🛡️ Node9

Every command your AI agent runs, reviewed before it runs.

Node9 sits between your AI agent and your system. Every shell command, file write, database query, and MCP tool call passes through Node9 first — blocked, reviewed, or logged based on your policy. Works with Claude Code, Gemini CLI, Cursor, Codex, and any MCP server.

• 🛑 Block dangerous actions (git push --force, rm -rf /, curl|bash, DROP TABLE, ...) before they run
• 👁 Review anything worth a human glance — OS-native popup, Slack, or browser approval
• 🔑 Catch credential leaks in tool arguments, file contents Claude reads back, and shell config files
• 🔁 Stop agent loops that burn tokens and money
• 🔌 Gate MCP tools and detect rug-pull attacks on server definitions
• 📊 Dashboard + scan report in your browser — see what your agents actually did

Try it in 10 seconds — no install

npx node9-ai scan

Reads your existing Claude / Gemini / Codex session history, runs the full Node9 policy engine, and shows every operation that would have been blocked or flagged.

🔍  Scanning your AI history  — what would node9 have caught?

  15 sessions  (8 Claude · 6 Gemini · 1 Codex)  5,470 tool calls
  2,439 bash commands  last 90 days  Apr 6, 2026 – Apr 23, 2026

  Found 168 risky operations in your history

    🛑  Would have blocked       3   operations stopped before execution
    👁   Would have flagged     162   sent to you for approval
    🔑  Credential leak          3   secret detected in history or shell config
    🔁  Loop detected          117   repeated tool call patterns found

  ──────────────────────────────────────────────────────────────────────
  Your Rules  ·  added in node9.config.json   2 blocked · 157 review
    🛑  block-force-push ×2  — Force push overwrites remote history
    👁   review-git-push ×154 — git push sends changes to a shared remote

  ──────────────────────────────────────────────────────────────────────
  bash-safe  ·  high-risk bash patterns    1 blocked · 1 review
    🛑  block-eval-remote  — eval of remote download (supply-chain attack)

  🌐  View in browser:  http://127.0.0.1:7391/

The last line opens a live dashboard in your browser with collapsible drill-downs, per-agent breakdown, and credential-leak samples:

Install

# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm (any platform)
npm install -g node9-ai

node9 init       # auto-wires Claude Code, Gemini CLI, Cursor, Codex, MCP servers
node9 doctor     # verify everything is wired correctly

That's it — future agent sessions are protected.

Shields — expert policy in one command

Each shield is a curated rule set for a service or domain. Enable only what you need.

node9 shield list    # show all shields + status

Always on — no config needed

• Git — blocks git push --force, git reset --hard, git clean -fd
• SQL — blocks DELETE / UPDATE without WHERE, DROP TABLE, TRUNCATE
• Shell — blocks curl | bash, unauthorized sudo
• DLP — blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool argument, file Claude reads, or shell config (~/.zshrc, ~/.bashrc)
• Response DLP — background scanner reads Claude's conversation history and alerts you if Claude wrote a secret in its response text (not just executed one). Gemini / Codex coverage coming.
• Auto-undo — git snapshot before every AI file edit → node9 undo to revert
• Skills pinning — SHA-256 verification of installed Claude skills / plugins between sessions

MCP gateway — protect any MCP server

Wrap any MCP server transparently. The agent sees the same server — Node9 intercepts every tool call.

{
  "mcpServers": {
    "postgres": {
      "command": "node9",
      "args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
    }
  }
}

Or just run node9 init — it wraps your existing MCP servers automatically.

node9 mcp pin list                # show all pinned servers and hashes
node9 mcp pin update <serverKey>  # remove pin, re-pin on next connection
node9 mcp pin reset               # clear all pins

Observability — five views

Every tool call is recorded — command, arguments, decision, cost. See what your agent did, five ways:

Plus a live HUD in your Claude Code statusline:

🛡 node9 | standard | [bash-safe] | ✅ 12 allowed  🛑 2 blocked  🚨 0 dlp | ~$0.43
📊 claude-opus-4-6 | ctx [████████░░░] 54% | 5h [██░░░░░░░░] 12% | 7d [█░░░░░░░] 7%
🗂 2 CLAUDE.md | 8 rules | 3 MCPs | 4 hooks

And a browser dashboard that auto-opens after node9 scan — History Audit modal with full drill-down, per-agent breakdown, loop-cost estimate, and live status strip.

Reading the data — what the numbers mean

Node9 surfaces the signal. Here are the patterns worth knowing:

These are starting points, not verdicts. One-off signals are normal; persistent patterns are what you act on.

Python SDK — govern any Python agent

from node9 import configure, protect

configure(agent_name="my-agent", policy="require_approval")

@protect("bash")
def run_command(cmd: str) -> str:
    ...

Python SDK → · CI code review agent example →

Under the hood

• Scan reads raw agent history from ~/.claude/projects/, ~/.gemini/tmp/, ~/.codex/sessions/ — no API calls, fully offline
• Runtime wires PreToolUse hooks into Claude Code, Gemini CLI, and Codex — hooks write to ~/.node9/audit.log atomically
• MCP gateway is a stdio proxy; intercepts tools/list + tools/call JSON-RPC, forwards the rest
• Policy engine uses mvdan-sh for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
• Shadow repo for auto-undo lives at ~/.node9/snapshots/<hash16>/ — never touches your .git

📖 Full docs

Everything else — config reference, smart rules, stateful rules, trusted hosts, approval modes, Slack integration, CLI reference — is at node9.ai/docs.

Related projects

• node9-python — Python SDK for governed agents
• node9-pr-agent — GitHub Action that reviews PRs through Node9 (reference implementation of a governed agent)

Enterprise

Node9 Pro adds governance locking, SAML/SSO, central audit export, and VPC deployment. See node9.ai.

_{Built with ☕ and healthy paranoia.}