
+
`node9 posture` grades how exposed this machine is to a compromised agent — isolation, egress, secrets on disk, supply chain, privilege — and hands you the exact command to fix each finding.
|
|
37
|
+
|
|
38
|
+
```bash
|
|
39
|
+
node9 posture # scorecard with the #1 risk and a fix for every finding
|
|
40
|
+
node9 posture --ship # send a redacted snapshot to your node9 dashboard (fleet view)
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
Findings are grouped by **who can fix them**: 🔒 the ones node9 reduces (just run the command) and 🧱 the ones only you can. Each carries a plain-language what / why / who and a real remediation — e.g. the "agent runs unsandboxed on the host" finding points straight at `node9 sandbox run` (below).
|
|
44
|
+
|
|
45
|
+
```text
|
|
46
|
+
🛡️ Node9 Posture — agent on this host Score: 100/100 (Good)
|
|
47
|
+
2 advisories below don't affect the score — OS-level exposure, yours to weigh.
|
|
48
|
+
|
|
49
|
+
🟢 node9 is already protecting you
|
|
50
|
+
✅ Secrets node9 DLP is blocking this
|
|
51
|
+
✅ Egress node9 egress is approval-gating this
|
|
52
|
+
✅ Approval gate node9 is blocking this
|
|
53
|
+
✅ Privilege node9 is approval-gating this
|
|
54
|
+
|
|
55
|
+
🔒 node9 reduces these — run the command, the rest is yours
|
|
56
|
+
⚠️ Isolation Running directly on the host — no container
|
|
57
|
+
The agent runs loose on your whole machine, not in a sandbox.
|
|
58
|
+
→ node9 sandbox run <agent> — jail it: kernel egress + scoped mounts + node9 inside
|
|
59
|
+
→ node9 shield enable project-jail — or shrink the blast radius, keep host access
|
|
60
|
+
⚠️ Network exposure 4 services on 0.0.0.0 (node :3000/:4000, PostgreSQL :5432, Redis :6379)
|
|
61
|
+
Reachable from your whole network, not just this laptop.
|
|
62
|
+
→ node9 shield enable postgres|redis — node9 blocks DROP TABLE / FLUSHALL
|
|
63
|
+
→ bind to 127.0.0.1 / firewall the port (your part)
|
|
64
|
+
|
|
65
|
+
✅ Supply chain no issues found
|
|
66
|
+
✅ Coverage no issues found
|
|
67
|
+
|
|
68
|
+
Track this across your fleet & keep it green → node9.ai
|
|
69
|
+
```
|
|
70
|
+
|
|
34
71
|
## Live monitoring
|
|
35
72
|
|
|
36
73
|
<p align="center">
|
|
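Review bot: the sample output in this hunk shows `Score: 100/100 (Good)` directly above two ⚠️ findings (`Isolation  Running directly on the host — no container` and `Network exposure  4 services on 0.0.0.0`), and the only explanation is the single line `2 advisories below don't affect the score — OS-level exposure, yours to weigh.` A reader will take a perfect score to mean the agent is isolated, so the section prose (not just the sample) should state which categories are scored and which are advisory-only, and why an unsandboxed agent does not cost points. Two smaller documentation points: `node9 posture --ship` is described as sending `a redacted snapshot`, yet the same output carries service names and listening ports, so say what the redaction covers before users ship it fleet-wide; and `node9 shield enable postgres|redis` reads as a literal argument, so either write both invocations out or note that `|` means one-of.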
@@ -104,6 +141,23 @@ node9 shield list # show all shields + status
|
|
|
104
141
|
- **Auto-undo** — git snapshot before every AI file edit → `node9 undo` to revert
|
|
105
142
|
- **Skills pinning** — SHA-256 verification of installed Claude skills / plugins between sessions
|
|
106
143
|
|
|
144
|
+
## Sandbox — run an agent in a jail
|
|
145
|
+
|
|
146
|
+
When watching isn't enough, **`node9 sandbox`** runs the agent inside a disposable container with a **kernel-enforced egress allowlist** and **scoped mounts** — while node9's hooks govern and audit every tool call _inside_ the box. The hard version of protection: the agent can only touch the folder you mount and reach the hosts you allow; everything else is dropped at the kernel.
|
|
147
|
+
|
|
148
|
+
```bash
|
|
149
|
+
cd ~/my-project
|
|
150
|
+
node9 sandbox new # write node9.sandbox.yaml — what to mount + which hosts to allow
|
|
151
|
+
node9 sandbox run # build + boot the jailed agent (your project at /workspace)
|
|
152
|
+
node9 sandbox tail # watch the agent's actions live, from the host
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
- **Disposable** — the container is destroyed on exit; your project edits land on your real disk, nothing else survives.
|
|
156
|
+
- **Same policy** — your existing shields / egress rules / approvals apply inside the box, streamed to the same audit log and dashboard.
|
|
157
|
+
- **Closes the posture loop** — running it flips the Isolation / Egress findings green.
|
|
158
|
+
|
|
159
|
+
Honest scope (Phase 1): single container, **Claude first** (Codex next); the agent still holds its _own_ credentials in the box (the egress wall confines them to the allowed hosts) — _"the agent never holds a secret"_ is the credential-broker phase on the roadmap. Requires Docker.
|
|
160
|
+
|
|
107
161
|
## MCP gateway
|
|
108
162
|
|
|
109
163
|
Wrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.
|
|
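Review bot: the `Disposable` bullet says project edits `land on your real disk`, but nothing in this section connects that bind-mounted `/workspace` to the auto-undo snapshots documented earlier in the README (`git snapshot before every AI file edit → node9 undo`); state whether `node9 undo` covers edits the jailed agent makes, because otherwise readers may assume the jail protects the project files, which by design it does not. Two related gaps: `Requires Docker.` sits at the tail of the scope paragraph and belongs beside the command block, and `node9 sandbox new` is said to write `node9.sandbox.yaml` without showing what a default mount list or egress allowlist looks like, even though that file is the one thing a user must review before trusting the wall. Finally, the `Same policy` bullet lists shields, egress rules and approvals while the honest-scope note says the agent `still holds its own credentials in the box`; say plainly whether the Secrets/DLP protection from the posture section applies to that credential file inside the container.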
@@ -199,6 +253,7 @@ def run_command(cmd: str) -> str:
|
|
|
199
253
|
- **MCP gateway** is a stdio proxy; intercepts `tools/list` + `tools/call` JSON-RPC, forwards the rest
|
|
200
254
|
- **Policy engine** uses [mvdan-sh](https://github.com/mvdan/sh) for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
|
|
201
255
|
- **Shadow repo** for auto-undo lives at `~/.node9/snapshots/<hash16>/` — never touches your `.git`
|
|
256
|
+
- **Sandbox** generates a Dockerfile + entrypoint that seal an `ipset`/`iptables` deny-by-default egress wall, then drop to a non-root agent with node9's daemon + hooks running inside; only the agent's credential file is mounted, never your whole `~/.claude`
|
|
202
257
|
|
|
203
258
|
## Full docs
|
|
204
259
|
|
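Review bot: the new `Sandbox` bullet says the generated entrypoint seals an `ipset`/`iptables` deny-by-default egress wall and `then drop[s] to a non-root agent`, but that ordering is the entire security argument and needs one more sentence: the rules are installed by the privileged entrypoint before the privilege drop, and the non-root agent user has no way to alter them, otherwise a compromised agent could open its own hole. State that explicitly, and name what the container needs at boot to install those rules so users running a locked-down Docker daemon know what to expect. The mount detail (`only the agent's credential file is mounted, never your whole ~/.claude`) is good; it would be stronger with the mount mode (read-only or writable), since that file is precisely what the egress wall exists to confine.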
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "node9-ai",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.41.0",
|
|
4
4
|
"description": "Security layer for AI coding agents — intercepts dangerous tool calls before they execute",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"ai",
|
|
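Review bot: the version goes from 1.39.0 straight to 1.41.0 in this hunk while the README diff on this page reads as one feature batch (posture scorecard plus sandbox); if 1.40.0 was published separately, the release notes should say what it contained so anyone auditing the upgrade can account for both versions rather than one.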
@@ -25,7 +25,7 @@
|
|
|
25
25
|
"node9-ai": "bin/node9.js"
|
|
26
26
|
},
|
|
27
27
|
"dependencies": {
|
|
28
|
-
"@node9/proxy": "1.
|
|
28
|
+
"@node9/proxy": "1.41.0"
|
|
29
29
|
},
|
|
30
30
|
"type": "module",
|
|
31
31
|
"engines": {
|
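Review bot: pinning `@node9/proxy` to the exact `1.41.0` (matching the package's own version) is the right choice for a component that runs as an interception layer, since a caret range would let the proxy drift independently of the CLI that wraps it. Two things to confirm at release time: that `@node9/proxy@1.41.0` is published before `node9-ai@1.41.0` so fresh installs do not fail on the pin, and that the publish ships with a lockfile or provenance attestation so the pin can actually be verified, which is what the README's own supply-chain claims (`Skills pinning — SHA-256 verification`) lead users to expect.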