@solongate/proxy 0.11.0 → 0.12.1

package/hooks/guard.mjs

@@ -2,6 +2,7 @@
 /**
  * SolonGate Policy Guard Hook (PreToolUse)
  * Reads policy.json and blocks tool calls that violate constraints.
+ * Also runs prompt injection detection (Stage 1 rules) on tool arguments.
  * Exit code 2 = BLOCK, exit code 0 = ALLOW.
  * Logs ALL decisions (ALLOW + DENY) to SolonGate Cloud.
  * Auto-installed by: npx @solongate/proxy init
@@ -29,6 +30,98 @@ const dotenv = loadEnvKey(hookCwdEarly);
 const API_KEY = process.env.SOLONGATE_API_KEY || dotenv.SOLONGATE_API_KEY || '';
 const API_URL = process.env.SOLONGATE_API_URL || dotenv.SOLONGATE_API_URL || 'https://api.solongate.com';
 
+// ── Prompt Injection Detection (Stage 1: Rule-Based) ──
+const PI_CATEGORIES = [
+  {
+    name: 'delimiter_injection', weight: 0.95,
+    patterns: [
+      /<\/system>/i, /<\|im_end\|>/i, /<\|im_start\|>/i, /<\|endoftext\|>/i,
+      /\[INST\]/i, /\[\/INST\]/i, /<<SYS>>/i, /<<\/SYS>>/i,
+      /###\s*(Human|Assistant|System)\s*:/i, /<\|user\|>/i, /<\|assistant\|>/i,
+      /---\s*END\s*SYSTEM\s*PROMPT\s*---/i,
+    ],
+  },
+  {
+    name: 'instruction_override', weight: 0.9,
+    patterns: [
+      /\bignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|directives?)\b/i,
+      /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?|guidelines?)\b/i,
+      /\bforget\s+(all\s+|everything\s+)?(your|the|previous|prior|above|earlier)\b/i,
+      /\boverride\s+(the\s+)?(system|previous|current)\s+(prompt|instructions?|rules?|settings?)\b/i,
+      /\bdo\s+not\s+follow\s+(your|the|any)\s+(instructions?|rules?|guidelines?)\b/i,
+      /\bcancel\s+(all\s+)?(prior|previous)\s+(directives?|instructions?)\b/i,
+      /\bnew\s+instructions?\s+supersede\b/i,
+      /\byour\s+(previous\s+)?instructions?\s+are\s+(now\s+)?void\b/i,
+    ],
+  },
+  {
+    name: 'role_hijacking', weight: 0.85,
+    patterns: [
+      /\b(pretend|act|behave)\s+(you\s+are|as\s+if\s+you|like\s+you|to\s+be)\b/i,
+      /\byou\s+are\s+now\s+(a|an|the|my|DAN)\b/i,
+      /\bsimulate\s+being\b/i, /\bassume\s+the\s+role\s+of\b/i,
+      /\benter\s+(developer|admin|debug|god|sudo|unrestricted)\s+mode\b/i,
+      /\bswitch\s+to\s+(unrestricted|unfiltered)\s+mode\b/i,
+      /\byou\s+are\s+no\s+longer\s+bound\b/i,
+      /\bno\s+(safety\s+)?restrictions?\s+(apply|anymore|now)\b/i,
+    ],
+  },
+  {
+    name: 'jailbreak_keywords', weight: 0.8,
+    patterns: [
+      /\bjailbreak\b/i, /\bDAN\s+mode\b/i,
+      /\b(system\s+override|admin\s+mode|debug\s+mode|developer\s+mode|maintenance\s+mode)\b/i,
+      /\bmaster\s+key\b/i, /\bbackdoor\s+access\b/i,
+      /\bsudo\s+mode\b/i, /\bgod\s+mode\b/i,
+      /\bsafety\s+filters?\s+(off|disabled?|removed?)\b/i,
+    ],
+  },
+  {
+    name: 'encoding_evasion', weight: 0.75,
+    patterns: [
+      /\b(decode|translate)\s+(this|the\s+following)\s+(base64|rot13|hex)\b/i,
+      /\b(base64|rot13)\s*:\s*[A-Za-z0-9+/=]{10,}/i,
+      /\bexecute\s+the\s+(reverse|decoded)\b/i,
+      /\breverse\s+of\s*:\s*\w{10,}/i,
+    ],
+  },
+  {
+    name: 'separator_injection', weight: 0.7,
+    patterns: [
+      /[-=]{3,}\s*\n\s*(new\s+instructions?|system|instructions?)\s*:/i,
+      /```\s*\n\s*<\/?system>/i,
+      /\bEND\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b.*\bNEW\s+(SYSTEM\s+)?(PROMPT|INSTRUCTIONS?)\b/is,
+    ],
+  },
+  {
+    name: 'multi_language', weight: 0.7,
+    patterns: [
+      /ignor(iere|a|e[zs]?)\s+(alle|todas?|toutes?|tüm|все)/iu,
+      /игнорируйте/iu, /yoksay/iu,
+      /vorherigen?\s+Anweisungen/iu, /instrucciones\s+anteriores/iu,
+      /instructions?\s+pr[eé]c[eé]dentes?/iu, /önceki\s+talimatlar/iu,
+    ],
+  },
+];
+
+function detectPromptInjection(text) {
+  const matched = [];
+  let maxWeight = 0;
+  for (const cat of PI_CATEGORIES) {
+    for (const pat of cat.patterns) {
+      if (pat.test(text)) {
+        matched.push(cat.name);
+        if (cat.weight > maxWeight) maxWeight = cat.weight;
+        break;
+      }
+    }
+  }
+  if (matched.length === 0) return null;
+  const score = Math.min(1.0, maxWeight + 0.05 * (matched.length - 1));
+  const trustScore = 1.0 - score;
+  return { score, trustScore, categories: matched, blocked: trustScore < 0.5 };
+}
+
 // ── Glob Matching ──
 function matchGlob(str, pattern) {
   if (pattern === '*') return true;
@@ -56,7 +149,7 @@ function matchPathGlob(path, pattern) {
   if (p === g) return true;
   if (g.includes('**')) {
     const parts = g.split('**').filter(s => s.length > 0);
-    if (parts.length === 0) return true; // just ** or ****
+    if (parts.length === 0) return true;
     return parts.every(segment => p.includes(segment));
   }
   return matchGlob(p, g);
@@ -123,7 +216,6 @@ function extractCommands(args) {
   if (typeof args === 'object' && args) {
     for (const [k, v] of Object.entries(args)) {
       if (fields.includes(k.toLowerCase()) && typeof v === 'string') {
-        // Split chained commands: cd /path && npm install → [cd /path, npm install]
         for (const part of v.split(/\s*(?:&&|\|\||;|\|)\s*/)) {
           const trimmed = part.trim();
           if (trimmed) cmds.push(trimmed);
@@ -151,7 +243,6 @@ function evaluate(policy, args) {
     .sort((a, b) => (a.priority || 100) - (b.priority || 100));
 
   for (const rule of denyRules) {
-    // Filename constraints
     if (rule.filenameConstraints && rule.filenameConstraints.denied) {
       const filenames = extractFilenames(args);
       for (const fn of filenames) {
@@ -160,7 +251,6 @@ function evaluate(policy, args) {
         }
       }
     }
-    // URL constraints
     if (rule.urlConstraints && rule.urlConstraints.denied) {
       const urls = extractUrls(args);
       for (const url of urls) {
@@ -169,7 +259,6 @@ function evaluate(policy, args) {
         }
       }
     }
-    // Command constraints
     if (rule.commandConstraints && rule.commandConstraints.denied) {
       const cmds = extractCommands(args);
       for (const cmd of cmds) {
@@ -178,7 +267,6 @@ function evaluate(policy, args) {
         }
       }
     }
-    // Path constraints
     if (rule.pathConstraints && rule.pathConstraints.denied) {
       const paths = extractPaths(args);
       for (const p of paths) {
@@ -226,6 +314,41 @@ process.stdin.on('end', async () => {
       }
     }
 
+    // ── Prompt Injection Detection (Stage 1: Rules) ──
+    const allText = scanStrings(args).join(' ');
+    const piResult = detectPromptInjection(allText);
+
+    if (piResult && piResult.blocked) {
+      const msg = 'SOLONGATE: Prompt injection detected (trust score: ' +
+        (piResult.trustScore * 100).toFixed(0) + '%, categories: ' +
+        piResult.categories.join(', ') + ')';
+
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: data.tool_name || '',
+              arguments: args,
+              decision: 'DENY',
+              reason: msg,
+              source: 'claude-code-guard',
+              pi_detected: true,
+              pi_trust_score: piResult.trustScore,
+              pi_blocked: true,
+              pi_categories: JSON.stringify(piResult.categories),
+              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
+
+      process.stderr.write(msg);
+      process.exit(2);
+    }
+
     // Load policy (use cwd from hook data if available)
     const hookCwd = data.cwd || process.cwd();
     let policy;
@@ -233,6 +356,28 @@ process.stdin.on('end', async () => {
       const policyPath = resolve(hookCwd, 'policy.json');
       policy = JSON.parse(readFileSync(policyPath, 'utf-8'));
     } catch {
+      // No policy file — still log if PI was detected but not blocked
+      if (piResult && API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: data.tool_name || '',
+              arguments: args,
+              decision: 'ALLOW',
+              reason: 'Prompt injection detected but below threshold (trust: ' + (piResult.trustScore * 100).toFixed(0) + '%)',
+              source: 'claude-code-guard',
+              pi_detected: true,
+              pi_trust_score: piResult.trustScore,
+              pi_blocked: false,
+              pi_categories: JSON.stringify(piResult.categories),
+              pi_stage_scores: JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 }),
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
       process.exit(0); // No policy = allow all
     }
 
@@ -242,14 +387,23 @@ process.stdin.on('end', async () => {
     // ── Log ALL decisions to SolonGate Cloud ──
     if (API_KEY && API_KEY.startsWith('sg_live_')) {
       try {
+        const logEntry = {
+          tool: data.tool_name || '', arguments: args,
+          decision, reason: reason || 'allowed by policy',
+          source: 'claude-code-guard',
+        };
+        // Attach PI metadata if detected
+        if (piResult) {
+          logEntry.pi_detected = true;
+          logEntry.pi_trust_score = piResult.trustScore;
+          logEntry.pi_blocked = false;
+          logEntry.pi_categories = JSON.stringify(piResult.categories);
+          logEntry.pi_stage_scores = JSON.stringify({ rules: piResult.score, embedding: 0, classifier: 0 });
+        }
         await fetch(API_URL + '/api/v1/audit-logs', {
           method: 'POST',
           headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-          body: JSON.stringify({
-            tool: data.tool_name || '', arguments: args,
-            decision, reason: reason || 'allowed by policy',
-            source: 'claude-code-guard',
-          }),
+          body: JSON.stringify(logEntry),
           signal: AbortSignal.timeout(3000),
         });
       } catch {}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.11.0",
+  "version": "0.12.1",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {