fix: merge latest dev updates into main

CHANGELOG.md

@@ -16,7 +16,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **Improved Pending Approval Cards:** Approval cards now show an `⚠️ Action Required` header with a live countdown timer that turns red under 15 seconds. Allow/Deny buttons have clearer labels (`✅ Allow this Action` / `🚫 Block this Action`). The deny button uses a softer outlined style to reduce accidental clicks.
 - **DLP Content Scanner:** Node9 now scans every tool call argument for secrets before policy evaluation. Seven built-in patterns cover AWS Access Key IDs, GitHub tokens (`ghp_`, `gho_`, `ghs_`), Slack bot tokens (`xoxb-`), OpenAI API keys, Stripe secret keys, PEM private keys, and Bearer tokens. `block`-severity patterns hard-deny the call immediately; `review`-severity patterns route through the normal race engine. Secrets are redacted to a prefix+suffix sample in all audit logs. Configurable via `policy.dlp.enabled` and `policy.dlp.scanIgnoredTools`.
 - **Shield Templates:** `node9 shield enable <service>` installs a curated rule set for a specific infrastructure service. Available shields: `postgres` (blocks `DROP TABLE`, `TRUNCATE`, `DROP COLUMN`; reviews `GRANT`/`REVOKE`), `github` (blocks `gh repo delete`; reviews remote branch deletion), `aws` (blocks S3 bucket deletion, EC2 termination; reviews IAM and RDS changes), `filesystem` (reviews `chmod 777` and writes to `/etc/`). Manage with `node9 shield enable|disable|list|status`.
-- **Shadow Git Snapshots (Phase 2):** (Coming Soon) Automatic lightweight git commits before AI edits, allowing `node9 undo`.
+- **Shadow Git Snapshots (Phase 2 — Implemented):** Node9 now takes automatic, lightweight git snapshots before every AI file edit using an isolated shadow bare repo at `~/.node9/snapshots/<hash16>/`. The user's `.git` is never touched — snapshots live in a separate hidden repository keyed by a SHA-256 hash of the project path. Run `node9 undo` to revert with a full diff preview; `--steps N` goes back multiple actions. Per-invocation `GIT_INDEX_FILE` prevents concurrent-session corruption. A `project-path.txt` sentinel inside each shadow repo detects hash collisions and directory renames and auto-recovers by reinitializing. `.git` and `.node9` directories are always excluded from snapshots (inception prevention). Performance-tuned with `core.untrackedCache` and `core.fsmonitor`. Periodic background `git gc --auto` keeps shadow repos tidy. The last 10 snapshots are tracked in `~/.node9/snapshots.json`.
+- **ReDoS Protection + LRU Regex Cache:** The policy engine now validates all user-supplied regex patterns before compilation. Patterns with nested quantifiers, quantified alternations, or quantified backreferences are rejected as ReDoS vectors. A bounded LRU cache (max 500 entries) stores compiled `RegExp` objects so repeated rule evaluations never recompile the same pattern. The `notMatches` condition is now fail-closed: if the regex is invalid, the condition fails rather than silently passing.
+- **Expanded DLP Patterns:** Two new `block`-severity content patterns added to the scanner: GCP service account JSON keys (detected via the `type` field unique to service account files) and NPM registry auth tokens (detected in `.npmrc` format). Total built-in patterns: 9.
+- **Sensitive File Path Blocking:** The DLP engine now intercepts tool calls targeting credential files before their content is ever read. Twenty path patterns cover SSH keys, AWS credentials, GCP config, Azure credentials, kubeconfig, dotenv files, PEM/key/p12/pfx certificate files, system auth files, and common credential JSON files. Symlinks are resolved via `fs.realpathSync.native()` before matching to prevent symlink escape attacks where a safe-looking path points to a protected file.
 - **`flightRecorder` setting:** New `settings.flightRecorder` flag (default `true`) controls whether the daemon records tool call activity to the flight recorder ring buffer. Can be set to `false` to disable activity recording when the browser dashboard is not in use.
 
 ### Changed

README.md

@@ -83,7 +83,7 @@ Node9 doesn't just "cut the wire." When a command is blocked, it injects a **Str
 
 ### ⏪ Shadow Git Snapshots (Auto-Undo)
 
-Node9 takes a silent, lightweight Git snapshot before every AI file edit. If the AI hallucinates and breaks your code, run `node9 undo` to instantly revert — with a full diff preview before anything changes.
+Node9 takes a silent, lightweight Git snapshot before every AI file edit. Snapshots are stored in an isolated shadow bare repo at `~/.node9/snapshots/` — your project's `.git` is never touched, and no existing git setup is required. If the AI hallucinates and breaks your code, run `node9 undo` to instantly revert — with a full diff preview before anything changes.
 
 ```bash
 # Undo the last AI action (shows diff + asks confirmation)
@@ -93,6 +93,8 @@ node9 undo
 node9 undo --steps 3
 ```
 
+The last 10 snapshots are kept globally across all sessions in `~/.node9/snapshots.json`. Older snapshots are dropped as new ones are added.
+
 ---
 
 ## 🎮 Try it Live

src/__tests__/core.test.ts

@@ -42,6 +42,8 @@ import {
   evaluateSmartConditions,
   shouldSnapshot,
   DEFAULT_CONFIG,
+  validateRegex,
+  getCompiledRegex,
 } from '../core.js';
 
 // Global spies
@@ -690,6 +692,29 @@ describe('evaluateSmartConditions', () => {
         )
       ).toBe(false);
     });
+
+    it('notMatches — fail-closed on invalid regex (returns false, not true)', () => {
+      // A buggy rule with a broken regex must fail-closed: the condition returns
+      // false (meaning "does not pass"), NOT true. If it returned true, an invalid
+      // notMatches rule would silently allow every call — a security hole.
+      expect(
+        evaluateSmartConditions(
+          { sql: 'DROP TABLE users' },
+          makeRule([{ field: 'sql', op: 'notMatches', value: '[broken(' }])
+        )
+      ).toBe(false);
+    });
+
+    it('notMatches — absent field (null) still returns true (field not present → condition passes)', () => {
+      // Original semantics: if the field is absent, notMatches passes (no value to match against).
+      // This must not regress when regex validation is added.
+      expect(
+        evaluateSmartConditions(
+          { command: 'ls' }, // no 'sql' field
+          makeRule([{ field: 'sql', op: 'notMatches', value: '^DROP' }])
+        )
+      ).toBe(true);
+    });
   });
 
   describe('conditionMode', () => {
@@ -1232,3 +1257,128 @@ describe('isDaemonRunning', () => {
     expect(isDaemonRunning()).toBe(false);
   });
 });
+
+// ── validateRegex — ReDoS protection ─────────────────────────────────────────
+
+describe('validateRegex', () => {
+  it('accepts valid simple patterns', () => {
+    expect(validateRegex('^DROP\\s+TABLE')).toBeNull(); // null = no error
+    expect(validateRegex('\\bWHERE\\b')).toBeNull();
+    expect(validateRegex('[A-Z]{3,}')).toBeNull();
+  });
+
+  it('rejects empty pattern', () => {
+    expect(validateRegex('')).not.toBeNull();
+  });
+
+  it('rejects patterns exceeding max length', () => {
+    expect(validateRegex('a'.repeat(101))).not.toBeNull();
+  });
+
+  it('rejects nested quantifiers — catastrophic backtracking risk', () => {
+    expect(validateRegex('(a+)+')).not.toBeNull();
+    expect(validateRegex('(a*)*')).not.toBeNull();
+    expect(validateRegex('([a-z]+){2,}')).not.toBeNull();
+  });
+
+  it('rejects quantified alternations where alternatives contain quantifiers (true ReDoS risk)', () => {
+    // Dangerous: alternatives themselves have quantifiers — can match same string many ways
+    expect(validateRegex('(a+|b+)*')).not.toBeNull();
+    expect(validateRegex('(a{1,10}|b{1,10}){1,10}')).not.toBeNull();
+    expect(validateRegex('(?:a+|b+){1,100}')).not.toBeNull();
+    expect(validateRegex('(a{2}|b{3})+')).not.toBeNull();
+  });
+
+  it('allows quantified alternations with fixed-length disjoint alternatives (safe)', () => {
+    // Safe: alternatives are fixed-length and disjoint — no ambiguous matching
+    expect(validateRegex('(foo|bar)+')).toBeNull();
+    expect(validateRegex('(a|b|c)*')).toBeNull();
+    expect(validateRegex('(GET|POST|PUT)+')).toBeNull();
+    expect(validateRegex('(https?|ftp)://')).toBeNull();
+    // ? is also safe (bounded zero-or-one)
+    expect(validateRegex('(?:a|b)*')).toBeNull();
+  });
+
+  it('allows bounded quantifiers with ? (safe — zero-or-one cannot backtrack)', () => {
+    // ? is safe: it matches at most one time, so no catastrophic backtracking
+    expect(validateRegex('(ba|z|da|fi|c|k)?sh')).toBeNull();
+    expect(validateRegex('(\\.\\w+)?')).toBeNull();
+  });
+
+  it('rejects quantified backreferences — catastrophic backtracking risk', () => {
+    // (\w+)\1+ can catastrophically backtrack on strings like 'aaaaaaaaab'
+    // The guard checks for \<digit>[*+{] in the pattern
+    expect(validateRegex('(\\w+)\\1+')).not.toBeNull();
+    expect(validateRegex('(\\w+)\\1*')).not.toBeNull();
+    expect(validateRegex('(\\w+)\\1{2,}')).not.toBeNull();
+  });
+
+  it('rejects invalid regex syntax', () => {
+    expect(validateRegex('[unclosed')).not.toBeNull();
+  });
+});
+
+// ── getCompiledRegex — LRU cache ──────────────────────────────────────────────
+
+describe('getCompiledRegex', () => {
+  it('returns a compiled RegExp for a valid pattern', () => {
+    const re = getCompiledRegex('^DROP', 'i');
+    expect(re).toBeInstanceOf(RegExp);
+    expect(re!.test('drop table')).toBe(true);
+  });
+
+  it('returns null for an invalid pattern', () => {
+    expect(getCompiledRegex('[invalid(')).toBeNull();
+  });
+
+  it('returns null for a ReDoS pattern', () => {
+    expect(getCompiledRegex('(a+)+')).toBeNull();
+  });
+
+  it('returns null for invalid flag characters', () => {
+    expect(getCompiledRegex('hello', 'z')).toBeNull(); // z is not a valid JS flag
+    expect(getCompiledRegex('hello', 'ig!')).toBeNull();
+  });
+
+  it('accepts valid flag characters', () => {
+    expect(getCompiledRegex('hello', 'i')).toBeInstanceOf(RegExp);
+    expect(getCompiledRegex('hello2', 'gi')).toBeInstanceOf(RegExp);
+    expect(getCompiledRegex('hello3', 'gims')).toBeInstanceOf(RegExp);
+  });
+
+  it('returns the same RegExp instance for the same pattern (cache hit)', () => {
+    const re1 = getCompiledRegex('cached-pattern');
+    const re2 = getCompiledRegex('cached-pattern');
+    expect(re1).toBe(re2); // same object reference
+  });
+
+  it('treats pattern+flags as a distinct cache key', () => {
+    const re1 = getCompiledRegex('hello', '');
+    const re2 = getCompiledRegex('hello', 'i');
+    expect(re1).not.toBe(re2);
+  });
+
+  it('cache key uses null-byte separator — no collision between pattern and flags', () => {
+    // Key format: `${pattern}\0${flags}`. Flags are always [gimsuy] so they
+    // can't contain \0. Verify that a pattern ending in 'i' with no flags
+    // does NOT collide with the same prefix with flag 'i'.
+    // pattern='foo\0' flags='' → key 'foo\0\0'
+    // pattern='foo'   flags='' → key 'foo\0'  (different length → no collision)
+    const reSuffix = getCompiledRegex('collision-test-i', '');
+    const reFlag = getCompiledRegex('collision-test-', 'i');
+    expect(reSuffix).not.toBe(reFlag); // distinct entries, not a cache collision
+    // Both should compile successfully
+    expect(reSuffix).toBeInstanceOf(RegExp);
+    expect(reFlag).toBeInstanceOf(RegExp);
+  });
+
+  it('handles 520 distinct patterns without error (LRU stays bounded)', () => {
+    // Adds more entries than REGEX_CACHE_MAX (500) to verify the eviction path
+    // runs without throwing and all returned values are valid RegExps.
+    // Note: getCompiledRegex is sync — no async interleaving concerns.
+    for (let i = 0; i < 520; i++) {
+      const re = getCompiledRegex(`lru-bound-test-[a-z]{${i + 1}}`);
+      expect(re).toBeInstanceOf(RegExp);
+    }
+  });
+});

src/__tests__/dlp.test.ts

@@ -1,5 +1,6 @@
-import { describe, it, expect } from 'vitest';
-import { scanArgs, DLP_PATTERNS } from '../dlp.js';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import fs from 'fs';
+import { scanArgs, scanFilePath, DLP_PATTERNS } from '../dlp.js';
 
 // NOTE: All fake secret strings are built via concatenation so GitHub's secret
 // scanner doesn't flag this test file. The values are obviously fake (sequential
@@ -181,8 +182,11 @@ describe('scanArgs — performance guards', () => {
 // ── All patterns export ───────────────────────────────────────────────────────
 
 describe('DLP_PATTERNS export', () => {
-  it('exports at least 7 built-in patterns', () => {
-    expect(DLP_PATTERNS.length).toBeGreaterThanOrEqual(7);
+  it('exports at least 9 built-in patterns', () => {
+    // 9 patterns as of current implementation:
+    // AWS Key ID, GitHub Token, Slack Bot Token, OpenAI Key, Stripe Secret Key,
+    // Private Key PEM, GCP Service Account, NPM Auth Token, Bearer Token
+    expect(DLP_PATTERNS.length).toBeGreaterThanOrEqual(9);
   });
 
   it('all patterns have name, regex, and severity', () => {
@@ -193,3 +197,136 @@ describe('DLP_PATTERNS export', () => {
     }
   });
 });
+
+// ── scanFilePath — sensitive file path blocking ───────────────────────────────
+
+// Typed alias to reduce repetition when accessing realpathSync.native
+type RealpathWithNative = typeof fs.realpathSync & { native: (p: unknown) => string };
+
+describe('scanFilePath — sensitive path blocking', () => {
+  // Save the original .native so afterEach can restore it precisely.
+  // vi.restoreAllMocks() only restores vi.spyOn spies — direct property
+  // assignments survive it, so we must restore manually to guarantee isolation.
+  const originalNative = (fs.realpathSync as RealpathWithNative).native;
+
+  beforeEach(() => {
+    vi.spyOn(fs, 'realpathSync').mockImplementation((p) => String(p));
+    // Mock realpathSync.native — called unconditionally in production (no existsSync pre-check)
+    (fs.realpathSync as RealpathWithNative).native = vi
+      .fn()
+      .mockImplementation((p: unknown) => String(p));
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    // Explicitly restore .native since restoreAllMocks() doesn't track it
+    (fs.realpathSync as RealpathWithNative).native = originalNative;
+  });
+
+  it('blocks access to SSH key files', () => {
+    const match = scanFilePath('/home/user/.ssh/id_rsa', '/');
+    expect(match).not.toBeNull();
+    expect(match!.patternName).toBe('Sensitive File Path');
+    expect(match!.severity).toBe('block');
+  });
+
+  it('blocks access to AWS credentials directory', () => {
+    const match = scanFilePath('/home/user/.aws/credentials', '/');
+    expect(match).not.toBeNull();
+    expect(match!.severity).toBe('block');
+  });
+
+  it('blocks .env files', () => {
+    expect(scanFilePath('/project/.env', '/')).not.toBeNull();
+    expect(scanFilePath('/project/.env.local', '/')).not.toBeNull();
+    expect(scanFilePath('/project/.env.production', '/')).not.toBeNull();
+  });
+
+  it('does NOT block .envoy or similar non-credential files', () => {
+    expect(scanFilePath('/project/.envoy-config', '/')).toBeNull();
+    expect(scanFilePath('/project/environment.ts', '/')).toBeNull();
+  });
+
+  it('blocks PEM certificate files', () => {
+    expect(scanFilePath('/certs/server.pem', '/')).not.toBeNull();
+    expect(scanFilePath('/keys/private.key', '/')).not.toBeNull();
+  });
+
+  it('blocks /etc/passwd and /etc/shadow', () => {
+    expect(scanFilePath('/etc/passwd', '/')).not.toBeNull();
+    expect(scanFilePath('/etc/shadow', '/')).not.toBeNull();
+  });
+
+  it('returns null for ordinary source files', () => {
+    expect(scanFilePath('src/app.ts', '/project')).toBeNull();
+    expect(scanFilePath('README.md', '/project')).toBeNull();
+    expect(scanFilePath('package.json', '/project')).toBeNull();
+  });
+
+  it('returns null for empty or missing path', () => {
+    expect(scanFilePath('', '/project')).toBeNull();
+  });
+
+  it('calls realpathSync.native unconditionally (no existsSync pre-check)', () => {
+    // native() is always called — existsSync guard removed to eliminate TOCTOU window
+    const nativeSpy = vi.mocked((fs.realpathSync as RealpathWithNative).native);
+    scanFilePath('/project/safe-looking-link.txt', '/project');
+    expect(nativeSpy).toHaveBeenCalled();
+  });
+
+  it('blocks when a symlink resolves to a sensitive path', () => {
+    (fs.realpathSync as RealpathWithNative).native = vi
+      .fn()
+      .mockReturnValue('/home/user/.ssh/id_rsa');
+    const match = scanFilePath('/project/totally-safe-link', '/project');
+    expect(match).not.toBeNull();
+    expect(match!.severity).toBe('block');
+  });
+
+  it('does NOT block when a symlink resolves to a safe path', () => {
+    (fs.realpathSync as RealpathWithNative).native = vi.fn().mockReturnValue('/project/src/app.ts');
+    expect(scanFilePath('/project/link-to-app', '/project')).toBeNull();
+  });
+
+  it('blocks path traversal that resolves outside project root to a sensitive path', () => {
+    // ../../.ssh/id_rsa from /project/src resolves to /home/user/.ssh/id_rsa
+    (fs.realpathSync as RealpathWithNative).native = vi
+      .fn()
+      .mockReturnValue('/home/user/.ssh/id_rsa');
+    const match = scanFilePath('../../.ssh/id_rsa', '/project/src');
+    expect(match).not.toBeNull();
+    expect(match!.severity).toBe('block');
+  });
+
+  it('treats ENOENT as safe — new file being written is not a symlink', () => {
+    (fs.realpathSync as RealpathWithNative).native = vi.fn().mockImplementation(() => {
+      throw Object.assign(new Error('ENOENT'), { code: 'ENOENT' });
+    });
+    // Non-existent file: safe, cannot be a symlink pointing anywhere
+    expect(scanFilePath('/project/src/new-file.ts', '/project')).toBeNull();
+  });
+
+  it('is fail-closed when native throws with a non-ENOENT error', () => {
+    // EACCES, unexpected errors, or TOCTOU remnants → block immediately
+    (fs.realpathSync as RealpathWithNative).native = vi.fn().mockImplementation(() => {
+      throw Object.assign(new Error('EACCES'), { code: 'EACCES' });
+    });
+    expect(() => scanFilePath('/project/src/app.ts', '/project')).not.toThrow();
+    const match = scanFilePath('/project/src/app.ts', '/project');
+    expect(match).not.toBeNull();
+    expect(match!.severity).toBe('block');
+  });
+
+  it('blocks (fail-closed) on TOCTOU — safe-looking symlink pointing to sensitive file', () => {
+    // The attack: /project/harmless-config.ts → /home/user/.ssh/id_rsa
+    // native() throws because file was deleted between check and resolve
+    (fs.realpathSync as RealpathWithNative).native = vi.fn().mockImplementation(() => {
+      throw Object.assign(new Error('ENOENT'), { code: 'ENOENT' });
+    });
+    // ENOENT on a path that looks safe → treated as safe (not a TOCTOU attack)
+    // The attack scenario requires the file to EXIST (so attacker can create symlink)
+    // In that case native() would succeed and return the sensitive resolved path
+    // This test confirms: if file is deleted mid-race, we don't block unnecessarily
+    expect(scanFilePath('/project/harmless-config.ts', '/project')).toBeNull();
+  });
+});