@solongate/proxy 0.15.5 → 0.16.1

package/dist/index.js

@@ -306,6 +306,7 @@ var init_exports = {};
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
 import { resolve as resolve2, join, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
+import { execSync } from "child_process";
 import { createInterface } from "readline";
 function findConfigFile(explicitPath, createIfMissing = false) {
   if (explicitPath) {
@@ -514,10 +515,37 @@ function installHooks(selectedTools = []) {
     console.log(`  Created ${settingsPath}`);
     activatedNames.push(client.name);
   }
+  const protectedDirs = [".solongate", ...clients.map((c3) => c3.dir)];
+  try {
+    if (process.platform === "win32") {
+      for (const dir of protectedDirs) {
+        const fullDir = resolve2(dir);
+        if (existsSync3(fullDir)) {
+          try {
+            execSync(`attrib +R /S /D "${fullDir}"`, { stdio: "ignore" });
+          } catch {
+          }
+        }
+      }
+    } else {
+      for (const dir of protectedDirs) {
+        const fullDir = resolve2(dir);
+        if (existsSync3(fullDir)) {
+          try {
+            execSync(`chmod -R a-w "${fullDir}"`, { stdio: "ignore" });
+          } catch {
+          }
+        }
+      }
+    }
+    console.log("  OS-level read-only protection applied");
+  } catch {
+  }
   console.log("");
   console.log("  Hooks installed:");
   console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
+  console.log("  File system \u2192 read-only (OS-level protection)");
   console.log(`  Activated for: ${activatedNames.join(", ")}`);
 }
 function ensureEnvFile() {
@@ -804,7 +832,7 @@ var init_init = __esm({
 var inject_exports = {};
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync4, copyFileSync } from "fs";
 import { resolve as resolve3 } from "path";
-import { execSync } from "child_process";
+import { execSync as execSync2 } from "child_process";
 function parseInjectArgs(argv) {
   const args = argv.slice(2);
   const opts = {
@@ -951,7 +979,7 @@ function installSdk() {
   const cmd = pm === "yarn" ? "yarn add @solongate/sdk" : `${pm} install @solongate/sdk`;
   log3(`  Installing @solongate/sdk via ${pm}...`);
   try {
-    execSync(cmd, { stdio: "pipe", cwd: process.cwd() });
+    execSync2(cmd, { stdio: "pipe", cwd: process.cwd() });
     return true;
   } catch (err) {
     log3(`  Failed to install: ${err instanceof Error ? err.message : String(err)}`);
@@ -1176,7 +1204,7 @@ var init_inject = __esm({
 var create_exports = {};
 import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
 import { resolve as resolve4, join as join2 } from "path";
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 function log4(msg) {
   process.stderr.write(msg + "\n");
 }
@@ -1420,7 +1448,7 @@ async function main3() {
   });
   if (!opts.noInstall) {
     withSpinner("Installing dependencies...", () => {
-      execSync2("npm install", { cwd: dir, stdio: "pipe" });
+      execSync3("npm install", { cwd: dir, stdio: "pipe" });
     });
   }
   log4("");

package/dist/init.js

@@ -4,6 +4,7 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
 import { resolve, join, dirname } from "path";
 import { fileURLToPath } from "url";
+import { execSync } from "child_process";
 import { createInterface } from "readline";
 var SEARCH_PATHS = [
   ".mcp.json",
@@ -221,10 +222,37 @@ function installHooks(selectedTools = []) {
     console.log(`  Created ${settingsPath}`);
     activatedNames.push(client.name);
   }
+  const protectedDirs = [".solongate", ...clients.map((c) => c.dir)];
+  try {
+    if (process.platform === "win32") {
+      for (const dir of protectedDirs) {
+        const fullDir = resolve(dir);
+        if (existsSync(fullDir)) {
+          try {
+            execSync(`attrib +R /S /D "${fullDir}"`, { stdio: "ignore" });
+          } catch {
+          }
+        }
+      }
+    } else {
+      for (const dir of protectedDirs) {
+        const fullDir = resolve(dir);
+        if (existsSync(fullDir)) {
+          try {
+            execSync(`chmod -R a-w "${fullDir}"`, { stdio: "ignore" });
+          } catch {
+          }
+        }
+      }
+    }
+    console.log("  OS-level read-only protection applied");
+  } catch {
+  }
   console.log("");
   console.log("  Hooks installed:");
   console.log("  guard.mjs  \u2192 blocks policy-violating calls (pre-execution)");
   console.log("  audit.mjs  \u2192 logs all calls to dashboard (post-execution)");
+  console.log("  File system \u2192 read-only (OS-level protection)");
   console.log(`  Activated for: ${activatedNames.join(", ")}`);
 }
 function ensureEnvFile() {

package/hooks/guard.mjs

@@ -296,21 +296,93 @@ process.stdin.on('end', async () => {
       'policy.json', '.mcp.json',
     ];
 
-    // Strip shell quotes/escapes: .sol'on'gate → .solongate, .sol"on"gate → .solongate
+    // Block helper — logs to cloud + exits with code 2
+    async function blockSelfProtection(reason) {
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          await fetch(API_URL + '/api/v1/audit-logs', {
+            method: 'POST',
+            headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              tool: data.tool_name || '', arguments: args,
+              decision: 'DENY', reason,
+              source: 'claude-code-guard',
+            }),
+            signal: AbortSignal.timeout(3000),
+          });
+        } catch {}
+      }
+      process.stderr.write(reason);
+      process.exit(2);
+    }
+
+    // ── Normalization layers ──
+
+    // 1. Decode ANSI-C quoting: $'\x72' → r, $'\162' → r, $'\n' → newline
+    function decodeAnsiC(s) {
+      return s.replace(/\$'([^']*)'/g, (_, content) => {
+        return content
+          .replace(/\\x([0-9a-fA-F]{2})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\([0-7]{1,3})/g, (__, oct) => String.fromCharCode(parseInt(oct, 8)))
+          .replace(/\\u([0-9a-fA-F]{4})/g, (__, hex) => String.fromCharCode(parseInt(hex, 16)))
+          .replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\r/g, '\r')
+          .replace(/\\(.)/g, '$1');
+      });
+    }
+
+    // 2. Strip all shell quoting: empty quotes, single, double, backslash escapes
     function stripShellQuotes(s) {
-      return s.replace(/\\(.)/g, '$1').replace(/'/g, '').replace(/"/g, '');
+      let r = s;
+      r = r.replace(/""/g, '');    // empty double quotes
+      r = r.replace(/''/g, '');    // empty single quotes
+      r = r.replace(/\\(.)/g, '$1'); // backslash escapes
+      r = r.replace(/'/g, '');     // remaining single quotes
+      r = r.replace(/"/g, '');     // remaining double quotes
+      return r;
+    }
+
+    // 3. Full normalization pipeline
+    function normalizeShell(s) {
+      return stripShellQuotes(decodeAnsiC(s));
+    }
+
+    // 4. Extract inner commands from eval, bash -c, sh -c, pipe to bash/sh
+    function extractInnerCommands(s) {
+      const inner = [];
+      // eval "cmd" or eval 'cmd' or eval cmd
+      for (const m of s.matchAll(/\beval\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      for (const m of s.matchAll(/\beval\s+([^;"'|&]+)/gi)) inner.push(m[1]);
+      // bash -c "cmd" or sh -c "cmd"
+      for (const m of s.matchAll(/\b(?:bash|sh)\s+-c\s+["']([^"']+)["']/gi)) inner.push(m[1]);
+      // echo "cmd" | bash/sh or printf "cmd" | bash/sh
+      for (const m of s.matchAll(/(?:echo|printf)\s+["']([^"']+)["']\s*\|\s*(?:bash|sh)\b/gi)) inner.push(m[1]);
+      // find ... -name "pattern" ... -exec ...
+      for (const m of s.matchAll(/-name\s+["']?([^\s"']+)["']?/gi)) inner.push(m[1]);
+      return inner;
+    }
+
+    // 5. Check variable assignments for protected path fragments
+    // e.g. X=".solon" && rm -rf ${X}gate → detects ".solon" as prefix of ".solongate"
+    function checkVarAssignments(s) {
+      const assignments = [...s.matchAll(/(\w+)=["']?([^"'\s&|;]+)["']?/g)];
+      for (const [, , value] of assignments) {
+        const v = value.toLowerCase();
+        if (v.length < 3) continue; // avoid false positives
+        for (const p of protectedPaths) {
+          if (p.startsWith(v) || p.includes(v)) return p;
+        }
+      }
+      return null;
     }
 
-    // Check if a glob/wildcard pattern could match any protected path
-    // e.g. ".antig*" matches ".antigravity", "/path/.sol*" matches ".solongate"
+    // 6. Check if a glob/wildcard could match any protected path
     function globMatchesProtected(s) {
       if (!s.includes('*') && !s.includes('?')) return null;
-      // Extract all path segments and the full string to test
       const segments = s.split('/').filter(Boolean);
       const candidates = [s, ...segments];
       for (const candidate of candidates) {
         if (!candidate.includes('*') && !candidate.includes('?')) continue;
-        // Simple prefix match: ".antig*" → prefix ".antig", check if any protected path starts with it
+        // Prefix match: ".antig*" → prefix ".antig"
         const starIdx = candidate.indexOf('*');
         const qIdx = candidate.indexOf('?');
         const firstWild = starIdx === -1 ? qIdx : qIdx === -1 ? starIdx : Math.min(starIdx, qIdx);
@@ -320,79 +392,125 @@ process.stdin.on('end', async () => {
             if (p.startsWith(prefix)) return p;
           }
         }
-        // Also try regex for complex patterns like ".cl?ude"
+        // Regex match for patterns like ".cl?ude"
         try {
           const escaped = candidate.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\\\*/g, '.*').replace(/\\\?/g, '.');
           const re = new RegExp('^' + escaped + '$', 'i');
           for (const p of protectedPaths) {
             if (re.test(p)) return p;
           }
-        } catch { /* invalid regex, skip */ }
+        } catch {}
       }
       return null;
     }
 
-    // Normalize: lowercase, forward slashes, strip shell quotes
+    // ── Build all candidate strings from tool input ──
     const rawStrings = scanStrings(args).map(s => s.replace(/\\/g, '/').toLowerCase());
-    const allStrings = [];
+    const allStrings = new Set();
+
     for (const s of rawStrings) {
-      allStrings.push(s);
-      // Also add quote-stripped version
-      const stripped = stripShellQuotes(s);
-      if (stripped !== s) allStrings.push(stripped);
-      // Split by spaces (for commands like "rm -rf .sol'on'gate .cl*")
-      for (const tok of s.split(/\s+/)) {
-        if (tok !== s) {
-          allStrings.push(tok);
-          const strippedTok = stripShellQuotes(tok);
-          if (strippedTok !== tok) allStrings.push(strippedTok);
+      // Raw string
+      allStrings.add(s);
+      // Normalized (ANSI-C decoded, quotes stripped)
+      const norm = normalizeShell(s);
+      allStrings.add(norm);
+      // Extract inner commands (eval, bash -c, pipe to bash, find -name)
+      for (const inner of extractInnerCommands(s)) {
+        allStrings.add(inner.toLowerCase());
+        allStrings.add(normalizeShell(inner.toLowerCase()));
+      }
+      // Split by spaces + shell operators for token-level checks
+      for (const tok of s.split(/[\s;&|]+/)) {
+        if (tok) {
+          allStrings.add(tok);
+          allStrings.add(normalizeShell(tok));
         }
       }
+      // Also split normalized version
+      for (const tok of norm.split(/[\s;&|]+/)) {
+        if (tok) allStrings.add(tok);
+      }
     }
 
+    // ── Check all candidates ──
     for (const s of allStrings) {
       // Direct match
       for (const p of protectedPaths) {
         if (s.includes(p)) {
-          const msg = 'SOLONGATE: Access to protected file "' + p + '" is blocked';
-          if (API_KEY && API_KEY.startsWith('sg_live_')) {
-            try {
-              await fetch(API_URL + '/api/v1/audit-logs', {
-                method: 'POST',
-                headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-                body: JSON.stringify({
-                  tool: data.tool_name || '', arguments: args,
-                  decision: 'DENY', reason: msg,
-                  source: 'claude-code-guard',
-                }),
-                signal: AbortSignal.timeout(3000),
-              });
-            } catch {}
-          }
-          process.stderr.write(msg);
-          process.exit(2);
+          await blockSelfProtection('SOLONGATE: Access to protected path "' + p + '" is blocked');
         }
       }
       // Wildcard/glob match
       const globHit = globMatchesProtected(s);
       if (globHit) {
-        const msg = 'SOLONGATE: Wildcard pattern "' + s + '" matches protected path "' + globHit + '" — blocked';
-        if (API_KEY && API_KEY.startsWith('sg_live_')) {
-          try {
-            await fetch(API_URL + '/api/v1/audit-logs', {
-              method: 'POST',
-              headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
-              body: JSON.stringify({
-                tool: data.tool_name || '', arguments: args,
-                decision: 'DENY', reason: msg,
-                source: 'claude-code-guard',
-              }),
-              signal: AbortSignal.timeout(3000),
-            });
-          } catch {}
+        await blockSelfProtection('SOLONGATE: Wildcard "' + s + '" matches protected "' + globHit + '" — blocked');
+      }
+      // Variable assignment targeting protected paths
+      const varHit = checkVarAssignments(s);
+      if (varHit) {
+        await blockSelfProtection('SOLONGATE: Variable assignment targets protected "' + varHit + '" — blocked');
+      }
+    }
+
+    // ── Layer 7: Dangerous execution pattern detection ──
+    // These can construct ANY string at runtime — block when touching protected dirs
+    const fullCmd = rawStrings.join(' ');
+
+    // 7a. Inline interpreter execution: node -e, python -c, perl -e, ruby -e
+    // Extract the -e/-c argument and scan it
+    const interpreterPatterns = [
+      /\bnode\s+(?:-e|--eval)\s+["']([^"']+)["']/gi,
+      /\bnode\s+(?:-e|--eval)\s+([^;&|"']+)/gi,
+      /\bpython[23]?\s+-c\s+["']([^"']+)["']/gi,
+      /\bperl\s+-e\s+["']([^"']+)["']/gi,
+      /\bruby\s+-e\s+["']([^"']+)["']/gi,
+    ];
+    for (const pat of interpreterPatterns) {
+      for (const m of fullCmd.matchAll(pat)) {
+        const code = m[1].toLowerCase();
+        for (const p of protectedPaths) {
+          if (code.includes(p)) {
+            await blockSelfProtection('SOLONGATE: Interpreter code targets "' + p + '" — blocked');
+          }
+        }
+        // Also check the normalized version
+        const normCode = normalizeShell(code);
+        for (const p of protectedPaths) {
+          if (normCode.includes(p)) {
+            await blockSelfProtection('SOLONGATE: Interpreter code targets "' + p + '" — blocked');
+          }
+        }
+      }
+    }
+
+    // 7b. Base64 decode piped to execution — always block
+    if (/\bbase64\s+-d\b.*\|\s*(?:bash|sh|node|python|perl|ruby)\b/i.test(fullCmd) ||
+        /\bbase64\s+--decode\b.*\|\s*(?:bash|sh|node|python|perl|ruby)\b/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: base64 decode piped to interpreter — blocked');
+    }
+
+    // 7c. Temp script file execution: bash /path/file, sh /path/file
+    // If "bash <file>" or "sh <file>" and the file is not a well-known script
+    if (/\b(?:bash|sh)\s+(?:\/tmp\/|\/var\/tmp\/|~\/\.|\.\/[^.s])/i.test(fullCmd)) {
+      await blockSelfProtection('SOLONGATE: Temp script execution detected — blocked');
+    }
+
+    // 7d. Process substitution and here-strings that could construct protected paths
+    if (/>\s*\(\s*(?:rm|mv|cp|cat)\b/i.test(fullCmd) || /<<<.*(?:rm|mv|cp|cat)\b/i.test(fullCmd)) {
+      for (const p of protectedPaths) {
+        const prefix = p.slice(0, 4); // e.g. ".sol", ".cla"
+        if (fullCmd.includes(prefix)) {
+          await blockSelfProtection('SOLONGATE: Process substitution near protected path "' + p + '" — blocked');
+        }
+      }
+    }
+
+    // 7e. xargs with destructive operations
+    if (/\bxargs\b.*\b(?:rm|mv|cp|rmdir|unlink)\b/i.test(fullCmd)) {
+      for (const p of protectedPaths) {
+        if (fullCmd.includes(p.slice(0, 4))) {
+          await blockSelfProtection('SOLONGATE: xargs with destructive op near "' + p + '" — blocked');
         }
-        process.stderr.write(msg);
-        process.exit(2);
       }
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.15.5",
+  "version": "0.16.1",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {