🛡️ Node9 Proxy

Node9 sits between your AI agent and your system. Every shell command, file write, and tool call passes through Node9 first — blocked, approved, or logged based on your policy. Works with Claude Code, Gemini CLI, Cursor, Codex, and any MCP server.

📖 Full Documentation →

AIs are literal. Ask an agent to "fix disk space" and it might run docker system prune -af --volumes.

With Node9:

1. AI attempts: Bash("docker system prune -af --volumes")
2. Node9 intercepts: OS-native popup appears instantly
3. You block it — one click
4. AI pivots: "I'll remove large log files instead"

# macOS / Linux
brew tap node9-ai/node9 && brew install node9

# or via npm
npm install -g @node9/proxy

node9 setup      # auto-detects Claude Code, Gemini CLI, Cursor, Codex
node9 doctor     # verify everything is wired correctly

Enable expert-crafted protection for the infrastructure your agent touches:

node9 shield enable postgres   # blocks DROP TABLE, TRUNCATE, DROP COLUMN
node9 shield enable mongodb    # blocks dropDatabase, drop(), deleteMany({})
node9 shield enable redis      # blocks FLUSHALL, FLUSHDB
node9 shield enable aws        # blocks S3 delete, EC2 terminate, IAM changes
node9 shield enable k8s        # blocks namespace delete, helm uninstall
node9 shield enable docker     # blocks system prune, volume prune, rm -f
node9 shield enable github     # blocks gh repo delete, remote branch deletion
node9 shield enable bash-safe  # blocks curl|bash, base64|sh, rm -rf /
node9 shield enable filesystem # reviews chmod 777, writes to /etc/

node9 shield list              # see all shields and their status

Wrap any MCP server transparently. The AI sees the same server — Node9 intercepts every tool call:

{
  "mcpServers": {
    "postgres": {
      "command": "node9",
      "args": ["mcp", "--upstream", "npx -y @modelcontextprotocol/server-postgres postgresql://..."]
    }
  }
}

Or use node9 setup — it wraps existing MCP servers automatically.

MCP servers can change their tool definitions between sessions. A compromised or malicious server could silently add, remove, or modify tools after initial trust — a rug pull attack.

Node9 defends against this by pinning tool definitions on first use:

1. First connection — the gateway records a SHA-256 hash of all tool definitions
2. Subsequent connections — the hash is compared; if tools changed, the session is quarantined and all tool calls are blocked until a human reviews and approves the change
3. Corrupt pin state — fails closed (blocks), never silently re-trusts

node9 mcp pin list                # show all pinned servers and hashes
node9 mcp pin update <serverKey>  # remove pin, re-pin on next connection
node9 mcp pin reset               # clear all pins (re-pin on next connection)

This is automatic — no configuration needed. The gateway pins on first tools/list and enforces on every subsequent session.

from node9 import configure

configure(agent_name="my-agent", policy="require_approval")

# Your existing agent code runs unchanged — Node9 intercepts tool calls

Python SDK → · Governed Agent examples →

• Git: blocks git push --force, git reset --hard, git clean -fd
• SQL: blocks DELETE/UPDATE without WHERE, DROP TABLE, TRUNCATE
• Shell: blocks curl | bash, sudo commands
• DLP: blocks AWS keys, GitHub tokens, Stripe keys, PEM private keys in any tool call argument
• Auto-undo: git snapshot before every AI file edit → node9 undo to revert

Everything else — config reference, smart rules, stateful rules, trusted hosts, approval modes, CLI reference — is at node9.ai/docs.

• node9-python — Python SDK
• governed-agent — Reference governed agents (CI code review fixer)

Node9 Pro provides governance locking, SAML/SSO, and VPC deployment. Visit node9.ai.