@solongate/proxy 0.2.9 → 0.3.1

package/dist/index.js

@@ -1338,118 +1338,6 @@ var init_create = __esm({
   }
 });
 
-// ../core/dist/index.js
-import { z } from "zod";
-var Permission = {
-  READ: "READ",
-  WRITE: "WRITE",
-  EXECUTE: "EXECUTE"
-};
-var PermissionSchema = z.enum(["READ", "WRITE", "EXECUTE"]);
-var NO_PERMISSIONS = Object.freeze(
-  /* @__PURE__ */ new Set()
-);
-var READ_ONLY = Object.freeze(
-  /* @__PURE__ */ new Set([Permission.READ])
-);
-var PolicyRuleSchema = z.object({
-  id: z.string().min(1).max(256),
-  description: z.string().max(1024),
-  effect: z.enum(["ALLOW", "DENY"]),
-  priority: z.number().int().min(0).max(1e4).default(1e3),
-  toolPattern: z.string().min(1).max(512),
-  permission: z.enum(["READ", "WRITE", "EXECUTE"]),
-  minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
-  argumentConstraints: z.record(z.unknown()).optional(),
-  pathConstraints: z.object({
-    allowed: z.array(z.string()).optional(),
-    denied: z.array(z.string()).optional(),
-    rootDirectory: z.string().optional(),
-    allowSymlinks: z.boolean().optional()
-  }).optional(),
-  enabled: z.boolean().default(true),
-  createdAt: z.string().datetime(),
-  updatedAt: z.string().datetime()
-});
-var PolicySetSchema = z.object({
-  id: z.string().min(1).max(256),
-  name: z.string().min(1).max(256),
-  description: z.string().max(2048),
-  version: z.number().int().min(0),
-  rules: z.array(PolicyRuleSchema),
-  createdAt: z.string().datetime(),
-  updatedAt: z.string().datetime()
-});
-var SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1e3;
-var DEFAULT_INPUT_GUARD_CONFIG = Object.freeze({
-  pathTraversal: true,
-  shellInjection: true,
-  wildcardAbuse: true,
-  lengthLimit: 4096,
-  entropyLimit: true,
-  ssrf: true,
-  sqlInjection: true
-});
-var SSRF_PATTERNS = [
-  /^https?:\/\/localhost\b/i,
-  /^https?:\/\/127\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
-  /^https?:\/\/0\.0\.0\.0/,
-  /^https?:\/\/\[::1\]/,
-  // IPv6 loopback
-  /^https?:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
-  // 10.x.x.x
-  /^https?:\/\/172\.(1[6-9]|2\d|3[01])\./,
-  // 172.16-31.x.x
-  /^https?:\/\/192\.168\./,
-  // 192.168.x.x
-  /^https?:\/\/169\.254\./,
-  // Link-local / AWS metadata
-  /metadata\.google\.internal/i,
-  // GCP metadata
-  /^https?:\/\/metadata\b/i,
-  // Generic metadata endpoint
-  // IPv6 bypass patterns
-  /^https?:\/\/\[fe80:/i,
-  // IPv6 link-local
-  /^https?:\/\/\[fc00:/i,
-  // IPv6 unique local
-  /^https?:\/\/\[fd[0-9a-f]{2}:/i,
-  // IPv6 unique local (fd00::/8)
-  /^https?:\/\/\[::ffff:127\./i,
-  // IPv4-mapped IPv6 loopback
-  /^https?:\/\/\[::ffff:10\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:172\.(1[6-9]|2\d|3[01])\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:192\.168\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:169\.254\./i,
-  // IPv4-mapped IPv6 link-local
-  // Hex IP bypass (e.g., 0x7f000001 = 127.0.0.1)
-  /^https?:\/\/0x[0-9a-f]+\b/i,
-  // Octal IP bypass (e.g., 0177.0.0.1 = 127.0.0.1)
-  /^https?:\/\/0[0-7]{1,3}\./
-];
-function detectDecimalIP(value) {
-  const match = value.match(/^https?:\/\/(\d{8,10})(?:[:/]|$)/);
-  if (!match || !match[1]) return false;
-  const decimal = parseInt(match[1], 10);
-  if (isNaN(decimal) || decimal > 4294967295) return false;
-  return decimal >= 2130706432 && decimal <= 2147483647 || // 127.0.0.0/8
-  decimal >= 167772160 && decimal <= 184549375 || // 10.0.0.0/8
-  decimal >= 2886729728 && decimal <= 2887778303 || // 172.16.0.0/12
-  decimal >= 3232235520 && decimal <= 3232301055 || // 192.168.0.0/16
-  decimal >= 2851995648 && decimal <= 2852061183 || // 169.254.0.0/16
-  decimal === 0;
-}
-function detectSSRF(value) {
-  for (const pattern of SSRF_PATTERNS) {
-    if (pattern.test(value)) return true;
-  }
-  if (detectDecimalIP(value)) return true;
-  return false;
-}
-
 // src/config.ts
 import { readFileSync, existsSync } from "fs";
 import { resolve } from "path";
@@ -1497,48 +1385,72 @@ var PRESETS = {
   restricted: {
     id: "restricted",
     name: "Restricted",
-    description: "Blocks dangerous tools (shell, web), allows safe tools",
+    description: "Blocks dangerous commands (rm -rf, curl|bash, dd, etc.), allows safe tools with path restrictions",
     version: 1,
     rules: [
       {
-        id: "deny-shell",
-        description: "Block shell execution",
-        effect: "DENY",
-        priority: 100,
-        toolPattern: "*shell*",
-        permission: "EXECUTE",
-        minimumTrustLevel: "UNTRUSTED",
-        enabled: true,
-        createdAt: "",
-        updatedAt: ""
-      },
-      {
-        id: "deny-exec",
-        description: "Block command execution",
+        id: "deny-dangerous-commands",
+        description: "Block dangerous shell commands",
         effect: "DENY",
-        priority: 101,
-        toolPattern: "*exec*",
+        priority: 50,
+        toolPattern: "*",
         permission: "EXECUTE",
         minimumTrustLevel: "UNTRUSTED",
         enabled: true,
+        commandConstraints: {
+          denied: [
+            "rm -rf *",
+            "rm -r /*",
+            "mkfs*",
+            "dd if=*",
+            "curl*|*bash*",
+            "curl*|*sh*",
+            "wget*|*bash*",
+            "wget*|*sh*",
+            "shutdown*",
+            "reboot*",
+            "kill -9*",
+            "chmod*777*",
+            "iptables*",
+            "passwd*",
+            "useradd*",
+            "userdel*"
+          ]
+        },
         createdAt: "",
         updatedAt: ""
       },
       {
-        id: "deny-eval",
-        description: "Block code eval",
+        id: "deny-sensitive-paths",
+        description: "Block access to sensitive files",
         effect: "DENY",
-        priority: 102,
-        toolPattern: "*eval*",
+        priority: 51,
+        toolPattern: "*",
         permission: "EXECUTE",
         minimumTrustLevel: "UNTRUSTED",
         enabled: true,
+        pathConstraints: {
+          denied: [
+            "**/.env*",
+            "**/.ssh/**",
+            "**/.aws/**",
+            "**/.kube/**",
+            "**/credentials*",
+            "**/secrets*",
+            "**/*.pem",
+            "**/*.key",
+            "/etc/passwd",
+            "/etc/shadow",
+            "/proc/**",
+            "/dev/**"
+          ]
+        },
         createdAt: "",
         updatedAt: ""
       },
       {
         id: "allow-rest",
-        description: "Allow all other tools",
+        description: "Allow all other tool calls",
         effect: "ALLOW",
         priority: 1e3,
         toolPattern: "*",
@@ -1555,7 +1467,7 @@ var PRESETS = {
   "read-only": {
     id: "read-only",
     name: "Read Only",
-    description: "Only allows read operations, blocks writes and execution",
+    description: "Only allows read/list/get/search/query tools",
     version: 1,
     rules: [
       {
@@ -1622,6 +1534,110 @@ var PRESETS = {
     createdAt: "",
     updatedAt: ""
   },
+  sandbox: {
+    id: "sandbox",
+    name: "Sandbox",
+    description: "Allows file ops within working directory only, blocks dangerous commands, allows safe shell commands",
+    version: 1,
+    rules: [
+      {
+        id: "deny-dangerous-commands",
+        description: "Block dangerous shell commands",
+        effect: "DENY",
+        priority: 50,
+        toolPattern: "*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        commandConstraints: {
+          denied: [
+            "rm -rf *",
+            "rm -r /*",
+            "mkfs*",
+            "dd if=*",
+            "curl*|*bash*",
+            "wget*|*sh*",
+            "shutdown*",
+            "reboot*",
+            "chmod*777*"
+          ]
+        },
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-safe-commands",
+        description: "Allow safe shell commands only",
+        effect: "ALLOW",
+        priority: 100,
+        toolPattern: "*shell*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        commandConstraints: {
+          allowed: [
+            "ls*",
+            "cat*",
+            "head*",
+            "tail*",
+            "wc*",
+            "grep*",
+            "find*",
+            "echo*",
+            "pwd",
+            "whoami",
+            "date",
+            "env",
+            "git*",
+            "npm*",
+            "pnpm*",
+            "yarn*",
+            "node*",
+            "python*",
+            "pip*"
+          ]
+        },
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "deny-sensitive-paths",
+        description: "Block access to sensitive files",
+        effect: "DENY",
+        priority: 51,
+        toolPattern: "*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        pathConstraints: {
+          denied: [
+            "**/.env*",
+            "**/.ssh/**",
+            "**/.aws/**",
+            "**/credentials*",
+            "**/*.pem",
+            "**/*.key"
+          ]
+        },
+        createdAt: "",
+        updatedAt: ""
+      },
+      {
+        id: "allow-rest",
+        description: "Allow all other tools",
+        effect: "ALLOW",
+        priority: 1e3,
+        toolPattern: "*",
+        permission: "EXECUTE",
+        minimumTrustLevel: "UNTRUSTED",
+        enabled: true,
+        createdAt: "",
+        updatedAt: ""
+      }
+    ],
+    createdAt: "",
+    updatedAt: ""
+  },
   permissive: {
     id: "permissive",
     name: "Permissive",
@@ -1671,7 +1687,6 @@ function parseArgs(argv) {
   let policySource = "restricted";
   let name = "solongate-proxy";
   let verbose = false;
-  let validateInput = true;
   let rateLimitPerTool;
   let globalRateLimit;
   let configFile;
@@ -1694,9 +1709,6 @@ function parseArgs(argv) {
       case "--verbose":
         verbose = true;
         break;
-      case "--no-input-guard":
-        validateInput = false;
-        break;
       case "--rate-limit":
         rateLimitPerTool = parseInt(flags[++i], 10);
         break;
@@ -1745,17 +1757,11 @@ function parseArgs(argv) {
     if (!fileConfig.upstream) {
       throw new Error('Config file must include "upstream" with at least "command" or "url"');
     }
-    if (fileConfig.upstream.url && detectSSRF(fileConfig.upstream.url)) {
-      throw new Error(
-        `Upstream URL blocked: "${fileConfig.upstream.url}" points to an internal or private network address.`
-      );
-    }
     return {
       upstream: fileConfig.upstream,
       policy: loadPolicy(fileConfig.policy ?? policySource),
       name: fileConfig.name ?? name,
       verbose: fileConfig.verbose ?? verbose,
-      validateInput: fileConfig.validateInput ?? validateInput,
       rateLimitPerTool: fileConfig.rateLimitPerTool ?? rateLimitPerTool,
       globalRateLimit: fileConfig.globalRateLimit ?? globalRateLimit,
       apiKey: apiKey ?? fileConfig.apiKey,
@@ -1764,12 +1770,6 @@ function parseArgs(argv) {
     };
   }
   if (upstreamUrl) {
-    if (detectSSRF(upstreamUrl)) {
-      throw new Error(
-        `Upstream URL blocked: "${upstreamUrl}" points to an internal or private network address.
-SSRF protection prevents connecting to localhost, private IPs, or cloud metadata endpoints.`
-      );
-    }
     const transport = upstreamTransport ?? (upstreamUrl.includes("/sse") ? "sse" : "http");
     return {
       upstream: {
@@ -1781,7 +1781,6 @@ SSRF protection prevents connecting to localhost, private IPs, or cloud metadata
       policy: loadPolicy(policySource),
       name,
       verbose,
-      validateInput,
       rateLimitPerTool,
       globalRateLimit,
       apiKey,
@@ -1805,7 +1804,6 @@ SSRF protection prevents connecting to localhost, private IPs, or cloud metadata
     policy: loadPolicy(policySource),
     name,
     verbose,
-    validateInput,
     rateLimitPerTool,
     globalRateLimit,
     apiKey,
@@ -1834,7 +1832,7 @@ import {
 import { createServer as createHttpServer } from "http";
 
 // ../sdk-ts/dist/index.js
-import { z as z2 } from "zod";
+import { z } from "zod";
 import { createHash, randomUUID, createHmac } from "crypto";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 var SolonGateError = class extends Error {
@@ -1873,16 +1871,6 @@ var PolicyDeniedError = class extends SolonGateError {
     this.name = "PolicyDeniedError";
   }
 };
-var SchemaValidationError = class extends SolonGateError {
-  constructor(toolName, validationErrors) {
-    super(
-      `Schema validation failed for tool "${toolName}": ${validationErrors.join("; ")}`,
-      "SCHEMA_VALIDATION_FAILED",
-      { toolName, validationErrors }
-    );
-    this.name = "SchemaValidationError";
-  }
-};
 var RateLimitError = class extends SolonGateError {
   constructor(toolName, limitPerMinute) {
     super(
@@ -1898,49 +1886,53 @@ var TrustLevel = {
   VERIFIED: "VERIFIED",
   TRUSTED: "TRUSTED"
 };
-var Permission2 = {
+var Permission = {
   READ: "READ",
   WRITE: "WRITE",
   EXECUTE: "EXECUTE"
 };
-z2.enum(["READ", "WRITE", "EXECUTE"]);
+z.enum(["READ", "WRITE", "EXECUTE"]);
 Object.freeze(
   /* @__PURE__ */ new Set()
 );
 Object.freeze(
-  /* @__PURE__ */ new Set([Permission2.READ])
+  /* @__PURE__ */ new Set([Permission.READ])
 );
 var PolicyEffect = {
   ALLOW: "ALLOW",
   DENY: "DENY"
 };
-var PolicyRuleSchema2 = z2.object({
-  id: z2.string().min(1).max(256),
-  description: z2.string().max(1024),
-  effect: z2.enum(["ALLOW", "DENY"]),
-  priority: z2.number().int().min(0).max(1e4).default(1e3),
-  toolPattern: z2.string().min(1).max(512),
-  permission: z2.enum(["READ", "WRITE", "EXECUTE"]),
-  minimumTrustLevel: z2.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
-  argumentConstraints: z2.record(z2.unknown()).optional(),
-  pathConstraints: z2.object({
-    allowed: z2.array(z2.string()).optional(),
-    denied: z2.array(z2.string()).optional(),
-    rootDirectory: z2.string().optional(),
-    allowSymlinks: z2.boolean().optional()
+var PolicyRuleSchema = z.object({
+  id: z.string().min(1).max(256),
+  description: z.string().max(1024),
+  effect: z.enum(["ALLOW", "DENY"]),
+  priority: z.number().int().min(0).max(1e4).default(1e3),
+  toolPattern: z.string().min(1).max(512),
+  permission: z.enum(["READ", "WRITE", "EXECUTE"]),
+  minimumTrustLevel: z.enum(["UNTRUSTED", "VERIFIED", "TRUSTED"]),
+  argumentConstraints: z.record(z.unknown()).optional(),
+  pathConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional(),
+    rootDirectory: z.string().optional(),
+    allowSymlinks: z.boolean().optional()
+  }).optional(),
+  commandConstraints: z.object({
+    allowed: z.array(z.string()).optional(),
+    denied: z.array(z.string()).optional()
   }).optional(),
-  enabled: z2.boolean().default(true),
-  createdAt: z2.string().datetime(),
-  updatedAt: z2.string().datetime()
+  enabled: z.boolean().default(true),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime()
 });
-var PolicySetSchema2 = z2.object({
-  id: z2.string().min(1).max(256),
-  name: z2.string().min(1).max(256),
-  description: z2.string().max(2048),
-  version: z2.number().int().min(0),
-  rules: z2.array(PolicyRuleSchema2),
-  createdAt: z2.string().datetime(),
-  updatedAt: z2.string().datetime()
+var PolicySetSchema = z.object({
+  id: z.string().min(1).max(256),
+  name: z.string().min(1).max(256),
+  description: z.string().max(2048),
+  version: z.number().int().min(0),
+  rules: z.array(PolicyRuleSchema),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime()
 });
 function createSecurityContext(params) {
   return {
@@ -1979,7 +1971,7 @@ function createDeniedToolResult(reason) {
     isError: true
   };
 }
-var DEFAULT_INPUT_GUARD_CONFIG2 = Object.freeze({
+var DEFAULT_INPUT_GUARD_CONFIG = Object.freeze({
   pathTraversal: true,
   shellInjection: true,
   wildcardAbuse: true,
@@ -1988,296 +1980,6 @@ var DEFAULT_INPUT_GUARD_CONFIG2 = Object.freeze({
   ssrf: true,
   sqlInjection: true
 });
-var PATH_TRAVERSAL_PATTERNS = [
-  /\.\.\//,
-  // ../
-  /\.\.\\/,
-  // ..\
-  /%2e%2e/i,
-  // URL-encoded ..
-  /%2e\./i,
-  // partial URL-encoded
-  /\.%2e/i,
-  // partial URL-encoded
-  /%252e%252e/i,
-  // double URL-encoded
-  /\.\.\0/
-  // null byte variant
-];
-var SENSITIVE_PATHS = [
-  /\/etc\/passwd/i,
-  /\/etc\/shadow/i,
-  /\/proc\//i,
-  /\/dev\//i,
-  /c:\\windows\\system32/i,
-  /c:\\windows\\syswow64/i,
-  /\/root\//i,
-  /~\//,
-  /\.env(\.|$)/i,
-  // .env, .env.local, .env.production
-  /\.aws\/credentials/i,
-  // AWS credentials
-  /\.ssh\/id_/i,
-  // SSH keys
-  /\.kube\/config/i,
-  // Kubernetes config
-  /wp-config\.php/i,
-  // WordPress config
-  /\.git\/config/i,
-  // Git config
-  /\.npmrc/i,
-  // npm credentials
-  /\.pypirc/i
-  // PyPI credentials
-];
-function detectPathTraversal(value) {
-  for (const pattern of PATH_TRAVERSAL_PATTERNS) {
-    if (pattern.test(value)) return true;
-  }
-  for (const pattern of SENSITIVE_PATHS) {
-    if (pattern.test(value)) return true;
-  }
-  return false;
-}
-var SHELL_INJECTION_PATTERNS = [
-  /[;|&`]/,
-  // Command separators and backtick execution
-  /\$\(/,
-  // Command substitution $(...)
-  /\$\{/,
-  // Variable expansion ${...}
-  />\s*/,
-  // Output redirect
-  /<\s*/,
-  // Input redirect
-  /&&/,
-  // AND chaining
-  /\|\|/,
-  // OR chaining
-  /\beval\b/i,
-  // eval command
-  /\bexec\b/i,
-  // exec command
-  /\bsystem\b/i,
-  // system call
-  /%0a/i,
-  // URL-encoded newline
-  /%0d/i,
-  // URL-encoded carriage return
-  /%09/i,
-  // URL-encoded tab
-  /\r\n/,
-  // CRLF injection
-  /\n/
-  // Newline (command separator on Unix)
-];
-function detectShellInjection(value) {
-  for (const pattern of SHELL_INJECTION_PATTERNS) {
-    if (pattern.test(value)) return true;
-  }
-  return false;
-}
-var MAX_WILDCARDS_PER_VALUE = 3;
-function detectWildcardAbuse(value) {
-  if (value.includes("**")) return true;
-  const wildcardCount = (value.match(/\*/g) || []).length;
-  if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;
-  return false;
-}
-var SSRF_PATTERNS2 = [
-  /^https?:\/\/localhost\b/i,
-  /^https?:\/\/127\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
-  /^https?:\/\/0\.0\.0\.0/,
-  /^https?:\/\/\[::1\]/,
-  // IPv6 loopback
-  /^https?:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
-  // 10.x.x.x
-  /^https?:\/\/172\.(1[6-9]|2\d|3[01])\./,
-  // 172.16-31.x.x
-  /^https?:\/\/192\.168\./,
-  // 192.168.x.x
-  /^https?:\/\/169\.254\./,
-  // Link-local / AWS metadata
-  /metadata\.google\.internal/i,
-  // GCP metadata
-  /^https?:\/\/metadata\b/i,
-  // Generic metadata endpoint
-  // IPv6 bypass patterns
-  /^https?:\/\/\[fe80:/i,
-  // IPv6 link-local
-  /^https?:\/\/\[fc00:/i,
-  // IPv6 unique local
-  /^https?:\/\/\[fd[0-9a-f]{2}:/i,
-  // IPv6 unique local (fd00::/8)
-  /^https?:\/\/\[::ffff:127\./i,
-  // IPv4-mapped IPv6 loopback
-  /^https?:\/\/\[::ffff:10\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:172\.(1[6-9]|2\d|3[01])\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:192\.168\./i,
-  // IPv4-mapped IPv6 private
-  /^https?:\/\/\[::ffff:169\.254\./i,
-  // IPv4-mapped IPv6 link-local
-  // Hex IP bypass (e.g., 0x7f000001 = 127.0.0.1)
-  /^https?:\/\/0x[0-9a-f]+\b/i,
-  // Octal IP bypass (e.g., 0177.0.0.1 = 127.0.0.1)
-  /^https?:\/\/0[0-7]{1,3}\./
-];
-function detectDecimalIP2(value) {
-  const match = value.match(/^https?:\/\/(\d{8,10})(?:[:/]|$)/);
-  if (!match || !match[1]) return false;
-  const decimal = parseInt(match[1], 10);
-  if (isNaN(decimal) || decimal > 4294967295) return false;
-  return decimal >= 2130706432 && decimal <= 2147483647 || // 127.0.0.0/8
-  decimal >= 167772160 && decimal <= 184549375 || // 10.0.0.0/8
-  decimal >= 2886729728 && decimal <= 2887778303 || // 172.16.0.0/12
-  decimal >= 3232235520 && decimal <= 3232301055 || // 192.168.0.0/16
-  decimal >= 2851995648 && decimal <= 2852061183 || // 169.254.0.0/16
-  decimal === 0;
-}
-function detectSSRF2(value) {
-  for (const pattern of SSRF_PATTERNS2) {
-    if (pattern.test(value)) return true;
-  }
-  if (detectDecimalIP2(value)) return true;
-  return false;
-}
-var SQL_INJECTION_PATTERNS = [
-  /'\s{0,20}(OR|AND)\s{0,20}'.{0,200}'/i,
-  // ' OR '1'='1 — bounded to prevent ReDoS
-  /'\s{0,10};\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i,
-  // '; DROP TABLE
-  /UNION\s+(ALL\s+)?SELECT/i,
-  // UNION SELECT
-  /--\s*$/m,
-  // SQL comment at end of line
-  /\/\*.{0,500}?\*\//,
-  // SQL block comment — bounded + non-greedy
-  /\bSLEEP\s*\(/i,
-  // Time-based injection
-  /\bBENCHMARK\s*\(/i,
-  // MySQL benchmark
-  /\bWAITFOR\s+DELAY/i,
-  // MSSQL delay
-  /\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b/i
-  // File operations
-];
-function detectSQLInjection(value) {
-  for (const pattern of SQL_INJECTION_PATTERNS) {
-    if (pattern.test(value)) return true;
-  }
-  return false;
-}
-function checkLengthLimits(value, maxLength = 4096) {
-  return value.length <= maxLength;
-}
-var ENTROPY_THRESHOLD = 4.5;
-var MIN_LENGTH_FOR_ENTROPY_CHECK = 32;
-function checkEntropyLimits(value) {
-  if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true;
-  const entropy = calculateShannonEntropy(value);
-  return entropy <= ENTROPY_THRESHOLD;
-}
-function calculateShannonEntropy(str) {
-  const freq = /* @__PURE__ */ new Map();
-  for (const char of str) {
-    freq.set(char, (freq.get(char) ?? 0) + 1);
-  }
-  let entropy = 0;
-  const len = str.length;
-  for (const count of freq.values()) {
-    const p = count / len;
-    if (p > 0) {
-      entropy -= p * Math.log2(p);
-    }
-  }
-  return entropy;
-}
-function sanitizeInput(field, value, config = DEFAULT_INPUT_GUARD_CONFIG2) {
-  const threats = [];
-  if (typeof value !== "string") {
-    if (typeof value === "object" && value !== null) {
-      return sanitizeObject(field, value, config);
-    }
-    return { safe: true, threats: [] };
-  }
-  if (config.pathTraversal && detectPathTraversal(value)) {
-    threats.push({
-      type: "PATH_TRAVERSAL",
-      field,
-      value: truncate(value, 100),
-      description: "Path traversal pattern detected"
-    });
-  }
-  if (config.shellInjection && detectShellInjection(value)) {
-    threats.push({
-      type: "SHELL_INJECTION",
-      field,
-      value: truncate(value, 100),
-      description: "Shell injection pattern detected"
-    });
-  }
-  if (config.wildcardAbuse && detectWildcardAbuse(value)) {
-    threats.push({
-      type: "WILDCARD_ABUSE",
-      field,
-      value: truncate(value, 100),
-      description: "Wildcard abuse pattern detected"
-    });
-  }
-  if (!checkLengthLimits(value, config.lengthLimit)) {
-    threats.push({
-      type: "LENGTH_EXCEEDED",
-      field,
-      value: `[${value.length} chars]`,
-      description: `Value exceeds maximum length of ${config.lengthLimit}`
-    });
-  }
-  if (config.entropyLimit && !checkEntropyLimits(value)) {
-    threats.push({
-      type: "HIGH_ENTROPY",
-      field,
-      value: truncate(value, 100),
-      description: "High entropy string detected - possible encoded payload"
-    });
-  }
-  if (config.ssrf && detectSSRF2(value)) {
-    threats.push({
-      type: "SSRF",
-      field,
-      value: truncate(value, 100),
-      description: "Server-side request forgery pattern detected \u2014 internal/metadata URL blocked"
-    });
-  }
-  if (config.sqlInjection && detectSQLInjection(value)) {
-    threats.push({
-      type: "SQL_INJECTION",
-      field,
-      value: truncate(value, 100),
-      description: "SQL injection pattern detected"
-    });
-  }
-  return { safe: threats.length === 0, threats };
-}
-function sanitizeObject(basePath, obj, config) {
-  const threats = [];
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < obj.length; i++) {
-      const result = sanitizeInput(`${basePath}[${i}]`, obj[i], config);
-      threats.push(...result.threats);
-    }
-  } else {
-    for (const [key, val] of Object.entries(obj)) {
-      const result = sanitizeInput(`${basePath}.${key}`, val, config);
-      threats.push(...result.threats);
-    }
-  }
-  return { safe: threats.length === 0, threats };
-}
-function truncate(str, maxLen) {
-  return str.length > maxLen ? str.slice(0, maxLen) + "..." : str;
-}
 var DEFAULT_TOKEN_TTL_SECONDS = 30;
 var TOKEN_ALGORITHM = "HS256";
 var MIN_SECRET_LENGTH = 32;
@@ -2335,6 +2037,14 @@ function matchParts(pathParts, pi, patternParts, qi) {
       qi++;
       continue;
     }
+    if (pattern.includes("*")) {
+      if (!matchSegmentGlob(pathParts[pi], pattern)) {
+        return false;
+      }
+      pi++;
+      qi++;
+      continue;
+    }
     if (pattern !== pathParts[pi]) {
       return false;
     }
@@ -2371,6 +2081,31 @@ function isPathAllowed(path, constraints) {
   }
   return true;
 }
+function matchSegmentGlob(segment, pattern) {
+  const startsWithStar = pattern.startsWith("*");
+  const endsWithStar = pattern.endsWith("*");
+  if (pattern === "*") return true;
+  if (startsWithStar && endsWithStar) {
+    const infix = pattern.slice(1, -1);
+    return segment.toLowerCase().includes(infix.toLowerCase());
+  }
+  if (startsWithStar) {
+    const suffix = pattern.slice(1);
+    return segment.toLowerCase().endsWith(suffix.toLowerCase());
+  }
+  if (endsWithStar) {
+    const prefix = pattern.slice(0, -1);
+    return segment.toLowerCase().startsWith(prefix.toLowerCase());
+  }
+  const starIdx = pattern.indexOf("*");
+  if (starIdx !== -1) {
+    const prefix = pattern.slice(0, starIdx);
+    const suffix = pattern.slice(starIdx + 1);
+    const seg = segment.toLowerCase();
+    return seg.startsWith(prefix.toLowerCase()) && seg.endsWith(suffix.toLowerCase()) && seg.length >= prefix.length + suffix.length;
+  }
+  return segment === pattern;
+}
 function extractPathArguments(args) {
   const paths = [];
   for (const value of Object.values(args)) {
@@ -2380,6 +2115,69 @@ function extractPathArguments(args) {
   }
   return paths;
 }
+var COMMAND_FIELDS = /* @__PURE__ */ new Set([
+  "command",
+  "cmd",
+  "query",
+  "code",
+  "script",
+  "shell",
+  "exec",
+  "sql",
+  "expression"
+]);
+function extractCommandArguments(args) {
+  const commands = [];
+  for (const [key, value] of Object.entries(args)) {
+    if (typeof value !== "string") continue;
+    if (COMMAND_FIELDS.has(key.toLowerCase())) {
+      commands.push(value);
+    }
+  }
+  return commands;
+}
+function matchCommandPattern(command, pattern) {
+  if (pattern === "*") return true;
+  const normalizedCommand = command.trim().toLowerCase();
+  const normalizedPattern = pattern.trim().toLowerCase();
+  if (normalizedPattern === normalizedCommand) return true;
+  const startsWithStar = normalizedPattern.startsWith("*");
+  const endsWithStar = normalizedPattern.endsWith("*");
+  if (startsWithStar && endsWithStar) {
+    const infix = normalizedPattern.slice(1, -1);
+    return infix.length > 0 && normalizedCommand.includes(infix);
+  }
+  if (endsWithStar) {
+    const prefix = normalizedPattern.slice(0, -1);
+    return normalizedCommand.startsWith(prefix);
+  }
+  if (startsWithStar) {
+    const suffix = normalizedPattern.slice(1);
+    return normalizedCommand.endsWith(suffix);
+  }
+  const commandName = normalizedCommand.split(/\s+/)[0] ?? "";
+  return commandName === normalizedPattern;
+}
+function isCommandAllowed(command, constraints) {
+  if (constraints.denied && constraints.denied.length > 0) {
+    for (const pattern of constraints.denied) {
+      if (matchCommandPattern(command, pattern)) {
+        return false;
+      }
+    }
+  }
+  if (constraints.allowed && constraints.allowed.length > 0) {
+    let matchesAllowed = false;
+    for (const pattern of constraints.allowed) {
+      if (matchCommandPattern(command, pattern)) {
+        matchesAllowed = true;
+        break;
+      }
+    }
+    if (!matchesAllowed) return false;
+  }
+  return true;
+}
 function ruleMatchesRequest(rule, request) {
   if (!rule.enabled) return false;
   if (rule.permission !== request.requiredPermission) return false;
@@ -2393,8 +2191,19 @@ function ruleMatchesRequest(rule, request) {
     }
   }
   if (rule.pathConstraints) {
-    if (!pathConstraintsMatch(rule.pathConstraints, request.arguments)) {
-      return false;
+    const satisfied = pathConstraintsMatch(rule.pathConstraints, request.arguments);
+    if (rule.effect === "DENY") {
+      if (satisfied) return false;
+    } else {
+      if (!satisfied) return false;
+    }
+  }
+  if (rule.commandConstraints) {
+    const satisfied = commandConstraintsMatch(rule.commandConstraints, request.arguments);
+    if (rule.effect === "DENY") {
+      if (satisfied) return false;
+    } else {
+      if (!satisfied) return false;
     }
   }
   return true;
@@ -2482,6 +2291,11 @@ function pathConstraintsMatch(constraints, args) {
   if (paths.length === 0) return true;
   return paths.every((path) => isPathAllowed(path, constraints));
 }
+function commandConstraintsMatch(constraints, args) {
+  const commands = extractCommandArguments(args);
+  if (commands.length === 0) return true;
+  return commands.every((cmd) => isCommandAllowed(cmd, constraints));
+}
 function evaluatePolicy(policySet, request) {
   const startTime = performance.now();
   const sortedRules = [...policySet.rules].sort(
@@ -2519,7 +2333,7 @@ function evaluatePolicy(policySet, request) {
 function validatePolicyRule(input) {
   const errors = [];
   const warnings = [];
-  const result = PolicyRuleSchema2.safeParse(input);
+  const result = PolicyRuleSchema.safeParse(input);
   if (!result.success) {
     return {
       valid: false,
@@ -2544,7 +2358,7 @@ function validatePolicyRule(input) {
 function validatePolicySet(input) {
   const errors = [];
   const warnings = [];
-  const result = PolicySetSchema2.safeParse(input);
+  const result = PolicySetSchema.safeParse(input);
   if (!result.success) {
     return {
       valid: false,
@@ -2638,7 +2452,7 @@ function createDefaultDenyPolicySet() {
         effect: PolicyEffect.DENY,
         priority: 1e4,
         toolPattern: "*",
-        permission: Permission2.EXECUTE,
+        permission: Permission.EXECUTE,
         minimumTrustLevel: TrustLevel.UNTRUSTED,
         enabled: true,
         createdAt: now,
@@ -2650,7 +2464,7 @@ function createDefaultDenyPolicySet() {
         effect: PolicyEffect.DENY,
         priority: 1e4,
         toolPattern: "*",
-        permission: Permission2.WRITE,
+        permission: Permission.WRITE,
         minimumTrustLevel: TrustLevel.UNTRUSTED,
         enabled: true,
         createdAt: now,
@@ -2662,7 +2476,7 @@ function createDefaultDenyPolicySet() {
         effect: PolicyEffect.DENY,
         priority: 1e4,
         toolPattern: "*",
-        permission: Permission2.READ,
+        permission: Permission.READ,
         minimumTrustLevel: TrustLevel.UNTRUSTED,
         enabled: true,
         createdAt: now,
@@ -2841,7 +2655,6 @@ var DEFAULT_CONFIG = Object.freeze({
   globalRateLimitPerMinute: 600,
   rateLimitPerTool: 60,
   tokenTtlSeconds: 30,
-  inputGuardConfig: DEFAULT_INPUT_GUARD_CONFIG2,
   enableVersionedPolicies: true
 });
 function resolveConfig(userConfig) {
@@ -2874,7 +2687,7 @@ async function interceptToolCall(params, upstreamCall, options) {
     toolName: params.name,
     serverName: "default",
     arguments: params.arguments ?? {},
-    requiredPermission: Permission2.EXECUTE,
+    requiredPermission: Permission.EXECUTE,
     timestamp
   };
   if (options.rateLimiter) {
@@ -2912,24 +2725,6 @@ async function interceptToolCall(params, upstreamCall, options) {
       }
     }
   }
-  if (options.validateSchemas && params.arguments) {
-    const guardConfig = options.inputGuardConfig ?? DEFAULT_INPUT_GUARD_CONFIG2;
-    const sanitization = sanitizeInput("arguments", params.arguments, guardConfig);
-    if (!sanitization.safe) {
-      const threatDescriptions = sanitization.threats.map(
-        (t) => `${t.type}: ${t.description} (field: ${t.field})`
-      );
-      const result = {
-        status: "ERROR",
-        request,
-        error: new SchemaValidationError(params.name, threatDescriptions),
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      };
-      options.onDecision?.(result);
-      const reason = options.verboseErrors ? `Input validation failed: ${sanitization.threats.length} threat(s) detected` : "Input validation failed.";
-      return createDeniedToolResult(reason);
-    }
-  }
   const decision = options.policyEngine.evaluate(request);
   if (decision.effect === "DENY") {
     const result = {
@@ -2946,7 +2741,7 @@ async function interceptToolCall(params, upstreamCall, options) {
   if (options.tokenIssuer) {
     capabilityToken = options.tokenIssuer.issue(
       requestId,
-      [Permission2.EXECUTE],
+      [Permission.EXECUTE],
       [params.name]
     );
   }
@@ -3523,7 +3318,6 @@ var SolonGate = class {
       tokenIssuer: this.tokenIssuer ?? void 0,
       serverVerifier: this.serverVerifier ?? void 0,
       rateLimiter: this.rateLimiter,
-      inputGuardConfig: this.config.inputGuardConfig,
       rateLimitPerTool: this.config.rateLimitPerTool,
       globalRateLimitPerMinute: this.config.globalRateLimitPerMinute
     });
@@ -3591,7 +3385,7 @@ var SolonGateProxy = class {
       apiKey: "sg_test_proxy_internal_00000000",
       policySet: config.policy,
       config: {
-        validateSchemas: config.validateInput ?? true,
+        validateSchemas: true,
         verboseErrors: config.verbose ?? false,
         rateLimitPerTool: config.rateLimitPerTool,
         globalRateLimitPerMinute: config.globalRateLimit

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.2.9",
-  "description": "MCP security proxy \u00e2\u20ac\u201d protect any MCP server with policies, input validation, rate limiting, and audit logging. Zero code changes required.",
+  "version": "0.3.1",
+  "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {
     "solongate-proxy": "./dist/index.js",