by node9-ai
The Execution Security Layer for the Agentic Era. Providing deterministic "Sudo" governance and audit logs for autonomous AI agents.
# Add to your Claude Code skills
git clone https://github.com/node9-ai/node9-proxyNode9 sits between your AI agent and the tools it can use — discover what it's already been doing, protect against risky actions in real time, and review what happened over any time window.
Works with Claude Code · Codex CLI · Gemini CLI · Cursor · Windsurf · any MCP server.
rm -rf, git push --force, DROP TABLE, credential reads, curl | bash, AWS/GitHub/Stripe key leaksThis is my own machine — 90 days while building Node9. Score 25/100, 5 credential files an AI agent could reach right now.
npx node9-ai scan # before installation, runs in ~10s, nothing uploads
node9 scan # after installation, same output
node9 monitor opens an interactive terminal dashboard with two views:
[1] Realtime — live activity, approvals, security alerts, current risk score[2] Report — period-windowed summary: cost, top tools, shields fired, blast radiusPress [2] in monitor for a period-windowed summary. Toggle the window with · · · — same panels as the scan above, driven by your post-install audit log.
No comments yet. Be the first to share your thoughts!
[T]oday[W]eek[M]onth[N]inetynode9 monitor # press [2] for Report view
node9 report --period 7d # CLI form, no TUI
# macOS / Linux
brew tap node9-ai/node9 && brew install node9
# or via npm (any platform)
npm install -g node9-ai
node9 init # auto-wires Claude Code, Gemini CLI, Cursor, Codex, MCP servers
node9 doctor # verify everything is wired correctly
Requires Node.js 18+.
Each shield is a curated rule set for a service or domain. Enable only what you need.
| Shield | What it catches | Enable |
| ----------------- | ------------------------------------------------------------------------------ | ------------------------------------- |
| project-jail | Blocks reads of ~/.ssh, ~/.aws, .env, credentials via Bash and Read tool | node9 shield enable project-jail |
| bash-safe | curl \| bash, rm -rf /, disk overwrite, eval of remote | node9 shield enable bash-safe |
| postgres | DROP TABLE, TRUNCATE, DROP COLUMN, DELETE without WHERE | node9 shield enable postgres |
| mongodb | dropDatabase, drop(), deleteMany({}), index drops | node9 shield enable mongodb |
| redis | FLUSHALL, FLUSHDB, CONFIG SET on a live server | node9 shield enable redis |
| aws | S3 delete, EC2 terminate, IAM changes, RDS destroy | node9 shield enable aws |
| k8s | namespace delete, helm uninstall, cluster role wipes | node9 shield enable k8s |
| docker | system prune, volume prune, rm -f containers | node9 shield enable docker |
| github | gh repo delete, remote branch deletion, settings changes | node9 shield enable github |
| filesystem | chmod 777, writes under /etc/, /boot/, /usr/ | node9 shield enable filesystem |
| mcp-tool-gating | unapproved MCP tools silently activating new capabilities | node9 shield enable mcp-tool-gating |
node9 shield list # show all shields + status
git push --force, git reset --hard, git clean -fdDELETE / UPDATE without WHERE, DROP TABLE, TRUNCATEcurl | bash, unauthorized sudo~/.zshrc, ~/.bashrc)node9 undo to revertWrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.
{
"mcpServers": {
"postgres": {
"command": "node9",
"args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
}
}
}
Or just run node9 init — it wraps your existing MCP servers automatically.
MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after you first trusted it — a rug pull attack.
Node9 pins tool definitions on first use:
node9 mcp pin list # show all pinned servers and hashes
node9 mcp pin update <serverKey> # remove pin, re-pin on next connection
node9 mcp pin reset # clear all pins
Beyond the three flow commands above (scan / monitor / report):
| Command | What it shows | When to use |
| ---------------- | --------------------------------------------------------- | --------------------------------------- |
| node9 blast | What an AI agent can reach right now — files, creds, env | First thing to run on any machine |
| node9 tail | Live stream of every tool call (text-only, no TUI) | Piping into other tools, CI, logs |
| node9 sessions | Session history with prompt, tool trace, cost, snapshot | Reviewing a handoff or past work |
| node9 dlp | Credential-leak findings in Claude response text | Any time a DLP desktop alert fires |
| node9 mask | Redact plaintext secrets from local session history files | After a DLP finding — cleans local disk |
Plus a live HUD in your Claude Code statusline:
🛡 node9 | standard | [bash-safe] | ✅ 12 allowed 🛑 2 blocked 🚨 0 dlp | ~$0.43
📊 claude-opus-4-7 | ctx [████████░░░] 54% | 5h [██░░░░░░░░] 12% | 7d [█░░░░░░░] 7%
🗂 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks
Node9 surfaces the signal. Here are the patterns worth knowing:
| Signal | Likely meaning |
| ---------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| Would have blocked ≥ 5 in a week | Agent is attempting high-impact ops; shields are worth reviewing |
| Single review-git-push rule >50% of findings | Your own rule is firing as intended — not a risk, just supervision |
| DLP finding in user-prompt tool | You pasted a secret into your own prompt — rotate the key |
| Agent Loop ×50+ on same file | Agent stuck in edit/test/fix cycle — check context or slow down |
| MCP tool pin mismatch | Server changed its tools — review before re-trusting |
| Large MCP response warning | That server is inflating your context window for every subsequent turn |
| Response DLP alert | Claude