{"id":50730636,"url":"https://github.com/node9-ai/node9-wrapper","last_synced_at":"2026-06-10T08:30:26.052Z","repository":{"id":353120932,"uuid":"1218014103","full_name":"node9-ai/node9-wrapper","owner":"node9-ai","description":null,"archived":false,"fork":false,"pushed_at":"2026-06-07T21:04:06.000Z","size":50,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-07T23:09:36.860Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/node9-ai.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-22T12:56:27.000Z","updated_at":"2026-06-07T21:04:09.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/node9-ai/node9-wrapper","commit_stats":null,"previous_names":["node9-ai/node9-wrapper"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/node9-ai/node9-wrapper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/node9-ai%2Fnode9-wrapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/node9-ai%2Fnode9-wrapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/node9-ai%2Fnode9-wrapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/node9-ai%2Fnode9-wrapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/node9-ai","download_url":"https://codeload.github.com/node9-ai/node9-wrapper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/node9-ai%2Fnode9-wrapper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34144679,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-10T08:30:22.207Z","updated_at":"2026-06-10T08:30:26.040Z","avatar_url":"https://github.com/node9-ai.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e๐Ÿ›ก๏ธ Node9\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\u003cstrong\u003eWhat did your AI agent actually do? Find out.\u003c/strong\u003e\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://www.npmjs.com/package/node9-ai\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/node9-ai.svg\" alt=\"npm version\" /\u003e\u003c/a\u003e\n \u003ca href=\"https://www.npmjs.com/package/node9-ai\"\u003e\u003cimg src=\"https://img.shields.io/npm/dm/node9-ai.svg\" alt=\"monthly downloads\" /\u003e\u003c/a\u003e\n \u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg\" alt=\"License: Apache 2.0\" /\u003e\u003c/a\u003e\n \u003ca href=\"https://node9.ai/docs\"\u003e\u003cimg src=\"https://img.shields.io/badge/docs-node9.ai-blue\" alt=\"Documentation\" /\u003e\u003c/a\u003e\n \u003ca href=\"https://huggingface.co/spaces/Node9ai/node9-security-demo\"\u003e\u003cimg src=\"https://huggingface.co/datasets/huggingface/badges/resolve/main/open-in-hf-spaces-sm.svg\" alt=\"Try on HF Spaces\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nNode9 sits between your AI agent and the tools it can use โ€” **discover** what it's already been doing, **protect** against risky actions in real time, and **review** what happened over any time window.\n\nWorks with **Claude Code ยท Codex CLI ยท Antigravity (agy) ยท GitHub Copilot CLI ยท Gemini CLI ยท Cursor ยท Windsurf ยท VSCode ยท Claude Desktop ยท Opencode ยท Pi ยท Hermes Agent ยท any MCP server**.\n\n## What Node9 does\n\n- ๐Ÿ” **Discover** โ€” scan every past AI session for credential leaks, agent loops, blocked operations, and every secret on disk an agent could reach right now\n- ๐Ÿ›ก **Protect** โ€” review or block risky commands before they run โ€” `rm -rf`, `git push --force`, `DROP TABLE`, credential reads, `curl | bash`, AWS/GitHub/Stripe key leaks\n- ๐Ÿ“Š **Review** โ€” period-windowed report (today / week / month / 90 days) โ€” cost per agent, top tools, shields fired, blast radius\n\n## Retrospective scan\n\nThis is my own machine โ€” 90 days while building Node9. Score 25/100, 5 credential files an AI agent could reach right now.\n\n```bash\nnpx node9-ai scan # before installation, runs in ~10s, nothing uploads\nnode9 scan # after installation, same output\n```\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://github.com/user-attachments/assets/7c5b30f1-1ca1-40b4-bfd5-d6671002e98e\" width=\"720\" alt=\"Node9 scan scorecard\" /\u003e\n\u003c/p\u003e\n\n## Live monitoring\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://github.com/user-attachments/assets/4661da97-c174-4bae-ae54-4c52a1d69213\" width=\"720\" alt=\"Node9 monitor dashboard\" /\u003e\n\u003c/p\u003e\n\n`node9 monitor` opens an interactive terminal dashboard with two views:\n\n- **`[1]` Realtime** โ€” live activity, approvals, security alerts, current risk score\n- **`[2]` Report** โ€” period-windowed summary: cost, top tools, shields fired, blast radius\n\n## Report\n\nPress `[2]` in monitor for a period-windowed summary. Toggle the window with `[T]oday` ยท `[W]eek` ยท `[M]onth` ยท `[N]inety` โ€” same panels as the scan above, driven by your post-install audit log.\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://github.com/user-attachments/assets/66c02a72-e477-443d-807f-d65a21d096cd\" width=\"720\" alt=\"Node9 monitor [2] Report\" /\u003e\n\u003c/p\u003e\n\n```bash\nnode9 monitor # press [2] for Report view\nnode9 report --period 7d # CLI form, no TUI\n```\n\n## Install\n\n```bash\n# macOS / Linux\nbrew tap node9-ai/node9 \u0026\u0026 brew install node9\n\n# or via npm (any platform)\nnpm install -g node9-ai\n```\n\n```bash\nnode9 init # auto-wires all detected agents + MCP servers\nnode9 doctor # verify everything is wired correctly\n```\n\nRequires Node.js 18+.\n\n## Shields โ€” curated rule packs\n\nEach shield is a curated rule set for a service or domain. Enable only what you need.\n\n| Shield | What it catches | Enable |\n| ----------------- | ------------------------------------------------------------------------------ | ------------------------------------- |\n| `project-jail` | Blocks reads of `~/.ssh`, `~/.aws`, `.env`, credentials via Bash and Read tool | `node9 shield enable project-jail` |\n| `bash-safe` | `curl \\| bash`, `rm -rf /`, disk overwrite, `eval` of remote | `node9 shield enable bash-safe` |\n| `postgres` | `DROP TABLE`, `TRUNCATE`, `DROP COLUMN`, `DELETE` without `WHERE` | `node9 shield enable postgres` |\n| `mongodb` | `dropDatabase`, `drop()`, `deleteMany({})`, index drops | `node9 shield enable mongodb` |\n| `redis` | `FLUSHALL`, `FLUSHDB`, `CONFIG SET` on a live server | `node9 shield enable redis` |\n| `aws` | S3 delete, EC2 terminate, IAM changes, RDS destroy | `node9 shield enable aws` |\n| `k8s` | namespace delete, `helm uninstall`, cluster role wipes | `node9 shield enable k8s` |\n| `docker` | `system prune`, `volume prune`, `rm -f` containers | `node9 shield enable docker` |\n| `github` | `gh repo delete`, remote branch deletion, settings changes | `node9 shield enable github` |\n| `filesystem` | `chmod 777`, writes under `/etc/`, `/boot/`, `/usr/` | `node9 shield enable filesystem` |\n| `mcp-tool-gating` | unapproved MCP tools silently activating new capabilities | `node9 shield enable mcp-tool-gating` |\n\n```bash\nnode9 shield list # show all shields + status\n```\n\n## Always on โ€” no config needed\n\n- **Git** โ€” catches `git push --force`, `git reset --hard`, `git clean -fd`\n- **SQL** โ€” catches `DELETE` / `UPDATE` without `WHERE`, `DROP TABLE`, `TRUNCATE`\n- **Shell** โ€” catches `curl | bash`, unauthorized `sudo`\n- **DLP** โ€” flags AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument, file contents, or shell config (`~/.zshrc`, `~/.bashrc`)\n- **Response DLP** โ€” background scanner reads Claude's conversation history and alerts you if Claude _wrote_ a secret in its response text\n- **Auto-undo** โ€” git snapshot before every AI file edit โ†’ `node9 undo` to revert\n- **Skills pinning** โ€” SHA-256 verification of installed Claude skills / plugins between sessions\n\n## MCP gateway\n\nWrap any MCP server transparently. The agent sees the same server โ€” Node9 intercepts every tool call.\n\n```json\n{\n \"mcpServers\": {\n \"postgres\": {\n \"command\": \"node9\",\n \"args\": [\"mcp\", \"--upstream\", \"npx -y @modelcontextprotocol/server-postgres postgresql://...\"]\n }\n }\n}\n```\n\nOr just run `node9 init` โ€” it wraps your existing MCP servers automatically.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e๐Ÿ” MCP tool pinning โ€” rug-pull defense\u003c/strong\u003e\u003c/summary\u003e\n\nMCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after you first trusted it โ€” a **rug pull** attack.\n\nNode9 pins tool definitions on first use:\n\n1. **First connection** โ€” gateway records a SHA-256 hash of every tool's name, description, and schema\n2. **Subsequent connections** โ€” hash is compared; if tools changed, the session is **quarantined** and every tool call is blocked until a human reviews and approves the change\n3. **Corrupt pin state** โ€” fails closed (blocks), never silently re-trusts\n\n```bash\nnode9 mcp pin list # show all pinned servers and hashes\nnode9 mcp pin update \u003cserverKey\u003e # remove pin, re-pin on next connection\nnode9 mcp pin reset # clear all pins\n```\n\n\u003c/details\u003e\n\n## Other commands\n\nBeyond the three flow commands above (`scan` / `monitor` / `report`):\n\n| Command | What it shows | When to use |\n| ---------------- | --------------------------------------------------------- | --------------------------------------- |\n| `node9 blast` | What an AI agent can reach right now โ€” files, creds, env | First thing to run on any machine |\n| `node9 tail` | Live stream of every tool call (text-only, no TUI) | Piping into other tools, CI, logs |\n| `node9 sessions` | Session history with prompt, tool trace, cost, snapshot | Reviewing a handoff or past work |\n| `node9 dlp` | Credential-leak findings in Claude response text | Any time a DLP desktop alert fires |\n| `node9 mask` | Redact plaintext secrets from local session history files | After a DLP finding โ€” cleans local disk |\n\nPlus a **live HUD** in your Claude Code statusline:\n\n```\n๐Ÿ›ก node9 | standard | [bash-safe] | โœ… 12 allowed ๐Ÿ›‘ 2 blocked ๐Ÿšจ 0 dlp | ~$0.43\n๐Ÿ“Š claude-opus-4-7 | ctx [โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘] 54% | 5h [โ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘] 12% | 7d [โ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘] 7%\n๐Ÿ—‚ 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks\n```\n\n## Reading the data โ€” what the numbers mean\n\nNode9 surfaces the signal. Here are the patterns worth knowing:\n\n| Signal | Likely meaning |\n| ---------------------------------------------- | -------------------------------------------------------------------------------------------------- |\n| `Would have blocked` โ‰ฅ 5 in a week | Agent is attempting high-impact ops; shields are worth reviewing |\n| Single `review-git-push` rule \u003e50% of findings | Your own rule is firing as intended โ€” not a risk, just supervision |\n| DLP finding in `user-prompt` tool | You pasted a secret into your own prompt โ€” rotate the key |\n| Agent Loop ร—50+ on same file | Agent stuck in edit/test/fix cycle โ€” check context or slow down |\n| MCP tool pin mismatch | Server changed its tools โ€” review before re-trusting |\n| Large MCP response warning | That server is inflating your context window for every subsequent turn |\n| `Response DLP` alert | Claude wrote a secret in its response text โ€” not blocked, rotate immediately |\n| DLP finding in `tool-result` | Claude read a file containing a secret (`.env`, credentials) โ€” rotate the key and run `node9 mask` |\n| DLP finding in `[Shell]` | Plaintext secret in `~/.zshrc` or `~/.bashrc` โ€” every AI session can see it |\n\nOne-off signals are normal; persistent patterns are what you act on.\n\n## Python SDK โ€” govern any Python agent\n\n```python\nfrom node9 import configure, protect\n\nconfigure(agent_name=\"my-agent\", policy=\"require_approval\")\n\n@protect(\"bash\")\ndef run_command(cmd: str) -\u003e str:\n ...\n```\n\n**[Python SDK โ†’](https://github.com/node9-ai/node9-python)** ยท **[CI code review agent example โ†’](https://github.com/node9-ai/node9-pr-agent)**\n\n## Under the hood\n\n- **Scan** reads raw agent history from `~/.claude/projects/`, `~/.gemini/tmp/`, `~/.gemini/antigravity-*/brain/`, `~/.copilot/session-state/`, `~/.codex/sessions/` โ€” no API calls, fully offline\n- **Runtime** intercepts tool calls via pre-execution hooks (Claude Code, Codex, Antigravity, GitHub Copilot CLI, Gemini CLI, Opencode, Pi) or via the MCP gateway (Cursor, Windsurf, VSCode, Claude Desktop). All decisions land in `~/.node9/audit.log` atomically.\n- **MCP gateway** is a stdio proxy; intercepts `tools/list` + `tools/call` JSON-RPC, forwards the rest\n- **Policy engine** uses [mvdan-sh](https://github.com/mvdan/sh) for bash AST analysis โ€” defeats obfuscation via backslash escaping, variable substitution, eval of remote download\n- **Shadow repo** for auto-undo lives at `~/.node9/snapshots/\u003chash16\u003e/` โ€” never touches your `.git`\n\n## Full docs\n\nConfig reference, smart rules, stateful rules, trusted hosts, approval modes, CLI reference โ€” at **[node9.ai/docs](https://node9.ai/docs)**.\n\n## Related projects\n\n- **[node9-python](https://github.com/node9-ai/node9-python)** โ€” Python SDK\n- **[node9-pr-agent](https://github.com/node9-ai/node9-pr-agent)** โ€” GitHub Action that reviews PRs through Node9\n\n## Enterprise\n\n**Node9 Pro** adds governance locking, SAML/SSO, central audit export, and VPC deployment. See [node9.ai](https://node9.ai).\n\n## License\n\nApache-2.0\n\n\u003cp align=\"center\"\u003e\n \u003csub\u003eBuilt with โ˜• and healthy paranoia.\u003c/sub\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnode9-ai%2Fnode9-wrapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnode9-ai%2Fnode9-wrapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnode9-ai%2Fnode9-wrapper/lists"}