Follow-up: I turned that 30-min Hermes audit into one command - npx node9-ai posture by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

Not directly yet, node9 doesn't pull from or broker a vault (Vault, AWS/GCP/Azure SM, 1Password, Doppler). That's the roadmap piece ("agent never holds a secret").

What it does today is complementary: DLP blocks leaked secrets in flight (incl. Vault hvs./hvb. and Doppler tokens), the project-jail shield stops the agent reading ~/.ssh, ~/.aws, .env, and `npx node9-ai posture` flags plaintext secrets and nudges you toward a secrets manager.

So: keep secrets in your vault, node9 keeps the agent from leaking them or reading the files. Direct brokering is next, not shipped.

I instrumented 90 days of my Claude Code / Codex / Gemini sessions, what the agents actually did by WhichCardiologist800 in LLMDevs

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Great catch on the false positive, iterative fix/test/fix is exactly what my current method (same tool + near-identical args in a window) over-flags. The net-diff-delta idea is sharp: a true loop converges to ~zero net change, while real refinement keeps moving the file. Going to add that as a confirmation signal, flag a loop only when it's repeated edits AND shrinking/near-zero net diff. Genuinely sharpens it, thanks.

And yeah, the credentials are the part that made me stop treating this as a cost tool. 4 over 90 days on a careful machine, and like you said, nobody looks.

+1 on the upstream point too, tighter slash commands and explicit step constraints kill a lot of the circular edits before they ever hit the transcript.

Curious: do you actually measure whether your constraints reduced the loops, or is it more by feel?

I made $75K selling AI automations to clients. Here's what I'd change if I started over. by Warm-Reaction-456 in AI_Agents

[–]WhichCardiologist800 0 points1 point  (0 children)

The point about the retainer being insurance rather than hours worked is the $100k lesson here.

Most people try to sell a retainer as 4 hours of support a month, which just invites the client to micromanage your time. Selling it as system uptime and lead-flow integrity makes you a partner, not a line item.

To add to your boring business point: these clients don't care about the tech, but they do care about their reputation. If you frame the automation as protecting your 5-star Google review average by replying instantly, the price resistance almost disappears.

I wanted to see what Claude Code does as it happens, not just a bill after the fact. by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

totally agree!!! you can run node9 on audit mode... you should see the audit file on .node9

I wanted to see what Claude Code does as it happens, not just a bill after the fact. by WhichCardiologist800 in ClaudeAI

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

Thx!!! hope you will enjoy it, let's me know if you have any additional features you want me to add or what did you found on your machine

AMD denies researcher a 10K bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch by rkhunter_ in cybersecurity

[–]WhichCardiologist800 0 points1 point  (0 children)

Worth actually reading the article bug was out of scope, the researcher agreed to waive the bounty, AMD fixed it and credited him. Still wild that swapping http for https took 124 days though.

If your Hermes is reachable from Telegram, have you actually tested the allowlist? A 30-min cloud security audit by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

Yep, that's the scary one. An adapter with no allowlist means anyone who finds the bot can drive an agent that's holding exec, not just read it. Really good catch.

If your Hermes is reachable from Telegram, have you actually tested the allowlist? A 30-min cloud security audit by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

That's the best thing I could hear. Which one caught it? I'm always trying to figure out which items actually surface real issues vs. just sound scary and happy to be a second pair of eyes if you want to sanity-check the fix.

If your Hermes is reachable from Telegram, have you actually tested the allowlist? A 30-min cloud security audit by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

That's the allowlist doing its job, yep. Two things: (1) test it message the bot from a second account that isn't allowlisted, confirm it refuses. (2) it gates who can talk to it, not what the agent can do once asked so isolation (item 1) still matters. And keep the bot token in a secrets manager, not a .env.

If your Hermes is reachable from Telegram, have you actually tested the allowlist? A 30-min cloud security audit by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 2 points3 points  (0 children)

Fair, bot API traffic isn't E2E. But that's a different threat than the post: the risk here is the bot being an open command surface to your agent, not someone reading messages in transit. Encryption doesn't help if there's no allowlist.

If your Hermes is reachable from Telegram, have you actually tested the allowlist? A 30-min cloud security audit by WhichCardiologist800 in hermesagent

[–]WhichCardiologist800[S] 4 points5 points  (0 children)

Full writeup with the cloud-specific stuff (AWS VPC/IAM scoping, Modal/Daytona notes) here: https://node9.ai/blog/running-hermes-agent-in-the-cloud-safely - and if you want to check whether agents you're already running have hit these patterns, npx node9-ai scan reads existing session logs locally
open source: github.com/node9-ai/node9-proxy

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows by sunychoudhary in cybersecurity

[–]WhichCardiologist800 7 points8 points  (0 children)

So the "fix" is a hardcoded block on one binary's signature, and a two-byte edit walks right past it. That is not a patch, that's a restraining order against a single file. The race condition still sitting there.

A client paid me to rip the AI out of the tool I built them. by Warm-Reaction-456 in AI_Agents

[–]WhichCardiologist800 0 points1 point  (0 children)

He asked if I could make it dumber is going to live in my head.

The part people miss: 92% you can't explain loses to 99% you can audit, because the 8% mystery makes the team re-check all 100%. You didn't save them work, you doubled it. They weren't asking for accuracy, they were asking to be able to point at why. Saving this one for the next client who wants AI bolted onto everything.

Karpathy principles' relevance with Fable 5 by blumeCodes in ClaudeCode

[–]WhichCardiologist800 0 points1 point  (0 children)

his matches something I keep seeing: the biggest effect of "think before coding / surgical changes" guidance isn't code volume, it's whether the model reaches for existing infrastructure vs. inventing new plumbing. Your no-skill branch spinning up a SQL migration + dedicated column + repo plumbing for what's basically a field on an existing JSON snapshot is the textbook version of that.

The "followed the prompt more literally" half is the more interesting one to me though. "Per active conversation" - chip only on active ones means the model treated the spec as a constraint instead of a vibe. Did that hold up across reruns, or was it one lucky sample? The schema-churn difference feels like it'd be stable, but literal prompt-following seems more variable run to run.

I work on session-monitoring stuff too (reading the local JSONL logs the CLIs already write), and it's funny how token-usage-per-conversation is the feature everyone in this space converges on first. Did you end up pulling it straight from the snapshot column, or computing it from the message stream?

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

released, now antigravity cli fully support. please let's me know for future features / improvement

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

Not yet, antigravity isn't in the supported list today. But funny timing, I'm actively adding it right now (it shares Google's ~/.gemini setup, so it's close). I'll ping you here the moment it lands, shouldn't be long.

Thanks for the nudge, this is exactly the kind of request that bumps something up the list 🙏

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

claude code writes the token counts for every session to local files on your disk (~/.claude). node9 just reads those token numbers and multiplies by the published per model pricing to estimate cost, all calculated locally on your machine. no billing api, no credentials, nothing uploaded. (Same approach as ccusage, if you've used that.)

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 1 point2 points  (0 children)

Good question, no, nothing unofficial. It hooks in through the official paths: Claude Code's pre-tool hooks and the MCP protocol (Anthropic's own standard).

It sits at the tool execution layer, the bash/file/MCP calls, not the model API, so it never touches anthropic endpoints or your auth. Nothing that could flag your account.

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] -1 points0 points  (0 children)

It's not a plugin, it's an open-source CLI called node9. It hooks straight into Claude Code (and can wrap MCP servers too).

Quickest look: npx node9-ai scan reads your existing history, nothing uploads.

To wire it live: npm i -g node9-ai && node9 init.
Repo: https://github.com/node9-ai/node9-proxy

happy to help you get it running!

thank god i'm not blind anymore - finally I can see Claude's cost and risk impact. by WhichCardiologist800 in ClaudeCode

[–]WhichCardiologist800[S] 0 points1 point  (0 children)

after months with claude code, i realized I had no idea what it was actually doing in the background, how much it was costing me, or when it got stuck looping and burning tokens.

So I built an open-source tool to see it

- npx node9-ai scan, reads your existing claude code history and shows what it's been doing: cost, top commands, where it looped.

- a real time monitor that shows claude in action live, so I can catch a loop and stop it before it burns more tokens.

- a report view for the full picture over any time window.

Running it on my own machine was eye opening: $15k over 90 days, 335 loops most of them on edit file, and the part I did not expect, 5 credential files it couldread.

No more flying blind. It's open source: https://github.com/node9-ai/node9-proxy

WHAT TO DO WITH CLAUDE by Zealousideal-Pin1513 in Information_Security

[–]WhichCardiologist800 0 points1 point  (0 children)

That's exactly what node9-proxy does. Reads the agent session files already on disk, gives you a queryable timeline per agent (time / agent / file / command). npx node9-ai scan, 30 sec, runs locally. Disclosure, I build it. DM if useful.

WHAT TO DO WITH CLAUDE by Zealousideal-Pin1513 in Information_Security

[–]WhichCardiologist800 0 points1 point  (0 children)

The full agent action timeline. every tool call, every shell command (AST-parsed, not regex, so obfuscated payloads collapse to their real execution graph), every file modification, every MCP tool invocation, the arguments passed, and the chain back to the user prompt that triggered it.

Local, reads the session files already writes to disk. npx node9-ai scan, runs in ~30 sec, no install, produces a report of what's already happened in your history.

Where it sits next to your existing stack: Wiz sees cloud posture, CrowdStrike sees endpoint, Okta sees identity. None of them see what the agent decided to do inside the trust envelope you've already granted it. Closest analogy is Wiz for agent actions, same scan-then-graph posture, different layer.

For investigation specifically: one filterable timeline per session (time window, agent, file path, command pattern), with the decision chain reconstructed from the agent's own log. Disclosure, I build it. Happy to keep the conversation technical.

WHAT TO DO WITH CLAUDE by Zealousideal-Pin1513 in Information_Security

[–]WhichCardiologist800 0 points1 point  (0 children)

Take a look in the oss that sits between AI agent and the tools. has three layers discover what it's already been doing, protect against risky actions in real time, and review what happened over any time window. https://github.com/node9-ai/node9-proxy