Node9 sits between your AI agent and your system. Every shell command, file write, and tool call passes through Node9 first β blocked, approved, or logged based on your policy. Works with Claude Code, Gemini CLI, Cursor, Codex, and any MCP server.
AIs move fast. Ask an agent to "ship the fix" and it might push straight to git without asking you.
With Node9:
- AI attempts:
Bash("git push origin main") - Node9 intercepts: OS-native popup appears instantly
- You block it β one click
- AI pivots: "I'll create a PR for review instead"
# macOS / Linux
brew tap node9-ai/node9 && brew install node9
# or via npm
npm install -g @node9/proxynode9 init # auto-detects Claude Code, Gemini CLI, Cursor, Codex
node9 doctor # verify everything is wired correctlyEnable expert-crafted protection for the infrastructure your agent touches:
node9 shield enable postgres # blocks DROP TABLE, TRUNCATE, DROP COLUMN
node9 shield enable mongodb # blocks dropDatabase, drop(), deleteMany({})
node9 shield enable redis # blocks FLUSHALL, FLUSHDB
node9 shield enable aws # blocks S3 delete, EC2 terminate, IAM changes
node9 shield enable k8s # blocks namespace delete, helm uninstall
node9 shield enable docker # blocks system prune, volume prune, rm -f
node9 shield enable github # blocks gh repo delete, remote branch deletion
node9 shield enable bash-safe # blocks curl|bash, base64|sh, rm -rf /
node9 shield enable filesystem # reviews chmod 777, writes to /etc/
node9 shield list # see all shields and their statusWrap any MCP server transparently. The AI sees the same server β Node9 intercepts every tool call:
{
"mcpServers": {
"postgres": {
"command": "node9",
"args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
}
}
}Or use node9 init β it wraps existing MCP servers automatically.
MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after initial trust β a rug pull attack.
Node9 defends against this by pinning tool definitions on first use:
- First connection β the gateway records a SHA-256 hash of all tool definitions
- Subsequent connections β the hash is compared; if tools changed, the session is quarantined and all tool calls are blocked until a human reviews and approves the change
- Corrupt pin state β fails closed (blocks), never silently re-trusts
node9 mcp pin list # show all pinned servers and hashes
node9 mcp pin update <serverKey> # remove pin, re-pin on next connection
node9 mcp pin reset # clear all pins (re-pin on next connection)This is automatic β no configuration needed. The gateway pins on first tools/list and enforces on every subsequent session.
from node9 import configure
configure(agent_name="my-agent", policy="require_approval")
# Your existing agent code runs unchanged β Node9 intercepts tool callsPython SDK β Β· Governed Agent examples β
- Git: blocks
git push --force,git reset --hard,git clean -fd - SQL: blocks
DELETE/UPDATEwithoutWHERE,DROP TABLE,TRUNCATE - Shell: blocks
curl | bash,sudocommands - DLP: blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool call argument
- Auto-undo: git snapshot before every AI file edit β
node9 undoto revert
Every tool call your AI agent makes is recorded β command, arguments, result, and cost estimate. Node9 wires a live statusline into Claude Code that shows you what's happening in real time:
π‘ node9 | standard | [bash-safe] | β
12 allowed π 2 blocked π¨ 0 dlp | ~$0.43 | β‘ no-force-push
π claude-opus-4-6 | ctx [βββββββββββββββ] 54% | 5h [βββββββββββββββ] 12% | 7d [βββββββββββββββ] 7%
π 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks
Line 1 β Security state: active mode, enabled shields, session totals (allowed / blocked / DLP hits), estimated cost, last rule that fired.
Line 2 β Context & rate limits: model name, context window usage, 5-hour and 7-day token rate-limit bars β so you can see when an agent is burning through quota.
Line 3 β Environment: how many CLAUDE.md files, rules, MCP servers, and hooks are active in the current project.
The HUD is wired automatically by node9 init. Full session logs land in ~/.node9/audit.log.
Run node9 report after a session to get a summary dashboard β what was allowed, what was blocked, DLP hits, cost (Claude Code only), and daily activity:
$ node9 report --period 7d
π‘ node9 Report Β· Last 7 Days Apr 8 β Apr 14 2,255 events
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
1,746 allowed π 509 blocked π¨ 70 DLP hits 23% block rate π° $82.91
Top Tools Top Blocks
βββββββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββ
Bash ββββββ 1,595 timeout ββββββ 281
Read ββββββ 196 smart-rule-block ββββββ 79
Edit ββββββ 118 observe-mode-dlp-wouldβ¦ ββββββ 69
drop_resource ββββββ 69 persistent-deny ββββββ 69
Grep ββββββ 35 local-decision ββββββ 5
Daily Activity
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Apr 9 ββββββββββββββββββββββββββββββ 833 216 blocked
Apr 10 ββββββββββββββββββββββββββββββ 145 24 blocked
Apr 11 ββββββββββββββββββββββββββββββ 617 139 blocked
Periods: today, 7d (default), 30d, month. Cost data is read from ~/.claude/projects/ β no API calls, fully offline.
Everything else β config reference, smart rules, stateful rules, trusted hosts, approval modes, CLI reference β is at node9.ai/docs.
- node9-python β Python SDK
- governed-agent β Reference governed agents (CI code review fixer)
Node9 Pro provides governance locking, SAML/SSO, and VPC deployment. Visit node9.ai.