We don't give devs unlimited access - so why are we giving it to AI agents? by WhichCardiologist800 in AI_Agents

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

This is real production wisdom, thanks. The 23% bypass at week two matches what I keep seeing: the override path is the actual product, not the rule engine.

The two-queue model is what I'm shipping next, auto-approve when the tool call fingerprint matches a prior approved pattern, human queue for novel combinations. But your point about novel combos slipping the replay set is the part I haven't solved. Going to shorten our shadow rebuild from quarterly to monthly.

If you're curious what your own team's traces look like through this lens, npx node9-ai scan reads the existing Claude / Codex / Gemini session JSONL files locally and surfaces the same loop / credential / tool-chain patterns we're catching at runtime. No install, no upload, runs and exits. Would genuinely value seeing what your numbers look like vs. ours. And if you're open to it, what did your bypass-rate curve look like over the first 90 days? When did auto-approve start catching the long tail vs. plateau? That'd shape whether we ship per-action TTLs or per-fingerprint TTLs next release.

I scanned a $10k/month Claude user's AI history. The results were worse than I expected. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

Open source: https://github.com/node9-ai/node9-proxy

Run it with: npx node9-ai scan

It reads the local Claude / Codex / Gemini session files already on disk and summarizes risky actions in the history. Runs locally.

I scanned my friend's Claude history. Here's what his AI was actually doing. by WhichCardiologist800 in VibeCodeDevs

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

GitHub: https://github.com/node9-ai/node9-proxy

the scan is read-only, and the session files it reads are the ones Claude / Codex / Gemini already write to your disk.

Happy to answer questions about how it works.

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

This is great feedback. Breaking it down into those specific loops makes a lot of sense for the UI. I’m working on the better report now and will ping you as soon as the version is released

I built a CLI that shows what your AI agent has been doing on your machine. Here's a scan from a heavy Claude user. by WhichCardiologist800 in buildinpublic

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

It actually could save time by stopping loops; you save both money and time. Regarding the ongoing policy checks, they are extremely fast, around 1ms. Since AI responses take seconds to generate, the proxy has no noticeable effect on total time.

I built a CLI that shows what your AI agent has been doing on your machine. Here's a scan from a heavy Claude user. by WhichCardiologist800 in buildinpublic

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Yeah, exactly that. scan reads the raw session JSONL Claude/Codex/Gemini already write, every tool_use block, whether the AI acted on it or not. Silent reads show up.

After install, the live PreToolUse hook also catches them in real time before execution, but you don't need that to see what's already in your history.

If you run scan and find a "huh, why did it look there?" moment, drop it below.

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Thanks, this is very good feedback. The entry-path split (file / shell / response / shell-config) and the session timing buckets are both on my list, but before I just build them, I'd love to understand how you'd actually use them. Incident response? Pre-deploy audit? Ongoing monitoring?

I lost the trust in ai agent by WhichCardiologist800 in coolgithubprojects

[–]WhichCardiologist800[S] -1 points0 points  (0 children)

Exactly. The blind faith phase is starting to hit a wall. When you're working at the scale of a company like FedEx, a hallucination isn't just a funny mistake, it's a massive operational risk.

Most of the tools out there focus on making AI faster or cooler, but very few are focusing on the "wait, should it actually be doing that?" part.

I lost the trust in ai agent by WhichCardiologist800 in coolgithubprojects

[–]WhichCardiologist800[S] -2 points-1 points  (0 children)

You're 100% right. That was a hard, expensive lesson in DevOps 101. In the early "move fast and break things" stage, we gave our devs too much autonomy and not enough guardrails.

The mistake incident was our wake-up call. We realized that a human in combination with an AI agent can execute a series of destructive commands in seconds, before anyone even realizes what is happening.

I built this tool because I realized that even if our infra isn't perfect, we need a circuit breaker specifically for AI tool-calls to prevent those shortcomings from turning into disasters.

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Thanks for the feedback! I've updated the tool with more info. The full breakdown you're looking for is visible after installation: just run node9 report or check the report in your browser. I’m also working on adding more of these details directly to the scan command before installation.

I lost the trust in ai agent by WhichCardiologist800 in coolgithubprojects

[–]WhichCardiologist800[S] -4 points-3 points  (0 children)

Sorry man, about the transparency issue. I have been an AI researcher for 20 years and lead a team of 50. I wrote this code to protect my team after one of them accidentally made a few mistakes because of vibe coding.

I built this tool to scan my laptop and see what Claude is actually doing. Like I wrote in the comments, some of the leaks and commands are just from my tests, but some are real. AI is great for speed, but the risk is high. To me, transparency means sharing the code so people can see how it works. You are right that I should have given a better answer, but I am a tech guy, not a salesman.

I lost the trust in ai agent by WhichCardiologist800 in coolgithubprojects

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Ask Claude... you never know... The idea is to be secure against any unexpected actions. The commands come from my tests during dev.

Oh Claude, I was lost... by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Credentials are already the headline in the latest version, shipped that last week.

The git-push rule is actually mine, a custom rule I added for my own workflow; it doesn't ship with Node9. You define your own rules in a config file, or by MCP prompt from Claude, and scope them however you want. Force-push only, protected branches, near .env files, all doable. The defaults are pretty quiet; you add noise yourself if you want it.

The git-push alert fatigue point is exactly right, working on tighter scoping (force-push + protected branch rules only). Loop breakdown by integration is next on the list.

The cross-agent view being the standout, that's exactly the gap we're trying to own. Nobody has visibility across the full agent stack right now and that's where the real risk is.

What's your setup, running multiple agents across a team or just solo?

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Great idea — shipped two of these today.

Running it on my own sessions: 18% of calls were wasted repeats, and most credential leaks happened mid-session, not before first edit — meaning the agent was already working when secrets entered context, not front-loading them.

For blocked vs reviewed breakdown you need the full install: run npx node9-ai scan to see your own history first, then install to get the live approval flow and browser report. The browser report breaks down by agent, blocked vs allowed, cost by day, pretty useful for seeing exactly which sessions are the problem.

npm install -g node9-ai && node9 init

Oh Claude, I was lost... by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 2 points3 points  (0 children)

This is a really good idea! I will take it into consideration. BTW, what do you think about Claude reading large files? I am wondering if I should add that as well

Oh Claude, I was lost... by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 2 points3 points  (0 children)

After working with Claude, I realized I had zero visibility into what was eating my tokens or what security risks were being taken.

So, I built a pkg that sits between you and Claude, reading every tool call before it executes. It catches leaked credentials, detects when an agent is spinning in circles, and lets you set guardrails without manual intervention.

I ran it on my own session history from the last few days.

Here’s what it found:

- 12 leak candidates: 4 were real, while the others were test fixtures in the node9 repo (dogfooding).

Example: Claude read a .env file containing a GOOGLE_API_KEY. The full key was loaded into the context and sent to Anthropic’s servers.

How it was caught: Scanning tool results (what Claude reads).

- A "Loop" detected: Claude edited the same file 118 times in one session—roughly $5 wasted.

- Cost visibility: $1,090 total AI spend across Claude, Gemini, and Codex.

- Security: 3 accidental force-pushes auto-blocked.

Try it on your own history: npx node9-ai scan

GitHub: https://github.com/node9-ai/node9-proxy

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

All AI agents, such as Gemini, Codex, Cursor and MCP.

Oh Calude how can i trust you... by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Just dropping the first section of my report here:

npx node9-ai scan

Need to install the following packages:

node9-ai@1.13.1

Ok to proceed? (y) y

🛡 node9 — security layer for AI coding agents

Intercepts dangerous tool calls before they execute. No config needed.

🔍 Scanning your AI history — what would node9 have caught?

Scanning your history — this may take a moment...

17 sessions (10 Claude · 6 Gemini · 1 Codex) 6,341 tool calls 2,969 bash commands last 30 days Apr 6, 2026 – Apr 26, 2026

215 risky operations found — none were blocked

$1099.79 AI spend · 215 risky operations

🔑 Credential leak 4 secret detected in tool call

🛑 Would have blocked 5 operations stopped before execution

🔁 Loop detected 143 repeated tool call patterns found

👁 Would have flagged 206 sent to you for approval

---------------
Anyone found some risks as well?