npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@agenshield/interceptor

v0.7.2

Published

Node.js runtime interception via ESM loader and CJS preload

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

davidfronteggdavidfrontegg

Keywords

Readme

@agenshield/interceptor

Node.js runtime interception via ESM loader and CJS preload. It instruments selected Node APIs to apply AgenShield policy checks and (in some cases) route traffic through the broker.

Purpose

  • Enforce policy checks inside a Node process without changing application code.
  • Provide a quick on-ramp for CLI tools (npm, curl wrappers, etc.).
  • Emit local audit events to the broker.

Installation

npm install @agenshield/interceptor

Usage

ESM loader (recommended)

node --import @agenshield/interceptor/register app.js

CommonJS preload

node -r @agenshield/interceptor/require app.js

Programmatic

import { installInterceptors, uninstallInterceptors } from '@agenshield/interceptor';

installInterceptors({
  socketPath: '/var/run/agenshield.sock',
  failOpen: false,
});

// ... your app ...

uninstallInterceptors();

What Gets Intercepted

  • fetch (global)
  • http / https (request, get)
  • WebSocket (global, if present)
  • fs, fs/promises (read/write/list)
  • child_process (exec, spawn, execSync, etc.)

Configuration

createConfig() reads environment variables (or you can pass overrides to installInterceptors()):

  • AGENSHIELD_SOCKET - Unix socket path.
  • AGENSHIELD_HOST - HTTP fallback host.
  • AGENSHIELD_PORT - HTTP fallback port.
  • AGENSHIELD_FAIL_OPEN - true to allow operations if broker is unreachable.
  • AGENSHIELD_LOG_LEVEL - debug|info|warn|error.
  • AGENSHIELD_INTERCEPT_FETCH - enable/disable fetch interception.
  • AGENSHIELD_INTERCEPT_HTTP - enable/disable http/https interception.
  • AGENSHIELD_INTERCEPT_WS - enable/disable WebSocket interception.
  • AGENSHIELD_INTERCEPT_FS - enable/disable fs interception.
  • AGENSHIELD_INTERCEPT_EXEC - enable/disable child_process interception.
  • AGENSHIELD_TIMEOUT - broker request timeout (ms).
  • AGENSHIELD_POLICY_CACHE_TTL - policy cache TTL (ms).

Behavior Details (Important)

  • fetch requests are proxied through the broker (http_request) and return a synthetic Response.
  • http/https requests are NOT proxied; a policy check runs asynchronously and may destroy the request if denied.
  • fs async APIs perform a policy check, then call the original local method (no broker proxy).
  • fs sync APIs perform a synchronous policy check via SyncClient, then call the original local method.
  • child_process.exec performs an async policy check and returns a dummy process immediately; the actual command is executed only after policy approval.
  • child_process.spawn and execFile perform async policy checks but still start the process immediately.
  • WebSocket interception closes connections post-hoc if denied.

Limitations and Caveats

  • Only fetch is truly proxied through the broker; other interceptors are policy checks around local calls.
  • Async HTTP and process interceptors cannot fully block before the underlying operation starts.
  • Sync interceptors (fs, execSync, spawnSync) use a hardcoded broker socket/host/port (/var/run/agenshield.sock, localhost:5200) and ignore config overrides.
  • Broker URL bypass checks are hardcoded to localhost:5200; non-default ports can lead to interception recursion.
  • WebSocket interception requires globalThis.WebSocket to exist (not always true in Node without a polyfill).
  • Native modules or direct syscalls that bypass Node APIs are not intercepted.

Roadmap (Ideas)

  • Use config overrides for sync clients.
  • Full proxying for http/https and child_process where possible.
  • Safer broker URL detection for non-default ports.
  • Comprehensive test suite around interception edge cases.

Development

# Build
npx nx build shield-interceptor

Contribution Guide

  • Keep interceptors isolated and reversible (always restore originals).
  • Add new interceptors in src/interceptors/ and register in src/installer.ts.
  • Extend @agenshield/ipc if new operation types are introduced.

Agent Notes

  • src/installer.ts is the authoritative install/uninstall sequence.
  • src/interceptors/base.ts handles policy checks and fail-open behavior.
  • src/client/http-client.ts is async (socket then HTTP), while src/client/sync-client.ts uses a subprocess for sync calls.
  • When adjusting policy checks, update PolicyEvaluator caching semantics in src/policy/.