node9-proxy
@node9/proxy (Node9) is an execution security layer for agentic AI tools. It intercepts potentially dangerous shell/file/DB actions and MCP tool calls before execution, performs DLP scanning for secrets, routes high-risk actions through a human-in-the-loop approval “race engine” (native popup/browser/terminal/Slack), and can snapshot/undo file edits via shadow Git snapshots. It also supports an MCP Gateway as a transparent stdio proxy between AI clients and MCP servers.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The README claims DLP scanning/redaction (no full secrets logged) and block/review routing for secrets and dangerous actions. Node9 also supports Trusted Hosts to downgrade certain pipe-chain decisions. However, explicit transport security (e.g., TLS requirements for any components), a detailed auth model for approvals, and dependency vulnerability posture are not provided. Pattern-based DLP and tool-name matching may leave gaps; upstream command supply-chain risk is explicitly cautioned against.
⚡ Reliability
Best When
You run developer productivity agents that can execute commands/tools and you want deterministic guardrails (block/review/allow) plus audit trails and undo for filesystem changes.
Avoid When
You cannot monitor or approve interactive prompts, or you need non-interactive CI/CD execution that guardrail prompts must not interrupt.
Use Cases
- Human-in-the-loop governance for agent tool execution (Claude Code/Gemini CLI/Cursor)
- DLP blocking/redaction for secret exfiltration attempts in tool arguments
- Preventing destructive operations (e.g., rm -rf, git force/reset/clean, SQL DROP/TRUNCATE without WHERE)
- Policy-driven protection for MCP servers (filesystem, databases, other MCP tools) via a gateway
- Audit/traceability of tool calls with a real-time dashboard/terminal stream
- Safe rollback of AI file edits via snapshot + undo/diff preview
Not For
- Replacing comprehensive cloud security controls (IAM/WAF/DLP at the network/cloud layer)
- Environments where human approval prompts are impossible or unacceptable (fully unattended automation)
- Handling of unknown/unsupported tool semantics where correct risk classification cannot be guaranteed
- Providing strong compliance attestations where third-party audit/SLA documentation is required (not evidenced here)
Interface
Authentication
README describes Trusted Hosts and policy configuration but does not describe authentication mechanisms (API keys/OAuth) for Node9 itself. Slack-based approval is mentioned but not detailed.
Pricing
No pricing information provided in the supplied content.
Agent Metadata
Known Gotchas
- ⚠ Tool-call argument inspection may miss secrets not matching configured patterns (pattern-based DLP).
- ⚠ “Supply-chain warning” exists for .mcp.json upstream commands; using untrusted repo configs can cause unintended upstream execution even though Node9 provides a proxy/policy layer.
- ⚠ Approval prompts can interrupt agent workflows; agents should handle block/review responses and negotiate alternatives.
- ⚠ The MCP gateway intercepts tool calls, but correctness depends on accurate mapping of MCP tool names to protected actions (configuration/rules).
- ⚠ Shadow snapshot/undo helps with filesystem edits, but may not fully cover non-file side effects (e.g., external system changes) unless those are also intercepted/blocked.
Alternatives
Scores are editorial opinions as of 2026-03-30.