Node9 is the execution security layer for the Agentic Era. It encases autonomous AI Agents (Claude Code, Gemini CLI, Cursor, MCP Servers) in a deterministic security wrapper, intercepting dangerous shell commands and tool calls before they execute.
While others try to guess if a prompt is malicious (Semantic Security), Node9 governs the actual action (Execution Security).
AIs are literal. When you ask an agent to "Fix my disk space," it might decide to run docker system prune -af.
With Node9, the interaction looks like this:
- 🤖 AI attempts a "Nuke":
Bash("docker system prune -af --volumes") - 🛡️ Node9 Intercepts: An OS-native popup appears immediately.
- 🛑 User Blocks: You click "Block" in the popup.
- 🧠 AI Negotiates: Node9 explains the block to the AI. The AI responds: "I understand. I will pivot to a safer cleanup, like removing only large log files instead."
Node9 initiates a Concurrent Race across all enabled channels. The first channel to receive a human signature wins and instantly cancels the others:
- Native Popup: OS-level dialog (Mac/Win/Linux) for sub-second keyboard dismissal.
- Browser Dashboard: Local web UI for deep inspection of large payloads (SQL/Code).
- Cloud (Slack): Remote asynchronous approval for team governance.
- Terminal: Classic
[Y/n]prompt for manual proxy usage and SSH sessions.
Node9 records every tool call your AI agent makes in real-time — no polling, no log files, no refresh. Two ways to watch:
Browser Dashboard (node9 daemon start → localhost:7391)
A live 3-column dashboard. The left column streams every tool call as it happens, updating in-place from ● PENDING to ✓ ALLOW or ✗ BLOCK. The center handles pending approvals. The right sidebar controls shields and persistent decisions — all without ever causing a browser scrollbar.
Terminal (node9 tail)
A split-pane friendly stream for terminal-first developers and SSH sessions:
node9 tail # live events only
node9 tail --history # replay recent history then go live
node9 tail | grep DLP # filter to DLP blocks only🛰️ Node9 tail → localhost:7391
Showing live events. Press Ctrl+C to exit.
21:06:58 📖 Read {"file_path":"src/core.ts"} ✓ ALLOW
21:06:59 🔍 Grep {"pattern":"authorizeHeadless"} ✓ ALLOW
21:07:01 💻 Bash {"command":"npm run build"} ✓ ALLOW
21:07:04 💻 Bash {"command":"curl … Bearer sk-ant-…"} ✗ BLOCK 🛡️ DLP
node9 tail auto-starts the daemon if it isn't running — no setup step needed.
Node9 doesn't just "cut the wire." When a command is blocked, it injects a Structured Negotiation Prompt back into the AI's context window. This teaches the AI why it was stopped and instructs it to pivot to a safer alternative.
Node9 takes a silent, lightweight Git snapshot before every AI file edit. If the AI hallucinates and breaks your code, run node9 undo to instantly revert — with a full diff preview before anything changes.
# Undo the last AI action (shows diff + asks confirmation)
node9 undo
# Go back N actions at once
node9 undo --steps 3No install needed — test Node9's policy engine against real commands in the browser:
# Recommended — via Homebrew (macOS / Linux)
brew tap node9-ai/node9
brew install node9
# Or via npm
npm install -g @node9/proxy
# 1. Wire Node9 to your agent
node9 setup # interactive menu — picks the right agent for you
node9 addto claude # or wire directly
node9 addto gemini
# 2. Enable shields for the services you use
node9 shield enable postgres
node9 shield enable aws
# 3. Verify everything is wired correctly
node9 doctorNode9 has two layers of protection. You get Layer 1 automatically. Layer 2 is one command per service.
Built into the binary. Zero configuration required. Protects the tools every developer uses.
| What it protects | Example blocked action |
|---|---|
| Git | git push --force, git reset --hard, git clean -fd |
| Shell | curl ... | bash, sudo commands |
| SQL | DELETE / UPDATE without a WHERE clause |
| Filesystem | rm -rf targeting home directory |
| Secrets (DLP) | AWS keys, GitHub tokens, Stripe keys, PEM private keys |
Node9 scans every tool call argument for secrets before the command reaches your agent. If a credential is detected, Node9 hard-blocks the action, redacts the secret in the audit log, and injects a negotiation prompt telling the AI what went wrong.
Built-in patterns:
| Pattern | Severity | Prefix format |
|---|---|---|
| AWS Access Key ID | block |
AKIA + 16 chars |
| GitHub Token | block |
ghp_, gho_, ghs_ |
| Slack Bot Token | block |
xoxb- |
| OpenAI API Key | block |
sk- + 20+ chars |
| Stripe Secret Key | block |
sk_live_ / sk_test_ |
| PEM Private Key | block |
-----BEGIN PRIVATE KEY--- |
| Bearer Token | review |
Authorization: Bearer ... |
block = hard deny, no approval prompt. review = routed through the normal race engine for human approval.
Secrets are never logged in full — the audit trail stores only a redacted sample (AKIA****MPLE).
Config knobs (in node9.config.json or ~/.node9/config.json):
{
"policy": {
"dlp": {
"enabled": true,
"scanIgnoredTools": true
}
}
}| Key | Default | Description |
|---|---|---|
dlp.enabled |
true |
Master switch — disable to turn off all DLP scanning |
dlp.scanIgnoredTools |
true |
Also scan tools in ignoredTools (e.g. web_search, read_file) |
Shields add protection for specific infrastructure and services — only relevant if you actually use them.
| Shield | What it protects |
|---|---|
postgres |
Blocks DROP TABLE, TRUNCATE, DROP COLUMN; reviews GRANT/REVOKE |
github |
Blocks gh repo delete; reviews remote branch deletion |
aws |
Blocks S3 bucket deletion, EC2 termination; reviews IAM changes, RDS deletion |
filesystem |
Reviews chmod 777, writes to /etc/ |
node9 shield enable postgres # protect your database
node9 shield enable aws # protect your cloud infrastructure
node9 shield list # see all available shields
node9 shield status # see what's currently active| Mode | Target | How it works |
|---|---|---|
| Hook Mode | Claude, Gemini, Cursor | node9 addto <agent> wires native pre-execution hooks. |
| Proxy Mode | MCP Servers, Shell | node9 "npx <server>" intercepts JSON-RPC traffic. |
| Manual Mode | You | node9 rm -rf / protects you from your own typos. |
Node9 merges configuration from multiple sources in priority order. Higher tiers win:
| Tier | Source | Notes |
|---|---|---|
| 1 | Environment variables | NODE9_MODE=strict overrides everything |
| 2 | Cloud / Org policy | Set in the Node9 dashboard — cannot be overridden locally |
| 3 | Project config | node9.config.json in the working directory |
| 4 | Global config | ~/.node9/config.json |
| 5 | Built-in defaults | Always active, no config needed |
Settings (mode, approvers, timeouts) follow the table above — higher tier wins. A project config overrides a global config.
Smart rules work differently. All layers are concatenated into a single ordered list and evaluated first-match-wins:
built-in defaults → global config → project config → shields → advisory defaults
Because built-in block rules sit at the front of this list, they always fire before any user-defined allow rule. A project or global config cannot bypass Layer 1 protection. Within the user layers, a project block rule fires before a shield block rule — so project policy can tighten or selectively override a shield.
Most users never need this. If you need protection beyond Layer 1 and the available shields, add Smart Rules to node9.config.json in your project root or ~/.node9/config.json globally.
Smart Rules match on raw tool arguments using structured conditions:
{
"policy": {
"smartRules": [
{
"name": "block-prod-deploy",
"tool": "bash",
"conditions": [
{ "field": "command", "op": "matches", "value": "kubectl.*--namespace=production" }
],
"verdict": "block",
"reason": "Deploying to production requires a manual release process"
}
]
}
}Smart Rule fields:
| Field | Description |
|---|---|
tool |
Tool name or glob ("bash", "mcp__postgres__*", "*") |
conditions |
Array of conditions evaluated against the raw args object |
conditionMode |
"all" (AND, default) or "any" (OR) |
verdict |
"review" (approval prompt) | "block" (hard deny) | "allow" (skip all checks) |
reason |
Human-readable explanation shown in the approval prompt and audit log |
Condition operators:
op |
Meaning |
|---|---|
matches |
Field value matches regex (value = pattern, flags = e.g. "i") |
notMatches |
Field value does not match regex (value = pattern, flags optional) |
contains |
Field value contains substring |
notContains |
Field value does not contain substring |
exists |
Field is present and non-empty |
notExists |
Field is absent or empty |
matchesGlob |
Field value matches a glob pattern (value = e.g. "**/node_modules/**") |
notMatchesGlob |
Field value does not match a glob pattern |
The field key supports dot-notation for nested args: "params.query.sql".
Use node9 explain <tool> <args> to dry-run any tool call and see exactly which rule would trigger.
{
"version": "1.0",
"settings": {
"mode": "audit",
"enableUndo": true,
"flightRecorder": true,
"approvalTimeoutMs": 30000,
"approvers": {
"native": true,
"browser": true,
"cloud": false,
"terminal": true
}
}
}| Key | Default | Description |
|---|---|---|
mode |
"audit" |
audit (log-only) | standard (approve/block) | strict (deny by default) |
enableUndo |
true |
Take git snapshots before every AI file edit |
flightRecorder |
true |
Record tool call activity to the flight recorder ring buffer for the browser UI |
approvalTimeoutMs |
30000 |
Auto-deny after N ms if no human responds (0 = wait forever) |
approvers.native |
true |
OS-native popup |
approvers.browser |
true |
Browser dashboard (node9 daemon) |
approvers.cloud |
false |
Slack / SaaS approval — requires node9 login; opt-in only |
approvers.terminal |
true |
[Y/n] prompt in terminal |
Tip — choosing a mode: Start with the default
auditto observe what your agent does without blocking anything. Once you understand its behaviour, switch tostandard(blocks dangerous commands with human approval) orstrict(denies anything not explicitly allowed) in your~/.node9/config.jsonor projectnode9.config.json.
| Command | Description |
|---|---|
node9 setup |
Interactive menu — detects installed agents and wires hooks for you |
node9 addto <agent> |
Wire hooks for a specific agent (claude, gemini, cursor) |
node9 init |
Create default ~/.node9/config.json |
node9 status |
Show current protection status and active rules |
node9 doctor |
Health check — verifies binaries, config, credentials, and all agent hooks |
node9 shield <cmd> |
Manage shields (enable, disable, list, status) |
node9 tail [--history] |
Stream live agent activity to the terminal (auto-starts daemon if needed) |
node9 explain <tool> [args] |
Trace the policy waterfall for a given tool call (dry-run, no approval prompt) |
node9 undo [--steps N] |
Revert the last N AI file edits using shadow Git snapshots |
node9 check |
Called by agent hooks; evaluates a pending tool call and exits 0 (allow) or 1 (block) |
Node9 Doctor v1.2.0
────────────────────────────────────────
Binaries
✅ Node.js v20.11.0
✅ git version 2.43.0
Configuration
✅ ~/.node9/config.json found and valid
✅ ~/.node9/credentials.json — cloud credentials found
Agent Hooks
✅ Claude Code — PreToolUse hook active
⚠️ Gemini CLI — not configured (optional)
⚠️ Cursor — not configured (optional)
────────────────────────────────────────
All checks passed ✅
Dry-runs the policy engine and prints exactly which rule would fire — useful for debugging:
node9 explain bash '{"command":"rm -rf /tmp/build"}'Policy Waterfall for: bash
──────────────────────────────────────────────
Tier 1 · Cloud Org Policy SKIP (no org policy loaded)
Tier 2 · Dangerous Words BLOCK ← matched "rm -rf"
──────────────────────────────────────────────
Verdict: BLOCK (dangerous word: rm -rf)
node9 check exits immediately / Claude is never blocked
Node9 fails open by design to prevent breaking your agent. Check debug logs: NODE9_DEBUG=1 claude. Also verify you are in standard or strict mode — the default audit mode approves everything and only logs.
Terminal prompt never appears during Claude/Gemini sessions
Interactive agents run hooks in a "Headless" subprocess. You must enable native: true or browser: true in your config to see approval prompts.
"Blocked by Organization (SaaS)" A corporate policy has locked this action. You must click the "Approve" button in your company's Slack channel to proceed.
node9 tail --history says "Daemon failed to start" even though the daemon is running
This can happen when the daemon's PID file (~/.node9/daemon.pid) is missing — for example after a crash or a botched restart left a daemon running without a PID file. Node9 now detects this automatically: it performs an HTTP health probe and a live port check before deciding the daemon is gone. If you hit this on an older version, run node9 daemon stop then node9 daemon -b to create a clean PID file.
- Multi-Channel Race Engine (Simultaneous Native/Browser/Cloud/Terminal)
- AI Negotiation Loop (Instructional feedback loop to guide LLM behavior)
- Resolution Waterfall (Cascading configuration: Env > Cloud > Project > Global)
- Native OS Dialogs (Sub-second approval via Mac/Win/Linux system windows)
- Shadow Git Snapshots (1-click Undo for AI hallucinations)
- Identity-Aware Execution (Differentiates between Human vs. AI risk levels)
- Shield Templates (
node9 shield enable <service>— one-click protection for Postgres, GitHub, AWS) - Content Scanner / DLP (Detect and block secrets like AWS keys and Bearer tokens in-flight)
- Flight Recorder (Real-time activity stream in browser dashboard and
node9 tailterminal view) - Universal MCP Gateway (Standalone security tunnel for LangChain, CrewAI, and any agent without native hooks)
- Cursor & Windsurf Hook (Native hook support for AI-first IDEs)
- VS Code Extension (Approval requests in a native sidebar — no more OS popups)
- Execution Sandboxing (Simulate dangerous commands in a virtual FS before applying)
- Multi-Admin Quorum (Require 2+ human signatures for high-stakes production actions)
- SOC2 Tamper-proof Audit Trail (Cryptographically signed, cloud-managed logs)
- node9-python — Python SDK for Node9
Node9 Pro provides Governance Locking, SAML/SSO, and VPC Deployment. Visit node9.ai