npm - @solongate/proxy - Versions diffs - 0.26.1 → 0.26.3 - Mend

@solongate/proxy 0.26.1 → 0.26.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -5,13 +5,15 @@ var __esm = (fn, res) => function __init() {
 };
 // src/config.ts
-import { readFileSync, existsSync, appendFileSync } from "fs";
+import { readFileSync, existsSync } from "fs";
+import { appendFile } from "fs/promises";
 import { resolve } from "path";
 async function fetchCloudPolicy(apiKey, apiUrl, policyId) {
   let resolvedId = policyId;
   if (!resolvedId) {
     const listRes = await fetch(`${apiUrl}/api/v1/policies`, {
-      headers: { "Authorization": `Bearer ${apiKey}` }
+      headers: { "Authorization": `Bearer ${apiKey}` },
+      signal: AbortSignal.timeout(1e4)
     });
     if (!listRes.ok) {
       const body = await listRes.text().catch(() => "");
@@ -26,7 +28,8 @@ async function fetchCloudPolicy(apiKey, apiUrl, policyId) {
   }
   const url = `${apiUrl}/api/v1/policies/${resolvedId}`;
   const res = await fetch(url, {
-    headers: { "Authorization": `Bearer ${apiKey}` }
+    headers: { "Authorization": `Bearer ${apiKey}` },
+    signal: AbortSignal.timeout(1e4)
   });
   if (!res.ok) {
     const body = await res.text().catch(() => "");
@@ -73,7 +76,10 @@ async function sendAuditLog(apiKey, apiUrl, entry) {
 `);
   try {
     const line = JSON.stringify({ ...entry, timestamp: (/* @__PURE__ */ new Date()).toISOString() }) + "\n";
-    appendFileSync(AUDIT_LOG_BACKUP_PATH, line, "utf-8");
+    appendFile(AUDIT_LOG_BACKUP_PATH, line, "utf-8").catch((err) => {
+      process.stderr.write(`[SolonGate] Audit backup write error: ${err instanceof Error ? err.message : String(err)}
+`);
+    });
   } catch (err) {
     process.stderr.write(`[SolonGate] Audit backup write error: ${err instanceof Error ? err.message : String(err)}
 `);
@@ -327,7 +333,7 @@ function parseArgs(argv) {
       transport: upstreamTransport ?? "stdio",
       command,
       args: commandArgs,
-      env: { ...process.env }
+      env: { PATH: process.env.PATH ?? "", HOME: process.env.HOME ?? "", USERPROFILE: process.env.USERPROFILE ?? "" }
     },
     policy: loadPolicy(policySource ?? "policy.json"),
     name,
@@ -348,10 +354,11 @@ function resolvePolicyPath(source) {
   if (existsSync(filePath)) return filePath;
   return null;
 }
-var AUDIT_MAX_RETRIES, AUDIT_LOG_BACKUP_PATH, DEFAULT_POLICY;
+var DEFAULT_API_URL, AUDIT_MAX_RETRIES, AUDIT_LOG_BACKUP_PATH, DEFAULT_POLICY;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
+    DEFAULT_API_URL = "https://api.solongate.com";
     AUDIT_MAX_RETRIES = 3;
     AUDIT_LOG_BACKUP_PATH = resolve(".solongate-audit-backup.jsonl");
     DEFAULT_POLICY = {
@@ -366,23 +373,71 @@ var init_config = __esm({
   }
 });
+// src/cli-utils.ts
+function log3(msg) {
+  process.stderr.write(msg + "\n");
+}
+function printBanner(subtitle) {
+  log3("");
+  for (let i = 0; i < BANNER_FULL.length; i++) {
+    log3(`${c.bold}${BANNER_COLORS[i]}${BANNER_FULL[i]}${c.reset}`);
+  }
+  log3("");
+  log3(`  ${c.dim}${c.italic}${subtitle}${c.reset}`);
+  log3("");
+}
+var c, BANNER_FULL, BANNER_COLORS;
+var init_cli_utils = __esm({
+  "src/cli-utils.ts"() {
+    "use strict";
+    c = {
+      reset: "\x1B[0m",
+      bold: "\x1B[1m",
+      dim: "\x1B[2m",
+      italic: "\x1B[3m",
+      white: "\x1B[97m",
+      gray: "\x1B[90m",
+      blue1: "\x1B[38;2;20;50;160m",
+      blue2: "\x1B[38;2;40;80;190m",
+      blue3: "\x1B[38;2;60;110;215m",
+      blue4: "\x1B[38;2;90;140;230m",
+      blue5: "\x1B[38;2;130;170;240m",
+      blue6: "\x1B[38;2;170;200;250m",
+      green: "\x1B[38;2;80;200;120m",
+      red: "\x1B[38;2;220;80;80m",
+      cyan: "\x1B[38;2;100;200;220m",
+      yellow: "\x1B[38;2;220;200;80m",
+      bgBlue: "\x1B[48;2;20;50;160m"
+    };
+    BANNER_FULL = [
+      " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
+      " \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D",
+      " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  ",
+      " \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  ",
+      " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
+      " \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D"
+    ];
+    BANNER_COLORS = [c.blue1, c.blue2, c.blue3, c.blue4, c.blue5, c.blue6];
+  }
+});
 // src/init.ts
 var init_exports = {};
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
-import { resolve as resolve2, join, dirname as dirname2 } from "path";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync2, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs";
+import { resolve as resolve3, join, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import { createInterface } from "readline";
 function findConfigFile(explicitPath, createIfMissing = false) {
   if (explicitPath) {
-    if (existsSync3(explicitPath)) {
-      return { path: resolve2(explicitPath), type: "mcp" };
+    if (existsSync4(explicitPath)) {
+      return { path: resolve3(explicitPath), type: "mcp" };
     }
     return null;
   }
   for (const searchPath of SEARCH_PATHS) {
-    const full = resolve2(searchPath);
-    if (existsSync3(full)) return { path: full, type: "mcp" };
+    const full = resolve3(searchPath);
+    if (existsSync4(full)) return { path: full, type: "mcp" };
   }
   if (createIfMissing) {
     const starterConfig = {
@@ -397,19 +452,19 @@ function findConfigFile(explicitPath, createIfMissing = false) {
         }
       }
     };
-    const starterPath = resolve2(".mcp.json");
+    const starterPath = resolve3(".mcp.json");
     writeFileSync2(starterPath, JSON.stringify(starterConfig, null, 2) + "\n");
     console.log("  Created .mcp.json with starter servers (filesystem, playwright).");
     console.log("");
     return { path: starterPath, type: "mcp", created: true };
   }
   for (const desktopPath of CLAUDE_DESKTOP_PATHS) {
-    if (existsSync3(desktopPath)) return { path: desktopPath, type: "claude-desktop" };
+    if (existsSync4(desktopPath)) return { path: desktopPath, type: "claude-desktop" };
   }
   return null;
 }
 function readConfig(filePath) {
-  const content = readFileSync3(filePath, "utf-8");
+  const content = readFileSync4(filePath, "utf-8");
   const parsed = JSON.parse(content);
   if (parsed.mcpServers) return parsed;
   throw new Error(`Unrecognized config format in ${filePath}`);
@@ -525,53 +580,53 @@ EXAMPLES
   console.log(help);
 }
 function readHookScript(filename) {
-  return readFileSync3(join(HOOKS_DIR, filename), "utf-8");
+  return readFileSync4(join(HOOKS_DIR, filename), "utf-8");
 }
 function unlockProtectedDirs() {
   const dirs = [".solongate", ".claude", ".cursor", ".gemini", ".antigravity", ".openclaw", ".perplexity"];
   for (const dir of dirs) {
-    const fullDir = resolve2(dir);
-    if (!existsSync3(fullDir)) continue;
+    const fullDir = resolve3(dir);
+    if (!existsSync4(fullDir)) continue;
     try {
       if (process.platform === "win32") {
         try {
-          execSync(`powershell.exe -Command "icacls '${fullDir}' /remove:d '*S-1-1-0' /T /Q"`, { stdio: "ignore" });
+          execFileSync("icacls", [fullDir, "/remove:d", "*S-1-1-0", "/T", "/Q"], { stdio: "ignore" });
         } catch {
         }
         try {
-          execSync(`attrib -R /S /D "${fullDir}"`, { stdio: "ignore" });
+          execFileSync("attrib", ["-R", "/S", "/D", fullDir], { stdio: "ignore" });
         } catch {
         }
       } else {
         try {
-          execSync(`chattr -i -R "${fullDir}"`, { stdio: "ignore" });
+          execFileSync("chattr", ["-i", "-R", fullDir], { stdio: "ignore" });
         } catch {
         }
-        execSync(`chmod -R u+w "${fullDir}"`, { stdio: "ignore" });
+        execFileSync("chmod", ["-R", "u+w", fullDir], { stdio: "ignore" });
       }
     } catch {
     }
   }
   const protectedFiles = [".env", ".gitignore", ".mcp.json", "policy.json"];
   for (const file of protectedFiles) {
-    const fullPath = resolve2(file);
-    if (!existsSync3(fullPath)) continue;
+    const fullPath = resolve3(file);
+    if (!existsSync4(fullPath)) continue;
     try {
       if (process.platform === "win32") {
         try {
-          execSync(`powershell.exe -Command "icacls '${fullPath}' /remove:d '*S-1-1-0' /Q"`, { stdio: "ignore" });
+          execFileSync("icacls", [fullPath, "/remove:d", "*S-1-1-0", "/Q"], { stdio: "ignore" });
         } catch {
         }
         try {
-          execSync(`attrib -R "${fullPath}"`, { stdio: "ignore" });
+          execFileSync("attrib", ["-R", fullPath], { stdio: "ignore" });
         } catch {
         }
       } else {
         try {
-          execSync(`chattr -i "${fullPath}"`, { stdio: "ignore" });
+          execFileSync("chattr", ["-i", fullPath], { stdio: "ignore" });
         } catch {
         }
-        execSync(`chmod u+w "${fullPath}"`, { stdio: "ignore" });
+        execFileSync("chmod", ["u+w", fullPath], { stdio: "ignore" });
       }
     } catch {
     }
@@ -579,7 +634,7 @@ function unlockProtectedDirs() {
 }
 function installHooks(selectedTools = []) {
   unlockProtectedDirs();
-  const hooksDir = resolve2(".solongate", "hooks");
+  const hooksDir = resolve3(".solongate", "hooks");
   mkdirSync2(hooksDir, { recursive: true });
   const guardPath = join(hooksDir, "guard.mjs");
   writeFileSync2(guardPath, readHookScript("guard.mjs"));
@@ -618,12 +673,12 @@ function installHooks(selectedTools = []) {
   const clients = selectedTools.length > 0 ? allClients.filter((c3) => selectedTools.includes(c3.key)) : allClients;
   const activatedNames = [];
   for (const client of clients) {
-    const clientDir = resolve2(client.dir);
+    const clientDir = resolve3(client.dir);
     mkdirSync2(clientDir, { recursive: true });
     const settingsPath = join(clientDir, "settings.json");
     let existing = {};
     try {
-      existing = JSON.parse(readFileSync3(settingsPath, "utf-8"));
+      existing = JSON.parse(readFileSync4(settingsPath, "utf-8"));
     } catch {
     }
     const merged = { ...existing, hooks: hookSettings.hooks };
@@ -638,8 +693,8 @@ function installHooks(selectedTools = []) {
   console.log(`  Activated for: ${activatedNames.join(", ")}`);
 }
 function ensureEnvFile() {
-  const envPath = resolve2(".env");
-  if (!existsSync3(envPath)) {
+  const envPath = resolve3(".env");
+  if (!existsSync4(envPath)) {
     const envContent = `# SolonGate Configuration
 # IMPORTANT: Never commit this file to git!
@@ -655,9 +710,9 @@ GROQ_API_KEY=gsk_your_groq_key_here
     console.log(`  \u2192 Set your API key in .env (get one at https://dashboard.solongate.com)`);
     console.log("");
   }
-  const gitignorePath = resolve2(".gitignore");
-  if (existsSync3(gitignorePath)) {
-    let gitignore = readFileSync3(gitignorePath, "utf-8");
+  const gitignorePath = resolve3(".gitignore");
+  if (existsSync4(gitignorePath)) {
+    let gitignore = readFileSync4(gitignorePath, "utf-8");
     let updated = false;
     if (!gitignore.includes(".env")) {
       gitignore = gitignore.trimEnd() + "\n.env\n.env.local\n";
@@ -678,26 +733,7 @@ GROQ_API_KEY=gsk_your_groq_key_here
 }
 async function main() {
   const options = parseInitArgs(process.argv);
-  const _c = {
-    reset: "\x1B[0m",
-    bold: "\x1B[1m",
-    dim: "\x1B[2m",
-    italic: "\x1B[3m",
-    blue1: "\x1B[38;2;20;50;160m",
-    blue2: "\x1B[38;2;40;80;190m",
-    blue3: "\x1B[38;2;60;110;215m",
-    blue4: "\x1B[38;2;90;140;230m",
-    blue5: "\x1B[38;2;130;170;240m",
-    blue6: "\x1B[38;2;170;200;250m"
-  };
-  const fullBanner = [
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  ",
-    " \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  ",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D"
-  ];
+  const fullBanner = BANNER_FULL;
   const mediumBanner = [
     " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557",
     " \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551",
@@ -724,13 +760,13 @@ async function main() {
   ];
   const cols = process.stdout.columns || 80;
   const bannerLines = cols >= 82 ? fullBanner : cols >= 50 ? mediumBanner : smallBanner;
-  const bannerColors = [_c.blue1, _c.blue2, _c.blue3, _c.blue4, _c.blue5, _c.blue6];
+  const bannerColors = BANNER_COLORS;
   console.log("");
   for (let i = 0; i < bannerLines.length; i++) {
-    console.log(`${_c.bold}${bannerColors[i % bannerColors.length]}${bannerLines[i]}${_c.reset}`);
+    console.log(`${c.bold}${bannerColors[i % bannerColors.length]}${bannerLines[i]}${c.reset}`);
   }
   console.log("");
-  console.log(`  ${_c.dim}${_c.italic}Init Setup${_c.reset}`);
+  console.log(`  ${c.dim}${c.italic}Init Setup${c.reset}`);
   console.log("");
   await sleep(400);
   const configInfo = findConfigFile(options.configPath, true);
@@ -796,9 +832,9 @@ async function main() {
   console.log("");
   let apiKey = options.apiKey || process.env.SOLONGATE_API_KEY || "";
   if (!apiKey) {
-    const envPath = resolve2(".env");
-    if (existsSync3(envPath)) {
-      const envContent = readFileSync3(envPath, "utf-8");
+    const envPath = resolve3(".env");
+    if (existsSync4(envPath)) {
+      const envContent = readFileSync4(envPath, "utf-8");
       const match = envContent.match(/^SOLONGATE_API_KEY=(sg_(?:live|test)_\w+)/m);
       if (match) apiKey = match[1];
     }
@@ -823,8 +859,8 @@ async function main() {
   }
   let policyValue;
   if (options.policy) {
-    const policyPath = resolve2(options.policy);
-    if (existsSync3(policyPath)) {
+    const policyPath = resolve3(options.policy);
+    if (existsSync4(policyPath)) {
       policyValue = `./${options.policy}`;
       console.log(`  Policy:  ${policyPath}`);
     } else {
@@ -832,8 +868,8 @@ async function main() {
       process.exit(1);
     }
   } else {
-    const defaultPolicy = resolve2("policy.json");
-    if (existsSync3(defaultPolicy)) {
+    const defaultPolicy = resolve3("policy.json");
+    if (existsSync4(defaultPolicy)) {
       policyValue = "./policy.json";
       console.log(`  Policy:  ${defaultPolicy} (auto-detected)`);
     } else {
@@ -856,7 +892,7 @@ async function main() {
   }
   await sleep(400);
   if (configInfo.type === "claude-desktop") {
-    const original = JSON.parse(readFileSync3(configInfo.path, "utf-8"));
+    const original = JSON.parse(readFileSync4(configInfo.path, "utf-8"));
     original.mcpServers = newConfig.mcpServers;
     writeFileSync2(configInfo.path, JSON.stringify(original, null, 2) + "\n");
   } else {
@@ -904,6 +940,7 @@ var SEARCH_PATHS, CLAUDE_DESKTOP_PATHS, sleep, __dirname, HOOKS_DIR;
 var init_init = __esm({
   "src/init.ts"() {
     "use strict";
+    init_cli_utils();
     SEARCH_PATHS = [
       ".mcp.json",
       "mcp.json",
@@ -912,7 +949,7 @@ var init_init = __esm({
     CLAUDE_DESKTOP_PATHS = process.platform === "win32" ? [join(process.env["APPDATA"] ?? "", "Claude", "claude_desktop_config.json")] : process.platform === "darwin" ? [join(process.env["HOME"] ?? "", "Library", "Application Support", "Claude", "claude_desktop_config.json")] : [join(process.env["HOME"] ?? "", ".config", "claude", "claude_desktop_config.json")];
     sleep = (ms) => new Promise((r) => setTimeout(r, ms));
     __dirname = dirname2(fileURLToPath(import.meta.url));
-    HOOKS_DIR = resolve2(__dirname, "..", "hooks");
+    HOOKS_DIR = resolve3(__dirname, "..", "hooks");
     main().catch((err) => {
       console.log(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
       process.exit(1);
@@ -922,9 +959,9 @@ var init_init = __esm({
 // src/inject.ts
 var inject_exports = {};
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync4, copyFileSync } from "fs";
-import { resolve as resolve3 } from "path";
-import { execSync as execSync2 } from "child_process";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync5, copyFileSync } from "fs";
+import { resolve as resolve4 } from "path";
+import { execSync } from "child_process";
 function parseInjectArgs(argv) {
   const args = argv.slice(2);
   const opts = {
@@ -979,31 +1016,10 @@ WHAT IT DOES
   All tool() calls are automatically protected by SolonGate.
 `);
 }
-function log3(msg) {
-  process.stderr.write(msg + "\n");
-}
-function printBanner(subtitle) {
-  const lines = [
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  ",
-    " \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  ",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D"
-  ];
-  const colors = [c.blue1, c.blue2, c.blue3, c.blue4, c.blue5, c.blue6];
-  log3("");
-  for (let i = 0; i < lines.length; i++) {
-    log3(`${c.bold}${colors[i]}${lines[i]}${c.reset}`);
-  }
-  log3("");
-  log3(`  ${c.dim}${c.italic}${subtitle}${c.reset}`);
-  log3("");
-}
 function detectProject() {
-  if (!existsSync4(resolve3("package.json"))) return false;
+  if (!existsSync5(resolve4("package.json"))) return false;
   try {
-    const pkg = JSON.parse(readFileSync4(resolve3("package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync5(resolve4("package.json"), "utf-8"));
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     return !!(allDeps["@modelcontextprotocol/sdk"] || allDeps["@modelcontextprotocol/server"]);
   } catch {
@@ -1012,18 +1028,18 @@ function detectProject() {
 }
 function findTsEntryFile() {
   try {
-    const pkg = JSON.parse(readFileSync4(resolve3("package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync5(resolve4("package.json"), "utf-8"));
     if (pkg.bin) {
       const binPath = typeof pkg.bin === "string" ? pkg.bin : Object.values(pkg.bin)[0];
       if (typeof binPath === "string") {
         const srcPath = binPath.replace(/^\.\/dist\//, "./src/").replace(/\.js$/, ".ts");
-        if (existsSync4(resolve3(srcPath))) return resolve3(srcPath);
-        if (existsSync4(resolve3(binPath))) return resolve3(binPath);
+        if (existsSync5(resolve4(srcPath))) return resolve4(srcPath);
+        if (existsSync5(resolve4(binPath))) return resolve4(binPath);
       }
     }
     if (pkg.main) {
       const srcPath = pkg.main.replace(/^\.\/dist\//, "./src/").replace(/\.js$/, ".ts");
-      if (existsSync4(resolve3(srcPath))) return resolve3(srcPath);
+      if (existsSync5(resolve4(srcPath))) return resolve4(srcPath);
     }
   } catch {
   }
@@ -1036,10 +1052,10 @@ function findTsEntryFile() {
     "main.ts"
   ];
   for (const c3 of candidates) {
-    const full = resolve3(c3);
-    if (existsSync4(full)) {
+    const full = resolve4(c3);
+    if (existsSync5(full)) {
       try {
-        const content = readFileSync4(full, "utf-8");
+        const content = readFileSync5(full, "utf-8");
         if (content.includes("McpServer") || content.includes("McpServer")) {
           return full;
         }
@@ -1048,18 +1064,18 @@ function findTsEntryFile() {
     }
   }
   for (const c3 of candidates) {
-    if (existsSync4(resolve3(c3))) return resolve3(c3);
+    if (existsSync5(resolve4(c3))) return resolve4(c3);
   }
   return null;
 }
 function detectPackageManager() {
-  if (existsSync4(resolve3("pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync4(resolve3("yarn.lock"))) return "yarn";
+  if (existsSync5(resolve4("pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync5(resolve4("yarn.lock"))) return "yarn";
   return "npm";
 }
 function installSdk() {
   try {
-    const pkg = JSON.parse(readFileSync4(resolve3("package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync5(resolve4("package.json"), "utf-8"));
     const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
     if (allDeps["@solongate/sdk"]) {
       log3("  @solongate/sdk already installed");
@@ -1071,7 +1087,7 @@ function installSdk() {
   const cmd = pm === "yarn" ? "yarn add @solongate/sdk" : `${pm} install @solongate/sdk`;
   log3(`  Installing @solongate/sdk via ${pm}...`);
   try {
-    execSync2(cmd, { stdio: "pipe", cwd: process.cwd() });
+    execSync(cmd, { stdio: "pipe", cwd: process.cwd() });
     return true;
   } catch (err) {
     log3(`  Failed to install: ${err instanceof Error ? err.message : String(err)}`);
@@ -1080,7 +1096,7 @@ function installSdk() {
   }
 }
 function injectTypeScript(filePath) {
-  const original = readFileSync4(filePath, "utf-8");
+  const original = readFileSync5(filePath, "utf-8");
   const changes = [];
   let modified = original;
   if (modified.includes("SecureMcpServer")) {
@@ -1196,8 +1212,8 @@ async function main2() {
     process.exit(1);
   }
   log3("  Language: TypeScript");
-  const entryFile = opts.file ? resolve3(opts.file) : findTsEntryFile();
-  if (!entryFile || !existsSync4(entryFile)) {
+  const entryFile = opts.file ? resolve4(opts.file) : findTsEntryFile();
+  if (!entryFile || !existsSync5(entryFile)) {
     log3(`  Could not find entry file.${opts.file ? ` File not found: ${opts.file}` : ""}`);
     log3("");
     log3("  Specify it manually: --file <path>");
@@ -1210,7 +1226,7 @@ async function main2() {
   log3("");
   const backupPath = entryFile + ".solongate-backup";
   if (opts.restore) {
-    if (!existsSync4(backupPath)) {
+    if (!existsSync5(backupPath)) {
       log3("  No backup found. Nothing to restore.");
       process.exit(1);
     }
@@ -1246,7 +1262,7 @@ async function main2() {
     log3("  To apply: npx @solongate/proxy inject");
     process.exit(0);
   }
-  if (!existsSync4(backupPath)) {
+  if (!existsSync5(backupPath)) {
     copyFileSync(entryFile, backupPath);
     log3("");
     log3(`  Backup: ${backupPath}`);
@@ -1267,24 +1283,10 @@ async function main2() {
   log3("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
   log3("");
 }
-var c;
 var init_inject = __esm({
   "src/inject.ts"() {
     "use strict";
-    c = {
-      reset: "\x1B[0m",
-      bold: "\x1B[1m",
-      dim: "\x1B[2m",
-      italic: "\x1B[3m",
-      green: "\x1B[38;2;80;200;120m",
-      red: "\x1B[38;2;220;80;80m",
-      blue1: "\x1B[38;2;20;50;160m",
-      blue2: "\x1B[38;2;40;80;190m",
-      blue3: "\x1B[38;2;60;110;215m",
-      blue4: "\x1B[38;2;90;140;230m",
-      blue5: "\x1B[38;2;130;170;240m",
-      blue6: "\x1B[38;2;170;200;250m"
-    };
+    init_cli_utils();
     main2().catch((err) => {
       log3(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
       process.exit(1);
@@ -1294,46 +1296,25 @@ var init_inject = __esm({
 // src/create.ts
 var create_exports = {};
-import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
-import { resolve as resolve4, join as join2 } from "path";
-import { execSync as execSync3 } from "child_process";
-function log4(msg) {
-  process.stderr.write(msg + "\n");
-}
-function printBanner2(subtitle) {
-  const lines = [
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2557  ",
-    " \u255A\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2554\u2550\u2550\u255D  ",
-    " \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551   \u2588\u2588\u2551   \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557",
-    " \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D"
-  ];
-  const colors = [c2.blue1, c2.blue2, c2.blue3, c2.blue4, c2.blue5, c2.blue6];
-  log4("");
-  for (let i = 0; i < lines.length; i++) {
-    log4(`${c2.bold}${colors[i]}${lines[i]}${c2.reset}`);
-  }
-  log4("");
-  log4(`  ${c2.dim}${c2.italic}${subtitle}${c2.reset}`);
-  log4("");
-}
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync4, existsSync as existsSync6 } from "fs";
+import { resolve as resolve5, join as join2 } from "path";
+import { execSync as execSync2 } from "child_process";
 function withSpinner(message, fn) {
   const frames = ["\u28FE", "\u28FD", "\u28FB", "\u28BF", "\u287F", "\u28DF", "\u28EF", "\u28F7"];
   let i = 0;
   const id = setInterval(() => {
-    const color = i % 2 === 0 ? c2.blue3 : c2.blue5;
-    process.stderr.write(`\r  ${color}${frames[i++ % frames.length]}${c2.reset} ${c2.dim}${message}${c2.reset}`);
+    const color = i % 2 === 0 ? c.blue3 : c.blue5;
+    process.stderr.write(`\r  ${color}${frames[i++ % frames.length]}${c.reset} ${c.dim}${message}${c.reset}`);
   }, 80);
   try {
     const result = fn();
     clearInterval(id);
-    process.stderr.write(`\r  ${c2.green}\u2713${c2.reset} ${message}${" ".repeat(20)}
+    process.stderr.write(`\r  ${c.green}\u2713${c.reset} ${message}${" ".repeat(20)}
 `);
     return result;
   } catch (err) {
     clearInterval(id);
-    process.stderr.write(`\r  ${c2.red}\u2717${c2.reset} ${message} \u2014 failed${" ".repeat(10)}
+    process.stderr.write(`\r  ${c.red}\u2717${c.reset} ${message} \u2014 failed${" ".repeat(10)}
 `);
     throw err;
   }
@@ -1365,20 +1346,20 @@ function parseCreateArgs(argv) {
     }
   }
   if (!opts.name) {
-    log4("");
-    log4("  Error: Project name required.");
-    log4("");
-    log4("  Usage: npx @solongate/proxy create <name>");
-    log4("");
-    log4("  Examples:");
-    log4("    npx @solongate/proxy create my-mcp-server");
-    log4("    npx @solongate/proxy create weather-api");
+    log3("");
+    log3("  Error: Project name required.");
+    log3("");
+    log3("  Usage: npx @solongate/proxy create <name>");
+    log3("");
+    log3("  Examples:");
+    log3("    npx @solongate/proxy create my-mcp-server");
+    log3("    npx @solongate/proxy create weather-api");
     process.exit(1);
   }
   return opts;
 }
 function printHelp3() {
-  log4(`
+  log3(`
 SolonGate Create \u2014 Scaffold a secure MCP server in seconds
 USAGE
@@ -1528,10 +1509,10 @@ dist/
 }
 async function main3() {
   const opts = parseCreateArgs(process.argv);
-  const dir = resolve4(opts.name);
-  printBanner2("Create MCP Server");
-  if (existsSync5(dir)) {
-    log4(`  ${c2.red}Error:${c2.reset} Directory "${opts.name}" already exists.`);
+  const dir = resolve5(opts.name);
+  printBanner("Create MCP Server");
+  if (existsSync6(dir)) {
+    log3(`  ${c.red}Error:${c.reset} Directory "${opts.name}" already exists.`);
     process.exit(1);
   }
   withSpinner(`Setting up ${opts.name}...`, () => {
@@ -1540,87 +1521,68 @@ async function main3() {
   });
   if (!opts.noInstall) {
     withSpinner("Installing dependencies...", () => {
-      execSync3("npm install", { cwd: dir, stdio: "pipe" });
+      execSync2("npm install", { cwd: dir, stdio: "pipe" });
     });
   }
-  log4("");
+  log3("");
   const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
   const W = 52;
   const hr = "\u2500".repeat(W + 2);
   const bLine = (text) => {
     const visible = stripAnsi(text);
     const padding = W - visible.length;
-    log4(`  ${c2.dim}\u2502${c2.reset} ${text}${" ".repeat(Math.max(0, padding))} ${c2.dim}\u2502${c2.reset}`);
+    log3(`  ${c.dim}\u2502${c.reset} ${text}${" ".repeat(Math.max(0, padding))} ${c.dim}\u2502${c.reset}`);
   };
-  const bEmpty = () => log4(`  ${c2.dim}\u2502${c2.reset} ${" ".repeat(W)} ${c2.dim}\u2502${c2.reset}`);
-  log4(`  ${c2.dim}\u256D${hr}\u256E${c2.reset}`);
-  log4(`  ${c2.dim}\u2502${c2.reset} ${c2.green}${c2.bold}\u2714  MCP Server created successfully!${c2.reset}${" ".repeat(W - 35)} ${c2.dim}\u2502${c2.reset}`);
-  log4(`  ${c2.dim}\u251C${hr}\u2524${c2.reset}`);
+  const bEmpty = () => log3(`  ${c.dim}\u2502${c.reset} ${" ".repeat(W)} ${c.dim}\u2502${c.reset}`);
+  log3(`  ${c.dim}\u256D${hr}\u256E${c.reset}`);
+  log3(`  ${c.dim}\u2502${c.reset} ${c.green}${c.bold}\u2714  MCP Server created successfully!${c.reset}${" ".repeat(W - 35)} ${c.dim}\u2502${c.reset}`);
+  log3(`  ${c.dim}\u251C${hr}\u2524${c.reset}`);
   bEmpty();
-  bLine(`${c2.yellow}Next steps:${c2.reset}`);
+  bLine(`${c.yellow}Next steps:${c.reset}`);
   bEmpty();
-  bLine(`  ${c2.cyan}$${c2.reset} cd ${c2.bold}${opts.name}${c2.reset}`);
-  bLine(`  ${c2.cyan}$${c2.reset} npm run build`);
-  bLine(`  ${c2.cyan}$${c2.reset} npm run dev          ${c2.dim}# dev mode${c2.reset}`);
-  bLine(`  ${c2.cyan}$${c2.reset} npm start            ${c2.dim}# production${c2.reset}`);
+  bLine(`  ${c.cyan}$${c.reset} cd ${c.bold}${opts.name}${c.reset}`);
+  bLine(`  ${c.cyan}$${c.reset} npm run build`);
+  bLine(`  ${c.cyan}$${c.reset} npm run dev          ${c.dim}# dev mode${c.reset}`);
+  bLine(`  ${c.cyan}$${c.reset} npm start            ${c.dim}# production${c.reset}`);
   bEmpty();
-  log4(`  ${c2.dim}\u251C${hr}\u2524${c2.reset}`);
+  log3(`  ${c.dim}\u251C${hr}\u2524${c.reset}`);
   bEmpty();
-  bLine(`${c2.yellow}Set your API key:${c2.reset}`);
+  bLine(`${c.yellow}Set your API key:${c.reset}`);
   bEmpty();
-  bLine(`  ${c2.cyan}$${c2.reset} export SOLONGATE_API_KEY=${c2.blue3}sg_live_xxx${c2.reset}`);
+  bLine(`  ${c.cyan}$${c.reset} export SOLONGATE_API_KEY=${c.blue3}sg_live_xxx${c.reset}`);
   bEmpty();
-  bLine(`${c2.dim}https://dashboard.solongate.com/api-keys/${c2.reset}`);
+  bLine(`${c.dim}https://dashboard.solongate.com/api-keys/${c.reset}`);
   bEmpty();
-  log4(`  ${c2.dim}\u251C${hr}\u2524${c2.reset}`);
+  log3(`  ${c.dim}\u251C${hr}\u2524${c.reset}`);
   bEmpty();
-  bLine(`${c2.yellow}Use with any MCP server:${c2.reset}`);
+  bLine(`${c.yellow}Use with any MCP server:${c.reset}`);
   bEmpty();
-  bLine(`  ${c2.cyan}$${c2.reset} solongate-proxy -- npx @modelcontextprotocol/server-filesystem .`);
-  bLine(`  ${c2.cyan}$${c2.reset} solongate-proxy -- npx @playwright/mcp@latest`);
-  bLine(`  ${c2.dim}Wraps any MCP server or AI tool with SolonGate protection${c2.reset}`);
+  bLine(`  ${c.cyan}$${c.reset} solongate-proxy -- npx @modelcontextprotocol/server-filesystem .`);
+  bLine(`  ${c.cyan}$${c.reset} solongate-proxy -- npx @playwright/mcp@latest`);
+  bLine(`  ${c.dim}Wraps any MCP server or AI tool with SolonGate protection${c.reset}`);
   bEmpty();
-  log4(`  ${c2.dim}\u251C${hr}\u2524${c2.reset}`);
+  log3(`  ${c.dim}\u251C${hr}\u2524${c.reset}`);
   bEmpty();
-  bLine(`${c2.yellow}Use with Claude Code / Cursor / MCP client:${c2.reset}`);
+  bLine(`${c.yellow}Use with Claude Code / Cursor / MCP client:${c.reset}`);
   bEmpty();
-  bLine(`  ${c2.dim}1.${c2.reset} Replace ${c2.blue3}sg_live_YOUR_KEY_HERE${c2.reset} in .mcp.json`);
-  bLine(`  ${c2.dim}2.${c2.reset} Open this folder in your MCP client`);
-  bLine(`  ${c2.dim}3.${c2.reset} .mcp.json is auto-detected on startup`);
+  bLine(`  ${c.dim}1.${c.reset} Replace ${c.blue3}sg_live_YOUR_KEY_HERE${c.reset} in .mcp.json`);
+  bLine(`  ${c.dim}2.${c.reset} Open this folder in your MCP client`);
+  bLine(`  ${c.dim}3.${c.reset} .mcp.json is auto-detected on startup`);
   bEmpty();
-  bLine(`${c2.yellow}Direct test (without MCP client):${c2.reset}`);
+  bLine(`${c.yellow}Direct test (without MCP client):${c.reset}`);
   bEmpty();
-  bLine(`  ${c2.dim}1.${c2.reset} Replace ${c2.blue3}sg_live_YOUR_KEY_HERE${c2.reset} in .env`);
-  bLine(`  ${c2.dim}2.${c2.reset} ${c2.cyan}$${c2.reset} npm run build && npm start`);
+  bLine(`  ${c.dim}1.${c.reset} Replace ${c.blue3}sg_live_YOUR_KEY_HERE${c.reset} in .env`);
+  bLine(`  ${c.dim}2.${c.reset} ${c.cyan}$${c.reset} npm run build && npm start`);
   bEmpty();
-  log4(`  ${c2.dim}\u2570${hr}\u256F${c2.reset}`);
-  log4("");
+  log3(`  ${c.dim}\u2570${hr}\u256F${c.reset}`);
+  log3("");
 }
-var c2;
 var init_create = __esm({
   "src/create.ts"() {
     "use strict";
-    c2 = {
-      reset: "\x1B[0m",
-      bold: "\x1B[1m",
-      dim: "\x1B[2m",
-      italic: "\x1B[3m",
-      white: "\x1B[97m",
-      gray: "\x1B[90m",
-      blue1: "\x1B[38;2;20;50;160m",
-      blue2: "\x1B[38;2;40;80;190m",
-      blue3: "\x1B[38;2;60;110;215m",
-      blue4: "\x1B[38;2;90;140;230m",
-      blue5: "\x1B[38;2;130;170;240m",
-      blue6: "\x1B[38;2;170;200;250m",
-      green: "\x1B[38;2;80;200;120m",
-      red: "\x1B[38;2;220;80;80m",
-      cyan: "\x1B[38;2;100;200;220m",
-      yellow: "\x1B[38;2;220;200;80m",
-      bgBlue: "\x1B[48;2;20;50;160m"
-    };
+    init_cli_utils();
     main3().catch((err) => {
-      log4(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
+      log3(`Fatal: ${err instanceof Error ? err.message : String(err)}`);
       process.exit(1);
     });
   }
@@ -1628,14 +1590,14 @@ var init_create = __esm({
 // src/pull-push.ts
 var pull_push_exports = {};
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, existsSync as existsSync6 } from "fs";
-import { resolve as resolve5 } from "path";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync5, existsSync as existsSync7 } from "fs";
+import { resolve as resolve6 } from "path";
 function loadEnv() {
   if (process.env.SOLONGATE_API_KEY) return;
-  const envPath = resolve5(".env");
-  if (!existsSync6(envPath)) return;
+  const envPath = resolve6(".env");
+  if (!existsSync7(envPath)) return;
   try {
-    const content = readFileSync5(envPath, "utf-8");
+    const content = readFileSync6(envPath, "utf-8");
     for (const line of content.split("\n")) {
       const trimmed = line.trim();
       if (!trimmed || trimmed.startsWith("#")) continue;
@@ -1677,20 +1639,20 @@ function parseCliArgs() {
     }
   }
   if (!apiKey) {
-    log5(red("ERROR: API key not found."));
-    log5("");
-    log5("Set it in .env file:");
-    log5("  SOLONGATE_API_KEY=sg_live_...");
-    log5("");
-    log5("Or pass via environment:");
-    log5(`  SOLONGATE_API_KEY=sg_live_... solongate-proxy ${command}`);
+    log4(red("ERROR: API key not found."));
+    log4("");
+    log4("Set it in .env file:");
+    log4("  SOLONGATE_API_KEY=sg_live_...");
+    log4("");
+    log4("Or pass via environment:");
+    log4(`  SOLONGATE_API_KEY=sg_live_... solongate-proxy ${command}`);
     process.exit(1);
   }
   if (!apiKey.startsWith("sg_live_")) {
-    log5(red("ERROR: Pull/push/list requires a live API key (sg_live_...)."));
+    log4(red("ERROR: Pull/push/list requires a live API key (sg_live_...)."));
     process.exit(1);
   }
-  return { command, apiKey, file: resolve5(file), policyId };
+  return { command, apiKey, file: resolve6(file), policyId };
 }
 async function listPolicies(apiKey) {
   const res = await fetch(`${API_URL}/api/v1/policies`, {
@@ -1703,18 +1665,18 @@ async function listPolicies(apiKey) {
 async function list(apiKey, policyId) {
   const policies = await listPolicies(apiKey);
   if (policies.length === 0) {
-    log5(yellow("No policies found. Create one in the dashboard first."));
-    log5(dim("  https://dashboard.solongate.com/policies"));
+    log4(yellow("No policies found. Create one in the dashboard first."));
+    log4(dim("  https://dashboard.solongate.com/policies"));
     return;
   }
   if (policyId) {
     const match = policies.find((p) => p.id === policyId);
     if (!match) {
-      log5(red(`Policy not found: ${policyId}`));
-      log5("");
-      log5("Available policies:");
+      log4(red(`Policy not found: ${policyId}`));
+      log4("");
+      log4("Available policies:");
       for (const p of policies) {
-        log5(`  ${dim("\u2022")} ${p.id}`);
+        log4(`  ${dim("\u2022")} ${p.id}`);
       }
       process.exit(1);
     }
@@ -1722,148 +1684,148 @@ async function list(apiKey, policyId) {
     printPolicyDetail(full);
     return;
   }
-  log5("");
-  log5(bold(`  Policies (${policies.length})`));
-  log5(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  log5("");
-  for (const p of policies) {
-    try {
-      const full = await fetchCloudPolicy(apiKey, API_URL, p.id);
-      printPolicySummary(p, full.rules);
-    } catch {
-      printPolicySummary(p, []);
-    }
+  log4("");
+  log4(bold(`  Policies (${policies.length})`));
+  log4(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log4("");
+  const fullPolicies = await Promise.all(
+    policies.map(
+      (p) => fetchCloudPolicy(apiKey, API_URL, p.id).then((full) => ({ policy: p, rules: full.rules })).catch(() => ({ policy: p, rules: [] }))
+    )
+  );
+  for (const { policy, rules } of fullPolicies) {
+    printPolicySummary(policy, rules);
   }
-  log5(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  log5("");
-  log5(`  ${dim("View details:")}  solongate-proxy list --policy-id <ID>`);
-  log5(`  ${dim("Pull policy:")}   solongate-proxy pull --policy-id <ID>`);
-  log5(`  ${dim("Push policy:")}   solongate-proxy push --policy-id <ID>`);
-  log5("");
+  log4(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log4("");
+  log4(`  ${dim("View details:")}  solongate-proxy list --policy-id <ID>`);
+  log4(`  ${dim("Pull policy:")}   solongate-proxy pull --policy-id <ID>`);
+  log4(`  ${dim("Push policy:")}   solongate-proxy push --policy-id <ID>`);
+  log4("");
 }
 function printPolicySummary(p, rules) {
   const ruleCount = rules.length;
   const allowCount = rules.filter((r) => r.effect === "ALLOW").length;
   const denyCount = rules.filter((r) => r.effect === "DENY").length;
-  log5(`  ${cyan(p.id)}`);
-  log5(`    ${bold(p.name)}  ${dim(`v${p.version ?? "?"}`)}`);
-  log5(`    ${dim("Rules:")} ${ruleCount}  ${green(`${allowCount} ALLOW`)}  ${red(`${denyCount} DENY`)}`);
+  log4(`  ${cyan(p.id)}`);
+  log4(`    ${bold(p.name)}  ${dim(`v${p.version ?? "?"}`)}`);
+  log4(`    ${dim("Rules:")} ${ruleCount}  ${green(`${allowCount} ALLOW`)}  ${red(`${denyCount} DENY`)}`);
   if (p.created_at) {
-    log5(`    ${dim("Updated:")} ${new Date(p.created_at).toLocaleString()}`);
+    log4(`    ${dim("Updated:")} ${new Date(p.created_at).toLocaleString()}`);
   }
-  log5("");
+  log4("");
 }
 function printPolicyDetail(policy) {
-  log5("");
-  log5(bold(`  ${policy.name}`));
-  log5(`  ${dim("ID:")} ${cyan(policy.id)}  ${dim("Version:")} ${policy.version}  ${dim("Rules:")} ${policy.rules.length}`);
-  log5("");
+  log4("");
+  log4(bold(`  ${policy.name}`));
+  log4(`  ${dim("ID:")} ${cyan(policy.id)}  ${dim("Version:")} ${policy.version}  ${dim("Rules:")} ${policy.rules.length}`);
+  log4("");
   if (policy.rules.length === 0) {
-    log5(yellow("  No rules defined."));
-    log5("");
+    log4(yellow("  No rules defined."));
+    log4("");
     return;
   }
-  log5(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log4(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   for (const rule of policy.rules) {
     const effectColor = rule.effect === "ALLOW" ? green : red;
-    log5("");
-    log5(`  ${effectColor(rule.effect.padEnd(5))}  ${bold(rule.toolPattern)}  ${dim(`P:${rule.priority}`)}`);
+    log4("");
+    log4(`  ${effectColor(rule.effect.padEnd(5))}  ${bold(rule.toolPattern)}  ${dim(`P:${rule.priority}`)}`);
     if (rule.description) {
-      log5(`         ${dim(rule.description)}`);
+      log4(`         ${dim(rule.description)}`);
     }
-    log5(`         ${dim(`${rule.permission}  trust:${rule.minimumTrustLevel || "UNTRUSTED"}`)}`);
+    log4(`         ${dim(`${rule.permission}  trust:${rule.minimumTrustLevel || "UNTRUSTED"}`)}`);
     if (rule.pathConstraints) {
       const pc = rule.pathConstraints;
-      if (pc.rootDirectory) log5(`         ${magenta("ROOT")} ${pc.rootDirectory}`);
-      if (pc.allowed?.length) log5(`         ${green("PATHS")} ${pc.allowed.join(", ")}`);
-      if (pc.denied?.length) log5(`         ${red("DENY")}  ${pc.denied.join(", ")}`);
+      if (pc.rootDirectory) log4(`         ${magenta("ROOT")} ${pc.rootDirectory}`);
+      if (pc.allowed?.length) log4(`         ${green("PATHS")} ${pc.allowed.join(", ")}`);
+      if (pc.denied?.length) log4(`         ${red("DENY")}  ${pc.denied.join(", ")}`);
     }
     if (rule.commandConstraints) {
       const cc = rule.commandConstraints;
-      if (cc.allowed?.length) log5(`         ${green("CMDS")}  ${cc.allowed.join(", ")}`);
-      if (cc.denied?.length) log5(`         ${red("DENY")}  ${cc.denied.join(", ")}`);
+      if (cc.allowed?.length) log4(`         ${green("CMDS")}  ${cc.allowed.join(", ")}`);
+      if (cc.denied?.length) log4(`         ${red("DENY")}  ${cc.denied.join(", ")}`);
     }
     if (rule.filenameConstraints) {
       const fc = rule.filenameConstraints;
-      if (fc.allowed?.length) log5(`         ${green("FILES")} ${fc.allowed.join(", ")}`);
-      if (fc.denied?.length) log5(`         ${red("DENY")}  ${fc.denied.join(", ")}`);
+      if (fc.allowed?.length) log4(`         ${green("FILES")} ${fc.allowed.join(", ")}`);
+      if (fc.denied?.length) log4(`         ${red("DENY")}  ${fc.denied.join(", ")}`);
     }
     if (rule.urlConstraints) {
       const uc = rule.urlConstraints;
-      if (uc.allowed?.length) log5(`         ${green("URLS")}  ${uc.allowed.join(", ")}`);
-      if (uc.denied?.length) log5(`         ${red("DENY")}  ${uc.denied.join(", ")}`);
+      if (uc.allowed?.length) log4(`         ${green("URLS")}  ${uc.allowed.join(", ")}`);
+      if (uc.denied?.length) log4(`         ${red("DENY")}  ${uc.denied.join(", ")}`);
     }
   }
-  log5("");
-  log5(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  log5("");
+  log4("");
+  log4(dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  log4("");
 }
 async function pull(apiKey, file, policyId) {
   if (!policyId) {
     const policies = await listPolicies(apiKey);
     if (policies.length === 0) {
-      log5(red("No policies found. Create one in the dashboard first."));
+      log4(red("No policies found. Create one in the dashboard first."));
       process.exit(1);
     }
     if (policies.length === 1) {
       policyId = policies[0].id;
-      log5(dim(`Auto-selecting only policy: ${policyId}`));
+      log4(dim(`Auto-selecting only policy: ${policyId}`));
     } else {
-      log5(yellow(`Found ${policies.length} policies:`));
-      log5("");
+      log4(yellow(`Found ${policies.length} policies:`));
+      log4("");
       for (const p of policies) {
-        log5(`  ${cyan(p.id)}  ${p.name}  ${dim(`v${p.version ?? "?"}`)}`);
+        log4(`  ${cyan(p.id)}  ${p.name}  ${dim(`v${p.version ?? "?"}`)}`);
       }
-      log5("");
-      log5("Use --policy-id <ID> to specify which one to pull.");
+      log4("");
+      log4("Use --policy-id <ID> to specify which one to pull.");
       process.exit(1);
     }
   }
-  log5(`Pulling ${cyan(policyId)} from dashboard...`);
+  log4(`Pulling ${cyan(policyId)} from dashboard...`);
   const policy = await fetchCloudPolicy(apiKey, API_URL, policyId);
   const { id: _id, ...policyWithoutId } = policy;
   const json = JSON.stringify(policyWithoutId, null, 2) + "\n";
   writeFileSync5(file, json, "utf-8");
-  log5("");
-  log5(green("  Saved to: ") + file);
-  log5(`  ${dim("Name:")}    ${policy.name}`);
-  log5(`  ${dim("Version:")} ${policy.version}`);
-  log5(`  ${dim("Rules:")}   ${policy.rules.length}`);
-  log5("");
-  log5(dim("The policy file does not contain an ID."));
-  log5(dim("Use --policy-id to specify the target when pushing/pulling."));
-  log5("");
+  log4("");
+  log4(green("  Saved to: ") + file);
+  log4(`  ${dim("Name:")}    ${policy.name}`);
+  log4(`  ${dim("Version:")} ${policy.version}`);
+  log4(`  ${dim("Rules:")}   ${policy.rules.length}`);
+  log4("");
+  log4(dim("The policy file does not contain an ID."));
+  log4(dim("Use --policy-id to specify the target when pushing/pulling."));
+  log4("");
 }
 async function push(apiKey, file, policyId) {
-  if (!existsSync6(file)) {
-    log5(red(`ERROR: File not found: ${file}`));
+  if (!existsSync7(file)) {
+    log4(red(`ERROR: File not found: ${file}`));
     process.exit(1);
   }
   if (!policyId) {
-    log5(red("ERROR: --policy-id is required for push."));
-    log5("");
-    log5("This determines which cloud policy to update.");
-    log5("");
-    log5("Usage:");
-    log5("  solongate-proxy push --policy-id my-policy");
-    log5("  solongate-proxy push --policy-id my-policy --file custom.json");
-    log5("");
-    log5("List your policies:");
-    log5("  solongate-proxy list");
+    log4(red("ERROR: --policy-id is required for push."));
+    log4("");
+    log4("This determines which cloud policy to update.");
+    log4("");
+    log4("Usage:");
+    log4("  solongate-proxy push --policy-id my-policy");
+    log4("  solongate-proxy push --policy-id my-policy --file custom.json");
+    log4("");
+    log4("List your policies:");
+    log4("  solongate-proxy list");
     process.exit(1);
   }
-  const content = readFileSync5(file, "utf-8");
+  const content = readFileSync6(file, "utf-8");
   let policy;
   try {
     policy = JSON.parse(content);
   } catch {
-    log5(red(`ERROR: Invalid JSON in ${file}`));
+    log4(red(`ERROR: Invalid JSON in ${file}`));
     process.exit(1);
   }
-  log5(`Pushing to ${cyan(policyId)}...`);
-  log5(`  ${dim("File:")}  ${file}`);
-  log5(`  ${dim("Name:")}  ${policy.name || "Unnamed"}`);
-  log5(`  ${dim("Rules:")} ${(policy.rules || []).length}`);
+  log4(`Pushing to ${cyan(policyId)}...`);
+  log4(`  ${dim("File:")}  ${file}`);
+  log4(`  ${dim("Name:")}  ${policy.name || "Unnamed"}`);
+  log4(`  ${dim("Rules:")} ${(policy.rules || []).length}`);
   const checkRes = await fetch(`${API_URL}/api/v1/policies/${policyId}`, {
     headers: { "Authorization": `Bearer ${apiKey}` }
   });
@@ -1885,15 +1847,15 @@ async function push(apiKey, file, policyId) {
   });
   if (!res.ok) {
     const body = await res.text().catch(() => "");
-    log5(red(`ERROR: Push failed (${res.status}): ${body}`));
+    log4(red(`ERROR: Push failed (${res.status}): ${body}`));
     process.exit(1);
   }
   const data = await res.json();
-  log5("");
-  log5(green(`  Pushed to cloud: v${data._version ?? "created"}`));
-  log5(`  ${dim("Policy ID:")} ${policyId}`);
-  log5(`  ${dim("Method:")}    ${method === "PUT" ? "Updated existing" : "Created new"}`);
-  log5("");
+  log4("");
+  log4(green(`  Pushed to cloud: v${data._version ?? "created"}`));
+  log4(`  ${dim("Policy ID:")} ${policyId}`);
+  log4(`  ${dim("Method:")}    ${method === "PUT" ? "Updated existing" : "Created new"}`);
+  log4("");
 }
 async function main4() {
   const { command, apiKey, file, policyId } = parseCliArgs();
@@ -1905,32 +1867,32 @@ async function main4() {
     } else if (command === "list" || command === "ls") {
       await list(apiKey, policyId);
     } else {
-      log5(red(`Unknown command: ${command}`));
-      log5("");
-      log5(bold("Usage:"));
-      log5("  solongate-proxy list                          List all policies");
-      log5("  solongate-proxy list --policy-id <ID>         Show policy details");
-      log5("  solongate-proxy pull --policy-id <ID>         Pull policy to local file");
-      log5("  solongate-proxy push --policy-id <ID>         Push local file to cloud");
-      log5("");
-      log5(bold("Flags:"));
-      log5("  --policy-id, --id <ID>    Cloud policy ID (required for push)");
-      log5("  --file, -f <path>         Local file path (default: policy.json)");
-      log5("  --api-key <key>           API key (or set SOLONGATE_API_KEY)");
-      log5("");
+      log4(red(`Unknown command: ${command}`));
+      log4("");
+      log4(bold("Usage:"));
+      log4("  solongate-proxy list                          List all policies");
+      log4("  solongate-proxy list --policy-id <ID>         Show policy details");
+      log4("  solongate-proxy pull --policy-id <ID>         Pull policy to local file");
+      log4("  solongate-proxy push --policy-id <ID>         Push local file to cloud");
+      log4("");
+      log4(bold("Flags:"));
+      log4("  --policy-id, --id <ID>    Cloud policy ID (required for push)");
+      log4("  --file, -f <path>         Local file path (default: policy.json)");
+      log4("  --api-key <key>           API key (or set SOLONGATE_API_KEY)");
+      log4("");
       process.exit(1);
     }
   } catch (err) {
-    log5(red(`ERROR: ${err instanceof Error ? err.message : String(err)}`));
+    log4(red(`ERROR: ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
 }
-var log5, dim, bold, green, red, yellow, cyan, magenta, API_URL;
+var log4, dim, bold, green, red, yellow, cyan, magenta, API_URL;
 var init_pull_push = __esm({
   "src/pull-push.ts"() {
     "use strict";
     init_config();
-    log5 = (...args) => process.stderr.write(`${args.map(String).join(" ")}
+    log4 = (...args) => process.stderr.write(`${args.map(String).join(" ")}
 `);
     dim = (s) => `\x1B[2m${s}\x1B[0m`;
     bold = (s) => `\x1B[1m${s}\x1B[0m`;
@@ -1965,6 +1927,8 @@ import {
   ListResourceTemplatesRequestSchema
 } from "@modelcontextprotocol/sdk/types.js";
 import { createServer as createHttpServer } from "http";
+import { resolve as resolve2 } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
 // ../sdk-ts/dist/index.js
 import { z } from "zod";
@@ -1979,21 +1943,6 @@ var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
-var DEFAULT_ADVANCED_DETECTION_CONFIG;
-var init_types = __esm2({
-  "src/prompt-injection/types.ts"() {
-    DEFAULT_ADVANCED_DETECTION_CONFIG = {
-      enabled: true,
-      threshold: 0.5,
-      weights: {
-        rules: 0.3,
-        embedding: 0.3,
-        classifier: 0.4
-      },
-      onModelDownloadStart: void 0
-    };
-  }
-});
 function runStage1Rules(input) {
   const matchedCategories = [];
   let maxWeight = 0;
@@ -2049,7 +1998,7 @@ var init_stage1_rules = __esm2({
         patterns: [
           /\bignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|directives?)\b/i,
           /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?|guidelines?)\b/i,
-          /\bforget\s+(all\s+)?(your|the|previous|prior)\s+(instructions?|rules?|constraints?|guidelines?)\b/i,
+          /\bforget\s+(all\s+|everything\s+)?(your|the|previous|prior|above|earlier)\b/i,
           /\boverride\s+(the\s+)?(system|previous|current)\s+(prompt|instructions?|rules?|settings?)\b/i,
           /\bdo\s+not\s+follow\s+(your|the|any)\s+(instructions?|rules?|guidelines?)\b/i,
           /\bcancel\s+(all\s+)?(prior|previous)\s+(directives?|instructions?)\b/i,
@@ -2108,19 +2057,34 @@ var init_stage1_rules = __esm2({
         name: "multi_language",
         weight: 0.7,
         patterns: [
-          /\bignor(iere|a|e[zs]?)\s+(alle|todas?|toutes?|tüm|все)\b/i,
-          /\bигнорируйте\b/i,
-          /\byoksay\b/i,
-          /\bvorherigen?\s+Anweisungen\b/i,
-          /\binstrucciones\s+anteriores\b/i,
-          /\binstructions?\s+pr[eé]c[eé]dentes?\b/i,
-          /\bönceki\s+talimatlar\b/i
+          /ignor(iere|a|e[zs]?)\s+(alle|todas?|toutes?|tüm|все)/iu,
+          /игнорируйте/iu,
+          /yoksay/iu,
+          /vorherigen?\s+Anweisungen/iu,
+          /instrucciones\s+anteriores/iu,
+          /instructions?\s+pr[eé]c[eé]dentes?/iu,
+          /önceki\s+talimatlar/iu
         ]
       }
     ];
     ADDITIONAL_MATCH_BONUS = 0.05;
   }
 });
+var DEFAULT_ADVANCED_DETECTION_CONFIG;
+var init_types = __esm2({
+  "src/prompt-injection/types.ts"() {
+    DEFAULT_ADVANCED_DETECTION_CONFIG = {
+      enabled: true,
+      threshold: 0.5,
+      weights: {
+        rules: 0.3,
+        embedding: 0.3,
+        classifier: 0.4
+      },
+      onModelDownloadStart: void 0
+    };
+  }
+});
 var ATTACK_VECTORS;
 var init_attack_vectors = __esm2({
   "src/prompt-injection/attack-vectors.ts"() {
@@ -2242,37 +2206,49 @@ async function getOrCreatePipeline(task, model, onDownloadStart) {
   if (pipelineCache.has(cacheKey)) {
     return pipelineCache.get(cacheKey);
   }
-  const transformers = await getTransformers();
-  if (!transformers) return null;
-  const modelSizes = {
-    "Xenova/all-MiniLM-L6-v2": 22,
-    "Xenova/deberta-v3-base-prompt-injection-v2": 184
-  };
-  console.warn(
-    `[SolonGate] Downloading model "${model}" (~${modelSizes[model] ?? "?"}MB) for prompt injection detection. This is a one-time download cached at ~/.cache/huggingface/hub/`
-  );
-  if (onDownloadStart) {
-    onDownloadStart(model, modelSizes[model] ?? 0);
-  }
-  try {
-    const pipe = await transformers.pipeline(task, model);
-    pipelineCache.set(cacheKey, pipe);
-    return pipe;
-  } catch (err) {
-    console.warn(`[SolonGate] Failed to load model "${model}":`, err);
-    return null;
+  if (pipelineInflight.has(cacheKey)) {
+    return pipelineInflight.get(cacheKey);
   }
+  const promise = (async () => {
+    const transformers = await getTransformers();
+    if (!transformers) return null;
+    const modelSizes = {
+      "Xenova/all-MiniLM-L6-v2": 22,
+      "Xenova/deberta-v3-base-prompt-injection-v2": 184
+    };
+    if (onDownloadStart) {
+      onDownloadStart(model, modelSizes[model] ?? 0);
+    } else {
+      console.warn(
+        `[SolonGate] Downloading model "${model}" (~${modelSizes[model] ?? "?"}MB) for prompt injection detection. This is a one-time download cached at ~/.cache/huggingface/hub/`
+      );
+    }
+    try {
+      const pipe = await transformers.pipeline(task, model);
+      pipelineCache.set(cacheKey, pipe);
+      return pipe;
+    } catch (err) {
+      console.warn(`[SolonGate] Failed to load model "${model}":`, err);
+      return null;
+    } finally {
+      pipelineInflight.delete(cacheKey);
+    }
+  })();
+  pipelineInflight.set(cacheKey, promise);
+  return promise;
 }
 var transformersModule;
 var transformersChecked;
 var loadingPromise;
 var pipelineCache;
+var pipelineInflight;
 var init_model_manager = __esm2({
   "src/prompt-injection/model-manager.ts"() {
     transformersModule = null;
     transformersChecked = false;
     loadingPromise = null;
     pipelineCache = /* @__PURE__ */ new Map();
+    pipelineInflight = /* @__PURE__ */ new Map();
   }
 });
 function cosineSimilarity(a, b) {
@@ -2288,10 +2264,11 @@ function cosineSimilarity(a, b) {
   return denom === 0 ? 0 : dotProduct / denom;
 }
 async function embed(pipe, texts) {
+  const output = await pipe(texts, { pooling: "mean", normalize: true });
+  const dim2 = output.dims?.[1] ?? output.data.length / texts.length;
   const results = [];
-  for (const text of texts) {
-    const output = await pipe(text, { pooling: "mean", normalize: true });
-    results.push(new Float32Array(output.data));
+  for (let i = 0; i < texts.length; i++) {
+    results.push(new Float32Array(output.data.slice(i * dim2, (i + 1) * dim2)));
   }
   return results;
 }
@@ -2652,6 +2629,7 @@ function createDeniedToolResult(reason) {
     isError: true
   };
 }
+init_stage1_rules();
 var DEFAULT_INPUT_GUARD_CONFIG = Object.freeze({
   pathTraversal: true,
   shellInjection: true,
@@ -2716,61 +2694,14 @@ function detectHiddenDirective(value) {
   }
   return false;
 }
-var INVISIBLE_UNICODE_PATTERNS = [
-  /\u200B/,
-  // Zero-width space
-  /\u200C/,
-  // Zero-width non-joiner
-  /\u200D/,
-  // Zero-width joiner
-  /\u200E/,
-  // Left-to-right mark
-  /\u200F/,
-  // Right-to-left mark
-  /\u2060/,
-  // Word joiner
-  /\u2061/,
-  // Function application
-  /\u2062/,
-  // Invisible times
-  /\u2063/,
-  // Invisible separator
-  /\u2064/,
-  // Invisible plus
-  /\uFEFF/,
-  // Zero-width no-break space (BOM)
-  /\u202A/,
-  // Left-to-right embedding
-  /\u202B/,
-  // Right-to-left embedding
-  /\u202C/,
-  // Pop directional formatting
-  /\u202D/,
-  // Left-to-right override
-  /\u202E/,
-  // Right-to-left override (text reversal attack)
-  /\u2066/,
-  // Left-to-right isolate
-  /\u2067/,
-  // Right-to-left isolate
-  /\u2068/,
-  // First strong isolate
-  /\u2069/,
-  // Pop directional isolate
-  /[\uE000-\uF8FF]/,
-  // Private Use Area
-  /[\uDB80-\uDBFF][\uDC00-\uDFFF]/
-  // Supplementary Private Use Area
-];
+var INVISIBLE_UNICODE_RE = /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF\uE000-\uF8FF]|[\uDB80-\uDBFF][\uDC00-\uDFFF]/g;
 var INVISIBLE_CHAR_THRESHOLD = 3;
 function detectInvisibleUnicode(value) {
+  INVISIBLE_UNICODE_RE.lastIndex = 0;
   let count = 0;
-  for (const pattern of INVISIBLE_UNICODE_PATTERNS) {
-    const matches = value.match(new RegExp(pattern.source, "g"));
-    if (matches) {
-      count += matches.length;
-      if (count >= INVISIBLE_CHAR_THRESHOLD) return true;
-    }
+  while (INVISIBLE_UNICODE_RE.exec(value)) {
+    count++;
+    if (count >= INVISIBLE_CHAR_THRESHOLD) return true;
   }
   return false;
 }
@@ -3026,9 +2957,52 @@ var COMMAND_HEURISTICS = [
   // network commands
   /^(rm|del|rmdir)\s+/i,
   // destructive commands
-  /^(cat|type|more|less)\s+.*[/\\]/i
+  /^(cat|type|more|less)\s+.*[/\\]/i,
   // file read commands with paths
+  /^(eval|source)\s+/i,
+  // eval/source wrappers
+  /^(printenv|env|set)\b/i,
+  // environment variable leak
+  /^(cat|head|tail|more|less|strings|xxd|od|hexdump|bat)\s+/i
+  // file read commands
+];
+var SUBSHELL_WRAPPERS = [
+  /^(?:sh|bash|zsh|fish|dash|ksh)\s+-c\s+['"](.+?)['"]\s*$/i,
+  /^(?:sh|bash|zsh|fish|dash|ksh)\s+-c\s+(.+)$/i,
+  /^eval\s+['"](.+?)['"]\s*$/i,
+  /^eval\s+(.+)$/i,
+  /^(?:sh|bash|zsh|fish|dash|ksh)\s+<<\s*['"]?(\w+)['"]?\n([\s\S]+?)\n\1$/i
 ];
+var MAX_RECURSION_DEPTH = 8;
+function extractInnerCommands(command, depth = 0) {
+  const results = [command];
+  if (depth >= MAX_RECURSION_DEPTH) return results;
+  const trimmed = command.trim();
+  for (const pattern of SUBSHELL_WRAPPERS) {
+    const match = trimmed.match(pattern);
+    if (match) {
+      const inner = (match[2] ?? match[1] ?? "").trim();
+      if (inner) {
+        results.push(inner);
+        const nested = extractInnerCommands(inner, depth + 1);
+        for (const n of nested) {
+          if (n !== inner) results.push(n);
+        }
+      }
+      break;
+    }
+  }
+  const chainParts = trimmed.split(/\s*(?:&&|;)\s*/);
+  if (chainParts.length > 1) {
+    for (const part of chainParts) {
+      const p = part.trim();
+      if (p && p !== trimmed && !p.includes("=")) {
+        results.push(p);
+      }
+    }
+  }
+  return [...new Set(results)];
+}
 function extractCommandArguments(args) {
   const commands = [];
   const seen = /* @__PURE__ */ new Set();
@@ -3065,6 +3039,16 @@ function extractCommandArguments(args) {
   for (const [key, value] of Object.entries(args)) {
     scanValue(key, value);
   }
+  const expanded = [];
+  for (const cmd of commands) {
+    for (const inner of extractInnerCommands(cmd)) {
+      if (!seen.has(inner)) {
+        seen.add(inner);
+        expanded.push(inner);
+      }
+    }
+  }
+  commands.push(...expanded);
   return commands;
 }
 function matchCommandPattern(command, pattern) {
@@ -3109,6 +3093,37 @@ function isCommandAllowed(command, constraints) {
   }
   return true;
 }
+var SENSITIVE_FILENAMES = [
+  ".env",
+  ".env.local",
+  ".env.production",
+  ".env.development",
+  ".env.staging",
+  ".env.test",
+  ".env.example",
+  "credentials.json",
+  "secrets.json",
+  "secrets.yaml",
+  "secrets.yml",
+  ".npmrc",
+  ".pypirc",
+  ".netrc",
+  ".docker/config.json",
+  "id_rsa",
+  "id_dsa",
+  "id_ecdsa",
+  "id_ed25519",
+  "authorized_keys",
+  "known_hosts",
+  "policy.json",
+  ".mcp.json",
+  "guard.mjs",
+  "audit.mjs",
+  "settings.json"
+];
+function stripShellSyntax(value) {
+  return value.replace(/\$\(/g, " ").replace(/\)/g, " ").replace(/`/g, " ").replace(/\$\{[^}]*\}/g, " ").replace(/\$\w+/g, " ").replace(/['"]/g, " ").replace(/>{1,2}/g, " ").replace(/<{1,3}/g, " ").replace(/[|;&]/g, " ").replace(/\+=/g, " ").replace(/(\w)=/g, "$1 ").replace(/[{}]/g, " ").replace(/[()]/g, " ").replace(/\\/g, " ").replace(/\s+/g, " ").trim();
+}
 function extractFilenames(args) {
   const filenames = [];
   const seen = /* @__PURE__ */ new Set();
@@ -3123,30 +3138,78 @@ function extractFilenames(args) {
     if (typeof value === "string") {
       const trimmed = value.trim();
       if (!trimmed) return;
-      if (/^https?:\/\//i.test(trimmed)) return;
-      if (trimmed.includes("/") || trimmed.includes("\\")) {
-        const normalized = trimmed.replace(/\\/g, "/");
-        const parts = normalized.split("/");
-        const basename = parts[parts.length - 1];
-        if (basename && basename.length > 0) {
-          addFilename(basename);
+      const isUrl = /^https?:\/\//i.test(trimmed);
+      if (isUrl) return;
+      const lower = trimmed.toLowerCase();
+      for (const sensitive of SENSITIVE_FILENAMES) {
+        const sl = sensitive.toLowerCase();
+        if (lower.includes(sl)) {
+          addFilename(sensitive);
         }
-        return;
       }
-      if (trimmed.includes(" ")) {
-        for (const token of trimmed.split(/\s+/)) {
-          if (token.includes("/") || token.includes("\\")) {
-            const parts = token.replace(/\\/g, "/").split("/");
-            const basename = parts[parts.length - 1];
-            if (basename && looksLikeFilename(basename)) addFilename(basename);
-          } else if (looksLikeFilename(token)) {
-            addFilename(token);
+      const stripped = stripShellSyntax(trimmed);
+      const words = stripped.split(/\s+/).filter(Boolean);
+      for (const word of words) {
+        if (looksLikeFilename(word)) {
+          addFilename(word);
+        }
+        if (word.includes("/")) {
+          const parts = word.split("/");
+          const basename = parts[parts.length - 1];
+          if (basename && looksLikeFilename(basename)) {
+            addFilename(basename);
           }
         }
-        return;
+        if (word.includes("*") || word.includes("?")) {
+          for (const expanded of expandSensitiveGlob(word)) {
+            addFilename(expanded);
+          }
+        }
+      }
+      const quotedParts = [];
+      const quotedMatches = trimmed.matchAll(/['"]([^'"]*)['"]/g);
+      for (const m of quotedMatches) {
+        if (m[1]) quotedParts.push(m[1]);
       }
-      if (looksLikeFilename(trimmed)) {
-        addFilename(trimmed);
+      const assignMatches = trimmed.matchAll(/\b\w+=([^\s&;|'"]+)/g);
+      for (const m of assignMatches) {
+        if (m[1]) quotedParts.push(m[1]);
+      }
+      const cappedParts = quotedParts.length > 8 ? quotedParts.slice(0, 8) : quotedParts;
+      if (cappedParts.length >= 2) {
+        for (let i = 0; i < cappedParts.length; i++) {
+          for (let j = i + 1; j < cappedParts.length; j++) {
+            const concat = cappedParts[i] + cappedParts[j];
+            if (looksLikeFilename(concat)) addFilename(concat);
+            const concatLower = concat.toLowerCase();
+            for (const sensitive of SENSITIVE_FILENAMES) {
+              if (concatLower === sensitive.toLowerCase()) {
+                addFilename(sensitive);
+              }
+            }
+            for (let k = j + 1; k < cappedParts.length; k++) {
+              const triple = concat + cappedParts[k];
+              if (looksLikeFilename(triple)) addFilename(triple);
+              const tripleLower = triple.toLowerCase();
+              for (const sensitive of SENSITIVE_FILENAMES) {
+                if (tripleLower === sensitive.toLowerCase()) {
+                  addFilename(sensitive);
+                }
+              }
+            }
+          }
+        }
+      }
+      for (const word of words) {
+        const wordLower = word.toLowerCase().replace(/[*?]/g, "");
+        if (wordLower.length >= 3) {
+          for (const sensitive of SENSITIVE_FILENAMES) {
+            const sl = sensitive.toLowerCase();
+            if (sl.startsWith(wordLower) && wordLower !== sl) {
+              addFilename(sensitive);
+            }
+          }
+        }
       }
       return;
     }
@@ -3165,24 +3228,49 @@ function extractFilenames(args) {
   }
   return filenames;
 }
+function expandSensitiveGlob(pattern) {
+  const p = pattern.toLowerCase();
+  const matches = [];
+  if (p === "*") return matches;
+  for (const filename of SENSITIVE_FILENAMES) {
+    const f = filename.toLowerCase();
+    const startsWithStar = p.startsWith("*");
+    const endsWithStar = p.endsWith("*");
+    if (startsWithStar && endsWithStar) {
+      const infix = p.slice(1, -1);
+      if (infix && f.includes(infix)) matches.push(filename);
+    } else if (endsWithStar) {
+      const prefix = p.slice(0, -1);
+      if (f.startsWith(prefix)) matches.push(filename);
+    } else if (startsWithStar) {
+      const suffix = p.slice(1);
+      if (f.endsWith(suffix)) matches.push(filename);
+    } else if (p.includes("?")) {
+      const regex = new RegExp("^" + p.replace(/\?/g, ".").replace(/\*/g, ".*") + "$", "i");
+      if (regex.test(f)) matches.push(filename);
+    }
+  }
+  return matches;
+}
+var KNOWN_EXTENSIONLESS_FILES = /* @__PURE__ */ new Set([
+  "id_rsa",
+  "id_dsa",
+  "id_ecdsa",
+  "id_ed25519",
+  "authorized_keys",
+  "known_hosts",
+  "makefile",
+  "dockerfile",
+  "vagrantfile",
+  "gemfile",
+  "rakefile",
+  "procfile",
+  "environ"
+]);
 function looksLikeFilename(s) {
   if (s.startsWith(".")) return true;
   if (/\.\w+$/.test(s)) return true;
-  const knownFiles = /* @__PURE__ */ new Set([
-    "id_rsa",
-    "id_dsa",
-    "id_ecdsa",
-    "id_ed25519",
-    "authorized_keys",
-    "known_hosts",
-    "makefile",
-    "dockerfile",
-    "vagrantfile",
-    "gemfile",
-    "rakefile",
-    "procfile"
-  ]);
-  if (knownFiles.has(s.toLowerCase())) return true;
+  if (KNOWN_EXTENSIONLESS_FILES.has(s.toLowerCase())) return true;
   return false;
 }
 function matchFilenamePattern(filename, pattern) {
@@ -3473,9 +3561,7 @@ function urlConstraintsMatch(constraints, args) {
 }
 function evaluatePolicy(policySet, request) {
   const startTime = performance.now();
-  const sortedRules = [...policySet.rules].sort(
-    (a, b) => a.priority - b.priority
-  );
+  const sortedRules = policySet.rules;
   for (const rule of sortedRules) {
     if (ruleMatchesRequest(rule, request)) {
       const endTime2 = performance.now();
@@ -3497,7 +3583,6 @@ function evaluatePolicy(policySet, request) {
     evaluationTimeMs: endTime - startTime,
     metadata: {
       evaluatedRules: sortedRules.length,
-      ruleIds: sortedRules.map((r) => r.id),
       requestContext: {
         tool: request.toolName,
         arguments: Object.keys(request.arguments ?? {})
@@ -3505,31 +3590,6 @@ function evaluatePolicy(policySet, request) {
     }
   };
 }
-function validatePolicyRule(input) {
-  const errors = [];
-  const warnings = [];
-  const result = PolicyRuleSchema.safeParse(input);
-  if (!result.success) {
-    return {
-      valid: false,
-      errors: result.error.errors.map(
-        (e) => `${e.path.join(".")}: ${e.message}`
-      ),
-      warnings: []
-    };
-  }
-  const rule = result.data;
-  if (rule.toolPattern === "*" && rule.effect === "ALLOW") {
-    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW);
-  }
-  if (rule.minimumTrustLevel === "TRUSTED") {
-    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.TRUSTED_LEVEL_EXTERNAL);
-  }
-  if (!rule.permission || rule.permission === "EXECUTE") {
-    warnings.push(UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW);
-  }
-  return { valid: true, errors, warnings };
-}
 function validatePolicySet(input) {
   const errors = [];
   const warnings = [];
@@ -3557,8 +3617,15 @@ function validatePolicySet(input) {
     ruleIds.add(rule.id);
   }
   for (const rule of policySet.rules) {
-    const ruleResult = validatePolicyRule(rule);
-    warnings.push(...ruleResult.warnings);
+    if (rule.toolPattern === "*" && rule.effect === "ALLOW") {
+      warnings.push(UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW);
+    }
+    if (rule.minimumTrustLevel === "TRUSTED") {
+      warnings.push(UNSAFE_CONFIGURATION_WARNINGS.TRUSTED_LEVEL_EXTERNAL);
+    }
+    if (!rule.permission || rule.permission === "EXECUTE") {
+      warnings.push(UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW);
+    }
   }
   const hasDenyRule = policySet.rules.some((r) => r.effect === "DENY");
   if (!hasDenyRule && policySet.rules.length > 0) {
@@ -3664,10 +3731,12 @@ function createDefaultDenyPolicySet() {
 }
 var PolicyEngine = class {
   policySet;
+  sortedRules = [];
   timeoutMs;
   store;
   constructor(options) {
     this.policySet = options?.policySet ?? createDefaultDenyPolicySet();
+    this.sortedRules = [...this.policySet.rules].sort((a, b) => a.priority - b.priority);
     this.timeoutMs = options?.timeoutMs ?? POLICY_EVALUATION_TIMEOUT_MS;
     this.store = options?.store ?? null;
   }
@@ -3677,7 +3746,8 @@ var PolicyEngine = class {
    */
   evaluate(request) {
     const startTime = performance.now();
-    const decision = evaluatePolicy(this.policySet, request);
+    const preSorted = { ...this.policySet, rules: this.sortedRules };
+    const decision = evaluatePolicy(preSorted, request);
     const elapsed = performance.now() - startTime;
     if (elapsed > this.timeoutMs) {
       console.warn(
@@ -3696,6 +3766,7 @@ var PolicyEngine = class {
       return validation;
     }
     this.policySet = policySet;
+    this.sortedRules = [...policySet.rules].sort((a, b) => a.priority - b.priority);
     if (this.store) {
       this.store.saveVersion(
         policySet,
@@ -3715,6 +3786,7 @@ var PolicyEngine = class {
     }
     const policyVersion = this.store.rollback(this.policySet.id, version);
     this.policySet = policyVersion.policySet;
+    this.sortedRules = [...this.policySet.rules].sort((a, b) => a.priority - b.priority);
     return policyVersion;
   }
   getPolicySet() {
@@ -3728,8 +3800,15 @@ var PolicyEngine = class {
   }
   reset() {
     this.policySet = createDefaultDenyPolicySet();
+    this.sortedRules = [...this.policySet.rules].sort((a, b) => a.priority - b.priority);
   }
 };
+function stableStringify(val) {
+  return JSON.stringify(
+    val,
+    (_key, v) => v !== null && typeof v === "object" && !Array.isArray(v) ? Object.fromEntries(Object.entries(v).sort(([a], [b]) => a.localeCompare(b))) : v
+  );
+}
 var PolicyStore = class {
   versions = /* @__PURE__ */ new Map();
   /**
@@ -3748,8 +3827,8 @@ var PolicyStore = class {
       createdBy,
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     };
-    const newHistory = [...history, version];
-    this.versions.set(id, newHistory);
+    history.push(version);
+    this.versions.set(id, history);
     return version;
   }
   /**
@@ -3802,7 +3881,7 @@ var PolicyStore = class {
       const oldRule = oldRulesMap.get(id);
       if (!oldRule) {
         added.push(newRule);
-      } else if (JSON.stringify(oldRule) !== JSON.stringify(newRule)) {
+      } else if (stableStringify(oldRule) !== stableStringify(newRule)) {
         modified.push({ old: oldRule, new: newRule });
       }
     }
@@ -3817,7 +3896,10 @@ var PolicyStore = class {
    * Computes SHA256 hash of a policy set for integrity verification.
    */
   computeHash(policySet) {
-    const serialized = JSON.stringify(policySet, Object.keys(policySet).sort());
+    const serialized = JSON.stringify(
+      policySet,
+      (_key, val) => val !== null && typeof val === "object" && !Array.isArray(val) ? Object.fromEntries(Object.entries(val).sort(([a], [b]) => a.localeCompare(b))) : val
+    );
     return createHash("sha256").update(serialized).digest("hex");
   }
 };
@@ -3882,12 +3964,13 @@ var DATA_SINK_TOOLS = /* @__PURE__ */ new Set([
 var CHAIN_WINDOW_SIZE = 10;
 var CHAIN_TIME_WINDOW_MS = 6e4;
 var ExfiltrationChainTracker = class {
-  recentCalls = [];
+  recentCalls = new Array(CHAIN_WINDOW_SIZE);
+  writeIndex = 0;
+  count = 0;
   record(toolName) {
-    this.recentCalls.push({ name: toolName, timestamp: Date.now() });
-    while (this.recentCalls.length > CHAIN_WINDOW_SIZE) {
-      this.recentCalls.shift();
-    }
+    this.recentCalls[this.writeIndex] = { name: toolName, timestamp: Date.now() };
+    this.writeIndex = (this.writeIndex + 1) % CHAIN_WINDOW_SIZE;
+    if (this.count < CHAIN_WINDOW_SIZE) this.count++;
   }
   /**
    * Check if a data sink tool call follows a recent data source tool call,
@@ -3897,9 +3980,13 @@ var ExfiltrationChainTracker = class {
     if (!DATA_SINK_TOOLS.has(currentTool)) return false;
     const now = Date.now();
     const cutoff = now - CHAIN_TIME_WINDOW_MS;
-    return this.recentCalls.some(
-      (call) => DATA_SOURCE_TOOLS.has(call.name) && call.timestamp >= cutoff
-    );
+    for (let i = 0; i < this.count; i++) {
+      const call = this.recentCalls[i];
+      if (call && DATA_SOURCE_TOOLS.has(call.name) && call.timestamp >= cutoff) {
+        return true;
+      }
+    }
+    return false;
   }
 };
 async function interceptToolCall(params, upstreamCall, options) {
@@ -3925,7 +4012,7 @@ async function interceptToolCall(params, upstreamCall, options) {
           status: "ERROR",
           request,
           error: new RateLimitError(params.name, options.rateLimitPerTool),
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          timestamp
         };
         options.onDecision?.(result);
         return createDeniedToolResult(
@@ -3942,7 +4029,7 @@ async function interceptToolCall(params, upstreamCall, options) {
           status: "ERROR",
           request,
           error: new RateLimitError("*", options.globalRateLimitPerMinute),
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          timestamp
         };
         options.onDecision?.(result);
         return createDeniedToolResult("Global rate limit exceeded");
@@ -3958,10 +4045,10 @@ async function interceptToolCall(params, upstreamCall, options) {
           effect: "DENY",
           matchedRule: null,
           reason: `Exfiltration chain detected: data-sink tool "${params.name}" called after recent data-source tool`,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          timestamp,
           evaluationTimeMs: 0
         },
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        timestamp
       };
       options.onDecision?.(result);
       return createDeniedToolResult(
@@ -3976,7 +4063,7 @@ async function interceptToolCall(params, upstreamCall, options) {
       status: "DENIED",
       request,
       decision,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      timestamp
     };
     options.onDecision?.(result);
     const reason = options.verboseErrors ? decision.reason : "Tool execution denied by security policy.";
@@ -3990,12 +4077,14 @@ async function interceptToolCall(params, upstreamCall, options) {
       [params.name]
     );
   }
+  let callParams = params;
   if (options.serverVerifier && capabilityToken) {
-    options.serverVerifier.createSignedRequest(params, capabilityToken);
+    const signed = options.serverVerifier.createSignedRequest(params, capabilityToken);
+    callParams = signed;
   }
   try {
     const startTime = performance.now();
-    const toolResult = await upstreamCall(params);
+    const toolResult = await upstreamCall(callParams);
     const durationMs = performance.now() - startTime;
     const scanConfig = options.responseScanConfig ?? DEFAULT_RESPONSE_SCAN_CONFIG;
     let finalResult = toolResult;
@@ -4026,7 +4115,7 @@ ${item.text}`;
       decision,
       toolResult: finalResult,
       durationMs,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      timestamp
     };
     options.onDecision?.(result);
     return finalResult;
@@ -4035,7 +4124,7 @@ ${item.text}`;
       status: "ERROR",
       request,
       error: error instanceof Error ? new PolicyDeniedError(params.name, error.message) : new PolicyDeniedError(params.name, "Unknown upstream error"),
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      timestamp
     };
     options.onDecision?.(result);
     throw error;
@@ -4115,6 +4204,7 @@ var ExpiringSet = class {
     return true;
   }
   get size() {
+    this.maybeSweep();
     return this.entries.size;
   }
   maybeSweep() {
@@ -4552,7 +4642,7 @@ var SolonGate = class {
           "X-API-Key": this.apiKey,
           "Authorization": `Bearer ${this.apiKey}`
         },
-        signal: AbortSignal.timeout(1e4)
+        signal: AbortSignal.timeout(5e3)
       });
       if (res.status === 401) {
         throw new LicenseError("Invalid or expired API key.");
@@ -4563,13 +4653,13 @@ var SolonGate = class {
       this.licenseValidated = true;
     } catch (err) {
       if (err instanceof LicenseError) throw err;
-      throw new LicenseError(
-        "Unable to reach SolonGate license server. Check your internet connection."
-      );
+      console.warn("[SolonGate] License validation failed (network error), allowing through:", err instanceof Error ? err.message : String(err));
+      this.licenseValidated = true;
     }
   }
   /**
    * Fetch policy from SolonGate Cloud API (fire once, non-blocking).
+   * TODO: extract cloud policy parsing to shared module with packages/proxy/src/config.ts
    */
   fetchCloudPolicyOnce() {
     const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
@@ -4589,7 +4679,6 @@ var SolonGate = class {
         updatedAt: ""
       };
       this.policyEngine.loadPolicySet(policySet);
-      console.warn(`[SolonGate] Loaded cloud policy: ${policySet.name} (${policySet.rules.length} rules)`);
     }).catch(() => {
     });
   }
@@ -4599,7 +4688,7 @@ var SolonGate = class {
   startPolicyPolling() {
     const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
     let currentVersion = 0;
-    this.pollingTimer = setInterval(async () => {
+    const timer = setInterval(async () => {
       try {
         const res = await fetch(`${apiUrl}/api/v1/policies/default`, {
           headers: { "Authorization": `Bearer ${this.apiKey}` },
@@ -4608,7 +4697,6 @@ var SolonGate = class {
         if (!res.ok) return;
         const data = await res.json();
         const version = Number(data._version ?? 0);
-        const rulesCount = Array.isArray(data.rules) ? data.rules.length : 0;
         if (version !== currentVersion && version > 0) {
           const policySet = {
             id: String(data.id ?? "cloud"),
@@ -4621,11 +4709,12 @@ var SolonGate = class {
           };
           this.policyEngine.loadPolicySet(policySet);
           currentVersion = version;
-          console.warn(`[SolonGate] Policy updated from dashboard: ${policySet.name} v${version} (${rulesCount} rules)`);
         }
       } catch {
       }
     }, 6e4);
+    if (typeof timer.unref === "function") timer.unref();
+    this.pollingTimer = timer;
   }
   /**
    * Send audit log to SolonGate Cloud API (fire-and-forget).
@@ -4639,7 +4728,8 @@ var SolonGate = class {
         "Authorization": `Bearer ${this.apiKey}`,
         "Content-Type": "application/json"
       },
-      body: JSON.stringify(entry)
+      body: JSON.stringify(entry),
+      signal: AbortSignal.timeout(5e3)
     }).catch(() => {
     });
   }
@@ -4727,21 +4817,6 @@ var __export2 = (target, all) => {
   for (var name in all)
     __defProp2(target, name, { get: all[name], enumerable: true });
 };
-var DEFAULT_ADVANCED_DETECTION_CONFIG2;
-var init_types2 = __esm3({
-  "src/prompt-injection/types.ts"() {
-    DEFAULT_ADVANCED_DETECTION_CONFIG2 = {
-      enabled: true,
-      threshold: 0.5,
-      weights: {
-        rules: 0.3,
-        embedding: 0.3,
-        classifier: 0.4
-      },
-      onModelDownloadStart: void 0
-    };
-  }
-});
 function runStage1Rules2(input) {
   const matchedCategories = [];
   let maxWeight = 0;
@@ -4869,6 +4944,21 @@ var init_stage1_rules2 = __esm3({
     ADDITIONAL_MATCH_BONUS2 = 0.05;
   }
 });
+var DEFAULT_ADVANCED_DETECTION_CONFIG2;
+var init_types2 = __esm3({
+  "src/prompt-injection/types.ts"() {
+    DEFAULT_ADVANCED_DETECTION_CONFIG2 = {
+      enabled: true,
+      threshold: 0.5,
+      weights: {
+        rules: 0.3,
+        embedding: 0.3,
+        classifier: 0.4
+      },
+      onModelDownloadStart: void 0
+    };
+  }
+});
 var ATTACK_VECTORS2;
 var init_attack_vectors2 = __esm3({
   "src/prompt-injection/attack-vectors.ts"() {
@@ -4990,37 +5080,49 @@ async function getOrCreatePipeline2(task, model, onDownloadStart) {
   if (pipelineCache2.has(cacheKey)) {
     return pipelineCache2.get(cacheKey);
   }
-  const transformers = await getTransformers2();
-  if (!transformers) return null;
-  const modelSizes = {
-    "Xenova/all-MiniLM-L6-v2": 22,
-    "Xenova/deberta-v3-base-prompt-injection-v2": 184
-  };
-  console.warn(
-    `[SolonGate] Downloading model "${model}" (~${modelSizes[model] ?? "?"}MB) for prompt injection detection. This is a one-time download cached at ~/.cache/huggingface/hub/`
-  );
-  if (onDownloadStart) {
-    onDownloadStart(model, modelSizes[model] ?? 0);
-  }
-  try {
-    const pipe = await transformers.pipeline(task, model);
-    pipelineCache2.set(cacheKey, pipe);
-    return pipe;
-  } catch (err) {
-    console.warn(`[SolonGate] Failed to load model "${model}":`, err);
-    return null;
+  if (pipelineInflight2.has(cacheKey)) {
+    return pipelineInflight2.get(cacheKey);
   }
+  const promise = (async () => {
+    const transformers = await getTransformers2();
+    if (!transformers) return null;
+    const modelSizes = {
+      "Xenova/all-MiniLM-L6-v2": 22,
+      "Xenova/deberta-v3-base-prompt-injection-v2": 184
+    };
+    if (onDownloadStart) {
+      onDownloadStart(model, modelSizes[model] ?? 0);
+    } else {
+      console.warn(
+        `[SolonGate] Downloading model "${model}" (~${modelSizes[model] ?? "?"}MB) for prompt injection detection. This is a one-time download cached at ~/.cache/huggingface/hub/`
+      );
+    }
+    try {
+      const pipe = await transformers.pipeline(task, model);
+      pipelineCache2.set(cacheKey, pipe);
+      return pipe;
+    } catch (err) {
+      console.warn(`[SolonGate] Failed to load model "${model}":`, err);
+      return null;
+    } finally {
+      pipelineInflight2.delete(cacheKey);
+    }
+  })();
+  pipelineInflight2.set(cacheKey, promise);
+  return promise;
 }
 var transformersModule2;
 var transformersChecked2;
 var loadingPromise2;
 var pipelineCache2;
+var pipelineInflight2;
 var init_model_manager2 = __esm3({
   "src/prompt-injection/model-manager.ts"() {
     transformersModule2 = null;
     transformersChecked2 = false;
     loadingPromise2 = null;
     pipelineCache2 = /* @__PURE__ */ new Map();
+    pipelineInflight2 = /* @__PURE__ */ new Map();
   }
 });
 function cosineSimilarity2(a, b) {
@@ -5036,10 +5138,11 @@ function cosineSimilarity2(a, b) {
   return denom === 0 ? 0 : dotProduct / denom;
 }
 async function embed2(pipe, texts) {
+  const output = await pipe(texts, { pooling: "mean", normalize: true });
+  const dim2 = output.dims?.[1] ?? output.data.length / texts.length;
   const results = [];
-  for (const text of texts) {
-    const output = await pipe(text, { pooling: "mean", normalize: true });
-    results.push(new Float32Array(output.data));
+  for (let i = 0; i < texts.length; i++) {
+    results.push(new Float32Array(output.data.slice(i * dim2, (i + 1) * dim2)));
   }
   return results;
 }
@@ -5308,6 +5411,10 @@ var PolicySetSchema2 = z2.object({
   updatedAt: z2.string().datetime()
 });
 var SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1e3;
+var INPUT_GUARD_ENTROPY_THRESHOLD = 4.5;
+var INPUT_GUARD_MIN_ENTROPY_LENGTH = 32;
+var INPUT_GUARD_MAX_WILDCARDS = 3;
+init_stage1_rules2();
 var DEFAULT_INPUT_GUARD_CONFIG2 = Object.freeze({
   pathTraversal: true,
   shellInjection: true,
@@ -5431,11 +5538,12 @@ function detectShellInjection(value) {
   }
   return false;
 }
-var MAX_WILDCARDS_PER_VALUE = 3;
 function detectWildcardAbuse(value) {
   if (value.includes("**")) return true;
-  const wildcardCount = (value.match(/\*/g) || []).length;
-  if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;
+  let count = 0;
+  for (let i = 0; i < value.length; i++) {
+    if (value.charCodeAt(i) === 42 && ++count > INPUT_GUARD_MAX_WILDCARDS) return true;
+  }
   return false;
 }
 var SSRF_PATTERNS = [
@@ -5523,43 +5631,9 @@ function detectSQLInjection(value) {
   }
   return false;
 }
-var PROMPT_INJECTION_PATTERNS = [
-  // Instruction override attempts
-  /\bignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|directives?)\b/i,
-  /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions?|prompts?|rules?|guidelines?)\b/i,
-  /\bforget\s+(all\s+)?(your|the|previous|prior)\s+(instructions?|rules?|constraints?|guidelines?)\b/i,
-  /\boverride\s+(the\s+)?(system|previous|current)\s+(prompt|instructions?|rules?|settings?)\b/i,
-  /\bdo\s+not\s+follow\s+(your|the|any)\s+(instructions?|rules?|guidelines?)\b/i,
-  // Role hijacking
-  /\b(pretend|act|behave)\s+(you\s+are|as\s+if\s+you|like\s+you|to\s+be)\b/i,
-  /\byou\s+are\s+now\s+(a|an|the|my)\b/i,
-  /\bsimulate\s+being\b/i,
-  /\bassume\s+the\s+role\s+of\b/i,
-  /\benter\s+(developer|admin|debug|god|sudo)\s+mode\b/i,
-  // Delimiter injection (LLM token boundaries)
-  /<\/system>/i,
-  /<\|im_end\|>/i,
-  /<\|im_start\|>/i,
-  /<\|endoftext\|>/i,
-  /\[INST\]/i,
-  /\[\/INST\]/i,
-  /<<SYS>>/i,
-  /<<\/SYS>>/i,
-  /###\s*(Human|Assistant|System)\s*:/i,
-  /<\|user\|>/i,
-  /<\|assistant\|>/i,
-  // Meta-prompting / jailbreak keywords
-  /\b(system\s+override|admin\s+mode|debug\s+mode|developer\s+mode|maintenance\s+mode)\b/i,
-  /\bjailbreak\b/i,
-  /\bDAN\s+mode\b/i,
-  // Instruction injection via separators
-  /[-=]{3,}\s*\n\s*(new\s+instructions?|system|instructions?)\s*:/i
-];
 function detectPromptInjection(value) {
-  for (const pattern of PROMPT_INJECTION_PATTERNS) {
-    if (pattern.test(value)) return true;
-  }
-  return false;
+  const result = runStage1Rules2(value);
+  return result.score > 0;
 }
 var EXFILTRATION_PATTERNS = [
   // Base64 data in URL query parameters (min 20 chars of base64)
@@ -5590,26 +5664,34 @@ function detectBoundaryEscape(value) {
 function checkLengthLimits(value, maxLength = 4096) {
   return value.length <= maxLength;
 }
-var ENTROPY_THRESHOLD = 4.5;
-var MIN_LENGTH_FOR_ENTROPY_CHECK = 32;
 function checkEntropyLimits(value) {
-  if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true;
+  if (value.length < INPUT_GUARD_MIN_ENTROPY_LENGTH) return true;
   const entropy = calculateShannonEntropy(value);
-  return entropy <= ENTROPY_THRESHOLD;
+  return entropy <= INPUT_GUARD_ENTROPY_THRESHOLD;
 }
 function calculateShannonEntropy(str) {
-  const freq = /* @__PURE__ */ new Map();
-  for (const char of str) {
-    freq.set(char, (freq.get(char) ?? 0) + 1);
+  const freq = new Uint32Array(128);
+  let nonAsciiCount = 0;
+  for (let i = 0; i < str.length; i++) {
+    const code = str.charCodeAt(i);
+    if (code < 128) {
+      freq[code] = (freq[code] ?? 0) + 1;
+    } else {
+      nonAsciiCount++;
+    }
   }
   let entropy = 0;
   const len = str.length;
-  for (const count of freq.values()) {
-    const p = count / len;
-    if (p > 0) {
+  for (let i = 0; i < 128; i++) {
+    if ((freq[i] ?? 0) > 0) {
+      const p = (freq[i] ?? 0) / len;
       entropy -= p * Math.log2(p);
     }
   }
+  if (nonAsciiCount > 0) {
+    const p = nonAsciiCount / len;
+    entropy -= p * Math.log2(p);
+  }
   return entropy;
 }
 function sanitizeInput(field, value, config = DEFAULT_INPUT_GUARD_CONFIG2) {
@@ -5749,18 +5831,11 @@ async function sanitizeInputAsync(field, value, config = DEFAULT_INPUT_GUARD_CON
   return { ...syncResult, trustScore: void 0 };
 }
 async function sanitizeObjectAsync(basePath, obj, config) {
-  const threats = [];
-  if (Array.isArray(obj)) {
-    for (let i = 0; i < obj.length; i++) {
-      const result = await sanitizeInputAsync(`${basePath}[${i}]`, obj[i], config);
-      threats.push(...result.threats);
-    }
-  } else {
-    for (const [key, val] of Object.entries(obj)) {
-      const result = await sanitizeInputAsync(`${basePath}.${key}`, val, config);
-      threats.push(...result.threats);
-    }
-  }
+  const entries = Array.isArray(obj) ? obj.map((item, i) => [`[${i}]`, item]) : Object.entries(obj);
+  const results = await Promise.all(
+    entries.map(([key, val]) => sanitizeInputAsync(`${basePath}.${key}`, val, config))
+  );
+  const threats = results.flatMap((r) => r.threats);
   return { safe: threats.length === 0, threats, trustScore: void 0 };
 }
 init_detector2();
@@ -5815,61 +5890,14 @@ function detectHiddenDirective2(value) {
   }
   return false;
 }
-var INVISIBLE_UNICODE_PATTERNS2 = [
-  /\u200B/,
-  // Zero-width space
-  /\u200C/,
-  // Zero-width non-joiner
-  /\u200D/,
-  // Zero-width joiner
-  /\u200E/,
-  // Left-to-right mark
-  /\u200F/,
-  // Right-to-left mark
-  /\u2060/,
-  // Word joiner
-  /\u2061/,
-  // Function application
-  /\u2062/,
-  // Invisible times
-  /\u2063/,
-  // Invisible separator
-  /\u2064/,
-  // Invisible plus
-  /\uFEFF/,
-  // Zero-width no-break space (BOM)
-  /\u202A/,
-  // Left-to-right embedding
-  /\u202B/,
-  // Right-to-left embedding
-  /\u202C/,
-  // Pop directional formatting
-  /\u202D/,
-  // Left-to-right override
-  /\u202E/,
-  // Right-to-left override (text reversal attack)
-  /\u2066/,
-  // Left-to-right isolate
-  /\u2067/,
-  // Right-to-left isolate
-  /\u2068/,
-  // First strong isolate
-  /\u2069/,
-  // Pop directional isolate
-  /[\uE000-\uF8FF]/,
-  // Private Use Area
-  /[\uDB80-\uDBFF][\uDC00-\uDFFF]/
-  // Supplementary Private Use Area
-];
+var INVISIBLE_UNICODE_RE2 = /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF\uE000-\uF8FF]|[\uDB80-\uDBFF][\uDC00-\uDFFF]/g;
 var INVISIBLE_CHAR_THRESHOLD2 = 3;
 function detectInvisibleUnicode2(value) {
+  INVISIBLE_UNICODE_RE2.lastIndex = 0;
   let count = 0;
-  for (const pattern of INVISIBLE_UNICODE_PATTERNS2) {
-    const matches = value.match(new RegExp(pattern.source, "g"));
-    if (matches) {
-      count += matches.length;
-      if (count >= INVISIBLE_CHAR_THRESHOLD2) return true;
-    }
+  while (INVISIBLE_UNICODE_RE2.exec(value)) {
+    count++;
+    if (count >= INVISIBLE_CHAR_THRESHOLD2) return true;
   }
   return false;
 }
@@ -5944,7 +5972,7 @@ var PolicySyncManager = class {
   currentPolicy;
   localVersion;
   cloudVersion;
-  skipNextWatch = false;
+  lastWriteTime = 0;
   debounceTimer = null;
   pollTimer = null;
   watcher = null;
@@ -6013,8 +6041,7 @@ var PolicySyncManager = class {
    * Handle local file change event.
    */
   async onFileChange(filePath) {
-    if (this.skipNextWatch) {
-      this.skipNextWatch = false;
+    if (Date.now() - this.lastWriteTime < 1e3) {
       return;
     }
     try {
@@ -6083,31 +6110,43 @@ var PolicySyncManager = class {
    */
   async pushToCloud(policy) {
     const cloudId = this.policyId || policy.id || "default";
-    const existingRes = await fetch(`${this.apiUrl}/api/v1/policies/${cloudId}`, {
-      headers: { "Authorization": `Bearer ${this.apiKey}` }
+    const payload = JSON.stringify({
+      id: cloudId,
+      name: policy.name || "Default Policy",
+      description: policy.description || "Synced from proxy",
+      version: policy.version || 1,
+      rules: policy.rules
     });
-    const method = existingRes.ok ? "PUT" : "POST";
-    const url = existingRes.ok ? `${this.apiUrl}/api/v1/policies/${cloudId}` : `${this.apiUrl}/api/v1/policies`;
-    const res = await fetch(url, {
-      method,
+    const putRes = await fetch(`${this.apiUrl}/api/v1/policies/${cloudId}`, {
+      method: "PUT",
       headers: {
         "Authorization": `Bearer ${this.apiKey}`,
         "Content-Type": "application/json"
       },
-      body: JSON.stringify({
-        id: cloudId,
-        name: policy.name || "Default Policy",
-        description: policy.description || "Synced from proxy",
-        version: policy.version || 1,
-        rules: policy.rules
-      })
+      body: payload
     });
-    if (!res.ok) {
-      const body = await res.text().catch(() => "");
-      throw new Error(`Push failed (${res.status}): ${body}`);
+    if (putRes.ok) {
+      const data = await putRes.json();
+      return { version: Number(data._version ?? policy.version) };
     }
-    const data = await res.json();
-    return { version: Number(data._version ?? policy.version) };
+    if (putRes.status === 404) {
+      const postRes = await fetch(`${this.apiUrl}/api/v1/policies`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Content-Type": "application/json"
+        },
+        body: payload
+      });
+      if (!postRes.ok) {
+        const body2 = await postRes.text().catch(() => "");
+        throw new Error(`Push failed (${postRes.status}): ${body2}`);
+      }
+      const data = await postRes.json();
+      return { version: Number(data._version ?? policy.version) };
+    }
+    const body = await putRes.text().catch(() => "");
+    throw new Error(`Push failed (${putRes.status}): ${body}`);
   }
   /**
    * Write policy to local file (with loop prevention).
@@ -6115,14 +6154,13 @@ var PolicySyncManager = class {
    */
   writeToFile(policy) {
     if (!this.localPath) return;
-    this.skipNextWatch = true;
+    this.lastWriteTime = Date.now();
     try {
       const { id: _id, ...rest } = policy;
       const json = JSON.stringify(rest, null, 2) + "\n";
       writeFileSync(this.localPath, json, "utf-8");
     } catch (err) {
       log(`File write error: ${err instanceof Error ? err.message : String(err)}`);
-      this.skipNextWatch = false;
     }
   }
   /**
@@ -6130,6 +6168,9 @@ var PolicySyncManager = class {
    */
   policiesEqual(a, b) {
     if (a.name !== b.name || a.rules.length !== b.rules.length) return false;
+    if (a.version !== void 0 && b.version !== void 0 && a.version === b.version && a.id === b.id) {
+      return true;
+    }
     return JSON.stringify(a.rules) === JSON.stringify(b.rules);
   }
 };
@@ -6193,9 +6234,10 @@ var AiJudge = class {
    * Fail-closed: any error (timeout, parse failure, connection refused) → DENY.
    */
   async evaluate(toolName, args) {
+    const sanitizedArgs = this.sanitizeArgs(args);
     const userMessage = JSON.stringify({
       tool: toolName,
-      arguments: args,
+      arguments: sanitizedArgs,
       protected_files: this.protectedFiles,
       protected_paths: this.protectedPaths,
       denied_actions: this.deniedActions
@@ -6212,13 +6254,35 @@ var AiJudge = class {
       };
     }
   }
+  /**
+   * Sanitize tool arguments before sending to the judge LLM.
+   * Truncates long strings and strips control characters to reduce injection surface.
+   */
+  sanitizeArgs(args, maxStringLen = 2e3) {
+    const sanitize = (val, depth = 0) => {
+      if (depth > 10) return "[nested]";
+      if (typeof val === "string") {
+        const truncated = val.length > maxStringLen ? val.slice(0, maxStringLen) + "...[truncated]" : val;
+        return truncated;
+      }
+      if (Array.isArray(val)) return val.slice(0, 50).map((v) => sanitize(v, depth + 1));
+      if (val && typeof val === "object") {
+        const out = {};
+        for (const [k, v] of Object.entries(val)) {
+          out[k] = sanitize(v, depth + 1);
+        }
+        return out;
+      }
+      return val;
+    };
+    return sanitize(args);
+  }
   /**
    * Call the LLM endpoint. Supports Groq, OpenAI, and Ollama.
    */
   async callLLM(userMessage) {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
-    try {
+    const signal = AbortSignal.timeout(this.config.timeoutMs);
+    {
       let url;
       let body;
       const headers = { "Content-Type": "application/json" };
@@ -6252,7 +6316,7 @@ var AiJudge = class {
         method: "POST",
         headers,
         body,
-        signal: controller.signal
+        signal
       });
       if (!res.ok) {
         const errBody = await res.text().catch(() => "");
@@ -6268,8 +6332,6 @@ var AiJudge = class {
         const message = first?.message;
         return message?.content ?? "";
       }
-    } finally {
-      clearTimeout(timeout);
     }
   }
   /**
@@ -6297,6 +6359,13 @@ var AiJudge = class {
           confidence: 1
         };
       }
+      if (decision === "ALLOW" && confidence < 0.7) {
+        return {
+          decision: "DENY",
+          reason: `Low-confidence ALLOW (${confidence.toFixed(2)}) treated as DENY \u2014 ${reason}`,
+          confidence
+        };
+      }
       return { decision, reason, confidence };
     } catch {
       return {
@@ -6311,6 +6380,7 @@ var AiJudge = class {
 // src/proxy.ts
 var log2 = (...args) => process.stderr.write(`[SolonGate] ${args.map(String).join(" ")}
 `);
+var TEXT_ENCODER = new TextEncoder();
 var Mutex = class {
   queue = [];
   locked = false;
@@ -6319,7 +6389,7 @@ var Mutex = class {
       this.locked = true;
       return;
     }
-    return new Promise((resolve6, reject) => {
+    return new Promise((resolve7, reject) => {
       const timer = setTimeout(() => {
         const idx = this.queue.indexOf(onReady);
         if (idx !== -1) this.queue.splice(idx, 1);
@@ -6327,7 +6397,7 @@ var Mutex = class {
       }, timeoutMs);
       const onReady = () => {
         clearTimeout(timer);
-        resolve6();
+        resolve7();
       };
       this.queue.push(onReady);
     });
@@ -6361,8 +6431,10 @@ var SolonGateProxy = class {
   syncManager = null;
   aiJudge = null;
   upstreamTools = [];
+  guardConfig;
   constructor(config) {
     this.config = config;
+    this.guardConfig = config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG2, advancedDetection: config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG2;
     this.gate = new SolonGate({
       name: config.name ?? "solongate-proxy",
       apiKey: "sg_test_proxy_internal_00000000",
@@ -6384,7 +6456,7 @@ var SolonGateProxy = class {
    */
   async start() {
     log2("Starting SolonGate Proxy...");
-    const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+    const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
     if (this.config.apiKey) {
       if (this.config.apiKey.startsWith("sg_test_")) {
         const nodeEnv = process.env.NODE_ENV ?? "";
@@ -6449,10 +6521,9 @@ var SolonGateProxy = class {
             log2("AI Judge: CLI flags override cloud config.");
           } else if (cloudJudge.enabled) {
             let groqKey;
-            const dotenvPath = (await import("path")).resolve(".env");
-            const { existsSync: existsSync7, readFileSync: readFileSync6 } = await import("fs");
-            if (existsSync7(dotenvPath)) {
-              const content = readFileSync6(dotenvPath, "utf-8");
+            const dotenvPath = resolve2(".env");
+            if (existsSync3(dotenvPath)) {
+              const content = readFileSync3(dotenvPath, "utf-8");
               const match = content.match(/^GROQ_API_KEY=(.+)/m);
               if (match) groqKey = match[1].trim();
             }
@@ -6567,7 +6638,7 @@ var SolonGateProxy = class {
     const MUTEX_TIMEOUT_MS = 3e4;
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       const { name, arguments: args } = request.params;
-      const argsSize = new TextEncoder().encode(JSON.stringify(args ?? {})).length;
+      const argsSize = TEXT_ENCODER.encode(JSON.stringify(args ?? {})).length;
       if (argsSize > MAX_ARGUMENT_SIZE) {
         log2(`DENY: ${name} \u2014 payload size ${argsSize} exceeds limit ${MAX_ARGUMENT_SIZE}`);
         return {
@@ -6578,8 +6649,7 @@ var SolonGateProxy = class {
       log2(`Tool call: ${name}`);
       let piResult;
       if (args && typeof args === "object") {
-        const guardConfig = this.config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG2, advancedDetection: this.config.advancedDetection } : DEFAULT_INPUT_GUARD_CONFIG2;
-        const argsCheck = this.config.advancedDetection ? await sanitizeInputAsync("tool.arguments", args, guardConfig) : sanitizeInput("tool.arguments", args);
+        const argsCheck = this.config.advancedDetection ? await sanitizeInputAsync("tool.arguments", args, this.guardConfig) : sanitizeInput("tool.arguments", args);
         const hasPromptInjection = argsCheck.threats.some((t) => t.type === "PROMPT_INJECTION");
         if (hasPromptInjection) {
           const trustResult = "trustScore" in argsCheck ? argsCheck.trustScore : void 0;
@@ -6598,7 +6668,7 @@ var SolonGateProxy = class {
           const threats = argsCheck.threats.map((t) => `${t.type}: ${t.description}`).join("; ");
           log2(`DENY tool call: ${name} \u2014 ${threats}`);
           if (this.config.apiKey && !this.config.apiKey.startsWith("sg_test_")) {
-            const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+            const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
             sendAuditLog(this.config.apiKey, apiUrl, {
               tool: name,
               arguments: args ?? {},
@@ -6675,7 +6745,7 @@ var SolonGateProxy = class {
         const evaluationTimeMs = Date.now() - startTime;
         log2(`Result: ${decision} (${evaluationTimeMs}ms)`);
         if (this.config.apiKey && !this.config.apiKey.startsWith("sg_test_")) {
-          const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+          const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
           log2(`Sending audit log: ${name} \u2192 ${decision} (key: ${this.config.apiKey.slice(0, 16)}...)`);
           let reason = "allowed";
           let matchedRule;
@@ -6721,8 +6791,7 @@ var SolonGateProxy = class {
     this.server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
       if (!this.client) throw new Error("Upstream client disconnected");
       const uri = request.params.uri;
-      const guardConfig = this.config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG2, advancedDetection: this.config.advancedDetection } : void 0;
-      const uriCheck = guardConfig ? await sanitizeInputAsync("resource.uri", uri, guardConfig) : sanitizeInput("resource.uri", uri);
+      const uriCheck = this.config.advancedDetection ? await sanitizeInputAsync("resource.uri", uri, this.guardConfig) : sanitizeInput("resource.uri", uri);
       if (!uriCheck.safe) {
         const threats = uriCheck.threats.map((t) => `${t.type}: ${t.description}`).join("; ");
         log2(`DENY resource read: ${uri} \u2014 ${threats}`);
@@ -6777,8 +6846,7 @@ ${content.text}`;
       if (!this.client) throw new Error("Upstream client disconnected");
       const args = request.params.arguments;
       if (args && typeof args === "object") {
-        const promptGuardConfig = this.config.advancedDetection ? { ...DEFAULT_INPUT_GUARD_CONFIG2, advancedDetection: this.config.advancedDetection } : void 0;
-        const argsCheck = promptGuardConfig ? await sanitizeInputAsync("prompt.arguments", args, promptGuardConfig) : sanitizeInput("prompt.arguments", args);
+        const argsCheck = this.config.advancedDetection ? await sanitizeInputAsync("prompt.arguments", args, this.guardConfig) : sanitizeInput("prompt.arguments", args);
         if (!argsCheck.safe) {
           const threats = argsCheck.threats.map((t) => `${t.type}: ${t.description}`).join("; ");
           log2(`DENY prompt get: ${request.params.name} \u2014 ${threats}`);
@@ -6813,11 +6881,11 @@ ${msg.content.text}`;
    */
   registerToolsToCloud() {
     if (!this.config.apiKey || this.config.apiKey.startsWith("sg_test_")) return;
-    const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
-    let registered = 0;
+    const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
     const total = this.upstreamTools.length;
-    for (const tool of this.upstreamTools) {
-      fetch(`${apiUrl}/api/v1/tools`, {
+    log2(`Registering ${total} tools to dashboard...`);
+    const promises = this.upstreamTools.map(
+      (tool) => fetch(`${apiUrl}/api/v1/tools`, {
         method: "POST",
         headers: {
           "Authorization": `Bearer ${this.config.apiKey}`,
@@ -6831,17 +6899,24 @@ ${msg.content.text}`;
           enabled: true
         })
       }).then(async (res) => {
-        if (res.ok || res.status === 409) {
-          registered++;
-        } else {
+        if (!res.ok && res.status !== 409) {
           const body = await res.text().catch(() => "");
-          log2(`Tool registration failed for "${tool.name}" (${res.status}): ${body}`);
+          throw new Error(`${tool.name} (${res.status}): ${body}`);
         }
-      }).catch((err) => {
-        log2(`Tool registration error for "${tool.name}": ${err instanceof Error ? err.message : String(err)}`);
-      });
-    }
-    log2(`Registering ${total} tools to dashboard...`);
+      })
+    );
+    Promise.allSettled(promises).then((results) => {
+      const fulfilled = results.filter((r) => r.status === "fulfilled").length;
+      const rejected = results.filter((r) => r.status === "rejected");
+      if (rejected.length > 0) {
+        for (const r of rejected) {
+          log2(`Tool registration failed: ${r.reason}`);
+        }
+        log2(`Tool registration: ${fulfilled}/${total} succeeded, ${rejected.length} failed.`);
+      } else {
+        log2(`Tool registration: ${fulfilled}/${total} succeeded.`);
+      }
+    });
   }
   /**
    * Guess tool permissions from tool name.
@@ -6862,7 +6937,7 @@ ${msg.content.text}`;
    */
   registerServerToCloud() {
     if (!this.config.apiKey || this.config.apiKey.startsWith("sg_test_")) return;
-    const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+    const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
     const transport = this.config.upstream.transport ?? "stdio";
     let serverName = this.config.name ?? "solongate-proxy";
     let serverUrl;
@@ -6946,7 +7021,7 @@ ${msg.content.text}`;
   startPolicySync() {
     const apiKey = this.config.apiKey;
     if (!apiKey) return;
-    const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+    const apiUrl = this.config.apiUrl ?? DEFAULT_API_URL;
     this.syncManager = new PolicySyncManager({
       localPath: this.config.policyPath ?? null,
       apiKey,