1.49.0 • Published 22m agoCLI

node9-ai

Licence

Apache-2.0

Version

1.49.0

Deps

Size

30 kB

Vulns

Weekly

Stars

206

Summary Dependency Versions

Node9

What did your AI agent actually do? Find out.

Node9 sits between your AI agent and the tools it can use — discover what it's already been doing, protect against risky actions in real time, and review what happened over any time window.

Works with Claude Code · Codex CLI · Antigravity (agy) · GitHub Copilot CLI · Gemini CLI · Cursor · Windsurf · VSCode · Claude Desktop · Opencode · Pi · Hermes Agent · any MCP server.

What Node9 does

Discover — scan every past AI session for credential leaks, agent loops, blocked operations, and every secret on disk an agent could reach right now
Protect — review or block risky commands before they run — rm -rf, git push --force, DROP TABLE, credential reads, curl | bash, AWS/GitHub/Stripe key leaks
Review — period-windowed report (today / week / month / 90 days) — cost per agent, top tools, shields fired, blast radius

Retrospective scan

This is my own machine — 90 days while building Node9. Score 25/100, 5 credential files an AI agent could reach right now.

npx node9-ai scan   # before installation, runs in ~10s, nothing uploads
node9 scan          # after installation, same output

Node9 scan scorecard

Security posture scorecard

node9 posture grades how exposed this machine is to a compromised agent — isolation, egress, secrets on disk, supply chain, privilege — and hands you the exact command to fix each finding.

node9 posture          # scorecard with the #1 risk and a fix for every finding
node9 posture --ship   # send a redacted snapshot to your node9 dashboard (fleet view)

Findings are grouped by who can fix them: the ones node9 reduces (just run the command) and the ones only you can. Each carries a plain-language what / why / who and a real remediation — e.g. the "agent runs unsandboxed on the host" finding points straight at node9 sandbox run (below).

🛡️  Node9 Posture — agent on this host        Score: 100/100  (Good)
  2 advisories below don't affect the score — OS-level exposure, yours to weigh.

  🟢 node9 is already protecting you
  ✅ Secrets        node9 DLP is blocking this
  ✅ Egress         node9 egress is approval-gating this
  ✅ Approval gate  node9 is blocking this
  ✅ Privilege      node9 is approval-gating this

  🔒 node9 reduces these — run the command, the rest is yours
  ⚠️  Isolation     Running directly on the host — no container
                   The agent runs loose on your whole machine, not in a sandbox.
                   → node9 sandbox run <agent>   — jail it: kernel egress + scoped mounts + node9 inside
                   → node9 shield enable project-jail   — or shrink the blast radius, keep host access
  ⚠️  Network exposure  4 services on 0.0.0.0 (node :3000/:4000, PostgreSQL :5432, Redis :6379)
                   Reachable from your whole network, not just this laptop.
                   → node9 shield enable postgres|redis   — node9 blocks DROP TABLE / FLUSHALL
                   → bind to 127.0.0.1 / firewall the port   (your part)

  ✅ Supply chain   no issues found
  ✅ Coverage       no issues found

  Track this across your fleet & keep it green → node9.ai

Live monitoring

Node9 monitor dashboard

node9 monitor opens an interactive terminal dashboard with two views:

[1] Realtime — live activity, approvals, security alerts, current risk score
[2] Report — period-windowed summary: cost, top tools, shields fired, blast radius

Report

Press [2] in monitor for a period-windowed summary. Toggle the window with [T]oday · [W]eek · [M]onth · [N]inety — same panels as the scan above, driven by your post-install audit log.

Node9 monitor [2] Report

node9 monitor              # press [2] for Report view
node9 report --period 7d   # CLI form, no TUI

Install

# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm (any platform)
npm install -g node9-ai

node9 init       # auto-wires all detected agents + MCP servers
node9 doctor     # verify everything is wired correctly

Requires Node.js 18+.

Shields — curated rule packs

Each shield is a curated rule set for a service or domain. Enable only what you need.

Shield	What it catches	Enable
`project-jail`	Blocks reads of `~/.ssh`, `~/.aws`, `.env`, credentials via Bash and Read tool	`node9 shield enable project-jail`
`bash-safe`	`curl \| bash`, `rm -rf /`, disk overwrite, `eval` of remote	`node9 shield enable bash-safe`
`postgres`	`DROP TABLE`, `TRUNCATE`, `DROP COLUMN`, `DELETE` without `WHERE`	`node9 shield enable postgres`
`mongodb`	`dropDatabase`, `drop()`, `deleteMany({})`, index drops	`node9 shield enable mongodb`
`redis`	`FLUSHALL`, `FLUSHDB`, `CONFIG SET` on a live server	`node9 shield enable redis`
`aws`	S3 delete, EC2 terminate, IAM changes, RDS destroy	`node9 shield enable aws`
`k8s`	namespace delete, `helm uninstall`, cluster role wipes	`node9 shield enable k8s`
`docker`	`system prune`, `volume prune`, `rm -f` containers	`node9 shield enable docker`
`github`	`gh repo delete`, remote branch deletion, settings changes	`node9 shield enable github`
`filesystem`	`chmod 777`, writes under `/etc/`, `/boot/`, `/usr/`	`node9 shield enable filesystem`
`mcp-tool-gating`	unapproved MCP tools silently activating new capabilities	`node9 shield enable mcp-tool-gating`

node9 shield list    # show all shields + status

Always on — no config needed

Git — catches git push --force, git reset --hard, git clean -fd
SQL — catches DELETE / UPDATE without WHERE, DROP TABLE, TRUNCATE
Shell — catches curl | bash, unauthorized sudo
DLP — flags AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument, file contents, or shell config (~/.zshrc, ~/.bashrc)
Response DLP — background scanner reads Claude's conversation history and alerts you if Claude wrote a secret in its response text
Auto-undo — git snapshot before every AI file edit → node9 undo to revert
Skills pinning — SHA-256 verification of installed Claude skills / plugins between sessions

Review prompts — approve inline, in your agent

When node9 flags an action for review (e.g. git push --force, a DROP TABLE), the approve/deny prompt renders inline in the agent conversation — no frozen session, no separate terminal, no hook-timeout race. node9 still runs the full evaluator and makes the decision; only the prompt surface moves to the agent.

On by default for Claude Code and GitHub Copilot CLI — the agents whose hook contract honors a native ask. Every other agent (Codex, Gemini, Antigravity, Hermes, Cursor, OpenCode, Pi) uses node9's own approver.
Control it with reviewChannel in ~/.node9/config.json (or --no-ask on the hook):

{
  "settings": {
    "reviewChannel": "ask", // "ask" = inline agent prompt (default) | "approver" = node9's own approver
  },
}

Team setups: when a cloud/team approver is configured (approvers.cloud: true), reviews route to that approver instead — node9 won't let an inline self-approval bypass routed/second-party approval.

Sandbox — run an agent in a jail

When watching isn't enough, node9 sandbox runs the agent inside a disposable container with a kernel-enforced egress allowlist and scoped mounts — while node9's hooks govern and audit every tool call inside the box. The hard version of protection: the agent can only touch the folder you mount and reach the hosts you allow; everything else is dropped at the kernel.

cd ~/my-project
node9 sandbox new        # write node9.sandbox.yaml — what to mount + which hosts to allow
node9 sandbox run        # build + boot the jailed agent (your project at /workspace)
node9 sandbox tail       # watch the agent's actions live, from the host

Disposable — the container is destroyed on exit; your project edits land on your real disk, nothing else survives.
Same policy — your existing shields / egress rules / approvals apply inside the box, streamed to the same audit log and dashboard.
Closes the posture loop — running it flips the Isolation / Egress findings green.

Honest scope (Phase 1): single container, Claude first (Codex next); the agent still holds its own credentials in the box (the egress wall confines them to the allowed hosts) — "the agent never holds a secret" is the credential-broker phase on the roadmap. Requires Docker.

MCP gateway

Wrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.

{
  "mcpServers": {
    "postgres": {
      "command": "node9",
      "args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
    }
  }
}

Or just run node9 init — it wraps your existing MCP servers automatically.

MCP tool pinning — rug-pull defense

MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after you first trusted it — a rug pull attack.

Node9 pins tool definitions on first use:

First connection — gateway records a SHA-256 hash of every tool's name, description, and schema
Subsequent connections — hash is compared; if tools changed, the session is quarantined and every tool call is blocked until a human reviews and approves the change
Corrupt pin state — fails closed (blocks), never silently re-trusts

node9 mcp pin list                # show all pinned servers and hashes
node9 mcp pin update <serverKey>  # remove pin, re-pin on next connection
node9 mcp pin reset               # clear all pins

Other commands

Beyond the three flow commands above (scan / monitor / report):

Command	What it shows	When to use
`node9 blast`	What an AI agent can reach right now — files, creds, env	First thing to run on any machine
`node9 tail`	Live stream of every tool call (text-only, no TUI)	Piping into other tools, CI, logs
`node9 sessions`	Session history with prompt, tool trace, cost, snapshot	Reviewing a handoff or past work
`node9 dlp`	Credential-leak findings in Claude response text	Any time a DLP desktop alert fires
`node9 mask`	Redact plaintext secrets from local session history files	After a DLP finding — cleans local disk

Plus a live HUD in your Claude Code statusline:

🛡 node9 | standard | [bash-safe] | ✅ 12 allowed  🛑 2 blocked  🚨 0 dlp | ~$0.43
📊 claude-opus-4-7 | ctx [████████░░░] 54% | 5h [██░░░░░░░░] 12% | 7d [█░░░░░░░] 7%
🗂 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks

Reading the data — what the numbers mean

Node9 surfaces the signal. Here are the patterns worth knowing:

Signal	Likely meaning
`Would have blocked` ≥ 5 in a week	Agent is attempting high-impact ops; shields are worth reviewing
Single `review-git-push` rule >50% of findings	Your own rule is firing as intended — not a risk, just supervision
DLP finding in `user-prompt` tool	You pasted a secret into your own prompt — rotate the key
Agent Loop ×50+ on same file	Agent stuck in edit/test/fix cycle — check context or slow down
MCP tool pin mismatch	Server changed its tools — review before re-trusting
Large MCP response warning	That server is inflating your context window for every subsequent turn
`Response DLP` alert	Claude wrote a secret in its response text — not blocked, rotate immediately
DLP finding in `tool-result`	Claude read a file containing a secret (`.env`, credentials) — rotate the key and run `node9 mask`
DLP finding in `[Shell]`	Plaintext secret in `~/.zshrc` or `~/.bashrc` — every AI session can see it

One-off signals are normal; persistent patterns are what you act on.

Python SDK — govern any Python agent

from node9 import configure, protect

configure(agent_name="my-agent", policy="require_approval")

@protect("bash")
def run_command(cmd: str) -> str:
    ...

Python SDK → · CI code review agent example →

Under the hood

Scan reads raw agent history from ~/.claude/projects/, ~/.gemini/tmp/, ~/.gemini/antigravity-*/brain/, ~/.copilot/session-state/, ~/.codex/sessions/ — no API calls, fully offline
Runtime intercepts tool calls via pre-execution hooks (Claude Code, Codex, Antigravity, GitHub Copilot CLI, Gemini CLI, Opencode, Pi) or via the MCP gateway (Cursor, Windsurf, VSCode, Claude Desktop). All decisions land in ~/.node9/audit.log atomically.
MCP gateway is a stdio proxy; intercepts tools/list + tools/call JSON-RPC, forwards the rest
Policy engine uses mvdan-sh for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
Shadow repo for auto-undo lives at ~/.node9/snapshots/<hash16>/ — never touches your .git
Sandbox generates a Dockerfile + entrypoint that seal an ipset/iptables deny-by-default egress wall, then drop to a non-root agent with node9's daemon + hooks running inside; only the agent's credential file is mounted, never your whole ~/.claude

Full docs

Config reference, smart rules, stateful rules, trusted hosts, approval modes, CLI reference — at node9.ai/docs.

node9-python — Python SDK
node9-pr-agent — GitHub Action that reviews PRs through Node9