npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@node9/proxy

v1.19.2

Published

The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

node9.ainode9.ai

Keywords

ai-securitymcpmcp-proxyclaude-codegemini-clicursoragentic-aiagent-securitysudosecurity-proxyhuman-in-the-loophitl

Readme

What node9 scan shows on a real machine

This is my own machine — 30 days while building Node9. Score 25/100, 5 credential files an AI agent could reach right now.

🛡  Node9 Scan  ·  21 sessions  ·  8,114 tool calls  ·  Apr 6 – May 1, 2026

Security Score: 25/100  ·  Critical
$3,789 AI spend  ·  62 risky operations

🔑  14   credential leak     (Bearer Token ×4, GCP API Key ×4, JWT ×2)
🛑  15   would have blocked  (force-push ×5, read-ssh ×4, read-aws ×4)
🔁  193  agent loops         (18% wasted  ·  ~$6.51)
👁  33   flagged for review  (git-destructive ×19, rm ×9, sudo ×2)

🔭  Blast radius             ssh × gcp × npm × other (5 exposures)

→  npx node9-ai scan         run this on your machine

Run it on yours — npx node9-ai scan finishes in ~10 seconds and runs entirely local. Nothing uploads. The full breakdown with every tool call, file path, and timestamp is node9 scan (default mode). For a browser dashboard view, run node9 daemon start --openui.

What Node9 does

  • 🛑 Block dangerous AI actions before they run — rm -rf, git push --force, DROP TABLE, credential reads, curl | bash
  • 🔍 Scan what your AI agent has already been doing — loops, leaked secrets, blocked operations across every session
  • 🔑 Catch credential leaks — AWS keys, GitHub tokens, JWTs, GCP API keys, PEM private keys flagged in tool arguments, file contents Claude reads back, and shell config files
  • 🔭 Map your blast radius — every SSH key, AWS credential, and .env file an AI agent on this machine could reach right now

Works with Claude Code · Cursor · Codex · Gemini CLI · any MCP server.

How is this different from gitleaks / Snyk / TruffleHog?

Those scan repositories for credentials. Node9 scans AI agent session history — what your AI ran, what it read, what credentials passed through tool calls. Different surface area.

Node9 catches things gitleaks can't:

  • Credentials the AI read but never committed
  • Agent edit loops that burn tokens on retries
  • Dangerous shell commands the AI ran without confirmation
  • Blast radius — which credential files an AI agent on this machine could reach right now

Run gitleaks for committed code. Run Node9 for AI session history.

Install

# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm (any platform)
npm install -g node9-ai
node9 init       # auto-wires Claude Code, Gemini CLI, Cursor, Codex, MCP servers
node9 doctor     # verify everything is wired correctly

That's it — future agent sessions are protected.

Shields — expert policy in one command

Each shield is a curated rule set for a service or domain. Enable only what you need.

| Shield | What it catches | Enable | | ----------------- | ------------------------------------------------------------------------------ | ------------------------------------- | | project-jail | Blocks reads of ~/.ssh, ~/.aws, .env, credentials via Bash and Read tool | node9 shield enable project-jail | | bash-safe | curl \| bash, rm -rf /, disk overwrite, eval of remote | node9 shield enable bash-safe | | postgres | DROP TABLE, TRUNCATE, DROP COLUMN, DELETE without WHERE | node9 shield enable postgres | | mongodb | dropDatabase, drop(), deleteMany({}), index drops | node9 shield enable mongodb | | redis | FLUSHALL, FLUSHDB, CONFIG SET on a live server | node9 shield enable redis | | aws | S3 delete, EC2 terminate, IAM changes, RDS destroy | node9 shield enable aws | | k8s | namespace delete, helm uninstall, cluster role wipes | node9 shield enable k8s | | docker | system prune, volume prune, rm -f containers | node9 shield enable docker | | github | gh repo delete, remote branch deletion, settings changes | node9 shield enable github | | filesystem | chmod 777, writes under /etc/, /boot/, /usr/ | node9 shield enable filesystem | | mcp-tool-gating | unapproved MCP tools silently activating new capabilities | node9 shield enable mcp-tool-gating |

node9 shield list    # show all shields + status

Always on — no config needed

  • Git — blocks git push --force, git reset --hard, git clean -fd
  • SQL — blocks DELETE / UPDATE without WHERE, DROP TABLE, TRUNCATE
  • Shell — blocks curl | bash, unauthorized sudo
  • DLP — blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument, file Claude reads, or shell config (~/.zshrc, ~/.bashrc)
  • Response DLP — background scanner reads Claude's conversation history and alerts you if Claude wrote a secret in its response text (not just executed one). Gemini / Codex coverage coming.
  • Auto-undo — git snapshot before every AI file edit → node9 undo to revert
  • Skills pinning — SHA-256 verification of installed Claude skills / plugins between sessions

MCP gateway — protect any MCP server

Wrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.

{
  "mcpServers": {
    "postgres": {
      "command": "node9",
      "args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
    }
  }
}

Or just run node9 init — it wraps your existing MCP servers automatically.

MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after you first trusted it — a rug pull attack.

Node9 pins tool definitions on first use:

  1. First connection — gateway records a SHA-256 hash of every tool's name, description, and schema
  2. Subsequent connections — hash is compared; if tools changed, the session is quarantined and every tool call is blocked until a human reviews and approves the change
  3. Corrupt pin state — fails closed (blocks), never silently re-trusts
node9 mcp pin list                # show all pinned servers and hashes
node9 mcp pin update <serverKey>  # remove pin, re-pin on next connection
node9 mcp pin reset               # clear all pins

Automatic, no configuration. The gateway pins on first tools/list and enforces on every subsequent session.

When an MCP server returns a 500KB+ response, it sits in the context window for every subsequent LLM turn — often silently doubling per-turn cost. Node9 warns you in real time with a toast and records the event in the dashboard so you can spot the offender.

Observability — five views

Every tool call is recorded — command, arguments, decision, cost. See what your agent did, five ways:

| Command | What it shows | When to use | | ---------------- | --------------------------------------------------------- | ----------------------------------------- | | node9 blast | What an AI agent can reach right now — files, creds, env | First thing to run on any machine | | node9 scan | Retrospective audit of existing agent history | Before installing, or to review past risk | | node9 mask | Redact plaintext secrets from local session history files | After a DLP finding — cleans local disk | | node9 tail | Live stream of every tool call | Watching an agent work in real time | | node9 report | Per-period summary: allowed/blocked/DLP/cost + top tools | Reviewing what happened after a session | | node9 sessions | Session history with prompt, tool trace, cost, snapshot | Reviewing a handoff or past work | | node9 dlp | Credential-leak findings in Claude response text | Any time a DLP desktop alert fires |

Plus a live HUD in your Claude Code statusline:

🛡 node9 | standard | [bash-safe] | ✅ 12 allowed  🛑 2 blocked  🚨 0 dlp | ~$0.43
📊 claude-opus-4-6 | ctx [████████░░░] 54% | 5h [██░░░░░░░░] 12% | 7d [█░░░░░░░] 7%
🗂 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks

And a browser dashboard that auto-opens after node9 scan — History Audit modal with full drill-down, per-agent breakdown, loop-cost estimate, and live status strip.

Reading the data — what the numbers mean

Node9 surfaces the signal. Here are the patterns worth knowing:

| Signal | Likely meaning | | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | | Would have blocked ≥ 5 in a week | Agent is attempting destructive ops; shields need review | | Single review-git-push rule accounts for >50% of findings | Your own rule is firing as intended — not a risk, just supervision | | DLP finding in user-prompt tool | You pasted a secret into your own prompt — rotate the key | | Agent Loop ×50+ on same file | Agent stuck in edit/test/fix cycle — check context or slow down | | MCP tool pin mismatch | Server changed its tools — review before re-trusting | | Large MCP response warning | That server is inflating your context window for every subsequent turn | | Response DLP alert | Claude wrote a secret in its response text — not blocked, rotate immediately | | DLP finding in tool-result | Claude read a file containing a secret (.env, credentials) — rotate the key and run node9 mask | | DLP finding in [Shell] | Plaintext secret in ~/.zshrc or ~/.bashrc — every AI session can see it |

These are starting points, not verdicts. One-off signals are normal; persistent patterns are what you act on.

Python SDK — govern any Python agent

from node9 import configure, protect

configure(agent_name="my-agent", policy="require_approval")

@protect("bash")
def run_command(cmd: str) -> str:
    ...

Python SDK → · CI code review agent example →

Under the hood

  • Scan reads raw agent history from ~/.claude/projects/, ~/.gemini/tmp/, ~/.codex/sessions/ — no API calls, fully offline
  • Runtime wires PreToolUse hooks into Claude Code, Gemini CLI, and Codex — hooks write to ~/.node9/audit.log atomically
  • MCP gateway is a stdio proxy; intercepts tools/list + tools/call JSON-RPC, forwards the rest
  • Policy engine uses mvdan-sh for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
  • Shadow repo for auto-undo lives at ~/.node9/snapshots/<hash16>/ — never touches your .git

📖 Full docs

Everything else — config reference, smart rules, stateful rules, trusted hosts, approval modes, Slack integration, CLI reference — is at node9.ai/docs.

Related projects

  • node9-python — Python SDK for governed agents
  • node9-pr-agent — GitHub Action that reviews PRs through Node9 (reference implementation of a governed agent)

Enterprise

Node9 Pro adds governance locking, SAML/SSO, central audit export, and VPC deployment. See node9.ai.