https://github.com/node9-ai/node9-proxy

The Execution Security Layer for the Agentic Era. Providing deterministic "Sudo" governance and audit logs for autonomous AI agents.

# ๐Ÿ›ก๏ธ Node9 Proxy

### The "Sudo" Command for AI Agents.

[![NPM Version](https://img.shields.io/npm/v/@node9/proxy.svg)](https://www.npmjs.com/package/@node9/proxy)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
[![Open in HF Spaces](https://huggingface.co/datasets/huggingface/badges/resolve/main/open-in-hf-spaces-sm.svg)](https://huggingface.co/spaces/Node9ai/node9-security-demo)
[![Documentation](https://img.shields.io/badge/docs-node9.ai%2Fdocs-blue)](https://node9.ai/docs)

**Node9** sits between your AI agent and your system. Every shell command, file write, and tool call passes through Node9 first, where it is blocked, approved, or logged based on your policy. Works with Claude Code, Gemini CLI, Cursor, Codex, and any MCP server.

📖 **[Full Documentation →](https://node9.ai/docs)**

---

## The "Aha!" Moment

**AIs are literal.** Ask an agent to "fix disk space" and it might run `docker system prune -af --volumes`.

With Node9:

1. **AI attempts:** `Bash("docker system prune -af --volumes")`
2. **Node9 intercepts:** OS-native popup appears instantly
3. **You block it** with one click
4. **AI pivots:** _"I'll remove large log files instead"_

---

## Install

```bash
# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm
npm install -g @node9/proxy
```

```bash
node9 setup # auto-detects Claude Code, Gemini CLI, Cursor, Codex
node9 doctor # verify everything is wired correctly
```

---

## Shields: one command per service

Enable expert-crafted protection for the infrastructure your agent touches:

```bash
node9 shield enable postgres # blocks DROP TABLE, TRUNCATE, DROP COLUMN
node9 shield enable mongodb # blocks dropDatabase, drop(), deleteMany({})
node9 shield enable redis # blocks FLUSHALL, FLUSHDB
node9 shield enable aws # blocks S3 delete, EC2 terminate, IAM changes
node9 shield enable k8s # blocks namespace delete, helm uninstall
node9 shield enable docker # blocks system prune, volume prune, rm -f
node9 shield enable github # blocks gh repo delete, remote branch deletion
node9 shield enable bash-safe # blocks curl|bash, base64|sh, rm -rf /
node9 shield enable filesystem # reviews chmod 777, writes to /etc/

node9 shield list # see all shields and their status
```

---

## MCP Gateway: protect any MCP server

Wrap any MCP server transparently. The AI sees the same server; Node9 intercepts every tool call:

```json
{
  "mcpServers": {
    "postgres": {
      "command": "node9",
      "args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
    }
  }
}
```

Or use `node9 setup`, which wraps existing MCP servers automatically.

### MCP Tool Pinning: rug pull defense

MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after initial trust, a **rug pull** attack.

Node9 defends against this by **pinning** tool definitions on first use:

1. **First connection**: the gateway records a SHA-256 hash of all tool definitions
2. **Subsequent connections**: the hash is compared; if the tools changed, the session is **quarantined** and all tool calls are blocked until a human reviews and approves the change
3. **Corrupt pin state**: fails closed (blocks), never silently re-trusts

```bash
node9 mcp pin list # show all pinned servers and hashes
node9 mcp pin update # remove pin, re-pin on next connection
node9 mcp pin reset # clear all pins (re-pin on next connection)
```

This is automatic; no configuration is needed. The gateway pins on the first `tools/list` and enforces on every subsequent session.

---

## Python SDK: govern any Python agent

```python
from node9 import configure

configure(agent_name="my-agent", policy="require_approval")

# Your existing agent code runs unchanged; Node9 intercepts tool calls
```

**[Python SDK →](https://github.com/node9-ai/node9-python)** · **[Governed Agent examples →](https://github.com/node9-ai/governed-agent)**

---

## What's always on (no config needed)

- **Git:** blocks `git push --force`, `git reset --hard`, `git clean -fd`
- **SQL:** blocks `DELETE`/`UPDATE` without `WHERE`, `DROP TABLE`, `TRUNCATE`
- **Shell:** blocks `curl | bash`, `sudo` commands
- **DLP:** blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool call argument
- **Auto-undo:** git snapshot before every AI file edit → `node9 undo` to revert
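A minimal rule engine for the always-on checks listed above, as an added example (not Node9's own rules): each string argument of a tool call is screened for the git, SQL, shell and DLP patterns before execution, and the verdict names every rule that fired so it can be written to the audit log. The tool-call shape and the regexes are assumptions; the secret prefixes are the public formats of those key types.

```javascript
// Added example (not Node9's own code): a minimal version of the always-on checks
// listed above, applied to every string argument of a tool call before it executes.
// The patterns are illustrative; Node9's real rules are not reproduced here.
const COMMAND_RULES = [
  { name: "git-force-push", re: /\bgit\s+push\b.*\s(--force|-f)(?![\w-])/ },
  { name: "git-reset-hard", re: /\bgit\s+reset\s+--hard\b/ },
  { name: "git-clean-fd", re: /\bgit\s+clean\s+-\w*(f\w*d|d\w*f)/ },
  { name: "pipe-to-shell", re: /\bcurl\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b/ },
  { name: "sudo", re: /(^|[;&|(]\s*)sudo\s/ },
  { name: "sql-drop-or-truncate", re: /\b(DROP\s+TABLE|TRUNCATE)\b/i },
];
// DLP: secret material must never appear in a tool call argument. The prefixes are
// the public formats of these key types; any sample value used is constructed.
const SECRET_RULES = [
  { name: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "stripe-key", re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
  { name: "pem-private-key", re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];
// True if any statement in the text is a DELETE or UPDATE with no WHERE clause.
function sqlMissingWhere(text) {
  return text.split(";").some((stmt) => {
    const s = stmt.replace(/--[^\n]*/g, "").trim();
    return /^(DELETE\s+FROM|UPDATE)\s/i.test(s) && !/\bWHERE\b/i.test(s);
  });
}
// toolCall = { tool: "Bash", args: { command: "..." } } (assumed shape). Returns the
// verdict plus the names of every rule that fired, so the decision can be logged.
function evaluate(toolCall) {
  const hits = new Set();
  for (const raw of Object.values(toolCall.args)) {
    if (typeof raw !== "string") continue;
    for (const r of SECRET_RULES) if (r.re.test(raw)) hits.add("dlp:" + r.name);
    for (const r of COMMAND_RULES) if (r.re.test(raw)) hits.add(r.name);
    if (sqlMissingWhere(raw)) hits.add("sql-missing-where");
  }
  return { verdict: hits.size ? "block" : "allow", rules: [...hits].sort() };
}
```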

---

## 📖 Full docs

Everything else (config reference, smart rules, stateful rules, trusted hosts, approval modes, CLI reference) is at **[node9.ai/docs](https://node9.ai/docs)**.

---

## Related

- [node9-python](https://github.com/node9-ai/node9-python) - Python SDK
- [governed-agent](https://github.com/node9-ai/governed-agent) - Reference governed agents (CI code review fixer)

---

## Enterprise

Node9 Pro provides governance locking, SAML/SSO, and VPC deployment. Visit [node9.ai](https://node9.ai).