@solongate/proxy 0.1.0

package/dist/index.js

@@ -0,0 +1,1852 @@
+#!/usr/bin/env node
+
+// src/config.ts
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+var PRESETS = {
+  restricted: {
+    id: "restricted",
+    name: "Restricted",
+    description: "Blocks dangerous tools (shell, web), allows safe tools",
+    version: 1,
+    rules: [
+      {
+        id: "deny-shell",
+        description: "Block shell execution",
+        effect: "DENY",
+        priority: 100,
+        toolPattern: "*shell*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "deny-exec",
+        description: "Block command execution",
+        effect: "DENY",
+        priority: 101,
+        toolPattern: "*exec*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "deny-eval",
+        description: "Block code eval",
+        effect: "DENY",
+        priority: 102,
+        toolPattern: "*eval*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-rest",
+        description: "Allow all other tools",
+        effect: "ALLOW",
+        priority: 1e3,
+        toolPattern: "*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      }
+    ],
+    createdAt: "",
+    updatedAt: ""
+  },
+  "read-only": {
+    id: "read-only",
+    name: "Read Only",
+    description: "Only allows read operations, blocks writes and execution",
+    version: 1,
+    rules: [
+      {
+        id: "allow-read",
+        description: "Allow read tools",
+        effect: "ALLOW",
+        priority: 100,
+        toolPattern: "*read*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-list",
+        description: "Allow list tools",
+        effect: "ALLOW",
+        priority: 101,
+        toolPattern: "*list*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-get",
+        description: "Allow get tools",
+        effect: "ALLOW",
+        priority: 102,
+        toolPattern: "*get*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-search",
+        description: "Allow search tools",
+        effect: "ALLOW",
+        priority: 103,
+        toolPattern: "*search*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-query",
+        description: "Allow query tools",
+        effect: "ALLOW",
+        priority: 104,
+        toolPattern: "*query*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      }
+    ],
+    createdAt: "",
+    updatedAt: ""
+  },
+  permissive: {
+    id: "permissive",
+    name: "Permissive",
+    description: "Allows all tool calls (monitoring only)",
+    version: 1,
+    rules: [
+      {
+        id: "allow-all",
+        description: "Allow all",
+        effect: "ALLOW",
+        priority: 1e3,
+        toolPattern: "*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      }
+    ],
+    createdAt: "",
+    updatedAt: ""
+  },
+  "deny-all": {
+    id: "deny-all",
+    name: "Deny All",
+    description: "Blocks all tool calls",
+    version: 1,
+    rules: [],
+    createdAt: "",
+    updatedAt: ""
+  }
+};
+function loadPolicy(source) {
+  if (typeof source === "object") return source;
+  if (PRESETS[source]) return PRESETS[source];
+  const filePath = resolve(source);
+  if (existsSync(filePath)) {
+    const content = readFileSync(filePath, "utf-8");
+    return JSON.parse(content);
+  }
+  throw new Error(
+    `Unknown policy "${source}". Use a preset (${Object.keys(PRESETS).join(", ")}), a JSON file path, or a PolicySet object.`
+  );
+}
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  let policySource = "restricted";
+  let name = "solongate-proxy";
+  let verbose = false;
+  let validateInput = true;
+  let rateLimitPerTool;
+  let globalRateLimit;
+  let configFile;
+  let separatorIndex = args.indexOf("--");
+  const flags = separatorIndex >= 0 ? args.slice(0, separatorIndex) : args;
+  const upstreamArgs = separatorIndex >= 0 ? args.slice(separatorIndex + 1) : [];
+  for (let i = 0; i < flags.length; i++) {
+    switch (flags[i]) {
+      case "--policy":
+        policySource = flags[++i];
+        break;
+      case "--name":
+        name = flags[++i];
+        break;
+      case "--verbose":
+        verbose = true;
+        break;
+      case "--no-input-guard":
+        validateInput = false;
+        break;
+      case "--rate-limit":
+        rateLimitPerTool = parseInt(flags[++i], 10);
+        break;
+      case "--global-rate-limit":
+        globalRateLimit = parseInt(flags[++i], 10);
+        break;
+      case "--config":
+        configFile = flags[++i];
+        break;
+    }
+  }
+  if (configFile) {
+    const filePath = resolve(configFile);
+    const content = readFileSync(filePath, "utf-8");
+    const fileConfig = JSON.parse(content);
+    if (!fileConfig.upstream) {
+      throw new Error('Config file must include "upstream" with at least "command"');
+    }
+    return {
+      upstream: fileConfig.upstream,
+      policy: loadPolicy(fileConfig.policy ?? policySource),
+      name: fileConfig.name ?? name,
+      verbose: fileConfig.verbose ?? verbose,
+      validateInput: fileConfig.validateInput ?? validateInput,
+      rateLimitPerTool: fileConfig.rateLimitPerTool ?? rateLimitPerTool,
+      globalRateLimit: fileConfig.globalRateLimit ?? globalRateLimit
+    };
+  }
+  if (upstreamArgs.length === 0) {
+    throw new Error(
+      "No upstream server command provided.\n\nUsage: solongate-proxy [options] -- <command> [args...]\n\nExamples:\n  solongate-proxy -- node my-server.js\n  solongate-proxy --policy restricted -- npx @openclaw/server\n  solongate-proxy --config solongate.json\n"
+    );
+  }
+  const [command, ...commandArgs] = upstreamArgs;
+  return {
+    upstream: {
+      command,
+      args: commandArgs,
+      env: { ...process.env }
+    },
+    policy: loadPolicy(policySource),
+    name,
+    verbose,
+    validateInput,
+    rateLimitPerTool,
+    globalRateLimit
+  };
+}
+
+// src/proxy.ts
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import {
+  ListToolsRequestSchema,
+  CallToolRequestSchema,
+  ListResourcesRequestSchema,
+  ListPromptsRequestSchema,
+  GetPromptRequestSchema,
+  ReadResourceRequestSchema,
+  ListResourceTemplatesRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+
+// ../core/dist/index.js
+import { z } from "zod";
+var SolonGateError = class extends Error {
+  code;
+  timestamp;
+  details;
+  constructor(message, code, details = {}) {
+    super(message);
+    this.name = "SolonGateError";
+    this.code = code;
+    this.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.details = Object.freeze({ ...details });
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  /**
+   * Serializable representation for logging and API responses.
+   * Never includes stack traces (information leakage prevention).
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      timestamp: this.timestamp,
+      details: this.details
+    };
+  }
+};
+var PolicyDeniedError = class extends SolonGateError {
+  constructor(toolName, reason, details = {}) {
+    super(
+      `Policy denied execution of tool "${toolName}": ${reason}`,
+      "POLICY_DENIED",
+      { toolName, reason, ...details }
+    );
+    this.name = "PolicyDeniedError";
+  }
+};
+var SchemaValidationError = class extends SolonGateError {
+  constructor(toolName, validationErrors) {
+    super(
+      `Schema validation failed for tool "${toolName}": ${validationErrors.join("; ")}`,
+      "SCHEMA_VALIDATION_FAILED",
+      { toolName, validationErrors }
+    );
+    this.name = "SchemaValidationError";
+  }
+};
+var RateLimitError = class extends SolonGateError {
+  constructor(toolName, limitPerMinute) {
+    super(
+      `Rate limit exceeded for tool "${toolName}": max ${limitPerMinute}/min`,
+      "RATE_LIMIT_EXCEEDED",
+      { toolName, limitPerMinute }
+    );
+    this.name = "RateLimitError";
+  }
+};
+var TrustLevel = {
+  UNTRUSTED: "UNTRUSTED",
+  VERIFIED: "VERIFIED",
+  TRUSTED: "TRUSTED"
+};
+var Permission = {
+  READ: "READ",
+  WRITE: "WRITE",
+  EXECUTE: "EXECUTE"
+};
+var PermissionSchema = z.enum(["READ", "WRITE", "EXECUTE"]);
+var NO_PERMISSIONS = Object.freeze(
+  /* @__PURE__ */ new Set()
+);
+var READ_ONLY = Object.freeze(
+  /* @__PURE__ */ new Set([Permission.READ])
+);
+var PolicyEffect = {
+  ALLOW: "ALLOW",
+  DENY: "DENY"
+};
+var PolicyRuleSchema = z.object({
+  id: z.string().min(1).max(256),
+  description: z.string().max(1024),
+  effect: z.enum(["ALLOW", "DENY"]),
+  priority: z.number().int().min(0).max(1e4).default(1e3),
+  toolPattern: z.string().min(1).max(512),
+  permission: z.enum(["READ", "WRITE", "EXECUTE"]),
+  minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
+  argumentConstraints: z.record(z.unknown()).optional(),
+  pathConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional(),
+    rootDirectory: z.string().optional(),
+    allowSymlinks: z.boolean().optional()
+  }).optional(),
+  enabled: z.boolean().default(true),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime()
+});
+var PolicySetSchema = z.object({
+  id: z.string().min(1).max(256),
+  name: z.string().min(1).max(256),
+  description: z.string().max(2048),
+  version: z.number().int().min(0),
+  rules: z.array(PolicyRuleSchema),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime()
+});
+function createSecurityContext(params) {
+  return {
+    trustLevel: "UNTRUSTED",
+    grantedPermissions: /* @__PURE__ */ new Set(),
+    sessionId: null,
+    metadata: {},
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    ...params
+  };
+}
+var DEFAULT_POLICY_EFFECT = "DENY";
+var MAX_RULES_PER_POLICY_SET = 1e3;
+var SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1e3;
+var POLICY_EVALUATION_TIMEOUT_MS = 100;
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RATE_LIMIT_MAX_ENTRIES = 1e4;
+var UNSAFE_CONFIGURATION_WARNINGS = {
+  WILDCARD_ALLOW: "Wildcard ALLOW rules grant permission to ALL tools. This bypasses the default-deny model.",
+  TRUSTED_LEVEL_EXTERNAL: "Setting trust level to TRUSTED for external requests bypasses all security checks.",
+  WRITE_WITHOUT_READ: "Granting WRITE without READ is unusual and may indicate a misconfiguration.",
+  EXECUTE_WITHOUT_REVIEW: "EXECUTE permission allows tools to perform arbitrary actions. Review carefully.",
+  RATE_LIMIT_ZERO: "A rate limit of 0 means unlimited calls. This removes protection against runaway loops.",
+  DISABLED_VALIDATION: "Disabling schema validation removes input sanitization protections."
+};
+function createDeniedToolResult(reason) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify({
+          error: "POLICY_DENIED",
+          message: reason,
+          hint: "This tool call was blocked by SolonGate security policy. Check your policy configuration."
+        })
+      }
+    ],
+    isError: true
+  };
+}
+var DEFAULT_INPUT_GUARD_CONFIG = Object.freeze({
+  pathTraversal: true,
+  shellInjection: true,
+  wildcardAbuse: true,
+  lengthLimit: 4096,
+  entropyLimit: true
+});
+var PATH_TRAVERSAL_PATTERNS = [
+  /\.\.\//,
+  // ../
+  /\.\.\\/,
+  // ..\
+  /%2e%2e/i,
+  // URL-encoded ..
+  /%2e\./i,
+  // partial URL-encoded
+  /\.%2e/i,
+  // partial URL-encoded
+  /%252e%252e/i,
+  // double URL-encoded
+  /\.\.\0/
+  // null byte variant
+];
+var SENSITIVE_PATHS = [
+  /\/etc\/passwd/i,
+  /\/etc\/shadow/i,
+  /\/proc\//i,
+  /\/dev\//i,
+  /c:\\windows\\system32/i,
+  /c:\\windows\\syswow64/i,
+  /\/root\//i,
+  /~\//
+];
+function detectPathTraversal(value) {
+  for (const pattern of PATH_TRAVERSAL_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  for (const pattern of SENSITIVE_PATHS) {
+    if (pattern.test(value)) return true;
+  }
+  return false;
+}
+var SHELL_INJECTION_PATTERNS = [
+  /[;|&`]/,
+  // Command separators and backtick execution
+  /\$\(/,
+  // Command substitution $(...)
+  /\$\{/,
+  // Variable expansion ${...}
+  />\s*/,
+  // Output redirect
+  /<\s*/,
+  // Input redirect
+  /&&/,
+  // AND chaining
+  /\|\|/,
+  // OR chaining
+  /\beval\b/i,
+  // eval command
+  /\bexec\b/i,
+  // exec command
+  /\bsystem\b/i
+  // system call
+];
+function detectShellInjection(value) {
+  for (const pattern of SHELL_INJECTION_PATTERNS) {
+    if (pattern.test(value)) return true;
+  }
+  return false;
+}
+var MAX_WILDCARDS_PER_VALUE = 3;
+function detectWildcardAbuse(value) {
+  if (value.includes("**")) return true;
+  const wildcardCount = (value.match(/\*/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;
+  return false;
+}
+function checkLengthLimits(value, maxLength = 4096) {
+  return value.length <= maxLength;
+}
+var ENTROPY_THRESHOLD = 4.5;
+var MIN_LENGTH_FOR_ENTROPY_CHECK = 32;
+function checkEntropyLimits(value) {
+  if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true;
+  const entropy = calculateShannonEntropy(value);
+  return entropy <= ENTROPY_THRESHOLD;
+}
+function calculateShannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const char of str) {
+    freq.set(char, (freq.get(char) ?? 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    if (p > 0) {
+      entropy -= p * Math.log2(p);
+    }
+  }
+  return entropy;
+}
+function sanitizeInput(field, value, config = DEFAULT_INPUT_GUARD_CONFIG) {
+  const threats = [];
+  if (typeof value !== "string") {
+    if (typeof value === "object" && value !== null) {
+      return sanitizeObject(field, value, config);
+    }
+    return { safe: true, threats: [] };
+  }
+  if (config.pathTraversal && detectPathTraversal(value)) {
+    threats.push({
+      type: "PATH_TRAVERSAL",
+      field,
+      value: truncate(value, 100),
+      description: "Path traversal pattern detected"
+    });
+  }
+  if (config.shellInjection && detectShellInjection(value)) {
+    threats.push({
+      type: "SHELL_INJECTION",
+      field,
+      value: truncate(value, 100),
+      description: "Shell injection pattern detected"
+    });
+  }
+  if (config.wildcardAbuse && detectWildcardAbuse(value)) {
+    threats.push({
+      type: "WILDCARD_ABUSE",
+      field,
+      value: truncate(value, 100),
+      description: "Wildcard abuse pattern detected"
+    });
+  }
+  if (!checkLengthLimits(value, config.lengthLimit)) {
+    threats.push({
+      type: "LENGTH_EXCEEDED",
+      field,
+      value: `[${value.length} chars]`,
+      description: `Value exceeds maximum length of ${config.lengthLimit}`
+    });
+  }
+  if (config.entropyLimit && !checkEntropyLimits(value)) {
+    threats.push({
+      type: "HIGH_ENTROPY",
+      field,
+      value: truncate(value, 100),
+      description: "High entropy string detected - possible encoded payload"
+    });
+  }
+  return { safe: threats.length === 0, threats };
+}
+function sanitizeObject(basePath, obj, config) {
+  const threats = [];
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < obj.length; i++) {
+      const result = sanitizeInput(`${basePath}[${i}]`, obj[i], config);
+      threats.push(...result.threats);
+    }
+  } else {
+    for (const [key, val] of Object.entries(obj)) {
+      const result = sanitizeInput(`${basePath}.${key}`, val, config);
+      threats.push(...result.threats);
+    }
+  }
+  return { safe: threats.length === 0, threats };
+}
+function truncate(str, maxLen) {
+  return str.length > maxLen ? str.slice(0, maxLen) + "..." : str;
+}
+var DEFAULT_TOKEN_TTL_SECONDS = 30;
+var TOKEN_ALGORITHM = "HS256";
+var MIN_SECRET_LENGTH = 32;
+
+// ../policy-engine/dist/index.js
+import { createHash } from "crypto";
+function normalizePath(path) {
+  let normalized = path.replace(/\\/g, "/");
+  if (normalized.length > 1 && normalized.endsWith("/")) {
+    normalized = normalized.slice(0, -1);
+  }
+  const parts = normalized.split("/");
+  const resolved = [];
+  for (const part of parts) {
+    if (part === "." || part === "") {
+      if (resolved.length === 0) resolved.push("");
+      continue;
+    }
+    if (part === "..") {
+      if (resolved.length > 1) {
+        resolved.pop();
+      }
+      continue;
+    }
+    resolved.push(part);
+  }
+  return resolved.join("/") || "/";
+}
+function isWithinRoot(path, root) {
+  const normalizedPath = normalizePath(path);
+  const normalizedRoot = normalizePath(root);
+  if (normalizedPath === normalizedRoot) return true;
+  return normalizedPath.startsWith(normalizedRoot + "/");
+}
+function matchPathPattern(path, pattern) {
+  const normalizedPath = normalizePath(path);
+  const normalizedPattern = normalizePath(pattern);
+  if (normalizedPattern === "*") return true;
+  if (normalizedPattern === normalizedPath) return true;
+  const patternParts = normalizedPattern.split("/");
+  const pathParts = normalizedPath.split("/");
+  return matchParts(pathParts, 0, patternParts, 0);
+}
+function matchParts(pathParts, pi, patternParts, qi) {
+  while (pi < pathParts.length && qi < patternParts.length) {
+    const pattern = patternParts[qi];
+    if (pattern === "**") {
+      if (qi === patternParts.length - 1) return true;
+      for (let i = pi; i <= pathParts.length; i++) {
+        if (matchParts(pathParts, i, patternParts, qi + 1)) {
+          return true;
+        }
+      }
+      return false;
+    }
+    if (pattern === "*") {
+      pi++;
+      qi++;
+      continue;
+    }
+    if (pattern !== pathParts[pi]) {
+      return false;
+    }
+    pi++;
+    qi++;
+  }
+  while (qi < patternParts.length && patternParts[qi] === "**") {
+    qi++;
+  }
+  return pi === pathParts.length && qi === patternParts.length;
+}
+function isPathAllowed(path, constraints) {
+  if (constraints.rootDirectory) {
+    if (!isWithinRoot(path, constraints.rootDirectory)) {
+      return false;
+    }
+  }
+  if (constraints.denied && constraints.denied.length > 0) {
+    for (const pattern of constraints.denied) {
+      if (matchPathPattern(path, pattern)) {
+        return false;
+      }
+    }
+  }
+  if (constraints.allowed && constraints.allowed.length > 0) {
+    let matchesAllowed = false;
+    for (const pattern of constraints.allowed) {
+      if (matchPathPattern(path, pattern)) {
+        matchesAllowed = true;
+        break;
+      }
+    }
+    if (!matchesAllowed) return false;
+  }
+  return true;
+}
+function extractPathArguments(args) {
+  const paths = [];
+  for (const value of Object.values(args)) {
+    if (typeof value === "string" && (value.includes("/") || value.includes("\\"))) {
+      paths.push(value);
+    }
+  }
+  return paths;
+}
+function ruleMatchesRequest(rule, request) {
+  if (!rule.enabled) return false;
+  if (rule.permission !== request.requiredPermission) return false;
+  if (!toolPatternMatches(rule.toolPattern, request.toolName)) return false;
+  if (!trustLevelMeetsMinimum(request.context.trustLevel, rule.minimumTrustLevel)) {
+    return false;
+  }
+  if (rule.argumentConstraints) {
+    if (!argumentConstraintsMatch(rule.argumentConstraints, request.arguments)) {
+      return false;
+    }
+  }
+  if (rule.pathConstraints) {
+    if (!pathConstraintsMatch(rule.pathConstraints, request.arguments)) {
+      return false;
+    }
+  }
+  return true;
+}
+function toolPatternMatches(pattern, toolName) {
+  if (pattern === "*") return true;
+  const startsWithStar = pattern.startsWith("*");
+  const endsWithStar = pattern.endsWith("*");
+  if (startsWithStar && endsWithStar) {
+    const infix = pattern.slice(1, -1);
+    return infix.length > 0 && toolName.includes(infix);
+  }
+  if (endsWithStar) {
+    const prefix = pattern.slice(0, -1);
+    return toolName.startsWith(prefix);
+  }
+  if (startsWithStar) {
+    const suffix = pattern.slice(1);
+    return toolName.endsWith(suffix);
+  }
+  return pattern === toolName;
+}
+var TRUST_LEVEL_ORDER = {
+  [TrustLevel.UNTRUSTED]: 0,
+  [TrustLevel.VERIFIED]: 1,
+  [TrustLevel.TRUSTED]: 2
+};
+function trustLevelMeetsMinimum(actual, minimum) {
+  return (TRUST_LEVEL_ORDER[actual] ?? -1) >= (TRUST_LEVEL_ORDER[minimum] ?? Infinity);
+}
+function argumentConstraintsMatch(constraints, args) {
+  for (const [key, constraint] of Object.entries(constraints)) {
+    if (!(key in args)) return false;
+    if (typeof constraint === "string" && typeof args[key] === "string") {
+      if (constraint !== "*" && args[key] !== constraint) return false;
+    }
+  }
+  return true;
+}
+function pathConstraintsMatch(constraints, args) {
+  const paths = extractPathArguments(args);
+  if (paths.length === 0) return true;
+  return paths.every((path) => isPathAllowed(path, constraints));
+}
+function evaluatePolicy(policySet, request) {
+  const startTime = performance.now();
+  const sortedRules = [...policySet.rules].sort(
+    (a, b) => a.priority - b.priority
+  );
+  for (const rule of sortedRules) {
+    if (ruleMatchesRequest(rule, request)) {
+      const endTime2 = performance.now();
+      return {
+        effect: rule.effect,
+        matchedRule: rule,
+        reason: `Matched rule "${rule.id}": ${rule.description}`,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        evaluationTimeMs: endTime2 - startTime
+      };
+    }
+  }
+  const endTime = performance.now();
+  return {
+    effect: DEFAULT_POLICY_EFFECT,
+    matchedRule: null,
+    reason: "No matching policy rule found. Default action: DENY.",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    evaluationTimeMs: endTime - startTime
+  };
+}
+function validatePolicyRule(input) {
+  const errors = [];
+  const warnings = [];
+  const result = PolicyRuleSchema.safeParse(input);
+  if (!result.success) {
+    return {
+      valid: false,
+      errors: result.error.errors.map(
+        (e) => `${e.path.join(".")}: ${e.message}`
+      ),
+      warnings: []
+    };
+  }
+  const rule = result.data;
+  if (rule.toolPattern === "*" && rule.effect === "ALLOW") {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW);
+  }
+  if (rule.minimumTrustLevel === "TRUSTED") {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.TRUSTED_LEVEL_EXTERNAL);
+  }
+  if (rule.permission === "EXECUTE") {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW);
+  }
+  return { valid: true, errors, warnings };
+}
+function validatePolicySet(input) {
+  const errors = [];
+  const warnings = [];
+  const result = PolicySetSchema.safeParse(input);
+  if (!result.success) {
+    return {
+      valid: false,
+      errors: result.error.errors.map(
+        (e) => `${e.path.join(".")}: ${e.message}`
+      ),
+      warnings: []
+    };
+  }
+  const policySet = result.data;
+  if (policySet.rules.length > MAX_RULES_PER_POLICY_SET) {
+    errors.push(
+      `Policy set exceeds maximum of ${MAX_RULES_PER_POLICY_SET} rules`
+    );
+  }
+  const ruleIds = /* @__PURE__ */ new Set();
+  for (const rule of policySet.rules) {
+    if (ruleIds.has(rule.id)) {
+      errors.push(`Duplicate rule ID: "${rule.id}"`);
+    }
+    ruleIds.add(rule.id);
+  }
+  for (const rule of policySet.rules) {
+    const ruleResult = validatePolicyRule(rule);
+    warnings.push(...ruleResult.warnings);
+  }
+  const hasDenyRule = policySet.rules.some((r) => r.effect === "DENY");
+  if (!hasDenyRule && policySet.rules.length > 0) {
+    warnings.push(
+      "Policy set contains only ALLOW rules. The default-deny fallback is the only protection."
+    );
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings
+  };
+}
+function analyzeSecurityWarnings(policySet) {
+  const warnings = [];
+  for (const rule of policySet.rules) {
+    warnings.push(...analyzeRuleWarnings(rule));
+  }
+  const allowRules = policySet.rules.filter(
+    (r) => r.effect === "ALLOW" && r.enabled
+  );
+  const wildcardAllows = allowRules.filter((r) => r.toolPattern === "*");
+  if (wildcardAllows.length > 0) {
+    warnings.push({
+      level: "CRITICAL",
+      code: "WILDCARD_ALLOW",
+      message: UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW,
+      recommendation: "Replace wildcard ALLOW rules with specific tool patterns."
+    });
+  }
+  return warnings;
+}
+function analyzeRuleWarnings(rule) {
+  const warnings = [];
+  if (rule.effect === "ALLOW" && rule.minimumTrustLevel === "UNTRUSTED") {
+    warnings.push({
+      level: "CRITICAL",
+      code: "ALLOW_UNTRUSTED",
+      message: `Rule "${rule.id}" allows execution for UNTRUSTED requests. Unverified LLM requests can execute tools.`,
+      ruleId: rule.id,
+      recommendation: "Set minimumTrustLevel to VERIFIED or higher for ALLOW rules."
+    });
+  }
+  if (rule.effect === "ALLOW" && rule.permission === "EXECUTE") {
+    warnings.push({
+      level: "WARNING",
+      code: "ALLOW_EXECUTE",
+      message: UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW,
+      ruleId: rule.id,
+      recommendation: "Ensure EXECUTE permissions are intentional and scoped to specific tools."
+    });
+  }
+  return warnings;
+}
+function createDefaultDenyPolicySet() {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    id: "default-deny",
+    name: "Default Deny All",
+    description: "Denies all tool executions. Add explicit ALLOW rules to grant access to specific tools.",
+    version: 1,
+    rules: [
+      {
+        id: "deny-all-execute",
+        description: "Explicitly deny all tool executions",
+        effect: PolicyEffect.DENY,
+        priority: 1e4,
+        toolPattern: "*",
+        permission: Permission.EXECUTE,
+        minimumTrustLevel: TrustLevel.UNTRUSTED,
+        enabled: true,
+        createdAt: now,
+        updatedAt: now
+      },
+      {
+        id: "deny-all-write",
+        description: "Explicitly deny all write operations",
+        effect: PolicyEffect.DENY,
+        priority: 1e4,
+        toolPattern: "*",
+        permission: Permission.WRITE,
+        minimumTrustLevel: TrustLevel.UNTRUSTED,
+        enabled: true,
+        createdAt: now,
+        updatedAt: now
+      },
+      {
+        id: "deny-all-read",
+        description: "Explicitly deny all read operations",
+        effect: PolicyEffect.DENY,
+        priority: 1e4,
+        toolPattern: "*",
+        permission: Permission.READ,
+        minimumTrustLevel: TrustLevel.UNTRUSTED,
+        enabled: true,
+        createdAt: now,
+        updatedAt: now
+      }
+    ],
+    createdAt: now,
+    updatedAt: now
+  };
+}
+var PolicyEngine = class {
+  policySet;
+  timeoutMs;
+  store;
+  constructor(options) {
+    this.policySet = options?.policySet ?? createDefaultDenyPolicySet();
+    this.timeoutMs = options?.timeoutMs ?? POLICY_EVALUATION_TIMEOUT_MS;
+    this.store = options?.store ?? null;
+  }
+  /**
+   * Evaluates an execution request against the current policy set.
+   * Never throws for denials - denial is a normal outcome, not an error.
+   */
+  evaluate(request) {
+    const startTime = performance.now();
+    const decision = evaluatePolicy(this.policySet, request);
+    const elapsed = performance.now() - startTime;
+    if (elapsed > this.timeoutMs) {
+      console.warn(
+        `[SolonGate] Policy evaluation took ${elapsed.toFixed(1)}ms (limit: ${this.timeoutMs}ms) for tool "${request.toolName}"`
+      );
+    }
+    return decision;
+  }
+  /**
+   * Loads a new policy set, replacing the current one.
+   * Validates before accepting. Auto-saves version when store is present.
+   */
+  loadPolicySet(policySet, options) {
+    const validation = validatePolicySet(policySet);
+    if (!validation.valid) {
+      return validation;
+    }
+    this.policySet = policySet;
+    if (this.store) {
+      this.store.saveVersion(
+        policySet,
+        options?.reason ?? "Policy updated",
+        options?.createdBy ?? "system"
+      );
+    }
+    return validation;
+  }
+  /**
+   * Rolls back to a previous policy version.
+   * Only available when a PolicyStore is configured.
+   */
+  rollback(version) {
+    if (!this.store) {
+      throw new Error("PolicyStore not configured - cannot rollback");
+    }
+    const policyVersion = this.store.rollback(this.policySet.id, version);
+    this.policySet = policyVersion.policySet;
+    return policyVersion;
+  }
+  getPolicySet() {
+    return this.policySet;
+  }
+  getSecurityWarnings() {
+    return analyzeSecurityWarnings(this.policySet);
+  }
+  getStore() {
+    return this.store;
+  }
+  reset() {
+    this.policySet = createDefaultDenyPolicySet();
+  }
+};
+var PolicyStore = class {
+  versions = /* @__PURE__ */ new Map();
+  /**
+   * Saves a new version of a policy set.
+   * The version number auto-increments.
+   */
+  saveVersion(policySet, reason, createdBy) {
+    const id = policySet.id;
+    const history = this.versions.get(id) ?? [];
+    const latestVersion = history.length > 0 ? history[history.length - 1].version : 0;
+    const version = {
+      version: latestVersion + 1,
+      policySet: Object.freeze({ ...policySet }),
+      hash: this.computeHash(policySet),
+      reason,
+      createdBy,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const newHistory = [...history, version];
+    this.versions.set(id, newHistory);
+    return version;
+  }
+  /**
+   * Gets a specific version of a policy set.
+   */
+  getVersion(id, version) {
+    const history = this.versions.get(id);
+    if (!history) return null;
+    return history.find((v) => v.version === version) ?? null;
+  }
+  /**
+   * Gets the latest version of a policy set.
+   */
+  getLatest(id) {
+    const history = this.versions.get(id);
+    if (!history || history.length === 0) return null;
+    return history[history.length - 1];
+  }
+  /**
+   * Gets the full version history of a policy set.
+   */
+  getHistory(id) {
+    return this.versions.get(id) ?? [];
+  }
+  /**
+   * Rolls back to a previous version by creating a new version
+   * with the same content as the target version.
+   */
+  rollback(id, toVersion) {
+    const target = this.getVersion(id, toVersion);
+    if (!target) {
+      throw new Error(`Version ${toVersion} not found for policy "${id}"`);
+    }
+    return this.saveVersion(
+      target.policySet,
+      `Rollback to version ${toVersion}`,
+      "system"
+    );
+  }
+  /**
+   * Computes a diff between two policy versions.
+   */
+  diff(v1, v2) {
+    const oldRulesMap = new Map(v1.policySet.rules.map((r) => [r.id, r]));
+    const newRulesMap = new Map(v2.policySet.rules.map((r) => [r.id, r]));
+    const added = [];
+    const removed = [];
+    const modified = [];
+    for (const [id, newRule] of newRulesMap) {
+      const oldRule = oldRulesMap.get(id);
+      if (!oldRule) {
+        added.push(newRule);
+      } else if (JSON.stringify(oldRule) !== JSON.stringify(newRule)) {
+        modified.push({ old: oldRule, new: newRule });
+      }
+    }
+    for (const [id, oldRule] of oldRulesMap) {
+      if (!newRulesMap.has(id)) {
+        removed.push(oldRule);
+      }
+    }
+    return { added, removed, modified };
+  }
+  /**
+   * Computes SHA256 hash of a policy set for integrity verification.
+   */
+  computeHash(policySet) {
+    const serialized = JSON.stringify(policySet, Object.keys(policySet).sort());
+    return createHash("sha256").update(serialized).digest("hex");
+  }
+};
+
+// ../sdk-ts/dist/index.js
+import { randomUUID, createHmac } from "crypto";
+var DEFAULT_CONFIG = Object.freeze({
+  validateSchemas: true,
+  enableLogging: true,
+  logLevel: "info",
+  evaluationTimeoutMs: 100,
+  verboseErrors: false,
+  globalRateLimitPerMinute: 600,
+  rateLimitPerTool: 60,
+  tokenTtlSeconds: 30,
+  inputGuardConfig: DEFAULT_INPUT_GUARD_CONFIG,
+  enableVersionedPolicies: true
+});
+function resolveConfig(userConfig) {
+  const warnings = [];
+  const config = { ...DEFAULT_CONFIG, ...userConfig };
+  if (!config.validateSchemas) {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.DISABLED_VALIDATION);
+  }
+  if (config.globalRateLimitPerMinute === 0) {
+    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.RATE_LIMIT_ZERO);
+  }
+  if (config.verboseErrors) {
+    warnings.push(
+      "Verbose errors enabled: internal error details will be sent to the LLM."
+    );
+  }
+  if (config.tokenSecret && config.tokenSecret.length < 32) {
+    warnings.push(
+      "Token secret is shorter than 32 characters. Use a longer secret for production."
+    );
+  }
+  return { config, warnings };
+}
+async function interceptToolCall(params, upstreamCall, options) {
+  const requestId = randomUUID();
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const context = createSecurityContext({ requestId });
+  const request = {
+    context,
+    toolName: params.name,
+    serverName: "default",
+    arguments: params.arguments ?? {},
+    requiredPermission: Permission.EXECUTE,
+    timestamp
+  };
+  if (options.rateLimiter) {
+    if (options.rateLimitPerTool) {
+      const toolLimit = options.rateLimiter.checkLimit(
+        params.name,
+        options.rateLimitPerTool
+      );
+      if (!toolLimit.allowed) {
+        const result = {
+          status: "ERROR",
+          request,
+          error: new RateLimitError(params.name, options.rateLimitPerTool),
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        options.onDecision?.(result);
+        return createDeniedToolResult(
+          `Rate limit exceeded for tool "${params.name}"`
+        );
+      }
+    }
+    if (options.globalRateLimitPerMinute) {
+      const globalLimit = options.rateLimiter.checkGlobalLimit(
+        options.globalRateLimitPerMinute
+      );
+      if (!globalLimit.allowed) {
+        const result = {
+          status: "ERROR",
+          request,
+          error: new RateLimitError("*", options.globalRateLimitPerMinute),
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        options.onDecision?.(result);
+        return createDeniedToolResult("Global rate limit exceeded");
+      }
+    }
+  }
+  if (options.validateSchemas && params.arguments) {
+    const guardConfig = options.inputGuardConfig ?? DEFAULT_INPUT_GUARD_CONFIG;
+    const sanitization = sanitizeInput("arguments", params.arguments, guardConfig);
+    if (!sanitization.safe) {
+      const threatDescriptions = sanitization.threats.map(
+        (t) => `${t.type}: ${t.description} (field: ${t.field})`
+      );
+      const result = {
+        status: "ERROR",
+        request,
+        error: new SchemaValidationError(params.name, threatDescriptions),
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      options.onDecision?.(result);
+      const reason = options.verboseErrors ? `Input validation failed: ${threatDescriptions.join("; ")}` : "Input validation failed.";
+      return createDeniedToolResult(reason);
+    }
+  }
+  const decision = options.policyEngine.evaluate(request);
+  if (decision.effect === "DENY") {
+    const result = {
+      status: "DENIED",
+      request,
+      decision,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    const reason = options.verboseErrors ? decision.reason : "Tool execution denied by security policy.";
+    return createDeniedToolResult(reason);
+  }
+  let capabilityToken;
+  if (options.tokenIssuer) {
+    capabilityToken = options.tokenIssuer.issue(
+      requestId,
+      [Permission.EXECUTE],
+      [params.name]
+    );
+  }
+  if (options.serverVerifier && capabilityToken) {
+    options.serverVerifier.createSignedRequest(params, capabilityToken);
+  }
+  try {
+    const startTime = performance.now();
+    const toolResult = await upstreamCall(params);
+    const durationMs = performance.now() - startTime;
+    if (options.rateLimiter) {
+      options.rateLimiter.recordCall(params.name);
+    }
+    const result = {
+      status: "ALLOWED",
+      request,
+      decision,
+      toolResult,
+      durationMs,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    return toolResult;
+  } catch (error) {
+    const result = {
+      status: "ERROR",
+      request,
+      error: error instanceof Error ? new PolicyDeniedError(params.name, error.message) : new PolicyDeniedError(params.name, "Unknown upstream error"),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    options.onDecision?.(result);
+    throw error;
+  }
+}
+var LOG_LEVEL_ORDER = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var SecurityLogger = class {
+  minLevel;
+  enabled;
+  constructor(options) {
+    this.minLevel = options.level;
+    this.enabled = options.enabled;
+  }
+  logDecision(result) {
+    if (!this.enabled) return;
+    const entry = {
+      type: "security_decision",
+      status: result.status,
+      toolName: result.request.toolName,
+      permission: result.request.requiredPermission,
+      trustLevel: result.request.context.trustLevel,
+      requestId: result.request.context.requestId,
+      timestamp: result.timestamp,
+      ...result.status === "ALLOWED" && { durationMs: result.durationMs },
+      ...result.status === "DENIED" && { reason: result.decision.reason },
+      ...result.status === "ERROR" && { error: result.error.code }
+    };
+    if (result.status === "DENIED" || result.status === "ERROR") {
+      this.log("warn", entry);
+    } else {
+      this.log("info", entry);
+    }
+  }
+  log(level, data) {
+    if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[this.minLevel]) return;
+    const output = JSON.stringify({ level, ...data });
+    switch (level) {
+      case "error":
+        console.error(`[SolonGate] ${output}`);
+        break;
+      case "warn":
+        console.warn(`[SolonGate] ${output}`);
+        break;
+      case "debug":
+        console.debug(`[SolonGate] ${output}`);
+        break;
+      default:
+        console.info(`[SolonGate] ${output}`);
+    }
+  }
+};
+var TokenIssuer = class {
+  secret;
+  ttlSeconds;
+  issuer;
+  usedNonces = /* @__PURE__ */ new Set();
+  revokedTokens = /* @__PURE__ */ new Set();
+  constructor(config) {
+    if (config.secret.length < MIN_SECRET_LENGTH) {
+      throw new Error(
+        `Token secret must be at least ${MIN_SECRET_LENGTH} characters`
+      );
+    }
+    this.secret = config.secret;
+    this.ttlSeconds = config.ttlSeconds || DEFAULT_TOKEN_TTL_SECONDS;
+    this.issuer = config.issuer;
+  }
+  /**
+   * Issues a signed capability token.
+   */
+  issue(requestId, permissions, toolScope, serverScope = ["*"], pathScope) {
+    const now = Math.floor(Date.now() / 1e3);
+    const jti = randomUUID();
+    const payload = {
+      jti,
+      iss: this.issuer,
+      sub: requestId,
+      iat: now,
+      exp: now + this.ttlSeconds,
+      permissions: [...permissions],
+      toolScope: [...toolScope],
+      serverScope: [...serverScope],
+      ...pathScope && { pathScope: [...pathScope] }
+    };
+    return this.sign(payload);
+  }
+  /**
+   * Verifies a capability token and consumes the nonce (single-use).
+   */
+  verify(token) {
+    const parsed = this.parseAndVerify(token);
+    if (!parsed.valid || !parsed.payload) {
+      return parsed;
+    }
+    const payload = parsed.payload;
+    const now = Math.floor(Date.now() / 1e3);
+    if (payload.exp <= now) {
+      return { valid: false, reason: "Token expired" };
+    }
+    if (this.revokedTokens.has(payload.jti)) {
+      return { valid: false, reason: "Token has been revoked" };
+    }
+    if (this.usedNonces.has(payload.jti)) {
+      return { valid: false, reason: "Token already used (replay detected)" };
+    }
+    this.usedNonces.add(payload.jti);
+    return { valid: true, payload };
+  }
+  /**
+   * Revokes a token by its ID.
+   */
+  revoke(jti) {
+    this.revokedTokens.add(jti);
+  }
+  /**
+   * Checks if a token ID has been revoked.
+   */
+  isRevoked(jti) {
+    return this.revokedTokens.has(jti);
+  }
+  // --- Internal helpers ---
+  sign(payload) {
+    const header = base64UrlEncode(JSON.stringify({ alg: TOKEN_ALGORITHM, typ: "JWT" }));
+    const body = base64UrlEncode(JSON.stringify(payload));
+    const signature = this.computeSignature(`${header}.${body}`);
+    return `${header}.${body}.${signature}`;
+  }
+  parseAndVerify(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return { valid: false, reason: "Invalid token format" };
+    }
+    const [header, body, signature] = parts;
+    const expectedSignature = this.computeSignature(`${header}.${body}`);
+    if (signature !== expectedSignature) {
+      return { valid: false, reason: "Invalid token signature" };
+    }
+    try {
+      const payload = JSON.parse(base64UrlDecode(body));
+      return { valid: true, payload };
+    } catch {
+      return { valid: false, reason: "Invalid token payload" };
+    }
+  }
+  computeSignature(data) {
+    return base64UrlEncode(
+      createHmac("sha256", this.secret).update(data).digest("base64")
+    );
+  }
+};
+function base64UrlEncode(str) {
+  return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+  const padded = str + "=".repeat((4 - str.length % 4) % 4);
+  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();
+}
+var ServerVerifier = class {
+  gatewaySecret;
+  maxAgeMs;
+  usedNonces = /* @__PURE__ */ new Set();
+  constructor(config) {
+    if (config.gatewaySecret.length < 32) {
+      throw new Error("Gateway secret must be at least 32 characters");
+    }
+    this.gatewaySecret = config.gatewaySecret;
+    this.maxAgeMs = config.maxAgeMs ?? 6e4;
+  }
+  /**
+   * Computes HMAC signature for request data.
+   */
+  signRequest(params, capabilityToken) {
+    const data = JSON.stringify({ params, capabilityToken });
+    return createHmac("sha256", this.gatewaySecret).update(data).digest("hex");
+  }
+  /**
+   * Verifies the HMAC signature of request data.
+   */
+  verifySignature(params, capabilityToken, signature) {
+    const expected = this.signRequest(params, capabilityToken);
+    if (expected.length !== signature.length) return false;
+    let result = 0;
+    for (let i = 0; i < expected.length; i++) {
+      result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
+    }
+    return result === 0;
+  }
+  /**
+   * Creates a complete signed request including timestamp and nonce.
+   */
+  createSignedRequest(params, capabilityToken) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const nonce = randomUUID();
+    const signature = this.signRequest(params, capabilityToken);
+    return {
+      params,
+      capabilityToken,
+      signature,
+      timestamp,
+      nonce
+    };
+  }
+  /**
+   * Validates a complete signed request including timestamp, nonce, and signature.
+   */
+  validateSignedRequest(request) {
+    const requestTime = new Date(request.timestamp).getTime();
+    const now = Date.now();
+    if (isNaN(requestTime)) {
+      return { valid: false, reason: "Invalid timestamp" };
+    }
+    if (now - requestTime > this.maxAgeMs) {
+      return { valid: false, reason: "Request too old" };
+    }
+    if (requestTime > now + 3e4) {
+      return { valid: false, reason: "Request timestamp in the future" };
+    }
+    if (this.usedNonces.has(request.nonce)) {
+      return { valid: false, reason: "Duplicate nonce (replay detected)" };
+    }
+    if (!this.verifySignature(request.params, request.capabilityToken, request.signature)) {
+      return { valid: false, reason: "Invalid signature" };
+    }
+    this.usedNonces.add(request.nonce);
+    return { valid: true };
+  }
+};
+var RateLimiter = class {
+  windowMs;
+  records = /* @__PURE__ */ new Map();
+  globalRecords = [];
+  constructor(options) {
+    this.windowMs = options?.windowMs ?? RATE_LIMIT_WINDOW_MS;
+  }
+  /**
+   * Checks if a tool call is within the rate limit.
+   * Does NOT record the call - use recordCall() after successful execution.
+   */
+  checkLimit(toolName, limitPerWindow) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    const records = this.getActiveRecords(toolName, windowStart);
+    const count = records.length;
+    const allowed = count < limitPerWindow;
+    const remaining = Math.max(0, limitPerWindow - count);
+    const resetAt = records.length > 0 ? records[0].timestamp + this.windowMs : now + this.windowMs;
+    return { allowed, remaining, resetAt };
+  }
+  /**
+   * Checks the global rate limit across all tools.
+   */
+  checkGlobalLimit(limitPerWindow) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    this.globalRecords = this.globalRecords.filter(
+      (r) => r.timestamp > windowStart
+    );
+    const count = this.globalRecords.length;
+    const allowed = count < limitPerWindow;
+    const remaining = Math.max(0, limitPerWindow - count);
+    const resetAt = this.globalRecords.length > 0 ? this.globalRecords[0].timestamp + this.windowMs : now + this.windowMs;
+    return { allowed, remaining, resetAt };
+  }
+  /**
+   * Records a tool call for rate limiting.
+   * Call this after successful execution.
+   */
+  recordCall(toolName) {
+    const now = Date.now();
+    const record = { timestamp: now };
+    const records = this.records.get(toolName) ?? [];
+    records.push(record);
+    if (records.length > RATE_LIMIT_MAX_ENTRIES) {
+      const windowStart = now - this.windowMs;
+      const cleaned = records.filter((r) => r.timestamp > windowStart);
+      this.records.set(toolName, cleaned);
+    } else {
+      this.records.set(toolName, records);
+    }
+    this.globalRecords.push(record);
+    if (this.globalRecords.length > RATE_LIMIT_MAX_ENTRIES) {
+      const windowStart = now - this.windowMs;
+      this.globalRecords = this.globalRecords.filter(
+        (r) => r.timestamp > windowStart
+      );
+    }
+  }
+  /**
+   * Gets usage stats for a tool.
+   */
+  getUsage(toolName) {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    const records = this.getActiveRecords(toolName, windowStart);
+    return { count: records.length, windowStart };
+  }
+  /**
+   * Resets rate tracking for a specific tool.
+   */
+  resetTool(toolName) {
+    this.records.delete(toolName);
+  }
+  /**
+   * Resets all rate tracking.
+   */
+  resetAll() {
+    this.records.clear();
+    this.globalRecords = [];
+  }
+  getActiveRecords(toolName, windowStart) {
+    const records = this.records.get(toolName) ?? [];
+    const active = records.filter((r) => r.timestamp > windowStart);
+    if (active.length !== records.length) {
+      this.records.set(toolName, active);
+    }
+    return active;
+  }
+};
+var SolonGate = class {
+  policyEngine;
+  config;
+  logger;
+  configWarnings;
+  tokenIssuer;
+  serverVerifier;
+  rateLimiter;
+  constructor(options) {
+    const { config, warnings } = resolveConfig(options.config);
+    this.config = config;
+    this.configWarnings = warnings;
+    this.logger = new SecurityLogger({
+      level: config.logLevel,
+      enabled: config.enableLogging
+    });
+    for (const warning of warnings) {
+      console.warn(`[SolonGate] WARNING: ${warning}`);
+    }
+    const store = config.enableVersionedPolicies ? new PolicyStore() : void 0;
+    this.policyEngine = new PolicyEngine({
+      policySet: options.policySet ?? config.policySet,
+      timeoutMs: config.evaluationTimeoutMs,
+      store
+    });
+    this.tokenIssuer = config.tokenSecret ? new TokenIssuer({
+      secret: config.tokenSecret,
+      ttlSeconds: config.tokenTtlSeconds,
+      algorithm: TOKEN_ALGORITHM,
+      issuer: config.tokenIssuer ?? options.name
+    }) : null;
+    this.serverVerifier = config.gatewaySecret ? new ServerVerifier({ gatewaySecret: config.gatewaySecret }) : null;
+    this.rateLimiter = new RateLimiter();
+  }
+  /**
+   * Intercept and evaluate a tool call against the full security pipeline.
+   * If denied at any stage, returns an error result without calling upstream.
+   * If allowed, calls upstream and returns the result.
+   */
+  async executeToolCall(params, upstreamCall) {
+    return interceptToolCall(params, upstreamCall, {
+      policyEngine: this.policyEngine,
+      validateSchemas: this.config.validateSchemas,
+      verboseErrors: this.config.verboseErrors,
+      onDecision: (result) => this.logger.logDecision(result),
+      tokenIssuer: this.tokenIssuer ?? void 0,
+      serverVerifier: this.serverVerifier ?? void 0,
+      rateLimiter: this.rateLimiter,
+      inputGuardConfig: this.config.inputGuardConfig,
+      rateLimitPerTool: this.config.rateLimitPerTool,
+      globalRateLimitPerMinute: this.config.globalRateLimitPerMinute
+    });
+  }
+  /** Load a new policy set at runtime. */
+  loadPolicy(policySet, options) {
+    return this.policyEngine.loadPolicySet(policySet, options);
+  }
+  /** Get current security warnings. */
+  getWarnings() {
+    return [
+      ...this.configWarnings,
+      ...this.policyEngine.getSecurityWarnings().map((w) => `[${w.level}] ${w.message}`)
+    ];
+  }
+  /** Get the policy engine for direct access. */
+  getPolicyEngine() {
+    return this.policyEngine;
+  }
+  /** Get the rate limiter for direct access. */
+  getRateLimiter() {
+    return this.rateLimiter;
+  }
+  /** Get the token issuer (null if not configured). */
+  getTokenIssuer() {
+    return this.tokenIssuer;
+  }
+};
+
+// src/proxy.ts
+var log = (...args) => process.stderr.write(`[SolonGate] ${args.map(String).join(" ")}
+`);
+var Mutex = class {
+  queue = [];
+  locked = false;
+  async acquire() {
+    if (!this.locked) {
+      this.locked = true;
+      return;
+    }
+    return new Promise((resolve2) => {
+      this.queue.push(resolve2);
+    });
+  }
+  release() {
+    const next = this.queue.shift();
+    if (next) {
+      next();
+    } else {
+      this.locked = false;
+    }
+  }
+};
+var SolonGateProxy = class {
+  config;
+  gate;
+  client = null;
+  server = null;
+  callMutex = new Mutex();
+  upstreamTools = [];
+  constructor(config) {
+    this.config = config;
+    this.gate = new SolonGate({
+      name: config.name ?? "solongate-proxy",
+      policySet: config.policy,
+      config: {
+        validateSchemas: config.validateInput ?? true,
+        verboseErrors: config.verbose ?? false,
+        rateLimitPerTool: config.rateLimitPerTool,
+        globalRateLimitPerMinute: config.globalRateLimit
+      }
+    });
+    const warnings = this.gate.getWarnings();
+    for (const w of warnings) {
+      log("WARNING:", w);
+    }
+  }
+  /**
+   * Start the proxy: connect to upstream, then serve downstream.
+   */
+  async start() {
+    log("Starting SolonGate Proxy...");
+    log(`Policy: ${this.config.policy.name} (${this.config.policy.rules.length} rules)`);
+    log(`Upstream: ${this.config.upstream.command} ${(this.config.upstream.args ?? []).join(" ")}`);
+    await this.connectUpstream();
+    await this.discoverTools();
+    this.createServer();
+    await this.serve();
+  }
+  /**
+   * Connect to the upstream MCP server by spawning it as a child process.
+   */
+  async connectUpstream() {
+    this.client = new Client(
+      { name: "solongate-proxy-client", version: "0.1.0" },
+      { capabilities: {} }
+    );
+    const transport = new StdioClientTransport({
+      command: this.config.upstream.command,
+      args: this.config.upstream.args,
+      env: this.config.upstream.env,
+      cwd: this.config.upstream.cwd,
+      stderr: "pipe"
+    });
+    await this.client.connect(transport);
+    log("Connected to upstream server");
+  }
+  /**
+   * Discover tools from the upstream server.
+   */
+  async discoverTools() {
+    if (!this.client) throw new Error("Client not connected");
+    const result = await this.client.listTools();
+    this.upstreamTools = result.tools.map((t) => ({
+      name: t.name,
+      description: t.description,
+      inputSchema: t.inputSchema
+    }));
+    log(`Discovered ${this.upstreamTools.length} tools from upstream:`);
+    for (const tool of this.upstreamTools) {
+      log(`  - ${tool.name}: ${tool.description ?? "(no description)"}`);
+    }
+  }
+  /**
+   * Create the downstream MCP server with proxied handlers.
+   */
+  createServer() {
+    this.server = new Server(
+      {
+        name: this.config.name ?? "solongate-proxy",
+        version: "0.1.0"
+      },
+      {
+        capabilities: {
+          tools: {},
+          // Pass through resources and prompts if upstream supports them
+          resources: {},
+          prompts: {}
+        }
+      }
+    );
+    this.server.setRequestHandler(ListToolsRequestSchema, async () => {
+      return { tools: this.upstreamTools };
+    });
+    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
+      const { name, arguments: args } = request.params;
+      log(`Tool call: ${name}`);
+      await this.callMutex.acquire();
+      try {
+        const result = await this.gate.executeToolCall(
+          { name, arguments: args ?? {} },
+          async (params) => {
+            if (!this.client) throw new Error("Upstream client disconnected");
+            const upstreamResult = await this.client.callTool({
+              name: params.name,
+              arguments: params.arguments
+            });
+            return upstreamResult;
+          }
+        );
+        log(`Result: ${result.isError ? "DENIED/ERROR" : "ALLOWED"}`);
+        return {
+          content: [...result.content],
+          isError: result.isError
+        };
+      } finally {
+        this.callMutex.release();
+      }
+    });
+    this.server.setRequestHandler(ListResourcesRequestSchema, async () => {
+      if (!this.client) return { resources: [] };
+      try {
+        return await this.client.listResources();
+      } catch {
+        return { resources: [] };
+      }
+    });
+    this.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+      if (!this.client) throw new Error("Upstream client disconnected");
+      return await this.client.readResource({ uri: request.params.uri });
+    });
+    this.server.setRequestHandler(ListResourceTemplatesRequestSchema, async () => {
+      if (!this.client) return { resourceTemplates: [] };
+      try {
+        return await this.client.listResourceTemplates();
+      } catch {
+        return { resourceTemplates: [] };
+      }
+    });
+    this.server.setRequestHandler(ListPromptsRequestSchema, async () => {
+      if (!this.client) return { prompts: [] };
+      try {
+        return await this.client.listPrompts();
+      } catch {
+        return { prompts: [] };
+      }
+    });
+    this.server.setRequestHandler(GetPromptRequestSchema, async (request) => {
+      if (!this.client) throw new Error("Upstream client disconnected");
+      return await this.client.getPrompt({
+        name: request.params.name,
+        arguments: request.params.arguments
+      });
+    });
+  }
+  /**
+   * Start serving on stdio (downstream to Claude).
+   */
+  async serve() {
+    if (!this.server) throw new Error("Server not created");
+    const transport = new StdioServerTransport();
+    await this.server.connect(transport);
+    log("Proxy is live. All tool calls are now protected by SolonGate.");
+    log("Waiting for requests...");
+  }
+};
+
+// src/index.ts
+console.log = (...args) => {
+  process.stderr.write(`[SolonGate] ${args.map(String).join(" ")}
+`);
+};
+console.warn = (...args) => {
+  process.stderr.write(`[SolonGate WARN] ${args.map(String).join(" ")}
+`);
+};
+console.error = (...args) => {
+  process.stderr.write(`[SolonGate ERROR] ${args.map(String).join(" ")}
+`);
+};
+async function main() {
+  try {
+    const config = parseArgs(process.argv);
+    const proxy = new SolonGateProxy(config);
+    await proxy.start();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    process.stderr.write(`[SolonGate] Fatal: ${message}
+`);
+    process.exit(1);
+  }
+}
+main();