@solongate/proxy 0.25.7 → 0.26.1

package/dist/index.js

@@ -6135,45 +6135,37 @@ var PolicySyncManager = class {
 };
 
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an MCP (Model Context Protocol) proxy. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
 
 You will receive a JSON object with:
-- "tool": the MCP tool name being called
+- "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": list of files that must NEVER be read, written, copied, moved, or accessed
-- "protected_paths": list of directories/paths that must NEVER be accessed
+- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
+- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
 - "denied_actions": list of actions that are never allowed
 
-DENY if the tool call could, directly or indirectly:
-- Read, display, copy, move, or exfiltrate any protected file \u2014 even through:
-  - Shell glob patterns (e.g., "cred*" could match "credentials.json")
-  - Command substitution ($(...), backticks)
-  - Process substitution (<(cat file), <(command file)) \u2014 ALWAYS check inside <(...) for protected files
-  - Variable interpolation or string concatenation (e.g., f=".en"; cat \${f}v builds ".env")
-  - Partial variable construction \u2014 if shell variables are concatenated to form a filename, analyze the RESULT
-  - Input redirection (< file)
-  - Script files that might read protected files
-  - Find/exec patterns
-  - Multi-stage operations: if command A archives/copies a protected file and command B reads the copy, DENY the ENTIRE chain (e.g., "tar czf /tmp/x.tgz .env && tar xzf /tmp/x.tgz -O")
-  - Any Unix/Windows utility that reads file content (cat, head, tail, less, more, type, perl, awk, sed, sort, diff, comm, paste, tee, xxd, od, strings, dd, tr, tar, zip, etc.)
-- Delete, modify, or overwrite any protected file or path
-- Send data to external URLs, webhooks, or attacker-controlled endpoints
-- Execute remotely downloaded code (curl|bash, wget|sh, etc.)
-- Leak environment variables (printenv, env, /proc/self/environ, npm run env, process.env)
-- Create scripts that bypass security controls
+IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
 
-CRITICAL patterns to watch for:
-- <(cat .env) or <(cat ANYPROTECTEDFILE) \u2014 process substitution ALWAYS reads the file
-- Compound commands with && or ; where ANY part touches a protected file \u2014 DENY the whole thing
-- Variable tricks like f=".en"; cat \${f}v \u2014 mentally evaluate the variable to see if it resolves to a protected filename
-- tar/zip/cp that archives a protected file, even if the second command reads the archive \u2014 DENY both
+DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
+- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
+- Command substitution ($(...), backticks)
+- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
+- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
+- Input redirection (< file)
+- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
+- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+
+Also DENY if:
+- The command sends data to external URLs (curl -d, wget --post)
+- The command leaks environment variables (printenv, env, process.env)
+- The command executes remotely downloaded code (curl|bash)
 
 ALLOW if:
-- The action is a normal development operation (ls, git status, npm build, etc.)
+- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
+- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
 - The action does not touch any protected file or path
-- The action is clearly benign (creating hello.js, reading public docs, etc.)
 
-When in doubt, DENY. False positives are acceptable; false negatives are not.
+CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
 
 Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;

package/hooks/guard.mjs

@@ -1013,7 +1013,132 @@ process.stdin.on('end', async () => {
       process.exit(0); // No policy = allow all
     }
 
-    const reason = evaluate(policy, args);
+    let reason = evaluate(policy, args);
+
+    // ── AI Judge: semantic intent analysis (runs when policy ALLOWs) ──
+    if (!reason) {
+      const GROQ_KEY = process.env.GROQ_API_KEY || dotenv.GROQ_API_KEY || '';
+      let aiJudgeEnabled = false;
+      let aiJudgeModel = 'llama-3.1-8b-instant';
+      let aiJudgeEndpoint = 'https://api.groq.com/openai';
+      let aiJudgeTimeout = 5000;
+
+      // Check cloud config for AI Judge settings
+      if (API_KEY && API_KEY.startsWith('sg_live_')) {
+        try {
+          const cfgRes = await fetch(API_URL + '/api/v1/project-config/ai-judge', {
+            headers: { 'Authorization': 'Bearer ' + API_KEY },
+            signal: AbortSignal.timeout(3000),
+          });
+          if (cfgRes.ok) {
+            const cfg = await cfgRes.json();
+            aiJudgeEnabled = Boolean(cfg.enabled);
+            if (cfg.model) aiJudgeModel = cfg.model;
+            if (cfg.endpoint) aiJudgeEndpoint = cfg.endpoint;
+            if (cfg.timeoutMs) aiJudgeTimeout = cfg.timeoutMs;
+          }
+        } catch {}
+      }
+
+      if (aiJudgeEnabled && GROQ_KEY) {
+        try {
+          // Extract protected files/paths from policy
+          const protectedFiles = [];
+          const protectedPathsList = [];
+          if (policy && policy.rules) {
+            for (const rule of policy.rules) {
+              if (rule.effect === 'DENY' && rule.enabled !== false) {
+                if (rule.filenameConstraints && rule.filenameConstraints.denied) {
+                  for (const f of rule.filenameConstraints.denied) protectedFiles.push(f);
+                }
+                if (rule.pathConstraints && rule.pathConstraints.denied) {
+                  for (const p of rule.pathConstraints.denied) protectedPathsList.push(p);
+                }
+              }
+            }
+          }
+
+          const judgePayload = JSON.stringify({
+            tool: toolName,
+            arguments: args,
+            protected_files: protectedFiles,
+            protected_paths: protectedPathsList,
+            denied_actions: ['file deletion', 'data exfiltration', 'remote code execution', 'environment variable leak', 'security control bypass'],
+          });
+
+          const systemPrompt = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+
+You will receive a JSON object with:
+- "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
+- "arguments": the tool's arguments
+- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
+- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
+- "denied_actions": list of actions that are never allowed
+
+IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+
+DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
+- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
+- Command substitution ($(...), backticks)
+- Process substitution (<(cat file)) — check inside <(...) for protected files
+- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
+- Input redirection (< file)
+- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
+- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+
+Also DENY if:
+- The command sends data to external URLs (curl -d, wget --post)
+- The command leaks environment variables (printenv, env, process.env)
+- The command executes remotely downloaded code (curl|bash)
+
+ALLOW if:
+- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
+- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
+- The action does not touch any protected file or path
+
+CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
+
+Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
+
+          const llmRes = await fetch(aiJudgeEndpoint + '/v1/chat/completions', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'Authorization': 'Bearer ' + GROQ_KEY,
+            },
+            body: JSON.stringify({
+              model: aiJudgeModel,
+              messages: [
+                { role: 'system', content: systemPrompt },
+                { role: 'user', content: judgePayload },
+              ],
+              temperature: 0,
+              max_tokens: 200,
+            }),
+            signal: AbortSignal.timeout(aiJudgeTimeout),
+          });
+
+          if (llmRes.ok) {
+            const llmData = await llmRes.json();
+            const content = llmData.choices?.[0]?.message?.content || '';
+            const jsonMatch = content.match(/\{[\s\S]*\}/);
+            if (jsonMatch) {
+              const verdict = JSON.parse(jsonMatch[0]);
+              if (verdict.decision === 'DENY') {
+                reason = '[AI Judge] ' + (verdict.reason || 'Blocked by semantic analysis');
+              }
+            }
+          } else {
+            // Fail-closed: LLM error → DENY
+            reason = '[AI Judge] LLM endpoint error (fail-closed)';
+          }
+        } catch (err) {
+          // Fail-closed: timeout or parse error → DENY
+          reason = '[AI Judge] ' + (err.message || 'error') + ' (fail-closed)';
+        }
+      }
+    }
+
     const decision = reason ? 'DENY' : 'ALLOW';
 
     // ── Log ALL decisions to SolonGate Cloud ──

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.25.7",
+  "version": "0.26.1",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {