@solongate/proxy 0.24.0 → 0.25.0

package/dist/index.js

@@ -133,6 +133,11 @@ function parseArgs(argv) {
   let port;
   let policyId;
   let advancedDetection = true;
+  let aiJudgeEnabled = false;
+  let aiJudgeModel = "llama3.2";
+  let aiJudgeEndpoint = "http://localhost:11434";
+  let aiJudgeApiKey;
+  let aiJudgeTimeout = 5e3;
   let separatorIndex = args.indexOf("--");
   const flags = separatorIndex >= 0 ? args.slice(0, separatorIndex) : args;
   const upstreamArgs = separatorIndex >= 0 ? args.slice(separatorIndex + 1) : [];
@@ -178,8 +183,33 @@ function parseArgs(argv) {
       case "--no-advanced-detection":
         advancedDetection = false;
         break;
+      case "--ai-judge":
+        aiJudgeEnabled = true;
+        break;
+      case "--ai-judge-model":
+        aiJudgeModel = flags[++i];
+        aiJudgeEnabled = true;
+        break;
+      case "--ai-judge-endpoint":
+        aiJudgeEndpoint = flags[++i];
+        aiJudgeEnabled = true;
+        break;
+      case "--ai-judge-api-key":
+        aiJudgeApiKey = flags[++i];
+        aiJudgeEnabled = true;
+        break;
+      case "--ai-judge-timeout":
+        aiJudgeTimeout = parseInt(flags[++i], 10);
+        break;
     }
   }
+  const aiJudge = aiJudgeEnabled ? {
+    enabled: true,
+    model: aiJudgeModel,
+    endpoint: aiJudgeEndpoint,
+    apiKey: aiJudgeApiKey,
+    timeoutMs: aiJudgeTimeout
+  } : void 0;
   if (apiKey && /^\$\{.+\}$/.test(apiKey)) {
     apiKey = void 0;
   }
@@ -227,7 +257,8 @@ function parseArgs(argv) {
       port: port ?? fileConfig.port,
       policyPath: resolvePolicyPath(cfgPolicySource) ?? void 0,
       policyId: policyId ?? fileConfig.policyId,
-      advancedDetection: advancedDetection ? { enabled: true } : void 0
+      advancedDetection: advancedDetection ? { enabled: true } : void 0,
+      aiJudge
     };
   }
   if (upstreamUrl) {
@@ -249,7 +280,8 @@ function parseArgs(argv) {
       port,
       policyPath: resolvedPolicyPath ?? void 0,
       policyId,
-      advancedDetection: advancedDetection ? { enabled: true } : void 0
+      advancedDetection: advancedDetection ? { enabled: true } : void 0,
+      aiJudge
     };
   }
   if (upstreamArgs.length === 0) {
@@ -6066,6 +6098,181 @@ var PolicySyncManager = class {
   }
 };
 
+// src/ai-judge.ts
+var SYSTEM_PROMPT = `You are a security judge for an MCP (Model Context Protocol) proxy. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+
+You will receive a JSON object with:
+- "tool": the MCP tool name being called
+- "arguments": the tool's arguments
+- "protected_files": list of files that must NEVER be read, written, copied, moved, or accessed
+- "protected_paths": list of directories/paths that must NEVER be accessed
+- "denied_actions": list of actions that are never allowed
+
+DENY if the tool call could, directly or indirectly:
+- Read, display, copy, move, or exfiltrate any protected file \u2014 even through:
+  - Shell glob patterns (e.g., "cred*" could match "credentials.json")
+  - Command substitution ($(...), backticks)
+  - Variable interpolation or string concatenation
+  - Input redirection (< file)
+  - Script files that might read protected files
+  - Find/exec patterns
+  - Any Unix/Windows utility that reads file content (cat, head, tail, less, more, type, perl, awk, sed, sort, diff, comm, paste, tee, xxd, od, strings, dd, tr, etc.)
+- Delete, modify, or overwrite any protected file or path
+- Send data to external URLs, webhooks, or attacker-controlled endpoints
+- Execute remotely downloaded code (curl|bash, wget|sh, etc.)
+- Leak environment variables (printenv, env, /proc/self/environ, npm run env, process.env)
+- Create scripts that bypass security controls
+
+ALLOW if:
+- The action is a normal development operation (ls, git status, npm build, etc.)
+- The action does not touch any protected file or path
+- The action is clearly benign (creating hello.js, reading public docs, etc.)
+
+When in doubt, DENY. False positives are acceptable; false negatives are not.
+
+Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
+{"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;
+var AiJudge = class {
+  config;
+  protectedFiles;
+  protectedPaths;
+  deniedActions;
+  isOllamaEndpoint;
+  constructor(config, protectedFiles, protectedPaths, deniedActions = [
+    "file deletion",
+    "data exfiltration",
+    "remote code execution",
+    "environment variable leak",
+    "security control bypass"
+  ]) {
+    this.config = config;
+    this.protectedFiles = protectedFiles;
+    this.protectedPaths = protectedPaths;
+    this.deniedActions = deniedActions;
+    this.isOllamaEndpoint = config.endpoint.includes("11434") || config.endpoint.includes("ollama");
+  }
+  /**
+   * Evaluate a tool call. Returns ALLOW or DENY verdict.
+   * Fail-closed: any error (timeout, parse failure, connection refused) → DENY.
+   */
+  async evaluate(toolName, args) {
+    const userMessage = JSON.stringify({
+      tool: toolName,
+      arguments: args,
+      protected_files: this.protectedFiles,
+      protected_paths: this.protectedPaths,
+      denied_actions: this.deniedActions
+    });
+    try {
+      const response = await this.callLLM(userMessage);
+      return this.parseVerdict(response);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        decision: "DENY",
+        reason: `AI Judge error (fail-closed): ${message}`,
+        confidence: 1
+      };
+    }
+  }
+  /**
+   * Call the LLM endpoint. Supports Ollama and OpenAI-compatible APIs.
+   */
+  async callLLM(userMessage) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
+    try {
+      let url;
+      let body;
+      const headers = { "Content-Type": "application/json" };
+      if (this.isOllamaEndpoint) {
+        url = `${this.config.endpoint}/api/chat`;
+        body = JSON.stringify({
+          model: this.config.model,
+          messages: [
+            { role: "system", content: SYSTEM_PROMPT },
+            { role: "user", content: userMessage }
+          ],
+          stream: false,
+          options: {
+            temperature: 0,
+            num_predict: 200
+          }
+        });
+      } else {
+        url = `${this.config.endpoint}/v1/chat/completions`;
+        body = JSON.stringify({
+          model: this.config.model,
+          messages: [
+            { role: "system", content: SYSTEM_PROMPT },
+            { role: "user", content: userMessage }
+          ],
+          temperature: 0,
+          max_tokens: 200
+        });
+        if (this.config.apiKey) {
+          headers["Authorization"] = `Bearer ${this.config.apiKey}`;
+        }
+      }
+      const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body,
+        signal: controller.signal
+      });
+      if (!res.ok) {
+        throw new Error(`LLM endpoint returned ${res.status}: ${res.statusText}`);
+      }
+      const data = await res.json();
+      if (this.isOllamaEndpoint) {
+        const message = data.message;
+        return message?.content ?? "";
+      } else {
+        const choices = data.choices;
+        const first = choices?.[0];
+        const message = first?.message;
+        return message?.content ?? "";
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Parse the LLM response into a structured verdict.
+   * If parsing fails → DENY (fail-closed).
+   */
+  parseVerdict(response) {
+    try {
+      const jsonMatch = response.match(/\{[\s\S]*\}/);
+      if (!jsonMatch) {
+        return {
+          decision: "DENY",
+          reason: `AI Judge could not parse response (fail-closed): ${response.slice(0, 100)}`,
+          confidence: 1
+        };
+      }
+      const parsed = JSON.parse(jsonMatch[0]);
+      const decision = String(parsed.decision ?? "").toUpperCase();
+      const reason = String(parsed.reason ?? "no reason provided");
+      const confidence = typeof parsed.confidence === "number" ? Math.min(1, Math.max(0, parsed.confidence)) : 0.5;
+      if (decision !== "ALLOW" && decision !== "DENY") {
+        return {
+          decision: "DENY",
+          reason: `AI Judge returned invalid decision "${decision}" (fail-closed)`,
+          confidence: 1
+        };
+      }
+      return { decision, reason, confidence };
+    } catch {
+      return {
+        decision: "DENY",
+        reason: `AI Judge JSON parse error (fail-closed): ${response.slice(0, 100)}`,
+        confidence: 1
+      };
+    }
+  }
+};
+
 // src/proxy.ts
 var log2 = (...args) => process.stderr.write(`[SolonGate] ${args.map(String).join(" ")}
 `);
@@ -6117,6 +6324,7 @@ var SolonGateProxy = class {
   server = null;
   toolMutexes = new ToolMutexMap();
   syncManager = null;
+  aiJudge = null;
   upstreamTools = [];
   constructor(config) {
     this.config = config;
@@ -6198,6 +6406,16 @@ var SolonGateProxy = class {
     this.registerToolsToCloud();
     this.registerServerToCloud();
     this.startPolicySync();
+    if (this.config.aiJudge?.enabled) {
+      const protectedFiles = this.extractProtectedFiles();
+      const protectedPaths = this.extractProtectedPaths();
+      this.aiJudge = new AiJudge(
+        this.config.aiJudge,
+        protectedFiles,
+        protectedPaths
+      );
+      log2(`AI Judge enabled \u2014 model: ${this.config.aiJudge.model}, endpoint: ${this.config.aiJudge.endpoint}`);
+    }
     this.createServer();
     await this.serve();
   }
@@ -6360,6 +6578,23 @@ var SolonGateProxy = class {
           { name, arguments: args ?? {} },
           async (params) => {
             if (!this.client) throw new Error("Upstream client disconnected");
+            if (this.aiJudge) {
+              const verdict = await this.aiJudge.evaluate(
+                params.name,
+                params.arguments ?? {}
+              );
+              if (verdict.decision === "DENY") {
+                log2(`AI Judge DENY: ${params.name} \u2014 ${verdict.reason} (confidence: ${verdict.confidence})`);
+                return {
+                  content: [{
+                    type: "text",
+                    text: `[SolonGate AI Judge] Blocked: ${verdict.reason}`
+                  }],
+                  isError: true
+                };
+              }
+              log2(`AI Judge ALLOW: ${params.name} \u2014 ${verdict.reason}`);
+            }
             const upstreamResult = await this.client.callTool({
               name: params.name,
               arguments: params.arguments
@@ -6609,6 +6844,36 @@ ${msg.content.text}`;
    * - Polls cloud API for dashboard changes → writes to local policy.json
    * - Version number determines which is newer (higher wins, cloud wins on tie)
    */
+  /**
+   * Extract protected filenames from policy DENY rules (filenameConstraints.denied).
+   */
+  extractProtectedFiles() {
+    const files = /* @__PURE__ */ new Set();
+    for (const rule of this.config.policy.rules) {
+      if (rule.effect === "DENY" && rule.enabled !== false) {
+        const denied = rule.filenameConstraints?.denied;
+        if (denied) {
+          for (const f of denied) files.add(f);
+        }
+      }
+    }
+    return [...files];
+  }
+  /**
+   * Extract protected paths from policy DENY rules (pathConstraints.denied).
+   */
+  extractProtectedPaths() {
+    const paths = /* @__PURE__ */ new Set();
+    for (const rule of this.config.policy.rules) {
+      if (rule.effect === "DENY" && rule.enabled !== false) {
+        const denied = rule.pathConstraints?.denied;
+        if (denied) {
+          for (const p of denied) paths.add(p);
+        }
+      }
+    }
+    return [...paths];
+  }
   startPolicySync() {
     const apiKey = this.config.apiKey;
     if (!apiKey) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {