@solongate/proxy 0.2.2 → 0.2.3

package/dist/index.js

@@ -140,9 +140,12 @@ POLICY PRESETS
 function installClaudeCodeHooks(apiKey) {
   const hooksDir = resolve2(".claude", "hooks");
   mkdirSync(hooksDir, { recursive: true });
-  const hookPath = join(hooksDir, "audit.mjs");
-  writeFileSync(hookPath, HOOK_SCRIPT);
-  console.error(`  Created ${hookPath}`);
+  const guardPath = join(hooksDir, "guard.mjs");
+  writeFileSync(guardPath, GUARD_SCRIPT);
+  console.error(`  Created ${guardPath}`);
+  const auditPath = join(hooksDir, "audit.mjs");
+  writeFileSync(auditPath, AUDIT_SCRIPT);
+  console.error(`  Created ${auditPath}`);
   const settingsPath = resolve2(".claude", "settings.json");
   let settings = {};
   if (existsSync2(settingsPath)) {
@@ -152,6 +155,18 @@ function installClaudeCodeHooks(apiKey) {
     }
   }
   settings.hooks = {
+    PreToolUse: [
+      {
+        matcher: ".*",
+        hooks: [
+          {
+            type: "command",
+            command: "node .claude/hooks/guard.mjs",
+            timeout: 5
+          }
+        ]
+      }
+    ],
     PostToolUse: [
       {
         matcher: ".*",
@@ -173,7 +188,8 @@ function installClaudeCodeHooks(apiKey) {
   console.error(`  Created ${settingsPath}`);
   console.error("");
   console.error("  Claude Code hooks installed!");
-  console.error("  Built-in tools (Read, Write, Edit, Bash) will now be audit-logged.");
+  console.error("  PreToolUse  \u2192 guard.mjs  (blocks dangerous calls)");
+  console.error("  PostToolUse \u2192 audit.mjs  (logs all calls to dashboard)");
 }
 function ensureEnvFile() {
   const envPath = resolve2(".env");
@@ -393,7 +409,7 @@ async function main() {
   console.error("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
   console.error("");
 }
-var POLICY_PRESETS, SEARCH_PATHS, CLAUDE_DESKTOP_PATHS, HOOK_SCRIPT;
+var POLICY_PRESETS, SEARCH_PATHS, CLAUDE_DESKTOP_PATHS, GUARD_SCRIPT, AUDIT_SCRIPT;
 var init_init = __esm({
   "src/init.ts"() {
     "use strict";
@@ -404,10 +420,139 @@ var init_init = __esm({
       ".claude/mcp.json"
     ];
     CLAUDE_DESKTOP_PATHS = process.platform === "win32" ? [join(process.env["APPDATA"] ?? "", "Claude", "claude_desktop_config.json")] : process.platform === "darwin" ? [join(process.env["HOME"] ?? "", "Library", "Application Support", "Claude", "claude_desktop_config.json")] : [join(process.env["HOME"] ?? "", ".config", "claude", "claude_desktop_config.json")];
-    HOOK_SCRIPT = `#!/usr/bin/env node
+    GUARD_SCRIPT = `#!/usr/bin/env node
+/**
+ * SolonGate Guard Hook for Claude Code (PreToolUse)
+ * Blocks dangerous tool calls BEFORE they execute.
+ * Exit code 2 = BLOCK, exit code 0 = ALLOW.
+ * Auto-installed by: npx @solongate/proxy init
+ */
+
+const API_KEY = process.env.SOLONGATE_API_KEY || '';
+const API_URL = process.env.SOLONGATE_API_URL || 'https://api.solongate.com';
+
+// \u2500\u2500 Input Guard Patterns \u2500\u2500
+const PATH_TRAVERSAL = [
+  /\\.\\.\\//,  /\\\\.\\.\\\\\\\\/,  /%2e%2e/i,  /%2e\\./i,  /\\.%2e/i,  /%252e%252e/i,
+];
+const SENSITIVE_PATHS = [
+  /\\/etc\\/passwd/i, /\\/etc\\/shadow/i, /\\/proc\\//i,
+  /c:\\\\windows\\\\system32/i, /\\.env(\\.|$)/i,
+  /\\.aws\\/credentials/i, /\\.ssh\\/id_/i, /\\.kube\\/config/i,
+  /\\.git\\/config/i, /\\.npmrc/i, /\\.pypirc/i,
+];
+const SHELL_INJECTION = [
+  /\\$\\(/, /\\$\\{/, /\\\`/, /\\beval\\b/i, /\\bexec\\b/i, /\\bsystem\\b/i,
+  /%0a/i, /%0d/i,
+];
+const SSRF = [
+  /^https?:\\/\\/localhost\\b/i, /^https?:\\/\\/127\\./, /^https?:\\/\\/0\\.0\\.0\\.0/,
+  /^https?:\\/\\/10\\./, /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
+  /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
+  /metadata\\.google\\.internal/i,
+];
+const SQL_INJECTION = [
+  /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
+  /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
+  /UNION\\s+(ALL\\s+)?SELECT/i, /\\bSLEEP\\s*\\(/i, /\\bWAITFOR\\s+DELAY/i,
+];
+
+// Dangerous command patterns for Bash tool
+const DANGEROUS_COMMANDS = [
+  /\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)/i,
+  /\\brm\\s+-rf\\b/i,
+  /\\bmkfs\\b/i, /\\bdd\\s+if=/i,
+  /\\b(shutdown|reboot|halt|poweroff)\\b/i,
+  /\\bchmod\\s+777\\b/,
+  /\\bcurl\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
+  /\\bwget\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
+  /\\bnc\\s+-[a-z]*l/i,  // netcat listener
+  />(\\s*)\\/dev\\/sd/,   // writing to raw disk
+  /\\bgit\\s+push\\s+.*--force\\b/i,
+  /\\bgit\\s+reset\\s+--hard\\b/i,
+];
+
+function checkValue(val) {
+  if (typeof val !== 'string' || val.length < 2) return null;
+  for (const p of PATH_TRAVERSAL) if (p.test(val)) return 'Path traversal detected';
+  for (const p of SENSITIVE_PATHS) if (p.test(val)) return 'Sensitive file access blocked';
+  for (const p of SSRF) if (p.test(val)) return 'SSRF attempt blocked';
+  for (const p of SQL_INJECTION) if (p.test(val)) return 'SQL injection detected';
+  if (val.length > 10000) return 'Input too long (max 10000 chars)';
+  return null;
+}
+
+function checkBashCommand(cmd) {
+  if (typeof cmd !== 'string') return null;
+  for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
+  for (const p of SHELL_INJECTION) if (p.test(cmd)) return null; // shell injection is normal for Bash
+  return null;
+}
+
+let input = '';
+process.stdin.on('data', c => input += c);
+process.stdin.on('end', async () => {
+  try {
+    const data = JSON.parse(input);
+    const tool = data.tool_name || '';
+    const args = data.tool_input || {};
+    const start = Date.now();
+
+    let threat = null;
+
+    // Check Bash commands for dangerous patterns
+    if (tool === 'Bash' && args.command) {
+      threat = checkBashCommand(args.command);
+    }
+
+    // Check all string arguments for injection patterns
+    if (!threat) {
+      for (const [key, val] of Object.entries(args)) {
+        if (tool === 'Bash' && key === 'command') continue; // already checked
+        threat = checkValue(val);
+        if (threat) { threat = threat + ' (in ' + key + ')'; break; }
+        // Check nested strings
+        if (typeof val === 'object' && val) {
+          for (const v of Object.values(val)) {
+            threat = checkValue(v);
+            if (threat) { threat = threat + ' (in ' + key + ')'; break; }
+          }
+          if (threat) break;
+        }
+      }
+    }
+
+    const ms = Date.now() - start;
+
+    if (threat) {
+      // Send DENY audit log
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        fetch(API_URL + '/api/v1/audit-logs', {
+          method: 'POST',
+          headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            tool, arguments: Object.fromEntries(Object.entries(args).map(([k,v]) =>
+              [k, typeof v === 'string' && v.length > 200 ? v.slice(0,200)+'...' : v])),
+            decision: 'DENY', reason: threat, source: 'claude-code-guard',
+            evaluationTimeMs: ms,
+          }),
+          signal: AbortSignal.timeout(5000),
+        }).catch(() => {});
+      }
+      // Exit 2 = BLOCK. Message printed to stdout is shown to user.
+      process.stdout.write('SolonGate BLOCKED: ' + threat);
+      process.exit(2);
+    }
+  } catch {
+    // On error, allow (fail-open)
+  }
+  process.exit(0);
+});
+`;
+    AUDIT_SCRIPT = `#!/usr/bin/env node
 /**
- * SolonGate Audit Hook for Claude Code
- * Captures ALL tool calls (built-in + MCP) and sends to SolonGate Cloud.
+ * SolonGate Audit Hook for Claude Code (PostToolUse)
+ * Logs ALL tool calls to SolonGate Cloud after execution.
  * Auto-installed by: npx @solongate/proxy init
  */
 
@@ -424,7 +569,6 @@ process.stdin.on('end', async () => {
     const toolName = data.tool_name || 'unknown';
     const toolInput = data.tool_input || {};
 
-    // Skip logging the audit hook itself to avoid loops
     if (toolName === 'Bash' && JSON.stringify(toolInput).includes('audit-logs')) {
       process.exit(0);
     }
@@ -433,7 +577,6 @@ process.stdin.on('end', async () => {
       data.tool_response?.exitCode > 0 ||
       data.tool_response?.isError;
 
-    // Truncate large argument values for security
     const argsSummary = {};
     for (const [k, v] of Object.entries(toolInput)) {
       argsSummary[k] = typeof v === 'string' && v.length > 200

package/dist/init.js

@@ -139,10 +139,139 @@ POLICY PRESETS
 `;
   console.error(help);
 }
-var HOOK_SCRIPT = `#!/usr/bin/env node
+var GUARD_SCRIPT = `#!/usr/bin/env node
 /**
- * SolonGate Audit Hook for Claude Code
- * Captures ALL tool calls (built-in + MCP) and sends to SolonGate Cloud.
+ * SolonGate Guard Hook for Claude Code (PreToolUse)
+ * Blocks dangerous tool calls BEFORE they execute.
+ * Exit code 2 = BLOCK, exit code 0 = ALLOW.
+ * Auto-installed by: npx @solongate/proxy init
+ */
+
+const API_KEY = process.env.SOLONGATE_API_KEY || '';
+const API_URL = process.env.SOLONGATE_API_URL || 'https://api.solongate.com';
+
+// \u2500\u2500 Input Guard Patterns \u2500\u2500
+const PATH_TRAVERSAL = [
+  /\\.\\.\\//,  /\\\\.\\.\\\\\\\\/,  /%2e%2e/i,  /%2e\\./i,  /\\.%2e/i,  /%252e%252e/i,
+];
+const SENSITIVE_PATHS = [
+  /\\/etc\\/passwd/i, /\\/etc\\/shadow/i, /\\/proc\\//i,
+  /c:\\\\windows\\\\system32/i, /\\.env(\\.|$)/i,
+  /\\.aws\\/credentials/i, /\\.ssh\\/id_/i, /\\.kube\\/config/i,
+  /\\.git\\/config/i, /\\.npmrc/i, /\\.pypirc/i,
+];
+const SHELL_INJECTION = [
+  /\\$\\(/, /\\$\\{/, /\\\`/, /\\beval\\b/i, /\\bexec\\b/i, /\\bsystem\\b/i,
+  /%0a/i, /%0d/i,
+];
+const SSRF = [
+  /^https?:\\/\\/localhost\\b/i, /^https?:\\/\\/127\\./, /^https?:\\/\\/0\\.0\\.0\\.0/,
+  /^https?:\\/\\/10\\./, /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./,
+  /^https?:\\/\\/192\\.168\\./, /^https?:\\/\\/169\\.254\\./,
+  /metadata\\.google\\.internal/i,
+];
+const SQL_INJECTION = [
+  /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i,
+  /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
+  /UNION\\s+(ALL\\s+)?SELECT/i, /\\bSLEEP\\s*\\(/i, /\\bWAITFOR\\s+DELAY/i,
+];
+
+// Dangerous command patterns for Bash tool
+const DANGEROUS_COMMANDS = [
+  /\\brm\\s+(-[a-zA-Z]*f|-[a-zA-Z]*r|--force|--recursive)/i,
+  /\\brm\\s+-rf\\b/i,
+  /\\bmkfs\\b/i, /\\bdd\\s+if=/i,
+  /\\b(shutdown|reboot|halt|poweroff)\\b/i,
+  /\\bchmod\\s+777\\b/,
+  /\\bcurl\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
+  /\\bwget\\b.{0,200}\\|\\s*(sh|bash)\\b/i,
+  /\\bnc\\s+-[a-z]*l/i,  // netcat listener
+  />(\\s*)\\/dev\\/sd/,   // writing to raw disk
+  /\\bgit\\s+push\\s+.*--force\\b/i,
+  /\\bgit\\s+reset\\s+--hard\\b/i,
+];
+
+function checkValue(val) {
+  if (typeof val !== 'string' || val.length < 2) return null;
+  for (const p of PATH_TRAVERSAL) if (p.test(val)) return 'Path traversal detected';
+  for (const p of SENSITIVE_PATHS) if (p.test(val)) return 'Sensitive file access blocked';
+  for (const p of SSRF) if (p.test(val)) return 'SSRF attempt blocked';
+  for (const p of SQL_INJECTION) if (p.test(val)) return 'SQL injection detected';
+  if (val.length > 10000) return 'Input too long (max 10000 chars)';
+  return null;
+}
+
+function checkBashCommand(cmd) {
+  if (typeof cmd !== 'string') return null;
+  for (const p of DANGEROUS_COMMANDS) if (p.test(cmd)) return 'Dangerous command blocked: ' + cmd.slice(0, 80);
+  for (const p of SHELL_INJECTION) if (p.test(cmd)) return null; // shell injection is normal for Bash
+  return null;
+}
+
+let input = '';
+process.stdin.on('data', c => input += c);
+process.stdin.on('end', async () => {
+  try {
+    const data = JSON.parse(input);
+    const tool = data.tool_name || '';
+    const args = data.tool_input || {};
+    const start = Date.now();
+
+    let threat = null;
+
+    // Check Bash commands for dangerous patterns
+    if (tool === 'Bash' && args.command) {
+      threat = checkBashCommand(args.command);
+    }
+
+    // Check all string arguments for injection patterns
+    if (!threat) {
+      for (const [key, val] of Object.entries(args)) {
+        if (tool === 'Bash' && key === 'command') continue; // already checked
+        threat = checkValue(val);
+        if (threat) { threat = threat + ' (in ' + key + ')'; break; }
+        // Check nested strings
+        if (typeof val === 'object' && val) {
+          for (const v of Object.values(val)) {
+            threat = checkValue(v);
+            if (threat) { threat = threat + ' (in ' + key + ')'; break; }
+          }
+          if (threat) break;
+        }
+      }
+    }
+
+    const ms = Date.now() - start;
+
+    if (threat) {
+      // Send DENY audit log
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        fetch(API_URL + '/api/v1/audit-logs', {
+          method: 'POST',
+          headers: { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            tool, arguments: Object.fromEntries(Object.entries(args).map(([k,v]) =>
+              [k, typeof v === 'string' && v.length > 200 ? v.slice(0,200)+'...' : v])),
+            decision: 'DENY', reason: threat, source: 'claude-code-guard',
+            evaluationTimeMs: ms,
+          }),
+          signal: AbortSignal.timeout(5000),
+        }).catch(() => {});
+      }
+      // Exit 2 = BLOCK. Message printed to stdout is shown to user.
+      process.stdout.write('SolonGate BLOCKED: ' + threat);
+      process.exit(2);
+    }
+  } catch {
+    // On error, allow (fail-open)
+  }
+  process.exit(0);
+});
+`;
+var AUDIT_SCRIPT = `#!/usr/bin/env node
+/**
+ * SolonGate Audit Hook for Claude Code (PostToolUse)
+ * Logs ALL tool calls to SolonGate Cloud after execution.
  * Auto-installed by: npx @solongate/proxy init
  */
 
@@ -159,7 +288,6 @@ process.stdin.on('end', async () => {
     const toolName = data.tool_name || 'unknown';
     const toolInput = data.tool_input || {};
 
-    // Skip logging the audit hook itself to avoid loops
     if (toolName === 'Bash' && JSON.stringify(toolInput).includes('audit-logs')) {
       process.exit(0);
     }
@@ -168,7 +296,6 @@ process.stdin.on('end', async () => {
       data.tool_response?.exitCode > 0 ||
       data.tool_response?.isError;
 
-    // Truncate large argument values for security
     const argsSummary = {};
     for (const [k, v] of Object.entries(toolInput)) {
       argsSummary[k] = typeof v === 'string' && v.length > 200
@@ -201,9 +328,12 @@ process.stdin.on('end', async () => {
 function installClaudeCodeHooks(apiKey) {
   const hooksDir = resolve(".claude", "hooks");
   mkdirSync(hooksDir, { recursive: true });
-  const hookPath = join(hooksDir, "audit.mjs");
-  writeFileSync(hookPath, HOOK_SCRIPT);
-  console.error(`  Created ${hookPath}`);
+  const guardPath = join(hooksDir, "guard.mjs");
+  writeFileSync(guardPath, GUARD_SCRIPT);
+  console.error(`  Created ${guardPath}`);
+  const auditPath = join(hooksDir, "audit.mjs");
+  writeFileSync(auditPath, AUDIT_SCRIPT);
+  console.error(`  Created ${auditPath}`);
   const settingsPath = resolve(".claude", "settings.json");
   let settings = {};
   if (existsSync(settingsPath)) {
@@ -213,6 +343,18 @@ function installClaudeCodeHooks(apiKey) {
     }
   }
   settings.hooks = {
+    PreToolUse: [
+      {
+        matcher: ".*",
+        hooks: [
+          {
+            type: "command",
+            command: "node .claude/hooks/guard.mjs",
+            timeout: 5
+          }
+        ]
+      }
+    ],
     PostToolUse: [
       {
         matcher: ".*",
@@ -234,7 +376,8 @@ function installClaudeCodeHooks(apiKey) {
   console.error(`  Created ${settingsPath}`);
   console.error("");
   console.error("  Claude Code hooks installed!");
-  console.error("  Built-in tools (Read, Write, Edit, Bash) will now be audit-logged.");
+  console.error("  PreToolUse  \u2192 guard.mjs  (blocks dangerous calls)");
+  console.error("  PostToolUse \u2192 audit.mjs  (logs all calls to dashboard)");
 }
 function ensureEnvFile() {
   const envPath = resolve(".env");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "MCP security proxy \u00e2\u20ac\u201d protect any MCP server with policies, input validation, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {