{"id":"node9-ai-node9-proxy","name":"node9-proxy","homepage":"https://node9.ai/","repo_url":"https://github.com/node9-ai/node9-proxy","category":"security","subcategories":[],"tags":["ai-safety","ai-security","agentic-ai","human-in-the-loop","mcp","proxy","execution-security","dlp","audit","undo","hitl"],"what_it_does":"@node9/proxy (Node9) is an execution security layer for agentic AI tools. It intercepts potentially dangerous shell/file/DB actions and MCP tool calls before execution, performs DLP scanning for secrets, routes high-risk actions through a human-in-the-loop approval “race engine” (native popup/browser/terminal/Slack), and can snapshot/undo file edits via shadow Git snapshots. It also supports an MCP Gateway as a transparent stdio proxy between AI clients and MCP servers.","use_cases":["Human-in-the-loop governance for agent tool execution (Claude Code/Gemini CLI/Cursor)","DLP blocking/redaction for secret exfiltration attempts in tool arguments","Preventing destructive operations (e.g., rm -rf, git force/reset/clean, SQL DROP/TRUNCATE without WHERE)","Policy-driven protection for MCP servers (filesystem, databases, other MCP tools) via a gateway","Audit/traceability of tool calls with a real-time dashboard/terminal stream","Safe rollback of AI file edits via snapshot + undo/diff preview"],"not_for":["Replacing comprehensive cloud security controls (IAM/WAF/DLP at the network/cloud layer)","Environments where human approval prompts are impossible or unacceptable (fully unattended automation)","Handling of unknown/unsupported tool semantics where correct risk classification cannot be guaranteed","Providing strong compliance attestations where third-party audit/SLA documentation is required (not evidenced here)"],"best_when":"You run developer productivity agents that can execute commands/tools and you want deterministic guardrails (block/review/allow) plus audit trails and undo for filesystem changes.","avoid_when":"You cannot monitor/approve interactive prompts and/or need non-interactive CI/CD execution without guardrails causing interruptions.","alternatives":["Generic sandboxing/containment (containers, seccomp, OS-level policies)","Agent frameworks with built-in tool permissioning and allowlists","Traditional secret scanning/DLP proxies at egress (e.g., proxy + rules)","Filesystem/DB permissions enforced via least-privilege service accounts and restricted credentials","Other MCP proxy/gateway approaches with explicit policy layers"],"af_score":53.5,"security_score":66.5,"reliability_score":35.0,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:47:30.598516+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["CLI-driven interception/approval flow (no specific auth mechanism described in README)","Optional human approval via Slack noted (auth/scopes not described)"],"oauth":false,"scopes":false,"notes":"README describes Trusted Hosts and policy configuration but does not describe authentication mechanisms (API keys/OAuth) for Node9 itself. Slack-based approval is mentioned but not detailed."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided in the supplied content."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":53.5,"security_score":66.5,"reliability_score":35.0,"mcp_server_quality":78.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":85.0,"rate_limit_clarity":0.0,"tls_enforcement":70.0,"auth_strength":55.0,"scope_granularity":70.0,"dependency_hygiene":45.0,"secret_handling":90.0,"security_notes":"README claims DLP scanning/redaction (no full secrets logged) and blocking/review routing for secrets and dangerous actions. It also supports Trusted Hosts to downgrade certain pipe-chain decisions. However, explicit transport security (e.g., TLS requirements for any components), detailed auth model for approvals, and dependency vulnerability posture are not provided. Pattern-based DLP and tool-name matching may yield gaps; upstream command supply-chain risk is explicitly cautioned.","uptime_documented":0.0,"version_stability":55.0,"breaking_changes_history":20.0,"error_recovery":65.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Tool-call argument inspection may miss secrets not matching configured patterns (pattern-based DLP).","“Supply-chain warning” exists for .mcp.json upstream commands; using untrusted repo configs can cause unintended upstream execution even though Node9 provides a proxy/policy layer.","Approval prompts can interrupt agent workflows; agents should handle block/review responses and negotiate alternatives.","The MCP gateway intercepts tool calls, but correctness depends on accurate mapping of MCP tool names to protected actions (configuration/rules).","Shadow snapshot/undo helps with filesystem edits, but may not fully cover non-file side effects (e.g., external system changes) unless those are also intercepted/blocked."]}}