npm - @solongate/proxy - Versions diffs - 0.26.0 → 0.26.2 - Mend

@solongate/proxy 0.26.0 → 0.26.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -6135,45 +6135,37 @@ var PolicySyncManager = class {
 };
 // src/ai-judge.ts
-var SYSTEM_PROMPT = `You are a security judge for an MCP (Model Context Protocol) proxy. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
+var SYSTEM_PROMPT = `You are a security judge for an AI coding tool. You evaluate tool calls and decide if they should be ALLOWED or DENIED.
 You will receive a JSON object with:
-- "tool": the MCP tool name being called
+- "tool": the tool name being called
 - "arguments": the tool's arguments
-- "protected_files": list of files that must NEVER be read, written, copied, moved, or accessed
-- "protected_paths": list of directories/paths that must NEVER be accessed
+- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected \u2014 nothing else.
+- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected \u2014 nothing else.
 - "denied_actions": list of actions that are never allowed
-DENY if the tool call could, directly or indirectly:
-- Read, display, copy, move, or exfiltrate any protected file \u2014 even through:
-  - Shell glob patterns (e.g., "cred*" could match "credentials.json")
-  - Command substitution ($(...), backticks)
-  - Process substitution (<(cat file), <(command file)) \u2014 ALWAYS check inside <(...) for protected files
-  - Variable interpolation or string concatenation (e.g., f=".en"; cat \${f}v builds ".env")
-  - Partial variable construction \u2014 if shell variables are concatenated to form a filename, analyze the RESULT
-  - Input redirection (< file)
-  - Script files that might read protected files
-  - Find/exec patterns
-  - Multi-stage operations: if command A archives/copies a protected file and command B reads the copy, DENY the ENTIRE chain (e.g., "tar czf /tmp/x.tgz .env && tar xzf /tmp/x.tgz -O")
-  - Any Unix/Windows utility that reads file content (cat, head, tail, less, more, type, perl, awk, sed, sort, diff, comm, paste, tee, xxd, od, strings, dd, tr, tar, zip, etc.)
-- Delete, modify, or overwrite any protected file or path
-- Send data to external URLs, webhooks, or attacker-controlled endpoints
-- Execute remotely downloaded code (curl|bash, wget|sh, etc.)
-- Leak environment variables (printenv, env, /proc/self/environ, npm run env, process.env)
-- Create scripts that bypass security controls
+IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
-CRITICAL patterns to watch for:
-- <(cat .env) or <(cat ANYPROTECTEDFILE) \u2014 process substitution ALWAYS reads the file
-- Compound commands with && or ; where ANY part touches a protected file \u2014 DENY the whole thing
-- Variable tricks like f=".en"; cat \${f}v \u2014 mentally evaluate the variable to see if it resolves to a protected filename
-- tar/zip/cp that archives a protected file, even if the second command reads the archive \u2014 DENY both
+DENY if the tool call could, directly or indirectly, access a file from the protected_files list \u2014 even through:
+- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
+- Command substitution ($(...), backticks)
+- Process substitution (<(cat file)) \u2014 check inside <(...) for protected files
+- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" \u2014 DENY only if .env is in protected_files)
+- Input redirection (< file)
+- Multi-stage operations: tar/cp a protected file then read the copy \u2014 DENY the entire chain
+- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+Also DENY if:
+- The command sends data to external URLs (curl -d, wget --post)
+- The command leaks environment variables (printenv, env, process.env)
+- The command executes remotely downloaded code (curl|bash)
 ALLOW if:
-- The action is a normal development operation (ls, git status, npm build, etc.)
+- The file is NOT in protected_files \u2014 even if cat, head, etc. is used. Reading non-protected files is normal.
+- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
 - The action does not touch any protected file or path
-- The action is clearly benign (creating hello.js, reading public docs, etc.)
-When in doubt, DENY. False positives are acceptable; false negatives are not.
+CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. Do NOT over-block.
 Respond with ONLY valid JSON, no markdown, no explanation outside the JSON:
 {"decision": "ALLOW" or "DENY", "reason": "brief one-line explanation", "confidence": 0.0 to 1.0}`;

package/hooks/guard.mjs CHANGED Viewed

@@ -1071,40 +1071,32 @@ process.stdin.on('end', async () => {
 You will receive a JSON object with:
 - "tool": the tool name being called (e.g., Bash, Write, Read, Edit)
 - "arguments": the tool's arguments
-- "protected_files": list of files that must NEVER be read, written, copied, moved, or accessed
-- "protected_paths": list of directories/paths that must NEVER be accessed
+- "protected_files": EXACT list of files that must NEVER be accessed. ONLY these specific files are protected — nothing else.
+- "protected_paths": EXACT list of directories that must NEVER be accessed. ONLY these specific paths are protected — nothing else.
 - "denied_actions": list of actions that are never allowed
-DENY if the tool call could, directly or indirectly:
-- Read, display, copy, move, or exfiltrate any protected file — even through:
-  - Shell glob patterns (e.g., "cred*" could match "credentials.json")
-  - Command substitution ($(...), backticks)
-  - Process substitution (<(cat file), <(command file)) — ALWAYS check inside <(...) for protected files
-  - Variable interpolation or string concatenation (e.g., f=".en"; cat \${f}v builds ".env")
-  - Partial variable construction — if shell variables are concatenated to form a filename, analyze the RESULT
-  - Input redirection (< file)
-  - Script files that might read protected files
-  - Find/exec patterns
-  - Multi-stage operations: if command A archives/copies a protected file and command B reads the copy, DENY the ENTIRE chain
-  - Any Unix/Windows utility that reads file content (cat, head, tail, less, more, type, perl, awk, sed, sort, diff, comm, paste, tee, xxd, od, strings, dd, tr, tar, zip, etc.)
-- Delete, modify, or overwrite any protected file or path
-- Send data to external URLs, webhooks, or attacker-controlled endpoints
-- Execute remotely downloaded code (curl|bash, wget|sh, etc.)
-- Leak environment variables (printenv, env, /proc/self/environ, npm run env, process.env)
-- Create scripts that bypass security controls
-CRITICAL patterns to watch for:
-- <(cat .env) or <(cat ANYPROTECTEDFILE) — process substitution ALWAYS reads the file
-- Compound commands with && or ; where ANY part touches a protected file — DENY the whole thing
-- Variable tricks like f=".en"; cat \${f}v — mentally evaluate the variable to see if it resolves to a protected filename
-- tar/zip/cp that archives a protected file, even if the second command reads the archive — DENY both
+IMPORTANT: You must ONLY protect files and paths that are EXPLICITLY listed in protected_files and protected_paths. If a file is NOT in the list, it is NOT protected and access should be ALLOWED. Do NOT invent or assume additional protected files.
+DENY if the tool call could, directly or indirectly, access a file from the protected_files list — even through:
+- Shell glob patterns (e.g., "cred*" could match "credentials.json" IF credentials.json is in protected_files)
+- Command substitution ($(...), backticks)
+- Process substitution (<(cat file)) — check inside <(...) for protected files
+- Variable interpolation (e.g., f=".en"; cat \${f}v builds ".env" — DENY only if .env is in protected_files)
+- Input redirection (< file)
+- Multi-stage operations: tar/cp a protected file then read the copy — DENY the entire chain
+- Any utility that reads file content (cat, head, tail, less, perl, awk, sed, xxd, od, strings, dd, etc.)
+Also DENY if:
+- The command sends data to external URLs (curl -d, wget --post)
+- The command leaks environment variables (printenv, env, process.env)
+- The command executes remotely downloaded code (curl|bash)
 ALLOW if:
-- The action is a normal development operation (ls, git status, npm build, etc.)
+- The file is NOT in protected_files — even if cat, head, etc. is used. Reading non-protected files is normal.
+- The action is a normal development operation (ls, git status, npm build, cat app.js, etc.)
 - The action does not touch any protected file or path
-- The action is clearly benign
-When in doubt, DENY. False positives are acceptable; false negatives are not.
+CRITICAL: Only DENY access to files EXPLICITLY in the protected_files list. "cat app.js" is ALLOWED if app.js is not in protected_files. "cat package.json" is ALLOWED if package.json is not in protected_files. Do NOT over-block.
 Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief explanation", "confidence": 0.0 to 1.0}`;
@@ -1133,16 +1125,16 @@ Respond with ONLY valid JSON: {"decision": "ALLOW" or "DENY", "reason": "brief e
             if (jsonMatch) {
               const verdict = JSON.parse(jsonMatch[0]);
               if (verdict.decision === 'DENY') {
-                reason = '[AI Judge] ' + (verdict.reason || 'Blocked by semantic analysis');
+                reason = '[SolonGate AI Judge] Blocked: ' + (verdict.reason || 'Semantic analysis detected a policy violation');
               }
             }
           } else {
             // Fail-closed: LLM error → DENY
-            reason = '[AI Judge] LLM endpoint error (fail-closed)';
+            reason = '[SolonGate AI Judge] Blocked: Groq API error (fail-closed)';
           }
         } catch (err) {
           // Fail-closed: timeout or parse error → DENY
-          reason = '[AI Judge] ' + (err.message || 'error') + ' (fail-closed)';
+          reason = '[SolonGate AI Judge] Blocked: ' + (err.message || 'error') + ' (fail-closed)';
         }
       }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solongate/proxy",
-  "version": "0.26.0",
+  "version": "0.26.2",
   "description": "MCP security proxy — protect any MCP server with customizable policies, path/command constraints, rate limiting, and audit logging. Zero code changes required.",
   "type": "module",
   "bin": {